
feat: update list of unix commands#4446

Merged: fzipi merged 16 commits into coreruleset:main from EsadCetiner:feat-update-unix-command-list on Mar 15, 2026

Conversation

@EsadCetiner
Member

Proposed changes

Updates Unix commands list to cover the following:

  • Common commands used in Rust development
  • Common shell aliases of ls
  • Adds the shred command, which can be used to delete files.

closes: #4390
closes: #4425
closes: #4424
closes: #4423

PR Checklist

  • I have read the CONTRIBUTING doc
  • I have added positive tests proving my fix/feature works as intended.
  • I have added negative tests that prove my fix/feature considers common cases that might end in false positives
  • In case you changed a regular expression, you are not adding a ReDOS for pcre. You can check this using regexploit
  • My tests use the comment field to write the expected behavior
  • I have added documentation for the rule or change (when appropriate)

Further comments

For the reviewer

  • Positive and negative tests were added
  • Tests cover the intended fix/feature properly
  • No usage of dangerous constructs like ctl:requestBodyAccess=Off were used in the rule
  • In case a regular expression was changed, there is no ReDOS
  • Documentation is clear for the rule/change

@EsadCetiner EsadCetiner requested a review from fzipi February 8, 2026 07:23
@github-actions
Contributor

github-actions Bot commented Feb 8, 2026

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@EsadCetiner EsadCetiner had a problem deploying to quantitative-testing-approval February 8, 2026 07:23 — with GitHub Actions Failure
@fzipi
Member

fzipi commented Feb 8, 2026

Hmm... thanks, quantitative tests! I see that we are way up now on false positives. Can we double-check why? Probably because of using just l?

@HackingRepo
Contributor

HackingRepo commented Feb 8, 2026

A large number of false positives in PL1 is huge, because PL1 is the first level; if there are FPs here, that will impact the user experience.

@EsadCetiner
Member Author

@fzipi

Hmm... thanks, quantitative tests! I see that we are way up now on false positives. Can we double-check why? Probably because of using just l?

That looks to be where a good bulk of the false positives are coming from. I think we're hitting up against #4356, since just l<space> shouldn't cause many natural-language false positives.

I can try to fight false positives a bit more, but imo I don't think this will mean a huge increase in real-world false positives.

@pre-commit-ci pre-commit-ci Bot had a problem deploying to quantitative-testing-approval February 9, 2026 03:56 Failure
@EsadCetiner EsadCetiner temporarily deployed to quantitative-testing-approval February 12, 2026 09:31 — with GitHub Actions Inactive
@EsadCetiner EsadCetiner temporarily deployed to quantitative-testing-approval February 12, 2026 09:33 — with GitHub Actions Inactive
@azurit
Member

azurit commented Feb 12, 2026

Added this to the next chat agenda so we can discuss the FPs increase.

@fzipi
Member

fzipi commented Mar 2, 2026

@EsadCetiner Let's try to work together on this one.

Can you do a couple of tests to see what is increasing the FP rate? I think we could even do separate PRs to try to tackle this better.

I think the English words shred, cargo (which, btw, is nothing in the Rust ecosystem), and rust could be a problem. But also l, ll and la.

So maybe don't close this one, but start with one for each problem. Then we can move on. Wdyt?

@EsadCetiner EsadCetiner had a problem deploying to quantitative-testing-approval March 3, 2026 04:45 — with GitHub Actions Failure
@EsadCetiner EsadCetiner temporarily deployed to quantitative-testing-approval March 3, 2026 05:04 — with GitHub Actions Inactive
@EsadCetiner
Member Author

@fzipi Most of the false positives were coming from ll for some reason; should be fixed now.
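One way to do the per-word attribution fzipi asked for above, as an added example that is not code from this PR or from CRS: a simplified stand-in pattern with the "command name, then whitespace" shape mentioned in the thread is run over constructed benign web-text lines, and each false positive is charged to the name that fired. The command list, the separator class, the sample lines and the dropped-apostrophe "I ll" guess are all assumptions, not the actual CRS regex or quantitative-test corpus.

```python
import re

# Constructed stand-in for the Unix command alternation the PR discusses
# (NOT the real CRS 932230/932235/932250 regex): a command name must be
# preceded by start-of-input or a shell-ish separator and followed by
# whitespace, i.e. the "l<space>" shape mentioned in the thread.
COMMANDS = ["l", "la", "ll", "ls", "shred", "cargo", "rustc"]
PREFIX = r"(?:^|[\s;&|`$(])"

# Constructed benign web-text lines; the dropped-apostrophe "I ll"/"we ll"
# is an assumed source of "ll" hits, not a finding from the PR.
BENIGN_LINES = [
    "I ll call you tomorrow, we ll see",
    "La la land was released in 2016",
    "Cargo ships wait at the port",
    "There is not a shred of evidence",
    "Rust forms on iron; rusty tools",
    "Please send the l shaped bracket",
    "Nothing suspicious here",
]


def command_pattern(commands=COMMANDS):
    """Build one alternation; longest names first so 'll' is tried before 'l'."""
    alt = "|".join(re.escape(c) for c in sorted(commands, key=len, reverse=True))
    return re.compile(PREFIX + "(?P<cmd>" + alt + r")\s", re.IGNORECASE)


def detect(line, commands=COMMANDS):
    """Return the lower-cased command name that fired on this line, or None."""
    m = command_pattern(commands).search(line)
    return m.group("cmd").lower() if m else None


def benign_line_count(lines, commands=COMMANDS):
    """Benign lines the combined pattern flags: the aggregate FP number."""
    return sum(1 for line in lines if detect(line, commands) is not None)


def false_positives_per_command(commands, lines):
    """Attribute FPs by testing every name on its own, so a line can count
    against several names; this shows which branch drives the aggregate."""
    counts = {c: 0 for c in commands}
    for line in lines:
        for c in commands:
            if re.search(PREFIX + re.escape(c) + r"\s", line, re.IGNORECASE):
                counts[c] += 1
    return counts


if __name__ == "__main__":
    print(benign_line_count(BENIGN_LINES))
    print(false_positives_per_command(COMMANDS, BENIGN_LINES))
```

Running the per-name pass against the real corpus is what separates a word that is genuinely common in prose (shred, cargo, la) from one whose hits come from a tokenization quirk, and tells you which alternation branch to tune first.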

@fzipi
Member

fzipi commented Mar 3, 2026

This is a very good outcome then, in my opinion. Let me run the full quantitative analysis and we are good to go! 💪

@fzipi
Member

fzipi commented Mar 3, 2026

📊 New Results
{
  "count": 10000,
  "falsePositives": 84,
  "falsePositivesPerRule": {
    "932230": 28,
    "932235": 24,
    "932250": 28,
    "933160": 1,
    "942100": 1,
    "942230": 1,
    "942360": 1
  },
  "skipped": 0,
  "totalTimeSeconds": 8.133940812
}

📊 Old Results
{
  "count": 10000,
  "falsePositives": 84,
  "falsePositivesPerRule": {
    "932230": 28,
    "932235": 24,
    "932250": 28,
    "933160": 1,
    "942100": 1,
    "942230": 1,
    "942360": 1
  },
  "skipped": 0,
  "totalTimeSeconds": 7.829370213
}

@HackingRepo
Contributor

HackingRepo commented Mar 3, 2026

The problem with WAFs is that, as in this case, an attacker can brute-force aliases and bypass them completely because the number of aliases is infinite. Command injection in websites should not exist today; to fix it, just use subprocess.run, that's it, and std::process::Command in Rust. Why do people still not do that? They still use os.system and other stuff like that.

@fzipi fzipi enabled auto-merge March 9, 2026 16:35
@fzipi
Member

fzipi commented Mar 15, 2026

Ugh, now this is in conflict. @EsadCetiner Can you fix the conflicts, so I can approve again? I didn't merge, waiting for you, but I guess I can merge now as soon as the conflicts are solved.

@EsadCetiner
Member Author

@fzipi Should be fixed now

@fzipi fzipi disabled auto-merge March 15, 2026 20:56
@fzipi fzipi added this pull request to the merge queue Mar 15, 2026
Merged via the queue into coreruleset:main with commit 3440bfb Mar 15, 2026
9 of 10 checks passed


Development

Successfully merging this pull request may close these issues:

  • RCE Bypass via rustc command
  • RCE bypass via cargo command
  • RCE Bypass via shred command
  • RCE Bypass via common shell aliases from Bash And Zsh
