Conversation

@EsadCetiner
Member

Proposed changes

956110 is intended to match Ruby ERB templates within response bodies to detect data leakage, however this syntax also overlaps with some common JavaScript templating engines (Zabbix, WordPress, and Horde IMP). I don't see a way to modify this rule to prevent these false positives since the syntax is virtually identical, so I'm moving this to level 2.

Closes #4343

PR Checklist

  • I have read the CONTRIBUTING doc
  • I have added positive tests proving my fix/feature works as intended.
  • I have added negative tests that prove my fix/feature considers common cases that might end in false positives
  • In case you changed a regular expression, you are not adding a ReDOS for pcre. You can check this using regexploit
  • My tests use the comment field to write the expected behavior
  • I have added documentation for the rule or change (when appropriate)

Further comments

N/A

For the reviewer

  • Positive and negative tests were added
  • Tests cover the intended fix/feature properly
  • No usage of dangerous constructs like ctl:requestBodyAccess=Off were used in the rule
  • In case a regular expression was changed, there is no ReDOS
  • Documentation is clear for the rule/change

@github-actions
Contributor

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@EsadCetiner EsadCetiner added this pull request to the merge queue Nov 19, 2025
Merged via the queue into coreruleset:main with commit a9f721d Nov 19, 2025
7 checks passed
@EsadCetiner EsadCetiner deleted the fix-956110-pl2-move branch November 19, 2025 00:30
Linked issue (closed by merging this pull request): False positives with Ruby leakage (956110)