Monthly Chat Agenda May (2020-05-04)

[franbuehler]

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, May 4, at 20:30 CET.

Items on the Agenda:

Previous Meetings decisions: here

PRs

• New ldap injection rule 921200 (fixes issue #276) #1707 New ldap injection rule 921200 (fixes issue LDAP Injection Rule #276)
• Perf issue with regexes that start with repeating digits #1708 Perf issue with regexes that start with repeating digits
• Add word boundaries around values in SQL tautologies (942130) #1710 Add word boundaries around values in SQL tautologies (942130) - reviewed, approved by @franbuehler. Ready to be merged.
• Fix content type whitelist #1734 Fix content type whitelist (feedback @franbuehler: rule only on test system, @lifeforms?)
• Fix link for 941310 #1735 Fix link for 941310
• WordPress: exclude additional URL fields in profile editor #1738 WordPress: exclude additional URL fields in profile editor
• XenForo: update exclusions #1739 XenForo: update exclusions
• Make Content-Type case insensitive #1740 Make Content-Type case insensitive (on hold until Content-Type var fix ModSec v2 v3 900220 soap xml #1748 is merged)
• Suppress rule 200002 when editing contacts in Nextcloud #1742 Suppress rule 200002 when editing contacts in Nextcloud
• Allow REPORT requests without Content-Type header in Nextcloud #1743 Allow REPORT requests without Content-Type header in Nextcloud
• Update README.md #1744 Update README.md
• Changed variable to lowercase (fixed #1741) #1745 Changed variable to lowercase (fixed Rule 920450 and modsec 3x  #1741)
• Fix 921120 FP #1746 Fix 921120 FP (resolves issue Rule 921120: False positive #1615)
• Content-Type var fix ModSec v2 v3 900220 soap xml #1748 Content-Type var fix ModSec v2 v3 900220 soap xml
• Added 'ver' action with current version to all necessary rules (fix for #650) #1750 Added 'ver' action with current version to all necessary rules (fix for Consistent support for the "ver" action #650)

PRs on hold

• 932200: PL1 RCE bypass uninitialized variable (DRAFT) #1602 932200: PL1 RCE bypass uninitialized variable (DRAFT) (Has been in need of action for a long time)
• Revert #578 #1616 Revert Add urlDecodeUni() operation to ARG/ARGS_NAMES #578 (Needs action)
• RE2 compatibility for 920120 #1663 RE2 compatibility for 920120 (no feedback from CDN unfortunately)
• Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) #1667 Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) (In progress)
• Extend sql having in rule 942230 #1674 Extend sql having in rule 942230 (no feedback from CDN unfortunately)
• Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf #1690 Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf (Needs action)

Other items

• GitHub migration scheduled for March 18 had to be cancelled / postponed. TW and CRS do not agree on the procedure. Migration team: @dune73, @lifeforms and @fzipi.
  A full test was performed today, you will see that every issue has a mention from the friendly CRS-migration-bot. You can see the results in https://github.com/crstest01/owasp-modsecurity-crs. There is also a plan to perform the migration, we only need to set the date with Trustwave.

Feel free to add items as you see fit either above, or below as comments.

Open Issues

In January 2020, we decided to look into 10 issues at the chat every month. But only after the Other items. Pick the issues before the meeting and list them below.

• Issue slot 1: Regression Tests in CRS doesn't have Tests for some of the CRS Rules #1666
• Issue slot 2: FP 942100 MySQLi rule triggered?  #1711
• Issue slot 3: DoS rule triggering with static (png) file #1726
• Issue slot 4: SQLi bypass at PL1(CRS 3.2.0) #1727
• Issue slot 5: NextCloud False Positive #1736
• Issue slot 6: WordPress JetPack False Positive #1737
• Issue slot 7: rule 920300 title / details mismatch #1751

If you are not yet on the OWASP Slack, here is your invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM .
Everybody is welcome to join our community chat.

[dune73]

Decisions

PRs

• New ldap injection rule 921200 (fixes issue #276) #1707 merge
• Perf issue with regexes that start with repeating digits #1708 @airween und Mirko will work on this PR and see it or a new PR getting merged during May
• Add word boundaries around values in SQL tautologies (942130) #1710 merge
• Fix content type whitelist #1734 merge
• Fix link for 941310 #1735 merge
• WordPress: exclude additional URL fields in profile editor #1738 merge
• XenForo: update exclusions #1739 merge
• Make Content-Type case insensitive #1740 stalled until Content-Type var fix ModSec v2 v3 900220 soap xml #1748 is merged. Then @franbuehler needs somebody to talk this through.
• Suppress rule 200002 when editing contacts in Nextcloud #1742 merge
• Allow REPORT requests without Content-Type header in Nextcloud #1743 merge
• Update README.md #1744 Assigning @franbuehler to review and investigat the use of ENV variables
• Changed variable to lowercase (fixed #1741) #1745 merge
• Fix 921120 FP #1746 review by @fzipi
• Content-Type var fix ModSec v2 v3 900220 soap xml #1748 merge and make sure we note the config change in the release notes (-> issue: Note config change of tx.allowed_request_content_type in the v3.3 release notes #1752)
• Added 'ver' action with current version to all necessary rules (fix for #650) #1750 merge

Other Items

• Repo migration is now planned (but not confirmed by TW) for Wednesday May 13.
• The migration will happen with a helper script and a migration bot programmed by @fzipi. This will copy all issues via the API and make sure the IDs remain the same! A test migration went smooth and @nerrehmit will now check the result carefully (-> https://github.com/fzipi/crs-migration)
• We are seeing less active developers in the project. This is probably natural turnover, but it is painful for the project. We will schedule a talk about this at the next meeting.

Issues

• rule 920300 title / details mismatch #1751 -> @dune73
• NextCloud False Positive #1736 -> @fzipi
• WordPress JetPack False Positive #1737 -> @lifeforms
• Regression Tests in CRS doesn't have Tests for some of the CRS Rules #1666 -> @franbuehler
• SQLi bypass at PL1(CRS 3.2.0) #1727 -> @mirkodziadzka-avi
• DoS rule triggering with static (png) file #1726 -> @fzipi
• FP 942100 MySQLi rule triggered?  #1711 -> @franbuehler