Fix lexer rejection of '@' in ctl:ruleRemoveTarget actions (#3565) #3566
Jitterx69 wants to merge 6 commits into
thanks - please add test cases to prove the correct behavior of this patch.
Thanks - sorry, I forgot to mention that you should regenerate Bison-related files. For this, please install the latest Bison and Flex versions, run Without this, the new tests will fail. You can find a similar solution here.
Yeah...I just realized that before you quote...I will imply as you say.
…mic delimiter lookup and updating regex scanner pattern
Pull request overview
This PR fixes SecLang lexer tokenization for ctl:ruleRemove* action values so that XPath-like selectors (and other variable selectors) containing @, =, (, ), and ' are not prematurely rejected, restoring ModSecurity v2 parity for granular target removals.
Changes:
- Expand the Flex macro used to lex ctl:ruleRemoveBy*/ctl:ruleRemoveTargetBy* payloads to allow additional selector characters (notably @).
- Add regression coverage for ctl:ruleRemoveTargetByTag and ctl:ruleRemoveTargetById when selectors include @, =, (, ), and '.
- Harden ctl action parsing by extracting payloads via = detection instead of fixed substring offsets, improving error handling for malformed inputs.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/parser/seclang-scanner.ll | Expands the lexer character class for ctl rule removal payloads to accept XPath/selector characters. |
| src/actions/ctl/rule_remove_target_by_tag.cc | Parses ctl payload using = delimiter and adds validation instead of fixed offsets. |
| src/actions/ctl/rule_remove_target_by_id.cc | Same =-based payload parsing/validation for ID-based target removal. |
| src/actions/ctl/rule_remove_by_tag.cc | Switches to =-based parsing for tag-based rule removal payloads. |
| src/actions/ctl/rule_remove_by_id.cc | Switches to =-based parsing for ID/range-based rule removal payloads. |
| test/test-cases/regression/action-ctl_rule_remove_target_by_tag.json | Adds regression cases for special characters in ctl:ruleRemoveTargetByTag targets. |
| test/test-cases/regression/action-ctl_rule_remove_target_by_id.json | Adds regression cases for special characters in ctl:ruleRemoveTargetById targets. |
| "Host": "localhost", | ||
| "Accept": "*/*" | ||
| }, | ||
| "uri": "/index.html?foo=bar=attack", |
| "Host": "localhost", | ||
| "Accept": "*/*" | ||
| }, | ||
| "uri": "/index.html?foo=bar=attack", |
| NOT ! | ||
| FREE_TEXT ([^\"]|([^\\]\\\"))+ | ||
| REMOVE_RULE_BY [0-9A-Za-z_\/\.\-\*\:\;\]\[\$]+ | ||
| REMOVE_RULE_BY [a-zA-Z0-9_\-\.\*\/\:\;\$@\=\(\)\[\]\']+ |
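Review bot: The new REMOVE_RULE_BY class on the last line admits ' and = into a ctl:ruleRemove* payload, and the page shows no negative test for either. Because the class is matched greedily, a single quote that closes a quoted action value directly after the payload would be consumed into the token. A selector such as [@id='x'] also now carries its own = inside the payload, so the =-based extraction described in the overview has to split on the first = only. Suggest adding regression cases for a ctl action written inside single quotes and for a selector containing = so both behaviours are pinned down.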
Thanks for this PR again. I saw you added syntax handling, which is definitely a very good step: Would you mind adding more tests to check these conditions too? Please note that our regression test framework handles the parser error too, e.g. you can add a wrong syntax in a test and expect a parser error. For example, see this block: here the In the planned "negative" tests you could construct invalid exclusions that you handle in those conditions. Unfortunately my update merge failed your PR, could you rebase it? But maybe you might wait for the merge of this PR. Let us know if you need any help.
Also please take a look at the Copilot suggestions.



what
- REMOVE_RULE_BY regular expression macro in the Flex scanner (src/parser/seclang-scanner.ll) to include characters essential for XPath selectors.
- @, =, (, ), and ' to the allowed character class.

why
- @ character (such as XML://@* or ARGS:@foo) because the macro lacked these characters.
- Expecting an action, got: @*.

references
- @ (e.g. XPath attribute selectors) #3565
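
The tokenization failure described above, as an added example that is not code from this PR or from ModSecurity: it models the old and new REMOVE_RULE_BY character classes from the diff as plain character sets and shows where a greedy match stops on selector payloads. The helper name lex_payload and the sample payloads (rule id 1 followed by a target) are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Character sets transcribed from the two REMOVE_RULE_BY lines in the diff.
// A Flex bracket expression is modelled here as a plain set of allowed bytes.
static const std::string kAlnum =
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static const std::string kOldClass = kAlnum + "_/.-*:;][$";
static const std::string kNewClass = kAlnum + "_-.*/:;$@=()[]'";

// Greedy [class]+ match from the start of `payload` (hypothetical helper).
// Returns {matched token, unconsumed remainder handed back to the scanner}.
std::pair<std::string, std::string> lex_payload(const std::string& allowed,
                                                const std::string& payload) {
    std::size_t end = payload.find_first_not_of(allowed);
    if (end == std::string::npos) end = payload.size();
    return {payload.substr(0, end), payload.substr(end)};
}

int main() {
    // Constructed sample payloads: the text that follows "ctl:ruleRemoveTargetById=".
    const std::vector<std::string> samples = {
        "1;ARGS:foo",           // plain target, accepted by both classes
        "1;ARGS:@foo",          // '@' in the selector
        "1;XML://@*",           // XPath attribute wildcard from the PR text
        "1;XML:/a/b[@id='x']",  // selector with '@', '=' and quotes
        "1;ARGS:foo,log"};      // ',' ends the payload under both classes
    for (const auto& s : samples) {
        auto oldr = lex_payload(kOldClass, s);
        auto newr = lex_payload(kNewClass, s);
        std::cout << s << "\n  old: [" << oldr.first << "] left: [" << oldr.second
                  << "]\n  new: [" << newr.first << "] left: [" << newr.second
                  << "]\n";
    }
    return 0;
}
```

With the old class the match on XML://@* stops in front of the @, leaving @* as the unconsumed remainder that appears in the parser error quoted above.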