Merge pull request #1675 from franbuehler/create-942360

lifeforms · web-flow · commit 864f8cf00c1f · 2020-02-10T21:06:55.000+01:00
Fix FP with create with 942360
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -461,7 +461,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # to the Regexp::Assemble output:
 #   (?i:ASSEMBLE_OUTPUT)
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\s*key|k)|terialized)|e(?:ssage\s*type|thod)|odule)|l(?:o(?:g(?:file\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\s*priority|ufferpool)|x(?:ml\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|u(?:nion\s*(?:(?:distin|sele)ct|all)|pdate)|(?:(?:trunc|cre)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|load)\b|(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s+(?:group_concat|load_file|char)\s?\(?|[\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom|[\s(]load_file\s*?\(|[\"'`]\s+regexp\W|end\s*?\);))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:^[\W\d]+\s*?(?:(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\s*key|k)|terialized)|e(?:ssage\s*type|thod)|odule)|l(?:o(?:g(?:file\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\s*priority|ufferpool)|x(?:ml\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|u(?:nion\s*(?:(?:distin|sele)ct|all)|pdate)|(?:truncat|renam)e|(?:inser|selec)t|de(?:lete|sc)|load)\b|create\s+\w+)|(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s+(?:group_concat|load_file|char)\s?\(?|[\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom|[\s(]load_file\s*?\(|[\"'`]\s+regexp\W|end\s*?\);))" \
     "id:942360,\
     phase:2,\
     block,\
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml
@@ -1,6 +1,6 @@
 ---
   meta:
-    author: "Christian S.J. Peron, Christoph Hansen"
+    author: "Christian S.J. Peron, Christoph Hansen, Franziska Buehler"
     description: None
     enabled: true
     name: 942360.yaml
@@ -517,3 +517,41 @@
           version: HTTP/1.0
         output:
           no_log_contains: id "942360"
+  -
+    test_title: 942360-31
+    desc: GH issue 1605
+    stages:
+    -
+      stage:
+        input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "*/*"
+            Host: localhost
+            User-Agent: ModSecurity CRS 3 Tests
+          method: POST
+          port: 80
+          uri: /
+          data: "a=/create"
+          version: HTTP/1.0
+        output:
+          no_log_contains: id "942360"
+  -
+    test_title: 942360-32
+    desc: GH issue 1605
+    stages:
+    -
+      stage:
+        input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "*/*"
+            Host: localhost
+            User-Agent: ModSecurity CRS 3 Tests
+          method: POST
+          port: 80
+          uri: /
+          data: "a=/CREATE TABLE Persons"
+          version: HTTP/1.0
+        output:
+          log_contains: id "942360"
diff --git a/util/regexp-assemble/regexp-942360.data b/util/regexp-assemble/regexp-942360.data
@@ -32,7 +32,7 @@ end\s*?\);
 [\s(]load_file\s*?\(
 [\"'`]\s+regexp\W
 [\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom
-^[\W\d]+\s*?create\b
+^[\W\d]+\s*?create\s+\w+
 ^[\W\d]+\s*?delete\b
