File: //etc/modsecurity.d/owasp/regex-assembly/toolchain.yaml
# # # # # # # # # # # # # # # # # # # #
# configuration file for crs-toolchain
# # # # # # # # # # # # # # # # # # # #
patterns:
  # Regex fragments that tolerate shell evasion tokens around command words.
  # NOTE(review): presumably crs-toolchain splices these into the regexes it
  # assembles for the command-injection rules; confirm against the toolchain
  # documentation, then regenerate and re-test the affected rules after any
  # edit here.
  # `\x5c` is the hex escape for a backslash. Values are literal block
  # scalars (`|`), which keep one trailing newline; presumably the toolchain
  # trims it (TODO confirm).
  #
  # The Unix evasion patterns were extended per the decision in
  # https://github.com/coreruleset/coreruleset/issues/2632.
  anti_evasion:
    # Components of the Unix pattern:
    # - [\x5c'\"\[)]: common evasion tokens and path expansion, e.g., `/bin/[c]''a""\t`
    # - (?:\|\||&&)\s*: hiding of empty variables through logical operators, e.g., `nc&&$u -p 777`
    # - \$[a-z0-9_@?!#{(*-]*: empty variable evasion, e.g., `n\$uc -p 777`
    # - [\x5c'\"\[)], \$[a-z0-9_@?!#{(*-]*: arithmetic expansion evasion, e.g., `c$((9))9`
    # - \x5c?: optional trailing backslash
    # Every component is optional (`*` or `?`), so the pattern also matches
    # the empty string. The quantifiers here are unbounded, unlike the
    # `{1,10}` limits used in `anti_evasion_no_space_suffix`.
    unix: |
      [\x5c'\"\[)]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{(*-]*)?\x5c?
    # Windows pattern: any run (possibly empty) of double quotes and carets.
    windows: |
      [\"\^]*
  # Suffix marker `@`.
  # Each pattern is one character from a separator class followed by `.*`,
  # i.e. a separator and then whatever follows it.
  anti_evasion_suffix:
    # Separator class of the Unix pattern:
    # - \s$: end of line / string
    # - <>: redirection, e.g., `cat<foo`
    # - ,: brace expansion, e.g., `""{nc,-p,777}`
    # - &|: logical operators in headers, e.g., `a=nc&&$a -nlvp 555`
    # - ): subshell, e.g., `(ifconfig)`
    # NOTE(review): the pattern below contains `\s` but no `$` anchor, so a
    # word at the very end of the input with no following character is not
    # matched by this fragment alone; confirm whether end-of-string is
    # handled elsewhere in the toolchain or in the rules.
    unix: |
      [\s<>&|),].*
    # Examples the Windows pattern is meant to cover:
    # "more foo", "more,foo", "more;foo", "more.com", "more/e",
    # "more<foo", "more>foo"
    windows: |
      [\s,;./<>].*
  # Suffix marker `~`.
  # Same as above but does not allow any white space as the next token.
  # This is useful for words like `python3`, where `python@` would
  # create too many false positives because it would match `python `.
  # These patterns consist mainly of combinations of the `anti_evasion`
  # and `anti_evasion_suffix` patterns above, with only a few bits of
  # additional matching logic.
  # The `anti_evasion` fragments are copied in literally rather than
  # referenced, so a change to `anti_evasion` has to be repeated here by hand.
  anti_evasion_no_space_suffix:
    # This will match:
    #
    # python<<<foo
    # python2 foo
    #
    # It will _not_ match:
    # python foo
    #
    # The pattern is an alternation of two branches:
    # [<>&|),]{1,10}: anti-evasion suffix without space, 1 to 10 repetitions
    # (?:[\w\d._-][\x5c'\"\[)]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{(*-]*)?\x5c?){1,10}: non-whitespace followed by anti-evasion pattern, 1 to 10 repetitions
    # [\s<>&|),}]{1,10}: anti-evasion suffix, including `}` (to match command names within expansions, e.g. `${gcc7.4}gcc7.4`), 1 to 10 repetitions
    # The second branch requires at least one `[\w\d._-]` character before
    # any whitespace, which is why `python foo` is not matched.
    # NOTE(review): the `{1,10}` bounds presumably cap matching cost and
    # match length; confirm before raising them. In most regex engines `\w`
    # already covers `\d` and `_`, so `[\w\d._-]` is redundant but harmless.
    unix: |
      (?:[<>&|),]{1,10}|(?:[\w\d._-][\x5c'\"\[)]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{(*-]*)?\x5c?){1,10}[\s<>&|),}]{1,10})
    # This will match:
    #
    # python,foo
    # python2 foo
    #
    # It will _not_ match:
    # python foo
    #
    # Same two-branch structure as the Unix pattern:
    # [,;./<>]{1,10}: anti-evasion suffix without space, 1 to 10 repetitions
    # (?:[\w\d._-][\"\^]*){1,10}: non-whitespace followed by anti-evasion pattern, 1 to 10 repetitions
    # [\s,;./<>]{1,10}: anti-evasion suffix, 1 to 10 repetitions
    windows: |
      (?:[,;./<>]{1,10}|(?:[\w\d._-][\"\^]*){1,10}[\s,;./<>]{1,10})