Rule 920470 seems to be too restricted and create false positives in PL1 #2438

Closed
mirkodziadzka-avi opened this issue Mar 18, 2022 · 3 comments
@mirkodziadzka-avi

Description

We see the case of an application which is using application/*+json as content type. This is blocked by rule 920470 in PL1.
While this content type is unusual, I think it does not qualify as "Illegal" and should not be blocked by 920470.

The following references
-> https://httpwg.org/specs/rfc7231.html#header.content-type
-> https://httpwg.org/specs/rfc7231.html#media.type
-> and finally https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6

seem to indicate that * is an allowed character in the content-type header sub-type.


To reproduce, I used the sandbox with the following request

$ curl -v -H  "Content-type: application/*+json" -H "X-Format-Output: txt-matched-rules" --data "{}" https://sandbox.coreruleset.org/ 
...
> POST / HTTP/1.1
> Host: sandbox.coreruleset.org
> User-Agent: curl/7.79.1
> Accept: */*
> Content-type: application/*+json
> X-Format-Output: txt-matched-rules
> Content-Length: 2
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 18 Mar 2022 16:35:03 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Unique-ID: YjS0txNdhbRUIQjSqRmn5AAAAIA
< x-backend: apache-3.3.2
< x-crs-pullrequest: invalid pull request number
< 
920470 PL1 Illegal Content-Type header
920420 PL1 Request content type is not allowed by policy
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 10)
980130 PL1 Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 10, 0, 0, 0

Audit Logs / Triggered Rule Numbers

920470 PL1 Illegal Content-Type header

Your Environment

Sandbox at https://sandbox.coreruleset.org/, default settings

Confirmation

[ x ] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
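A Content-Type checker built directly from the RFC 7230 token (tchar) grammar and the RFC 7231 media-type grammar linked in this issue, added here as an example; it is not the regex inside CRS rule 920470 and makes no claim about what that rule matches. The sample header values are constructed.

```python
import re

# RFC 7230 section 3.2.6: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#                                 "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA   ('*' is a tchar)
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
# quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE; qdtext excludes '"', '\' and controls other than HTAB
QUOTED_STRING = r'"(?:[^"\\\x00-\x08\x0a-\x1f\x7f]|\\[\t \x21-\x7e\x80-\xff])*"'
# RFC 7231 section 3.1.1.1: media-type = type "/" subtype *( OWS ";" OWS parameter )
#                           parameter  = token "=" ( token / quoted-string )
PARAM = rf"[ \t]*;[ \t]*(?P<name>{TOKEN})=(?P<value>{TOKEN}|{QUOTED_STRING})"
MEDIA_TYPE_RE = re.compile(rf"\A(?P<type>{TOKEN})/(?P<subtype>{TOKEN})(?P<params>(?:{PARAM})*)[ \t]*\Z")
PARAM_RE = re.compile(PARAM)


def parse_media_type(value):
    """Return (type, subtype, params) for a syntactically valid Content-Type value, else None."""
    m = MEDIA_TYPE_RE.match(value)
    if m is None:
        return None
    # type, subtype and parameter names are case-insensitive; parameter values are kept verbatim
    params = {p.group("name").lower(): p.group("value") for p in PARAM_RE.finditer(m.group("params"))}
    return m.group("type").lower(), m.group("subtype").lower(), params


def is_legal_content_type(value):
    return parse_media_type(value) is not None


# Constructed sample header values (not taken from real traffic).
SAMPLES = [
    "application/*+json",                                      # the header from this issue
    "application/json; charset=utf-8",
    'text/plain;charset="utf 8"',                              # quoted-string parameter value
    "multipart/form-data; boundary=----ExampleBoundary1234",
    "application/json; charset=",                              # parameter without a value
    "application/ json",                                       # whitespace inside the media type
    "json",                                                    # no type/subtype separator
    "text/html; a=b c=d",                                      # parameters must be ';'-separated
]


def classify(values):
    """Map each header value to whether it parses as a legal media type."""
    return {v: is_legal_content_type(v) for v in values}


if __name__ == "__main__":
    for header, legal in classify(SAMPLES).items():
        print(f"{'legal  ' if legal else 'illegal'}  {header}")
```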

@mirkodziadzka-avi changed the title from "Rule 920470 seems to restricted and create false positives" to "Rule 920470 seems to be too restricted and create false positives in PL1" on Mar 18, 2022
@airween
Contributor

airween commented Mar 18, 2022

Hi @mirkodziadzka-avi,

thank you for reporting. I think this is a bit more of a complex problem, so - as you can see - I've appended this issue to the next monthly chat, and we will discuss it.

Thanks again.

@lifeforms lifeforms self-assigned this Mar 21, 2022
@lifeforms
Member

I will add the * to the allowed characters somewhere this or next week. Thank you.

@lifeforms
Member

A PR proposal is in #2455. Please continue discussion there!
