V3/collection re fix #2297
V3/collection re fix #2297
Conversation
|
A couple of observations:
|
|
Hi @martinhsv,
If someone wants to do that, how can he/she does it in case of mod_security2? The expected mode is case insensitive (but the documentation doesn't contain it). I think if you want to implement this feature, it would be more correct to introduce some new syntax (and make the relevant code).
Yes, that works as well - but you can see there are two issues about this problem (#2296, #1808) and one PR (#1810), so I think the users accustomed this form. |
|
Hi @airween , First off, apologies for the delay. I previously expressed some reservations about the change. I have put some more thought into this and am persuaded that this is the right thing to do. A couple of reasons:
(We also wanted to check that some futures features, such as supporting PCRE alternatives, would be unlikely to be hampered by this change.) @zimmerle and I discussed this earlier today, and I don't think we have any further concerns. This should get merged within a few days. |
|
Hi @martinhsv,
Thanks, it's good to read :). |
| { | ||
| "enabled":1, | ||
| "version_min":300000, | ||
| "title":"OWASP CRS id:920450", |
There was a problem hiding this comment.
I would prefer to have a title with a more meaningful message. If the test "OWASP CRS id:920450" fails, what does it means to the user?
| { | ||
| "enabled":1, | ||
| "version_min":300000, | ||
| "title":"OWASP CRS id:920450", |
Makefile.am
Outdated
| @@ -185,6 +185,7 @@ TESTS+=test/test-cases/regression/request-body-parser-xml-validade-dtd.json | |||
| TESTS+=test/test-cases/regression/rule-920120.json | |||
| TESTS+=test/test-cases/regression/rule-920200.json | |||
| TESTS+=test/test-cases/regression/rule-920274.json | |||
| TESTS+=test/test-cases/regression/rule-920450.json | |||
There was a problem hiding this comment.
I would expect a different name for that file. Explained below.
| @@ -0,0 +1,87 @@ | |||
| [ | |||
| { | |||
| "enabled":1, | |||
There was a problem hiding this comment.
Since this is a pull request that was well described in a issue i miss the github_issue tag.
There was a problem hiding this comment.
Thanks for info. The last commit contains both 'url' and 'github_issue' keys, in both test cases.
Note: it would be good to make some wiki page about your expectations for contributors. I'm sure these keywords are part of the regression test structure, but after 17 commits I've met with them first.
| }, | ||
| "rules":[ | ||
| "SecRuleEngine On", | ||
| "SecRule &TX:restricted_headers \"@eq 0\" \"id:901165,phase:1,pass,nolog,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'\"", |
There was a problem hiding this comment.
There is a value of having complex rules on the regression tests as it increases surface area for testing features. However, I am afraid that together with the complex example, we need to have a very simple use case scenario. If/When this test fails, it was a consequence of a problem on the selection of variables using regular expression or elsewhere (e.g. setvar)?
There was a problem hiding this comment.
I changed the rules in the new regression test file. I based @michaelgranzow-avi test cases, but there are only two cases, with same context: only the TX variable name format differ.
| }, | ||
| "request":{ | ||
| "headers":{ | ||
| "TRANSLATE": "test" |
There was a problem hiding this comment.
I would prefer to use real request headers, to mimic a real world example.
| }, | ||
| "rules":[ | ||
| "SecRuleEngine On", | ||
| "SecRule &TX:restricted_headers \"@eq 0\" \"id:901165,phase:1,pass,nolog,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'\"", |
There was a problem hiding this comment.
Same rule complexity issue explained below.
| "no need." | ||
| ] | ||
| }, | ||
| "expected":{ |
There was a problem hiding this comment.
Specially because the rules are complex, this test case could fail silent... as a combination of two (or more) failures. Better to also considers the debug and error log (when possible).
There was a problem hiding this comment.
I changed the test cases: both of them block the request, and gives the error_log, which used in "expected" block.
| "no need." | ||
| ] | ||
| }, | ||
| "expected":{ |
There was a problem hiding this comment.
Same comment above. Use error and debug logs.
This issue was initially reported by @michaelgranzow-avi on #2296. @airween made an initial attempt to provide a fixed at #2107; As a consequence of the pull request review - provided by @victorhora, @zimmerle, and @michaelgranzow-avi - @airween made a second attempt at #2297. After reviewing by @martinhsv, @zimmerle, I have absorbed the essential pieces from @airween patch into this one. This patch differs from @airween's because @airween's patches were partially working: Key exclusions with regex weren't covered, same for anchored variables (e.g. ARGS). During the review, I have highlighted the importance of having elementary test cases. A simple test case on ARGS could spot the issue. Since that is an important fix, I don't want to hold this for one more review cycle; therefore, I am committing the fix myself. Thank you all involved in the solution of this very own issue.
|
Closing this as consequence of 910a187. Thanks everybody involved on this issue resolution. |
This issue was initially reported by @michaelgranzow-avi on #2296. @airween made an initial attempt to provide a fixed at #2107; As a consequence of the pull request review - provided by @victorhora, @zimmerle, and @michaelgranzow-avi - @airween made a second attempt at #2297. After reviewing by @martinhsv, @zimmerle, I have absorbed the essential pieces from @airween patch into this one. This patch differs from @airween's because @airween's patches were partially working: Key exclusions with regex weren't covered, same for anchored variables (e.g. ARGS). During the review, I have highlighted the importance of having elementary test cases. A simple test case on ARGS could spot the issue. Since that is an important fix, I don't want to hold this for one more review cycle; therefore, I am committing the fix myself. Thank you all involved in the solution of this very own issue.
This issue was initially reported by @michaelgranzow-avi on owasp-modsecurity#2296. @airween made an initial attempt to provide a fixed at owasp-modsecurity#2107; As a consequence of the pull request review - provided by @victorhora, @zimmerle, and @michaelgranzow-avi - @airween made a second attempt at owasp-modsecurity#2297. After reviewing by @martinhsv, @zimmerle, I have absorbed the essential pieces from @airween patch into this one. This patch differs from @airween's because @airween's patches were partially working: Key exclusions with regex weren't covered, same for anchored variables (e.g. ARGS). During the review, I have highlighted the importance of having elementary test cases. A simple test case on ARGS could spot the issue. Since that is an important fix, I don't want to hold this for one more review cycle; therefore, I am committing the fix myself. Thank you all involved in the solution of this very own issue.
This PR is the cleaned version of #2107.
I've updated my local branch and forked a new one from current v3/master. Contains only one necessary commit, changed the variable name for better readability.
Edit: this PR fixes the #2296.