Monthly Chat Agenda March (2020-03-02)

[dune73]

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, March 2, at 20:30 CET.

Items on the Agenda:

• Previous Meetings decisions: Monthly Chat Agenda February (extraordinary changed to: 2020-02-10) #1671 (comment)

PRs

In light of the planned migration or our github, cleaning out the open PRs would be welcome.

• Rule to check if both C-L and T-E are present #1310 - Checking for presence CT in combo with LE, Travis fails on 942350-2
• Revert #578 #1616 - Revert of an older PR - waiting for an update to the commit msg and now we have conflicts
• Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf #1690 - Coverage of more exotic CT headers - PR needs work and contributor probably grew tired
• Ignore check of CT header in POST reqest if protocol is HTTP/2 #1695 - Ignore CT header for HTTP/2
• New ldap injection rule 921200 (fixes issue #276) #1707 - New LDAP injection rule 921200 (fix for LDAP Injection Rule #276)

PRs on hold

• 932200: PL1 RCE bypass uninitialized variable (DRAFT) #1602 - PR against 932200 bypass - this has been in DRAFT for + 4 months
• RE2 compatibility for 920120 #1663 - on hold - @dune73 tries to get this tested with CDN support
• Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) #1667 - on hold - Remove /util/docker folder
• Extend sql having in rule 942230 #1674 - on hold - @dune73 tries to get this tested with CDN support

Other items

• GitHub migration scheduled for March 18 (unconfirmed). Migration team: @dune73, @lifeforms and @fzipi.
• travis-ci status: We are still only working on a workaround. Yet @fzipi has been working on a replacement of our Travis integration with github actions. Status update?
• Drop support for python 2 in FTW
• General problem with newly discovered DoS issues in our rules

Feel free to add items as you see fit either above, or below as comments.

Open Issues

In January 2020, we decided to look into 10 issues at the chat every month. But only after the Other items. Pick the issues before the meeting and list them below.

• Issue slot 1: pmf and case-sensitive matching #998 - Reflection on reverting a change around the topic of @pmf
• Issue slot 2: Rule 921130: False positive #1609, FP on 921130 (@franbuehler will look into this)
• Issue slot 3: Rule 921120: False positive #1615, FP on 921120 (@franbuehler will look into this)
• Issue slot 4: Review severity levels of CRS to make sure all rules have severity levels #610 - consistent support for "severity" action
• Issue slot 5: Consistent support for the "ver" action #650 - consistent support for "ver" action
• Issue slot 6: SQLi id:942100, false positive on combination of two chars #794 - FP on 942100
• Issue slot 7: phpMyAdmin "on" cookie blocked by libinjection #820 - FP on 941100
• Issue slot 8: False positive on Cyrillic input 942120 (PL2) #823 - FP on 942120
• Issue slot 9: Rule 942450 (SQL Hex Encoding Identified) too lax? #833 - FP on 942450
• Issue slot 10: Rule 941310: False positive #1645 - FP on 941310

If you are not yet on the OWASP Slack, here is your invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM .
Everybody is welcome to join our community chat.

[dune73]

Decisions

PRs

• Rule to check if both C-L and T-E are present #1310 - merged
• Revert #578 #1616 - @fgsch is at it but needs more time
• Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf #1690 - @fgsch volunteers to get this completed
• Ignore check of CT header in POST reqest if protocol is HTTP/2 #1695 - merged
• New ldap injection rule 921200 (fixes issue #276) #1707 - @lifeforms will review on his production servers and merge this

PRs on hold

• 932200: PL1 RCE bypass uninitialized variable (DRAFT) #1602 - we will ask @theMiddleBlue what the matter with his PR is
• RE2 compatibility for 920120 #1663 - on hold with @dune73
• Extend sql having in rule 942230 #1674 - on hold with @dune73
• Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) #1667 - on hold on request of @fzipi

Other issues

• @lifeforms is going to be release manager for 3.3.
• Github migration is scheduled for March 18, confirmation with Trustwave pending. Migration team is @dune73, @lifeforms and @fzipi. The idea is to move our github to github.com/coreruleset and to let crs-support die.
• FTW + Python 2: @fgsch is very close to a PR that moves FTP to Python 3. We will keep Python 2 for the upcoming CRS 3.3 release intact, but will drop afterwards.
• There are more ReDoS issues with some our rules around. @airween has been trying to sort this out for some time. After the meeting, @allanrbo spoke up and immediately submitted some ideas in a PR at Perf issue with regexes that start with repeating digits #1708.

Issues

• pmf and case-sensitive matching #998 - postponed
• Rule 921130: False positive #1609, FP on 921130 - @franbuehler will look into this
• Rule 921120: False positive #1615, FP on 921120 - @franbuehler will look into this
• Review severity levels of CRS to make sure all rules have severity levels #610, consistent support for "severity" action - @lifeforms will cover this
• Consistent support for the "ver" action #650, consistent support for "ver" action - @airween will do this
• SQLi id:942100, false positive on combination of two chars #794, FP on 942100 - @dune73 will talk to the libinjection project
• phpMyAdmin "on" cookie blocked by libinjection #820, FP on 941100 - @dune73 will talk to the libinjection project
• False positive on Cyrillic input 942120 (PL2) #823, FP on 942120 - close and try to find somebody really working on unicode. @dune73 and @franbuehler have set their eye on somebody outside the project
• Rule 942450 (SQL Hex Encoding Identified) too lax? #833, FP on 942450 - @lifeforms will cover this
• Rule 941310: False positive #1645, FP on 941310 - @theseion is picked this one up