Fix runaway regexp in 942260

* Add variant regexp assemble script to handle possessive qualifiers This is an interim solution and these changes will eventually be added back to regexp-assemble.pl * Use possessive qualifiers to tight this up and solve ReDoS problem Should address the remaining problem with #1359.
SpiderLabs · Jun 7, 2019 · 920ccf2 · 920ccf2
1 parent c6249fa
commit 920ccf2
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 4 deletions.
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -752,12 +752,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # Regexp generated from util/regexp-assemble/regexp-942260.data using Regexp::Assemble.
 # To rebuild the regexp:
 #   cd util/regexp-assemble
-#   ./regexp-assemble.pl regexp-942260.data
+#   ./regexp-assemble-v2.pl regexp-942260.data
 # Note that after assemble an outer bracket with an ignore case flag is added
 # to the Regexp::Assemble output:
-#   (?i:ASSEMBLE_OUTPUT)
+#    ASSEMBLE_OUTPUT | s/^(?:/(?i:/
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`]\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||and|div|&&)\s+[\s\w]+=\s*?\w+\s*?having\s+|like(?:\s+[\s\w]+=\s*?\w+\s*?having\s+|\W*?[\"'`\d])|[^?\w\s=.,;)(]+\s*?[(@\"'`]*?\s*?\w+\W+\w|\*\s*?\w+\W+[\"'`])|(?:union\s*?(?:distinct|[(!@]*?|all)?\s*?[([]*?\s*?select|select\s+?[\[\]()\s\w\.,\"'`-]+from)\s+|\w+\s+like\s+[\"'`]|find_in_set\s*?\(|like\s*?[\"'`]%))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'`]\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||and|div|&&)\s+[\s\w]+=\s*?\w+\s*?having\s+|like(?:\s+[\s\w]+=\s*?\w+\s*?having\s+|\W*?[\"'`\d])|[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w|\*\s*?\w+\W+[\"'`])|(?:union\s*?(?:distinct|[(!@]*?|all)?\s*?[([]*?\s*?select|select\s+?[\[\]()\s\w\.,\"'`-]+from)\s+|\w+\s+like\s+[\"'`]|find_in_set\s*?\(|like\s*?[\"'`]%)" \
     "id:942260,\
     phase:2,\
     block,\

diff --git a/util/regexp-assemble/regexp-942260.data b/util/regexp-assemble/regexp-942260.data
@@ -17,6 +17,6 @@ like\s*?[\"'`]\%
 [\"'`]\s*?\|\|\s+[\s\w]+=\s*?\w+\s*?having\s+
 [\"'`]\s*?\&\&\s+[\s\w]+=\s*?\w+\s*?having\s+
 [\"'`]\s*?\*\s*?\w+\W+[\"'`]
-[\"'`]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`]*?\s*?\w+\W+\w
+[\"'`]\s*?[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w
 select\s+?[\[\]()\s\w\.,\"'`-]+from\s+
 find_in_set\s*?\(
diff --git a/util/regexp-assemble/regexp-assemble-v2.pl b/util/regexp-assemble/regexp-assemble-v2.pl
@@ -0,0 +1,29 @@
+#!/usr/bin/env perl
+#
+# Create one regexp from a set of regexps.
+# Regexps can be submitted via standard input, one per line.
+#
+# Requires Regexp::Assemble Perl module.
+# To install: cpan install Regexp::Assemble
+#
+# See: http://blog.modsecurity.org/2007/06/optimizing-regu.html
+#
+
+use strict;
+use Regexp::Assemble;
+
+my $ra = Regexp::Assemble->new;
+while (<>)
+{
+  # Handle possessive qualifiers
+  # https://rt.cpan.org/Public/Bug/Display.html?id=50228#txn-672717
+  my $arr = $ra->lexstr($_);
+  for (my $n = 0; $n < $#$arr - 1; ++$n)
+  {
+    if ($arr->[$n] =~ /\+$/ and $arr->[$n + 1] eq '+') {
+      $arr->[$n] .= splice(@$arr, $n + 1, 1);
+    }
+  }
+  $ra->insert(@$arr);
+}
+print $ra->as_string() . "\n";