
Is it possible to use regex groups with alternatives for SecRuleUpdateTargetById? #3299

Closed
studersi opened this issue Nov 13, 2024 · 4 comments
Labels
2.x Related to ModSecurity version 2.x

Comments

@studersi

Describe the bug

If we use the following rule and rule exclusion, the configuration does not pass the syntax check:

SecRule ARGS:foo|ARGS:bar "@rx ^.*" "id:1,deny"
SecRuleUpdateTargetById 1 "!ARGS:/(foo|bar)/"

AH00526: Syntax error on line XXX of /opt/apache24/conf/httpd.conf:
Error parsing rule targets to append variable

However, the following is accepted by the syntax check and the rule exclusion is working as expected:

SecRule ARGS:foo|ARGS:bar "@rx ^.*" "id:1,deny"
SecRuleUpdateTargetById 1 "!ARGS:/(foo)/"

Should this be possible or is this simply not supported?

Logs and dumps

See above.

To Reproduce

Steps to reproduce the behavior:

  1. Add rule and rule exclusion to config file
  2. Restart Apache -> fails with error message

Expected behavior

I would expect the rule exclusion to remove both ARGS:foo and ARGS:bar from rule 1 instead of failing the syntax check.

Server (please complete the following information):

  • ModSecurity version (and connector): v2.9.8
  • WebServer: Apache 2.4.62
  • OS (and distro): Linux, RHEL
@dune73
Member

dune73 commented Nov 13, 2024

Ah, interesting. I've come across this before. Good there is now a bug report covering it.

@studersi
Author

Yes, and we also found out that for older versions (confirmed on v2.9.7) there was no syntax error but the exclusion did not work either.

With respect to the case described above, it means that this rule exclusion would pass the syntax check but access to https://example.com/?foo=x would still be blocked.

SecRule ARGS:foo|ARGS:bar "@rx ^.*" "id:1,deny"
SecRuleUpdateTargetById 1 "!ARGS:/(foo|bar)/"

While the following would still work as expected, allowing https://example.com/?foo=x to be accessed.

SecRule ARGS:foo|ARGS:bar "@rx ^.*" "id:1,deny"
SecRuleUpdateTargetById 1 "!ARGS:/(foo)/"

@marcstern

Can you try to enclose your regex in single quotes?
ARGS:'/(foo|bar)/'

@studersi
Author

Using single quotes instead of double quotes to surround the argument yields the same result as before:

SecRule ARGS:foo|ARGS:bar "@rx ^.*" "id:1,deny"
SecRuleUpdateTargetById 1 '!ARGS:/(foo|bar)/'

AH00526: Syntax error on line XXX of /opt/apache24/conf/httpd.conf:
Error parsing rule targets to append variable

However, using single quotes around only the regex, as @marcstern suggests, appears to solve the problem.

SecRule ARGS:foo|ARGS:bar "@rx ^.*" "id:1,deny"
SecRuleUpdateTargetById 1 !ARGS:'/(foo|bar)/'

I can now access both https://example.com/?foo=x and https://example.com/?bar=x. This is true for both v2.9.7 and v2.9.8.

Thank you @marcstern for the suggestion.
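
The pattern confirmed in this thread, written as a configuration check (an added example, not part of the issue thread or the ModSecurity project): it flags `SecRuleUpdateTargetById` targets whose `/regex/` selector contains `|` without single quotes around the regex, the form that fails the syntax check on v2.9.8 and, per the thread, passes on v2.9.7 without excluding anything. The function names, the sample config and the quote handling (a quote is stripped only when it starts an argument, assumed to match how the argument reaches ModSecurity) are assumptions made for the example.

```python
import re

# Constructed sample: the four exclusion spellings tried in the thread.
SAMPLE = """\
SecRule ARGS:foo|ARGS:bar "@rx ^.*" "id:1,deny"
SecRuleUpdateTargetById 1 "!ARGS:/(foo|bar)/"
SecRuleUpdateTargetById 1 '!ARGS:/(foo|bar)/'
SecRuleUpdateTargetById 1 !ARGS:'/(foo|bar)/'
SecRuleUpdateTargetById 1 "!ARGS:/(foo)/"
"""

DIRECTIVE = re.compile(r"^\s*SecRuleUpdateTargetById\s+(\S+)\s+(.*)$", re.I)
# A /regex/ selector containing "|" that is not wrapped in single quotes.
ALTERNATION = re.compile(r":/[^/']*\|[^/']*/")


def _words(rest):
    """Split arguments; a quote delimits a word only when it starts the word
    (assumption about how the argument reaches ModSecurity)."""
    out, i = [], 0
    while i < len(rest):
        if rest[i].isspace():
            i += 1
        elif rest[i] in "\"'":
            end = rest.find(rest[i], i + 1)
            end = len(rest) if end == -1 else end
            out.append(rest[i + 1:end])
            i = end + 1
        else:
            j = i
            while j < len(rest) and not rest[j].isspace():
                j += 1
            out.append(rest[i:j])
            i = j
    return out


def find_unquoted_alternations(config_text):
    """Return (line number, rule id, target) for each risky exclusion."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            findings += [(lineno, m.group(1), t)
                         for t in _words(m.group(2)) if ALTERNATION.search(t)]
    return findings


if __name__ == "__main__":
    for lineno, rule_id, target in find_unquoted_alternations(SAMPLE):
        print(f"line {lineno}: rule {rule_id}: quote the regex in {target}")
```

Backslash-escaped quotes and continuation lines are not handled; the check only covers single-line directives like the ones in this thread.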
