
JSON-Based SQL Injection - Slow regex

Open christiantreutler-avi opened this issue 2 years ago • 7 comments

Describe the bug

In https://github.com/coreruleset/coreruleset/pull/3055 a new rule was introduced for JSON-Based SQL Injection. This is a v4 rule.

In testing, we have discovered that the regular expression for this rule triggers time-outs in the regex engine.

Reviewing the regex, it definitively has too many backtrack points and therefore a bad worst-case behavior.

Steps to reproduce

I cannot share the actual payloads, but in our testing, it only needs a long-running relatively small JSON to trigger long-running regex execution.

Additional context

Your Environment

  • CRS version (e.g., v3.2.0): Custom CRS version with JSON-Based SQL Injection included.
  • Paranoia level setting: PL1
  • ModSecurity version (e.g., 2.9.3): VMware (Avi Load Balancer), libmodsecurity3, PCRE

christiantreutler-avi, Nov 07 '23 08:11
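As an added illustration of what "too many backtrack points" means in practice (not part of this issue, and not the rule's actual regex, which is not reproduced here): a tiny anchored matcher that counts backtracking steps, run against a constructed JSON-flavoured pattern with overlapping wildcards and against a rewrite whose character classes cannot overlap. The patterns, the input fragments and the step budget are all constructed for the demonstration.

```python
ANY = None  # sentinel for '.', a class that accepts any character


def match(elems, s, limit=10**7):
    """Anchored full match of s against elems, a list of (charset, star).
    charset: a set of chars, ANY for '.', or ('not', set) for a negated class
    such as [^"]; star=True is a greedy '*'. Returns (result, steps), with
    result None if the step budget (think PCRE's match limit) ran out.
    """
    steps = [0]

    def accepts(cs, ch):
        if cs is ANY:
            return True
        if isinstance(cs, tuple):  # negated class
            return ch not in cs[1]
        return ch in cs

    def go(i, k):  # try to match elems[k:] against s[i:]
        steps[0] += 1
        if steps[0] > limit:
            raise RuntimeError("match limit exceeded")
        if k == len(elems):
            return i == len(s)
        cs, star = elems[k]
        if not star:
            return i < len(s) and accepts(cs, s[i]) and go(i + 1, k + 1)
        j = i  # greedy: take the longest run, then give back one char at a time
        while j < len(s) and accepts(cs, s[j]):
            j += 1
        return any(go(end, k + 1) for end in range(j, i - 1, -1))

    try:
        return go(0, 0), steps[0]
    except RuntimeError:
        return None, steps[0]


# Constructed patterns; both look for two quoted tokens followed by a colon.
# .*".*".*:  every '.*' can also swallow quotes, so when the colon is missing
# each of the three wildcards re-tries every split: about n^3 steps.
AMBIGUOUS = [(ANY, True), ({'"'}, False), (ANY, True), ({'"'}, False),
             (ANY, True), ({':'}, False)]
# [^"]*"[^"]*"[^"]*:  no class can match a quote, so there is only one split.
NOQUOTE = ('not', {'"'})
DISJOINT = [(NOQUOTE, True), ({'"'}, False), (NOQUOTE, True), ({'"'}, False),
            (NOQUOTE, True), ({':'}, False)]


def steps_to_reject(elems, n, limit=10**7):
    """Steps spent rejecting a constructed fragment of n quotes and no colon."""
    return match(elems, '"' * n, limit)[1]
```

Rejecting 16 and then 32 quote characters costs the ambiguous pattern 970 and 6546 steps (cubic growth) while the disjoint rewrite needs 6 steps either way; the rewrite also narrows what the pattern accepts, which is the trade-off a real fix has to weigh.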

@theMiddleBlue Please reach out if you'd like to discuss details.

christiantreutler-avi, Nov 07 '23 08:11

Thank you, @christiantreutler-avi

I'm currently reviewing the issue. @airween has already provided the payload, and I'm committed to finding a solution.

theMiddleBlue, Nov 08 '23 07:11

Any update here?

Also, is this something that has to go into CRSv4?

dune73, Dec 12 '23 08:12

@dune73 Probably can be omitted until either the regex is improved or re-written.

christiantreutler-avi, Dec 14 '23 12:12

Thank you. We'll just keep it open then.

dune73, Dec 14 '23 12:12

I'll take a look at this one now.

fzipi, Jul 06 '24 20:07