Skip to content

feat: add lint rule for ARGS_NAMES start-anchored operators missing json prefix#155

Open
fzipi wants to merge 4 commits into
mainfrom
feat/add-lint-rule-args-names-json-prefix
Open

feat: add lint rule for ARGS_NAMES start-anchored operators missing json prefix#155
fzipi wants to merge 4 commits into
mainfrom
feat/add-lint-rule-args-names-json-prefix

Conversation

@fzipi

@fzipi fzipi commented Jun 26, 2026

Copy link
Copy Markdown
Member

Summary

  • Adds a new args_names_json_prefix rule that flags SecRule directives targeting ARGS_NAMES with start-anchored operators that don't account for the json. prefix added by libModSecurity3/Coraza to JSON body parameter names
  • Flags @rx ^pattern (start-anchored without (?:json\.)?), @beginsWith, and @streq when used with ARGS_NAMES
  • 24 new tests covering all operator variants, multi-target rules, chained rules, and negated variables

Background

libModSecurity3 and Coraza prefix JSON body parameter names with json. (e.g. usernamejson.username), while ModSecurity2 does not. A rule like SecRule ARGS_NAMES "@rx ^username$" silently misses JSON parameters on libModSecurity3/Coraza. The fix is to use ^(?:json\.)?username$ instead.

This is the same class of bug fixed in coreruleset/coreruleset#4672.

Prerequisites

Test plan

  • uv run pytest tests/test_args_names_json_prefix.py -vs — all 24 new tests pass
  • uv run pytest -q — full suite (407 tests) passes
  • uv run python generate_rules_docs.py --check — README is up to date

Closes #154

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added a new linter rule to detect SecRule uses of start-anchored ARGS_NAMES that don’t account for the optional json.-prefixed parameter naming.
    • Updated the linting rules reference and exemptions list with the new rule details and examples.
  • Tests

    • Added pytest coverage for passing and failing ARGS_NAMES scenarios, including chained rules, negation behavior, and JSON-prefix matching edge cases.

…son prefix

libModSecurity3 and Coraza prefix JSON body parameter names with 'json.'
(e.g. 'username' becomes 'json.username'), while ModSecurity2 does not.
Rules targeting ARGS_NAMES with @rx anchored to '^', @beginswith, or
@Streq will silently miss JSON parameters on libModSecurity3/Coraza unless
they include a '(?:json\.)?' prefix.

The new 'args_names_json_prefix' rule flags these cases and guides
rule-writers to use '^(?:json\.)?...' instead.

Closes #154

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c7041e30-a652-4994-90a4-17a5ffb98a87

📥 Commits

Reviewing files that changed from the base of the PR and between 24dbe84 and 60c7cdc.

📒 Files selected for processing (2)
  • src/crs_linter/rules/args_names_json_prefix.py
  • tests/test_args_names_json_prefix.py
🚧 Files skipped from review as they are similar to previous changes (2)
  • tests/test_args_names_json_prefix.py
  • src/crs_linter/rules/args_names_json_prefix.py

📝 Walkthrough

Walkthrough

Adds a new ArgsNamesJsonPrefix lint rule, wires it into the linter, documents it in the README, and adds pytest coverage for ARGS_NAMES start-anchoring cases, chained rules, and error-message content.

Changes

ArgsNamesJsonPrefix lint rule

Layer / File(s) Summary
Rule matching and problem emission
src/crs_linter/rules/args_names_json_prefix.py
Defines ArgsNamesJsonPrefix and its check() logic for start-anchored ARGS_NAMES patterns, including chained-rule id handling, regex tolerance checks, and LintProblem emission.
Rule registration and README reference
src/crs_linter/linter.py, README.md
Imports the new rule into the linter rule set and adds its name plus the new reference section to the README.
Lint rule tests
tests/test_args_names_json_prefix.py
Adds parameterized and targeted pytest coverage for passing and failing ARGS_NAMES cases, reported message contents, multiple offending rules, and chained rules.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related issues

Suggested reviewers: airween

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and accurately summarizes the new ARGS_NAMES lint rule and its JSON prefix check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/add-lint-rule-args-names-json-prefix

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@fzipi
fzipi requested a review from airween June 26, 2026 08:57

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/crs_linter/rules/args_names_json_prefix.py`:
- Around line 8-9: The missing-prefix check in args_names_json_prefix.py is too
broad because _MISSING_JSON_PREFIX_RE only excludes the partial "^(?:json" stem,
so anchored `@rx` patterns like "^(?:json\\.)foo" or "^(?:jsonx)" are incorrectly
exempted. Tighten the regex used by the rule to match only the full optional
"json." prefix form, and update the related logic in args_names_json_prefix.py
so it compares against the complete allowed engine prefix rather than just the
beginning of it.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 8fdeafe1-0173-4a0f-af51-a2dc34b3ec40

📥 Commits

Reviewing files that changed from the base of the PR and between 486df04 and 24dbe84.

📒 Files selected for processing (4)
  • README.md
  • src/crs_linter/linter.py
  • src/crs_linter/rules/args_names_json_prefix.py
  • tests/test_args_names_json_prefix.py

Comment thread src/crs_linter/rules/args_names_json_prefix.py Outdated
fzipi and others added 2 commits June 26, 2026 11:17
…token

The previous lookahead (?!\(\?:json) only checked for the stem "(?:json",
which incorrectly exempted malformed patterns such as:
  - ^(?:json\.)foo  — mandatory group (missing trailing ?)
  - ^(?:jsonx)?foo  — wrong prefix name
  - ^(?:json)?foo   — missing dot

The new lookahead (?!\(\?:json\\?\.\)\?) matches the complete optional
group, so only well-formed ^(?:json\.)?  or ^(?:json.)?  prefixes are
accepted.  Three regression test cases added.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 8, 2026 14:09

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new CRS Linter rule to catch a subtle portability issue in ModSecurity rules: when targeting ARGS_NAMES, start-anchored operators can miss JSON parameters on libModSecurity3/Coraza unless the pattern accounts for the json. prefix.

Changes:

  • Introduces a new lint rule args_names_json_prefix to flag ARGS_NAMES usage with start-anchored @rx ^..., plus @beginsWith and @streq.
  • Adds a dedicated test suite covering a range of operator/target combinations, chaining, and multi-rule input.
  • Updates rule auto-registration import and README rule documentation/index.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
src/crs_linter/rules/args_names_json_prefix.py Implements the new lint rule and its detection logic + messaging.
tests/test_args_names_json_prefix.py Adds parametrized coverage and additional assertion-focused tests for the new rule.
src/crs_linter/linter.py Imports the new rule module to trigger metaclass auto-registration.
README.md Adds generated documentation entry for the new rule.

Comment thread src/crs_linter/rules/args_names_json_prefix.py Outdated
Comment thread tests/test_args_names_json_prefix.py Outdated
Skip flagging ^-anchored @rx patterns whose leading branch is a negated
character class that doesn't exclude any character in "json." (e.g. CRS
rules 921200, 942540) — that class absorbs the prefix, so the pattern
still matches JSON-prefixed ARGS_NAMES values without an explicit
(?:json\.)? group. Verified against the real CRS 4.28.0 rules: 932171
is still flagged since it has no such tolerance.

Also keep the original operator casing (e.g. @beginswith) in error
messages instead of the lowercased comparison value.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@fzipi

fzipi commented Jul 11, 2026

Copy link
Copy Markdown
Member Author

Needs coreruleset/coreruleset#4703 and release 4.29.0 before merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feature: Require (?:json\.)? prefix when targeting ARGS_NAMES and anchoring to start/full-string

2 participants