datadog 2.0.0.beta1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (764) hide show
  1. checksums.yaml +7 -0
  2. data/CHANGELOG.md +4236 -0
  3. data/LICENSE +6 -0
  4. data/LICENSE-3rdparty.csv +7 -0
  5. data/LICENSE.Apache +200 -0
  6. data/LICENSE.BSD3 +24 -0
  7. data/NOTICE +4 -0
  8. data/README.md +25 -0
  9. data/bin/ddprofrb +15 -0
  10. data/ext/datadog_profiling_loader/datadog_profiling_loader.c +134 -0
  11. data/ext/datadog_profiling_loader/extconf.rb +72 -0
  12. data/ext/datadog_profiling_native_extension/NativeExtensionDesign.md +156 -0
  13. data/ext/datadog_profiling_native_extension/clock_id.h +22 -0
  14. data/ext/datadog_profiling_native_extension/clock_id_from_pthread.c +56 -0
  15. data/ext/datadog_profiling_native_extension/clock_id_noop.c +22 -0
  16. data/ext/datadog_profiling_native_extension/collectors_cpu_and_wall_time_worker.c +1153 -0
  17. data/ext/datadog_profiling_native_extension/collectors_discrete_dynamic_sampler.c +422 -0
  18. data/ext/datadog_profiling_native_extension/collectors_discrete_dynamic_sampler.h +101 -0
  19. data/ext/datadog_profiling_native_extension/collectors_dynamic_sampling_rate.c +150 -0
  20. data/ext/datadog_profiling_native_extension/collectors_dynamic_sampling_rate.h +18 -0
  21. data/ext/datadog_profiling_native_extension/collectors_gc_profiling_helper.c +156 -0
  22. data/ext/datadog_profiling_native_extension/collectors_gc_profiling_helper.h +5 -0
  23. data/ext/datadog_profiling_native_extension/collectors_idle_sampling_helper.c +244 -0
  24. data/ext/datadog_profiling_native_extension/collectors_idle_sampling_helper.h +3 -0
  25. data/ext/datadog_profiling_native_extension/collectors_stack.c +372 -0
  26. data/ext/datadog_profiling_native_extension/collectors_stack.h +27 -0
  27. data/ext/datadog_profiling_native_extension/collectors_thread_context.c +1391 -0
  28. data/ext/datadog_profiling_native_extension/collectors_thread_context.h +15 -0
  29. data/ext/datadog_profiling_native_extension/extconf.rb +302 -0
  30. data/ext/datadog_profiling_native_extension/heap_recorder.c +970 -0
  31. data/ext/datadog_profiling_native_extension/heap_recorder.h +155 -0
  32. data/ext/datadog_profiling_native_extension/helpers.h +23 -0
  33. data/ext/datadog_profiling_native_extension/http_transport.c +375 -0
  34. data/ext/datadog_profiling_native_extension/libdatadog_helpers.c +62 -0
  35. data/ext/datadog_profiling_native_extension/libdatadog_helpers.h +42 -0
  36. data/ext/datadog_profiling_native_extension/native_extension_helpers.rb +319 -0
  37. data/ext/datadog_profiling_native_extension/private_vm_api_access.c +892 -0
  38. data/ext/datadog_profiling_native_extension/private_vm_api_access.h +61 -0
  39. data/ext/datadog_profiling_native_extension/profiling.c +267 -0
  40. data/ext/datadog_profiling_native_extension/ruby_helpers.c +267 -0
  41. data/ext/datadog_profiling_native_extension/ruby_helpers.h +119 -0
  42. data/ext/datadog_profiling_native_extension/setup_signal_handler.c +115 -0
  43. data/ext/datadog_profiling_native_extension/setup_signal_handler.h +11 -0
  44. data/ext/datadog_profiling_native_extension/stack_recorder.c +941 -0
  45. data/ext/datadog_profiling_native_extension/stack_recorder.h +27 -0
  46. data/ext/datadog_profiling_native_extension/time_helpers.c +53 -0
  47. data/ext/datadog_profiling_native_extension/time_helpers.h +26 -0
  48. data/lib/datadog/appsec/assets/blocked.html +99 -0
  49. data/lib/datadog/appsec/assets/blocked.json +1 -0
  50. data/lib/datadog/appsec/assets/blocked.text +5 -0
  51. data/lib/datadog/appsec/assets/waf_rules/README.md +7 -0
  52. data/lib/datadog/appsec/assets/waf_rules/processors.json +92 -0
  53. data/lib/datadog/appsec/assets/waf_rules/recommended.json +7703 -0
  54. data/lib/datadog/appsec/assets/waf_rules/scanners.json +114 -0
  55. data/lib/datadog/appsec/assets/waf_rules/strict.json +1635 -0
  56. data/lib/datadog/appsec/assets.rb +46 -0
  57. data/lib/datadog/appsec/autoload.rb +13 -0
  58. data/lib/datadog/appsec/component.rb +94 -0
  59. data/lib/datadog/appsec/configuration/settings.rb +202 -0
  60. data/lib/datadog/appsec/configuration.rb +11 -0
  61. data/lib/datadog/appsec/contrib/auto_instrument.rb +25 -0
  62. data/lib/datadog/appsec/contrib/devise/event.rb +57 -0
  63. data/lib/datadog/appsec/contrib/devise/ext.rb +13 -0
  64. data/lib/datadog/appsec/contrib/devise/integration.rb +42 -0
  65. data/lib/datadog/appsec/contrib/devise/patcher/authenticatable_patch.rb +76 -0
  66. data/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb +54 -0
  67. data/lib/datadog/appsec/contrib/devise/patcher.rb +45 -0
  68. data/lib/datadog/appsec/contrib/devise/resource.rb +35 -0
  69. data/lib/datadog/appsec/contrib/devise/tracking.rb +49 -0
  70. data/lib/datadog/appsec/contrib/integration.rb +37 -0
  71. data/lib/datadog/appsec/contrib/patcher.rb +12 -0
  72. data/lib/datadog/appsec/contrib/rack/ext.rb +13 -0
  73. data/lib/datadog/appsec/contrib/rack/gateway/request.rb +104 -0
  74. data/lib/datadog/appsec/contrib/rack/gateway/response.rb +30 -0
  75. data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +162 -0
  76. data/lib/datadog/appsec/contrib/rack/integration.rb +44 -0
  77. data/lib/datadog/appsec/contrib/rack/patcher.rb +34 -0
  78. data/lib/datadog/appsec/contrib/rack/reactive/request.rb +81 -0
  79. data/lib/datadog/appsec/contrib/rack/reactive/request_body.rb +60 -0
  80. data/lib/datadog/appsec/contrib/rack/reactive/response.rb +66 -0
  81. data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb +44 -0
  82. data/lib/datadog/appsec/contrib/rack/request_middleware.rb +196 -0
  83. data/lib/datadog/appsec/contrib/rails/ext.rb +13 -0
  84. data/lib/datadog/appsec/contrib/rails/framework.rb +16 -0
  85. data/lib/datadog/appsec/contrib/rails/gateway/request.rb +67 -0
  86. data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +71 -0
  87. data/lib/datadog/appsec/contrib/rails/integration.rb +43 -0
  88. data/lib/datadog/appsec/contrib/rails/patcher.rb +166 -0
  89. data/lib/datadog/appsec/contrib/rails/reactive/action.rb +66 -0
  90. data/lib/datadog/appsec/contrib/rails/request.rb +36 -0
  91. data/lib/datadog/appsec/contrib/rails/request_middleware.rb +20 -0
  92. data/lib/datadog/appsec/contrib/sinatra/ext.rb +14 -0
  93. data/lib/datadog/appsec/contrib/sinatra/framework.rb +20 -0
  94. data/lib/datadog/appsec/contrib/sinatra/gateway/request.rb +17 -0
  95. data/lib/datadog/appsec/contrib/sinatra/gateway/route_params.rb +23 -0
  96. data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +117 -0
  97. data/lib/datadog/appsec/contrib/sinatra/integration.rb +43 -0
  98. data/lib/datadog/appsec/contrib/sinatra/patcher.rb +168 -0
  99. data/lib/datadog/appsec/contrib/sinatra/reactive/routed.rb +61 -0
  100. data/lib/datadog/appsec/contrib/sinatra/request_middleware.rb +20 -0
  101. data/lib/datadog/appsec/event.rb +171 -0
  102. data/lib/datadog/appsec/ext.rb +10 -0
  103. data/lib/datadog/appsec/extensions.rb +15 -0
  104. data/lib/datadog/appsec/instrumentation/gateway/argument.rb +22 -0
  105. data/lib/datadog/appsec/instrumentation/gateway.rb +64 -0
  106. data/lib/datadog/appsec/instrumentation.rb +9 -0
  107. data/lib/datadog/appsec/monitor/gateway/watcher.rb +67 -0
  108. data/lib/datadog/appsec/monitor/reactive/set_user.rb +58 -0
  109. data/lib/datadog/appsec/monitor.rb +11 -0
  110. data/lib/datadog/appsec/processor/actions.rb +49 -0
  111. data/lib/datadog/appsec/processor/rule_loader.rb +123 -0
  112. data/lib/datadog/appsec/processor/rule_merger.rb +152 -0
  113. data/lib/datadog/appsec/processor.rb +171 -0
  114. data/lib/datadog/appsec/rate_limiter.rb +60 -0
  115. data/lib/datadog/appsec/reactive/address_hash.rb +22 -0
  116. data/lib/datadog/appsec/reactive/engine.rb +47 -0
  117. data/lib/datadog/appsec/reactive/operation.rb +68 -0
  118. data/lib/datadog/appsec/reactive/subscriber.rb +19 -0
  119. data/lib/datadog/appsec/remote.rb +129 -0
  120. data/lib/datadog/appsec/response.rb +151 -0
  121. data/lib/datadog/appsec/sample_rate.rb +21 -0
  122. data/lib/datadog/appsec/scope.rb +61 -0
  123. data/lib/datadog/appsec/utils/http/media_range.rb +201 -0
  124. data/lib/datadog/appsec/utils/http/media_type.rb +87 -0
  125. data/lib/datadog/appsec/utils/http.rb +11 -0
  126. data/lib/datadog/appsec/utils.rb +9 -0
  127. data/lib/datadog/appsec.rb +60 -0
  128. data/lib/datadog/auto_instrument.rb +16 -0
  129. data/lib/datadog/auto_instrument_base.rb +8 -0
  130. data/lib/datadog/core/buffer/cruby.rb +55 -0
  131. data/lib/datadog/core/buffer/random.rb +134 -0
  132. data/lib/datadog/core/buffer/thread_safe.rb +58 -0
  133. data/lib/datadog/core/chunker.rb +35 -0
  134. data/lib/datadog/core/configuration/agent_settings_resolver.rb +352 -0
  135. data/lib/datadog/core/configuration/base.rb +91 -0
  136. data/lib/datadog/core/configuration/components.rb +177 -0
  137. data/lib/datadog/core/configuration/ext.rb +45 -0
  138. data/lib/datadog/core/configuration/option.rb +319 -0
  139. data/lib/datadog/core/configuration/option_definition.rb +165 -0
  140. data/lib/datadog/core/configuration/options.rb +128 -0
  141. data/lib/datadog/core/configuration/settings.rb +786 -0
  142. data/lib/datadog/core/configuration.rb +296 -0
  143. data/lib/datadog/core/diagnostics/environment_logger.rb +173 -0
  144. data/lib/datadog/core/diagnostics/health.rb +19 -0
  145. data/lib/datadog/core/encoding.rb +74 -0
  146. data/lib/datadog/core/environment/cgroup.rb +53 -0
  147. data/lib/datadog/core/environment/class_count.rb +21 -0
  148. data/lib/datadog/core/environment/container.rb +91 -0
  149. data/lib/datadog/core/environment/execution.rb +103 -0
  150. data/lib/datadog/core/environment/ext.rb +45 -0
  151. data/lib/datadog/core/environment/gc.rb +20 -0
  152. data/lib/datadog/core/environment/git.rb +25 -0
  153. data/lib/datadog/core/environment/identity.rb +84 -0
  154. data/lib/datadog/core/environment/platform.rb +40 -0
  155. data/lib/datadog/core/environment/socket.rb +24 -0
  156. data/lib/datadog/core/environment/thread_count.rb +20 -0
  157. data/lib/datadog/core/environment/variable_helpers.rb +53 -0
  158. data/lib/datadog/core/environment/vm_cache.rb +64 -0
  159. data/lib/datadog/core/environment/yjit.rb +58 -0
  160. data/lib/datadog/core/error.rb +100 -0
  161. data/lib/datadog/core/extensions.rb +16 -0
  162. data/lib/datadog/core/git/ext.rb +16 -0
  163. data/lib/datadog/core/header_collection.rb +43 -0
  164. data/lib/datadog/core/logger.rb +45 -0
  165. data/lib/datadog/core/logging/ext.rb +13 -0
  166. data/lib/datadog/core/metrics/client.rb +199 -0
  167. data/lib/datadog/core/metrics/ext.rb +18 -0
  168. data/lib/datadog/core/metrics/helpers.rb +25 -0
  169. data/lib/datadog/core/metrics/logging.rb +44 -0
  170. data/lib/datadog/core/metrics/metric.rb +14 -0
  171. data/lib/datadog/core/metrics/options.rb +52 -0
  172. data/lib/datadog/core/pin.rb +75 -0
  173. data/lib/datadog/core/remote/client/capabilities.rb +62 -0
  174. data/lib/datadog/core/remote/client.rb +234 -0
  175. data/lib/datadog/core/remote/component.rb +162 -0
  176. data/lib/datadog/core/remote/configuration/content.rb +111 -0
  177. data/lib/datadog/core/remote/configuration/digest.rb +62 -0
  178. data/lib/datadog/core/remote/configuration/path.rb +90 -0
  179. data/lib/datadog/core/remote/configuration/repository.rb +294 -0
  180. data/lib/datadog/core/remote/configuration/target.rb +74 -0
  181. data/lib/datadog/core/remote/configuration.rb +18 -0
  182. data/lib/datadog/core/remote/dispatcher.rb +59 -0
  183. data/lib/datadog/core/remote/ext.rb +13 -0
  184. data/lib/datadog/core/remote/negotiation.rb +70 -0
  185. data/lib/datadog/core/remote/tie/tracing.rb +39 -0
  186. data/lib/datadog/core/remote/tie.rb +27 -0
  187. data/lib/datadog/core/remote/transport/config.rb +60 -0
  188. data/lib/datadog/core/remote/transport/http/api/instance.rb +39 -0
  189. data/lib/datadog/core/remote/transport/http/api/spec.rb +21 -0
  190. data/lib/datadog/core/remote/transport/http/api.rb +58 -0
  191. data/lib/datadog/core/remote/transport/http/builder.rb +219 -0
  192. data/lib/datadog/core/remote/transport/http/client.rb +48 -0
  193. data/lib/datadog/core/remote/transport/http/config.rb +280 -0
  194. data/lib/datadog/core/remote/transport/http/negotiation.rb +146 -0
  195. data/lib/datadog/core/remote/transport/http.rb +147 -0
  196. data/lib/datadog/core/remote/transport/negotiation.rb +62 -0
  197. data/lib/datadog/core/remote/worker.rb +102 -0
  198. data/lib/datadog/core/remote.rb +24 -0
  199. data/lib/datadog/core/runtime/ext.rb +38 -0
  200. data/lib/datadog/core/runtime/metrics.rb +185 -0
  201. data/lib/datadog/core/telemetry/client.rb +87 -0
  202. data/lib/datadog/core/telemetry/collector.rb +248 -0
  203. data/lib/datadog/core/telemetry/emitter.rb +50 -0
  204. data/lib/datadog/core/telemetry/event.rb +83 -0
  205. data/lib/datadog/core/telemetry/ext.rb +15 -0
  206. data/lib/datadog/core/telemetry/heartbeat.rb +35 -0
  207. data/lib/datadog/core/telemetry/http/adapters/net.rb +113 -0
  208. data/lib/datadog/core/telemetry/http/env.rb +20 -0
  209. data/lib/datadog/core/telemetry/http/ext.rb +22 -0
  210. data/lib/datadog/core/telemetry/http/response.rb +66 -0
  211. data/lib/datadog/core/telemetry/http/transport.rb +56 -0
  212. data/lib/datadog/core/telemetry/v1/app_event.rb +59 -0
  213. data/lib/datadog/core/telemetry/v1/application.rb +94 -0
  214. data/lib/datadog/core/telemetry/v1/configuration.rb +27 -0
  215. data/lib/datadog/core/telemetry/v1/dependency.rb +45 -0
  216. data/lib/datadog/core/telemetry/v1/host.rb +59 -0
  217. data/lib/datadog/core/telemetry/v1/install_signature.rb +38 -0
  218. data/lib/datadog/core/telemetry/v1/integration.rb +66 -0
  219. data/lib/datadog/core/telemetry/v1/product.rb +36 -0
  220. data/lib/datadog/core/telemetry/v1/telemetry_request.rb +108 -0
  221. data/lib/datadog/core/telemetry/v2/app_client_configuration_change.rb +41 -0
  222. data/lib/datadog/core/telemetry/v2/request.rb +29 -0
  223. data/lib/datadog/core/transport/ext.rb +43 -0
  224. data/lib/datadog/core/transport/http/adapters/net.rb +159 -0
  225. data/lib/datadog/core/transport/http/adapters/registry.rb +29 -0
  226. data/lib/datadog/core/transport/http/adapters/test.rb +89 -0
  227. data/lib/datadog/core/transport/http/adapters/unix_socket.rb +83 -0
  228. data/lib/datadog/core/transport/http/api/endpoint.rb +31 -0
  229. data/lib/datadog/core/transport/http/api/fallbacks.rb +26 -0
  230. data/lib/datadog/core/transport/http/api/map.rb +18 -0
  231. data/lib/datadog/core/transport/http/env.rb +62 -0
  232. data/lib/datadog/core/transport/http/response.rb +60 -0
  233. data/lib/datadog/core/transport/parcel.rb +22 -0
  234. data/lib/datadog/core/transport/request.rb +17 -0
