Skip to content

fix(lexer): rejection of '@' in ctl:ruleRemoveTarget actions (#3565)#3589

Merged
airween merged 13 commits into
owasp-modsecurity:v3/masterfrom
airween:Jitterx69/fix/issue-3565-ctl-removerule-xpath
Jun 28, 2026
Merged

fix(lexer): rejection of '@' in ctl:ruleRemoveTarget actions (#3565)#3589
airween merged 13 commits into
owasp-modsecurity:v3/masterfrom
airween:Jitterx69/fix/issue-3565-ctl-removerule-xpath

Conversation

@airween

@airween airween commented Jun 28, 2026

Copy link
Copy Markdown
Member

what

This is the modified version of #3566.

why

There I asked the author to add tests the excellent parser error checking in the code. I also asked him to fix Copilot suggestions.

This PR based on his one, but added these changes. I kept him commits.

references

#3566 is the original PR.

@airween airween requested review from Copilot and fzipi June 28, 2026 13:29
@airween airween added the 3.x Related to ModSecurity version 3.x label Jun 28, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request fixes SecLang lexing/parsing for ctl:ruleRemove* actions so targets containing XPath-relevant characters (notably @) are accepted, and expands regression coverage to validate both the corrected behavior and improved parser error reporting.

Changes:

  • Expands the Flex REMOVE_RULE_BY macro to allow @, =, (, ), and ' in ctl:ruleRemove* action payloads.
  • Makes ctl action initializers parse payloads by locating = instead of using hardcoded offsets, improving robustness and error messages.
  • Adds regression tests for both valid cases (special characters in variable targets) and invalid syntax cases (ensuring parser errors are correctly reported).

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
test/test-cases/regression/action-ctl_rule_remove_target_by_tag.json Adds regression cases for syntax validation and for @, =, (, ), ' in ruleRemoveTargetByTag targets.
test/test-cases/regression/action-ctl_rule_remove_target_by_id.json Adds regression cases for syntax validation and for @, =, (, ), ' in ruleRemoveTargetById targets.
test/test-cases/regression/action-ctl_rule_remove_by_tag.json Adds a regression case ensuring malformed ctl:ruleRemoveByTag syntax is rejected with the expected parser error.
test/test-cases/regression/action-ctl_rule_remove_by_id.json Adds a regression case ensuring malformed ctl:ruleRemoveById syntax is rejected with the expected parser error.
src/parser/seclang-scanner.ll Updates the lexer character class used for ctl:ruleRemove* tokens so @ and related XPath characters are accepted.
src/actions/ctl/rule_remove_target_by_tag.cc Switches payload parsing to split on = and improves invalid TAG;VARIABLE error formatting.
src/actions/ctl/rule_remove_target_by_id.cc Switches payload parsing to split on = and improves invalid ID;VARIABLE error formatting.
src/actions/ctl/rule_remove_by_tag.cc Switches payload parsing to split on = and adds a defensive error for missing =.
src/actions/ctl/rule_remove_by_id.cc Switches payload parsing to split on = and adds a defensive error for missing =.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread test/test-cases/regression/action-ctl_rule_remove_by_id.json Outdated
airween and others added 3 commits June 28, 2026 15:34
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@fzipi fzipi changed the title Fix lexer rejection of '@' in ctl:ruleRemoveTarget actions (#3565) fix(lexer): rejection of '@' in ctl:ruleRemoveTarget actions (#3565) Jun 28, 2026

@fzipi fzipi left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@airween airween merged commit 1c38a61 into owasp-modsecurity:v3/master Jun 28, 2026
98 checks passed
@sonarqubecloud

Copy link
Copy Markdown

EsadCetiner pushed a commit to EsadCetiner/coreruleset that referenced this pull request Jul 3, 2026
…coreruleset#4690)

main ships XML attribute inspection (XML://@*) unconditionally, with no
ctl:ruleRemoveTargetByTag/ById opt-out gate and no '@' character in any
ctl:ruleRemoveTarget* target anywhere in the ruleset. The libmodsecurity
3.0.16 requirement from owasp-modsecurity/ModSecurity#3589 (lexer
rejecting '@' in ctl:ruleRemoveTarget* actions) only applies to the LTS
branches, which implement this feature behind a runtime opt-in/opt-out
gate using that exact ctl syntax. main has no such gate, so the note
doesn't reflect what actually shipped.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

3.x Related to ModSecurity version 3.x

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants