@Xhoenix Xhoenix commented Apr 8, 2025

Fixes: #4074

github-actions bot commented Apr 8, 2025

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@fzipi fzipi added the release:new-detection label (In this PR we introduce a new detection) Apr 8, 2025
@Xhoenix Xhoenix requested a review from dune73 April 9, 2025 05:30
Xhoenix added 2 commits April 9, 2025 08:07
ERB Template engine syntax and slim interpolation
@Xhoenix Xhoenix changed the title from "feat: detect ruby errors" to "feat: added detection for ruby errors and code leakage" Apr 9, 2025
Xhoenix commented Apr 9, 2025

I have the following additional rule, similar to rule 953110, but it looks like it is going to be VERY prone to false positives. Any suggestions are welcome.

#
# -=[ Ruby source code leakage ]=-
#
# Detect some common Ruby keywords in output.
#
SecRule RESPONSE_BODY "@rx (?:\b(?:def|class|module|end|if|else|elsif|unless|while|until|for|do|begin|rescue|ensure|case|when|then|yield|return|super|self|nil|true|false|and|or|not|attr_accessor|attr_reader|attr_writer|alias|break|next|redo|retry|require|include|extend|private|protected|public|__FILE__|__LINE__|BEGIN|END)\b)" \
    "id:956120,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'Ruby source code leakage',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-ruby',\
    tag:'platform-multi',\
    tag:'attack-disclosure',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/DATA-LEAKAGES-RUBY',\
    tag:'capec/1000/118/116',\
    tag:'PCI/6.5.6',\
    ver:'OWASP_CRS/4.14.0-dev',\
    severity:'ERROR',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
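
To put a number on the false-positive concern raised in the comment above, this added example (not part of the PR or of CRS) runs the keyword alternation from the proposed rule 956120 over constructed response bodies. It compares the result with `STRUCT_RX`, a hypothetical structural pattern introduced here purely as an assumption for illustration.

```python
import re

# Keyword alternation copied from the proposed rule 956120 in the comment above.
KEYWORDS = (
    "def|class|module|end|if|else|elsif|unless|while|until|for|do|begin|rescue|"
    "ensure|case|when|then|yield|return|super|self|nil|true|false|and|or|not|"
    "attr_accessor|attr_reader|attr_writer|alias|break|next|redo|retry|require|"
    "include|extend|private|protected|public|__FILE__|__LINE__|BEGIN|END"
)
KEYWORD_RX = re.compile(r"\b(?:" + KEYWORDS + r")\b")

# Hypothetical narrower heuristic (an assumption, not a CRS rule): a line that
# opens a method definition, followed later by a line containing only `end`.
STRUCT_RX = re.compile(
    r"^[ \t]*def[ \t]+(?:self\.)?[a-z_]\w*[?!=]?[ \t]*(?:\(.*\))?[ \t]*$"
    r"[\s\S]*?^[ \t]*end[ \t]*$",
    re.MULTILINE,
)

# Constructed sample response bodies (not real traffic).
SAMPLES = {
    "benign_html": "<p>Sign in for free shipping, or return items "
                   "when you do not like them.</p>",
    "benign_json": '{"active": true, "next": null, "class": "gold"}',
    "ruby_source": "class User\n  def admin?\n    role == :admin\n  end\nend\n",
    "plain_number": "<td>42</td>",
}


def evaluate(body):
    """Return (keyword_hits, keyword_rule_fires, structural_rule_fires)."""
    hits = KEYWORD_RX.findall(body)
    return hits, bool(hits), bool(STRUCT_RX.search(body))


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        hits, kw, struct = evaluate(body)
        print(f"{name:13} keyword_rule={kw!s:5} structural={struct!s:5} hits={hits}")
```

Ordinary English prose and JSON both trigger the keyword-only pattern, while the structural pattern fires only on the Ruby sample.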

@Xhoenix Xhoenix requested a review from theseion April 9, 2025 10:07
@github-actions github-actions bot added the Stale label May 10, 2025
@Xhoenix Xhoenix removed the Stale label May 15, 2025
@Xhoenix Xhoenix requested a review from a team May 15, 2025 07:14
Xhoenix commented May 23, 2025

Ping!

Xhoenix commented Jun 14, 2025

Pong!


@Xhoenix Xhoenix requested review from fzipi and theseion July 5, 2025 04:18
Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com>
Xhoenix and others added 2 commits July 5, 2025 18:54
Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com>
Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com>
theseion previously approved these changes Jul 21, 2025
theseion previously approved these changes Jul 21, 2025
Xhoenix commented Jul 21, 2025

The new tag is causing a linter error, even though it is already added to APPROVED_TAGS.

@Xhoenix Xhoenix requested a review from theseion July 21, 2025 05:44
airween commented Jul 21, 2025

> The new tag is causing a linter error, even though it is already added to APPROVED_TAGS.

Let me check that soon.

@theseion

The issue is the PCI tags, not the language tag.

@theseion theseion added this pull request to the merge queue Jul 22, 2025
Merged via the queue into coreruleset:main with commit b3722fc Jul 22, 2025
7 checks passed

Development

Successfully merging this pull request may close these issues.

Create ruby-errors.data
