Skip to content

Enable multiline mode for rx #732

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Mar 23, 2023
Merged

Enable multiline mode for rx #732

merged 4 commits into from
Mar 23, 2023

Conversation

anuraaga
Copy link
Contributor

I noticed ModSec uses dotall / multiline for regex

https://github.com/SpiderLabs/ModSecurity/blob/1feaa7d24b3ae19e6d9d2a4c055d64cd8a305aa1/src/utils/regex.cc#L68

Currently one CRS test fails because of the lack of multiline. I added dotall as well to match modsec though no CRS tests fail without it.

@anuraaga anuraaga requested a review from a team as a code owner March 23, 2023 04:13
anuraaga
anuraaga commented Mar 23, 2023
View reviewed changes
operators/rx_test.go Outdated
@@ -38,6 +38,12 @@ func TestRx(t *testing.T) {
input: "グッバイワールド",
want: false,
},
// Requires dotall
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I couldn't come up with a simplified unit test for requiring multiline. The failing one is

https://github.com/coreruleset/coreruleset/blob/v4.0/dev/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf#LL1507C37-L1507C37

I tried using ^ and \b together but it didn't seem to fail without the m option. Any other regex gurus able to suggest a simple unit test that fails without m?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ping @theseion

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test seems not working without m:

// Requires multiline
{
	pattern: `^hello.*world`,
	input:   "test\nhello\nworld",
	want:    true,
},

--- FAIL: TestRx (0.00s)
    --- FAIL: TestRx/^hello.*world/test_hello_world (0.00s)
        /Users/matteopace/Repo/coraza/operators/rx_test.go:71: want true, got false

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good one.

anuraaga
anuraaga commented Mar 23, 2023
View reviewed changes
operators/rx.go Outdated
@@ -19,6 +20,7 @@ var _ rules.Operator = (*rx)(nil)

func newRX(options rules.OperatorOptions) (rules.Operator, error) {
data := options.Arguments
data = fmt.Sprintf("(?sm)%s", data)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There isn't a programattic way to do it with Go but this seems like the way. Note I verified that multiple instances of (?sm) etc work so even if the input expression from CRS were to change to include options in the future, it wouldn't break.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Rag, now it's clear how 942522 was supposed to match against 942522-7!
I would Maybe just add a comment about what this line tweak is for?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I am not a big fan of mutating user input I believe there is no other way to achieve this as even Go people recommends this https://groups.google.com/g/golang-nuts/c/jiVdamGFU9E

@codecov
Copy link

codecov bot commented Mar 23, 2023
edited
Loading

Codecov Report

Patch coverage: 100.00% and no project coverage change.

Comparison is base (be84e18) 81.82% compared to head (fabcd64) 81.82%.

❗ Current head fabcd64 differs from pull request most recent head d021b6e. Consider uploading reports for the commit d021b6e to get more accurate results

Additional details and impacted files 
@@           Coverage Diff           @@
##           v3/dev     #732   +/-   ##
=======================================
  Coverage   81.82%   81.82%           
=======================================
  Files         149      149           
  Lines        8280     8282    +2     
=======================================
+ Hits         6775     6777    +2     
  Misses       1286     1286           
  Partials      219      219
Flag Coverage Δ
default 77.85% <100.00%> (+<0.01%) ⬆️
examples 25.66% <0.00%> (-0.01%) ⬇️
ftw 49.59% <100.00%> (+0.01%) ⬆️
ftw-multiphase 49.70% <100.00%> (+0.01%) ⬆️
tinygo 77.00% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
operators/rx.go 78.57% <100.00%> (+1.64%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@jptosso
Copy link
Member

jptosso commented Mar 23, 2023
edited
Loading

What about https://pkg.go.dev/regexp/syntax#Parse regexp.Parse("regex", flags...)
Also, can we concatenate multiple flags? Like (?sm)(?i).... Some CRS regexes uses the case insensitive flag

jcchavezs
jcchavezs reviewed Mar 23, 2023
View reviewed changes
operators/rx.go Outdated
@@ -19,6 +20,7 @@ var _ rules.Operator = (*rx)(nil)

func newRX(options rules.OperatorOptions) (rules.Operator, error) {
data := options.Arguments
data = fmt.Sprintf("(?sm)%s", data)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
data = fmt.Sprintf("(?sm)%s", data)
// (?sm) enables multiline mode, see https://stackoverflow.com/a/27680233
// for more info
data = fmt.Sprintf("(?sm)%s", data)

@jcchavezs jcchavezs enabled auto-merge (squash) March 23, 2023 16:32
@jcchavezs jcchavezs merged commit b8e5c6d into corazawaf:v3/dev Mar 23, 2023
@jcchavezs
Copy link
Member

jcchavezs commented Mar 23, 2023 via email

@anuraaga
Copy link
Contributor Author

Also, can we concatenate multiple flags? Like (?sm)(?i).... Some CRS regexes uses the case insensitive flag

@jptosso I added a test case to verify concatenating flags works fine

https://github.com/corazawaf/coraza/compare/v3/dev...anuraaga:test-insensitive?expand=1

regexp/syntax only parses an expression and it is possible but tedious to actually execute it, prepending is probably more practical and seems to work fine

M4tteoP pushed a commit to M4tteoP/coraza that referenced this pull request Mar 28, 2023
@anuraaga @jcchavezs @M4tteoP
Enable multiline mode for rx (corazawaf#732)
3a1f67e 
* Enable dotall/multiline mode for rx

---------

Co-authored-by: José Carlos Chávez <jcchavezs@gmail.com>
@M4tteoP M4tteoP mentioned this pull request Jul 24, 2023
Closed
@M4tteoP M4tteoP mentioned this pull request Aug 7, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@M4tteoP M4tteoP M4tteoP left review comments

@jcchavezs jcchavezs jcchavezs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@anuraaga @jptosso @jcchavezs @M4tteoP