Skip to content

fix: remove bypass-vulnerable content types from default allow lists#4365

Merged
fzipi merged 3 commits into
mainfrom
fix_content-type_bypasses
Jan 12, 2026
Merged

fix: remove bypass-vulnerable content types from default allow lists#4365
fzipi merged 3 commits into
mainfrom
fix_content-type_bypasses

Conversation

@RedXanadu
Copy link
Copy Markdown
Member

@RedXanadu RedXanadu commented Nov 28, 2025
edited by fzipi
Loading

Proposed changes

Fixes #4362

Remove content types that we do not parse/process by default from the stock list of allowed request content types.

Note: This PR is intentionally limited in scope to fixing the original bypass/issue. If we want to discuss "should we add more default allowed content types?" and "should we override modsecurity.conf-recommended body processor rules in CRS?" then we can have that conversation separately.

PR Checklist

  • I have read the CONTRIBUTING doc
  • I have added positive tests proving my fix/feature works as intended.
  • I have added negative tests that prove my fix/feature considers common cases that might end in false positives n/a
  • In case you changed a regular expression, you are not adding a ReDOS for pcre. You can check this using regexploit n/a
  • My test use the comment field to write the expected behavior
  • I have added documentation for the rule or change (when appropriate)

For the reviewer

  • Positive and negative tests were added
  • Tests cover the intended fix/feature properly
  • No usage of dangerous constructs like ctl:requestBodyAccess=Off were used in the rule
  • In case a regular expression was changed, there is no ReDOS
  • Documentation is clear for the rule/change

@RedXanadu RedXanadu self-assigned this Nov 28, 2025
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 28, 2025
edited
Loading

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@RedXanadu RedXanadu mentioned this pull request Nov 28, 2025
Closed
@fzipi fzipi changed the title Remove bypass-vulnerable content types from default allow lists fix: remove bypass-vulnerable content types from default allow lists Nov 28, 2025
@touchweb-vincent
Copy link
Copy Markdown
Contributor

touchweb-vincent commented Dec 7, 2025
edited
Loading

Hello,

I don’t understand why the conditional enabling of the XML/JSON processors isn’t in crs-setup.conf.example but instead here:
https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/modsecurity.conf-recommended

What you just reported is going to happen again.

In my opinion, we should add a comment above 900220 stating that it is forbidden to add items to this stack without simultaneously adding a corresponding declaration to one of the body processors.

@fzipi fzipi requested review from airween and theseion December 8, 2025 16:56
theseion
theseion previously approved these changes Dec 9, 2025
View reviewed changes
@theseion
Copy link
Copy Markdown
Contributor

theseion commented Dec 9, 2025

I don’t understand why the conditional enabling of the XML/JSON processors isn’t in crs-setup.conf.example but instead here

For historical reasons and now we're stuck with modsecurity.conf-recommended. We've had issues with the interoperability before but we can't simply remove / change that file, since CRS is technically only one potential choice of rule set, so the defaults can't rely on the CRS configuration.

What you just reported is going to happen again.

Probably, but if I had done my job right, I would have read the existing comment and realised that I was making a mistake.

In my opinion, we should add a comment above 900220 stating that it is forbidden to add items to this stack without simultaneously adding a corresponding declaration to one of the body processors.

That comment exists in crs-setup.conf.example, where it belongs.

@touchweb-vincent
Copy link
Copy Markdown
Contributor

touchweb-vincent commented Dec 9, 2025
edited
Loading

You’re right, there’s already a long explanation about this. https://github.com/coreruleset/coreruleset/blob/main/crs-setup.conf.example#L499C1-L506C64

# When additional JSON content types are legitimately used in a deployment,
# e.g. application/cloudevents+json, it is extremely important to ensure that a
# rule exists to enable the engine's JSON body processor for these additional
# JSON content types. Failure to do so can lead to a request body bypass. The
# default JSON rule in modsecurity.conf-recommended (200001) will only activate
# the JSON body processor for the specific content type application/json. The
# optional modsecurity.conf-recommended rule 200006 can be used to enable the
# JSON body processor for a wide variety of JSON content types.

@theseion theseion mentioned this pull request Jan 5, 2026
Closed
@github-actions github-actions Bot added the Stale label Jan 9, 2026
@fzipi fzipi enabled auto-merge January 12, 2026 12:32
@fzipi fzipi added this pull request to the merge queue Jan 12, 2026
Merged via the queue into main with commit f2f0624 Jan 12, 2026
14 checks passed
@fzipi fzipi deleted the fix_content-type_bypasses branch January 12, 2026 12:41
@fzipi fzipi mentioned this pull request Apr 8, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fzipi fzipi fzipi approved these changes

@Xhoenix Xhoenix Xhoenix approved these changes

@theseion theseion theseion left review comments

@airween airween Awaiting requested review from airween

Assignees

@RedXanadu RedXanadu

Labels

release:fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Default list of allowed request content types includes non-processed types

5 participants

@RedXanadu @touchweb-vincent @theseion @fzipi @Xhoenix