Skip to content

DOC: SecRuleUpdateActionById and chain docs are errant for both 2.x and 3.x  #2860

New issue
New issue
Open
Open
DOC: SecRuleUpdateActionById and chain docs are errant for both 2.x and 3.x #2860
Labels
2.xRelated to ModSecurity version 2.x3.xRelated to ModSecurity version 3.xdocumentationSomehow related to documentation
@diablodale

Description

@diablodale
diablodale
opened on Jan 12, 2023

The official doc for modsecurity 2.x and 3.x for both SecRuleUpdateActionById and chain are errant. They lead to errant rule writing and/or exposing underlying modsecurity bugs. I request clarification/rewrite of at least these two sections of both 2.x and 3.x docs.

This is a cascade issue from coreruleset/coreruleset#3080 (comment). I recommend reviewing that whole issue to understand the errant docs and gaps in information.

Doc Problems

  1. SecRuleUpdateActionById doesn't organize limitations/workarounds together; e.g. modsec 2.x SecRuleUpdateActionById on rule chains has a chain workaround (see issue above) and limitation (see issue above) and may have additional behavior/workaround changes in 3.x (I can't test 3.x)
  2. chain has wrong language, e.g. "Non-disruptive rules" should be "Non-disruptive actions"
  3. chain has wrong facts, e.g. "they [non-disruptive actions] will be executed if the rule that contains them matches and not only when the entire chain matches". That statement is false since it has been proven in 2.x (can't test myself in 3.x) that setvar does NOT "not only when the entire chain matches".
  4. Coordinate chain with SecRuleUpdateActionById docs so they match each other's limitations/workarounds.

Docs problems of these areas exist in both 2.x and 3.x docs; sometimes similar, sometimes identical.
I recommend adding some rule + rule update examples to demonstrate how to use them correctly on each 2.x and 3.x. The issue above has premade examples.

Below is one suggestion for the 3.x docs.

Example 3.x docs for SecRuleUpdateActionById

...It has two limitations: it cannot be used to change the ID or phase of a rule. Only the actions that  
can appear only once are overwritten. The actions that are allowed to appear multiple times in a list,  
will be appended to the end of the list.

Example foo bar...

then 3 paragraphs and 2 examples under that is another limitation

Note : If the target rule is a chained rule, action updates may only be made to the main (first) rule in the chain.

These need to be combined together. Perhaps something like

...It has limitations

1. it cannot be used to change the ID or phase of a rule.
2. Only the actions that can appear only once are overwritten. The actions that are allowed to appear  
   multiple times in a list, will be appended to the end of the list.
3. If the target rule is a chained rule, action updates may only be made to the main (first) rule in the chain.  
   This is a tighter restriction than modsecurity 2.x.

Example foo bar...

Metadata

Metadata

Assignees

No one assigned

    Labels

    2.xRelated to ModSecurity version 2.x3.xRelated to ModSecurity version 3.xdocumentationSomehow related to documentation

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions