Skip to content

fix: FPs related to maxDB information leakage#4382

Merged
azurit merged 9 commits into
coreruleset:mainfrom
azurit:MaxDBFP
Jan 25, 2026
Merged

fix: FPs related to maxDB information leakage#4382
azurit merged 9 commits into
coreruleset:mainfrom
azurit:MaxDBFP

Conversation

@azurit
Copy link
Copy Markdown
Member

@azurit azurit commented Dec 11, 2025
edited
Loading

Proposed changes

  • Fixing regex which was too wide and was triggered by unrelated keywords accross whole response body.
  • Removing part of the regex because:
  1. I wasn't able to find any error messages returned by MaxDB which matched that part of the regex.
  2. Regex was wrong from the beginning anyway as it was supposed to match strings containing keywords like POS(8) but brackets were not escaped and were later removed probably because we considered them as excessive group in regex (regex changed from POS([0-9]+) to POS[0-9]+).

These are the only error messages i was able to find on the net:

PHP Warning:  maxdb_query(): -4005 POS(8) Unknown column name:XXX [42000]
PHP Warning:  maxdb_connect(): -4008 POS(1) Unknown user name/password combination <...>
PHP Warning: maxdb::query():  -4004 POS(15) Unknown table name:CALCULATE_RETURN [42000]

PR Checklist

  • I have read the CONTRIBUTING doc
  • I have added positive tests proving my fix/feature works as intended.
  • I have added negative tests that prove my fix/feature considers common cases that might end in false positives
  • In case you changed a regular expression, you are not adding a ReDOS for pcre. You can check this using regexploit
  • My test use the comment field to write the expected behavior
  • I have added documentation for the rule or change (when appropriate)

Further comments

For the reviewer

  • Positive and negative tests were added
  • Tests cover the intended fix/feature properly
  • No usage of dangerous constructs like ctl:requestBodyAccess=Off were used in the rule
  • In case a regular expression was changed, there is no ReDOS
  • Documentation is clear for the rule/change

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Dec 11, 2025
edited
Loading

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@theseion theseion mentioned this pull request Jan 5, 2026
Closed
@fzipi fzipi requested a review from Copilot January 16, 2026 14:41
Copilot AI reviewed Jan 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes false positives in the MaxDB SQL information leakage detection rule (951210) by making the regex pattern more specific and removing an unverified pattern component.

Changes:

  • Tightened the regex pattern from (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*) to (?i)Warning.{1,10}maxdb[\(\)_a-z:]{1,26}: to reduce false positives
  • Removed the SQL error.*POS[0-9]+.* alternative pattern that could not be verified with actual MaxDB error messages
  • Added a second positive test case covering the maxdb::query() error format

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf Updated regex to be more specific and removed unverified pattern alternative
tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml Added test case for maxdb::query() error format

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Comment thread tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml Outdated
@fzipi
Update tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml
03f6998 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@fzipi
Copy link
Copy Markdown
Member

fzipi commented Jan 18, 2026

I'm questioning even having this database supported. Looks like the conenctor for PHP (PECL) has been unmaintained since 2007: https://pecl.php.net/package/maxdb.

Maybe we just drop this?

@fzipi
Copy link
Copy Markdown
Member

fzipi commented Jan 24, 2026

ping @azurit

@azurit
Copy link
Copy Markdown
Member Author

azurit commented Jan 25, 2026

@fzipi Well, current regex supports only PHP error messages, so.. But I'm not sure if we should remove support for some software without releasing a major version. I would merge this now and remove whole rule in the next major release.

@azurit azurit enabled auto-merge January 25, 2026 13:51
@azurit azurit added this pull request to the merge queue Jan 25, 2026
Merged via the queue into coreruleset:main with commit 0bd2fd7 Jan 25, 2026
8 checks passed
@azurit azurit deleted the MaxDBFP branch January 25, 2026 15:12
@theseion theseion mentioned this pull request Feb 2, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@fzipi fzipi fzipi approved these changes

@M4tteoP M4tteoP M4tteoP approved these changes

Assignees

No one assigned

Labels

release:fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@azurit @fzipi @M4tteoP