  235. data/lib/datadog/core/transport/response.rb +64 -0
  236. data/lib/datadog/core/utils/duration.rb +52 -0
  237. data/lib/datadog/core/utils/forking.rb +63 -0
  238. data/lib/datadog/core/utils/hash.rb +79 -0
  239. data/lib/datadog/core/utils/network.rb +121 -0
  240. data/lib/datadog/core/utils/only_once.rb +42 -0
  241. data/lib/datadog/core/utils/safe_dup.rb +40 -0
  242. data/lib/datadog/core/utils/sequence.rb +26 -0
  243. data/lib/datadog/core/utils/time.rb +52 -0
  244. data/lib/datadog/core/utils/url.rb +25 -0
  245. data/lib/datadog/core/utils.rb +94 -0
  246. data/lib/datadog/core/vendor/multipart-post/LICENSE +11 -0
  247. data/lib/datadog/core/vendor/multipart-post/multipart/post/composite_read_io.rb +118 -0
  248. data/lib/datadog/core/vendor/multipart-post/multipart/post/multipartable.rb +59 -0
  249. data/lib/datadog/core/vendor/multipart-post/multipart/post/parts.rb +137 -0
  250. data/lib/datadog/core/vendor/multipart-post/multipart/post/version.rb +11 -0
  251. data/lib/datadog/core/vendor/multipart-post/multipart/post.rb +10 -0
  252. data/lib/datadog/core/vendor/multipart-post/multipart.rb +14 -0
  253. data/lib/datadog/core/vendor/multipart-post/net/http/post/multipart.rb +34 -0
  254. data/lib/datadog/core/worker.rb +24 -0
  255. data/lib/datadog/core/workers/async.rb +185 -0
  256. data/lib/datadog/core/workers/interval_loop.rb +123 -0
  257. data/lib/datadog/core/workers/polling.rb +59 -0
  258. data/lib/datadog/core/workers/queue.rb +44 -0
  259. data/lib/datadog/core/workers/runtime_metrics.rb +62 -0
  260. data/lib/datadog/core.rb +45 -0
  261. data/lib/datadog/kit/appsec/events.rb +169 -0
  262. data/lib/datadog/kit/enable_core_dumps.rb +49 -0
  263. data/lib/datadog/kit/identity.rb +104 -0
  264. data/lib/datadog/kit.rb +11 -0
  265. data/lib/datadog/opentelemetry/api/context.rb +193 -0
  266. data/lib/datadog/opentelemetry/api/trace/span.rb +14 -0
  267. data/lib/datadog/opentelemetry/sdk/configurator.rb +37 -0
  268. data/lib/datadog/opentelemetry/sdk/id_generator.rb +26 -0
  269. data/lib/datadog/opentelemetry/sdk/propagator.rb +92 -0
  270. data/lib/datadog/opentelemetry/sdk/span_processor.rb +134 -0
  271. data/lib/datadog/opentelemetry/sdk/trace/span.rb +167 -0
  272. data/lib/datadog/opentelemetry/trace.rb +59 -0
  273. data/lib/datadog/opentelemetry.rb +51 -0
  274. data/lib/datadog/profiling/collectors/code_provenance.rb +113 -0
  275. data/lib/datadog/profiling/collectors/cpu_and_wall_time_worker.rb +114 -0
  276. data/lib/datadog/profiling/collectors/dynamic_sampling_rate.rb +14 -0
  277. data/lib/datadog/profiling/collectors/idle_sampling_helper.rb +70 -0
  278. data/lib/datadog/profiling/collectors/info.rb +103 -0
  279. data/lib/datadog/profiling/collectors/stack.rb +13 -0
  280. data/lib/datadog/profiling/collectors/thread_context.rb +61 -0
  281. data/lib/datadog/profiling/component.rb +418 -0
  282. data/lib/datadog/profiling/exporter.rb +103 -0
  283. data/lib/datadog/profiling/ext/forking.rb +98 -0
  284. data/lib/datadog/profiling/ext.rb +35 -0
  285. data/lib/datadog/profiling/flush.rb +43 -0
  286. data/lib/datadog/profiling/http_transport.rb +143 -0
  287. data/lib/datadog/profiling/load_native_extension.rb +28 -0
  288. data/lib/datadog/profiling/native_extension.rb +20 -0
  289. data/lib/datadog/profiling/preload.rb +5 -0
  290. data/lib/datadog/profiling/profiler.rb +64 -0
  291. data/lib/datadog/profiling/scheduler.rb +137 -0
  292. data/lib/datadog/profiling/stack_recorder.rb +69 -0
  293. data/lib/datadog/profiling/tag_builder.rb +60 -0
  294. data/lib/datadog/profiling/tasks/exec.rb +50 -0
  295. data/lib/datadog/profiling/tasks/help.rb +18 -0
  296. data/lib/datadog/profiling/tasks/setup.rb +60 -0
  297. data/lib/datadog/profiling.rb +152 -0
  298. data/lib/datadog/tracing/analytics.rb +25 -0
  299. data/lib/datadog/tracing/buffer.rb +129 -0
  300. data/lib/datadog/tracing/client_ip.rb +61 -0
  301. data/lib/datadog/tracing/component.rb +206 -0
  302. data/lib/datadog/tracing/configuration/dynamic/option.rb +71 -0
  303. data/lib/datadog/tracing/configuration/dynamic.rb +64 -0
  304. data/lib/datadog/tracing/configuration/ext.rb +98 -0
  305. data/lib/datadog/tracing/configuration/http.rb +74 -0
  306. data/lib/datadog/tracing/configuration/settings.rb +421 -0
  307. data/lib/datadog/tracing/context.rb +68 -0
  308. data/lib/datadog/tracing/context_provider.rb +82 -0
  309. data/lib/datadog/tracing/contrib/action_cable/configuration/settings.rb +39 -0
  310. data/lib/datadog/tracing/contrib/action_cable/event.rb +71 -0
  311. data/lib/datadog/tracing/contrib/action_cable/events/broadcast.rb +58 -0
  312. data/lib/datadog/tracing/contrib/action_cable/events/perform_action.rb +63 -0
  313. data/lib/datadog/tracing/contrib/action_cable/events/transmit.rb +59 -0
  314. data/lib/datadog/tracing/contrib/action_cable/events.rb +37 -0
  315. data/lib/datadog/tracing/contrib/action_cable/ext.rb +33 -0
  316. data/lib/datadog/tracing/contrib/action_cable/instrumentation.rb +90 -0
  317. data/lib/datadog/tracing/contrib/action_cable/integration.rb +50 -0
  318. data/lib/datadog/tracing/contrib/action_cable/patcher.rb +31 -0
  319. data/lib/datadog/tracing/contrib/action_mailer/configuration/settings.rb +43 -0
  320. data/lib/datadog/tracing/contrib/action_mailer/event.rb +52 -0
  321. data/lib/datadog/tracing/contrib/action_mailer/events/deliver.rb +60 -0
  322. data/lib/datadog/tracing/contrib/action_mailer/events/process.rb +47 -0
  323. data/lib/datadog/tracing/contrib/action_mailer/events.rb +34 -0
  324. data/lib/datadog/tracing/contrib/action_mailer/ext.rb +34 -0
  325. data/lib/datadog/tracing/contrib/action_mailer/integration.rb +50 -0
  326. data/lib/datadog/tracing/contrib/action_mailer/patcher.rb +29 -0
  327. data/lib/datadog/tracing/contrib/action_pack/action_controller/instrumentation.rb +138 -0
  328. data/lib/datadog/tracing/contrib/action_pack/action_controller/patcher.rb +29 -0
  329. data/lib/datadog/tracing/contrib/action_pack/configuration/settings.rb +40 -0
  330. data/lib/datadog/tracing/contrib/action_pack/ext.rb +23 -0
  331. data/lib/datadog/tracing/contrib/action_pack/integration.rb +51 -0
  332. data/lib/datadog/tracing/contrib/action_pack/patcher.rb +27 -0
  333. data/lib/datadog/tracing/contrib/action_pack/utils.rb +40 -0
  334. data/lib/datadog/tracing/contrib/action_view/configuration/settings.rb +43 -0
  335. data/lib/datadog/tracing/contrib/action_view/event.rb +35 -0
  336. data/lib/datadog/tracing/contrib/action_view/events/render_partial.rb +54 -0
  337. data/lib/datadog/tracing/contrib/action_view/events/render_template.rb +57 -0
  338. data/lib/datadog/tracing/contrib/action_view/events.rb +34 -0
  339. data/lib/datadog/tracing/contrib/action_view/ext.rb +25 -0
  340. data/lib/datadog/tracing/contrib/action_view/integration.rb +58 -0
  341. data/lib/datadog/tracing/contrib/action_view/patcher.rb +34 -0
  342. data/lib/datadog/tracing/contrib/action_view/utils.rb +36 -0
  343. data/lib/datadog/tracing/contrib/active_job/configuration/settings.rb +39 -0
  344. data/lib/datadog/tracing/contrib/active_job/event.rb +58 -0
  345. data/lib/datadog/tracing/contrib/active_job/events/discard.rb +50 -0
  346. data/lib/datadog/tracing/contrib/active_job/events/enqueue.rb +49 -0
  347. data/lib/datadog/tracing/contrib/active_job/events/enqueue_at.rb +49 -0
  348. data/lib/datadog/tracing/contrib/active_job/events/enqueue_retry.rb +51 -0
  349. data/lib/datadog/tracing/contrib/active_job/events/perform.rb +49 -0
  350. data/lib/datadog/tracing/contrib/active_job/events/retry_stopped.rb +50 -0
  351. data/lib/datadog/tracing/contrib/active_job/events.rb +42 -0
  352. data/lib/datadog/tracing/contrib/active_job/ext.rb +40 -0
  353. data/lib/datadog/tracing/contrib/active_job/integration.rb +50 -0
  354. data/lib/datadog/tracing/contrib/active_job/log_injection.rb +24 -0
  355. data/lib/datadog/tracing/contrib/active_job/patcher.rb +36 -0
  356. data/lib/datadog/tracing/contrib/active_model_serializers/configuration/settings.rb +37 -0
  357. data/lib/datadog/tracing/contrib/active_model_serializers/event.rb +68 -0
  358. data/lib/datadog/tracing/contrib/active_model_serializers/events/render.rb +45 -0
  359. data/lib/datadog/tracing/contrib/active_model_serializers/events/serialize.rb +47 -0
  360. data/lib/datadog/tracing/contrib/active_model_serializers/events.rb +34 -0
  361. data/lib/datadog/tracing/contrib/active_model_serializers/ext.rb +25 -0
  362. data/lib/datadog/tracing/contrib/active_model_serializers/integration.rb +45 -0
  363. data/lib/datadog/tracing/contrib/active_model_serializers/patcher.rb +32 -0
  364. data/lib/datadog/tracing/contrib/active_record/configuration/makara_resolver.rb +36 -0
  365. data/lib/datadog/tracing/contrib/active_record/configuration/resolver.rb +147 -0
  366. data/lib/datadog/tracing/contrib/active_record/configuration/settings.rb +48 -0
  367. data/lib/datadog/tracing/contrib/active_record/event.rb +30 -0
  368. data/lib/datadog/tracing/contrib/active_record/events/instantiation.rb +58 -0
  369. data/lib/datadog/tracing/contrib/active_record/events/sql.rb +77 -0
  370. data/lib/datadog/tracing/contrib/active_record/events.rb +34 -0
  371. data/lib/datadog/tracing/contrib/active_record/ext.rb +30 -0
  372. data/lib/datadog/tracing/contrib/active_record/integration.rb +57 -0
  373. data/lib/datadog/tracing/contrib/active_record/patcher.rb +27 -0
  374. data/lib/datadog/tracing/contrib/active_record/utils.rb +128 -0
  375. data/lib/datadog/tracing/contrib/active_support/cache/instrumentation.rb +186 -0
  376. data/lib/datadog/tracing/contrib/active_support/cache/patcher.rb +76 -0
  377. data/lib/datadog/tracing/contrib/active_support/cache/redis.rb +47 -0
  378. data/lib/datadog/tracing/contrib/active_support/configuration/settings.rb +47 -0
  379. data/lib/datadog/tracing/contrib/active_support/ext.rb +32 -0
  380. data/lib/datadog/tracing/contrib/active_support/integration.rb +52 -0
  381. data/lib/datadog/tracing/contrib/active_support/notifications/event.rb +71 -0
  382. data/lib/datadog/tracing/contrib/active_support/notifications/subscriber.rb +71 -0
  383. data/lib/datadog/tracing/contrib/active_support/notifications/subscription.rb +164 -0
  384. data/lib/datadog/tracing/contrib/active_support/patcher.rb +27 -0
  385. data/lib/datadog/tracing/contrib/analytics.rb +28 -0
  386. data/lib/datadog/tracing/contrib/auto_instrument.rb +53 -0
  387. data/lib/datadog/tracing/contrib/aws/configuration/settings.rb +53 -0
  388. data/lib/datadog/tracing/contrib/aws/ext.rb +50 -0
  389. data/lib/datadog/tracing/contrib/aws/instrumentation.rb +119 -0
  390. data/lib/datadog/tracing/contrib/aws/integration.rb +47 -0
  391. data/lib/datadog/tracing/contrib/aws/parsed_context.rb +64 -0
  392. data/lib/datadog/tracing/contrib/aws/patcher.rb +57 -0
  393. data/lib/datadog/tracing/contrib/aws/service/base.rb +16 -0
  394. data/lib/datadog/tracing/contrib/aws/service/dynamodb.rb +22 -0
  395. data/lib/datadog/tracing/contrib/aws/service/eventbridge.rb +22 -0
  396. data/lib/datadog/tracing/contrib/aws/service/kinesis.rb +32 -0
  397. data/lib/datadog/tracing/contrib/aws/service/s3.rb +22 -0
  398. data/lib/datadog/tracing/contrib/aws/service/sns.rb +30 -0
  399. data/lib/datadog/tracing/contrib/aws/service/sqs.rb +27 -0
  400. data/lib/datadog/tracing/contrib/aws/service/states.rb +40 -0
  401. data/lib/datadog/tracing/contrib/aws/services.rb +139 -0
  402. data/lib/datadog/tracing/contrib/component.rb +41 -0
  403. data/lib/datadog/tracing/contrib/concurrent_ruby/async_patch.rb +20 -0
  404. data/lib/datadog/tracing/contrib/concurrent_ruby/configuration/settings.rb +24 -0
  405. data/lib/datadog/tracing/contrib/concurrent_ruby/context_composite_executor_service.rb +53 -0
  406. data/lib/datadog/tracing/contrib/concurrent_ruby/ext.rb +16 -0
  407. data/lib/datadog/tracing/contrib/concurrent_ruby/future_patch.rb +20 -0
  408. data/lib/datadog/tracing/contrib/concurrent_ruby/integration.rb +44 -0
  409. data/lib/datadog/tracing/contrib/concurrent_ruby/patcher.rb +49 -0
  410. data/lib/datadog/tracing/contrib/concurrent_ruby/promises_future_patch.rb +22 -0
  411. data/lib/datadog/tracing/contrib/configurable.rb +102 -0
  412. data/lib/datadog/tracing/contrib/configuration/resolver.rb +85 -0
  413. data/lib/datadog/tracing/contrib/configuration/resolvers/pattern_resolver.rb +43 -0
  414. data/lib/datadog/tracing/contrib/configuration/settings.rb +43 -0
  415. data/lib/datadog/tracing/contrib/dalli/configuration/settings.rb +58 -0
  416. data/lib/datadog/tracing/contrib/dalli/ext.rb +40 -0
  417. data/lib/datadog/tracing/contrib/dalli/instrumentation.rb +75 -0
  418. data/lib/datadog/tracing/contrib/dalli/integration.rb +52 -0
  419. data/lib/datadog/tracing/contrib/dalli/patcher.rb +28 -0
  420. data/lib/datadog/tracing/contrib/dalli/quantize.rb +26 -0
  421. data/lib/datadog/tracing/contrib/delayed_job/configuration/settings.rb +49 -0
  422. data/lib/datadog/tracing/contrib/delayed_job/ext.rb +29 -0
  423. data/lib/datadog/tracing/contrib/delayed_job/integration.rb +43 -0
  424. data/lib/datadog/tracing/contrib/delayed_job/patcher.rb +37 -0
  425. data/lib/datadog/tracing/contrib/delayed_job/plugin.rb +108 -0
  426. data/lib/datadog/tracing/contrib/delayed_job/server_internal_tracer/worker.rb +34 -0
  427. data/lib/datadog/tracing/contrib/elasticsearch/configuration/settings.rb +57 -0
  428. data/lib/datadog/tracing/contrib/elasticsearch/ext.rb +34 -0
  429. data/lib/datadog/tracing/contrib/elasticsearch/integration.rb +50 -0
  430. data/lib/datadog/tracing/contrib/elasticsearch/patcher.rb +164 -0
  431. data/lib/datadog/tracing/contrib/elasticsearch/quantize.rb +87 -0
  432. data/lib/datadog/tracing/contrib/ethon/configuration/settings.rb +56 -0
  433. data/lib/datadog/tracing/contrib/ethon/easy_patch.rb +223 -0
  434. data/lib/datadog/tracing/contrib/ethon/ext.rb +32 -0
  435. data/lib/datadog/tracing/contrib/ethon/integration.rb +48 -0
  436. data/lib/datadog/tracing/contrib/ethon/multi_patch.rb +102 -0
  437. data/lib/datadog/tracing/contrib/ethon/patcher.rb +30 -0
  438. data/lib/datadog/tracing/contrib/excon/configuration/settings.rb +74 -0
  439. data/lib/datadog/tracing/contrib/excon/ext.rb +30 -0
  440. data/lib/datadog/tracing/contrib/excon/integration.rb +48 -0
  441. data/lib/datadog/tracing/contrib/excon/middleware.rb +196 -0
  442. data/lib/datadog/tracing/contrib/excon/patcher.rb +31 -0
  443. data/lib/datadog/tracing/contrib/ext.rb +55 -0
  444. data/lib/datadog/tracing/contrib/extensions.rb +228 -0
  445. data/lib/datadog/tracing/contrib/faraday/configuration/settings.rb +77 -0
  446. data/lib/datadog/tracing/contrib/faraday/connection.rb +22 -0
  447. data/lib/datadog/tracing/contrib/faraday/ext.rb +30 -0
  448. data/lib/datadog/tracing/contrib/faraday/integration.rb +48 -0
