Pull request overview
This PR adds a new linting rule to detect and prevent the use of negated !REQUEST_COOKIES targets in SecRule directives, enforcing a policy change that cookie exclusions should be implemented using SecRuleUpdateTargetById directives in separate post-CRS configuration files instead.
Changes:
- Implements a new NoNegatedRequestCookies rule that detects negated REQUEST_COOKIES patterns in SecRule directives
- Adds comprehensive test coverage with 195 lines of tests covering various edge cases
- Enhances the documentation generator with code block formatting functionality for better rendering of ModSecurity examples
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/crs_linter/rules/no_negated_request_cookies.py | New linting rule that checks for !REQUEST_COOKIES targets and yields clear error messages directing users to use SecRuleUpdateTargetById |
| tests/test_no_negated_request_cookies.py | Comprehensive test suite covering valid/invalid patterns, case sensitivity, chained rules, and multiple negated cookies |
| src/crs_linter/linter.py | Imports the new rule module to enable auto-registration |
| generate_rules_docs.py | Adds format_code_blocks() function to properly format ModSecurity code examples in docstrings with markdown triple backticks |
| README.md | Auto-generated documentation updates including the new rule description and improved code block formatting for all examples |
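As an added illustration of what the rule described above checks (this is example code, not the PR's own implementation in src/crs_linter/rules/no_negated_request_cookies.py), the following standalone checker scans SecRule target lists for a negated REQUEST_COOKIES collection, handling quoted and bare target lists, backslash continuations and chained rules, while leaving SecRuleUpdateTargetById lines alone. The simplified directive parser and the sample configuration are constructed for this example and are assumptions, not the project's parser or any real CRS rule file.

```python
def _join_continuations(text):
    """Merge backslash-continued lines into logical lines, tagged with the first line's number."""
    logical, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), start=1):
        start = n if start is None else start
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        logical.append((start, " ".join(buf)))
        buf, start = [], None
    if buf:
        logical.append((start, " ".join(buf)))
    return logical

def _secrule_targets(line):
    """Return the target list (first argument) of a SecRule line, or None for any other directive.
    Only the exact SecRule keyword matches, so SecRuleUpdateTargetById lines are skipped."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "secrule":
        return None
    rest = parts[1]
    if rest.startswith('"'):                   # quoted form: "ARGS|!REQUEST_COOKIES"
        return rest[1:].split('"', 1)[0]
    return rest.split(None, 1)[0]              # bare form: ARGS|!REQUEST_COOKIES

def check_negated_request_cookies(config_text):
    """Return (line, target, message) for every SecRule target that negates REQUEST_COOKIES.
    Assumption: only the REQUEST_COOKIES collection itself is flagged, case-insensitively,
    with or without a :name or :/regex/ selector; chained rules are ordinary SecRule lines."""
    findings = []
    for lineno, line in _join_continuations(config_text):
        targets = _secrule_targets(line)
        if targets is None:
            continue
        for target in (t.strip() for t in targets.split("|")):
            if target.startswith("!") and target[1:].split(":", 1)[0].upper() == "REQUEST_COOKIES":
                findings.append((lineno, target, "negated REQUEST_COOKIES target in SecRule; move "
                                 "the exclusion to SecRuleUpdateTargetById in a post-CRS config file"))
    return findings

# Constructed sample (not a real CRS file): a continued line, a chained rule, a quoted target
# list, a non-negated cookie target, and the recommended SecRuleUpdateTargetById form.
SAMPLE_CONFIG = """\
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|ARGS "@rx attack" \\
    "id:900001,phase:2,deny"
SecRule ARGS "@rx foo" "id:900002,phase:2,chain"
    SecRule !request_cookies:session "@rx bar" "t:none"
SecRule "ARGS|!REQUEST_COOKIES" "@rx baz" "id:900003,phase:2,pass"
SecRule REQUEST_COOKIES:session "@rx ok" "id:900004,phase:2,pass"
SecRuleUpdateTargetById 900001 "!REQUEST_COOKIES:/__utm/"
"""
```

Running `check_negated_request_cookies(SAMPLE_CONFIG)` reports lines 1, 4 and 5 and nothing for the non-negated target or the SecRuleUpdateTargetById line.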
airween previously approved these changes, Jan 24, 2026
Contributor
Looks good to me. Probably we can merge after a new CRS release (current released version does not fit the expected rules).
Member, Author
Moved the enhanced documentation generator to #115, as it has nothing to do with the intended changes here.
0027130 to da2c220
Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
da2c220 to 109c792
refs: SecRule directives to remove targets from REQUEST_COOKIES #112