ModSecurity icon indicating copy to clipboard operation
ModSecurity copied to clipboard

Published 20 hours ago verified publisher icon owasp-modsecurity

DOC: `SecRuleUpdateActionById` and `chain` docs are errant for both 2.x and 3.x

Open diablodale opened this issue 2 years ago • 1 comments

The official doc for modsecurity 2.x and 3.x for both SecRuleUpdateActionById and chain are errant. They lead to errant rule writing and/or exposing underlying modsecurity bugs. I request clarification/rewrite of at least these two sections of both 2.x and 3.x docs.

This is a cascade issue from https://github.com/coreruleset/coreruleset/issues/3080#issuecomment-1374575642. I recommend reviewing that whole issue to understand the errant docs and gaps in information.

Doc Problems

  1. SecRuleUpdateActionById doesn't organize limitations/workarounds together; e.g. modsec 2.x SecRuleUpdateActionById on rule chains has a chain workaround (see issue above) and limitation (see issue above) and may have additional behavior/workaround changes in 3.x (I can't test 3.x)
  2. chain has wrong language, e.g. "Non-disruptive rules" should be "Non-disruptive actions"
  3. chain has wrong facts, e.g. "they [non-disruptive actions] will be executed if the rule that contains them matches and not only when the entire chain matches". That statement is false since it has been proven in 2.x (can't test myself in 3.x) that setvar does NOT "not only when the entire chain matches".
  4. Coordinate chain with SecRuleUpdateActionById docs so they match each other's limitations/workarounds.

Docs problems of these areas exist in both 2.x and 3.x docs; sometimes similar, sometimes identical. I recommend adding some rule + rule update examples to demonstrate how to use them correctly on each 2.x and 3.x. The issue above has premade examples.

Below is one suggestion for the 3.x docs.

Example 3.x docs for SecRuleUpdateActionById

...It has two limitations: it cannot be used to change the ID or phase of a rule. Only the actions that  
can appear only once are overwritten. The actions that are allowed to appear multiple times in a list,  
will be appended to the end of the list.

Example foo bar...

then 3 paragraphs and 2 examples under that is another limitation

Note : If the target rule is a chained rule, action updates may only be made to the main (first) rule in the chain.

These need to be combined together. Perhaps something like

...It has limitations

1. it cannot be used to change the ID or phase of a rule.
2. Only the actions that can appear only once are overwritten. The actions that are allowed to appear  
   multiple times in a list, will be appended to the end of the list.
3. If the target rule is a chained rule, action updates may only be made to the main (first) rule in the chain.  
   This is a tighter restriction than modsecurity 2.x.

Example foo bar...

diablodale avatar Jan 12 '23 16:01 diablodale

@diablodale ,

Thanks for raising these. I have corrected what you mentioned in (3) with the rest still to be addressed.

martinhsv avatar Jul 28 '23 13:07 martinhsv