  449. data/lib/datadog/tracing/contrib/faraday/middleware.rb +112 -0
  450. data/lib/datadog/tracing/contrib/faraday/patcher.rb +56 -0
  451. data/lib/datadog/tracing/contrib/faraday/rack_builder.rb +22 -0
  452. data/lib/datadog/tracing/contrib/grape/configuration/settings.rb +55 -0
  453. data/lib/datadog/tracing/contrib/grape/endpoint.rb +256 -0
  454. data/lib/datadog/tracing/contrib/grape/ext.rb +30 -0
  455. data/lib/datadog/tracing/contrib/grape/instrumentation.rb +37 -0
  456. data/lib/datadog/tracing/contrib/grape/integration.rb +44 -0
  457. data/lib/datadog/tracing/contrib/grape/patcher.rb +33 -0
  458. data/lib/datadog/tracing/contrib/graphql/configuration/settings.rb +50 -0
  459. data/lib/datadog/tracing/contrib/graphql/ext.rb +20 -0
  460. data/lib/datadog/tracing/contrib/graphql/integration.rb +56 -0
  461. data/lib/datadog/tracing/contrib/graphql/patcher.rb +55 -0
  462. data/lib/datadog/tracing/contrib/graphql/trace_patcher.rb +24 -0
  463. data/lib/datadog/tracing/contrib/graphql/tracing_patcher.rb +28 -0
  464. data/lib/datadog/tracing/contrib/grpc/configuration/settings.rb +58 -0
  465. data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/client.rb +117 -0
  466. data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/server.rb +96 -0
  467. data/lib/datadog/tracing/contrib/grpc/datadog_interceptor.rb +107 -0
  468. data/lib/datadog/tracing/contrib/grpc/distributed/fetcher.rb +26 -0
  469. data/lib/datadog/tracing/contrib/grpc/distributed/propagation.rb +46 -0
  470. data/lib/datadog/tracing/contrib/grpc/ext.rb +29 -0
  471. data/lib/datadog/tracing/contrib/grpc/formatting.rb +127 -0
  472. data/lib/datadog/tracing/contrib/grpc/integration.rb +50 -0
  473. data/lib/datadog/tracing/contrib/grpc/intercept_with_datadog.rb +53 -0
  474. data/lib/datadog/tracing/contrib/grpc/patcher.rb +34 -0
  475. data/lib/datadog/tracing/contrib/grpc.rb +45 -0
  476. data/lib/datadog/tracing/contrib/hanami/action_tracer.rb +47 -0
  477. data/lib/datadog/tracing/contrib/hanami/configuration/settings.rb +23 -0
  478. data/lib/datadog/tracing/contrib/hanami/ext.rb +24 -0
  479. data/lib/datadog/tracing/contrib/hanami/integration.rb +44 -0
  480. data/lib/datadog/tracing/contrib/hanami/patcher.rb +33 -0
  481. data/lib/datadog/tracing/contrib/hanami/plugin.rb +23 -0
  482. data/lib/datadog/tracing/contrib/hanami/renderer_policy_tracing.rb +41 -0
  483. data/lib/datadog/tracing/contrib/hanami/router_tracing.rb +44 -0
  484. data/lib/datadog/tracing/contrib/http/circuit_breaker.rb +40 -0
  485. data/lib/datadog/tracing/contrib/http/configuration/settings.rb +69 -0
  486. data/lib/datadog/tracing/contrib/http/distributed/fetcher.rb +38 -0
  487. data/lib/datadog/tracing/contrib/http/distributed/propagation.rb +45 -0
  488. data/lib/datadog/tracing/contrib/http/ext.rb +29 -0
  489. data/lib/datadog/tracing/contrib/http/instrumentation.rb +144 -0
  490. data/lib/datadog/tracing/contrib/http/integration.rb +49 -0
  491. data/lib/datadog/tracing/contrib/http/patcher.rb +30 -0
  492. data/lib/datadog/tracing/contrib/http.rb +45 -0
  493. data/lib/datadog/tracing/contrib/http_annotation_helper.rb +17 -0
  494. data/lib/datadog/tracing/contrib/httpclient/configuration/settings.rb +68 -0
  495. data/lib/datadog/tracing/contrib/httpclient/ext.rb +30 -0
  496. data/lib/datadog/tracing/contrib/httpclient/instrumentation.rb +137 -0
  497. data/lib/datadog/tracing/contrib/httpclient/integration.rb +48 -0
  498. data/lib/datadog/tracing/contrib/httpclient/patcher.rb +42 -0
  499. data/lib/datadog/tracing/contrib/httprb/configuration/settings.rb +68 -0
  500. data/lib/datadog/tracing/contrib/httprb/ext.rb +29 -0
  501. data/lib/datadog/tracing/contrib/httprb/instrumentation.rb +145 -0
  502. data/lib/datadog/tracing/contrib/httprb/integration.rb +48 -0
  503. data/lib/datadog/tracing/contrib/httprb/patcher.rb +42 -0
  504. data/lib/datadog/tracing/contrib/integration.rb +78 -0
  505. data/lib/datadog/tracing/contrib/kafka/configuration/settings.rb +39 -0
  506. data/lib/datadog/tracing/contrib/kafka/consumer_event.rb +19 -0
  507. data/lib/datadog/tracing/contrib/kafka/consumer_group_event.rb +18 -0
  508. data/lib/datadog/tracing/contrib/kafka/event.rb +53 -0
  509. data/lib/datadog/tracing/contrib/kafka/events/connection/request.rb +42 -0
  510. data/lib/datadog/tracing/contrib/kafka/events/consumer/process_batch.rb +49 -0
  511. data/lib/datadog/tracing/contrib/kafka/events/consumer/process_message.rb +47 -0
  512. data/lib/datadog/tracing/contrib/kafka/events/consumer_group/heartbeat.rb +47 -0
  513. data/lib/datadog/tracing/contrib/kafka/events/consumer_group/join_group.rb +37 -0
  514. data/lib/datadog/tracing/contrib/kafka/events/consumer_group/leave_group.rb +37 -0
  515. data/lib/datadog/tracing/contrib/kafka/events/consumer_group/sync_group.rb +37 -0
  516. data/lib/datadog/tracing/contrib/kafka/events/produce_operation/send_messages.rb +41 -0
  517. data/lib/datadog/tracing/contrib/kafka/events/producer/deliver_messages.rb +44 -0
  518. data/lib/datadog/tracing/contrib/kafka/events.rb +48 -0
  519. data/lib/datadog/tracing/contrib/kafka/ext.rb +55 -0
  520. data/lib/datadog/tracing/contrib/kafka/integration.rb +44 -0
  521. data/lib/datadog/tracing/contrib/kafka/patcher.rb +29 -0
  522. data/lib/datadog/tracing/contrib/lograge/configuration/settings.rb +24 -0
  523. data/lib/datadog/tracing/contrib/lograge/ext.rb +15 -0
  524. data/lib/datadog/tracing/contrib/lograge/instrumentation.rb +31 -0
  525. data/lib/datadog/tracing/contrib/lograge/integration.rb +50 -0
  526. data/lib/datadog/tracing/contrib/lograge/patcher.rb +29 -0
  527. data/lib/datadog/tracing/contrib/mongodb/configuration/settings.rb +56 -0
  528. data/lib/datadog/tracing/contrib/mongodb/ext.rb +38 -0
  529. data/lib/datadog/tracing/contrib/mongodb/instrumentation.rb +47 -0
  530. data/lib/datadog/tracing/contrib/mongodb/integration.rb +48 -0
  531. data/lib/datadog/tracing/contrib/mongodb/parsers.rb +49 -0
  532. data/lib/datadog/tracing/contrib/mongodb/patcher.rb +34 -0
  533. data/lib/datadog/tracing/contrib/mongodb/subscribers.rb +141 -0
  534. data/lib/datadog/tracing/contrib/mysql2/configuration/settings.rb +64 -0
  535. data/lib/datadog/tracing/contrib/mysql2/ext.rb +28 -0
  536. data/lib/datadog/tracing/contrib/mysql2/instrumentation.rb +95 -0
  537. data/lib/datadog/tracing/contrib/mysql2/integration.rb +43 -0
  538. data/lib/datadog/tracing/contrib/mysql2/patcher.rb +31 -0
  539. data/lib/datadog/tracing/contrib/opensearch/configuration/settings.rb +54 -0
  540. data/lib/datadog/tracing/contrib/opensearch/ext.rb +38 -0
  541. data/lib/datadog/tracing/contrib/opensearch/integration.rb +44 -0
  542. data/lib/datadog/tracing/contrib/opensearch/patcher.rb +135 -0
  543. data/lib/datadog/tracing/contrib/opensearch/quantize.rb +81 -0
  544. data/lib/datadog/tracing/contrib/patchable.rb +109 -0
  545. data/lib/datadog/tracing/contrib/patcher.rb +85 -0
  546. data/lib/datadog/tracing/contrib/pg/configuration/settings.rb +64 -0
  547. data/lib/datadog/tracing/contrib/pg/ext.rb +35 -0
  548. data/lib/datadog/tracing/contrib/pg/instrumentation.rb +211 -0
  549. data/lib/datadog/tracing/contrib/pg/integration.rb +43 -0
  550. data/lib/datadog/tracing/contrib/pg/patcher.rb +31 -0
  551. data/lib/datadog/tracing/contrib/presto/configuration/settings.rb +52 -0
  552. data/lib/datadog/tracing/contrib/presto/ext.rb +38 -0
  553. data/lib/datadog/tracing/contrib/presto/instrumentation.rb +138 -0
  554. data/lib/datadog/tracing/contrib/presto/integration.rb +43 -0
  555. data/lib/datadog/tracing/contrib/presto/patcher.rb +37 -0
  556. data/lib/datadog/tracing/contrib/propagation/sql_comment/comment.rb +41 -0
  557. data/lib/datadog/tracing/contrib/propagation/sql_comment/ext.rb +33 -0
  558. data/lib/datadog/tracing/contrib/propagation/sql_comment/mode.rb +28 -0
  559. data/lib/datadog/tracing/contrib/propagation/sql_comment.rb +55 -0
  560. data/lib/datadog/tracing/contrib/que/configuration/settings.rb +55 -0
  561. data/lib/datadog/tracing/contrib/que/ext.rb +33 -0
  562. data/lib/datadog/tracing/contrib/que/integration.rb +44 -0
  563. data/lib/datadog/tracing/contrib/que/patcher.rb +26 -0
  564. data/lib/datadog/tracing/contrib/que/tracer.rb +63 -0
  565. data/lib/datadog/tracing/contrib/racecar/configuration/settings.rb +47 -0
  566. data/lib/datadog/tracing/contrib/racecar/event.rb +81 -0
  567. data/lib/datadog/tracing/contrib/racecar/events/batch.rb +38 -0
  568. data/lib/datadog/tracing/contrib/racecar/events/consume.rb +35 -0
  569. data/lib/datadog/tracing/contrib/racecar/events/message.rb +38 -0
  570. data/lib/datadog/tracing/contrib/racecar/events.rb +36 -0
  571. data/lib/datadog/tracing/contrib/racecar/ext.rb +33 -0
  572. data/lib/datadog/tracing/contrib/racecar/integration.rb +44 -0
  573. data/lib/datadog/tracing/contrib/racecar/patcher.rb +29 -0
  574. data/lib/datadog/tracing/contrib/rack/configuration/settings.rb +59 -0
  575. data/lib/datadog/tracing/contrib/rack/ext.rb +30 -0
  576. data/lib/datadog/tracing/contrib/rack/header_collection.rb +40 -0
  577. data/lib/datadog/tracing/contrib/rack/header_tagging.rb +63 -0
  578. data/lib/datadog/tracing/contrib/rack/integration.rb +50 -0
  579. data/lib/datadog/tracing/contrib/rack/middlewares.rb +265 -0
  580. data/lib/datadog/tracing/contrib/rack/patcher.rb +119 -0
  581. data/lib/datadog/tracing/contrib/rack/request_queue.rb +48 -0
  582. data/lib/datadog/tracing/contrib/rack/trace_proxy_middleware.rb +52 -0
  583. data/lib/datadog/tracing/contrib/rails/auto_instrument_railtie.rb +10 -0
  584. data/lib/datadog/tracing/contrib/rails/configuration/settings.rb +76 -0
  585. data/lib/datadog/tracing/contrib/rails/ext.rb +23 -0
  586. data/lib/datadog/tracing/contrib/rails/framework.rb +148 -0
  587. data/lib/datadog/tracing/contrib/rails/integration.rb +52 -0
  588. data/lib/datadog/tracing/contrib/rails/log_injection.rb +29 -0
  589. data/lib/datadog/tracing/contrib/rails/middlewares.rb +46 -0
  590. data/lib/datadog/tracing/contrib/rails/patcher.rb +88 -0
  591. data/lib/datadog/tracing/contrib/rails/railtie.rb +19 -0
  592. data/lib/datadog/tracing/contrib/rails/utils.rb +26 -0
  593. data/lib/datadog/tracing/contrib/rake/configuration/settings.rb +55 -0
  594. data/lib/datadog/tracing/contrib/rake/ext.rb +27 -0
  595. data/lib/datadog/tracing/contrib/rake/instrumentation.rb +103 -0
  596. data/lib/datadog/tracing/contrib/rake/integration.rb +43 -0
  597. data/lib/datadog/tracing/contrib/rake/patcher.rb +33 -0
  598. data/lib/datadog/tracing/contrib/redis/configuration/resolver.rb +49 -0
  599. data/lib/datadog/tracing/contrib/redis/configuration/settings.rb +57 -0
  600. data/lib/datadog/tracing/contrib/redis/ext.rb +35 -0
  601. data/lib/datadog/tracing/contrib/redis/instrumentation.rb +53 -0
  602. data/lib/datadog/tracing/contrib/redis/integration.rb +80 -0
  603. data/lib/datadog/tracing/contrib/redis/patcher.rb +92 -0
  604. data/lib/datadog/tracing/contrib/redis/quantize.rb +80 -0
  605. data/lib/datadog/tracing/contrib/redis/tags.rb +68 -0
  606. data/lib/datadog/tracing/contrib/redis/trace_middleware.rb +85 -0
  607. data/lib/datadog/tracing/contrib/redis/vendor/LICENSE +20 -0
  608. data/lib/datadog/tracing/contrib/redis/vendor/resolver.rb +160 -0
  609. data/lib/datadog/tracing/contrib/registerable.rb +50 -0
  610. data/lib/datadog/tracing/contrib/registry.rb +52 -0
  611. data/lib/datadog/tracing/contrib/resque/configuration/settings.rb +42 -0
  612. data/lib/datadog/tracing/contrib/resque/ext.rb +22 -0
  613. data/lib/datadog/tracing/contrib/resque/integration.rb +48 -0
  614. data/lib/datadog/tracing/contrib/resque/patcher.rb +29 -0
  615. data/lib/datadog/tracing/contrib/resque/resque_job.rb +106 -0
  616. data/lib/datadog/tracing/contrib/rest_client/configuration/settings.rb +55 -0
  617. data/lib/datadog/tracing/contrib/rest_client/ext.rb +28 -0
  618. data/lib/datadog/tracing/contrib/rest_client/integration.rb +43 -0
  619. data/lib/datadog/tracing/contrib/rest_client/patcher.rb +28 -0
  620. data/lib/datadog/tracing/contrib/rest_client/request_patch.rb +129 -0
  621. data/lib/datadog/tracing/contrib/roda/configuration/settings.rb +38 -0
  622. data/lib/datadog/tracing/contrib/roda/ext.rb +19 -0
  623. data/lib/datadog/tracing/contrib/roda/instrumentation.rb +76 -0
  624. data/lib/datadog/tracing/contrib/roda/integration.rb +45 -0
  625. data/lib/datadog/tracing/contrib/roda/patcher.rb +30 -0
  626. data/lib/datadog/tracing/contrib/semantic_logger/configuration/settings.rb +24 -0
  627. data/lib/datadog/tracing/contrib/semantic_logger/ext.rb +15 -0
  628. data/lib/datadog/tracing/contrib/semantic_logger/instrumentation.rb +35 -0
  629. data/lib/datadog/tracing/contrib/semantic_logger/integration.rb +52 -0
  630. data/lib/datadog/tracing/contrib/semantic_logger/patcher.rb +29 -0
  631. data/lib/datadog/tracing/contrib/sequel/configuration/settings.rb +37 -0
  632. data/lib/datadog/tracing/contrib/sequel/database.rb +62 -0
  633. data/lib/datadog/tracing/contrib/sequel/dataset.rb +67 -0
  634. data/lib/datadog/tracing/contrib/sequel/ext.rb +23 -0
  635. data/lib/datadog/tracing/contrib/sequel/integration.rb +43 -0
  636. data/lib/datadog/tracing/contrib/sequel/patcher.rb +37 -0
  637. data/lib/datadog/tracing/contrib/sequel/utils.rb +90 -0
  638. data/lib/datadog/tracing/contrib/shoryuken/configuration/settings.rb +43 -0
  639. data/lib/datadog/tracing/contrib/shoryuken/ext.rb +27 -0
  640. data/lib/datadog/tracing/contrib/shoryuken/integration.rb +44 -0
  641. data/lib/datadog/tracing/contrib/shoryuken/patcher.rb +28 -0
  642. data/lib/datadog/tracing/contrib/shoryuken/tracer.rb +65 -0
  643. data/lib/datadog/tracing/contrib/sidekiq/client_tracer.rb +62 -0
  644. data/lib/datadog/tracing/contrib/sidekiq/configuration/settings.rb +47 -0
  645. data/lib/datadog/tracing/contrib/sidekiq/distributed/propagation.rb +46 -0
  646. data/lib/datadog/tracing/contrib/sidekiq/ext.rb +44 -0
  647. data/lib/datadog/tracing/contrib/sidekiq/integration.rb +61 -0
  648. data/lib/datadog/tracing/contrib/sidekiq/patcher.rb +90 -0
  649. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/heartbeat.rb +61 -0
  650. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/job_fetch.rb +36 -0
  651. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/redis_info.rb +34 -0
  652. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/scheduled_poller.rb +57 -0
  653. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/stop.rb +34 -0
  654. data/lib/datadog/tracing/contrib/sidekiq/server_tracer.rb +88 -0
  655. data/lib/datadog/tracing/contrib/sidekiq/utils.rb +44 -0
  656. data/lib/datadog/tracing/contrib/sidekiq.rb +37 -0
  657. data/lib/datadog/tracing/contrib/sinatra/configuration/settings.rb +46 -0
