I’ve got a question to you about Pimcore compatibility with the CRS project (https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project).
In the CRS there is one rule which checks to don’t have too many special chars in the SQL query (11 is max): https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf#L980
One of these chars is backtick (`) and Pimcore is wrapping all single identifier with backticks:
- hardcoded: https://github.com/pimcore/pimcore/blob/8ef2d6610e438198e11fd381b0172883856213d7/models/Translation/AbstractTranslation/Dao.php#L36
- or using doctrine dbal: https://github.com/pimcore/pimcore/blob/4c986d60d890898e466533a21dfd29bde2acb9f6/lib/Db/PimcoreExtensionsTrait.php#L385
In my opinion, this rule is very strict and to be true I’m not sure why it have got some connection with security, but if we would like to have Pimcore on Azure with WAF these CRS rules are enabled by default (as far as I know): https://azure.microsoft.com/pl-pl/blog/azure-web-application-firewall-waf-generally-available/
So my final questions are:
- do you have any idea is it possible to have Pimcore compatible with OWASP ModSecurity CRS (Paranoia Level 2)?
- should we try to change CRS rule or maybe Pimcore code in the case of
- did some of you use Pimcore on Azure? is it with WAF enabled?
I’m just curious about your opinions because ModSecurity looks generally very nice, but on the other had so strict rules seems to be impossible to use with Pimcore easily.