 ^[\W\d]+\s*?desc\b
 ^[\W\d]+\s*?insert\b

Original file line number	Diff line number	Diff line change
`@@ -461,7 +461,7 @@ SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAME`
`461`	`461`	`# to the Regexp::Assemble output:`
`462`	`462`	`# (?i:ASSEMBLE_OUTPUT)`
`463`	`463`	`#`
`464`		-SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:^[\W\d]+\s?(?:alter\s(?:a(?:(?:pplication\srol\|ggregat)e\|s(?:ymmetric\ske\|sembl)y\|u(?:thorization\|dit)\|vailability\sgroup)\|c(?:r(?:yptographic\sprovider\|edential)\|o(?:l(?:latio\|um)\|nversio)n\|ertificate\|luster)\|s(?:e(?:rv(?:ice\|er)\|curity\|quence\|ssion\|arch)\|y(?:mmetric\skey\|nonym)\|togroup\|chema)\|m(?:a(?:s(?:ter\skey\|k)\|terialized)\|e(?:ssage\stype\|thod)\|odule)\|l(?:o(?:g(?:file\sgroup\|in)\|ckdown)\|a(?:ngua\|r)ge\|ibrary)\|t(?:(?:abl(?:espac)?\|yp)e\|r(?:igger\|usted)\|hreshold\|ext)\|p(?:a(?:rtition\|ckage)\|ro(?:cedur\|fil)e\|ermission)\|d(?:i(?:mension\|skgroup)\|atabase\|efault\|omain)\|r(?:o(?:l(?:lback\|e)\|ute)\|e(?:sourc\|mot)e)\|f(?:u(?:lltext\|nction)\|lashback\|oreign)\|e(?:xte(?:nsion\|rnal)\|(?:ndpoi\|ve)nt)\|in(?:dex(?:type)?\|memory\|stance)\|b(?:roker\spriority\|ufferpool)\|x(?:ml\sschema\|srobject)\|w(?:ork(?:load)?\|rapper)\|hi(?:erarchy\|stogram)\|o(?:perator\|utline)\|(?:nicknam\|queu)e\|us(?:age\|er)\|group\|java\|view)\|u(?:nion\s(?:(?:distin\|sele)ct\|all)\|pdate)\|(?:(?:trunc\|cre)at\|renam)e\|(?:inser\|selec)t\|de(?:lete\|sc)\|load)\b\|(?:(?:(?:trunc\|cre\|upd)at\|renam)e\|(?:inser\|selec)t\|de(?:lete\|sc)\|alter\|load)\s+(?:group_concat\|load_file\|char)\s?\(?\|[\d\W]\s+as\b\s[\"'`\w]+\s\bfrom\|[\s(]load_file\s?\(\|[\"'`]\s+regexp\W\|end\s*?\);))" \
	`464`	+SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:^[\W\d]+\s?(?:(?:alter\s(?:a(?:(?:pplication\srol\|ggregat)e\|s(?:ymmetric\ske\|sembl)y\|u(?:thorization\|dit)\|vailability\sgroup)\|c(?:r(?:yptographic\sprovider\|edential)\|o(?:l(?:latio\|um)\|nversio)n\|ertificate\|luster)\|s(?:e(?:rv(?:ice\|er)\|curity\|quence\|ssion\|arch)\|y(?:mmetric\skey\|nonym)\|togroup\|chema)\|m(?:a(?:s(?:ter\skey\|k)\|terialized)\|e(?:ssage\stype\|thod)\|odule)\|l(?:o(?:g(?:file\sgroup\|in)\|ckdown)\|a(?:ngua\|r)ge\|ibrary)\|t(?:(?:abl(?:espac)?\|yp)e\|r(?:igger\|usted)\|hreshold\|ext)\|p(?:a(?:rtition\|ckage)\|ro(?:cedur\|fil)e\|ermission)\|d(?:i(?:mension\|skgroup)\|atabase\|efault\|omain)\|r(?:o(?:l(?:lback\|e)\|ute)\|e(?:sourc\|mot)e)\|f(?:u(?:lltext\|nction)\|lashback\|oreign)\|e(?:xte(?:nsion\|rnal)\|(?:ndpoi\|ve)nt)\|in(?:dex(?:type)?\|memory\|stance)\|b(?:roker\spriority\|ufferpool)\|x(?:ml\sschema\|srobject)\|w(?:ork(?:load)?\|rapper)\|hi(?:erarchy\|stogram)\|o(?:perator\|utline)\|(?:nicknam\|queu)e\|us(?:age\|er)\|group\|java\|view)\|u(?:nion\s(?:(?:distin\|sele)ct\|all)\|pdate)\|(?:truncat\|renam)e\|(?:inser\|selec)t\|de(?:lete\|sc)\|load)\b\|create\s+\w+)\|(?:(?:(?:trunc\|cre\|upd)at\|renam)e\|(?:inser\|selec)t\|de(?:lete\|sc)\|alter\|load)\s+(?:group_concat\|load_file\|char)\s?\(?\|[\d\W]\s+as\b\s[\"'`\w]+\s\bfrom\|[\s(]load_file\s?\(\|[\"'`]\s+regexp\W\|end\s*?\);))" \
`465`	`465`	`"id:942360,\`
`466`	`466`	`phase:2,\`
`467`	`467`	`block,\`