  658. data/lib/datadog/tracing/contrib/sinatra/env.rb +38 -0
  659. data/lib/datadog/tracing/contrib/sinatra/ext.rb +31 -0
  660. data/lib/datadog/tracing/contrib/sinatra/framework.rb +116 -0
  661. data/lib/datadog/tracing/contrib/sinatra/integration.rb +43 -0
  662. data/lib/datadog/tracing/contrib/sinatra/patcher.rb +75 -0
  663. data/lib/datadog/tracing/contrib/sinatra/tracer.rb +86 -0
  664. data/lib/datadog/tracing/contrib/sinatra/tracer_middleware.rb +109 -0
  665. data/lib/datadog/tracing/contrib/sneakers/configuration/settings.rb +43 -0
  666. data/lib/datadog/tracing/contrib/sneakers/ext.rb +27 -0
  667. data/lib/datadog/tracing/contrib/sneakers/integration.rb +44 -0
  668. data/lib/datadog/tracing/contrib/sneakers/patcher.rb +27 -0
  669. data/lib/datadog/tracing/contrib/sneakers/tracer.rb +60 -0
  670. data/lib/datadog/tracing/contrib/span_attribute_schema.rb +92 -0
  671. data/lib/datadog/tracing/contrib/status_range_env_parser.rb +33 -0
  672. data/lib/datadog/tracing/contrib/status_range_matcher.rb +25 -0
  673. data/lib/datadog/tracing/contrib/stripe/configuration/settings.rb +37 -0
  674. data/lib/datadog/tracing/contrib/stripe/ext.rb +27 -0
  675. data/lib/datadog/tracing/contrib/stripe/integration.rb +43 -0
  676. data/lib/datadog/tracing/contrib/stripe/patcher.rb +28 -0
  677. data/lib/datadog/tracing/contrib/stripe/request.rb +67 -0
  678. data/lib/datadog/tracing/contrib/sucker_punch/configuration/settings.rb +39 -0
  679. data/lib/datadog/tracing/contrib/sucker_punch/exception_handler.rb +28 -0
  680. data/lib/datadog/tracing/contrib/sucker_punch/ext.rb +28 -0
  681. data/lib/datadog/tracing/contrib/sucker_punch/instrumentation.rb +104 -0
  682. data/lib/datadog/tracing/contrib/sucker_punch/integration.rb +43 -0
  683. data/lib/datadog/tracing/contrib/sucker_punch/patcher.rb +35 -0
  684. data/lib/datadog/tracing/contrib/trilogy/configuration/settings.rb +58 -0
  685. data/lib/datadog/tracing/contrib/trilogy/ext.rb +27 -0
  686. data/lib/datadog/tracing/contrib/trilogy/instrumentation.rb +94 -0
  687. data/lib/datadog/tracing/contrib/trilogy/integration.rb +43 -0
  688. data/lib/datadog/tracing/contrib/trilogy/patcher.rb +31 -0
  689. data/lib/datadog/tracing/contrib/utils/database.rb +31 -0
  690. data/lib/datadog/tracing/contrib/utils/quantization/hash.rb +111 -0
  691. data/lib/datadog/tracing/contrib/utils/quantization/http.rb +179 -0
  692. data/lib/datadog/tracing/contrib.rb +81 -0
  693. data/lib/datadog/tracing/correlation.rb +103 -0
  694. data/lib/datadog/tracing/diagnostics/environment_logger.rb +159 -0
  695. data/lib/datadog/tracing/diagnostics/ext.rb +36 -0
  696. data/lib/datadog/tracing/diagnostics/health.rb +40 -0
  697. data/lib/datadog/tracing/distributed/b3_multi.rb +73 -0
  698. data/lib/datadog/tracing/distributed/b3_single.rb +69 -0
  699. data/lib/datadog/tracing/distributed/datadog.rb +200 -0
  700. data/lib/datadog/tracing/distributed/datadog_tags_codec.rb +84 -0
  701. data/lib/datadog/tracing/distributed/fetcher.rb +21 -0
  702. data/lib/datadog/tracing/distributed/helpers.rb +65 -0
  703. data/lib/datadog/tracing/distributed/none.rb +18 -0
  704. data/lib/datadog/tracing/distributed/propagation.rb +121 -0
  705. data/lib/datadog/tracing/distributed/trace_context.rb +436 -0
  706. data/lib/datadog/tracing/event.rb +76 -0
  707. data/lib/datadog/tracing/flush.rb +96 -0
  708. data/lib/datadog/tracing/metadata/analytics.rb +26 -0
  709. data/lib/datadog/tracing/metadata/errors.rb +24 -0
  710. data/lib/datadog/tracing/metadata/ext.rb +193 -0
  711. data/lib/datadog/tracing/metadata/tagging.rb +131 -0
  712. data/lib/datadog/tracing/metadata.rb +20 -0
  713. data/lib/datadog/tracing/pipeline/span_filter.rb +46 -0
  714. data/lib/datadog/tracing/pipeline/span_processor.rb +39 -0
  715. data/lib/datadog/tracing/pipeline.rb +63 -0
  716. data/lib/datadog/tracing/remote.rb +78 -0
  717. data/lib/datadog/tracing/runtime/metrics.rb +17 -0
  718. data/lib/datadog/tracing/sampling/all_sampler.rb +24 -0
  719. data/lib/datadog/tracing/sampling/ext.rb +56 -0
  720. data/lib/datadog/tracing/sampling/matcher.rb +65 -0
  721. data/lib/datadog/tracing/sampling/priority_sampler.rb +160 -0
  722. data/lib/datadog/tracing/sampling/rate_by_key_sampler.rb +87 -0
  723. data/lib/datadog/tracing/sampling/rate_by_service_sampler.rb +63 -0
  724. data/lib/datadog/tracing/sampling/rate_limiter.rb +185 -0
  725. data/lib/datadog/tracing/sampling/rate_sampler.rb +58 -0
  726. data/lib/datadog/tracing/sampling/rule.rb +61 -0
  727. data/lib/datadog/tracing/sampling/rule_sampler.rb +148 -0
  728. data/lib/datadog/tracing/sampling/sampler.rb +32 -0
  729. data/lib/datadog/tracing/sampling/span/ext.rb +25 -0
  730. data/lib/datadog/tracing/sampling/span/matcher.rb +89 -0
  731. data/lib/datadog/tracing/sampling/span/rule.rb +78 -0
  732. data/lib/datadog/tracing/sampling/span/rule_parser.rb +104 -0
  733. data/lib/datadog/tracing/sampling/span/sampler.rb +77 -0
  734. data/lib/datadog/tracing/span.rb +207 -0
  735. data/lib/datadog/tracing/span_operation.rb +498 -0
  736. data/lib/datadog/tracing/sync_writer.rb +67 -0
  737. data/lib/datadog/tracing/trace_digest.rb +185 -0
  738. data/lib/datadog/tracing/trace_operation.rb +492 -0
  739. data/lib/datadog/tracing/trace_segment.rb +222 -0
  740. data/lib/datadog/tracing/tracer.rb +531 -0
  741. data/lib/datadog/tracing/transport/http/api/instance.rb +37 -0
  742. data/lib/datadog/tracing/transport/http/api/spec.rb +19 -0
  743. data/lib/datadog/tracing/transport/http/api.rb +43 -0
  744. data/lib/datadog/tracing/transport/http/builder.rb +162 -0
  745. data/lib/datadog/tracing/transport/http/client.rb +57 -0
  746. data/lib/datadog/tracing/transport/http/statistics.rb +47 -0
  747. data/lib/datadog/tracing/transport/http/traces.rb +152 -0
  748. data/lib/datadog/tracing/transport/http.rb +97 -0
  749. data/lib/datadog/tracing/transport/io/client.rb +89 -0
  750. data/lib/datadog/tracing/transport/io/response.rb +27 -0
  751. data/lib/datadog/tracing/transport/io/traces.rb +101 -0
  752. data/lib/datadog/tracing/transport/io.rb +30 -0
  753. data/lib/datadog/tracing/transport/serializable_trace.rb +126 -0
  754. data/lib/datadog/tracing/transport/statistics.rb +77 -0
  755. data/lib/datadog/tracing/transport/trace_formatter.rb +240 -0
  756. data/lib/datadog/tracing/transport/traces.rb +224 -0
  757. data/lib/datadog/tracing/utils.rb +83 -0
  758. data/lib/datadog/tracing/workers/trace_writer.rb +196 -0
  759. data/lib/datadog/tracing/workers.rb +125 -0
  760. data/lib/datadog/tracing/writer.rb +188 -0
  761. data/lib/datadog/tracing.rb +169 -0
  762. data/lib/datadog/version.rb +26 -0
  763. data/lib/datadog.rb +10 -0
  764. metadata +886 -0
@@ -0,0 +1,1635 @@
1
+ {
2
+ "version": "2.2",
3
+ "metadata": {
4
+ "rules_version": "1.8.0"
5
+ },
6
+ "rules": [
7
+ {
8
+ "id": "crs-913-100",
9
+ "name": "Found User-Agent associated with security scanner",
10
+ "tags": {
11
+ "type": "security_scanner",
12
+ "crs_id": "913100",
13
+ "category": "attack_attempt"
14
+ },
15
+ "conditions": [
16
+ {
17
+ "parameters": {
18
+ "inputs": [
19
+ {
20
+ "address": "server.request.headers.no_cookies",
21
+ "key_path": [
22
+ "user-agent"
23
+ ]
24
+ }
25
+ ],
26
+ "list": [
27
+ "(hydra)",
28
+ "absinthe",
29
+ "autogetcontent",
30
+ "bilbo",
31
+ "bfac",
32
+ "cisco-torch",
33
+ "core-project/1.0",
34
+ "crimscanner/",
35
+ "datacha0s",
36
+ "domino hunter",
37
+ "dotdotpwn",
38
+ "email extractor",
39
+ "fhscan core 1.",
40
+ "floodgate",
41
+ "f-secure radar",
42
+ "get-minimal",
43
+ "gootkit auto-rooter scanner",
44
+ "grabber",
45
+ "grendel-scan",
46
+ "inspath",
47
+ "internet ninja",
48
+ "masscan",
49
+ "morfeus fucking scanner",
50
+ "mysqloit",
51
+ "prog.customcrawler",
52
+ "qqgamehall",
53
+ "s.t.a.l.k.e.r.",
54
+ "springenwerk",
55
+ "sql power injector",
56
+ "struts-pwn",
57
+ "sysscan",
58
+ "tbi-webscanner",
59
+ "teh forest lobster",
60
+ "toata dragostea",
61
+ "uil2pn",
62
+ "user-agent:",
63
+ "vega/",
64
+ "voideye",
65
+ "webbandit",
66
+ "webshag",
67
+ "webvulnscan",
68
+ "whatweb",
69
+ "whcc/",
70
+ "wordpress hash grabber",
71
+ "xmlrpc exploit"
72
+ ]
73
+ },
74
+ "operator": "phrase_match"
75
+ }
76
+ ],
77
+ "transformers": [
78
+ "lowercase"
79
+ ]
80
+ },
81
+ {
82
+ "id": "crs-921-120",
83
+ "name": "HTTP Response Splitting Attack",
84
+ "tags": {
85
+ "type": "http_protocol_violation",
86
+ "crs_id": "921120",
87
+ "category": "attack_attempt"
88
+ },
89
+ "conditions": [
90
+ {
91
+ "parameters": {
92
+ "inputs": [
93
+ {
94
+ "address": "server.request.query"
95
+ },
96
+ {
97
+ "address": "server.request.body"
98
+ },
99
+ {
100
+ "address": "server.request.path_params"
101
+ },
102
+ {
103
+ "address": "graphql.server.all_resolvers"
104
+ }
105
+ ],
106
+ "regex": "[\\r\\n]\\W*?(?:content-(?:type|length)|set-cookie|location):\\s*\\w",
107
+ "options": {
108
+ "case_sensitive": true,
109
+ "min_length": 11
110
+ }
111
+ },
112
+ "operator": "match_regex"
113
+ }
114
+ ],
115
+ "transformers": [
116
+ "lowercase"
117
+ ]
118
+ },
119
+ {
120
+ "id": "crs-921-140",
121
+ "name": "HTTP Header Injection Attack via headers",
122
+ "tags": {
123
+ "type": "http_protocol_violation",
124
+ "crs_id": "921140",
125
+ "category": "attack_attempt",
126
+ "capec": "1000/210/272/220/273",
127
+ "cwe": "113"
128
+ },
129
+ "conditions": [
130
+ {
131
+ "parameters": {
132
+ "inputs": [
133
+ {
134
+ "address": "server.request.headers.no_cookies"
135
+ }
136
+ ],
137
+ "regex": "[\\n\\r]",
138
+ "options": {
139
+ "case_sensitive": true,
140
+ "min_length": 1
141
+ }
142
+ },
143
+ "operator": "match_regex"
144
+ }
145
+ ],
146
+ "transformers": []
147
+ },
148
+ {
149
+ "id": "crs-932-100",
150
+ "name": "Remote Command Execution: Unix Command Injection",
151
+ "tags": {
152
+ "type": "command_injection",
153
+ "crs_id": "932100",
154
+ "category": "attack_attempt"
155
+ },
156
+ "conditions": [
157
+ {
158
+ "parameters": {
159
+ "inputs": [
160
+ {
161
+ "address": "server.request.query"
162
+ },
163
+ {
164
+ "address": "server.request.body"
165
+ },
166
+ {
167
+ "address": "server.request.path_params"
168
+ },
169
+ {
170
+ "address": "graphql.server.all_resolvers"
171
+ }
172
+ ],
173
+ "regex": "(?:[;\\n\\r`]|\\$(?:\\(?\\(|{)|(?:\\|)?\\||\\(\\s*\\)|[<>]\\(|&?&|\\{)\\s*(?:(?:\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|(?:\\s*\\(|!)\\s*|\\{|\\$))*\\s*(?:['\\\"])*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\x5c]+/)?[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*(?:w[\\x5c'\\\"]*p[\\x5c'\\\"]*-[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*(?:o[\\x5c'\\\"]*w[\\x5c'\\\"]*n[\\x5c'\\\"]*l[\\x5c'\\\"]*o[\\x5c'\\\"]*a[\\x5c'\\\"]*d|u[\\x5c'\\\"]*m[\\x5c'\\\"]*p)|r[\\x5c'\\\"]*e[\\x5c'\\\"]*q[\\x5c'\\\"]*u[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*t|m[\\x5c'\\\"]*i[\\x5c'\\\"]*r[\\x5c'\\\"]*r[\\x5c'\\\"]*o[\\x5c'\\\"]*r)|s(?:[\\x5c'\\\"]*(?:b[\\x5c'\\\"]*_[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*l[\\x5c'\\\"]*e[\\x5c'\\\"]*a[\\x5c'\\\"]*s[\\x5c'\\\"]*e|c[\\x5c'\\\"]*p[\\x5c'\\\"]*u|m[\\x5c'\\\"]*o[\\x5c'\\\"]*d|p[\\x5c'\\\"]*c[\\x5c'\\\"]*i|u[\\x5c'\\\"]*s[\\x5c'\\\"]*b|-[\\x5c'\\\"]*F|h[\\x5c'\\\"]*w|o[\\x5c'\\\"]*f))?|z[\\x5c'\\\"]*(?:(?:[ef][\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|c[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*t|m[\\x5c'\\\"]*p)|m[\\x5c'\\\"]*(?:o[\\x5c'\\\"]*r[\\x5c'\\\"]*e|a)|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s)|o[\\x5c'\\\"]*(?:g[\\x5c'\\\"]*(?:(?:n[\\x5c'\\\"]*a[\\x5c'\\\"]*m|s[\\x5c'\\\"]*a[\\x5c'\\\"]*v)[\\x5c'\\\"]*e|i[\\x5c'\\\"]*n[\\x5c'\\\"]*c[\\x5c'\\\"]*t[\\x5c'\\\"]*l)|c[\\x5c'\\\"]*a[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*e|l)[\\x5c'\\\"]*(?:\\s|<|>).*)|e[\\x5c'\\\"]*s[\\x5c'\\\"]*s[\\x5c'\\\"]*(?:(?:f[\\x5c'\\\"]*i[\\x5c'\\\"]*l|p[\\x5c'\\\"]*i[\\x5c'\\\"]*p)[\\x5c'\\\"]*e|e[\\x5c'\\\"]*c[\\x5c'\\\"]*h[\\x5c'\\\"]*o|(?:\\s|<|>).*)|a[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*o[\\x5c'\\\"]*g(?:[\\x5c'\\\"]*i[\\x5c'\\\"]*n)?|c[\\x5c'\\\"]*o[\\x5c'\\\"]*m[\\x5c'\\\"]*m|(?:\\s|<|>).*)|d[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*f[\\x5c'\\\"]*i[\\x5c'\\\"]*g|d[\\x5c'\\\"]*(?:\\s|<|>).*)|(?:[np]|i[\\x5c'\\\"]*n[\\x5c'\\\"]*k[\\x5c'\\\"]*s|y[\\x5c'\\\"]*n[\\x5c'\\\"]*x)[\\x5c'\\\"]*(?:\\s|<|>).*|u[\\x5c'\\\"]*a[\\x5c'\\\"]*(?:5[\\x5c'\\\"]*\\.[\\x5c'\\\"]*[1234]|(?:\\s|<|>).*)|f[\\x5c'\\\"]*t[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*g[\\x5c'\\\"]*e[\\x5c'\\\"]*t)?|t[\\x5c'\\\"]*r[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*e)|c[\\x5c'\\\"]*(?:o[\\x5c'\\\"]*(?:m[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*(?:r[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s[\\x5c'\\\"]*(?:\\s|<|>).*|o[\\x5c'\\\"]*s[\\x5c'\\\"]*e[\\x5c'\\\"]*r)|m[\\x5c'\\\"]*a[\\x5c'\\\"]*n[\\x5c'\\\"]*d[\\x5c'\\\"]*(?:\\s|<|>).*)|p[\\x5c'\\\"]*r[\\x5c'\\\"]*o[\\x5c'\\\"]*c)|h[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*i[\\x5c'\\\"]*r[\\x5c'\\\"]*(?:\\s|<|>).*|f[\\x5c'\\\"]*l[\\x5c'\\\"]*a[\\x5c'\\\"]*g[\\x5c'\\\"]*s|a[\\x5c'\\\"]*t[\\x5c'\\\"]*t[\\x5c'\\\"]*r|m[\\x5c'\\\"]*o[\\x5c'\\\"]*d)|p[\\x5c'\\\"]*(?:u[\\x5c'\\\"]*l[\\x5c'\\\"]*i[\\x5c'\\\"]*m[\\x5c'\\\"]*i[\\x5c'\\\"]*t|(?:\\s|<|>).*|a[\\x5c'\\\"]*n|i[\\x5c'\\\"]*o)|(?:a[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*s[\\x5c'\\\"]*h|t)|c)[\\x5c'\\\"]*(?:\\s|<|>).*|e[\\x5c'\\\"]*r[\\x5c'\\\"]*t[\\x5c'\\\"]*b[\\x5c'\\\"]*o[\\x5c'\\\"]*t|r[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*b|u[\\x5c'\\\"]*r[\\x5c'\\\"]*l|[89][\\x5c'\\\"]*9|s[\\x5c'\\\"]*h)|b[\\x5c'\\\"]*(?:z[\\x5c'\\\"]*(?:(?:[ef][\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|m[\\x5c'\\\"]*o[\\x5c'\\\"]*r[\\x5c'\\\"]*e|c[\\x5c'\\\"]*a[\\x5c'\\\"]*t|i[\\x5c'\\\"]*p[\\x5c'\\\"]*2)|u[\\x5c'\\\"]*(?:s[\\x5c'\\\"]*(?:y[\\x5c'\\\"]*b[\\x5c'\\\"]*o[\\x5c'\\\"]*x|c[\\x5c'\\\"]*t[\\x5c'\\\"]*l)|n[\\x5c'\\\"]*d[\\x5c'\\\"]*l[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*(?:\\s|<|>).*|i[\\x5c'\\\"]*l[\\x5c'\\\"]*t[\\x5c'\\\"]*i[\\x5c'\\\"]*n)|s[\\x5c'\\\"]*d[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*a[\\x5c'\\\"]*t|i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|t[\\x5c'\\\"]*a[\\x5c'\\\"]*r)|a[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*c[\\x5c'\\\"]*h[\\x5c'\\\"]*(?:\\s|<|>).*|s[\\x5c'\\\"]*h)|r[\\x5c'\\\"]*e[\\x5c'\\\"]*a[\\x5c'\\\"]*k[\\x5c'\\\"]*s[\\x5c'\\\"]*w)|e[\\x5c'\\\"]*(?:x[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*c[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:\\s|<|>).*|a[\\x5c'\\\"]*n[\\x5c'\\\"]*d|o[\\x5c'\\\"]*r[\\x5c'\\\"]*t|r)|(?:e[\\x5c'\\\"]*c[\\x5c'\\\"]*)?(?:\\s|<|>).*)|n[\\x5c'\\\"]*(?:v(?:[\\x5c'\\\"]*-[\\x5c'\\\"]*u[\\x5c'\\\"]*p[\\x5c'\\\"]*d[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*e)?