Skip to content

fix(932330): require non-alphanumeric prefix for bash negation pattern#4595

Open
zoutjebot wants to merge 5 commits into
coreruleset:mainfrom
zoutjebot:fix/932330-negation-prefix
Open

fix(932330): require non-alphanumeric prefix for bash negation pattern#4595
zoutjebot wants to merge 5 commits into
coreruleset:mainfrom
zoutjebot:fix/932330-negation-prefix

Conversation

@zoutjebot
Copy link
Copy Markdown
Contributor

@zoutjebot zoutjebot commented Mar 30, 2026
edited by fzipi
Loading

What

Add (?:^|[^a-zA-Z0-9]) before !-\\d to prevent FPs on product codes and values containing '!-' followed by digits.

Context

Part of CVE-derived payload research FP reductions. See tracking issue #4584 for full context.

Refs: #4584

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Mar 30, 2026
edited
Loading

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@zoutjebot zoutjebot mentioned this pull request Mar 30, 2026
Open
@fzipi
Copy link
Copy Markdown
Member

fzipi commented Mar 30, 2026

Can you add tests? Positive and negative, so we cover both cases. Thanks!

@fzipi fzipi mentioned this pull request Apr 6, 2026
Closed
@fzipi
Copy link
Copy Markdown
Member

fzipi commented Apr 8, 2026

Review

Approach is reasonable — adding a boundary prefix to reduce FPs on product codes. A few issues:

  1. (?:^|[^a-zA-Z0-9]) could be (?:^|\W) — excludes _ which [^a-zA-Z0-9] doesn't. Product codes like SKU_!-1 probably should also not trigger, so \W might be more appropriate. Minor difference but worth considering

  2. PL1 rule with very short pattern!-\d is extremely short. Adding boundary helps but it's still fragile for paranoia level 1

  3. No .ra file — should create one per convention, even for simple regex

  4. Missing test for start-of-value — needs a test where !-1 is the entire value (no prefix) to ensure detection still works at ^

  5. Need more boundary tests — test with space before (foo !-3), with special chars before, to validate the boundary logic covers real attack scenarios

Xhoenix
Xhoenix reviewed Apr 14, 2026
View reviewed changes
Comment thread rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf Outdated
@zoutjebot
Copy link
Copy Markdown
Contributor Author

zoutjebot commented Apr 14, 2026

Thanks for the detailed review @fzipi! I've addressed all points:

  1. ** → 13:33 up 8 days, 5:52, 2 users, load averages: 2.38 2.73 2.93
    USER TTY FROM LOGIN@ IDLE WHAT
    zoutje console - 06Apr26 8days -
    zoutje s000 - 06Apr26 8days -zsh** — Updated the regex to use 13:33 up 8 days, 5:52, 2 users, load averages: 2.38 2.73 2.93
    USER TTY FROM LOGIN@ IDLE WHAT
    zoutje console - 06Apr26 8days -
    zoutje s000 - 06Apr26 8days -zsh which also excludes as a valid prefix (e.g., won't trigger).

  2. ** file** — Added with the assembly pattern and documentation.

  3. Test coverage — Expanded from 3 to 7 regression tests:

    • Test 4: Start-of-value ( alone) — should trigger
    • Test 5: Space prefix () — should trigger
    • Test 6: Underscore prefix () — FP test, should NOT trigger
    • Test 7: Special char prefix () — should trigger

  4. PL1 fragility concern — Noted. The boundary prefix helps but the pattern remains short. If further FPs surface, we can move the boundary requirement to PL2 as a stricter sibling.

@zoutjebot
Copy link
Copy Markdown
Contributor Author

zoutjebot commented Apr 14, 2026

Thanks for the detailed review @fzipi! I've addressed all points:

  1. Boundary prefix — Updated the regex to use (?:^|\W) instead of (?:^|[^a-zA-Z0-9]), which also excludes underscore as a valid prefix character (e.g., SKU_!-1 won't trigger).

  2. .ra file — Added regex-assembly/932330.ra with the assembly pattern and documentation.

  3. Test coverage — Expanded from 3 to 7 regression tests:

    • Test 4: Start-of-value (!-f alone) — should trigger
    • Test 5: Space prefix (foo !-d) — should trigger
    • Test 6: Underscore prefix (SKU_!-1) — FP test, should NOT trigger
    • Test 7: Special char prefix ([!-2) — should trigger

  4. PL1 fragility concern — Noted. The boundary prefix helps but the pattern remains short. If further FPs surface, we can adjust.

Zoutje and others added 5 commits April 27, 2026 21:16
fix(932330): require non-alphanumeric prefix for bash negation pattern
d610acc 
The pattern !-\d (bash file test negation like !-f, !-d) matches
too broadly when it can appear anywhere in a value. Strings like
'abc!-1' or product codes containing '!-' followed by digits trigger
false positives.

Adding (?:^|[^a-zA-Z0-9]) ensures the pattern only matches at the
start of input or after a non-alphanumeric character, consistent with
how bash negation operators actually appear in shell commands.

Refs: coreruleset#4584
@claude
test(932330): add regression tests for negation prefix requirement
0435948 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
resolve conflict: keep expanded test suite
a2ebff4
@pre-commit-ci
chore(formatting): auto fixes from pre-commit hooks
ca4ee4e 
for more information, see https://pre-commit.ci
test(932330): fix regression tests using letters instead of digits
ecb3655 
Tests 4 and 5 used !-f and !-d but rule 932330 matches !-\d (digits
only). Changed to !-5 and !-7 so the tests match what the rule
actually detects.
@zoutjebot zoutjebot force-pushed the fix/932330-negation-prefix branch from 230df2e to ecb3655 Compare April 27, 2026 19:17
@zoutjebot
Copy link
Copy Markdown
Contributor Author

zoutjebot commented Apr 27, 2026

Fixed the failing regression tests. Tests 4 and 5 used !-f and !-d (letters) but the rule matches !-\d (digits only). Updated to !-5 and !-7. Rebased on latest main.

Quick summary of current state:

  • .ra file: ✅ present (regex-assembly/932330.ra)
  • Boundary: (?:^|\W) per fzipi review
  • Tests: 7 total (4 positive, 3 negative including underscore FP test)
  • Quantitative: no new FPs at PL1/10K

@theseion theseion mentioned this pull request May 4, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Xhoenix Xhoenix Xhoenix left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zoutjebot @fzipi @Xhoenix