Wildcard hostnames create false positive OWASP rule detection #9186


Closed
timquinlan opened this issue Aug 18, 2023 · 1 comment
Labels
s2 Broken use cases or features (with a workaround). Only humans may set this. stale This issue is like stale bread.

Comments

@timquinlan
Contributor

timquinlan commented Aug 18, 2023

Coder wildcard hostnames use a double dash ( -- ) to delimit username, workspace name, agent name, and app name in coder_app URLs. A WAF that enforces OWASP rule 942440 (SQL Comment Sequence Detected) will trigger a false positive based on the presence of a double-dash ( -- ) in the URL. To remediate, create a WAF policy that does not enforce rule 942440 for your Coder traffic.

@cdr-bot cdr-bot bot added the bug label Aug 18, 2023
@matifali matifali added the s2 Broken use cases or features (with a workaround). Only humans may set this. label Oct 2, 2023
@deansheather
Member

We use double hyphens so we can support single hyphens in app names, agent names, workspace names and usernames. There aren't any other separator characters we can use so we have no plans to fix this.

Please disable the WAF policy to avoid this issue or avoid using subdomain apps.
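To make the two comments above concrete, the following Go program (added here as an example; it is not Coder's own code) parses a subdomain app hostname on the "--" delimiter, shows why a single-hyphen delimiter stops working once names contain hyphens, and runs a constructed approximation of a SQL-comment-sequence check like CRS rule 942440 against the same hostname. The field order app--agent--workspace--user, the sample hostnames and the regex are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AppURL holds the four parts of a Coder subdomain app hostname. The field
// order app--agent--workspace--user is an assumption made for this example.
type AppURL struct {
	App, Agent, Workspace, User string
}

// ParseSubdomainApp splits the leftmost DNS label on the "--" separator.
// Names may themselves contain single hyphens, which is why a single "-"
// cannot be the delimiter (see SingleHyphenParts).
func ParseSubdomainApp(host string) (AppURL, error) {
	label, _, _ := strings.Cut(host, ".")
	parts := strings.Split(label, "--")
	if len(parts) != 4 {
		return AppURL{}, fmt.Errorf("want 4 parts separated by \"--\", got %d", len(parts))
	}
	for _, p := range parts {
		if p == "" {
			return AppURL{}, fmt.Errorf("empty component in %q", label)
		}
	}
	return AppURL{App: parts[0], Agent: parts[1], Workspace: parts[2], User: parts[3]}, nil
}

// SingleHyphenParts shows how many fragments a naive split on "-" produces.
func SingleHyphenParts(host string) int {
	label, _, _ := strings.Cut(host, ".")
	return len(strings.Split(label, "-"))
}

// sqlCommentSeq is a constructed approximation of what a CRS rule such as
// 942440 looks for: the SQL line-comment sequence "--" followed by a
// non-hyphen character. It is not the rule's actual regex.
var sqlCommentSeq = regexp.MustCompile(`--[^-]`)

// WAFFlagsHost reports whether that check fires on the hostname.
func WAFFlagsHost(host string) bool { return sqlCommentSeq.MatchString(host) }

func main() {
	host := "code-server--main--my-workspace--tim.coder.example.com" // constructed
	u, err := ParseSubdomainApp(host)
	fmt.Printf("%+v err=%v hyphen fragments=%d waf=%v\n", u, err, SingleHyphenParts(host), WAFFlagsHost(host))
}
```

The same hostname that the "--" parser splits cleanly into four components is flagged by the comment-sequence check, which is exactly the false positive the issue reports; the practical fix stays a rule exclusion scoped to Coder's wildcard domain.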

@github-actions github-actions bot added the stale This issue is like stale bread. label Apr 8, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 15, 2024
Development

No branches or pull requests

3 participants