|d[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*f|s[\\x5c'\\\"]*w))|(?:a[\\x5c'\\\"]*s[\\x5c'\\\"]*y[\\x5c'\\\"]*_[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*l|v[\\x5c'\\\"]*a)[\\x5c'\\\"]*l|(?:c[\\x5c'\\\"]*h[\\x5c'\\\"]*o|d)[\\x5c'\\\"]*(?:\\s|<|>).*|g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|m[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*s|s[\\x5c'\\\"]*a[\\x5c'\\\"]*c)|f[\\x5c'\\\"]*(?:i(?:[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*e[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*t|(?:\\s|<|>).*)|n[\\x5c'\\\"]*d[\\x5c'\\\"]*(?:\\s|<|>).*|s[\\x5c'\\\"]*h))?|t[\\x5c'\\\"]*p[\\x5c'\\\"]*(?:s[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*s|w[\\x5c'\\\"]*h[\\x5c'\\\"]*o|(?:\\s|<|>).*)|(?:e[\\x5c'\\\"]*t[\\x5c'\\\"]*c[\\x5c'\\\"]*h|l[\\x5c'\\\"]*o[\\x5c'\\\"]*c[\\x5c'\\\"]*k|c)[\\x5c'\\\"]*(?:\\s|<|>).*|u[\\x5c'\\\"]*n[\\x5c'\\\"]*c[\\x5c'\\\"]*t[\\x5c'\\\"]*i[\\x5c'\\\"]*o[\\x5c'\\\"]*n|o[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*h|g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p)|i[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*(?:(?:6[\\x5c'\\\"]*)?t[\\x5c'\\\"]*a[\\x5c'\\\"]*b[\\x5c'\\\"]*l[\\x5c'\\\"]*e[\\x5c'\\\"]*s|c[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*f[\\x5c'\\\"]*i[\\x5c'\\\"]*g)|r[\\x5c'\\\"]*b(?:[\\x5c'\\\"]*(?:2[\\x5c'\\\"]*[01234567]|1(?:[\\x5c'\\\"]*[89])?|3[\\x5c'\\\"]*0))?|f[\\x5c'\\\"]*c[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*f[\\x5c'\\\"]*i[\\x5c'\\\"]*g|o[\\x5c'\\\"]*n[\\x5c'\\\"]*i[\\x5c'\\\"]*c[\\x5c'\\\"]*e|d[\\x5c'\\\"]*(?:\\s|<|>).*)|h[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*i[\\x5c'\\\"]*g[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*t|p[\\x5c'\\\"]*a[\\x5c'\\\"]*s[\\x5c'\\\"]*s[\\x5c'\\\"]*w[\\x5c'\\\"]*d)|o[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:n[\\x5c'\\\"]*a[\\x5c'\\\"]*m[\\x5c'\\\"]*e|i[\\x5c'\\\"]*d)|(?:e[\\x5c'\\\"]*a[\\x5c'\\\"]*d|u[\\x5c'\\\"]*p)[\\x5c'\\\"]*(?:\\s|<|>).*|i[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*o[\\x5c'\\\"]*r[\\x5c'\\\"]*y)|a[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*a[\\x5c'\\\"]*s[\\x5c'\\\"]*(?:\\s|<|>).*|p[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*e)|p[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:-[\\x5c'\\\"]*g[\\x5c'\\\"]*e[\\x5c'\\\"]*t|(?:\\s|<|>).*)|d[\\x5c'\\\"]*d[\\x5c'\\\"]*u[\\x5c'\\\"]*s[\\x5c'\\\"]*e[\\x5c'\\\"]*r|r[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*h[\\x5c'\\\"]*(?:\\s|<|>).*|p)|(?:w[\\x5c'\\\"]*[ks]|t)[\\x5c'\\\"]*(?:\\s|<|>).*)|g[\\x5c'\\\"]*(?:(?:e[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*f[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*l|m)|r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|o)[\\x5c'\\\"]*(?:\\s|<|>).*|z[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*a[\\x5c'\\\"]*t|i[\\x5c'\\\"]*p)|u[\\x5c'\\\"]*n[\\x5c'\\\"]*z[\\x5c'\\\"]*i[\\x5c'\\\"]*p|c[\\x5c'\\\"]*c(?:[\\x5c'\\\"]*(?:\\s|<|>).*)?|i[\\x5c'\\\"]*t(?:[\\x5c'\\\"]*(?:\\s|<|>).*)?|d[\\x5c'\\\"]*b)|d[\\x5c'\\\"]*(?:h[\\x5c'\\\"]*c[\\x5c'\\\"]*l[\\x5c'\\\"]*i[\\x5c'\\\"]*e[\\x5c'\\\"]*n[\\x5c'\\\"]*t|(?:i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|u)[\\x5c'\\\"]*(?:\\s|<|>).*|(?:m[\\x5c'\\\"]*e[\\x5c'\\\"]*s|p[\\x5c'\\\"]*k)[\\x5c'\\\"]*g|o[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*s|n[\\x5c'\\\"]*e)|a[\\x5c'\\\"]*s[\\x5c'\\\"]*h)|j[\\x5c'\\\"]*(?:o[\\x5c'\\\"]*(?:u[\\x5c'\\\"]*r[\\x5c'\\\"]*n[\\x5c'\\\"]*a[\\x5c'\\\"]*l[\\x5c'\\\"]*c[\\x5c'\\\"]*t[\\x5c'\\\"]*l|b[\\x5c'\\\"]*s[\\x5c'\\\"]*(?:\\s|<|>).*)|a[\\x5c'\\\"]*v[\\x5c'\\\"]*a[\\x5c'\\\"]*(?:\\s|<|>).*|e[\\x5c'\\\"]*x[\\x5c'\\\"]*e[\\x5c'\\\"]*c)|k[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*l[\\x5c'\\\"]*l[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*l[\\x5c'\\\"]*l|(?:\\s|<|>).*)|s[\\x5c'\\\"]*h)|G[\\x5c'\\\"]*E[\\x5c'\\\"]*T[\\x5c'\\\"]*(?:\\s|<|>).*|7[\\x5c'\\\"]*z(?:[\\x5c'\\\"]*[ar])?)\\b",
174
+ "options": {
175
+ "case_sensitive": true,
176
+ "min_length": 3
177
+ }
178
+ },
179
+ "operator": "match_regex"
180
+ }
181
+ ],
182
+ "transformers": []
183
+ },
184
+ {
185
+ "id": "crs-932-115",
186
+ "name": "Remote Command Execution: Windows Command Injection",
187
+ "tags": {
188
+ "type": "command_injection",
189
+ "crs_id": "932115",
190
+ "category": "attack_attempt"
191
+ },
192
+ "conditions": [
193
+ {
194
+ "parameters": {
195
+ "inputs": [
196
+ {
197
+ "address": "server.request.query"
198
+ },
199
+ {
200
+ "address": "server.request.body"
201
+ },
202
+ {
203
+ "address": "server.request.path_params"
204
+ },
205
+ {
206
+ "address": "graphql.server.all_resolvers"
207
+ }
208
+ ],
209
+ "regex": "(?:[;\\n\\r`]|(?:$\\(|<)\\(|(?:\\|)?\\||\\(\\s*\\)|\\$[(?:{]|&?&|>\\|\\{)\\s*(?:(?:\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|(?:\\s*\\(|!)\\s*|\\{|\\$))*\\s*(?:['\\\"])*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\x5c]+/)?[\\x5c'\\\"]*(?:s[\\\"\\^]*(?:y[\\\"\\^]*s[\\\"\\^]*(?:t[\\\"\\^]*e[\\\"\\^]*m[\\\"\\^]*(?:p[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*(?:d[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*p[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*o[\\\"\\^]*n|(?:p[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*f[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*m[\\\"\\^]*a[\\\"\\^]*n[\\\"\\^]*c|h[\\\"\\^]*a[\\\"\\^]*r[\\\"\\^]*d[\\\"\\^]*w[\\\"\\^]*a[\\\"\\^]*r)[\\\"\\^]*e|a[\\\"\\^]*d[\\\"\\^]*v[\\\"\\^]*a[\\\"\\^]*n[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*d)|i[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*o)|k[\\\"\\^]*e[\\\"\\^]*y|d[\\\"\\^]*m)|h[\\\"\\^]*(?:o[\\\"\\^]*(?:w[\\\"\\^]*(?:g[\\\"\\^]*r[\\\"\\^]*p|m[\\\"\\^]*b[\\\"\\^]*r)[\\\"\\^]*s|r[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*u[\\\"\\^]*t)|e[\\\"\\^]*l[\\\"\\^]*l[\\\"\\^]*r[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*a[\\\"\\^]*s|u[\\\"\\^]*t[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*n|r[\\\"\\^]*p[\\\"\\^]*u[\\\"\\^]*b[\\\"\\^]*w|a[\\\"\\^]*r[\\\"\\^]*e|i[\\\"\\^]*f[\\\"\\^]*t)|e[\\\"\\^]*(?:t[\\\"\\^]*(?:(?:x[\\\"\\^]*)?(?:[\\s,;]|\\.|/|<|>).*|l[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*a[\\\"\\^]*l)|c[\\\"\\^]*p[\\\"\\^]*o[\\\"\\^]*l|l[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*t)|c[\\\"\\^]*(?:h[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*k[\\\"\\^]*s|l[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*t)|u[\\\"\\^]*b[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*l|s[\\\"\\^]*t)|(?:t[\\\"\\^]*a|o)[\\\"\\^]*r[\\\"\\^]*t[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|i[\\\"\\^]*g[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*f|l[\\\"\\^]*(?:e[\\\"\\^]*e[\\\"\\^]*p|m[\\\"\\^]*g[\\\"\\^]*r)|f[\\\"\\^]*c|v[\\\"\\^]*n)|p[\\\"\\^]*(?:s[\\\"\\^]*(?:s[\\\"\\^]*(?:h[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*n|e[\\\"\\^]*r[\\\"\\^]*v[\\\"\\^]*i[\\\"\\^]*c[\\\"\\^]*e|u[\\\"\\^]*s[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*d)|l[\\\"\\^]*(?:o[\\\"\\^]*g[\\\"\\^]*(?:g[\\\"\\^]*e[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*n|l[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*t)|i[\\\"\\^]*s[\\\"\\^]*t)|p[\\\"\\^]*(?:a[\\\"\\^]*s[\\\"\\^]*s[\\\"\\^]*w[\\\"\\^]*d|i[\\\"\\^]*n[\\\"\\^]*g)|g[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*s[\\\"\\^]*i[\\\"\\^]*d|e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*c|f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e|i[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*o|k[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*l)|o[\\\"\\^]*(?:w[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*(?:s[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*l[\\\"\\^]*l(?:[\\\"\\^]*_[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*e)?|c[\\\"\\^]*f[\\\"\\^]*g)|r[\\\"\\^]*t[\\\"\\^]*q[\\\"\\^]*r[\\\"\\^]*y|p[\\\"\\^]*d)|r[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*(?:(?:[\\s,;]|\\.|/|<|>).*|b[\\\"\\^]*r[\\\"\\^]*m)|n[\\\"\\^]*(?:c[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*g|m[\\\"\\^]*n[\\\"\\^]*g[\\\"\\^]*r)|o[\\\"\\^]*m[\\\"\\^]*p[\\\"\\^]*t)|a[\\\"\\^]*t[\\\"\\^]*h[\\\"\\^]*(?:p[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*g|(?:[\\s,;]|\\.|/|<|>).*)|e[\\\"\\^]*r[\\\"\\^]*(?:l(?:[\\\"\\^]*(?:s[\\\"\\^]*h|5))?|f[\\\"\\^]*m[\\\"\\^]*o[\\\"\\^]*n)|y[\\\"\\^]*t[\\\"\\^]*h[\\\"\\^]*o[\\\"\\^]*n(?:[\\\"\\^]*(?:3(?:[\\\"\\^]*m)?|2))?|k[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*g[\\\"\\^]*r|h[\\\"\\^]*p(?:[\\\"\\^]*[57])?|u[\\\"\\^]*s[\\\"\\^]*h[\\\"\\^]*d|i[\\\"\\^]*n[\\\"\\^]*g)|r[\\\"\\^]*(?:e[\\\"\\^]*(?:(?:p[\\\"\\^]*l[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*e|n(?:[\\\"\\^]*a[\\\"\\^]*m[\\\"\\^]*e)?|s[\\\"\\^]*e[\\\"\\^]*t)[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|g[\\\"\\^]*(?:s[\\\"\\^]*v[\\\"\\^]*r[\\\"\\^]*3[\\\"\\^]*2|e[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*t|(?:[\\s,;]|\\.|/|<|>).*|i[\\\"\\^]*n[\\\"\\^]*i)|c[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*c|o[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r)|k[\\\"\\^]*e[\\\"\\^]*y[\\\"\\^]*w[\\\"\\^]*i[\\\"\\^]*z)|u[\\\"\\^]*(?:n[\\\"\\^]*(?:d[\\\"\\^]*l[\\\"\\^]*l[\\\"\\^]*3[\\\"\\^]*2|a[\\\"\\^]*s)|b[\\\"\\^]*y[\\\"\\^]*(?:1(?:[\\\"\\^]*[89])?|2[\\\"\\^]*[012]))|a[\\\"\\^]*(?:s[\\\"\\^]*(?:p[\\\"\\^]*h[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*e|d[\\\"\\^]*i[\\\"\\^]*a[\\\"\\^]*l)|r[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)|m[\\\"\\^]*(?:(?:d[\\\"\\^]*i[\\\"\\^]*r[\\\"\\^]*)?(?:[\\s,;]|\\.|/|<|>).*|t[\\\"\\^]*s[\\\"\\^]*h[\\\"\\^]*a[\\\"\\^]*r[\\\"\\^]*e)|o[\\\"\\^]*(?:u[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|b[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*p[\\\"\\^]*y)|s[\\\"\\^]*(?:t[\\\"\\^]*r[\\\"\\^]*u[\\\"\\^]*i|y[\\\"\\^]*n[\\\"\\^]*c)|d[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)|t[\\\"\\^]*(?:a[\\\"\\^]*(?:s[\\\"\\^]*k[\\\"\\^]*(?:k[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*l|l[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*t|s[\\\"\\^]*c[\\\"\\^]*h[\\\"\\^]*d|m[\\\"\\^]*g[\\\"\\^]*r)|k[\\\"\\^]*e[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*n)|(?:i[\\\"\\^]*m[\\\"\\^]*e[\\\"\\^]*o[\\\"\\^]*u|p[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*i|e[\\\"\\^]*l[\\\"\\^]*n[\\\"\\^]*e|l[\\\"\\^]*i[\\\"\\^]*s)[\\\"\\^]*t|s[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*c[\\\"\\^]*o|s[\\\"\\^]*h[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*d)[\\\"\\^]*n|y[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*(?:p[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*f|(?:[\\s,;]|\\.|/|<|>).*)|r[\\\"\\^]*(?:a[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*t|e[\\\"\\^]*e))|w[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*f[\\\"\\^]*f|m[\\\"\\^]*s[\\\"\\^]*d[\\\"\\^]*p|v[\\\"\\^]*a[\\\"\\^]*r|r[\\\"\\^]*[ms])|u[\\\"\\^]*(?:a[\\\"\\^]*(?:u[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*t|p[\\\"\\^]*p)|s[\\\"\\^]*a)|s[\\\"\\^]*c[\\\"\\^]*(?:r[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*t|u[\\\"\\^]*i)|e[\\\"\\^]*v[\\\"\\^]*t[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l|m[\\\"\\^]*i[\\\"\\^]*(?:m[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*t|c)|a[\\\"\\^]*i[\\\"\\^]*t[\\\"\\^]*f[\\\"\\^]*o[\\\"\\^]*r|h[\\\"\\^]*o[\\\"\\^]*a[\\\"\\^]*m[\\\"\\^]*i|g[\\\"\\^]*e[\\\"\\^]*t)|u[\\\"\\^]*(?:s[\\\"\\^]*(?:e[\\\"\\^]*r[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*l[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*g[\\\"\\^]*s|r[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*t)|n[\\\"\\^]*(?:r[\\\"\\^]*a[\\\"\\^]*r|z[\\\"\\^]*i[\\\"\\^]*p))|q[\\\"\\^]*(?:u[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*y[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|p[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*s|w[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a|g[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*p)|o[\\\"\\^]*(?:d[\\\"\\^]*b[\\\"\\^]*c[\\\"\\^]*(?:a[\\\"\\^]*d[\\\"\\^]*3[\\\"\\^]*2|c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*f)|p[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e[\\\"\\^]*s)|v[\\\"\\^]*(?:o[\\\"\\^]*l[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|e[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*f[\\\"\\^]*y)|x[\\\"\\^]*c[\\\"\\^]*(?:a[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*s|o[\\\"\\^]*p[\\\"\\^]*y)|z[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)",
210
+ "options": {
211
+ "min_length": 4
212
+ }
213
+ },
214
+ "operator": "match_regex"
215
+ }
216
+ ],
217
+ "transformers": []
218
+ },
219
+ {
220
+ "id": "crs-932-120",
221
+ "name": "Remote Command Execution: Windows PowerShell Command Found",
222
+ "tags": {
223
+ "type": "command_injection",
224
+ "crs_id": "932120",
225
+ "category": "attack_attempt"
226
+ },
227
+ "conditions": [
228
+ {
229
+ "parameters": {
230
+ "inputs": [
231
+ {
232
+ "address": "server.request.query"
233
+ },
234
+ {
235
+ "address": "server.request.body"
236
+ },
237
+ {
238
+ "address": "server.request.path_params"
239
+ },
240
+ {
241
+ "address": "graphql.server.all_resolvers"
242
+ }
243
+ ],
244
+ "list": [
245
+ "powershell",
246
+ "add-computer",
247
+ "add-content",
248
+ "add-history",
249
+ "add-jobtrigger",
250
+ "add-localgroupmember",
251
+ "add-member",
252
+ "add-pssnapin",
253
+ "add-type",
254
+ "checkpoint-computer",
255
+ "clear-content",
256
+ "clear-eventlog",
257
+ "clear-history",
258
+ "clear-host",
259
+ "clear-item",
260
+ "clear-itemproperty",
261
+ "clear-recyclebin",
262
+ "clear-variable",
263
+ "compare-object",
264
+ "complete-transaction",
265
+ "compress-archive",
266
+ "connect-pssession",
267
+ "connect-wsman",
268
+ "convert-path",
269
+ "convert-string",
270
+ "convertfrom-csv",
271
+ "convertfrom-json",
272
+ "convertfrom-markdown",
273
+ "convertfrom-sddlstring",
274
+ "convertfrom-securestring",
275
+ "convertfrom-string",
276
+ "convertfrom-stringdata",
277
+ "convertto-csv",
278
+ "convertto-html",
279
+ "convertto-json",
280
+ "convertto-securestring",
281
+ "convertto-xml",
282
+ "copy-item",
283
+ "copy-itemproperty",
284
+ "debug-job",
285
+ "debug-process",
286
+ "debug-runspace",
287
+ "disable-computerrestore",
288
+ "disable-experimentalfeature",
289
+ "disable-jobtrigger",
290
+ "disable-localuser",
291
+ "disable-psbreakpoint",
292
+ "disable-psremoting",
293
+ "disable-pssessionconfiguration",
294
+ "disable-pstrace",
295
+ "disable-pswsmancombinedtrace",
296
+ "disable-runspacedebug",
297
+ "disable-scheduledjob",
298
+ "disable-wsmancredssp",
299
+ "disable-wsmantrace",
300
+ "disconnect-pssession",
301
+ "disconnect-wsman",
302
+ "enable-computerrestore",
303
+ "enable-experimentalfeature",
304
+ "enable-jobtrigger",
305
