fix: remove non-unix commands from unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932237 PL-3)#4247
Conversation
…5 PL-1, 932250 PL-1, 932260 PL-1, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932237 PL-3)
|
📊 Quantitative test results for language: |
|
I see what you did. Makes sense. Now, these are mentions to files instead of commands, are they in another list or do we lose them? |
|
@fzipi Yes they still exist in unix-shell.data, that's where these entries came from. This PR just prevents those entries from being added to |
|
@EsadCetiner Can you please explain more what this PR does? You are talking only about modifying two scripts, which now excludes keywords |
The script uses |
@EsadCetiner Ok, got it, thanks. |
|
Wouldn't it be safer to use |
There was a problem hiding this comment.
Pull request overview
This PR refines the Unix RCE detection rules to stop treating non-command entries (notably /dev, /etc, /proc paths and similar) from unix-shell.data as shell commands, thereby reducing false positives such as the | SELF case reported in #4110 and in the linked phpMyAdmin plugin issue.
Changes:
- Updated the Unix shell regex assembly inputs (
unix-shell-upto3.ra,unix-shell-4andup.ra) to exclude non-command entries fromrules/unix-shell.dataandrules/unix-shell-builtins.data, and refreshed the generated command lists accordingly. - Regenerated the large assembled regexes in
REQUEST-932-APPLICATION-ATTACK-RCE.conffor several RCE rules (932230, 932235, 932250, 932260, 932220, 932236, 932239, 932237) to align with the cleaned command lists. - Tightened regression tests for rule 932235 by adding a new FP test for the
nulltoken and simplifying the PL1/PL2 false-positive exclusion lists that are now redundant with the cleaned sources.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml | Adds a regression test ensuring time null space is no longer flagged by rule 932235, covering the null-token change in the command lists. |
| rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf | Regenerates several RCE detection regexes so they no longer include non-command entries derived from /dev, /etc, /proc, and similar sources. |
| regex-assembly/include/unix-shell-upto3.ra | Adjusts the regeneration script to pre-filter non-command entries and updates the short-command list to drop items such as fd@, tcp@, and udp@. |
| regex-assembly/include/unix-shell-4andup.ra | Modifies the regeneration script to filter out non-command paths before assembling long-command patterns, updates the English-word suffixing step, and removes non-command tokens like group, null, shadow, zero, etc. |
| regex-assembly/exclude/unix-shell-fps-pl2.ra | Cleans up PL2 false-positive exclusions (e.g., removing null variants) that are now handled at the source list level. |
| regex-assembly/exclude/unix-shell-fps-pl1.ra | Simplifies PL1 FP exclusions by dropping entries (group, null, shadow, shells, tcp, zero, etc.) that no longer appear in the assembled command lists. |
| regex-assembly/exclude/unix-shell-fps-pl1-curated.ra | Removes now-redundant curated FP exclusions for group that are covered by the updated source filtering. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@azurit You got this one? Can I count on you for pushing it to the finish line? |
|
@fzipi Sure thing. |
|
@EsadCetiner There are still some invalid commands in the lists, at least: They were added in #3735 and maybe they can be completely removed. |
|
@azurit No those entries were not added in that PR, and no they are not invalid commands. coreruleset/rules/unix-shell.data Line 227 in 3f83126 |
What about this? |
|
@azurit Sorry, I missed that. It's fixed now. |
|
@EsadCetiner Good work, thank you! |
The Unix RCE rules uses
unix-shell.dataas a source of truth as to what commands it should be blocking, some entries in that list are not commands (some are /dev/ or /proc/ files) and are as a result being treated as a unix command as can be seen in issues like #4110.This PR modifies the scripts used to generate
unix-shell-upto3.raandunix-shell-4andup.rato exclude these entries so non-unix commands are not blocked along with the risk of false positives.closes: coreruleset/phpmyadmin-rule-exclusions-plugin#31