Closed
Description
This application contains a feature that allows an authenticated actor to send messages to another authenticated actor of a different type. Note that this bug is not unique to this feature, and seems to be related to the 'having friends over is nice' string in the request body.
How to reproduce the misbehavior (-> curl call)
curl 'https://foo.com/encryption/encrypt' \
-H 'accept: application/json' \
-H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8' \
-H 'authorization: Bearer xxxx' \
-H 'content-type: application/json' \
-H 'origin: https://foo.com' \
-H 'referer: https://foo.com/' \
-H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36' \
--data-raw '[{"bodies":["having friends over is nice"],"source":{"@id":"some-uuid","@type":"MailboxConversation"}}]'
Note that the requests are not blocked with other state.
Your Environment
- CRS version: v3.3.2
- Paranoia level setting: PL1
- ModSecurity version (e.g., 2.9.6): N/A (Using Google Cloud Armour with these rules)
- Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): Google Cloud Platform
- Operating System and version: N/A (web application firewall using managed service, Google Cloud Armour)
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
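To confirm which words of the body are behind the block, here is an added example (not part of this report or of the CRS project) that greedily minimises the `bodies[0]` text of the reported payload while an oracle still reports a block. The oracle in the block is a constructed stand-in regex assumed for offline use and is not the CRS rule; in practice you would replace it with a function that replays the request against the WAF and returns True when it is blocked.

```python
"""Isolate which words of a request body trigger a WAF block (false-positive triage).

Greedy 1-minimal word-level reduction: drop one word at a time and keep the
drop when the shorter body is still blocked. The oracle is a callable so it
can be swapped for one that replays the request against the real WAF.
"""
import json
import re
from typing import Callable

# Payload from the report; the source identifiers are placeholders as reported.
REPORTED_BODY = [{"bodies": ["having friends over is nice"],
                  "source": {"@id": "some-uuid", "@type": "MailboxConversation"}}]


def body_with_text(text: str) -> str:
    """Serialise the reported JSON body with bodies[0] replaced by `text`."""
    payload = json.loads(json.dumps(REPORTED_BODY))  # deep copy, keep the rest intact
    payload[0]["bodies"] = [text]
    return json.dumps(payload)


def minimise_words(text: str, is_blocked: Callable[[str], bool]) -> str:
    """Return a shortest word subsequence of `text` whose body is still blocked.

    Returns "" when the full text is not blocked at all (nothing to isolate).
    """
    words = text.split()
    if not is_blocked(body_with_text(" ".join(words))):
        return ""
    changed = True
    while changed:
        changed = False
        for i in range(len(words)):
            candidate = words[:i] + words[i + 1:]
            if candidate and is_blocked(body_with_text(" ".join(candidate))):
                words = candidate  # the block survives without this word; drop it
                changed = True
                break
    return " ".join(words)


# Constructed stand-in oracle (an assumption for offline use, NOT the CRS rule):
# mimics a keyword-pattern check that fires on "having ... is" anywhere in the body.
_STANDIN = re.compile(r"\bhaving\b.*\bis\b", re.IGNORECASE)


def standin_waf_blocks(raw_body: str) -> bool:
    """Stand-in for 'replay the request and report whether the WAF blocked it'."""
    return bool(_STANDIN.search(raw_body))


if __name__ == "__main__":
    print(minimise_words("having friends over is nice", standin_waf_blocks))
```

Each candidate is replayed inside the full JSON body so that the WAF sees the same request structure as the reporter's curl call, only with a shorter string.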