Test: 026 - MATCHED_VARS_NAMES #33

Open: wants to merge 2 commits into base: main
Conversation

Sebitosh
Contributor

Description

#27
Based on issue owasp-modsecurity/ModSecurity#3382
Positive and negative tests for target MATCHED_VARS_NAMES

Added features

I added two features to the generator script to create these tests:

  1. Enable no_expect_ids to get the current rule id. This is my proposition to implement negative tests. Of course, negative tests for MRTS will have a different motivation than for CRS regression tests. CRS cares about avoiding false positives on the rule set; MRTS should use it to verify correct feature implementation. In the case of targets, negative tests will probably not be created for each target, and when they are, it will be for reasons specific to that target or category of targets. In our case, a negative test helps us recreate the scenario of Issue 3382. In general, enabling no_expect_ids with the current rule id is quite useful for negative tests.

  2. Enable multiple request arguments. Allows multiple dictionary entries in the test.data section to define test requests. In this case it is useful to recreate the test proposed by the issue author.

Evaluation on ModSecurity2

Quite surprisingly, the positive test fails. The reason for this is that the semantics of MATCHED_VARS_NAMES on V2 seems to be "vars names of the current rule being matched". I verified manually and it works inside rule actions and in chained rules, but in the example from issue 3382 when it tests for rules following each other, MATCHED_VARS_NAMES is resolved to empty.

For the same reason, the negative tests pass.

Evaluation on libmodsecurity3

The positive tests pass, and the negative tests fail, demonstrating issue 3382.

Sebitosh added 2 commits May 25, 2025 20:46
Signed-off-by: Sebitosh <soloplayerdiablo@gmail.com>
Signed-off-by: Sebitosh <soloplayerdiablo@gmail.com>
@Sebitosh Sebitosh force-pushed the matched_vars_names branch from 1d0be79 to c951265 Compare May 29, 2025 14:14
Contributor Author

Sebitosh commented May 29, 2025

I have reworked the positive test a bit: since MATCHED_VARS_NAMES is a collection, I tested it by making the ARGS, ARGS_NAME, and REQUEST_COOKIES targets match and checking the presence of each target by creating combinations using oparg.

The tests pass on V3 and fail on V2 for the same reasons as before. This way, we confirm that the target holds ALL previously matched variable names.

Member

airween commented Jun 1, 2025

Let me review this with @M4tteoP. Moreover, there is an issue for v3; we should investigate that first.
