Description
Describe the bug
The recommended rule 200005 runs too early to catch most MSC_PCRE_LIMITS_EXCEEDED flags that happen in phase 2.
Logs and dumps
To Reproduce
Expected behavior
The rule 200005 should block all MSC_PCRE_LIMITS_EXCEEDED that occur during request processing, even in phase 2.
Server (please complete the following information):
- ModSecurity version (and connector): all affected
- WebServer: all affected
- OS (and distro): all affected
Rule Set (please complete the following information):
- Running any public or commercial rule set? OWASP CRS
- What is the version number? all affected
Additional context
Since the ModSecurity Recommended Rules provide rules to activate body parsers etc., they need to be included before other rule sets like the Core Rule Set.
Error flags like MSC_PCRE_LIMITS_EXCEEDED are set by rule sets like the CRS.
However, since the rule 200005 has already run at the start of phase 2, any rule from a rule set that also runs in phase 2 but is included after the recommended rules (which is typically the case for other rule sets because they rely on body parsing rules) can never trigger rule 200005.
Therefore, rule 200005 misses almost all MSC_PCRE_LIMITS_EXCEEDED that happen in phase 2.
Proposed solution
It's not entirely clear what a solution would look like. Moving rule 200005 to a later phase would probably not be a good idea, since it would allow the request to be processed before blocking.
A better approach would probably be to move the rule 200005 to be included after rule sets like the CRS. However, this would also mean it would have to be removed from the Recommended Rules to be moved somewhere else, or the Recommended Rules would have to be split up into multiple files that are included before and after other rule sets.
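The ordering argument in this report, modelled as an added example (not part of the original issue and not ModSecurity code). It assumes rules run phase by phase and, within a phase, in include order; the function names, the `tx` dictionary and the three placements are hypothetical stand-ins.

```python
# Simplified model of rule ordering (assumption: phases run in order, and
# rules inside a phase run in the order they were included).
FLAG = "MSC_PCRE_LIMITS_EXCEEDED"

def rule_set_rule(tx):
    # Constructed stand-in for a phase 2 rule from a later-included rule set
    # (e.g. the CRS) during which the error flag gets set.
    tx[FLAG] = 1

def check_200005(tx):
    # Stand-in for rule 200005: deny when the error flag is present.
    return "deny" if tx.get(FLAG) else None

def backend(tx):
    # The application handles the request once phase 2 has let it through.
    tx["request_processed"] = True

def run(rules):
    """rules: list of (phase, callable) in include order -> (verdict, tx)."""
    tx = {}
    for phase in (1, 2, 3, 4, 5):
        if phase == 3:
            backend(tx)  # response phases start after the backend has run
        for rule_phase, rule in rules:
            if rule_phase == phase and rule(tx) == "deny":
                return f"denied in phase {phase}", tx
    return "passed", tx

# The three placements discussed in the report.
PLACEMENTS = {
    "check before rule set (current)": [(2, check_200005), (2, rule_set_rule)],
    "check included after rule set": [(2, rule_set_rule), (2, check_200005)],
    "check moved to phase 3": [(3, check_200005), (2, rule_set_rule)],
}

def evaluate():
    results = {}
    for name, rules in PLACEMENTS.items():
        verdict, tx = run(rules)
        results[name] = (verdict, tx.get("request_processed", False))
    return results

if __name__ == "__main__":
    for name, (verdict, processed) in evaluate().items():
        print(f"{name}: {verdict}; backend processed request: {processed}")
```

Only the placement after the rule set denies the request before the backend sees it; the phase 3 placement denies too late, and the current placement never fires.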