Status: Closed (MiguelFGM closed this issue 6 months ago)
I think the regex you wrote is wrong. I would write it like this: "rx:[a-z](:|%3a)([\\/]|%2f|%5c)+"
On naxsi, due to how strings are handled by nginx, you may need to escape them (like for \).
Also you don't need (?i), because the regex is always executed as case insensitive.
Thank you for your suggestions on the regex formatting. I understand that backslashes (\) are included in your regex, but it seems NAXSI or NGINX might not be processing them effectively.
Examples:
- domain.com/etc/passwd - matches
- domain.com\etc\passwd - it's translated to domain.com/etc/passwd by the browser - matches
- domain.com/?test=/etc/passwd - matches
- domain.com/?test=\etc\passwd - doesn't match
In cases where inputs like C:\ are sent as arguments or in the BODY (not in URLs), NAXSI doesn't seem to block them. Could you clarify how NAXSI handles backslashes in these scenarios?
I do not know if you check the logs, but \etc\passwd gets converted to \x5c.
So you need a rule like ([\\/]|%2f|%5c|\\x2f|\\x5c)
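As an added example (not code from this issue or from the naxsi project), the script below evaluates the patterns discussed in this thread the way the maintainer describes naxsi doing it: case-insensitively, and against both the raw input and the form in which a backslash has already been converted to \x5c. Python's re module stands in for PCRE (an assumption), the \x5c conversion is a constructed emulation of what the maintainer describes rather than naxsi's own escaping code, and nginx's config-string unescaping is not modelled, so each pattern is written as the regex engine should finally see it. Running it also shows one reason the issue's /etc/passwd rule behaves differently on encoded input: its \b assertions cannot succeed where the separator alternative ends in a word character (the f of %2f, the c of \x5c) and is immediately followed by passwd.

```python
import re

# Patterns as the regex engine should see them (post-unescaping forms; Python's re
# stands in for PCRE here, which is an assumption of this example).
# The issue's drive-path rule, minus (?i): naxsi already matches case-insensitively.
DRIVE_RULE_ISSUE = r"([c-h])(\:|%3a)(\\|\/|%2f|%5c)+"
# The maintainer's shorter rule, extended with the \x2f / \x5c forms from the thread.
DRIVE_RULE_SUGGESTED = r"[a-z](:|%3a)([\\/]|%2f|%5c|\\x2f|\\x5c)+"

# The issue's /etc/passwd rule, with its \b assertions, and a variant without them
# that also accepts the \x2f / \x5c forms.
ETC_RULE_ISSUE = (r"(\\|\/|%2f|%5c)+(etc)+\b(\\|\/|%2f|%5c)+\b"
                  r"(passwd|shadow|issue|group|hosts|motd)")
ETC_RULE_NO_WB = (r"([\\/]|%2f|%5c|\\x2f|\\x5c)+etc([\\/]|%2f|%5c|\\x2f|\\x5c)+"
                  r"(passwd|shadow|issue|group|hosts|motd)")


def as_seen_in_naxsi_log(value: str) -> str:
    """Constructed emulation of the conversion the maintainer describes: each
    literal backslash is rewritten as the four characters \\x5c. Nothing else
    is touched, so this approximates the behaviour rather than reproducing naxsi's code."""
    return value.replace("\\", "\\x5c")


def rule_matches(rule: str, value: str) -> bool:
    """Evaluate one rx: pattern the way the maintainer says naxsi does:
    case-insensitively, so a leading (?i) in the rule adds nothing."""
    return re.search(rule, value, re.IGNORECASE) is not None


def evaluate(rule: str, values) -> dict:
    """Return {sample: matched?} for one rule over a list of samples."""
    return {v: rule_matches(rule, v) for v in values}


# Constructed samples built from the inputs discussed in the thread, plus the
# log-converted form of the backslash variants.
DRIVE_SAMPLES = ["C://", "D:\\", "c%3A%2F%2F", "X:\\", as_seen_in_naxsi_log("D:\\")]
ETC_SAMPLES = ["/etc/passwd", "\\etc\\passwd", "%2fetc%2fpasswd",
               as_seen_in_naxsi_log("\\etc\\passwd")]

if __name__ == "__main__":
    for name, rule, samples in [
        ("drive rule (issue)", DRIVE_RULE_ISSUE, DRIVE_SAMPLES),
        ("drive rule (suggested)", DRIVE_RULE_SUGGESTED, DRIVE_SAMPLES),
        ("etc rule (issue, with \\b)", ETC_RULE_ISSUE, ETC_SAMPLES),
        ("etc rule (no \\b, with \\x5c)", ETC_RULE_NO_WB, ETC_SAMPLES),
    ]:
        print(name)
        for sample, hit in evaluate(rule, samples).items():
            print(f"  {sample!r:28} -> {'match' if hit else 'no match'}")
```

The drive-letter rule from the issue already matches the converted D:\x5c form because that form still contains a literal backslash; the /etc/passwd rule does not, because after the backslash comes x5c rather than etc, and its \b before passwd fails on both %2f and \x5c. Dropping the \b assertions and adding the \x2f / \x5c alternatives, as the maintainer suggests, makes all four sample forms match.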
Issue Description: I have been experiencing issues with certain regex patterns not matching expected inputs when used within NAXSI rules. Despite the regex patterns functioning correctly in standard PCRE testing environments (e.g., regex101.com), these patterns do not seem to work when deployed in the NAXSI environment. This discrepancy occurs even with simplified and confirmed regex expressions.
Details: Here are some examples of regex patterns that are not matching as expected:
Pattern for Matching Windows Drive Paths: Regex:
(?i)([c-h])(\:|%3a)(\\|\/|%2f|%5c)+
Expected to match: C://, D:\, etc. Issue: Fails to match multiple slashes following the colon, even with simplified forms.
General Observations:
Steps to Reproduce:
Expected Behavior: The regex should match any valid Windows drive path format, including paths with multiple slashes or URL-encoded slashes/backslashes.
Actual Behavior: The regex fails to trigger on inputs that include multiple slashes or certain encoded forms, despite these being valid as per PCRE standards and confirmed via external regex testing tools.
Additional Information: For contrast, the following regex patterns exhibit different behaviors:
(?i)(\\|\/|%2f|%5c)+(etc)+\b(\\|\/|%2f|%5c)+\b(passwd|shadow|issue|group|hosts|motd)
matches in regex101.com but does not match in NAXSI.
(?i)(\\/|%2f|%5c)+etc(\\/|%2f|%5c)+(passwd|shadow|issue|group|hosts|motd)
does not match in regex101.com but successfully matches in NAXSI.
This inconsistency suggests there might be specific handling differences of regex components or patterns within NAXSI compared to standard PCRE environments.
Request: I would appreciate any guidance on why these regex patterns might not be functioning as expected within NAXSI, or if there are specific considerations or limitations within NAXSI’s regex engine that I might be missing. Suggestions for adjustments or confirmations on potential bugs would also be highly valued.