coreruleset · fzipi · Mar 15, 2026 · Feb 8, 2026 · Feb 9, 2026 · Feb 9, 2026
diff --git a/regex-assembly/exclude/unix-shell-fps-pl1.ra b/regex-assembly/exclude/unix-shell-fps-pl1.ra
@@ -145,6 +145,7 @@ c99
 cancel
 cancel@
 cancel~
+cargo@
 capsh@
 cat
 cat@
@@ -408,6 +409,8 @@ knife
 knife@
 knife~
 ksshell
+l@
+la@
 last
 last@
 last~
@@ -425,6 +428,7 @@ less~
 links
 links@
 links~
+ll@
 ln
 ln@
 local
@@ -627,6 +631,7 @@ ruby@
 ruby~
 run-mailcap
 run-parts
+rust@
 rview
 rvim
 sash
@@ -652,6 +657,7 @@ set~
 sg
 sg@
 sg~
+shred@
 shuf
 shutdown
 shutdown@

diff --git a/regex-assembly/include/unix-shell-4andup.ra b/regex-assembly/include/unix-shell-4andup.ra
@@ -9,7 +9,7 @@
 ##! NL=$'\n'
 ##! original="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-4andup.ra)"
 ##! # Exclude entries starting with `(dev/|etc/|proc/|#)` and empty lines, they are not commands
-##! source="$(grep -vEh '^(dev/|etc/|proc/|#|$)' rules/unix-{shell,shell-builtins}.data | \
+##! source="$(grep -vEh '^(dev/|etc/|proc/|#|$)' rules/unix-{shell-aliases,shell,shell-builtins}.data | \
 ##!   awk '/^[^#$]/ {split($0,x,"/"); y=x[length(x)]} length(y) > 3 {print y}' | \
 ##!   sort | uniq)"
 ##! # retain all unmodified entries in this list and skip removed ones; ignore the manually added suffixes
@@ -144,6 +144,10 @@ c89-gcc
 c99-gcc
 cancel@
 capsh@
+cargo@
+cargo-audit
+cargo-miri
+cargo-watch
 certbot
 chattr@
 chdir@
@@ -167,6 +171,7 @@ chroot@
 chsh@
 clang\+\+
 clang@
+clippy-driver
 cobc@
 cobcrun
 column@
@@ -469,6 +474,13 @@ ruby~
 run-mailcap
 run-parts
 runc@
+rust-analyzer
+rust-gdb
+rust-lldb
+rustc@
+rustdoc
+rustfmt
+rustup
 rview@
 rvim@
 sash@
@@ -485,6 +497,7 @@ setfacl@
 setsid
 sftp@
 sh\.distrib
+shred@
 shuf@
 shutdown@
 sleep@

diff --git a/regex-assembly/include/unix-shell-upto3.ra b/regex-assembly/include/unix-shell-upto3.ra
@@ -7,7 +7,7 @@
 ##! # select words of length <= 3
 ##! original="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-upto3.ra)"
 ##! # Exclude entries starting with `(dev/|etc/|proc/|#)` and empty lines, they are not commands
-##! source=$(grep -vEh '^(dev/|etc/|proc/|#|$)' rules/unix-{shell,shell-builtins}.data | \
+##! source=$(grep -vEh '^(dev/|etc/|proc/|#|$)' rules/unix-{shell-aliases,shell,shell-builtins}.data | \
 ##!   awk '/^[^#$]/ {split($0,x,"/"); y=x[length(x)]} length(y) <= 3 {print y}' | \
 ##!   sort | uniq)
 ##! result=""
@@ -123,8 +123,11 @@ irb@
 jjs@
 jq@
 ksh@
+l@
+la@
 ld@
 ldd@
+ll@
 ln@
 lp@
 ls@

diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
diff --git a/rules/unix-shell-aliases.data b/rules/unix-shell-aliases.data
@@ -0,0 +1,7 @@
+# This list only includes shell aliases that are included in various Distro's out of the box
+# to limit false positives. The number of shell aliases that can exist are infinite.
+
+# ls
+l
+la
+ll
diff --git a/rules/unix-shell.data b/rules/unix-shell.data
@@ -106,6 +106,10 @@ bin/c99
 bin/c99-gcc
 bin/cancel
 bin/capsh
+bin/cargo
+bin/cargo-audit
+bin/cargo-miri
+bin/cargo-watch
 bin/cat
 bin/cc
 bin/certbot
@@ -130,6 +134,7 @@ bin/chroot
 bin/chsh
 bin/clang
 bin/clang++
+bin/clippy-driver
 bin/cmp
 bin/cobc
 bin/cobcrun
@@ -496,6 +501,13 @@ bin/ruby
 bin/runc
 bin/run-mailcap
 bin/run-parts
+bin/rustc
+bin/rustdoc
+bin/rustfmt
+bin/rustup
+bin/rust-analyzer
+bin/rust-gdb
+bin/rust-lldb
 bin/rview
 bin/rvim
 bin/sash
@@ -515,6 +527,7 @@ bin/sftp
 bin/sg
 bin/sh
 bin/sh.distrib
+bin/shred
 bin/shuf
 bin/shutdown
 bin/sleep

diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
@@ -1803,3 +1803,19 @@ tests:
         output:
           log:
             expect_ids: [932236]
+  - test_id: 100
+    desc: "True Postitive: ll alias of ls `ll /var/www/`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: localhost
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+          method: GET
+          port: 80
+          uri: "/get?test=ll%20%2Fvar%2Fwww%2F"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [932236]
-Original file line number
+Diff line change
@@ Expand Up / @@ -145,6 +145,7 @@ c99 @@
     cancel
     cancel@
     cancel~
+    cargo@
     capsh@
     cat
     cat@
@@ Expand Down Expand Up / @@ -408,6 +409,8 @@ knife @@
     knife@
     knife~
     ksshell
+    l@
+    la@
     last
     last@
     last~
@@ Expand All / @@ -425,6 +428,7 @@ less~ @@
     links
     links@
     links~
+    ll@
     ln
     ln@
     local
@@ Expand Down Expand Up / @@ -627,6 +631,7 @@ ruby@ @@
     ruby~
     run-mailcap
     run-parts
+    rust@
     rview
     rvim
     sash
@@ Expand All / @@ -652,6 +657,7 @@ set~ @@
     sg
     sg@
     sg~
+    shred@
     shuf
     shutdown
     shutdown@
@@ Expand Down @@