Skip to content

fix: remove self command #4111

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
May 7, 2025
Merged

fix: remove self command #4111

merged 4 commits into from
May 7, 2025

Conversation

@EsadCetiner
Copy link
Member

@EsadCetiner EsadCetiner commented May 1, 2025

There is a non-existent command that is being blocked by the Unix rules causing false positives in #4110. I can't find any indication that this command exists anywhere.

closes #4110

@github-actions
Copy link
Contributor

github-actions bot commented May 1, 2025
edited
Loading

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@theseion
Copy link
Contributor

theseion commented May 2, 2025

self appears to be a command from Tcl: https://wiki.tcl-lang.org/page/self+-+TclOO. This might not seem like something we should care about, however, there are a number of Tcl interpreters, one of which is "Cisco IOS": https://wiki.tcl-lang.org/page/What+is+Tcl. There's probably a reason for self being in that list.

That being said, it's probably still an edge case that we could drop. I'll put this on the agenda to discuss.

@fzipi fzipi mentioned this pull request May 5, 2025
Closed
@franbuehler
Copy link
Contributor

franbuehler commented May 5, 2025
edited
Loading

In the monthly chat meeting from May 5th, we decided to drop the command self.
#4116

franbuehler
franbuehler previously approved these changes May 5, 2025
View reviewed changes
Copy link
Contributor

@franbuehler franbuehler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@RedXanadu
Copy link
Member

RedXanadu commented May 5, 2025
edited
Loading

Doing some digging, it looks like the pattern for self only appeared in 2023 (added to regex-assembly/include/unix-shell-4andup-with-params.ra when we moved to script-based processing to generate that list, it seems).

I think self ever being added may have been a simple mistake.

Maybe it came from proc/self which is an entry in rules/unix-shell.data which is used as the source to crate the unix-4-and-up pattern file.

89c1b5812

@theseion
Copy link
Contributor

theseion commented May 6, 2025

Ah yes! /proc/self makes sense. Thanks @RedXanadu.

@EsadCetiner EsadCetiner changed the title fix: remove non-existant self command fix: remove self command May 6, 2025
@EsadCetiner EsadCetiner requested a review from franbuehler May 6, 2025 06:11
@EsadCetiner EsadCetiner added this pull request to the merge queue May 7, 2025
Merged via the queue into coreruleset:main with commit b3f9f9e May 7, 2025
6 checks passed
@EsadCetiner EsadCetiner deleted the fix-remove-self-command branch May 7, 2025 04:17
@RedXanadu RedXanadu mentioned this pull request Aug 18, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@theseion theseion theseion approved these changes

@franbuehler franbuehler Awaiting requested review from franbuehler

Assignees

No one assigned

Labels

release:fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

false positive: REQUEST-932-APPLICATION-ATTACK-RCE.conf

4 participants

@EsadCetiner @theseion @franbuehler @RedXanadu