Monthly Chat Agenda June 2023 (2023-06-05 and 2023-06-19)

[RedXanadu]

This is the Agenda for the two Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2023-06-05, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2023-06-19. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decision are here.

What happened in the meantime since the chat last month

Outside development

• Coraza getting serious about NGINX - Right after the release of v3, Coraza created an issue where they look for an nginx module engineer to help with Coraza integration. See below for CRS discussion.
• Fastly blog post ranting about Regex based WAFs (like us)
• Long series of blog posts and tutorials with ModSecurity installation advice. All rather superficial giving the impression that the problem was the installation not the operation. Also: All of them mention ModSecurity but only half of them name the CRS project.
• Coraza v3 is out

Inside development

Rules

• Ready to accept HTTP/3? There is a queue of users waiting for PR feat: HTTP/3 support #3218

CRS Sandbox

• FIXME: Please fill in

Security

• We're currently tracking 3 security reports.

Plugins

• FIXME: Please fill in

Documentation and Public Relations

• 📜 Three new blog posts published.
  (If you're happy to do so, help us by liking/boosting our LinkedIn posts and our Twitter posts!)
  • A brief report on the CRS Community Summit 2023 (LinkedIn)
  • What we learnt from our bug bounty program: It’s not for the faint of heart (Twitter, LinkedIn)
  • Follow the CRS project on YouTube (Twitter, LinkedIn)

Project Administration and Sponsor relationships

• 🚀 Existing SILVER sponsor is upgrading to GOLD

Tools

• go-ftw: added new flags to wait for services to be up (--wait-for... flags)
• crs-toolchain: now with self-update! ™️

Testing incl. Seaweed and many future plans

• No news here.

Containers

• FIXME: Please fill in

CRS Status Page

• On hold until CRS v4 is out.

Project discussions and decisions

• Fix date and location for developer retreat: We're looking into spending Sat Nov 4 - Sat Nov 11 around Budapest in Hungary.
• Proposal to rename the project from OWASP ModSecurity Core Rule Set to OWASP WAF Core Rule Set or simply to OWASP Core Rule Set by @fzipi. This will be more in line that we support other engines.
• Item carried over from April and May meetings: agreed to formally add to the agenda for discussion at the June meeting.
  Coraza/libcoraza: Should the CRS project pay for someone to build an Nginx connector?
  • We were waiting on the imminent milestone release of Coraza due out in May: Coraza v3.
• Item carried over from second May meeting:
  PR feat: scanner overhaul: new rules, new data files #3202
  • Is this really what we want?
  • How to maintain this - fix future FPs?
  • Do we do a tag? Which one?
• Roadmap to CRS v4 release
• v3.3.5. We agreed at the February meeting to do a 3.3.5 patch-based fix release with the scoring/PL fixes, along with a blog post.
  • Can we agree on the messaging that we're happy to publish to users, vendors, etc. (i.e. "we will not provide a formal fix release because <reason>") so that the blog post writing can begin now? Are we happy to just say "we don't have time to do a formal release"?
• feat: updated ssrf.data and java-classes.data #3219: Do we want to include 127.0.0.1 and friends into the into ssrf rule?
• 📝 Meeting agendas: GitHub issue editing is not very robust when there are multiple users… We're having problems whereby CRS team members accidentally overwrite each other's edits (and even overwrite their own edits!) when adding things to a meeting agenda GitHub issue. Even refreshing the page first doesn't always help. Is there a better system for us to use?
  • Collaborate in a Google Doc? Then we copy-paste it into a GitHub issue just before the meeting?
  • Something else?

Rules development, key project numbers

PRs that have been merged since the last meeting

• feat: updated web-shells-php.data #3215
• feat: updated sql-errors.data #3214
• feat: added newer PHP functions #3213
• feat: added php Fileinfo functions and update restricted-files.data #3212
• fix: use the correct entrypoint defenitions for containers #3211
• chore: update example tests in CONTRIBUTING.md #3209
• feat: Adding credentials file of October CMS into restricted files #3210
• chore: adds Matteo Pace to list of Developers #3208
• fix: fix fp in 942330 by adding word boundaries #3207

We merged 9 PRs since the last monthly project chat.

Open PRs marked DRAFT or work in progress or needs action

• fix: Add missing content and crs-toolchain links #3223
• feat(933151): update PHP fn to latest version #3228
• feat: updated ssrf.data and java-classes.data #3219
• feat: HTTP/3 support #3218
• fix: Rework restricted headers #3152
• fix(934100): improve transformation pipeline #3203
• feat: scanner overhaul: new rules, new data files #3202
• feat(windows): update windows commands list #3170
• fix: fixed tests and descriptions #3201
• fix: exclude well known user agents from unix commands #3190
• fix: 933161 regex #2302
• fix: change order of base64decode in NODEJS Attack #3184
• feat: Split Node-Validator keywords functionally #2637
• Negative lookarounds for rule 941310 to stop matching Japanese word Company. #2666

Open issues and PRs

• As of Monday, we have 113 open issues.
• As of Monday, we have 18 open pull requests.

