Tom S.

Reputation: 63

Varnish modsecurity rules syntax errors

I am trying to run the modsecurity CRS within Varnish (varnish-6.0.3), but I have a problem with rules 932106, 932150, 932105 and 932100 (the RCE-related ones). The VCC compiler throws a syntax error (for example for rule 932106):

   if(req.url ~ "(?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\.\/\\\\]+\/)?[\\\\'\"]*(?:(?:(?:a[\\\\'\"]*p[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*u[\\\\'\"]*d|u[\\\\'\"]*p[\\\\'\"]*2[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t)[\\\\'\"]*e|d[\\\\'\"]*n[\\\\'\"]*f|v[\\\\'\"]*i)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*(?:a[\\\\'\"]*c[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*(?:\s|<|>).*|w[\\\\'\"]*d|s)|w[\\\\'\"]*(?:(?:\s|<|>).*|h[\\\\'\"]*o))\b{
------------------------------------------------------------------------------------------------------------------------------------------#-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

without any further explanation, which means the syntax error is within \". This is kind of surprising, as the " char is escaped.

Has anyone had a similar issue in the past, or does anyone have an idea how to solve it?

The regexes from the rulesets are not modified and are stable ones from CRS (v3.0).

Upvotes: 0

Views: 121

Answers (1)

Thijs Feryn

Reputation: 4808

I suggest you use long strings to reduce the risk of escaping issues.

This is what a long string looks like in Varnish:

{"Some string, including "double quotes""}

That way, you don't need to escape double quotes, and maybe that will solve your problem.

Upvotes: 2
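As an added illustration of the answer above (not code from the question, the answer, or the CRS project), here is a minimal VCL file that wraps a regex containing both " and ' in a long string. The backend address and the shortened command-injection pattern are constructed for the example; the pattern is only in the spirit of the CRS rules quoted in the question, not one of them.

```vcl
vcl 4.0;

# Constructed backend for the example; any origin will do.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Plain VCL strings have no backslash escape mechanism, so the \"
    # emitted by the rule generator ends the string early and VCC fails.
    # A long string is delimited by {" and "} and may contain bare
    # double and single quotes, so the regex below needs no escaping.
    # Simplified, constructed pattern: a shell separator followed by an
    # optional quote run and a short command word.
    if (req.url ~ {"(?:;|\||&&|`|\$\()\s*(?:'|")*(?:id|ps|whoami)\b"}) {
        return (synth(403, "Forbidden by WAF rule"));
    }
}
```

The only sequence a long string cannot contain is the closing "} itself, so check a CRS pattern for that two-character sequence before converting it; any \" inside the pattern can be left as-is, since PCRE treats an escaped quote as the literal character.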
