Skip to content

refactor: create 942250 .ra file #4512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fzipi merged 1 commit into from
Mar 3, 2026
Merged

refactor: create 942250 .ra file #4512

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions regex-assembly/942250.ra
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##! Rule 942250: Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections
##!
##! SQL injection patterns for:
##! - SQL MERGE...USING (ANSI SQL)
##! - EXECUTE IMMEDIATE with string literal (Oracle/PL/SQL)
##! - MySQL MATCH...AGAINST full-text search

##!+ i

##! SQL MERGE statement with USING clause
merge.*?using\s*?\(

##! Oracle EXECUTE IMMEDIATE with string delimiter
execute\s*?immediate\s*?["'`]

##! MySQL MATCH...AGAINST full-text search
match\s*?[\w(),+-]+\s*?against\s*?\(
7 changes: 6 additions & 1 deletion rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -300,7 +300,12 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)al
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:merge.*?using\s*?\(|execute\s*?immediate\s*?[\"'`]|match\s*?[\w(),+-]+\s*?against\s*?\()" \
# Regular expression generated from regex-assembly/942250.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 942250
#
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)m(?:erge.*?using|atch[\s\x0b]*?[\(\)\+-\-0-9A-Z_a-z]+[\s\x0b]*?against)[\s\x0b]*?\(|execute[\s\x0b]*?immediate[\s\x0b]*?[\"'`]" \
"id:942250,\
phase:2,\
block,\
Expand Down
Loading