Skip to content

fix(security): fixing double URL decode of REQUEST_URI #4047

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
azurit merged 6 commits into from
Mar 25, 2025
Merged

fix(security): fixing double URL decode of REQUEST_URI #4047

azurit merged 6 commits into from
Mar 25, 2025

Conversation

@azurit
Copy link
Member

@azurit azurit commented Mar 23, 2025
edited
Loading

Variable REQUEST_URI is URL decoded by the engine so we should NOT use t:urlDecodeUni / t:urlDecode actions with it, otherwise, the value gets URL decoded twice.

It looks as better fix for rule 921240 to remove action t:urlDecodeUni and keep using REQUEST_URI but it is not as rule runs in phase 1 and, thanks to a bug in modsec2, REQUEST_URI is URL decoded at the start of phase 2. This does not apply for modsec3, where it is URL decoded at the start of phase1, so we need to use REQUEST_URI_RAW + t:urlDecodeUni to keep consistent bahavior accross the engines (by the way, current behavior of this rule differs between modsec2 and 3 as it gets double URL decoded in modsec3 but not in modsec2).

Note: Variable REQUEST_URI_RAW may contain also domain name (if it was send by client) which is a different behavior from REQUEST_URI but it shoud not interfere with affected rules.

@github-actions
Copy link
Contributor

github-actions bot commented Mar 23, 2025
edited
Loading

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@azurit azurit added the ⚠️ do not merge Additional work or discussion is needed despite passing tests label Mar 23, 2025
@azurit azurit removed the ⚠️ do not merge Additional work or discussion is needed despite passing tests label Mar 23, 2025
theseion
theseion previously approved these changes Mar 23, 2025
View reviewed changes
@azurit azurit changed the title fix: fixing double URL decode or REQUEST_URI security: fixing double URL decode or REQUEST_URI Mar 24, 2025
@azurit azurit changed the title security: fixing double URL decode or REQUEST_URI security: fixing double URL decode of REQUEST_URI Mar 24, 2025
@azurit azurit changed the title security: fixing double URL decode of REQUEST_URI fix(security): fixing double URL decode of REQUEST_URI Mar 24, 2025
@fzipi
Copy link
Member

fzipi commented Mar 24, 2025

You probably need to update test 930110-7?

@azurit
Copy link
Member Author

azurit commented Mar 24, 2025

You probably need to update test 930110-7?

@fzipi No, test is ok, see #4050.

@azurit
Copy link
Member Author

azurit commented Mar 25, 2025

Ready for review.

@azurit azurit added this pull request to the merge queue Mar 25, 2025
Merged via the queue into coreruleset:main with commit acf3189 Mar 25, 2025
6 checks passed
@azurit azurit deleted the RequestUriRaw branch March 25, 2025 18:46
@fzipi fzipi mentioned this pull request Apr 7, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@theseion theseion theseion approved these changes

Assignees

No one assigned

Labels

release:important

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@azurit @fzipi @theseion