What's Changed

🆕 New features and detections 🎉

• feat(931100): add IPv6 support / XML scan and SSH scheme. by @touchweb-vincent in #4321
• feat(920440): add new restricted file extensions by @touchweb-vincent in #4322

🧰 Other Changes

• fix(942160): adding unit test for double comment by @touchweb-vincent in #4315
• fix(920280, 920300, 920310, 920311, 920320, 920330): should be block by @touchweb-vincent in #4319
• fix(942151,942152): wrong functions names by @touchweb-vincent in #4333
• feat(942460): adding help for non-English folks by @touchweb-vincent in #4334
• fix(932180): reduce substring false positives by @EsadCetiner in #4338
• fix(942151,942152): wrong functions names by @touchweb-vincent in #4337
• fix(920180): wrong unit test - content-type evasion bypass by @touchweb-vincent in #4339
• fix(956110): move rule to pl-2 by @EsadCetiner in #4344
• docs: comment on disabling Expect header in .Net by @theseion in #4348
• fix: add missing capture action to affected rules by @airween in #4361

Full Changelog: v4.20.0...v4.21.0

What's Changed

🆕 New features and detections 🎉

• feat: update restricted file extensions by @EsadCetiner in #4287
• feat(930120): adding conf file for PrestaShop 1.6 / 1.7 / 8+ & Magento 2 by @touchweb-vincent in #4303
• feat: add expect header to list of restricted headers by @franbuehler in #4298

🧰 Other Changes

• fix(942560): missing capture keyword by @touchweb-vincent in #4285
• fix(932281): reduce false positive matches with json payload by @EsadCetiner in #4288
• fix(932240): reduce false positive matches with json payloads by @EsadCetiner in #4290
• fix(921180, 921210, 921220): should be block not pass by @touchweb-vincent in #4294
• fix(942550): partial revert - too high risk of false positive by @touchweb-vincent in #4284
• fix(942160): updating regex to deal with new payloads by @touchweb-vincent in #4292

Full Changelog: v4.19.0...v4.20.0

What's Changed

⭐ Important changes

• refactor: 920340 - delete 920341 by @touchweb-vincent in #4268

🆕 New features and detections 🎉

• fix: update lfi-os-files.data by @Xhoenix in #4240

🧰 Other Changes

• fix: dont block .url file extension by @EsadCetiner in #4259
• fix(933135): wrong score variable by @touchweb-vincent in #4262
• fix(933153): missing inbound_anomaly_score by @touchweb-vincent in #4260
• fix(953100): remove generic SQLSTATE error codes causing false positives by @Elnadrion in #4257
• feat: add stricter sibling 954101 to 954100 by @franbuehler in #4258
• fix(942550): cleanup regex by @fzipi in #3767
• fix: reduce false positives with php response rules by @EsadCetiner in #4272
• fix: don't block on all question marks (942550 PL-1) by @EsadCetiner in #4264
• feat: whitelist application/csp-report content-type header by @Elnadrion in #4274

New Contributors

• @touchweb-vincent made their first contribution in #4262
• @Elnadrion made their first contribution in #4257

Full Changelog: v4.18.0...v4.19.0

What's Changed

🆕 New features and detections 🎉

• feat: add application/reports+json content-type header by @Xhoenix in #4230
• feat: update unix commands list by @EsadCetiner in #4215
• feat: added ssh commands by @Xhoenix in #4249
• feat: detect rmt and rmt-tar by @theseion in #4242

🧰 Other Changes

• feat: Add product name tags by @TimDiam0nd in #3960
• fix: remove dot star by @Xhoenix in #4235
• fix(942370): remove dot star by @Xhoenix in #4234
• fix: avoid matching non-ruby errors and source code by @EsadCetiner in #4224
• fix: don't replace cmdline suffixes for 932220 and 932250 by @theseion in #4231

Full Changelog: v4.17.1...v4.18.0

What's Changed

⭐ Important changes

• chore: removed detection for LaTeX injection by @Xhoenix in #4221

🧰 Other Changes

• fix(942340): remove dot star by @Xhoenix in #4220

Full Changelog: v4.17.0...v4.17.1

What's Changed

⭐ Important changes

• feat: remove PCI DSS tags (#4194) by @pha6d in #4203

🆕 New features and detections 🎉

• feat: added detection for ASP.NET errors by @Xhoenix in #4092
• feat: added detection for RCE via Referer header by @Xhoenix in #3993
• feat: added detection for LaTeX injection by @Xhoenix in #4206
• feat: added detection for ruby errors and code leakage by @Xhoenix in #4089

🧰 Other Changes

• fix(951xxx): remove dot star by @Xhoenix in #4171
• fix: use word bondary on 952110 to avoid matching non-java errors by @EsadCetiner in #4177
• feat: Update java-classes.data by @KIC-8462852 in #4173
• fix(931130): update file uri with single slash by @fzipi in #4193
• fix(932281): avoid matching on json payloads by @EsadCetiner in #4187
• fix: 932280/932281 bypass by @Xhoenix in #4207

