I decided that the other thread was becoming too massive to include
false positives as well and so am starting this thread!
To get the ball rolling:
An interesting problem with the rule that "finds attribute breaking
injections including obfuscated attributes":
This rule will be triggered by:
x = true;
y = false;
but not by:
x = true;y = false;
M
x = true;y = false;
</fixed>
Thanks!
I have a few things to mention about this filter in the hope of making
it better. (Please pardon me if I am misunderstanding anything here.)
1) The first part doesn't really add anything to the regex. Having
optional matching parts at the beginning or end of the regex is
useless because they are never needed to make a match. In
particular, the ([':;,])? part is optional, so it can be done away
with. Same for the following \s* . In other words, string X will
match this filter if and only if it matches [)}\]](?(1)).+[=;:{[] .
2) The (?(1)) looks like the conditional notation you (.mario) were
telling me about. If so, is this doing what you intended it to do? I
see that you are using the conditional notation in other patterns now,
so what's going on here?
3) Assuming 1 and 2 are correct, then this pattern boils down to
[)}\]].+[=;:{[] which would seem to trigger a lot of false positives.
I'm not sure what specific attacks this filter was originally
created for, so I don't want to speculate on how I would improve it.
On Sep 18, 2:57 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
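
The equivalence claimed in point 1 and the false-positive concern in point 3 can be checked against sample input. This is an added example, not part of the thread or of the filter's own code; it assumes an unanchored search with no flags, leaves out the (?(1)) fragment on the assumption that it matches the empty string, and uses constructed benign strings.

```python
import re

# Fragments quoted in the post above. Assumptions: unanchored search, no
# flags, and the empty conditional (?(1)) treated as matching the empty
# string and therefore left out.
FULL = re.compile(r"([':;,])?\s*[)}\]].+[=;:{\[]")
REDUCED = re.compile(r"[)}\]].+[=;:{\[]")

# Constructed benign inputs (not taken from the thread).
BENIGN = [
    "if (a) { b = 1; }",
    "See table (fig. 2) for details; thanks",
    "arr[0] = 5",
    "f(a, ) and b = 2",          # exercises the optional prefix of FULL
    "Prices (approx.): 10 EUR",  # ')' directly followed by ':' only
    "list: [1, 2]; done",        # ']' directly followed by ';' only
    "hello world",
]


def disagreements(samples):
    """Inputs where the full and reduced patterns give different verdicts."""
    return [s for s in samples
            if bool(FULL.search(s)) != bool(REDUCED.search(s))]


def flagged(samples, pattern=REDUCED):
    """Benign inputs the pattern would report, i.e. false positives."""
    return [s for s in samples if pattern.search(s)]


if __name__ == "__main__":
    print("verdicts differ on:", disagreements(BENIGN))
    for s in flagged(BENIGN):
        print("false positive:", repr(s))
```

The two bracketed strings that are not flagged show the one constraint the reduced pattern does impose: `.+` needs at least one character between the closing bracket and the `=;:{[` character.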