Skip to content

fix(953100): remove generic SQLSTATE error codes causing false positives #4257

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Sep 8, 2025
Merged

fix(953100): remove generic SQLSTATE error codes causing false positives #4257

merged 6 commits into from
Sep 8, 2025

Conversation

@Elnadrion
Copy link
Contributor

@Elnadrion Elnadrion commented Sep 4, 2025

This patch refines rule 953100 (PHP leakage) by removing overly broad markers (HY000, HY093, HY105, IM001) from php-errors.data and replacing them with context-aware signatures:

  • SQLSTATE[HY000], (HY000/
  • SQLSTATE[HY093]
  • SQLSTATE[HY105]
  • SQLSTATE[IM001]

These patterns align with real PDO/ODBC error messages while eliminating false positives caused by random substrings in response bodies (e.g. I had tokens like hazhhy0004,sim001a). This improves detection accuracy without weakening coverage of genuine leakage events.

@github-actions
Copy link
Contributor

github-actions bot commented Sep 4, 2025
edited
Loading

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@fzipi
Copy link
Member

fzipi commented Sep 4, 2025

Hi @Elnadrion! Thanks for your contribution!

@fzipi
Copy link
Member

fzipi commented Sep 4, 2025

Question: wouldn't this be caught by

coreruleset/rules/sql-errors.data

Line 81 in 2bd0e9a

SQLSTATE[
instead?

@Elnadrion
Copy link
Contributor Author

Elnadrion commented Sep 4, 2025

Question: wouldn't this be caught by

coreruleset/rules/sql-errors.data

Line 81 in 2bd0e9a

SQLSTATE[

instead?

Sure, I think it would. Should I remove my SQLSTATE rows then, or just replace them with SQLSTATE[? Or is it enough to just have them in sql-errors.data?

@Elnadrion
Copy link
Contributor Author

Elnadrion commented Sep 4, 2025

Alrighty, I simplified the pattern and removed unnecessary tests 👍

@fzipi
Copy link
Member

fzipi commented Sep 4, 2025

Thanks for taking a second look. One of the things that I'm not 100% sure is the utility of those errors in the PHP leakage 🤔

This is a file that I've created automatically from the PHP source code, and tried to remove nonsense from it.

See https://github.com/coreruleset/coreruleset/blob/main/rules/php-errors.data#L1-L30. I'm maybe more inclined to do

coreruleset/rules/php-errors.data

Line 30 in 2bd0e9a

# Anything that is too short, or nonsense, we remove.
😄 . The SQLSTATE would be covered by 951100 rule.

What do you think?

@Elnadrion
Copy link
Contributor Author

Elnadrion commented Sep 4, 2025

Yeah, why not, also totally fine for me.
Anything, just to get rid of this nasty false positive 😄

@Elnadrion Elnadrion changed the title fix(953100): tighten SQLSTATE matching to avoid substring false positives fix(953100): remove generic SQLSTATE error codes causing false positives Sep 5, 2025
fzipi
fzipi approved these changes Sep 5, 2025
View reviewed changes
Copy link
Member

@fzipi fzipi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks for taking a look!

@fzipi fzipi added this pull request to the merge queue Sep 8, 2025
Merged via the queue into coreruleset:main with commit 6a6e3cd Sep 8, 2025
7 checks passed
@fzipi fzipi mentioned this pull request Oct 2, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fzipi fzipi fzipi approved these changes

Assignees

No one assigned

Labels

release:fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Elnadrion @fzipi