Merge pull request #1581 from sqreen/942360/fix-fp

fgsch · web-flow · commit 1f7a2977fc87 · 2019-10-29T00:44:22.000+09:00
Fix a FP in 942360 (#1580)
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -461,7 +461,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # to the Regexp::Assemble output:
 #   (?i:ASSEMBLE_OUTPUT)
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\s*key|k)|terialized)|e(?:ssage\s*type|thod)|odule)|l(?:o(?:g(?:file\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\s*priority|ufferpool)|x(?:ml\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|u(?:nion\s*(?:(?:distin|sele)ct|all)|pdate)|(?:(?:trunc|cre)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|load)\b|(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s+(?:group_concat|load_file|char)\s?\(?|[\d\W]\s+as\s*?[\"'`\w]+\s*?from|[\s(]load_file\s*?\(|[\"'`]\s+regexp\W|end\s*?\);))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\s*key|k)|terialized)|e(?:ssage\s*type|thod)|odule)|l(?:o(?:g(?:file\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\s*priority|ufferpool)|x(?:ml\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|u(?:nion\s*(?:(?:distin|sele)ct|all)|pdate)|(?:(?:trunc|cre)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|load)\b|(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s+(?:group_concat|load_file|char)\s?\(?|[\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom|[\s(]load_file\s*?\(|[\"'`]\s+regexp\W|end\s*?\);))" \
     "id:942360,\
     phase:2,\
     block,\
diff --git a/util/regexp-assemble/regexp-942360.data b/util/regexp-assemble/regexp-942360.data
@@ -31,7 +31,7 @@ update\s+load_file\s?[(]?
 end\s*?\);
 [\s(]load_file\s*?\(
 [\"'`]\s+regexp\W
-[\d\W]\s+as\s*?[\"'`\w]+\s*?from
+[\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom
 ^[\W\d]+\s*?create\b
 ^[\W\d]+\s*?delete\b
 ^[\W\d]+\s*?desc\b

Original file line number	Diff line number	Diff line change
`@@ -461,7 +461,7 @@ SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAME`
`461`	`461`	`# to the Regexp::Assemble output:`
`462`	`462`	`# (?i:ASSEMBLE_OUTPUT)`
`463`	`463`	`#`
`464`		-SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:^[\W\d]+\s?(?:alter\s(?:a(?:(?:pplication\srol\|ggregat)e\|s(?:ymmetric\ske\|sembl)y\|u(?:thorization\|dit)\|vailability\sgroup)\|c(?:r(?:yptographic\sprovider\|edential)\|o(?:l(?:latio\|um)\|nversio)n\|ertificate\|luster)\|s(?:e(?:rv(?:ice\|er)\|curity\|quence\|ssion\|arch)\|y(?:mmetric\skey\|nonym)\|togroup\|chema)\|m(?:a(?:s(?:ter\skey\|k)\|terialized)\|e(?:ssage\stype\|thod)\|odule)\|l(?:o(?:g(?:file\sgroup\|in)\|ckdown)\|a(?:ngua\|r)ge\|ibrary)\|t(?:(?:abl(?:espac)?\|yp)e\|r(?:igger\|usted)\|hreshold\|ext)\|p(?:a(?:rtition\|ckage)\|ro(?:cedur\|fil)e\|ermission)\|d(?:i(?:mension\|skgroup)\|atabase\|efault\|omain)\|r(?:o(?:l(?:lback\|e)\|ute)\|e(?:sourc\|mot)e)\|f(?:u(?:lltext\|nction)\|lashback\|oreign)\|e(?:xte(?:nsion\|rnal)\|(?:ndpoi\|ve)nt)\|in(?:dex(?:type)?\|memory\|stance)\|b(?:roker\spriority\|ufferpool)\|x(?:ml\sschema\|srobject)\|w(?:ork(?:load)?\|rapper)\|hi(?:erarchy\|stogram)\|o(?:perator\|utline)\|(?:nicknam\|queu)e\|us(?:age\|er)\|group\|java\|view)\|u(?:nion\s(?:(?:distin\|sele)ct\|all)\|pdate)\|(?:(?:trunc\|cre)at\|renam)e\|(?:inser\|selec)t\|de(?:lete\|sc)\|load)\b\|(?:(?:(?:trunc\|cre\|upd)at\|renam)e\|(?:inser\|selec)t\|de(?:lete\|sc)\|alter\|load)\s+(?:group_concat\|load_file\|char)\s?\(?\|[\d\W]\s+as\s?[\"'`\w]+\s?from\|[\s(]load_file\s?\(\|[\"'`]\s+regexp\W\|end\s*?\);))" \
	`464`	+SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:^[\W\d]+\s?(?:alter\s(?:a(?:(?:pplication\srol\|ggregat)e\|s(?:ymmetric\ske\|sembl)y\|u(?:thorization\|dit)\|vailability\sgroup)\|c(?:r(?:yptographic\sprovider\|edential)\|o(?:l(?:latio\|um)\|nversio)n\|ertificate\|luster)\|s(?:e(?:rv(?:ice\|er)\|curity\|quence\|ssion\|arch)\|y(?:mmetric\skey\|nonym)\|togroup\|chema)\|m(?:a(?:s(?:ter\skey\|k)\|terialized)\|e(?:ssage\stype\|thod)\|odule)\|l(?:o(?:g(?:file\sgroup\|in)\|ckdown)\|a(?:ngua\|r)ge\|ibrary)\|t(?:(?:abl(?:espac)?\|yp)e\|r(?:igger\|usted)\|hreshold\|ext)\|p(?:a(?:rtition\|ckage)\|ro(?:cedur\|fil)e\|ermission)\|d(?:i(?:mension\|skgroup)\|atabase\|efault\|omain)\|r(?:o(?:l(?:lback\|e)\|ute)\|e(?:sourc\|mot)e)\|f(?:u(?:lltext\|nction)\|lashback\|oreign)\|e(?:xte(?:nsion\|rnal)\|(?:ndpoi\|ve)nt)\|in(?:dex(?:type)?\|memory\|stance)\|b(?:roker\spriority\|ufferpool)\|x(?:ml\sschema\|srobject)\|w(?:ork(?:load)?\|rapper)\|hi(?:erarchy\|stogram)\|o(?:perator\|utline)\|(?:nicknam\|queu)e\|us(?:age\|er)\|group\|java\|view)\|u(?:nion\s(?:(?:distin\|sele)ct\|all)\|pdate)\|(?:(?:trunc\|cre)at\|renam)e\|(?:inser\|selec)t\|de(?:lete\|sc)\|load)\b\|(?:(?:(?:trunc\|cre\|upd)at\|renam)e\|(?:inser\|selec)t\|de(?:lete\|sc)\|alter\|load)\s+(?:group_concat\|load_file\|char)\s?\(?\|[\d\W]\s+as\b\s[\"'`\w]+\s\bfrom\|[\s(]load_file\s?\(\|[\"'`]\s+regexp\W\|end\s*?\);))" \
`465`	`465`	`"id:942360,\`
`466`	`466`	`phase:2,\`
`467`	`467`	`block,\`