Monthly Chat Agenda April 2024 (2024-03-01 and 2024-04-15)

[dune73]

This is the Agenda for the two Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2024-04-01, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2024-04-15. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decision are here.

What happend in the meantime since the chat last month

Outside development

• FIXME

Inside development

Rules

• FIXME: Please fill in

CRS Sandbox

• sandbox blocking mode doesn't work #3609 - A fix is working locally but haven't been pushed because of container hiccups.

Security

• No news on this front.

Plugins

• FIXME: Please fill in

Documentation and Public Relations

• We are working on a new version for the website.

Project Administration and Sponsor relationships

• FIXME: Please fill in

Tools

• crs-toolchain version 2.2.0 with fixes available.

Testing incl. Seaweed and many future plans

• No updates on this front.

Containers

• We are testing the Alpine Apache image using the CIS Benchmark for Apache
• Now apache and nginx images run using unprivileged users

CRS Status Page

• No progress

Project discussions and decisions

• #3623 -> do we want to handle this long accept-encoding header in CRS and allow a value of 100 instead of 50 OR do we say that the user has to write an exclusion rule for this exotic use-case?
• release policy - we need to update the existing policy to reflect what we are pushing now.
• Azurit has a series of additional plugins he wants to bet listed or made official. How do we go about this in an effective manner?
• Hardening of the Apache Alpine docker container according to CIS benchmark (see https://docs.google.com/document/d/1Li2LNSWXSAKOHr5VmO0UgEyMsFQO-Cb915S69GiJ1Lo/edit)

Rules development, key project numbers

PRs that have been merged since the last meeting

• chore: update version post-release #3626
• fix: typo in encoding name #3627
• chore: release v4.1.0 #3625
• fix: merge_group does not have paths child #3621
• fix: add missing variable and fix lint issues #3622
• fix(tests): do not send test GET requests with an HTTP request body #3617
• chore: next attempt at fixing changelog PR script #3620
• chore: changelog updates for 2024-03-18, merged by @dune73 #3618
• chore: consolidate CONTRIBUTORS.md after 4.0 #3619
• fix: range expressions must not start with \v #3615
• chore: changelog updates for 2024-03-16, merged by @fzipi #3614
• chore(deps): update workflow actions #3613
• refactor: Replace cnn.com with coreruleset.org #3612
• feat: add support for additional ansible and chef commands (932160 PL-1, 932161 PL-2, 932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) #3601
• chore: try to give job full access #3606
• fix: update permissions for changelog-pr workflow #3604
• feat: base changelog PRs on existing changelog PRs #3600
• chore: changelog updates for 2024-03-04, merged by @dune73 #3599
• fix: set explicit token permissions for workflows #3602
• chore(ci): enable running on merge_group #3598
• fix: prevent FPs against URL fragments in Referer header #3485

We merged 21 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

• feat: Split Node-Validator keywords functionally #2637

• feat: auto-sync to coreruleset/documentation #3292

• fix: add missing roundcube files (930120 PL-1, 930121 PL-2, 930130 PL-1, 932180 PL-1) #3635

• feat: commenting out unneeded PL skipping rules to gain performance #3595

• fix: adjust the order of t:urlDecodeUni and t:utf8toUnicode in 941160 PL1 #3450

• As of Monday, we have FIXME open issues.

• As of Monday, we have FIXME open pull requests.

Separate 2nd Meeting (Monday, 2024-FIXME)

• feat: block The Mysterious Mozlila User Agent bot (913100 PL1) #3646
• feat: accidental firewall disability prevention #3650
• FP 932260: Name of "Axel" #3644
• CIS Benchmark for Apache Docker Container

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.

[fzipi]

Decisions April 1

Accept-encoding length
🔵 Decision: looks like going up to 100 will solve the problem reported, and won't break anything. So we decided to go 100.

Release Policy
🔵 Decision: @fzipi will create a new drive document so we can start collaborating on a policy document.

Plugin adoption
🔵 Decision: @azurit will create a new PR template with the steps for plugins to be accepted using https://github.com/coreruleset/coreruleset/wiki/New-plugin-creation-and-integration as base.

[franbuehler]

Decisions April 15

OWASP summit / CRS retreat
🔵 Decision: CRS would participate the official OWASP summit as a project. We hope for some exchange with other projects, but we really want to work on CRS as productively as possible.

Mozlila User Agent
🔵 Decision: We want to block this. We don't see it as legitimate.

Disable FW prevention
🔵 Decision: no agreement on this question tonight. We need more time to think about this and then take it into the Agenda in May.

Axel
🔵 Decision: @theseion will take a look and @franbuehler will help

CIS Benchmark for Apache Docker Container
🔵 Decision: Everything that can not obviously be exploited should be left as per default because anything we change we will have to maintain. @dune73 will try to get the low hanging fruits sorted and then maybe add documentation to talk about hardening.