+ "enable-localuser",
306
+ "enable-psbreakpoint",
307
+ "enable-psremoting",
308
+ "enable-pssessionconfiguration",
309
+ "enable-pstrace",
310
+ "enable-pswsmancombinedtrace",
311
+ "enable-runspacedebug",
312
+ "enable-scheduledjob",
313
+ "enable-wsmancredssp",
314
+ "enable-wsmantrace",
315
+ "enter-pshostprocess",
316
+ "enter-pssession",
317
+ "exit-pshostprocess",
318
+ "exit-pssession",
319
+ "expand-archive",
320
+ "export-alias",
321
+ "export-binarymilog",
322
+ "export-clixml",
323
+ "export-console",
324
+ "export-counter",
325
+ "export-csv",
326
+ "export-formatdata",
327
+ "export-modulemember",
328
+ "export-odataendpointproxy",
329
+ "export-pssession",
330
+ "find-command",
331
+ "find-dscresource",
332
+ "find-module",
333
+ "find-package",
334
+ "find-packageprovider",
335
+ "find-rolecapability",
336
+ "find-script",
337
+ "foreach-object",
338
+ "format-custom",
339
+ "format-hex",
340
+ "format-list",
341
+ "format-table",
342
+ "format-wide",
343
+ "get-acl",
344
+ "get-alias",
345
+ "get-authenticodesignature",
346
+ "get-childitem",
347
+ "get-cimassociatedinstance",
348
+ "get-cimclass",
349
+ "get-ciminstance",
350
+ "get-cimsession",
351
+ "get-clipboard",
352
+ "get-cmsmessage",
353
+ "get-command",
354
+ "get-computerinfo",
355
+ "get-computerrestorepoint",
356
+ "get-content",
357
+ "get-controlpanelitem",
358
+ "get-counter",
359
+ "get-credential",
360
+ "get-date",
361
+ "get-error",
362
+ "get-event",
363
+ "get-eventlog",
364
+ "get-eventsubscriber",
365
+ "get-executionpolicy",
366
+ "get-experimentalfeature",
367
+ "get-filehash",
368
+ "get-formatdata",
369
+ "get-help",
370
+ "get-history",
371
+ "get-host",
372
+ "get-hotfix",
373
+ "get-installedmodule",
374
+ "get-installedscript",
375
+ "get-isesnippet",
376
+ "get-item",
377
+ "get-itemproperty",
378
+ "get-itempropertyvalue",
379
+ "get-job",
380
+ "get-jobtrigger",
381
+ "get-localgroup",
382
+ "get-localgroupmember",
383
+ "get-localuser",
384
+ "get-location",
385
+ "get-logproperties",
386
+ "get-markdownoption",
387
+ "get-module",
388
+ "get-operationvalidation",
389
+ "get-psbreakpoint",
390
+ "get-pscallstack",
391
+ "get-psdrive",
392
+ "get-pshostprocessinfo",
393
+ "get-psprovider",
394
+ "get-psreadlinekeyhandler",
395
+ "get-psreadlineoption",
396
+ "get-psrepository",
397
+ "get-pssession",
398
+ "get-pssessioncapability",
399
+ "get-pssessionconfiguration",
400
+ "get-pssnapin",
401
+ "get-pssubsystem",
402
+ "get-package",
403
+ "get-packageprovider",
404
+ "get-packagesource",
405
+ "get-pfxcertificate",
406
+ "get-process",
407
+ "get-random",
408
+ "get-runspace",
409
+ "get-runspacedebug",
410
+ "get-scheduledjob",
411
+ "get-scheduledjoboption",
412
+ "get-service",
413
+ "get-timezone",
414
+ "get-tracesource",
415
+ "get-transaction",
416
+ "get-typedata",
417
+ "get-uiculture",
418
+ "get-unique",
419
+ "get-uptime",
420
+ "get-variable",
421
+ "get-verb",
422
+ "get-wsmancredssp",
423
+ "get-wsmaninstance",
424
+ "get-winevent",
425
+ "get-wmiobject",
426
+ "group-object",
427
+ "import-alias",
428
+ "import-binarymilog",
429
+ "import-clixml",
430
+ "import-counter",
431
+ "import-csv",
432
+ "import-isesnippet",
433
+ "import-localizeddata",
434
+ "import-module",
435
+ "import-pssession",
436
+ "import-packageprovider",
437
+ "import-powershelldatafile",
438
+ "install-module",
439
+ "install-package",
440
+ "install-packageprovider",
441
+ "install-script",
442
+ "invoke-asworkflow",
443
+ "invoke-cimmethod",
444
+ "invoke-command",
445
+ "invoke-expression",
446
+ "invoke-history",
447
+ "invoke-item",
448
+ "invoke-operationvalidation",
449
+ "invoke-restmethod",
450
+ "invoke-wsmanaction",
451
+ "invoke-webrequest",
452
+ "invoke-wmimethod",
453
+ "join-path",
454
+ "join-string",
455
+ "limit-eventlog",
456
+ "measure-command",
457
+ "measure-object",
458
+ "move-item",
459
+ "move-itemproperty",
460
+ "new-alias",
461
+ "new-ciminstance",
462
+ "new-cimsession",
463
+ "new-cimsessionoption",
464
+ "new-event",
465
+ "new-eventlog",
466
+ "new-filecatalog",
467
+ "new-guid",
468
+ "new-isesnippet",
469
+ "new-item",
470
+ "new-itemproperty",
471
+ "new-jobtrigger",
472
+ "new-localgroup",
473
+ "new-localuser",
474
+ "new-module",
475
+ "new-modulemanifest",
476
+ "new-object",
477
+ "new-psdrive",
478
+ "new-psrolecapabilityfile",
479
+ "new-pssession",
480
+ "new-pssessionconfigurationfile",
481
+ "new-pssessionoption",
482
+ "new-pstransportoption",
483
+ "new-psworkflowexecutionoption",
484
+ "new-psworkflowsession",
485
+ "new-scheduledjoboption",
486
+ "new-scriptfileinfo",
487
+ "new-service",
488
+ "new-temporaryfile",
489
+ "new-timespan",
490
+ "new-variable",
491
+ "new-wsmaninstance",
492
+ "new-wsmansessionoption",
493
+ "new-webserviceproxy",
494
+ "new-winevent",
495
+ "out-default",
496
+ "out-file",
497
+ "out-gridview",
498
+ "out-host",
499
+ "out-null",
500
+ "out-printer",
501
+ "out-string",
502
+ "pop-location",
503
+ "protect-cmsmessage",
504
+ "publish-module",
505
+ "publish-script",
506
+ "push-location",
507
+ "read-host",
508
+ "receive-job",
509
+ "receive-pssession",
510
+ "register-argumentcompleter",
511
+ "register-cimindicationevent",
512
+ "register-engineevent",
513
+ "register-objectevent",
514
+ "register-psrepository",
515
+ "register-pssessionconfiguration",
516
+ "register-packagesource",
517
+ "register-scheduledjob",
518
+ "register-wmievent",
519
+ "remove-alias",
520
+ "remove-ciminstance",
521
+ "remove-cimsession",
522
+ "remove-computer",
523
+ "remove-event",
524
+ "remove-eventlog",
525
+ "remove-item",
526
+ "remove-itemproperty",
527
+ "remove-job",
528
+ "remove-jobtrigger",
529
+ "remove-localgroup",
530
+ "remove-localgroupmember",
531
+ "remove-localuser",
532
+ "remove-module",
533
+ "remove-psbreakpoint",
534
+ "remove-psdrive",
535
+ "remove-psreadlinekeyhandler",
536
+ "remove-pssession",
537
+ "remove-pssnapin",
538
+ "remove-service",
539
+ "remove-typedata",
540
+ "remove-variable",
541
+ "remove-wsmaninstance",
542
+ "remove-wmiobject",
543
+ "rename-computer",
544
+ "rename-item",
545
+ "rename-itemproperty",
546
+ "rename-localgroup",
547
+ "rename-localuser",
548
+ "reset-computermachinepassword",
549
+ "resolve-path",
550
+ "restart-computer",
551
+ "restart-service",
552
+ "restore-computer",
553
+ "resume-job",
554
+ "resume-service",
555
+ "save-help",
556
+ "save-module",
557
+ "save-package",
558
+ "save-script",
559
+ "select-object",
560
+ "select-string",
561
+ "select-xml",
562
+ "send-mailmessage",
563
+ "set-acl",
564
+ "set-alias",
565
+ "set-authenticodesignature",
566
+ "set-ciminstance",
567
+ "set-clipboard",
568
+ "set-content",
569
+ "set-date",
570
+ "set-executionpolicy",
571
+ "set-item",
572
+ "set-itemproperty",
573
+ "set-jobtrigger",
574
+ "set-localgroup",
575
+ "set-localuser",
576
+ "set-location",
577
+ "set-logproperties",
578
+ "set-markdownoption",
579
+ "set-psbreakpoint",
580
+ "set-psdebug",
581
+ "set-psreadlinekeyhandler",
582
+ "set-psreadlineoption",
583
+ "set-psrepository",
584
+ "set-pssessionconfiguration",
585
+ "set-packagesource",
586
+ "set-scheduledjob",
587
+ "set-scheduledjoboption",
588
+ "set-service",
589
+ "set-strictmode",
590
+ "set-timezone",
591
+ "set-tracesource",
592
+ "set-variable",
593
+ "set-wsmaninstance",
594
+ "set-wsmanquickconfig",
595
+ "set-wmiinstance",
596
+ "show-command",
597
+ "show-controlpanelitem",
598
+ "show-eventlog",
599
+ "show-markdown",
600
+ "sort-object",
601
+ "split-path",
602
+ "start-job",
603
+ "start-process",
604
+ "start-service",
605
+ "start-sleep",
606
+ "start-threadjob",
607
+ "start-trace",
608
+ "start-transaction",
609
+ "stop-computer",
610
+ "stop-job",
611
+ "stop-process",
612
+ "stop-service",
613
+ "stop-trace",
614
+ "stop-transcript",
615
+ "suspend-job",
616
+ "suspend-service",
617
+ "switch-process",
618
+ "tee-object",
619
+ "test-computersecurechannel",
620
+ "test-connection",
621
+ "test-filecatalog",
622
+ "test-json",
623
+ "test-modulemanifest",
624
+ "test-pssessionconfigurationfile",
625
+ "test-path",
626
+ "test-scriptfileinfo",
627
+ "test-wsman",
628
+ "trace-command",
629
+ "unblock-file",
630
+ "undo-transaction",
631
+ "uninstall-module",
632
+ "uninstall-package",
633
+ "uninstall-script",
634
+ "unprotect-cmsmessage",
635
+ "unregister-event",
636
+ "unregister-psrepository",
637
+ "unregister-pssessionconfiguration",
638
+ "unregister-packagesource",
639
+ "unregister-scheduledjob",
640
+ "update-formatdata",
641
+ "update-help",
642
+ "update-list",
643
+ "update-module",
644
+ "update-modulemanifest",
645
+ "update-script",
646
+ "update-scriptfileinfo",
647
+ "update-typedata",
648
+ "use-transaction",
649
+ "wait-debugger",
650
+ "wait-event",
651
+ "wait-job",
652
+ "wait-process",
653
+ "where-object",
654
+ "write-debug",
655
+ "write-error",
656
+ "write-eventlog",
657
+ "write-host",
658
+ "write-information",
659
+ "write-output",
660
+ "write-progress",
661
+ "write-verbose",
662
+ "write-warning"
663
+ ]
664
+ },
665
+ "operator": "phrase_match"
666
+ }
667
+ ],
668
+ "transformers": [
669
+ "lowercase"
670
+ ]
671
+ },
672
+ {
673
+ "id": "crs-932-130",
674
+ "name": "Remote Command Execution: Unix Shell Expression Found",
675
+ "tags": {
676
+ "type": "command_injection",
677
+ "crs_id": "932130",
678
+ "category": "attack_attempt"
679
+ },
680
+ "conditions": [
681
+ {
682
+ "parameters": {
683
+ "inputs": [
684
+ {
685
+ "address": "server.request.query"
686
+ },
687
+ {
688
+ "address": "server.request.body"
689
+ },
690
+ {
691
+ "address": "server.request.path_params"
692
+ },
693
+ {
694
+ "address": "graphql.server.all_resolvers"
695
+ }
696
+ ],
697
+ "regex": "(?:\\$(?:\\((?:\\(.*\\)|.*)\\)|\\{.*})|\\/\\w*\\[!?.+\\]|[<>]\\(.*\\))",
698
+ "options": {
699
+ "case_sensitive": true,
700
+ "min_length": 3
701
+ }
702
+ },
703
+ "operator": "match_regex"
704
+ }
705
+ ],
706
+ "transformers": []
707
+ },
708
+ {
709
+ "id": "crs-932-150",
710
+ "name": "Remote Command Execution: Direct Unix Command Execution",
711
+ "tags": {
712
+ "type": "command_injection",
713
+ "crs_id": "932150",
714
+ "category": "attack_attempt"
715
+ },
716
+ "conditions": [
717
+ {
718
+ "parameters": {
719
+ "inputs": [
720
+ {
721
+ "address": "server.request.query"
722
+ },
723
+ {
724
+ "address": "server.request.body"
725
+ },
726
+ {
727
+ "address": "server.request.path_params"
728
+ },
729
+ {
730
+ "address": "graphql.server.all_resolvers"
731
+ }
732
+ ],
733
+ "regex": "(?:(?:^|=)\\s*(?:(?:\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|(?:\\s*\\(|!)\\s*|\\{|\\$))*\\s*(?:[\\\"'])*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\x5c]+/)?[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*(?:z(?:[\\x5c'\\\"]*(?:m[\\x5c'\\\"]*(?:a(?:[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*n[\\x5c'\\\"]*f[\\x5c'\\\"]*o|d[\\x5c'\\\"]*e[\\x5c'\\\"]*c))?|o[\\x5c'\\\"]*r[\\x5c'\\\"]*e)|(?:[ef][\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|4(?:[\\x5c'\\\"]*c(?:[\\x5c'\\\"]*a[\\x5c'\\\"]*t)?)?|c[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*t|m[\\x5c'\\\"]*p)|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s))?|s(?:[\\x5c'\\\"]*(?:b[\\x5c'\\\"]*_[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*l[\\x5c'\\\"]*e[\\x5c'\\\"]*a[\\x5c'\\\"]*s[\\x5c'\\\"]*e|c[\\x5c'\\\"]*p[\\x5c'\\\"]*u|m[\\x5c'\\\"]*o[\\x5c'\\\"]*d|p[\\x5c'\\\"]*c[\\x5c'\\\"]*i|u[\\x5c'\\\"]*s[\\x5c'\\\"]*b|-[\\x5c'\\\"]*F|o[\\x5c'\\\"]*f))?|e[\\x5c'\\\"]*s[\\x5c'\\\"]*s[\\x5c'\\\"]*(?:(?:f[\\x5c'\\\"]*i[\\x5c'\\\"]*l|p[\\x5c'\\\"]*i[\\x5c'\\\"]*p)[\\x5c'\\\"]*e|e[\\x5c'\\\"]*c[\\x5c'\\\"]*h[\\x5c'\\\"]*o)|a[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*o[\\x5c'\\\"]*g(?:[\\x5c'\\\"]*i[\\x5c'\\\"]*n)?|c[\\x5c'\\\"]*o[\\x5c'\\\"]*m[\\x5c'\\\"]*m)|w[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*-[\\x5c'\\\"]*d[\\x5c'\\\"]*o[\\x5c'\\\"]*w[\\x5c'\\\"]*n[\\x5c'\\\"]*l[\\x5c'\\\"]*o[\\x5c'\\\"]*a[\\x5c'\\\"]*d)?|f[\\x5c'\\\"]*t[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*g[\\x5c'\\\"]*e[\\x5c'\\\"]*t)?|y[\\x5c'\\\"]*n[\\x5c'\\\"]*x)|z[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*(?:(?:m[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*g|n[\\x5c'\\\"]*o[\\x5c'\\\"]*t)[\\x5c'\\\"]*e|d[\\x5c'\\\"]*e[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*i[\\x5c'\\\"]*l[\\x5c'\\\"]*s|c[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*o[\\x5c'\\\"]*a[\\x5c'\\\"]*k|m[\\x5c'\\\"]*p)|s[\\x5c'\\\"]*p[\\x5c'\\\"]*l[\\x5c'\\\"]*i[\\x5c'\\\"]*t|g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|i[\\x5c'\\\"]*n[\\x5c'\\\"]*f[\\x5c'\\\"]*o|t[\\x5c'\\\"]*o[\\x5c'\\\"]*o[\\x5c'\\\"]*l))?|s[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*d(?:[\\x5c'\\\"]*(?:g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|(?:c[\\x5c'\\\"]*a|m)[\\x5c'\\\"]*t))?|h)|(?:[ef][\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|c[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*t|m[\\x5c'\\\"]*p)|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|m[\\x5c'\\\"]*o[\\x5c'\\\"]*r[\\x5c'\\\"]*e|r[\\x5c'\\\"]*u[\\x5c'\\\"]*n)|b[\\x5c'\\\"]*(?:z[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*p[\\x5c'\\\"]*2(?:[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*c[\\x5c'\\\"]*o[\\x5c'\\\"]*v[\\x5c'\\\"]*e[\\x5c'\\\"]*r)?|e[\\x5c'\\\"]*(?:g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|x[\\x5c'\\\"]*e)|(?:f[\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|c[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*t|m[\\x5c'\\\"]*p)|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|m[\\x5c'\\\"]*o[\\x5c'\\\"]*r[\\x5c'\\\"]*e|z)|u[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*l[\\x5c'\\\"]*t[\\x5c'\\\"]*i[\\x5c'\\\"]*n|n[\\x5c'\\\"]*z[\\x5c'\\\"]*i[\\x5c'\\\"]*p[\\x5c'\\\"]*2|s[\\x5c'\\\"]*y[\\x5c'\\\"]*b[\\x5c'\\\"]*o[\\x5c'\\\"]*x)|s[\\x5c'\\\"]*d[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*a[\\x5c'\\\"]*t|i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|t[\\x5c'\\\"]*a[\\x5c'\\\"]*r)|a[\\x5c'\\\"]*s[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*(?:3[\\x5c'\\\"]*2|6[\\x5c'\\\"]*4|n[\\x5c'\\\"]*c)|h))|s[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*n[\\x5c'\\\"]*v|s[\\x5c'\\\"]*i[\\x5c'\\\"]*d)|n[\\x5c'\\\"]*d[\\x5c'\\\"]*m[\\x5c'\\\"]*a[\\x5c'\\\"]*i[\\x5c'\\\"]*l|d)|h(?:[\\x5c'\\\"]*\\.[\\x5c'\\\"]*d[\\x5c'\\\"]*i[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*r[\\x5c'\\\"]*i[\\x5c'\\\"]*b)?|o[\\x5c'\\\"]*(?:u[\\x5c'\\\"]*r[\\x5c'\\\"]*c[\\x5c'\\\"]*e|c[\\x5c'\\\"]*a[\\x5c'\\\"]*t)|t[\\x5c'\\\"]*r[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*g[\\x5c'\\\"]*s|y[\\x5c'\\\"]*s[\\x5c'\\\"]*c[\\x5c'\\\"]*t[\\x5c'\\\"]*l|c[\\x5c'\\\"]*(?:h[\\x5c'\\\"]*e[\\x5c'\\\"]*d|p)|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|f[\\x5c'\\\"]*t[\\x5c'\\\"]*p|u[\\x5c'\\\"]*d[\\x5c'\\\"]*o|s[\\x5c'\\\"]*h|v[\\x5c'\\\"]*n)|p[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*a[\\x5c'\\\"]*r(?:[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p))?