changed regexp-942130.data to circumvent regexp-assemble bug and optimized rule 942130

franbuehler · franbuehler · commit e5a65e3dffc9 · 2017-10-24T16:05:45.000Z
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -567,7 +567,15 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:r(?:like(?:\s+binary)?|egexp\s+binary
 #
 # -=[ SQL Tautologies ]=-
 #
-SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`\(\)]*?)\2|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`\(\)]*?)(?!\2)([\d\w]+)))" \
+# Regexp generated from util/regexp-assemble/regexp-942130.data using Regexp::Assemble.
+# To rebuild the regexp:
+#   cd util/regexp-assemble
+#   ./regexp-assemble.pl regexp-942130.data
+# Note that after assemble an outer bracket with an ignore case flag is added
+# to the Regexp::Assemble output:
+#   (?i:ASSEMBLE_OUTPUT)
+#
+SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)(?:<(?:=(?:([\s'\"`\(\)]*?)(?!\2)([\d\w]+)|>([\s'\"`\(\)]*?)(?:\2))|>?([\s'\"`\(\)]*?)(?!\2)([\d\w]+))|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)([\s'\"`\(\)]*?)(?!\2)([\d\w]+)|(?:(?:sounds\s+)?like|r(?:egexp|like)|=)([\s'\"`\(\)]*?)(?:\2)))" \
     "phase:2,\
     rev:'2',\
     ver:'OWASP_CRS/3.0.0',\
diff --git a/util/regexp-assemble/regexp-942130.data b/util/regexp-assemble/regexp-942130.data
@@ -1,9 +1,9 @@
-([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)=([\s'\"`\(\)]*?)\2
-([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)<=>([\s'\"`\(\)]*?)\2
-([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)like([\s'\"`\(\)]*?)\2
-([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)rlike([\s'\"`\(\)]*?)\2
-([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)sounds\s+like([\s'\"`\(\)]*?)\2
-([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)regexp([\s'\"`\(\)]*?)\2
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)=([\s'\"`\(\)]*?)(?:\2)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)<=>([\s'\"`\(\)]*?)(?:\2)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)like([\s'\"`\(\)]*?)(?:\2)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)rlike([\s'\"`\(\)]*?)(?:\2)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)sounds\s+like([\s'\"`\(\)]*?)(?:\2)
+([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)regexp([\s'\"`\(\)]*?)(?:\2)
 ([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)!=([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
 ([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)<=([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
 ([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)>=([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
