Merge pull request #1668 from allanrbo/feature/allanbo/942330anchors

Avoid embedded anchors in CRS rule 942330
SpiderLabs · Mar 2, 2020 · 0532911 · 0532911
2 parents 51a243d + 935db62
commit 0532911
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 23 deletions.
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -898,7 +898,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # to the Regexp::Assemble output:
 #   (?i:ASSEMBLE_OUTPUT)
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+|(?:^[\"'`\\\\]*?[\d\"'`]+)+)\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s*?[\w\"'`][+&!@(),.-]|\@(?:[\w-]+\s(?:between|like|x?or|and|div)\s*?[^\w\s]|\w+\s+(?:between|like|x?or|and|div)\s*?[\"'`\d]+)|[\"'`]\s*?(?:between|like|x?or|and|div)\s*?[\"'`]?\d|[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].|[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w|\Winformation_schema|\\\\x(?:23|27|3d)|table_name\W|^.?[\"'`]$))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:^(?:[\"'`\\\\]*?(?:[^\"'`]+[\"'`]|[\d\"'`]+)\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s*?[\w\"'`][+&!@(),.-]|.?[\"'`]$)|\@(?:[\w-]+\s(?:between|like|x?or|and|div)\s*?[^\w\s]|\w+\s+(?:between|like|x?or|and|div)\s*?[\"'`\d]+)|[\"'`]\s*?(?:between|like|x?or|and|div)\s*?[\"'`]?\d|[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].|[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w|\Winformation_schema|\\\\x(?:23|27|3d)|table_name\W))" \
     "id:942330,\
     phase:2,\
     block,\

diff --git a/util/regexp-assemble/regexp-942330.data b/util/regexp-assemble/regexp-942330.data
@@ -6,28 +6,28 @@
 [\"'`]\s*?and\s*?[\"'`]?\d
 \\\\x(?:23|27|3d)
 ^.?[\"'`]$
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?and\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?nand\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?or\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?xor\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?xxor\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?div\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?like\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?between\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?not\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?\|\|\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?\&\&\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?and\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?nand\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?or\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?xor\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?xxor\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?div\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?like\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?between\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?not\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?\|\|\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?\&\&\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?and\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?nand\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?or\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?xor\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?xxor\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?div\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?like\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?between\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?not\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?\|\|\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?\&\&\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?and\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?nand\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?or\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?xor\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?xxor\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?div\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?like\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?between\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?not\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?\|\|\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?\&\&\s*?[\w\"'`][+&!@(),.-]
 [^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w
 @\w+\s+and\s*?[\"'`\d]+
 @\w+\s+or\s*?[\"'`\d]+