-
-
Notifications
You must be signed in to change notification settings - Fork 344
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: false positives from PHP config directives and functions (933120 PL1, 933151 PL2) #3638
Conversation
Thank you for the PR @ssigwart. Don't merge just yet. Maybe there are alternatives to simply kicking out the keywords. |
I like your update. Did not play around with it so far, but I think this could be a good workaround. Also: Performance in chained rules is less of an issue since they are only executed if the original rule matches. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. I removed the extra capture.
I've been using this rule on a production site since yesterday and it seems to be working well.
Is there anything blocking this pr? An alternative has been found to outright kicking out the false positive keywords. |
@EsadCetiner, I don't think your question was directed towards me, but just in case, I'm not aware of anyone waiting on changes from me on this. |
No, this was addressed towards the team, @ssigwart. I removed the label. Ready for review. |
We probably don't need to set variable In the current form of the rule we may simplify the logging with these changes:
By the way, we probably can do the similar with rule |
@azurit, I updated it. I did noticed that the log message wasn't showing the most useful information, so I added variables to capture the original matched variable name and value. I'm looking into rule |
The following will work: http://localhost:8080/?test=great%20ceiling%20heights%20(9ft) The following will still trigger rule: http://localhost:8080/?test=ceiling%20(9ft)
I updated rule 933151 too now. The following will work: The following will still trigger rule: |
@azurit, what do you think of the test failure? It's no longer detecting |
Payload |
Test for |
Hmm, all tests for
@theseion What do you think about tests for |
I agree, the tests should be fixed. @theMiddleBlue did a huge clean up of other tests that had the same issue (body data + URI). I think it's copy pasta. The tests should also be properly separated into URI and body data tests. And test 6 should be dropped. |
I updated the tests, so they're all passing now. |
Looks good. I suggest you to add yourself into the |
Thanks. I updated the |
LGTM! @Xhoenix Can you merge this one? Thanks. |
Closes #3637