Monthly Chat Agenda April (2020-04-06)

[dune73]

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, April 6, at 20:30 CET.

Items on the Agenda:

Previous Meetings decisions: here

PRs

• New ldap injection rule 921200 (fixes issue #276) #1707 New ldap injection rule 921200 (fixes issue LDAP Injection Rule #276)
• Perf issue with regexes that start with repeating digits #1708 Perf issue with regexes that start with repeating digits
• Add word boundaries around values in SQL tautologies (942130) #1710 Add word boundaries around values in SQL tautologies (942130)
• Remove MIME Attribute from application/soap+xml Rule 900220 #1717 Remove MIME Attribute from application/soap+xml Rule 900220
• Add Content-Type: multipart/related as allowed default #1721 Add Content-Type: multipart/related as allowed default
• Make severities and scores consistent #1732 Make severities and scores consistent
• Fix content type whitelist #1734 Fix content type whitelist

PRs on hold

• 932200: PL1 RCE bypass uninitialized variable (DRAFT) #1602 932200: PL1 RCE bypass uninitialized variable (DRAFT) (Has been in need of action for a long time)
• Revert #578 #1616 Revert Add urlDecodeUni() operation to ARG/ARGS_NAMES #578 (Needs action)
• RE2 compatibility for 920120 #1663 RE2 compatibility for 920120 (no feedback from CDN unfortunately)
• Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) #1667 Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) (In progress)
• Extend sql having in rule 942230 #1674 Extend sql having in rule 942230 (no feedback from CDN unfortunately)
• Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf #1690 Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf (Needs action)

Other items

• GitHub migration scheduled for March 18 had to be cancelled / postponed. TW and CRS do not agree on the procedure. Migration team: @dune73, @lifeforms and @fzipi.
• HAProxy Layered Security Guide recomments CRS: https://www.haproxy.com/content-library/the-haproxy-guide-to-multi-layer-security/
• Release schedule for 3.3

Feel free to add items as you see fit either above, or below as comments.

Open Issues

In January 2020, we decided to look into 10 issues at the chat every month. But only after the Other items. Pick the issues before the meeting and list them below.

Issue slot 1:
Issue slot 2:
Issue slot 3:
Issue slot 4:
Issue slot 5:
Issue slot 6:
Issue slot 7:
Issue slot 8:
Issue slot 9:
Issue slot 10:

If you are not yet on the OWASP Slack, here is your invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM .
Everybody is welcome to join our community chat.

[franbuehler]

Decisions

PRs

• New ldap injection rule 921200 (fixes issue #276) #1707 - @lifeforms did not have the time. This issue remains open.
• Perf issue with regexes that start with repeating digits #1708 - no relevant progress here
• Add word boundaries around values in SQL tautologies (942130) #1710 - @franbuehler will review this PR
• Remove MIME Attribute from application/soap+xml Rule 900220 #1717 - @franbuehler did not have the time. This issue remains open.
• Add Content-Type: multipart/related as allowed default #1721 - merged
• Make severities and scores consistent #1732 - merged
• Fix content type whitelist #1734 - @franbuehler and @lifeforms will test this rule in production.

PRs on hold

• 932200: PL1 RCE bypass uninitialized variable (DRAFT) #1602 - we will ask @theMiddleBlue what the matter with his PR is
• RE2 compatibility for 920120 #1663 - on hold with @dune73
• Extend sql having in rule 942230 #1674 - on hold with @dune73
• Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) #1667 - on hold on request of @fzipi

Other Items

• Travis doesn't run on new PRs. @theMiddleBlue will troubleshoot this.
• GitHub migration scheduled for March 18 had to be cancelled / postponed. TW and CRS do not agree on the procedure. Migration team: @dune73, @lifeforms and @fzipi: "We think we are almost there with the migration script."
• HAProxy Layered Security Guide recommends CRS: https://www.haproxy.com/content-library/the-haproxy-guide-to-multi-layer-security/
• Release schedule for 3.3: @lifeforms was thinking of RCs around 23 May, 6 June, then release 16 June for instance. @dune73: "So let's see one month from now, confirm your schedule or we re-schedule. I think June makes a lot of sense in the long run. Close to a 9 month schedule, also if we do 3.4 for Dublin next winter." So we will see.

Issues

It was already late. We did not talk about new issues.