##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##! Word list for rule 932125 (RCE Windows command injection - PowerShell aliases)
##!
##! This list comes from the powershell source code. Can be updated using this oneliner:
##! curl -s https://raw.githubusercontent.com/PowerShell/PowerShell/master/src/System.Management.Automation/engine/InitialSessionState.cs -o - | awk -F\" '/new SessionStateAliasEntry\("/ { print $2; }'
##!
##! NOTE(review): the one-liner reads the master branch, so its output changes
##! whenever upstream adds or renames an alias. It only prints alias names; the
##! "@" suffixes and the "disabled for FP" decisions below are maintained by
##! hand, so review the resulting diff before regenerating the rule.

##! To prevent some FP for a command, you can require command parameters
##! after a command. Only do this if the command regularly causes FP and if
##! allowing the bare command (without parameters) is not too dangerous.
##! (Note: due to \b following the regexp, a word boundary is also required
##! further on, so some letter/number is needed for a match). Example:
##!
##!   diff@

##! Flag i: the assembled expression matches case-insensitively.
##!+ i

##! Note: the quoting prefixes are part of the command prefixes, except for ^
##! which, for unknown reasons, is not part of the expression

##! extension/switches suffix
##! cmd.com, cmd.exe, etc.
##!$ (?:\.[\"\^]*\w+)?
##! cmd/h
##!$ \b

##! starting tokens prefix
##!> assemble
  ##! ;cmd
  ;
  ##! {cmd
  \{
  ##! |cmd
  \|
  ##! ||cmd
  \|\|
  ##! &cmd
  &
  ##! &&cmd
  &&
  ##! \ncmd
  \n
  ##! \rcmd
  \r
  ##! `cmd
  `
  ##!=>

  ##! match possible white space between prefix expressions
  \s*
  ##!=>

  ##! commands prefix
  ##!> assemble
    ##! (cmd)
    \(
    ##! ,cmd
    ,
    ##! @cmd
    @
    ##! 'cmd'
    '
    ##! "cmd"
    \"
    ##! spacing+cmd
    \s
  ##!<
  ##!=>

  *
  ##!=>

  ##! paths prefix
  ##!> assemble
    ##! /path/cmd
    [\w'\"\./]+/
    ##! C:\Program Files\cmd
    [\x5c'\"\^]*\w[\x5c'\"\^]*:.*\x5c
    ##! \\net\share\dir\cmd
    [\^\.\w '\"/\x5c]*\x5c
  ##!<
  ##!=>

  ?[\"\^]*
  ##!=>

  ##! PowerShell alias word list.
  ##! Entries ending in "@" require command parameters after the alias (see the
  ##! FP note at the top of this file); entries without "@" may also match as a
  ##! bare command.
  ##! NOTE(review): every alias on a "disabled for FP" line is a comment, so it
  ##! is not part of the generated expression and rule 932125 does not detect
  ##! it. Each such line is read here as covering the single alias it names -
  ##! confirm against the upstream file, and treat these names as accepted
  ##! coverage gaps that other rules or controls have to cover.
  ##!> cmdline windows
    ac@
    asnp@
    cd@
    ##! disabled for FP: cat@
    chdir@
    clc@
    ##! disabled for FP: clear
    clhy@
    cli@
    clp@
    cls
    clv@
    cnsn
    ##! disabled for FP: compare@
    ##! disabled for FP: copy@
    cp@
    cpi@
    cpp@
    cvpa@
    dbp@
    del@
    diff@
    dir@
    dnsn
    ebp@
    epal@
    epcsv@
    epsn@
    ##! disabled for FP: erase@
    etsn@
    exsn@
    fc@
    fl@
    foreach@
    ft@
    fw@
    gal@
    gbp@
    gc@
    gci@
    gcm@
    gcs@
    gdr@
    gerr
    ghy@
    gi@
    gjb@
    gl@
    gm@
    gmo@
    gp@
    gps@
    gpv
    ##! disabled for FP: group
    gsn@
    gsnp@
    gsv@
    gu@
    gv@
    gwmi@
    ##! disabled for FP: h
    ##! disabled for FP: history
    icm@
    iex@
    ihy@
    ii@
    ipal@
    ipcsv@
    ipmo@
    ipsn@
    irm@
    ise@
    iwmi@
    iwr@
    ##! disabled for FP: kill
    ls
    man@
    md@
    ##! disabled for FP: measure
    mi@
    mount@
    ##! disabled for FP: move
    mp@
    mv@
    nal@
    ndr@
    ni@
    nmo@
    npssc
    nsn@
    nv@
    ogv@
    ##! disabled for FP: oh
    popd@
    pushd@
    ##! disabled for FP: pwd
    ##! disabled for FP: r
    rbp@
    rcjb@
    rcsn
    rd@
    rdr@
    ren@
    ri@
    rjb@
    rm@
    rmdir@
    rmo@
    rni@
    rnp@
    rp@
    rsn@
    rsnp@
    rujb
    rv@
    rvpa@
    rwmi@
    sajb@
    sal@
    saps@
    sasv@
    sbp@
    sc@
    ##! disabled for FP: select
    ##! disabled for FP: set
    shcm
    si@
    sl@
    ##! disabled for FP: sleep
    sls@
    ##! disabled for FP: sort
    sp@
    spjb@
    spps@
    spsv@
    ##! disabled for FP: start
    sujb
    sv@
    swmi@
    ##! disabled for FP: tee
    trcm@
    ##! disabled for FP: type
    ##! disabled for FP: where
    wjb@
    ##! disabled for FP: write@
  ##!<
##!<