Regular Expression Failure Triggers `!@rx`

[ssigwart]

Describe the bug

When there's a regular expression error due to SecPcreMatchLimit or SecPcreMatchLimitRecursion (i.e. MSC_PCRE_LIMITS_EXCEEDED), a rule using !@rx will say that the rule was triggered. However, failures with @rx will say that the rule was not triggered. I think both should assume the rule was not triggered. See coreruleset/coreruleset#3640 (comment) for additional context.

To Reproduce

See coreruleset/coreruleset#3640 (comment).

You can probably reproduce by setting SecPcreMatchLimit and SecPcreMatchLimitRecursion really low (maybe 5) and adding a !@rx rule.

Expected behavior

I would expect !@rx to not trigger a rule if there's a MSC_PCRE_LIMITS_EXCEEDED error.

Server (please complete the following information):

• ModSecurity version (and connector): ModSecurity v3.0.12 with nginx-connector v1.0.3
• WebServer: nginx-1.24.0
• OS (and distro): Amazon Linux 2

Rule Set (please complete the following information):

• Running any public or commercial rule set? CRS
• What is the version number? 4.1.0

[airween]

Hi @ssigwart,

thanks for reporting, I will take a look at this issue soon.

[airween]

Hi @ssigwart,

meanwhile I faced this problem somewhere else, now I can confirm this is a bug. Thanks for reporting.

[ssigwart]

Great. Thanks, @airween.

[airween]

Hi @ssigwart,

first of all, sorry for the long delay.

I checked this issue again and tried to figure out what would be the solution. I agree with your suggestion:

Expected behavior

I would expect !@rx to not trigger a rule if there's a MSC_PCRE_LIMITS_EXCEEDED error.

I took a look at @rx's behavior, and I think we don't need to care about "other direction" - I mean if a rule uses @rx PATTERN syntax and the MSC_PCRE_LIMITS_EXCEEDED is set then the rule won't trigger.

Here is the condition table:

Operator syntax	Operator evaluation result	MSC_PCRE_LIMITS_EXCEEDED is set	Rule result
!@rx PATTERN	false	no matter	not triggered
!@rx PATTERN	true	no	triggered
!@rx PATTERN	true	yes	not triggered

The last row is a new condition. We should implement this in both engines (mod_security2 and libmodsecurity3), but in first step only at the @rx operator (I mean this modification won't affect the other regex's behavior, eg. targets like ARGS:/^foo.*$/).

What do you think about this solution?

Please note this solution @marcstern, @dune73, @fzipi, @theseion.

Also note to @jptosso, @M4tteoP, @jcchavezs - for Coraza compatibility.

[ssigwart]

Hi @airween, I agree that the !@rx condition when MSC_PCRE_LIMITS_EXCEEDED happens is the only one that needs to be updated to not trigger the rule. Thanks!

[fzipi]

Sound good. This condition is specific to modsecurity, as Coraza does not not use pcre2 engine.