On 2021-11-04 at 08:45:02 UTC-0400 (Thu, 4 Nov 2021 08:45:02 -0400)
Jared Hall <ja...@jaredsec.com>
is rumored to have said:
> [...]
> 2) Beware of using somebody else's source code :)
That's the really significant warning...
The relevance to SA is that it uses a config system with "rules" that
can be auto-updated and which are de facto source code: somebody else's
source code. :)
We do not currently publish non-ASCII rules in the default ruleset
channel. I don't believe that KAM ever does so. At least one 3rd-party
ruleset has done so in the past, generating errors and warnings from
some versions of Perl. Through 3.x, SA does not have conscious support
for non-ASCII rules and while it is possible that SA could be vulnerable
to something akin to CVE-2021-42574 and CVE-2021-42694 via malicious
rules, it would be a noisy and rather difficult attack.
In v4.x, Unicode support will be better. That also means it may be
easier to make this sort of attack quieter in the future, as non-ASCII
rules won't be definitively wrong as they are now.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
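A defensive check for the risk discussed above, added here as an example and not part of the original thread or of SpamAssassin itself: it scans rule-file text for Unicode bidi control characters (the CVE-2021-42574 vehicle) and any other non-ASCII code point (possible homoglyphs, CVE-2021-42694) so an auto-updated ruleset can be audited before it is used. The sample rules and the LOCAL_* rule names are constructed for the example.

```python
"""Audit SpamAssassin rule text for Trojan Source style characters.
Added example, not SpamAssassin code. Assumes rule files are UTF-8 text;
sample rules below are constructed, not from any real ruleset channel."""
import sys
import unicodedata

# Bidi embedding/override/isolate controls used in CVE-2021-42574.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
}

# Constructed sample: line 4 hides an RLO in a describe string, line 5
# uses Cyrillic U+0430 (looks like Latin "a") inside a rule name.
SAMPLE_RULES = (
    "# constructed sample ruleset\n"
    "body   LOCAL_DEMO_TEST   /example/i\n"
    "score  LOCAL_DEMO_TEST   0.1\n"
    "describe LOCAL_DEMO_TEST  Demo \u202e test\n"
    "body   LOCAL_HOMOGLYPH_\u0430   /demo/\n"
)


def scan_rule_text(text):
    """Return (line_no, kind, codepoint, char_name) for every suspicious
    character. kind is 'bidi' for a bidi control and 'non-ascii' for any
    other code point above U+007F; ASCII-only rule text yields []."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for ch in line:
            if ch in BIDI_CONTROLS:
                kind = "bidi"
            elif ord(ch) > 0x7F:
                kind = "non-ascii"
            else:
                continue
            name = unicodedata.name(ch, "UNKNOWN")
            findings.append((line_no, kind, f"U+{ord(ch):04X}", name))
    return findings


def scan_rule_file(path):
    """Scan one .cf file; undecodable bytes are replaced, not skipped."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_rule_text(fh.read())


if __name__ == "__main__":
    # Usage: python audit_rules.py /path/to/*.cf  (no args: scan the sample)
    sources = sys.argv[1:] or ["<sample>"]
    for src in sources:
        hits = scan_rule_text(SAMPLE_RULES) if src == "<sample>" else scan_rule_file(src)
        for line_no, kind, cp, name in hits:
            print(f"{src}:{line_no}: {kind} {cp} {name}")
```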