Describe the bug
SecRule REQUEST_BODY "@rx abc" "id:111, msg:'test', t:base64DecodeExt,multiMatch, phase:2, block, capture, severity:'CRITICAL', tag:'attack-rce', tag:'paranoia-level/1', setvar:'tx.matched=%{MATCHED_VAR}', chain"
SecRule REQUEST_BODY "@rx 123"
The above rule matches a request whose body is 'abc':
curl 127.0.0.1:86 -d 'abc'
The match is not expected, because the rule is a "chained" rule: the second rule requires the body to contain the string "123".
If I remove multiMatch, then everything is as expected.
SecRule REQUEST_BODY "@rx abc" "id:222, msg:'test', t:none, phase:2, block, capture, severity:'CRITICAL', tag:'attack-rce', tag:'paranoia-level/1', setvar:'tx.matched=%{MATCHED_VAR}', chain"
SecRule REQUEST_BODY "@rx 123"
curl 127.0.0.1:86 -d 'abc'     # does not match
curl 127.0.0.1:86 -d 'abc123'  # matches
So I think the multiMatch flag has a bug when it is used with a chain rule.
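
The verdicts the report expects can be written down as a small reference model, which is useful as a regression oracle when testing a fix. This is an added example, not part of the original report and not ModSecurity's code: it is a simplified model of the documented `chain` and `multiMatch` semantics, and all function names and the forgiving Base64 decoder are assumptions made for illustration.

```python
import base64
import re

NON_B64 = re.compile(r"[^A-Za-z0-9+/]")

def base64_decode_ext(value: str) -> str:
    """Forgiving Base64 decode (simplified stand-in for t:base64DecodeExt)."""
    cleaned = NON_B64.sub("", value)
    if len(cleaned) % 4 == 1:      # a lone trailing character carries no full byte
        cleaned = cleaned[:-1]
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode("latin-1")

def rule_matches(value, pattern, transforms=(), multi_match=False):
    """One link of a chain: @rx against the variable.

    Without multiMatch only the fully transformed value is tested. With
    multiMatch the value is tested before the transformations and after
    every transformation that changes it.
    """
    stages = [value]
    for transform in transforms:
        changed = transform(stages[-1])
        if changed != stages[-1]:
            stages.append(changed)
    candidates = stages if multi_match else stages[-1:]
    return any(re.search(pattern, stage) for stage in candidates)

def chain_matches(body, links):
    """A chained rule fires only if every link matches (logical AND)."""
    return all(rule_matches(body, **link) for link in links)

# The two rules from the report, reduced to what affects matching.
RULE_111 = [
    {"pattern": "abc", "transforms": (base64_decode_ext,), "multi_match": True},
    {"pattern": "123"},
]
RULE_222 = [{"pattern": "abc"}, {"pattern": "123"}]

def expected_verdicts():
    """Expected result for each (rule id, request body) pair in the report."""
    rules = {"111": RULE_111, "222": RULE_222}
    return {(rid, body): chain_matches(body, links)
            for rid, links in rules.items()
            for body in ("abc", "abc123")}

if __name__ == "__main__":
    for key, verdict in expected_verdicts().items():
        print(key, "match" if verdict else "no match")
```

In this model `multiMatch` only widens what the first link can match; the second link still has to match on its own, so a body of 'abc' never completes the chain.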