fix(942290): add word boundary to MongoDB operator detection #4588
Add \b word boundary after MongoDB operator names to prevent matching operator prefixes that appear in cookie values and GraphQL field names (e.g., \$exists matching inside \$existingUser). Refs: coreruleset#4584
📊 Quantitative test results for language:
Fair point — these were split from a single combined PR at a maintainer's request, so they all landed at once. No more incoming. That said, we're keen to keep contributing where it's useful. What pace works best for the team? Happy to batch future submissions or coordinate differently. Let us know how we can help.
I've just released v4 LTS. That was the priority. We are a bunch of developers also. It might take time to review only, just be patient.
@zoutjebot Can you add tests?
- Test 10: as standalone operator still triggers (positive)
- Test 11: in cookie does NOT trigger (word boundary fix)
- Test 12: in JSON body does NOT trigger (word boundary fix)

Refs: coreruleset#4588
Tests added to 942290.yaml:
- Test 10 (positive): POST with {"user": {"": true}} — standalone $exists operator still triggers. Verifies the word boundary doesn't break legitimate detection.
- Test 11 (negative): Cookie with $existingUser=admin does NOT trigger. This is the core FP case — $exists matching as a prefix inside a longer variable name.
- Test 12 (negative): POST body with {"": "foo"} does NOT trigger. Another prefix match FP case with a made-up but realistic field name.
What
Add \b word boundary after MongoDB operator names to prevent matching operator prefixes in cookie values and GraphQL fields (e.g., $exists matching inside $existingUser).
Context
Part of CVE-derived payload research FP reductions. See tracking issue #4584 for full context.
Refs: #4584
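
The boundary behaviour the PR describes, as an added example that is not part of the PR or the project's code. The operator list is a short constructed stand-in for rule 942290's expression (an assumption), the inputs are constructed, and Python's `re` stands in for the WAF's regex engine.

```python
import re

# Short stand-in for the operator alternation (assumption: rule 942290's real
# expression is longer and is not reproduced here).
OPERATORS = ["exists", "regex", "where", "ne", "gt", "in"]
ALTERNATION = "|".join(OPERATORS)

BEFORE = re.compile(r"\$(?:" + ALTERNATION + r")")      # prefix match
AFTER = re.compile(r"\$(?:" + ALTERNATION + r")\b")     # word boundary added

# Constructed inputs. The first two follow the cases named in the PR thread;
# the field names in the other three are made up for this example.
SAMPLES = {
    "json_operator": '{"user": {"$exists": true}}',
    "cookie_existing_user": "$existingUser=admin",
    "cookie_prefix": "$existsFlag=1",
    "json_field_prefix": '{"$internalId": "foo"}',
    "underscore_suffix": '{"$ne_count": 1}',
}


def compare(samples=SAMPLES):
    """Return {name: (matched_before, matched_after)} for each sample."""
    return {
        name: (bool(BEFORE.search(value)), bool(AFTER.search(value)))
        for name, value in samples.items()
    }


def verdict_changed(samples=SAMPLES):
    """Samples the prefix pattern flagged and the bounded pattern does not."""
    return sorted(n for n, (b, a) in compare(samples).items() if b and not a)


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:22} before={before!s:5} after={after}")
    # "_" and digits are word characters, so "$ne_count" has no boundary after
    # "$ne". "$existingUser" shares only "$exist" with "$exists", so a literal
    # "$exists" alternative matches it neither before nor after the change.
    print("verdict changed:", verdict_changed())
```

A negative regression test only guards the fix if its input matched the pre-change pattern, which is what the first element of each pair shows.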