SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page: https://modsecurity.org/crs


Monthly Chat Agenda March (2020-03-02)

dune73 opened this issue · comments

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, March 2, at 20:30 CET.

Items on the Agenda:


In light of the planned migration of our github, cleaning out the open PRs would be welcome.

  • #1310 - Checking for presence of CT in combo with LE, Travis fails on 942350-2
  • #1616 - Revert of an older PR - waiting for an update to the commit msg and now we have conflicts
  • #1690 - Coverage of more exotic CT headers - PR needs work and contributor probably grew tired
  • #1695 - Ignore CT header for HTTP/2
  • #1707 - New LDAP injection rule 921200 (fix for #276)

PRs on hold

  • #1602 - PR against 932200 bypass - this has been in DRAFT for 4+ months
  • #1663 - on hold - @dune73 tries to get this tested with CDN support
  • #1667 - on hold - Remove /util/docker folder
  • #1674 - on hold - @dune73 tries to get this tested with CDN support

Other items

  • GitHub migration scheduled for March 18 (unconfirmed). Migration team: @dune73, @lifeforms and @fzipi.
  • travis-ci status: We are still only working on a workaround. Yet @fzipi has been working on a replacement of our Travis integration with github actions. Status update?
  • Drop support for python 2 in FTW
  • General problem with newly discovered DoS issues in our rules

Feel free to add items as you see fit either above, or below as comments.

Open Issues

In January 2020, we decided to look into 10 issues at the chat every month. But only after the Other items. Pick the issues before the meeting and list them below.

  • Issue slot 1: #998 - Reflection on reverting a change around the topic of @pmf
  • Issue slot 2: #1609, FP on 921130 (@franbuehler will look into this)
  • Issue slot 3: #1615, FP on 921120 (@franbuehler will look into this)
  • Issue slot 4: #610 - consistent support for "severity" action
  • Issue slot 5: #650 - consistent support for "ver" action
  • Issue slot 6: #794 - FP on 942100
  • Issue slot 7: #820 - FP on 941100
  • Issue slot 8: #823 - FP on 942120
  • Issue slot 9: #833 - FP on 942450
  • Issue slot 10: #1645 - FP on 941310

If you are not yet on the OWASP Slack, here is your invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM
Everybody is welcome to join our community chat.



PRs on hold

Other issues

  • @lifeforms is going to be release manager for 3.3.
  • Github migration is scheduled for March 18, confirmation with Trustwave pending. Migration team is @dune73, @lifeforms and @fzipi. The idea is to move our github to github.com/coreruleset and to let crs-support die.
  • FTW + Python 2: @fgsch is very close to a PR that moves FTW to Python 3. We will keep Python 2 for the upcoming CRS 3.3 release intact, but will drop it afterwards.
  • There are more ReDoS issues with some of our rules around. @airween has been trying to sort this out for some time. After the meeting, @allanrbo spoke up and immediately submitted some ideas in a PR at #1708.