New Contributors

• @KIC-8462852 made their first contribution in #4173
• @pre-commit-ci[bot] made their first contribution in #4185
• @pha6d made their first contribution in #4203

Full Changelog: v4.16.0...v4.17.0

What's Changed

🆕 New features and detections 🎉

• feat: remediation for Python SSTI by @TheRubick in #4145
• fix: update rule 942560 by @Xhoenix in #4161
• feat: detect generic config filenames by @EsadCetiner in #4102
• feat: update java-errors.data by @Xhoenix in #4113
• feat: added rule to detect Bash Brace Expansion by @Xhoenix in #3780
• feat: added MongoDB operators by @Xhoenix in #4162
• feat: added zmodload and sudo-rs by @Xhoenix in #4143

🧰 Other Changes

• fix(941160): remove dot star by @fzipi in #4155
• fix(934140): remove dot star by @fzipi in #4165
• fix(932370): remove dot star by @fzipi in #4166
• fix(955xxx): remove dot star by @Xhoenix in #4169
• fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) by @EsadCetiner in #3840
• fix: create a stricter sibling to 932370 and move at to PL-2 (932370 PL-1, 932371 PL-2) by @EsadCetiner in #4015
• fix(942340): remove dot star by @fzipi in #4164
• refactor(942340): move to regex assembly by @fzipi in #4014
• fix(933160): remove dot star by @fzipi in #4167

New Contributors

• @TheRubick made their first contribution in #4145

Full Changelog: v4.15.0...v4.16.0

What's Changed

🆕 New features and detections 🎉

• feat: add User-Agent and Referer into targets (942280 PL1) by @azurit in #4115
• feat: update java-classes.data by @Xhoenix in #4080
• feat: block database yaml files by @EsadCetiner in #4130

🧰 Other Changes

• fix: false positive with title_strip_tags by moving strip_tags to 933160 by @EsadCetiner in #4105
• fix: remove self command by @EsadCetiner in #4111
• fix: remove rc shell to reduce FPs by @theseion in #4125
• feat: remove unnecessary character class from 933151 by @TimDiam0nd in #4135
• fix: false positives with session tokens/cookies 933150 by @EsadCetiner in #4142
• fix: add word ending to unix command sendmail (932235 PL1, 932236 PL2, 932239 PL2, 932260 PL1) by @franbuehler in #4141
• feat: 933151 change from capture and double pmf to regex by @TimDiam0nd in #4139
• feat: 933120 change from capture and double pmf to regex by @TimDiam0nd in #4138
• feat: remove exclusion of deprecated __utm cookies by @theseion in #4151

Full Changelog: v4.14.0...v4.15.0

What's Changed

🆕 New features and detections 🎉

• feat: detect ASP web shells by @Xhoenix in #4063
• feat: detect compressed database dumps by @EsadCetiner in #4082
• feat: detect javascript methods import fetch console.log console.dir by @EsadCetiner in #4076

🧰 Other Changes

• fix: fixing FPs related to rule 951220 by @azurit in #4079
• fix: don't block ttf font files by @EsadCetiner in #4081
• fix: 932270 FP by @Xhoenix in #3917
• fix(954100): detect forward slash in path by @Xhoenix in #4094
• fix: remove .application from restricted extensions by @EsadCetiner in #4103
• fix: 44J-250329 by @EsadCetiner in #4107

Full Changelog: v4.13.0...v4.14.0

What's Changed

⭐ Important changes

• fix(security): fixing double URL decode of REQUEST_URI by @azurit in #4047

🆕 New features and detections 🎉

• feat: block header related to CVE-2025-29927 (Next.js) by @azurit in #4053
• feat: added new XSS payloads by @Xhoenix in #4055
• feat: add potential malicious file extensions into tx.restricted_extensions by @Xhoenix in #4068
• feat: add additional files commonly accessed by bots by @EsadCetiner in #4069
• feat: adding .dist and .dpkg-dist into tx.restricted_extensions by @azurit in #4057
• feat: add more default session cookie names by @Xhoenix in #4062

🪦 Rule removals

• feat: remove rule 952100 for detecting Java Source Code Leakage by @S0obi in #4052

🧰 Other Changes

• fix(934130): extend prototype pollution payload by @Xhoenix in #4036
• fix: rule 930110 is not supposed to match bare '..' without (back)slashes by @azurit in #4050
• fix: use boundary to fix false positive with email [email protected] by @EsadCetiner in #4045
• feat: refresh restricted-upload.data by @S0obi in #4046
• fix: tag inconsistency per file by @Xhoenix in #4031
• fix: added pre-check of unset TX variable by @airween in #4066
• fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) by @EsadCetiner in #4019

New Contributors

• @daum3ns made their first contribution in #4043
• @S0obi made their first contribution in #4046

Full Changelog: v4.12.0...v4.13.0