LaurenceJJones
Contributor

  • Auto-optimize rules to phase 1 when possible (headers, method, URI, GET args)
  • Maintain phase 2 for body-dependent zones (POST args, files, raw body)
  • Enforce same-phase constraint for chained (AND) rules
  • Allow independent phase optimization for OR rules
  • Replace string maps with typed Zone struct for better maintainability
  • Add comprehensive tests for mixed-phase scenarios

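The phase selection described in the list above, sketched in Go as an added example; it is not code from this PR or from CrowdSec. The `Zone` and `Rule` types, the zone names and the function names are hypothetical, and an AND chain is assumed to be a flat list of leaf rules.

```go
package main

import "fmt"

// Zone is a typed request zone (names are hypothetical, modelled on the PR text).
type Zone struct {
	Name      string
	NeedsBody bool // true when the zone exists only after the body is read
}

var (
	Headers, Method, URI, GetArgs = Zone{"HEADERS", false}, Zone{"METHOD", false}, Zone{"URI", false}, Zone{"GET_ARGS", false}
	PostArgs, Files, RawBody      = Zone{"POST_ARGS", true}, Zone{"FILES", true}, Zone{"RAW_BODY", true}
)

// Rule is a leaf with optional AND-chained leaves, or a group of OR branches.
type Rule struct {
	Name    string
	Zones   []Zone
	And, Or []Rule
}

// chainPhase returns the single phase shared by a rule and its AND chain.
func chainPhase(r Rule) int {
	for _, m := range append([]Rule{r}, r.And...) {
		for _, z := range m.Zones {
			if z.NeedsBody {
				return 2 // one body zone pulls the whole chain to phase 2
			}
		}
	}
	return 1
}

// AssignPhases gives every OR branch its own phase and every chain one phase.
func AssignPhases(r Rule, out map[string]int) map[string]int {
	if len(r.Or) == 0 {
		out[r.Name] = chainPhase(r)
	}
	for _, branch := range r.Or {
		AssignPhases(branch, out)
	}
	return out
}

func main() { // constructed sample rule: two OR branches, one of them an AND chain
	chain := Rule{Name: "uri+post", Zones: []Zone{URI}, And: []Rule{{Zones: []Zone{PostArgs}}}}
	fmt.Println(AssignPhases(Rule{Or: []Rule{{Name: "hdr", Zones: []Zone{Headers}}, chain}}, map[string]int{}))
}
```

The header-only OR branch stays in phase 1 even though its sibling needs the body, while the URI condition in the chain is held back to phase 2 so that both chained conditions are evaluated together.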

@LaurenceJJones: There is no 'kind' label on this PR. You need a 'kind' label to generate the release automatically.

  • /kind feature
  • /kind enhancement
  • /kind refactoring
  • /kind fix
  • /kind chore
  • /kind dependencies
I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@LaurenceJJones: There are no area labels on this PR. You can add as many areas as you see fit.

  • /area agent
  • /area local-api
  • /area cscli
  • /area appsec
  • /area security
  • /area configuration
@LaurenceJJones
Contributor Author

/kind feature
/area appsec

codecov bot commented Sep 10, 2025

Codecov Report

❌ Patch coverage is 75.00000% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 61.67%. Comparing base (0b9a68d) to head (be45c60).
⚠️ Report is 2 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/appsec/appsec_rule/modsecurity.go | 75.00% | 11 Missing and 3 partials ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3878      +/-   ##
==========================================
- Coverage   61.67%   61.67%   -0.01%     
==========================================
  Files         406      406              
  Lines       41839    41889      +50     
==========================================
+ Hits        25806    25833      +27     
- Misses      13914    13930      +16     
- Partials     2119     2126       +7     

| Flag | Coverage Δ |
|---|---|
| bats | 45.69% <69.64%> (+0.02%) ⬆️ |
| unit-linux | 34.70% <75.00%> (+0.06%) ⬆️ |
| unit-windows | 24.60% <75.00%> (+0.05%) ⬆️ |

LaurenceJJones commented Sep 10, 2025

Manually ran the hub tests; results below. 100% coverage, which makes sense, since changing phases should not impact the effectiveness of the rules.

───────────────────────────────────────────────────────
 Test                               Result  Assertions
───────────────────────────────────────────────────────
 CVE-2023-34362                     ✅      0
 CVE-2023-3519                      ✅      0
 vpatch-CVE-2020-5902               ✅      0
 vpatch-CVE-2025-29306              ✅      0
 CVE-2020-11738                     ✅      0
 CVE-2023-28121                     ✅      0
 CVE-2023-6623                      ✅      0
 vpatch-CVE-2024-23897              ✅      0
 vpatch-CVE-2024-57727              ✅      0
 vpatch-CVE-2025-31161              ✅      0
 vpatch-CVE-2025-47812              ✅      0
 CVE-2021-3129                      ✅      0
 CVE-2022-22954                     ✅      0
 vpatch-CVE-2023-23488              ✅      0
 vpatch-laravel-debug-mode          ✅      0
 CVE-2021-22941                     ✅      0
 vpatch-CVE-2024-27956              ✅      0
 vpatch-git-config                  ✅      0
 CVE-2022-46169                     ✅      0
 CVE-2023-6360                      ✅      0
 vpatch-CVE-2021-26086              ✅      0
 vpatch-CVE-2024-8190               ✅      0
 vpatch-CVE-2025-52488              ✅      0
 CVE-2017-9841                      ✅      0
 CVE-2022-27926                     ✅      0
 CVE-2023-0600                      ✅      0
 CVE-2023-6567                      ✅      0
 CVE-2024-1212                      ✅      0
 CVE-2023-20198                     ✅      0
 CVE-2023-22527                     ✅      0
 vpatch-CVE-2024-29824              ✅      0
 vpatch-CVE-2024-51567              ✅      0
 vpatch-CVE-2024-6205               ✅      0
 vpatch-CVE-2024-9474               ✅      0
 CVE-2023-24489                     ✅      0
 generic-freemarker-ssti-args       ✅      0
 vpatch-CVE-2018-20062              ✅      0
 vpatch-CVE-2020-9054               ✅      0
 vpatch-CVE-2024-32113              ✅      0
 CVE-2020-17496                     ✅      0
 vpatch-CVE-2002-1131               ✅      0
 vpatch-CVE-2023-47218              ✅      0
 vpatch-CVE-2024-4577               ✅      0
 vpatch-CVE-2024-52301              ✅      0
 CVE-2023-2009                      ✅      0
 vpatch-CVE-2019-1003030            ✅      0
 vpatch-CVE-2024-27954              ✅      0
 vpatch-CVE-2024-41713              ✅      0
 vpatch-CVE-2025-24893              ✅      0
 cve-2023-42793                     ✅      0
 vpatch-CVE-2019-5418               ✅      0
 vpatch-CVE-2021-26294              ✅      0
 vpatch-CVE-2022-25488              ✅      0
 vpatch-CVE-2022-41082              ✅      0
 vpatch-CVE-2024-27564              ✅      0
 CVE-2023-23752                     ✅      0
 generic-wordpress-uploads-listing  ✅      0
 vpatch-CVE-2018-13379              ✅      0
 CVE-2022-44877                     ✅      0
 CVE-2023-6553                      ✅      0
 appsec-generic-test                ✅      0
 vpatch-CVE-2019-18935              ✅      0
 vpatch-CVE-2025-25257              ✅      0
 vpatch-CVE-2022-26134              ✅      0
 vpatch-CVE-2024-51378              ✅      0
 CVE-2024-1061                      ✅      0
 vpatch-CVE-2024-27348              ✅      0
 CVE-2023-22515                     ✅      0
 CVE-2023-38205                     ✅      0
 CVE-2024-1071                      ✅      0
 vpatch-CVE-2022-1388               ✅      0
 CVE-2023-4634                      ✅      0
 CVE-2023-49070                     ✅      0
 vpatch-CVE-2024-27292              ✅      0
 vpatch-CVE-2025-49132              ✅      0
 CVE-2022-22965                     ✅      0
 generic-freemarker-ssti-body       ✅      0
 CVE-2023-35078                     ✅      0
 vpatch-CVE-2024-32870              ✅      0
 vpatch-CVE-2024-38816              ✅      0
 CVE-2023-46805                     ✅      0
 CVE-2023-50164                     ✅      0
 CVE-2024-22024                     ✅      0
 vpatch-CVE-2024-7593               ✅      0
 vpatch-CVE-2025-49113              ✅      0
 CVE-2019-12989                     ✅      0
 CVE-2023-23489                     ✅      0
 generic-wordpress-uploads-php      ✅      0
 vpatch-CVE-2021-43798              ✅      0
 vpatch-CVE-2021-44529              ✅      0
 vpatch-CVE-2024-28987              ✅      0
 connectwise-auth-bypass            ✅      0
 vpatch-CVE-2024-9465               ✅      0
 CVE-2023-35082                     ✅      0
 vpatch-CVE-2024-51977              ✅      0
 vpatch-CVE-2025-3248               ✅      0
 CVE-2024-29849                     ✅      0
 CVE-2023-33617                     ✅      0
 CVE-2022-35914                     ✅      0
 CVE-2023-7028                      ✅      0
 vpatch-CVE-2022-31499              ✅      0
 vpatch-CVE-2024-29973              ✅      0
 vpatch-CVE-2025-31324              ✅      0
 CVE-2018-10562                     ✅      0
 vpatch-CVE-2024-38856              ✅      0
 vpatch-CVE-2025-28367              ✅      0
 CVE-2023-1389                      ✅      0
 vpatch-CVE-2023-0297               ✅      0
 vpatch-CVE-2024-27198              ✅      0
 CVE-2023-0900                      ✅      0
 CVE-2024-3273                      ✅      0
 symfony_profiler                   ✅      0
 vpatch-CVE-2007-0885               ✅      0
 vpatch-CVE-2024-28255              ✅      0
 vpatch-CVE-2024-3272               ✅      0
 vpatch-CVE-2024-8963               ✅      0
 vpatch-env-access                  ✅      0
 vpatch-CVE-2024-0012               ✅      0
 vpatch-CVE-2024-34102              ✅      0
 vpatch-CVE-2025-29927              ✅      0
───────────────────────────────────────────────────────

phase 2 rules:

crowdsecurity/generic-freemarker-ssti
crowdsecurity/vpatch-CVE-2018-10562
crowdsecurity/vpatch-CVE-2019-12989
crowdsecurity/vpatch-CVE-2020-17496
crowdsecurity/vpatch-CVE-2021-3129
crowdsecurity/vpatch-CVE-2022-22965
crowdsecurity/vpatch-CVE-2023-0297
crowdsecurity/vpatch-CVE-2023-1389
crowdsecurity/vpatch-CVE-2023-22527
crowdsecurity/vpatch-CVE-2023-24489
crowdsecurity/vpatch-CVE-2023-33617
crowdsecurity/vpatch-CVE-2023-40044
crowdsecurity/vpatch-CVE-2023-50164
crowdsecurity/vpatch-CVE-2023-7028
crowdsecurity/vpatch-CVE-2024-22024
crowdsecurity/vpatch-CVE-2024-23897
crowdsecurity/vpatch-CVE-2024-27348
crowdsecurity/vpatch-CVE-2024-27956
crowdsecurity/vpatch-CVE-2024-29824
crowdsecurity/vpatch-CVE-2024-29849
crowdsecurity/vpatch-CVE-2024-29973
crowdsecurity/vpatch-CVE-2024-34102
crowdsecurity/vpatch-CVE-2024-38856
crowdsecurity/vpatch-CVE-2024-51378
crowdsecurity/vpatch-CVE-2024-51567
crowdsecurity/vpatch-CVE-2024-7593
crowdsecurity/vpatch-CVE-2024-8190
crowdsecurity/vpatch-CVE-2024-9465
crowdsecurity/vpatch-CVE-2024-9474
crowdsecurity/vpatch-CVE-2025-31324
crowdsecurity/vpatch-CVE-2025-3248
crowdsecurity/vpatch-CVE-2025-47812
crowdsecurity/vpatch-CVE-2025-52488
crowdsecurity/vpatch-laravel-debug-mode

phase 1 rules:

crowdsecurity/appsec-generic-test
crowdsecurity/base-config
crowdsecurity/experimental-no-user-agent
crowdsecurity/generic-wordpress-uploads-listing
crowdsecurity/generic-wordpress-uploads-php
crowdsecurity/vpatch-connectwise-auth-bypass
crowdsecurity/vpatch-CVE-2002-1131
crowdsecurity/vpatch-CVE-2007-0885
crowdsecurity/vpatch-CVE-2017-9841
crowdsecurity/vpatch-CVE-2018-1000861
crowdsecurity/vpatch-CVE-2018-13379
crowdsecurity/vpatch-CVE-2018-20062
crowdsecurity/vpatch-CVE-2019-1003030
crowdsecurity/vpatch-CVE-2019-18935
crowdsecurity/vpatch-CVE-2019-5418
crowdsecurity/vpatch-CVE-2020-11738
crowdsecurity/vpatch-CVE-2020-5902
crowdsecurity/vpatch-CVE-2020-9054
crowdsecurity/vpatch-CVE-2021-22941
crowdsecurity/vpatch-CVE-2021-26086
crowdsecurity/vpatch-CVE-2021-26294
crowdsecurity/vpatch-CVE-2021-43798
crowdsecurity/vpatch-CVE-2021-44529
crowdsecurity/vpatch-CVE-2022-1388
crowdsecurity/vpatch-CVE-2022-22954
crowdsecurity/vpatch-CVE-2022-25488
crowdsecurity/vpatch-CVE-2022-26134
crowdsecurity/vpatch-CVE-2022-27926
crowdsecurity/vpatch-CVE-2022-31499
crowdsecurity/vpatch-CVE-2022-35914
crowdsecurity/vpatch-CVE-2022-41082
crowdsecurity/vpatch-CVE-2022-44877
crowdsecurity/vpatch-CVE-2022-46169
crowdsecurity/vpatch-CVE-2023-20198
crowdsecurity/vpatch-CVE-2023-22515
crowdsecurity/vpatch-CVE-2023-23752
crowdsecurity/vpatch-CVE-2023-28121
crowdsecurity/vpatch-CVE-2023-34362
crowdsecurity/vpatch-CVE-2023-35078
crowdsecurity/vpatch-CVE-2023-35082
crowdsecurity/vpatch-CVE-2023-3519
crowdsecurity/vpatch-CVE-2023-38205
crowdsecurity/vpatch-CVE-2023-42793
crowdsecurity/vpatch-CVE-2023-46805
crowdsecurity/vpatch-CVE-2023-47218
crowdsecurity/vpatch-CVE-2023-49070
crowdsecurity/vpatch-CVE-2023-6553
crowdsecurity/vpatch-CVE-2024-0012
crowdsecurity/vpatch-CVE-2024-1212
crowdsecurity/vpatch-CVE-2024-27198
crowdsecurity/vpatch-CVE-2024-27292
crowdsecurity/vpatch-CVE-2024-27564
crowdsecurity/vpatch-CVE-2024-27954
crowdsecurity/vpatch-CVE-2024-28255
crowdsecurity/vpatch-CVE-2024-28987
crowdsecurity/vpatch-CVE-2024-32113
crowdsecurity/vpatch-CVE-2024-3272
crowdsecurity/vpatch-CVE-2024-3273
crowdsecurity/vpatch-CVE-2024-32870
crowdsecurity/vpatch-CVE-2024-38816
crowdsecurity/vpatch-CVE-2024-41713
crowdsecurity/vpatch-CVE-2024-4577
crowdsecurity/vpatch-CVE-2024-51977
crowdsecurity/vpatch-CVE-2024-52301
crowdsecurity/vpatch-CVE-2024-57727
crowdsecurity/vpatch-CVE-2024-6205
crowdsecurity/vpatch-CVE-2024-8963
crowdsecurity/vpatch-CVE-2025-24893
crowdsecurity/vpatch-CVE-2025-25257
crowdsecurity/vpatch-CVE-2025-28367
crowdsecurity/vpatch-CVE-2025-29306
crowdsecurity/vpatch-CVE-2025-29927
crowdsecurity/vpatch-CVE-2025-31161
crowdsecurity/vpatch-CVE-2025-49113
crowdsecurity/vpatch-CVE-2025-49132
crowdsecurity/vpatch-env-access
crowdsecurity/vpatch-git-config
crowdsecurity/vpatch-symfony-profiler

You can see most rules will optimize into phase:1