|y[\\x5c'\\\"]*t[\\x5c'\\\"]*h[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*[23]?[\\x5c'\\\"]*(?:\\.[0-9.\\x5c'\\\"]+)?(?:[dmu]+)?|k[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*x[\\x5c'\\\"]*e[\\x5c'\\\"]*c|i[\\x5c'\\\"]*l[\\x5c'\\\"]*l)|r[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*n[\\x5c'\\\"]*v|f)|(?:g[\\x5c'\\\"]*r[\\x5c'\\\"]*e|f[\\x5c'\\\"]*t)[\\x5c'\\\"]*p|e[\\x5c'\\\"]*r[\\x5c'\\\"]*l(?:[\\x5c'\\\"]*5)?|h[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*[57])?|(?:i[\\x5c'\\\"]*g|x)[\\x5c'\\\"]*z|o[\\x5c'\\\"]*p[\\x5c'\\\"]*d)|n[\\x5c'\\\"]*(?:c(?:[\\x5c'\\\"]*(?:\\.[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*r[\\x5c'\\\"]*a[\\x5c'\\\"]*d[\\x5c'\\\"]*i[\\x5c'\\\"]*t[\\x5c'\\\"]*i[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*a[\\x5c'\\\"]*l|o[\\x5c'\\\"]*p[\\x5c'\\\"]*e[\\x5c'\\\"]*n[\\x5c'\\\"]*b[\\x5c'\\\"]*s[\\x5c'\\\"]*d)|a[\\x5c'\\\"]*t))?|e[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:k[\\x5c'\\\"]*i[\\x5c'\\\"]*t[\\x5c'\\\"]*-[\\x5c'\\\"]*f[\\x5c'\\\"]*t[\\x5c'\\\"]*p|(?:s[\\x5c'\\\"]*t|c)[\\x5c'\\\"]*a[\\x5c'\\\"]*t)|o[\\x5c'\\\"]*h[\\x5c'\\\"]*u[\\x5c'\\\"]*p|p[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*g|s[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*t)|t[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*r[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*o[\\x5c'\\\"]*u[\\x5c'\\\"]*t[\\x5c'\\\"]*e|i[\\x5c'\\\"]*n[\\x5c'\\\"]*g)|s[\\x5c'\\\"]*h)|r[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*o[\\x5c'\\\"]*u[\\x5c'\\\"]*t[\\x5c'\\\"]*e(?:[\\x5c'\\\"]*6)?|(?:i[\\x5c'\\\"]*m[\\x5c'\\\"]*e[\\x5c'\\\"]*o[\\x5c'\\\"]*u|e[\\x5c'\\\"]*l[\\x5c'\\\"]*n[\\x5c'\\\"]*e)[\\x5c'\\\"]*t|a[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*l(?:[\\x5c'\\\"]*f)?|r))|r[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*e|e[\\x5c'\\\"]*a[\\x5c'\\\"]*t)|a[\\x5c'\\\"]*l[\\x5c'\\\"]*p[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*h|n[\\x5c'\\\"]*a[\\x5c'\\\"]*m[\\x5c'\\\"]*e)|u[\\x5c'\\\"]*b[\\x5c'\\\"]*y(?:[\\x5c'\\\"]*(?:1(?:[\\x5c'\\\"]*[89])?|2[\\x5c'\\\"]*[012]))?|m[\\x5c'\\\"]*(?:u[\\x5c'\\\"]*s[\\x5c'\\\"]*e|d[\\x5c'\\\"]*i)[\\x5c'\\\"]*r|n[\\x5c'\\\"]*a[\\x5c'\\\"]*n[\\x5c'\\\"]*o|s[\\x5c'\\\"]*y[\\x5c'\\\"]*n[\\x5c'\\\"]*c|c[\\x5c'\\\"]*p)|u[\\x5c'\\\"]*(?:n[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*o[\\x5c'\\\"]*m[\\x5c'\\\"]*p[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|z[\\x5c'\\\"]*(?:s[\\x5c'\\\"]*t[\\x5c'\\\"]*d|i[\\x5c'\\\"]*p)|(?:p[\\x5c'\\\"]*i[\\x5c'\\\"]*g|x)[\\x5c'\\\"]*z|l[\\x5c'\\\"]*z[\\x5c'\\\"]*(?:m[\\x5c'\\\"]*a|4)|a[\\x5c'\\\"]*m[\\x5c'\\\"]*e|r[\\x5c'\\\"]*a[\\x5c'\\\"]*r|s[\\x5c'\\\"]*e[\\x5c'\\\"]*t)|s[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*(?:(?:a[\\x5c'\\\"]*d|m[\\x5c'\\\"]*o)[\\x5c'\\\"]*d|d[\\x5c'\\\"]*e[\\x5c'\\\"]*l))|m[\\x5c'\\\"]*(?:y[\\x5c'\\\"]*s[\\x5c'\\\"]*q[\\x5c'\\\"]*l[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*u[\\x5c'\\\"]*m[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*s[\\x5c'\\\"]*l[\\x5c'\\\"]*o[\\x5c'\\\"]*w)?|h[\\x5c'\\\"]*o[\\x5c'\\\"]*t[\\x5c'\\\"]*c[\\x5c'\\\"]*o[\\x5c'\\\"]*p[\\x5c'\\\"]*y|a[\\x5c'\\\"]*d[\\x5c'\\\"]*m[\\x5c'\\\"]*i[\\x5c'\\\"]*n|s[\\x5c'\\\"]*h[\\x5c'\\\"]*o[\\x5c'\\\"]*w)|l[\\x5c'\\\"]*o[\\x5c'\\\"]*c[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*e|a[\\x5c'\\\"]*i[\\x5c'\\\"]*l[\\x5c'\\\"]*q)|c[\\x5c'\\\"]*(?:o[\\x5c'\\\"]*(?:r[\\x5c'\\\"]*e[\\x5c'\\\"]*_[\\x5c'\\\"]*p[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*l[\\x5c'\\\"]*\\/[\\x5c'\\\"]*z[\\x5c'\\\"]*i[\\x5c'\\\"]*p[\\x5c'\\\"]*d[\\x5c'\\\"]*e[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*i[\\x5c'\\\"]*l[\\x5c'\\\"]*s|m[\\x5c'\\\"]*m[\\x5c'\\\"]*a[\\x5c'\\\"]*n[\\x5c'\\\"]*d|p[\\x5c'\\\"]*r[\\x5c'\\\"]*o[\\x5c'\\\"]*c)|u[\\x5c'\\\"]*r[\\x5c'\\\"]*l|9[\\x5c'\\\"]*9|s[\\x5c'\\\"]*h|c)|x[\\x5c'\\\"]*(?:z(?:[\\x5c'\\\"]*(?:(?:[ef][\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|d[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|e[\\x5c'\\\"]*c)|c[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*t|m[\\x5c'\\\"]*p)|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|m[\\x5c'\\\"]*o[\\x5c'\\\"]*r[\\x5c'\\\"]*e))?|a[\\x5c'\\\"]*r[\\x5c'\\\"]*g[\\x5c'\\\"]*s)|f[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*p[\\x5c'\\\"]*(?:s[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*s|w[\\x5c'\\\"]*h[\\x5c'\\\"]*o)|i[\\x5c'\\\"]*l[\\x5c'\\\"]*e[\\x5c'\\\"]*t[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*t|e[\\x5c'\\\"]*t[\\x5c'\\\"]*c[\\x5c'\\\"]*h|g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p)|g[\\x5c'\\\"]*(?:z[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*a[\\x5c'\\\"]*t|e[\\x5c'\\\"]*x[\\x5c'\\\"]*e|i[\\x5c'\\\"]*p)|(?:u[\\x5c'\\\"]*n[\\x5c'\\\"]*z[\\x5c'\\\"]*i|r[\\x5c'\\\"]*e)[\\x5c'\\\"]*p|c[\\x5c'\\\"]*c)|e[\\x5c'\\\"]*(?:g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|c[\\x5c'\\\"]*h[\\x5c'\\\"]*o|v[\\x5c'\\\"]*a[\\x5c'\\\"]*l|x[\\x5c'\\\"]*e[\\x5c'\\\"]*c|n[\\x5c'\\\"]*v)|d[\\x5c'\\\"]*(?:m[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*g|a[\\x5c'\\\"]*s[\\x5c'\\\"]*h|i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|o[\\x5c'\\\"]*a[\\x5c'\\\"]*s)|j[\\x5c'\\\"]*(?:o[\\x5c'\\\"]*b[\\x5c'\\\"]*s[\\x5c'\\\"]*\\s+[\\x5c'\\\"]*-[\\x5c'\\\"]*x|a[\\x5c'\\\"]*v[\\x5c'\\\"]*a)|w[\\x5c'\\\"]*(?:h[\\x5c'\\\"]*o[\\x5c'\\\"]*a[\\x5c'\\\"]*m[\\x5c'\\\"]*i|g[\\x5c'\\\"]*e[\\x5c'\\\"]*t|3[\\x5c'\\\"]*m)|i[\\x5c'\\\"]*r[\\x5c'\\\"]*b(?:[\\x5c'\\\"]*(?:1(?:[\\x5c'\\\"]*[89])?|2[\\x5c'\\\"]*[012]))?|o[\\x5c'\\\"]*n[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*t[\\x5c'\\\"]*r|h[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*a[\\x5c'\\\"]*d|u[\\x5c'\\\"]*p)|v[\\x5c'\\\"]*i[\\x5c'\\\"]*(?:g[\\x5c'\\\"]*r|p[\\x5c'\\\"]*w)|7[\\x5c'\\\"]*z(?:[\\x5c'\\\"]*[ar])?|G[\\x5c'\\\"]*E[\\x5c'\\\"]*T|k[\\x5c'\\\"]*s[\\x5c'\\\"]*h)|\\$[\\x5c'\\\"]*(?:\\{[\\x5c'\\\"]*S[\\x5c'\\\"]*H[\\x5c'\\\"]*E[\\x5c'\\\"]*L[\\x5c'\\\"]*L[\\x5c'\\\"]*}|S[\\x5c'\\\"]*H[\\x5c'\\\"]*E[\\x5c'\\\"]*L[\\x5c'\\\"]*L))[\\x5c'\\\"]*(?:\\s|;|\\||&|<|>)",
734
+ "options": {
735
+ "case_sensitive": true,
736
+ "min_length": 3
737
+ }
738
+ },
739
+ "operator": "match_regex"
740
+ }
741
+ ],
742
+ "transformers": []
743
+ },
744
+ {
745
+ "id": "crs-933-110",
746
+ "name": "PHP Injection Attack: PHP Script File Upload Found",
747
+ "tags": {
748
+ "type": "php_code_injection",
749
+ "crs_id": "933110",
750
+ "category": "attack_attempt"
751
+ },
752
+ "conditions": [
753
+ {
754
+ "parameters": {
755
+ "inputs": [
756
+ {
757
+ "address": "server.request.headers.no_cookies",
758
+ "key_path": [
759
+ "x-filename"
760
+ ]
761
+ },
762
+ {
763
+ "address": "server.request.headers.no_cookies",
764
+ "key_path": [
765
+ "x_filename"
766
+ ]
767
+ },
768
+ {
769
+ "address": "server.request.headers.no_cookies",
770
+ "key_path": [
771
+ "x.filename"
772
+ ]
773
+ },
774
+ {
775
+ "address": "server.request.headers.no_cookies",
776
+ "key_path": [
777
+ "x-file-name"
778
+ ]
779
+ }
780
+ ],
781
+ "regex": ".*\\.ph(?:p\\d*|tml|ar|ps|t|pt)\\.*$",
782
+ "options": {
783
+ "case_sensitive": true,
784
+ "min_length": 4
785
+ }
786
+ },
787
+ "operator": "match_regex"
788
+ }
789
+ ],
790
+ "transformers": [
791
+ "lowercase"
792
+ ]
793
+ },
794
+ {
795
+ "id": "crs-933-180",
796
+ "name": "PHP Injection Attack: Variable Function Call Found",
797
+ "tags": {
798
+ "type": "php_code_injection",
799
+ "crs_id": "933180",
800
+ "category": "attack_attempt"
801
+ },
802
+ "conditions": [
803
+ {
804
+ "parameters": {
805
+ "inputs": [
806
+ {
807
+ "address": "server.request.query"
808
+ },
809
+ {
810
+ "address": "server.request.body"
811
+ },
812
+ {
813
+ "address": "server.request.path_params"
814
+ },
815
+ {
816
+ "address": "graphql.server.all_resolvers"
817
+ }
818
+ ],
819
+ "regex": "\\$+(?:[a-zA-Z_\\x7f-\\xff][a-zA-Z0-9_\\x7f-\\xff]*|\\s*{.+})(?:\\s|\\[.+\\]|{.+}|/\\*.*\\*/|//.*|#.*)*\\(.*\\)",
820
+ "options": {
821
+ "case_sensitive": true,
822
+ "min_length": 4
823
+ }
824
+ },
825
+ "operator": "match_regex"
826
+ }
827
+ ],
828
+ "transformers": []
829
+ },
830
+ {
831
+ "id": "crs-933-210",
832
+ "name": "PHP Injection Attack: Variable Function Call Found",
833
+ "tags": {
834
+ "type": "php_code_injection",
835
+ "crs_id": "933210",
836
+ "category": "attack_attempt"
837
+ },
838
+ "conditions": [
839
+ {
840
+ "parameters": {
841
+ "inputs": [
842
+ {
843
+ "address": "server.request.query"
844
+ },
845
+ {
846
+ "address": "server.request.body"
847
+ },
848
+ {
849
+ "address": "server.request.path_params"
850
+ },
851
+ {
852
+ "address": "graphql.server.all_resolvers"
853
+ }
854
+ ],
855
+ "regex": "(?:\\(.+\\)\\(.+\\)|\\(.+\\)['\\\"][a-zA-Z-_0-9]+['\\\"]\\(.+\\)|\\[\\d+\\]\\(.+\\)|\\{\\d+\\}\\(.+\\)|\\$[^(?:\\),.;\\x5c/]+\\(.+\\)|[\\\"'][a-zA-Z0-9-_\\x5c]+[\\\"']\\(.+\\)|\\([^\\)]*string[^\\)]*\\)[a-zA-Z-_0-9\\\"'.{}\\[\\]\\s]+\\([^\\)]*\\));",
856
+ "options": {
857
+ "case_sensitive": true,
858
+ "min_length": 6
859
+ }
860
+ },
861
+ "operator": "match_regex"
862
+ }
863
+ ],
864
+ "transformers": []
865
+ },
866
+ {
867
+ "id": "crs-941-100",
868
+ "name": "XSS Attack Detected via libinjection",
869
+ "tags": {
870
+ "type": "xss",
871
+ "crs_id": "941100",
872
+ "category": "attack_attempt",
873
+ "cwe": "79"
874
+ },
875
+ "conditions": [
876
+ {
877
+ "parameters": {
878
+ "inputs": [
879
+ {
880
+ "address": "server.request.headers.no_cookies",
881
+ "key_path": [
882
+ "user-agent"
883
+ ]
884
+ },
885
+ {
886
+ "address": "server.request.headers.no_cookies",
887
+ "key_path": [
888
+ "referer"
889
+ ]
890
+ },
891
+ {
892
+ "address": "server.request.query"
893
+ },
894
+ {
895
+ "address": "server.request.body"
896
+ },
897
+ {
898
+ "address": "server.request.path_params"
899
+ },
900
+ {
901
+ "address": "grpc.server.request.message"
902
+ },
903
+ {
904
+ "address": "graphql.server.all_resolvers"
905
+ }
906
+ ]
907
+ },
908
+ "operator": "is_xss"
909
+ }
910
+ ],
911
+ "transformers": [
912
+ "removeNulls"
913
+ ]
914
+ },
915
+ {
916
+ "id": "crs-941-130",
917
+ "name": "XSS Filter - Category 3: Attribute Vector",
918
+ "tags": {
919
+ "type": "xss",
920
+ "crs_id": "941130",
921
+ "category": "attack_attempt"
922
+ },
923
+ "conditions": [
924
+ {
925
+ "parameters": {
926
+ "inputs": [
927
+ {
928
+ "address": "server.request.headers.no_cookies",
929
+ "key_path": [
930
+ "user-agent"
931
+ ]
932
+ },
933
+ {
934
+ "address": "server.request.query"
935
+ },
936
+ {
937
+ "address": "server.request.body"
938
+ },
939
+ {
940
+ "address": "server.request.path_params"
941
+ },
942
+ {
943
+ "address": "graphql.server.all_resolvers"
944
+ }
945
+ ],
946
+ "regex": "[\\s\\S](?:\\b(?:x(?:link:href|html|mlns)|data:text\\/html|pattern\\b.*?=|formaction)|!ENTITY\\s+(?:\\S+|%\\s+\\S+)\\s+(?:PUBLIC|SYSTEM)|;base64|@import)\\b",
947
+ "options": {
948
+ "min_length": 6
949
+ }
950
+ },
951
+ "operator": "match_regex"
952
+ }
953
+ ],
954
+ "transformers": [
955
+ "removeNulls"
956
+ ]
957
+ },
958
+ {
959
+ "id": "crs-941-150",
960
+ "name": "XSS Filter - Category 5: Disallowed HTML Attributes",
961
+ "tags": {
962
+ "type": "xss",
963
+ "crs_id": "941150",
964
+ "category": "attack_attempt"
965
+ },
966
+ "conditions": [
967
+ {
968
+ "parameters": {
969
+ "inputs": [
970
+ {
971
+ "address": "server.request.headers.no_cookies",
972
+ "key_path": [
973
+ "user-agent"
974
+ ]
975
+ },
976
+ {
977
+ "address": "server.request.query"
978
+ },
979
+ {
980
+ "address": "server.request.body"
981
+ },
982
+ {
983
+ "address": "server.request.path_params"
984
+ },
985
+ {
986
+ "address": "graphql.server.all_resolvers"
987
+ }
988
+ ],
989
+ "regex": "\\b(?:s(?:tyle|rc)|href)\\b\\s*?=",
990
+ "options": {
991
+ "case_sensitive": true,
992
+ "min_length": 4
993
+ }
994
+ },
995
+ "operator": "match_regex"
996
+ }
997
+ ],
998
+ "transformers": [
999
+ "removeNulls"
1000
+ ]
1001
+ },
1002
+ {
1003
+ "id": "crs-941-160",
1004
+ "name": "NoScript XSS InjectionChecker: HTML Injection",
1005
+ "tags": {
1006
+ "type": "xss",
1007
+ "crs_id": "941160",
1008
+ "category": "attack_attempt"
1009
+ },
1010
+ "conditions": [
1011
+ {
1012
+ "parameters": {
1013
+ "inputs": [
1014
+ {
1015
+ "address": "server.request.headers.no_cookies",
1016
+ "key_path": [
1017
+ "user-agent"
1018
+ ]
1019
+ },
1020
+ {
1021
+ "address": "server.request.headers.no_cookies",
1022
+ "key_path": [
1023
+ "referer"
1024
+ ]
1025
+ },
1026
+ {
1027
+ "address": "server.request.query"
1028
+ },
1029
+ {
1030
+ "address": "server.request.body"
1031
+ },
1032
+ {
1033
+ "address": "server.request.path_params"
1034
+ },
1035
+ {
1036
+ "address": "graphql.server.all_resolvers"
1037
+ }
1038
+ ],
1039
+ "regex": "(?:(?:<\\w[\\s\\S]*[\\s/]|['\\\"](?:[\\s\\S]*[\\s/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|(?:peech|ound)(?:start|end)|u(?:ccess|spend|bmit)|croll|how)|m(?:o(?:z(?:(?:pointerlock|fullscreen)(?:change|error)|(?:orientation|time)change|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ransition(?:cancel|end|run)|ime(?:update|out)|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom)|s(?:tyle|rc)|background|formaction|lowsrc|ping)[\\s\\x08]*?=|<[^\\w<>]*(?:[^<>\\\"'\\s]*:)?[^\\w<>]*\\W*?(?:(?:a\\W*?(?:n\\W*?i\\W*?m\\W*?a\\W*?t\\W*?e|p\\W*?p\\W*?l\\W*?e\\W*?t|u\\W*?d\\W*?i\\W*?o)|b\\W*?(?:i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g\\W*?s|a\\W*?s\\W*?e|o\\W*?d\\W*?y)|i?\\W*?f\\W*?r\\W*?a\\W*?m\\W*?e|o\\W*?b\\W*?j\\W*?e\\W*?c\\W*?t|i\\W*?m\\W*?a?\\W*?g\\W*?e?|e\\W*?m\\W*?b\\W*?e\\W*?d|p\\W*?a\\W*?r\\W*?a\\W*?m|v\\W*?i\\W*?d\\W*?e\\W*?o|l\\W*?i\\W*?n\\W*?k)[^>\\w]|s\\W*?(?:c\\W*?r\\W*?i\\W*?p\\W*?t|t\\W*?y\\W*?l\\W*?e|e\\W*?t[^>\\w]|v\\W*?g)|m\\W*?(?:a\\W*?r\\W*?q\\W*?u\\W*?e\\W*?e|e\\W*?t\\W*?a[^>\\w])|f\\W*?o\\W*?r\\W*?m))",
1040
+ "options": {
1041
+ "min_length": 4
1042
+ }
1043
+ },
1044
+ "operator": "match_regex"
1045
+ }
1046
+ ],
1047
+ "transformers": [
1048
+ "removeNulls"
1049
+ ]
1050
+ },
1051
+ {
1052
+ "id": "crs-941-190",
1053
+ "name": "IE XSS Filters - Attack Detected",
1054
+ "tags": {
1055
+ "type": "xss",
1056
+ "crs_id": "941190",
1057
+ "category": "attack_attempt"
1058
+ },
1059
+ "conditions": [
1060
+ {
1061
+ "parameters": {
1062
+ "inputs": [
1063
+ {
1064
+ "address": "server.request.query"
1065
+ },
1066
+ {
1067
+ "address": "server.request.body"
1068
+ },
1069
+ {
1070
+ "address": "server.request.path_params"
1071
+ },
1072
+ {
1073
+ "address": "graphql.server.all_resolvers"
1074
+ }
1075
+ ],
1076
+ "regex": "(?i:<style.*?>.*?(?:@[i\\x5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(?:\\x5c]|&#x?0*(?:40|28|92|5C);?)))",
