feat: resolve common false positives with ad and tracker cookies#4378
Conversation
|
📊 Quantitative test results for language: |
|
@EsadCetiner CRS provides the file |
|
@fzipi I'm confused, how will |
|
Ugh, I'm sorry. Read it twice, and couldn't separate the two names apart 🤦 . |
|
Do we plan to have tests? |
Co-authored-by: Felipe Zipitría <3012076+fzipi@users.noreply.github.com>
|
@fzipi I don't have any tests for the Matomo cookie since I don't use it, I'll add tests for the others. |
|
@fzipi Added tests |
|
We should add a new linting rule that prevents adding exceptions to request cookies in SecRules. I'll create a followup in the crs-linter repo. |
There was a problem hiding this comment.
Pull request overview
This PR introduces a new dedicated file for common cookie exceptions to address false positives with tracking and advertising cookies, particularly Google's newer tracking cookies and other widely-used ad/tracking services. The change improves maintainability by consolidating cookie exceptions that were previously inline in rule files.
Changes:
- Created new file
REQUEST-999-COMMON-EXCEPTIONS-AFTER.confcontaining exceptions for common tracking/ad cookies (Google Analytics, Google Ads, Microsoft Clarity, Prebid.js, AWS Load Balancer, and Matomo) - Removed inline
!REQUEST_COOKIES:/_pk_ref/exceptions from SQLi and XSS rule files, moving them to the new centralized file - Added comprehensive test suite with 10 test cases covering all new cookie exceptions
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
rules/REQUEST-999-COMMON-EXCEPTIONS-AFTER.conf |
New file containing centralized cookie exceptions for common tracking/advertising cookies with the 999 prefix ensuring it loads after request rules |
rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf |
Removed inline !REQUEST_COOKIES:/_pk_ref/ exceptions from multiple SQLi detection rules (942380, 942390, 942400, 942410, 942420, 942421, 942440, 942450, 942470, 942480) |
rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf |
Removed inline !REQUEST_COOKIES:/_pk_ref/ exceptions from XSS detection rules (941320, 941330, 941340) |
tests/regression/tests/REQUEST-999-COMMON-EXCEPTIONS-AFTER/999999.yml |
Added test suite verifying that legitimate tracking/ad cookies do not trigger WAF rules |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
fzipi
left a comment
There was a problem hiding this comment.
I think this is in good shape now.
Proposed changes
This PR resolves false positives with the new Google tracking cookies and a few other common tracking/ad cookies. I've moved the existing cookie exceptions to it's own file
REQUEST-999-COMMON-EXCEPTIONS-AFTER.confto improve the overall maintainability of these exceptions. The999in the filename is to ensure that the file is loaded after all the request rules have been created.closes #4370
supersedes: #4293
PR Checklist
commentfield to write the expected behaviorFurther comments
For the reviewer
ctl:requestBodyAccess=Offwere used in the rule