Separate 2nd Meeting (Monday, 2023-06-19)

• Talk about PHP function rules overhaul: feat(933151): update PHP fn to latest version #3228
  This is the last major rules construction site before we can tackle the release candidate.
• add 3rd party RoundCube, SOGo and iRedAdmin Plugin plugin-registry#13: exclusion rules plugin for RoundCube -> 3 separate plugins?
• Use GitHub wiki for agenda (https://docs.github.com/en/communities/documenting-your-project-with-wikis/adding-or-editing-wiki-pages#adding-or-editing-wiki-pages-locally)?

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.

[franbuehler]

Decisions June 5th

• Fix date and location for developer retreat: We're looking into spending Sat Nov 4 - Sat Nov 11 around Budapest in Hungary.

🔵 Decision: Shift the dates to Sunday Nov 5th - Sunday Nov 12th

• Proposal to rename the project from OWASP ModSecurity Core Rule Set to OWASP WAF Core Rule Set or simply to OWASP Core Rule Set by @fzipi. This will be more in line that we support other engines. -> We want to erase ModSecurity from our name and we want to develop a plan how to pull this off in a useful timeframe. We'll continue the conversation during the next few weeks how to get there.

🔵 Decision: General agreement to change the project name at some future time. Next steps are: create a plan; talk with our communications/PR partner; continue the discussion inside the project.

• Item carried over from April and May meetings: agreed to formally add to the agenda for discussion at the June meeting.
  Coraza/libcoraza: Should the CRS project pay for someone to build an Nginx connector?
  • We were waiting on the imminent milestone release of Coraza due out in May: Coraza v3.

🔵 Decision: No concrete plans from the CRS side at this time, but CRS is still open to providing financial support (and Coraza now have an advert out to find a developer for this project). Issue left open for further thought and discussion.

• Item carried over from second May meeting:
  PR feat: scanner overhaul: new rules, new data files #3202
  • Is this really what we want?
  • How to maintain this - fix future FPs?
  • Do we do a tag? Which one?

🔵 Decision: Agreed with @dune73's proposal: keep a short list of known bad scanners and lose the rest (could be a plugin in the future). @dune73 agreed to prepare the necessary PRs.

• Roadmap to CRS v4 release

🔵 Decision: Wait until the end of the week and see if the word list issues are completed, as these are holding up the CRS v4 release.

• v3.3.5. We agreed at the February meeting to do a 3.3.5 patch-based fix release with the scoring/PL fixes, along with a blog post.
  • Can we agree on the messaging that we're happy to publish to users, vendors, etc. (i.e. "we will not provide a formal fix release because <reason>") so that the blog post writing can begin now? Are we happy to just say "we don't have time to do a formal release"?

🔵 Decision: General agreement. Focus on how much work it has taken to bring out CRS v4, and no time to complete a real 3.3.5 release. @RedXanadu agreed to write this.

• feat: updated ssrf.data and java-classes.data #3219: Do we want to include 127.0.0.1 and friends into the into ssrf rule?

🔵 Decision: Yes: add this in for RC 2 and see what happens.

• 📝 Meeting agendas: GitHub issue editing is not very robust when there are multiple users… We're having problems whereby CRS team members accidentally overwrite each other's edits (and even overwrite their own edits!) when adding things to a meeting agenda GitHub issue. Even refreshing the page first doesn't always help. Is there a better system for us to use?
  • Collaborate in a Google Doc? Then we copy-paste it into a GitHub issue just before the meeting?
  • Something else?

🔵 Decision: Not discussed due to time constraints. To be considered before the next meeting.

[franbuehler]

Decisions June 19

• Talk about PHP function rules overhaul: feat(933151): update PHP fn to latest version #3228
  This is the last major rules construction site before we can tackle the release candidate.
  🔵 Decision: @theseion will do a new spell.sh that no longer uses spell, but a new and modern tool. This PR will just be a quick solution. In CRS 4.1 this could be rewritten again and then be added to crs-toolchain.
  🔵 Decision: @M4tteoP will work with @dune73 to put everything into a new PR.
• add 3rd party RoundCube, SOGo and iRedAdmin Plugin plugin-registry#13: exclusion rules plugin for RoundCube -> 3 separate plugins?
  🔵 Decision: Yes, the contributor will provide 3 plugins with 3 id ranges.
• Use GitHub wiki for agenda (https://docs.github.com/en/communities/documenting-your-project-with-wikis/adding-or-editing-wiki-pages#adding-or-editing-wiki-pages-locally)?
  🔵 Decision: Yes, let's try this for the July meeting. Pros: Preferable to stay in one place (GitHub) rather than spreading out into Google Docs, if possible. And world visible while Google docs in our google drive is not. @theseion has the idea to check the possibility to use iframe in the issue.