-
-
Notifications
You must be signed in to change notification settings - Fork 344
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rule 933150 Has False Positive for URLs #3641
Comments
I have a possible fix of adding a chain. Please let me know if you want me to open a PR for this.
|
@ssigwart Thanks for reporting this. Your solution looks too complex and prone to errors. For example, you are not catching |
Yes, it's probably too specific. But you got the hang of this really quickly @ssigwart. Congratulations on your progress with the rule language. |
I'm a bit confused by this comment. However, I can test I tested locally with these: |
I think what's needed here is a rule exclusion to tune away that false positive. We have some great documentation on how to do that. Please shout if we can help with that and we will. We've done a lot of work recently on resolving false positives with natural language, but E.g. "Print forty pages" would be a big problem if that caused false positives, but something like "sprintforwards" is not natural language and should probably be addressed with a rule exclusion if it's causing a problem in a specific deployment. |
Thanks, @RedXanadu. I have already tweaked rules to prevent the FP in our code, so I'm fine with you closing this if you want. I do find it odd that it's picking up substrings though. I can definitely see how it would be really hard to prevent FPs on some things and I'm not an expert on the types of attacks these try to prevent, but wouldn't matching with Ha. I fall under the https://coreruleset.org/docs/concepts/false_positives_tuning/#directly-modifying-crs-rules section with the big red warning that it's a bad idea. In our case, I think it's actually the best way for us to handle it. For rules we want to exclude, we don't want to totally ignore it, so I typically add a chain rule to ignore certain patterns that seem like likely FPs. I know why it's documentation as a bad practice though. It's a pain doing the diff of the rule set each time there's an update to see which customizations I need to apply. There's not a great alternative for what I'm going though, right? |
Description
The PHP
printf
rule is triggering issues on URLs like "SprintForTheCause".How to reproduce the misbehavior (-> curl call)
curl -H "x-format-output: txt-matched-rules" https://sandbox.coreruleset.org/SprintForTheCause
Confirmation
passwords, domain names) from any logs posted.
The text was updated successfully, but these errors were encountered: