
fix(932340): Add more UNIX FP commands#4454

Merged
EsadCetiner merged 8 commits into
coreruleset:mainfrom
ssigwart:unix932340Fp
Feb 13, 2026

Conversation

@ssigwart
Contributor

Proposed changes

Add more UNIX commands that are likely to cause FPs. Basically any two-letter one can cause FPs for fields where you enter your initials.

Feel free to close this if you'd rather people add exceptions instead.

Fixes #4453

PR Checklist

  • I have read the CONTRIBUTING doc
  • I have added positive tests proving my fix/feature works as intended.
  • I have added negative tests that prove my fix/feature considers common cases that might end in false positives
  • In case you changed a regular expression, you are not adding a ReDOS for pcre. You can check this using regexploit
  • My tests use the comment field to write the expected behavior
  • I have added documentation for the rule or change (when appropriate)

Further comments

I can work on tests if you want, but didn't want to do that if it's not the right direction.

For the reviewer

  • Positive and negative tests were added
  • Tests cover the intended fix/feature properly
  • No dangerous constructs like ctl:requestBodyAccess=Off were used in the rule
  • In case a regular expression was changed, there is no ReDOS
  • Documentation is clear for the rule/change

@github-actions
Contributor

github-actions Bot commented Feb 10, 2026

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@ssigwart ssigwart changed the title Add more UNIX FP commands fix(4453): Add more UNIX FP commands Feb 10, 2026
Member

@EsadCetiner EsadCetiner left a comment


Thanks for the contribution!

I think this PR is excluding too many commands, based on your report I think it would be better if we required an evasion prefix such as ; or & before blocking. Can you update 932340.ra to use the unix-shell-evasion-prefix instead of unix-shell-evasion-prefix-start-of-string?

You'll need to update the tests as well since they test for blocking with no prefix.
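The trade-off the reviewer describes above, shown as an added example that is not part of this PR or of the CRS code base: two constructed, deliberately simplified regexes stand in for the `unix-shell-evasion-prefix-start-of-string` and `unix-shell-evasion-prefix` includes (the real CRS patterns are longer and live in the regex-assembly directory). The command list, the prefix characters and all sample inputs are assumptions chosen to illustrate the point, and the lowercase step imitates a t:lowercase transformation.

```python
import re

# Constructed sample of short commands that collide with ordinary input such
# as initials. This is NOT the rule's real command list.
SHORT_COMMANDS = ["w", "df", "su", "id", "ls"]

# Constructed stand-in for the shell metacharacters an attacker needs in order
# to start a second command inside an existing shell string (; | & newline $( `).
EVASION_PREFIX = r"(?:;|\||&|\n|\$\(|`)"

# A command token must not be immediately followed by a word character, so
# "sudoku" does not count as "su". Hypothetical simplification of the rule.
_CMD = "(?:" + "|".join(re.escape(c) for c in SHORT_COMMANDS) + r")(?![\w-])"

# Variant A ("start of string"): the command may sit at the very beginning of
# the parameter value OR after an evasion prefix.
PREFIX_OR_START_OF_STRING = re.compile(r"(?:^|" + EVASION_PREFIX + r")\s*" + _CMD)

# Variant B ("evasion prefix"): a shell metacharacter is mandatory before the
# command, which is what the reviewer asks the PR to switch to.
PREFIX_REQUIRED = re.compile(EVASION_PREFIX + r"\s*" + _CMD)


def is_blocked(pattern, value):
    """Lowercase first (imitating t:lowercase), then search for the pattern."""
    return pattern.search(value.lower()) is not None


def blocked(pattern, values):
    """Return the values the pattern would block, in input order."""
    return [v for v in values if is_blocked(pattern, v)]


# Constructed inputs: things a user might type into an initials or name field.
BENIGN = ["df", "w", "su root", "Dave", "swim", "sudoku"]

# Constructed injection payloads: each chains a command behind a metacharacter.
ATTACKS = ["foo;df", "bar | w", "$(id)", "x\nsu", "a && ls -la", "`w`"]

if __name__ == "__main__":
    for name, pat in (("prefix-or-start-of-string", PREFIX_OR_START_OF_STRING),
                      ("prefix-required", PREFIX_REQUIRED)):
        print(f"{name}: benign blocked  = {blocked(pat, BENIGN)}")
        print(f"{name}: attacks blocked = {blocked(pat, ATTACKS)}")
```

Running it shows the point of the review comment: the start-of-string variant blocks the bare values "df", "w" and "su root", which is exactly the initials false positive from the linked issue, while the prefix-required variant blocks none of the benign values and still catches every chained payload. The cost is visible too: a value that is nothing but a bare command at the start of the parameter is no longer matched by this pattern, which is the trade-off the reviewer judges acceptable for this rule.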

@EsadCetiner EsadCetiner changed the title fix(4453): Add more UNIX FP commands fix(932340): Add more UNIX FP commands Feb 11, 2026
@ssigwart
Contributor Author

Thanks, @EsadCetiner. I made those updates.

Member

@EsadCetiner EsadCetiner left a comment


Can you add some negative tests based on the false positives you've experienced? Also please update the Author section at the top of the test file.

@ssigwart
Contributor Author

@EsadCetiner, I added a test. I tried to follow the docker instructions on https://coreruleset.org/docs/6-development/6-5-testing-the-rule-set/ to run it locally, but I received the error below.

docker compose -f tests/docker-compose.yml up -d modsec2-apache
[+] up 2/2
 ✘ Image ghcr.io/coreruleset/albedo:0.3.0@sha256:843ed01d28f... Error       0.4s
 ! Image owasp/modsecurity-crs:apache@sha256:e6f652efbd9a183... Interrupted 0.4s
Error response from daemon: Get "https://ghcr.io/v2/coreruleset/albedo/manifests/sha256:843ed01d28f48b594dcc0278ea9403175a0bf40ec065432040b796f589e89507": denied: denied

Review comment thread on tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932340.yaml (outdated)
@EsadCetiner
Member

@ssigwart Sorry, I haven't used the Docker image before so I can't help you. I have a personal setup script for bare metal installations if you are interested: https://github.com/EsadCetiner/crs-dev-environment-setup it's meant to be run on a dev environment only.

Nevertheless, I don't think you'll need to run the tests locally since you're not writing very complex tests.

Contributor Author

@ssigwart ssigwart left a comment


> Sorry, I haven't used the Docker image before so I can't help you. I have a personal setup script for bare metal installations if you are interested: https://github.com/EsadCetiner/crs-dev-environment-setup it's meant to be run on a dev environment only.
>
> Nevertheless, I don't think you'll need to run the tests locally since you're not writing very complex tests.

No problem. I'll just let GitHub Actions run it.

I made the updates. Also, I updated the test authors file because I forgot to do that last round.

Review comment thread on tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932340.yaml (outdated)
Member

@EsadCetiner EsadCetiner left a comment


Looks good, thanks for the contribution!

@EsadCetiner EsadCetiner added this pull request to the merge queue Feb 13, 2026
Merged via the queue into coreruleset:main with commit dca83c3 Feb 13, 2026
8 checks passed


Development

Successfully merging this pull request may close these issues.

Rule 932340 FP on Short Strings (e.g. w, df, su)

2 participants