Description
A thing which could be tremendously helpful would be user-defined transformations.
The most interesting would probably be a parametrizable regular-expression replace transformation, let's say `t:replace:from:to`.
In CRS3, the RCE rules (932xxx) contain many horrible regexp abominations. I added these regexps to deal with shell evasions. The `t:cmdLine` transformation can't be used for us, since it replaces a character like `;`. We match on this character (among others) as a token for the start of a potential shell command. Also, `t:cmdLine` lowercases the string, which is not desired in this particular case.
We discussed possible `cmdLineWin` and `cmdLineUnix` transformations, but I think in general the cmdline transformations do a bit too much. It is also not very scalable to require upstream ModSecurity support for every transformation a rule set needs: it takes engineering effort to write them in C++, it would be undesirable if all users had to update their ModSec installs, and there might be a proliferation of transformations. This problem would go away if rule writers could define their own transformations.
The simplest way for a rule writer to create a transformation might be a regexp replace. In the CRS RCE rules, we could definitely use something like `t:replace:[\^\'\"\\]:` to elide those characters. I feel that regexps alone would allow rule writers to do a large part of their required transformation work.
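To make the proposal concrete, here is an added example (not ModSecurity code, and not part of this issue) that implements the proposed `t:replace:from:to` semantics in Python and runs it next to a simplified stand-in for `t:cmdLine`. The spec syntax, the split-on-colon parsing, the stand-in `cmdline_like` normalization, the `;\s*cat\b` rule and the payload are all constructed assumptions; the real `t:cmdLine` algorithm is more involved than what is shown here.

```python
import re

# Added example: the "t:replace:<regex>:<replacement>" transformation proposed
# in this issue, implemented in Python to illustrate the semantics. Not
# ModSecurity code; the spec syntax and parsing rules are assumptions.


def parse_replace_spec(spec):
    """Parse 't:replace:<regex>:<replacement>' into (compiled pattern, replacement).

    Only the first three colons are separators, so a ':' inside the replacement
    survives. A ':' inside the regex itself would need an escaping rule in a
    real design (assumption; the issue does not specify one).
    """
    parts = spec.split(":", 3)
    if len(parts) != 4 or parts[0] != "t" or parts[1] != "replace":
        raise ValueError("expected t:replace:<regex>:<replacement>, got %r" % spec)
    _, _, pattern, replacement = parts
    return re.compile(pattern), replacement


def apply_replace(spec, value):
    """Apply the replace transformation and return (new_value, changed).

    The 'changed' flag is the hint the issue suggests for user-defined
    transformations: a caller can skip copying when nothing was rewritten.
    """
    pattern, replacement = parse_replace_spec(spec)
    new_value, count = pattern.subn(replacement, value)
    return new_value, count > 0


def cmdline_like(value):
    """Simplified stand-in for t:cmdLine (assumption: not the real algorithm).

    It deletes quote/escape characters but also the ';' separator, and it
    lowercases the result. That is exactly why the issue says cmdLine cannot be
    used when ';' is itself the token a rule matches on.
    """
    return re.sub(r"[\\'\"^;,]", "", value).lower()


# Constructed stand-ins for the demonstration (not CRS rule text):
RULE = re.compile(r";\s*cat\b")       # "separator followed by a command name" token check
PAYLOAD = ";c'a't ./notes.txt"        # quote-splitting obfuscation the regexps must undo
SPEC = r"t:replace:[\^\'\"\\]:"       # the spec proposed in this issue: drop ^ ' " \


def demo():
    """Compare how the same rule fares on raw, cmdLine-like and replace-transformed input."""
    normalized, changed = apply_replace(SPEC, PAYLOAD)
    return {
        "raw_match": bool(RULE.search(PAYLOAD)),            # quotes break 'cat'
        "cmdline_like": cmdline_like(PAYLOAD),
        "cmdline_match": bool(RULE.search(cmdline_like(PAYLOAD))),  # ';' was stripped
        "replace": normalized,
        "replace_changed": changed,
        "replace_match": bool(RULE.search(normalized)),     # ';' kept, quotes removed
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-16s %r" % (key, val))
```

The point of the comparison is the middle row: the cmdLine-like pass removes the quotes but also removes the `;` the rule keys on, so the rule misses, while the narrower replace transformation strips only the evasion characters and the rule matches. The `changed` flag comes back `False` for inputs the regexp did not touch, which is the cheap "was anything modified" signal this issue asks for.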
In the far future, it could be even more powerful to let people write Lua transformations, e.g. `t:exec:evasion.lua`. The Lua script would receive a string and have the possibility to return it changed. Extreme care should probably be taken about performance (maybe the script could indicate whether a modification was done or not, to prevent copies/allocations). Even then, however, the performance of the Lua bindings might not be acceptable for large-scale use.