This is a special Agenda, only for the CRS Issues chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2024-18-04, at 20:30 CET (CEST during summer in the Northern Hemisphere). Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decision are here.

What happened in the meantime since the chat last month

Outside development

• The annual, in person CRS developer meetup took place in Woburn, UK from 1-8 November: CRS Dev Retreat 2024
• The monthly, online project discussion chat did not take place as a majority of the developer team were at the CRS retreat
• CrowdSec WAF released a tweet on X.com that shows their WAF's capability.

Rules development, key project numbers

PRs that have been merged since the last meeting

• docs: extended rule documentation (900200) #3934
• feat: add quantitative testing to Git workflow #3924
• fix: do not run scheduled in forked repos #3920
• fix(security): remove double URL decode (921151 PL2, 932190 PL3, 942441 PL2, 942442 PL2, 942460 PL3) #3741
• feat: added support for new web shells #3898
• feat: add fish shell files to restricted-files.data #3915
• chore: release v3.3.7 #3911
• chore: release v3.3.7 #3910
• chore: post-release v4.9.0-dev #3909
• fix: 9EA-241022 v3 #3906
• chore: release v4.8.0 #3907
• fix(ci): get version when releasing from branch name #3908
• fix: 9EA-241022 v4 #3905
• docs: update contributing #3903
• docs: update README #3904
• fix: bypass by supplying whitespace or path argument (933120 PL-1) #3894
• chore: remove fp-finder #3893
• fix: include v3.3.6 release notes in latest #3867
• chore: remove util virtual patching #3889
• chore: remove av-scanning #3871
• chore: remove join multiline rules #3877
• chore: remove change-version script #3869
• chore: remove crs2 renumbering #3873
• chore: remove geo-location #3875
• chore: remove send-payload-pls #3879
• chore: remove browser tools #3887
• chore: remove honeypot sensor #3883
• chore: remove find-max-datalen-in-tests #3891
• chore: remove verify id-range #3885

We merged 29 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

• feat: accidental firewall disability prevention #3650
• fix: 932270 FP #3917
• fix: move sql operators to include file #3901
• chore: find rules without test #3881
• chore: add quant as comment #3925
• chore: quantitative diff #3927
• fix(security): resolve SQL injection protection bypass (942380 PL2) #3720
• fix: prevent invalid commands matches on 5 characters or less (932220 PL-2, 932230 PL-1, 932232 PL-3, 932235 PL-1, 932236 PL-2, 932237 PL-3, 932238 PL-3, 932239 PL-2, 932250 PL-1, 932260 PL-1) #3735
• feat: added detection for quote evasion #3813
• feat: add product name tags #3815
• feat: added rule to detect Bash Brace Expansion #3780
• fix(932130): use lazy regex #3730
• fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) #3840
• fix: move rule's phase 950100 to 3 #3941

Separate 2nd Meeting (Monday, 2024-11-18)

• FP with rule 942360 #3914
• False positives with 933160 PL1 PHP Injection Attack: High-Risk PHP Function Call Found #3931
• False positives with 942151 PL1 SQL Injection Attack: SQL function name detected #3929
• 920220 PL1 / 920221 PL1 have a lot of false positives with unencoded percent signs in URIs (-> query strings) #3926 -> what regex version does the team prefer?

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.