Monthly Chat Agenda October (2019-10-07) #1536

[dune73]

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, October 7, at 20:30 CET.

Items on the Agenda:

PRs

• Change chain order #1585 - Change chain order
• Correct example text regarding GeoIP #1584 - Correct example text regarding GeoIP
• Add exception for Monit status check #1583 - Add exception for Monit status check
• Fix a FP in 942360 (#1580) #1581 - Fix a FP in 942360 (Rule 942360: Small bug in the regex cause FP  #1580)
• Adding new test for 942180 based on XSS cheatsheet by portswigger #1569 - Adding new test for 941150 based on XSS cheatsheet by portswigger #1579 - New unit tests
• update rx SQLi rule 942400 #1565 - update rx SQLi rule 942400
• Sync with v3.2 php fp and java tags #1548 - Sync with v3.2 php fp and java tags
• Rule 941370: Remove deprecated t:removeComments #1538 - Rule 941370: Remove deprecated t:removeComments
• 920470: include chars from rfc 2046 #1534 - 920470: include chars from rfc 2046
• Fix bypass in 931130 #1525 - Fix bypass in 931130
• Rule to check if both C-L and T-E are present #1310 - Rule to check if both C-L and T-E are present

Other items

• Proceedings of the planning meeting at the CRS Community Summit in Amsterdam / Things we want to do for 3.3
  • HTTP Header Whitelisting
  • Overhaul the complete tagging (@fzipi confirms he will put a student on this task)
  • Better support for non-European languages
  • Rule exclusion package for hosters
  • More node or JS rules -> better protection for the MEAN stack
  • More rules protecting users from python injections / attacks
  • consistent way dealing with transformations (working plan: apply different transformations to args at higher PL, save in TX:/xxx/, add TX:/xxx/ to every rule targetting ARGS)
  • Stop HTTP request smuggling once and for all (Content-Length + Transfer-Encoding)
  • Setup a series of demo-sites where people can test their attack payloads (PL1 to PL4)
• Another CRS community Summit in 2020? -> 17 June 2020 in Dublin (?)
• Close stale/old issues if no activity for N days: We are going to add a canned message to stale issues after N days asking for update or interest in fixing, then we're closing it after some time. The Github marketplace presents a standard procedure to get this by a bot via a stale-file in our repository: https://github.com/marketplace/stale (thank you @fzipi)
• Release hashing and/or GPG signing tag
• Setup Security policy on github (new tab!)
• Should we add base64 decoding everywhere? v3.3/devb64decoder
• Special proposal of textglass.org developer Reza Naghibi. The idea is to expand Textglass into a WAF executing CRS rules. This would possibly also mean to change CRS and lean on said alternative engine with our project.

Feel free to add items as you see fit either above, or below as comments.

If you are not yet on the OWASP Slack, here is your invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM .
Everybody is welcome to join our community chat.

[dune73]

Decisions / Infos

• @csanders-git will be at cloudfest (-> rule exclusions for hosters)
• @csanders-git has the demo setup almost done. We are talking end of the week.
• Stale issues: @fzipi volunteers and the leads will make sure the permissions are being set up correctly.
• Release signing: @fzipi volunteers to do this, signing and publication of checksums.
• @csanders-git will look into the new github security policy that projects can set up via a new tab.
• @spartantri and @dune73 will join forces and work on a transformation proposal resulting in a PR.

PRs

• Change chain order #1585 - @fgs and friends will merge this once done
• Correct example text regarding GeoIP #1584 - @fgs will review and merge. @franbuehler and @lifeforms might also take a look
• Add exception for Monit status check #1583 - @lifeforms will handle this
• Fix a FP in 942360 (#1580) #1581 - @fgs and @emphazer will sort out breaking tests to make this work - and then merged
• Adding new test for 942180 based on XSS cheatsheet by portswigger #1569 - Adding new test for 941150 based on XSS cheatsheet by portswigger #1579 - @lifeforms will merge this
• update rx SQLi rule 942400 #1565 - @fgs will make sure this gets into a mergeable state
• Sync with v3.2 php fp and java tags #1548 - this has been broken. @spartantri will close it and maybe come up with a new attempt
• Rule 941370: Remove deprecated t:removeComments #1538 - @fgs will get this merged asap
• 920470: include chars from rfc 2046 #1534 - @franbuehler will make sure this gets merged
• Fix bypass in 931130 #1525 - @lifeforms will review and merge
• Rule to check if both C-L and T-E are present #1310 - @dune73 will join with @fgs to finish this and solve the request smuggling problem