1077
+ "options": {
1078
+ "case_sensitive": true,
1079
+ "min_length": 9
1080
+ }
1081
+ },
1082
+ "operator": "match_regex"
1083
+ }
1084
+ ],
1085
+ "transformers": [
1086
+ "removeNulls"
1087
+ ]
1088
+ },
1089
+ {
1090
+ "id": "crs-941-250",
1091
+ "name": "IE XSS Filters - Attack Detected",
1092
+ "tags": {
1093
+ "type": "xss",
1094
+ "crs_id": "941250",
1095
+ "category": "attack_attempt"
1096
+ },
1097
+ "conditions": [
1098
+ {
1099
+ "parameters": {
1100
+ "inputs": [
1101
+ {
1102
+ "address": "server.request.query"
1103
+ },
1104
+ {
1105
+ "address": "server.request.body"
1106
+ },
1107
+ {
1108
+ "address": "server.request.path_params"
1109
+ },
1110
+ {
1111
+ "address": "graphql.server.all_resolvers"
1112
+ }
1113
+ ],
1114
+ "regex": "(?i:<META[\\s/+].*?http-equiv[\\s/+]*=[\\s/+]*[\\\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))",
1115
+ "options": {
1116
+ "case_sensitive": true,
1117
+ "min_length": 18
1118
+ }
1119
+ },
1120
+ "operator": "match_regex"
1121
+ }
1122
+ ],
1123
+ "transformers": [
1124
+ "removeNulls"
1125
+ ]
1126
+ },
1127
+ {
1128
+ "id": "crs-941-260",
1129
+ "name": "IE XSS Filters - Attack Detected",
1130
+ "tags": {
1131
+ "type": "xss",
1132
+ "crs_id": "941260",
1133
+ "category": "attack_attempt"
1134
+ },
1135
+ "conditions": [
1136
+ {
1137
+ "parameters": {
1138
+ "inputs": [
1139
+ {
1140
+ "address": "server.request.query"
1141
+ },
1142
+ {
1143
+ "address": "server.request.body"
1144
+ },
1145
+ {
1146
+ "address": "server.request.path_params"
1147
+ },
1148
+ {
1149
+ "address": "graphql.server.all_resolvers"
1150
+ }
1151
+ ],
1152
+ "regex": "(?i:<META[\\s/+].*?charset[\\s/+]*=)",
1153
+ "options": {
1154
+ "case_sensitive": true,
1155
+ "min_length": 14
1156
+ }
1157
+ },
1158
+ "operator": "match_regex"
1159
+ }
1160
+ ],
1161
+ "transformers": [
1162
+ "removeNulls"
1163
+ ]
1164
+ },
1165
+ {
1166
+ "id": "crs-941-370",
1167
+ "name": "JavaScript global variable found",
1168
+ "tags": {
1169
+ "type": "xss",
1170
+ "crs_id": "941370",
1171
+ "category": "attack_attempt"
1172
+ },
1173
+ "conditions": [
1174
+ {
1175
+ "parameters": {
1176
+ "inputs": [
1177
+ {
1178
+ "address": "server.request.query"
1179
+ },
1180
+ {
1181
+ "address": "server.request.body"
1182
+ },
1183
+ {
1184
+ "address": "server.request.path_params"
1185
+ },
1186
+ {
1187
+ "address": "graphql.server.all_resolvers"
1188
+ }
1189
+ ],
1190
+ "regex": "(?:self|document|this|top|window)\\s*(?:/\\*|[\\[)]).+?(?:\\]|\\*/)",
1191
+ "options": {
1192
+ "case_sensitive": true,
1193
+ "min_length": 6
1194
+ }
1195
+ },
1196
+ "operator": "match_regex"
1197
+ }
1198
+ ],
1199
+ "transformers": []
1200
+ },
1201
+ {
1202
+ "id": "crs-941-380",
1203
+ "name": "AngularJS client side template injection detected",
1204
+ "tags": {
1205
+ "type": "js_code_injection",
1206
+ "crs_id": "941380",
1207
+ "category": "attack_attempt"
1208
+ },
1209
+ "conditions": [
1210
+ {
1211
+ "parameters": {
1212
+ "inputs": [
1213
+ {
1214
+ "address": "server.request.query"
1215
+ },
1216
+ {
1217
+ "address": "server.request.body"
1218
+ },
1219
+ {
1220
+ "address": "server.request.path_params"
1221
+ },
1222
+ {
1223
+ "address": "graphql.server.all_resolvers"
1224
+ }
1225
+ ],
1226
+ "regex": "^{{[\\w\\s\\.]*[^\\w\\.\\s}][^}]*}}$",
1227
+ "options": {
1228
+ "case_sensitive": true,
1229
+ "min_length": 5
1230
+ }
1231
+ },
1232
+ "operator": "match_regex"
1233
+ }
1234
+ ],
1235
+ "transformers": []
1236
+ },
1237
+ {
1238
+ "id": "crs-942-151",
1239
+ "name": "SQL function injection Attack",
1240
+ "tags": {
1241
+ "type": "sql_injection",
1242
+ "crs_id": "942151",
1243
+ "category": "attack_attempt"
1244
+ },
1245
+ "conditions": [
1246
+ {
1247
+ "parameters": {
1248
+ "inputs": [
1249
+ {
1250
+ "address": "server.request.query"
1251
+ },
1252
+ {
1253
+ "address": "server.request.body"
1254
+ },
1255
+ {
1256
+ "address": "server.request.path_params"
1257
+ },
1258
+ {
1259
+ "address": "graphql.server.all_resolvers"
1260
+ }
1261
+ ],
1262
+ "regex": "\\b(?:s(?:q(?:lite_(?:compileoption_(?:used|get)|source_id)|rt)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|ub(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|e(?:ssion_user|c_to_time)|ys(?:tem_user|date)|ha[12]?|oundex|chema|pace|in)|c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|llation|alesce|t)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|ha(?:racte)?r_length|iel(?:ing)?|r32)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)|fnull)|l(?:o(?:ca(?:ltimestamp|te)|g(?:10|2)|ad_file|wer)|i(?:kel(?:ihood|y)|nestring)|ast_(?:inser_id|day)|e(?:as|f)t|case|trim|pad)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)|abase)|y(?:of(?:month|week|year)|name))|e(?:s_(?:de|en)crypt|grees|code)|count|ump)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|likely|hex)|tc_(?:time(?:stamp)?|date)|uid(?:_short)?|pdatexml|case)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im))|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|ulti(?:po(?:lygon|int)|linestring)|i(?:crosecon)?d|onthname|d5)|g(?:e(?:t_(?:format|lock)|ometrycollection)|(?:r(?:oup_conca|eates)|tid_subse)t)|p(?:o(?:(?:siti|lyg)on|w)|eriod_(?:diff|add)|rocedure_analyse|g_sleep)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|tan2?)|f(?:rom_(?:unixtime|base64|days)|i(?:el|n)d_in_set|ound_rows)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|b(?:i(?:t_(?:length|count|x?or|and)|n_to_num)|enchmark)|r(?:a(?:wtohex|dians|nd)|elease_lock|ow_count|trim|pad)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)|ight_string)|json(?:_(?:object|array))?|n(?:ame_const|ot_in|ullif)|var(?:_(?:sam|po)p|iance)|qu(?:arter|ote)|hex(?:toraw)?|yearweek|xmltype)\\W*\\(",
1263
+ "options": {
1264
+ "case_sensitive": false,
1265
+ "min_length": 4
1266
+ }
1267
+ },
1268
+ "operator": "match_regex"
1269
+ }
1270
+ ],
1271
+ "transformers": []
1272
+ },
1273
+ {
1274
+ "id": "crs-942-170",
1275
+ "name": "Detects SQL benchmark and sleep injection attempts including conditional queries",
1276
+ "tags": {
1277
+ "type": "sql_injection",
1278
+ "crs_id": "942170",
1279
+ "category": "attack_attempt"
1280
+ },
1281
+ "conditions": [
1282
+ {
1283
+ "parameters": {
1284
+ "inputs": [
1285
+ {
1286
+ "address": "server.request.query"
1287
+ },
1288
+ {
1289
+ "address": "server.request.body"
1290
+ },
1291
+ {
1292
+ "address": "server.request.path_params"
1293
+ },
1294
+ {
1295
+ "address": "graphql.server.all_resolvers"
1296
+ }
1297
+ ],
1298
+ "regex": "(?:select|;)\\s+(?:benchmark|sleep|if)\\s*?\\(\\s*?\\(?\\s*?\\w+",
1299
+ "options": {
1300
+ "min_length": 6
1301
+ }
1302
+ },
1303
+ "operator": "match_regex"
1304
+ }
1305
+ ],
1306
+ "transformers": []
1307
+ },
1308
+ {
1309
+ "id": "crs-942-190",
1310
+ "name": "Detects MSSQL code execution and information gathering attempts",
1311
+ "tags": {
1312
+ "type": "sql_injection",
1313
+ "crs_id": "942190",
1314
+ "category": "attack_attempt",
1315
+ "cwe": "89"
1316
+ },
1317
+ "conditions": [
1318
+ {
1319
+ "parameters": {
1320
+ "inputs": [
1321
+ {
1322
+ "address": "server.request.query"
1323
+ },
1324
+ {
1325
+ "address": "server.request.body"
1326
+ },
1327
+ {
1328
+ "address": "server.request.path_params"
1329
+ },
1330
+ {
1331
+ "address": "grpc.server.request.message"
1332
+ },
1333
+ {
1334
+ "address": "graphql.server.all_resolvers"
1335
+ }
1336
+ ],
1337
+ "regex": "(?:\\b(?:u(?:nion(?:[\\w(?:\\s]*?select|\\sselect\\s@)|ser\\s*?\\([^\\)]*?)|(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|into[\\s+]+(?:dump|out)file\\s*?[\\\"'`]|from\\W+information_schema\\W|exec(?:ute)?\\s+master\\.)|[\\\"'`](?:;?\\s*?(?:union\\b\\s*?(?:(?:distin|sele)ct|all)|having|select)\\b\\s*?[^\\s]|\\s*?!\\s*?[\\\"'`\\w])|\\s*?exec(?:ute)?.*?\\Wxp_cmdshell|\\Wiif\\s*?\\()",
1338
+ "options": {
1339
+ "min_length": 3
1340
+ }
1341
+ },
1342
+ "operator": "match_regex"
1343
+ }
1344
+ ],
1345
+ "transformers": []
1346
+ },
1347
+ {
1348
+ "id": "crs-942-230",
1349
+ "name": "Detects conditional SQL injection attempts",
1350
+ "tags": {
1351
+ "type": "sql_injection",
1352
+ "crs_id": "942230",
1353
+ "category": "attack_attempt"
1354
+ },
1355
+ "conditions": [
1356
+ {
1357
+ "parameters": {
1358
+ "inputs": [
1359
+ {
1360
+ "address": "server.request.query"
1361
+ },
1362
+ {
1363
+ "address": "server.request.body"
1364
+ },
1365
+ {
1366
+ "address": "server.request.path_params"
1367
+ },
1368
+ {
1369
+ "address": "graphql.server.all_resolvers"
1370
+ }
1371
+ ],
1372
+ "regex": "(?:select.*?having\\s*?[^\\s]+\\s*?[^\\w\\s]|[\\s(?:)]case\\s+when.*?then|\\)\\s*?like\\s*?\\()",
1373
+ "options": {
1374
+ "case_sensitive": false,
1375
+ "min_length": 5
1376
+ }
1377
+ },
1378
+ "operator": "match_regex"
1379
+ }
1380
+ ],
1381
+ "transformers": []
1382
+ },
1383
+ {
1384
+ "id": "crs-942-320",
1385
+ "name": "Detects MySQL and PostgreSQL stored procedure/function injections",
1386
+ "tags": {
1387
+ "type": "sql_injection",
1388
+ "crs_id": "942320",
1389
+ "category": "attack_attempt"
1390
+ },
1391
+ "conditions": [
1392
+ {
1393
+ "parameters": {
1394
+ "inputs": [
1395
+ {
1396
+ "address": "server.request.query"
1397
+ },
1398
+ {
1399
+ "address": "server.request.body"
1400
+ },
1401
+ {
1402
+ "address": "server.request.path_params"
1403
+ },
1404
+ {
1405
+ "address": "graphql.server.all_resolvers"
1406
+ }
1407
+ ],
1408
+ "regex": "(?:create\\s+(?:procedure|function)\\s*?\\w+\\s*?\\(\\s*?\\)\\s*?-|;\\s*?(?:declare|open)\\s+[\\w-]+|procedure\\s+analyse\\s*?\\(|declare[^\\w]+[@#]\\s*?\\w+|exec\\s*?\\(\\s*?@)",
1409
+ "options": {
1410
+ "min_length": 6
1411
+ }
1412
+ },
1413
+ "operator": "match_regex"
1414
+ }
1415
+ ],
1416
+ "transformers": []
1417
+ },
1418
+ {
1419
+ "id": "crs-942-350",
1420
+ "name": "Detects MySQL UDF injection and other data/structure manipulation attempts",
1421
+ "tags": {
1422
+ "type": "sql_injection",
1423
+ "crs_id": "942350",
1424
+ "category": "attack_attempt"
1425
+ },
1426
+ "conditions": [
1427
+ {
1428
+ "parameters": {
1429
+ "inputs": [
1430
+ {
1431
+ "address": "server.request.query"
1432
+ },
1433
+ {
1434
+ "address": "server.request.body"
1435
+ },
1436
+ {
1437
+ "address": "server.request.path_params"
1438
+ },
1439
+ {
1440
+ "address": "graphql.server.all_resolvers"
1441
+ }
1442
+ ],
1443
+ "regex": "(?:;\\s*?(?:(?:(?:trunc|cre|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|alter|load)\\b\\s*?[\\[(?:]?\\w{2,}|create\\s+function\\s.+\\sreturns)",
1444
+ "options": {
1445
+ "min_length": 7
1446
+ }
1447
+ },
1448
+ "operator": "match_regex"
1449
+ }
1450
+ ],
1451
+ "transformers": []
1452
+ },
1453
+ {
1454
+ "id": "crs-944-240",
1455
+ "name": "Remote Command Execution: Java serialization (CVE-2015-4852)",
1456
+ "tags": {
1457
+ "type": "java_code_injection",
1458
+ "crs_id": "944240",
1459
+ "category": "attack_attempt"
1460
+ },
1461
+ "conditions": [
1462
+ {
1463
+ "parameters": {
1464
+ "inputs": [
1465
+ {
1466
+ "address": "server.request.query"
1467
+ },
1468
+ {
1469
+ "address": "server.request.body"
1470
+ },
1471
+ {
1472
+ "address": "server.request.path_params"
1473
+ },
1474
+ {
1475
+ "address": "graphql.server.all_resolvers"
1476
+ },
1477
+ {
1478
+ "address": "server.request.headers.no_cookies"
1479
+ }
1480
+ ],
1481
+ "regex": "(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)",
1482
+ "options": {
1483
+ "case_sensitive": true,
1484
+ "min_length": 10
1485
+ }
1486
+ },
1487
+ "operator": "match_regex"
1488
+ }
1489
+ ],
1490
+ "transformers": [
1491
+ "lowercase"
1492
+ ]
1493
+ },
1494
+ {
1495
+ "id": "sqr-000-003",
1496
+ "name": "Obfuscated Path Traversal Attack (/../) on any parameter",
1497
+ "tags": {
1498
+ "type": "lfi",
1499
+ "category": "attack_attempt",
1500
+ "cwe": "22",
1501
+ "capec": "1000/255/153/126"
1502
+ },
1503
+ "conditions": [
1504
+ {
1505
+ "parameters": {
1506
+ "inputs": [
1507
+ {
1508
+ "address": "server.request.query"
1509
+ },
1510
+ {
1511
+ "address": "server.request.body"
1512
+ },
1513
+ {
1514
+ "address": "server.request.path_params"
1515
+ },
1516
+ {
1517
+ "address": "graphql.server.all_resolvers"
1518
+ }
1519
+ ],
1520
+ "regex": "(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2,3}(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)",
1521
+ "options": {
1522
+ "min_length": 4
1523
+ }
1524
+ },
1525
+ "operator": "match_regex"
1526
+ }
1527
+ ],
1528
+ "transformers": []
1529
+ },
1530
+ {
1531
+ "id": "sqr-000-004",
1532
+ "name": "Obfuscated Path Traversal Attack (/../) on any parameter",
1533
+ "tags": {
1534
+ "type": "lfi",
1535
+ "category": "attack_attempt",
1536
+ "cwe": "22",
1537
+ "capec": "1000/255/153/126"
1538
+ },
1539
+ "conditions": [
1540
+ {
1541
+ "parameters": {
1542
+ "inputs": [
1543
+ {
1544
+ "address": "server.request.query"
1545
+ },
1546
+ {
1547
+ "address": "server.request.body"
1548
+ },
1549
+ {
1550
+ "address": "server.request.path_params"
1551
+ },
1552
+ {
1553
+ "address": "graphql.server.all_resolvers"
1554
+ }
1555
+ ],
1556
+ "regex": "(?:(?:^|[\\x5c/])\\.{2,3}[\\x5c/]|[\\x5c/]\\.{2,3}(?:[\\x5c/]|$))",
1557
+ "options": {
1558
+ "case_sensitive": true,
1559
+ "min_length": 3
1560
+ }
1561
+ },
1562
+ "operator": "match_regex"
1563
+ }
1564
+ ],
1565
+ "transformers": [
1566
+ "removeNulls"
1567
+ ]
1568
+ },
1569
+ {
1570
+ "id": "sqr-000-007",
1571
+ "name": "NoSQL: Detect common exploitation strategy",
1572
+ "tags": {
1573
+ "type": "nosql_injection",
1574
+ "category": "attack_attempt",
1575
+ "cwe": "943"
1576
+ },
1577
+ "conditions": [
1578
+ {
1579
+ "parameters": {
1580
+ "inputs": [
1581
+ {
1582
+ "address": "server.request.query"
1583
+ },
1584
+ {
1585
+ "address": "server.request.body"
1586
+ },
1587
+ {
1588
+ "address": "server.request.path_params"
1589
+ },
1590
+ {
1591
+ "address": "graphql.server.all_resolvers"
1592
+ }
1593
+ ],
1594
+ "regex": "^\\$(eq|ne|(l|g)te?|n?in|not|(n|x|)or|and|regex|where|expr|exists)$"
1595
+ },
1596
+ "operator": "match_regex"
1597
+ }
1598
+ ],
1599
+ "transformers": [
1600
+ "keys_only"
1601
+ ]
1602
+ },
1603
+ {
1604
+ "id": "sqr-000-011",
1605
+ "name": "Node.js: Prototype pollution",
1606
+ "tags": {
1607
+ "type": "js_code_injection",
1608
+ "category": "attack_attempt"
1609
+ },
1610
+ "conditions": [
1611
+ {
1612
+ "parameters": {
1613
+ "inputs": [
1614
+ {
1615
+ "address": "server.request.query"
1616
+ },
1617
+ {
1618
+ "address": "server.request.body"
1619
+ },
1620
+ {
1621
+ "address": "server.request.path_params"
1622
+ },
1623
+ {
1624
+ "address": "server.request.headers.no_cookies"
1625
+ }
1626
+ ],
1627
+ "regex": "__proto__[\\.\\[]"
1628
+ },
1629
+ "operator": "match_regex"
1630
+ }
1631
+ ],
1632
+ "transformers": []
1633
+ }
1634
+ ]
1635
+ }