30 changes: 22 additions & 8 deletions regex-assembly/942550.ra
Expand Up @@ -3,28 +3,42 @@

##! Referring to https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
##! this rule tries to match the following payloads:
##!
##!
##! PostgreSQL reference: https://www.postgresql.org/docs/current/functions-json.html
##! PostgreSQL: '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb
##! PostgreSQL: '{"b":2}'::jsonb @> '{"a":1, "b":2}'::jsonb
##! PostgreSQL: '{"b":2}'::jsonb @ '{"a":1, "b":2}'::jsonb
##! PostgreSQL: '{"b":2}'::jsonb < '{"a":1, "b":2}'::jsonb
##! PostgreSQL: '{"b":2}'::jsonb > '{"a":1, "b":2}'::jsonb

##! SQLite reference: https://www.sqlite.org/json1.html
##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7
##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' <- '$.c[2].f' = 7
##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' < '$.c[2].f' = 7
##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' > '$.c[2].f' = 7

##! MySQL reference: https://dev.mysql.com/doc/refman/8.4/en/json-function-reference.html
##! MySQL: JSON_EXTRACT('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan'
##! MySQL: SELECT id FROM users WHERE id=JsoN_EXTraCT/**/(/**/' {"a":1} '/**/,/**/' $.a '/**/);

##! This regex relies on the `removeWhitespace` transformation.

##!+ i

##!> define quotes [\"'`]
##!> define operators (?:@>|<@|\?|\?\||\?&|#>|#>>|->>|<|>|->|<-)
##!> define json_ending_brackets [\]\}]
##!> define json_starting_brackets [\[\{]
##!> define json_starting_brackets [[{]
##!> define something_except_json_ending_brackets [^}\]#]*
##!> define json_ending_brackets [\]}]+
##!> define sql_comment (/\*.*?\*/)?
##!> define non_greedy_jsonb (?:::{{sql_comment}}jsonb?)?

##!> assemble
##! https://regex101.com/r/mzG5Fg/1
{{quotes}}{{json_starting_brackets}}.*{{json_ending_brackets}}{{quotes}}.*(::.*jsonb?)?.*{{operators}}
{{operators}}{{quotes}}{{json_starting_brackets}}.*{{json_ending_brackets}}{{quotes}}
##! SQLite + PostgreSQL
{{non_greedy_jsonb}}{{operators}}
{{quotes}}{{json_starting_brackets}}{{something_except_json_ending_brackets}}{{json_ending_brackets}}{{quotes}}
{{operators}}{{quotes}}{{json_starting_brackets}}{{something_except_json_ending_brackets}}{{json_ending_brackets}}{{quotes}}

##! example: SELECT id FROM users WHERE id=JsoN_EXTraCT/**/(/**/' {"a":1} '/**/,/**/' $.a '/**/);
json_extract.*\(.*\)
##! MySQL
\bjson_extract\b[^\(]*\([^)]*\)
##!<
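Review bot: The `{{non_greedy_jsonb}}{{operators}}` alternative stands on its own, and because `non_greedy_jsonb` is optional it reduces to the bare operator set; in the regenerated rule in rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf this is the first alternative `(?:::(/\*.*?\*/)?jsonb?)?(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)`, which fires on any lone `<`, `>` or `?` in ARGS, cookies or the filename. That looks like a false-positive regression rather than the intent, which from the replaced pattern is json literal, optional cast, operator; if so, append the cast and operator to the literal alternative instead: `{{quotes}}{{json_starting_brackets}}{{something_except_json_ending_brackets}}{{json_ending_brackets}}{{quotes}}{{non_greedy_jsonb}}{{operators}}` and drop the standalone line. `{{sql_comment}}` is only consumed between `::` and `jsonb`, but the added test 37 places its comment after `#>`, so it matches through the operator branch and does not exercise the new define; a constructed payload with the comment inside the cast, e.g. `'{"a":1}'::/*x*/jsonb#>'{a,b}'`, would. The capturing group in `sql_comment` could also be written `(?:/\*.*?\*/)?` to match the other defines, and a short `##!` comment explaining why `something_except_json_ending_brackets` excludes `#` would help the next maintainer.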
4 changes: 2 additions & 2 deletions rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Expand Up @@ -605,11 +605,11 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)1\
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 942550
#
SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\[\{].*[\]\}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)[\"'`][\[\{].*[\]\}][\"'`]|json_extract.*\(.*\)" \
SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:::(/\*.*?\*/)?jsonb?)?(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)?[\"'`][\[\{][^#\]\}]*[\]\}]+[\"'`]|\bjson_extract\b[^\(]*\([^\)]*\)" \
"id:942550,\
phase:2,\
block,\
t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace,\
t:none,t:urlDecodeUni,t:removeWhitespace,\
msg:'JSON-Based SQL Injection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand Up @@ -670,3 +670,21 @@ tests:
output:
log:
expect_ids: [942550]
- test_id: 37
desc: |
SQL Comment in payload
decoded payload: OR '{"a":1}'::jsonb #> /* Some * comment */'{a,b}' ? 'c'
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: "*/*"
method: GET
port: 80
uri: "/get?q=OR%20%27%7B%22a%22%3A1%7D%27%3A%3Ajsonb%20%23%3E%20%2F%2A%20Some%20%2A%20comment%20%2A%2F%27%7Ba%2Cb%7D%27%20%3F%20%27c%27"
version: HTTP/1.1
output:
log:
expect_ids: [942550]