
WAF Plugin Incorrectly Flags Parameters Starting with "sh" as Security Risk #1619

Open
lingcoder opened this issue Dec 23, 2024 · 1 comment

Comments


lingcoder commented Dec 23, 2024

Ⅰ. Issue Description

When the WAF plugin is enabled, requests with parameters starting with "sh" are incorrectly flagged as a potential shell script execution risk. Then my HTTP status code was changed to 403 by Higress.

Ⅱ. Describe what happened

After enabling the WAF plugin in Higress, I find that the request gets blocked and flagged as a potential shell script execution risk. This detection seems overly simplistic and could lead to false positives for legitimate requests.

If there is an exception, please attach the exception trace:

[screenshot attached in the original issue; not reproduced here]

Ⅲ. Describe what you expected to happen

I expect the WAF plugin to have a more intelligent approach to identifying security risks, rather than simply blocking requests based on the beginning of parameter values, in order to avoid false positives.

Ⅳ. How to reproduce it (as minimally and precisely as possible)

  1. Enable the WAF plugin in Higress.
  2. Send a request with a parameter "bizSource" with a value that starts with "sh".
  3. Observe the request being blocked.

Ⅴ. Anything else we need to know?

No additional information at this time.

Ⅵ. Environment:

  • Higress version: v2.0.0
  • OS: ubuntu22.04
  • Others:

@johnlanni (Collaborator) commented

Currently, the OWASP 4.0.0-rc1 rule engine is being used. We will upgrade to the latest version later. For now, we can bypass it like this:

  1. Configure an independent waf plugin configuration for this route
  2. In secRules, configure SecRuleRemoveById 932250 to remove this problematic rule
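The two steps above, written out as a route-scoped WAF plugin configuration. This is an added example, not configuration from the issue or from the Higress project: it assumes the Higress WasmPlugin CRD shape (spec.defaultConfig, spec.matchRules with an ingress list and a per-rule config) and the WAF plugin's useCRS/secRules keys; the ingress name default/my-api and the image URL are placeholders. Besides the SecRuleRemoveById line the maintainer suggests, it shows a narrower alternative using the standard ModSecurity-style SecRuleUpdateTargetById directive, which keeps rule 932250 active for every other argument and only stops it from inspecting bizSource.

```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: waf
  namespace: higress-system
spec:
  # Placeholder image reference: use the WAF plugin image your Higress install ships with.
  url: oci://PLACEHOLDER-REGISTRY/plugins/waf:PLACEHOLDER-TAG
  defaultConfig:
    # Every route not matched below keeps the full OWASP CRS rule set.
    useCRS: true
  matchRules:
    # Route-scoped override: only the ingress listed here gets the relaxed rules.
    - ingress:
        - default/my-api   # placeholder: namespace/ingress-name of the affected route
      config:
        useCRS: true
        secRules:
          # Option 1 (the maintainer's suggestion): drop rule 932250 entirely on this route.
          # Note this disables the whole Unix-command-execution check for all parameters here.
          - "SecRuleRemoveById 932250"
          # Option 2 (narrower, assumed to be accepted by the plugin's rule engine):
          # keep 932250 but exclude only the parameter that produces the false positive,
          # so other arguments on this route are still checked. Use one option, not both.
          # - "SecRuleUpdateTargetById 932250 \"!ARGS:bizSource\""
```

Because the override is attached to matchRules rather than defaultConfig, routes other than default/my-api are unaffected. Prefer Option 2 where the false positive is confined to a known parameter: a rule removed by ID on a route means that route no longer logs or blocks command-execution payloads in any argument, whereas the target exclusion only blinds the rule to the one argument named.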
