
fix(920650): don't block on method override if it's not actually being overwritten#4455

Merged
fzipi merged 1 commit into
coreruleset:mainfrom
EsadCetiner:fix-reduce-method-fps
Feb 11, 2026

Conversation

@EsadCetiner
Member

Proposed changes

GitLab, and possibly some other applications, sometimes always sets the `_method` override even when the intent isn't actually to override a method. When signing out of GitLab, a POST request is sent to `/users/sign_out` with `_method=post` in the request body. This change should not have any security impact and makes 920650 a bit easier to work with.

PR Checklist

  • I have read the CONTRIBUTING doc
  • I have added positive tests proving my fix/feature works as intended.
  • I have added negative tests that prove my fix/feature considers common cases that might end in false positives
  • In case you changed a regular expression, you are not adding a ReDOS for pcre. You can check this using regexploit
  • My tests use the comment field to write the expected behavior
  • I have added documentation for the rule or change (when appropriate)

Further comments

For the reviewer

  • Positive and negative tests were added
  • Tests cover the intended fix/feature properly
  • No usage of dangerous constructs like ctl:requestBodyAccess=Off were used in the rule
  • In case a regular expression was changed, there is no ReDOS
  • Documentation is clear for the rule/change
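The decision the PR describes, restated as an added Python model so the boundary is visible in code. This is illustration code written for this page; it is not the text of rule 920650 and is not taken from the CRS repository. Assumed for the model: the override can arrive either in a `_method` form-body parameter (the case the PR mentions) or in an `X-HTTP-Method-Override` / `X-Method-Override` header, override targets are compared with the request method case-insensitively, and a constructed allowed-method list of GET, HEAD, POST and OPTIONS stands in for whatever a real deployment permits. The sample requests are constructed, not captured traffic.

```python
"""Model of the refined method-override check described in the PR.

Added illustration, not the SecLang of rule 920650. An override parameter only
counts as an override when it names a method other than the one the request
actually used; a genuine override is then checked against an allowed list.
"""
from urllib.parse import parse_qs

# Constructed default, standing in for the deployment's real allowed-method policy.
DEFAULT_ALLOWED_METHODS = ("GET", "HEAD", "POST", "OPTIONS")

# Header names assumed for this model; the _method body parameter is the one the
# PR describes for GitLab's sign-out request.
OVERRIDE_HEADERS = ("x-http-method-override", "x-method-override")


def declared_overrides(method, headers, body):
    """Return every method-override target the request declares, upper-cased.

    Comparison is normalised to upper case so that `_method=post` on a POST
    request is recognised as naming the same method (assumption of the model:
    the application interprets the parameter case-insensitively).
    """
    targets = []
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in OVERRIDE_HEADERS:
        value = lowered.get(name)
        if value and value.strip():
            targets.append(value.strip().upper())
    if body:
        for value in parse_qs(body, keep_blank_values=True).get("_method", []):
            if value.strip():
                targets.append(value.strip().upper())
    return targets


def is_real_override(method, headers, body):
    """True only when some declared target differs from the request's own method."""
    return any(t != method.upper() for t in declared_overrides(method, headers, body))


def evaluate(method, headers, body, allowed=DEFAULT_ALLOWED_METHODS):
    """Decide whether the request should be blocked under the refined logic.

    A declared override that merely restates the request method is treated as
    no override at all and is never blocked. A genuine override is blocked when
    its target lies outside the allowed-method list.
    """
    targets = declared_overrides(method, headers, body)
    real = [t for t in targets if t != method.upper()]
    if not real:
        return {"blocked": False, "reason": "no effective override", "targets": targets}
    disallowed = [t for t in real if t not in allowed]
    if disallowed:
        return {"blocked": True,
                "reason": f"override to disallowed method {disallowed[0]}",
                "targets": targets}
    return {"blocked": False, "reason": "override target is allowed", "targets": targets}


# Constructed sample requests: (method, headers, urlencoded body).
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
GITLAB_SIGN_OUT = ("POST", FORM, "authenticity_token=abc123&_method=post")
RAILS_DELETE = ("POST", FORM, "_method=delete&id=42")
HEADER_NOOP = ("GET", {"X-HTTP-Method-Override": "GET"}, "")
HEADER_PUT = ("POST", {"X-HTTP-Method-Override": "PUT"}, "")

if __name__ == "__main__":
    samples = [("gitlab sign-out", GITLAB_SIGN_OUT), ("rails delete", RAILS_DELETE),
               ("header no-op", HEADER_NOOP), ("header put", HEADER_PUT)]
    for label, request in samples:
        print(f"{label:15s} real_override={is_real_override(*request)!s:5s} {evaluate(*request)}")
```

Run it directly to see the verdict for each constructed request. The GitLab sign-out case, a POST whose body carries `_method=post`, yields no effective override and passes; the same shape of body with `_method=delete` is a genuine override to a method outside the list and is blocked. Whether the deployment permits that target is a policy decision, which is why the allowed list is a parameter rather than a constant buried in the check.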

@github-actions
Contributor

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

Member

@fzipi fzipi left a comment


Makes sense. Good refinement.

@fzipi fzipi changed the title from "fix: don't block on method override if it's not actually being overwritten" to "fix(920650): don't block on method override if it's not actually being overwritten" Feb 11, 2026
@fzipi fzipi added this pull request to the merge queue Feb 11, 2026
Merged via the queue into coreruleset:main with commit 0d992f8 Feb 11, 2026
10 checks passed
@EsadCetiner EsadCetiner deleted the fix-reduce-method-fps branch February 11, 2026 23:55