The word "Warning" causes "PCRE limit exceeded"

[mricherzhagen]

Describe the bug

When the word "Warning" is used in a response in any way (e.g. as part of bootstraps CSS classtext-warning) and there is more content on the page this results in PCRE limits beeing exceeded.

Steps to reproduce

Have a simple file with the Word "Warning" at the beginning and 200 words of lorem ipsum after that.

Expected behaviour

PCRE limits not being exceeded by such a common word.

Actual behaviour

PCRE limits are exceeded by multiple of the rules that are defined in RESPONSE-951-DATA-LEAKAGES-SQL.conf

Additional context

Message: Rule 1eecd98 [id "-"][file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "89"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 1f22f10 [id "-"][file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "266"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 1f2de68 [id "-"][file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "317"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 1f361c8 [id "-"][file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "342"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 1f40b60 [id "-"][file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "367"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 1f48008 [id "-"][file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "392"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 1f4cc50 [id "-"][file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "417"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 1f511b0 [id "-"][file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "442"] - Execution error - PCRE limits exceeded (-8): (null).

Warning: Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.   

Duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie consequat, vel illum dolore eu feugiat nulla facilisis at vero eros et accumsan et iusto odio dignissim qui blandit praesent luptatum zzril delenit augue duis dolore te feugait nulla facilisi. Lorem ipsum dolor sit amet,
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.   

Duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie consequat, vel illum dolore eu feugiat nulla facilisis at vero eros et accumsan et iusto odio dignissim qui blandit praesent luptatum zzril delenit augue duis dolore te feugait nulla facilisi. Lorem ipsum dolor sit amet,
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.   

Duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie consequat, vel illum dolore eu feugiat nulla facilisis at vero eros et accumsan et iusto odio dignissim qui blandit praesent luptatum zzril delenit augue duis dolore te feugait nulla facilisi. Lorem ipsum dolor sit amet,
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.   

Duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie consequat, vel illum dolore eu feugiat nulla facilisis at vero eros et accumsan et iusto odio dignissim qui blandit praesent luptatum zzril delenit augue duis dolore te feugait nulla facilisi. Lorem ipsum dolor sit amet,

Your Environment

• CRS version (e.g., v3.2.0): v3.2.0
• ModSecurity version: 2.9.3
• Web Server and version: Apache/2.4.41

[dune73]

Hey Matthias, sorry for the inconvenience.

Can you tell me what your SecPcreMatchLimit / SecPcreMatchLimitRecursion is? It's probably too low.

But even if it is high enough, these errors are still possible. I would probably disable said rules for CSS files in your situation. Like you treat a false positive, actually.

[mricherzhagen]

These are the limits:

SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000

I don't think that increasing the limits is the solution here, though. If i look at the regex they all have something like Warning.*something. Which causes the regex engine to go until the end of the file and then try to backtrack to find the biggest possible match - if i understand regex correctly.

Can replacing the .* with .*? fix this while keeping the regex functional? I don't think that we are looking for the biggest possible match here anyway. But I'm by no means an expert on Regex. These Lazy Quantifiers are just one "regex performance improvement" I've heard of.

The problem does not only occur for CSS files, but also for HTML results from PHP scripts, which use these *-warning bootstrap classes in their output. For these the rules might actually be useful.

[mricherzhagen]

I tried a sed -i -E -e 's/Warning\.\*([^?])/Warning.*?\1/g' RESPONSE-951-DATA-LEAKAGES-SQL.conf to change all the .* after "Warning" to .*? and it did indeed fix the PCRE limit exceeded errors. At least for my simple Test-Case with the word "Warning" and lorem ipsum. Didn't test if it still detects the real warning messages, though. But i guess you have automated test examples for these?

Edit: After more testing it turns out, that the problem is still reproducable with that change, but it needs more lorem ipsum to trigger it.

I now tried to change the Regex from Warning.*abc to Warning.{0,200}?abc, which seems to fix it, but comes with the increased risk of not matching an actual warning, i guess. Could increase the number to lower that risk, though.