Skip to content

Update SQLi/XSS operators for libinjection v4.0.0 cleaned#3528

Open
Easton97-Jens wants to merge 26 commits intoowasp-modsecurity:v3/masterfrom
Easton97-Jens:v3/master-libinjection-v4.0-final
Open

Update SQLi/XSS operators for libinjection v4.0.0 cleaned#3528
Easton97-Jens wants to merge 26 commits intoowasp-modsecurity:v3/masterfrom
Easton97-Jens:v3/master-libinjection-v4.0-final

Conversation

@Easton97-Jens
Copy link
Copy Markdown
Contributor

@Easton97-Jens Easton97-Jens commented Mar 29, 2026

what

  • Updated the SQLi and XSS detection operators to support the newer libinjection return codes (injection_result_t).
  • Added explicit handling for TRUE, FALSE, and ERROR results from libinjection_sqli and libinjection_xss.
  • Treated LIBINJECTION_RESULT_ERROR as a fail-safe match to avoid missing potentially malicious input.
  • Preserved diagnostic context by storing raw input in TX.0 when capture is enabled, even on parser errors.
  • Maintained previous behavior for positive detections (fingerprints for SQLi, input storage for XSS).
  • Added regression tests for benign inputs to ensure no false positives are introduced.

why

  • Newer versions of libinjection introduced injection_result_t, requiring explicit handling in ModSecurity operators.
  • Without this update, parser errors could be handled inconsistently and weaken fail-safe detection behavior.
  • Treating parser errors as matches ensures conservative and security-focused handling when input cannot be reliably parsed.
  • Preserving captured input during error cases improves debugging and visibility for rule authors.
  • Regression tests ensure the updated logic does not introduce false positives for safe inputs.

references

  • Related to adapting ModSecurity to newer libinjection APIs.
  • Adds regression coverage for parser error handling and safe input validation.

@airween airween requested a review from Copilot March 30, 2026 06:59
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates ModSecurity’s @detectSQLi / @detectXSS operators to support libinjection v4’s injection_result_t return codes, including explicit fail-safe handling for parser errors, and expands regression coverage around detection/false-positive behavior.

Changes:

  • Add shared helpers for interpreting libinjection TRUE/FALSE/ERROR results.
  • Update DetectSQLi / DetectXSS to treat LIBINJECTION_RESULT_ERROR as a match and preserve capture behavior.
  • Expand regression test cases for multiple XSS/SQLi payloads and benign inputs.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 10 comments.

Show a summary per file
File Description
src/operators/libinjection_utils.h Adds shared helpers to map libinjection results to match/no-match semantics and diagnostic strings.
src/operators/detect_xss.cc Switches XSS operator logic to injection_result_t and adds explicit handling for TRUE/FALSE/ERROR.
src/operators/detect_sqli.cc Switches SQLi operator logic to injection_result_t, modernizes fingerprint storage, and handles TRUE/FALSE/ERROR.
test/test-cases/regression/operator-detectxss.json Adds multiple positive and negative XSS regression cases.
test/test-cases/regression/operator-detectsqli.json Adds multiple positive and negative SQLi regression cases (including fingerprint expectations).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

jens and others added 3 commits March 30, 2026 10:10
@Easton97-Jens Easton97-Jens requested a review from airween March 30, 2026 15:24
@airween airween requested a review from Copilot April 1, 2026 12:23
Copilot AI reviewed Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@airween airween requested a review from Copilot April 1, 2026 20:02
Copilot AI reviewed Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 6 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@airween
Copy link
Copy Markdown
Member

airween commented Apr 3, 2026

Hi @Easton97-Jens,

thanks for this PR - tests were failed (eg this), I'll check this merge request if all tests will be passed.

@airween airween requested a review from Copilot April 3, 2026 12:30
Copilot AI reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

This was referenced Apr 3, 2026
Open
Open
@Easton97-Jens Easton97-Jens force-pushed the v3/master-libinjection-v4.0-final branch from 9493ea3 to 7c104e4 Compare April 5, 2026 16:55
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Apr 5, 2026

Quality Gate Passed Quality Gate passed

Issues
4 New issues
6 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@airween airween Awaiting requested review from airween

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Easton97-Jens @airween