From 72c4cf08b9deb422326dc3eca26f7c91f5e6bc10 Mon Sep 17 00:00:00 2001
From: Esad Cetiner <104706115+EsadCetiner@users.noreply.github.com>
Date: Tue, 7 Apr 2026 15:18:57 +1000
Subject: [PATCH] fix(930130): comment out false positive prone entries

---
 rules/restricted-files.data                   |  4 +--
 .../930130.yaml                               | 32 +++++++++++++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/rules/restricted-files.data b/rules/restricted-files.data
index fa92a6fb08..f341084e5c 100644
--- a/rules/restricted-files.data
+++ b/rules/restricted-files.data
@@ -625,7 +625,7 @@ build.zig.zon
 # Red Hat Subscription Manager config
 .redhat/
 # NPM node modules
-node_modules/
+# node_modules/
 # Bun Dir
 .bun/
 # Bun global config
@@ -678,7 +678,7 @@ miniconda3/
 .perldb
 .perl_repl_history
 .perlhistory
-perl/
+# perl/
 # CPAN & Cpan+
 .cpan/
 .cpanplus/
diff --git a/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml b/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml
index 391a01249a..c675f20dcd 100644
--- a/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml
+++ b/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml
@@ -213,3 +213,35 @@ tests:
         output:
           log:
             expect_ids: [930130]
+  - test_id: 14
+    desc: "Wazuh: False positive loading light css module matching `/node_modules/`"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          method: "GET"
+          port: 80
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: "localhost"
+            Accept: "*/*"
+          uri: "/node_modules/@osd/ui-framework/dist/kui_light.css"
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [930130]
+  - test_id: 15
+    desc: "GitLab: loading VSCode Web editor config matching `/perl/`"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          method: "GET"
+          port: 80
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: "localhost"
+            Accept: "*/*"
+          uri: "/assets/webpack/gitlab-web-ide-vscode-workbench-0.0.1-dev-20260106142046/vscode/extensions/perl/syntaxes/perl6.tmLanguage.json"
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [930130]