False positive on valid ESPO traffic using OWASP core ruleset

[analystcmyk]

Is your feature request related to a problem? Please describe.

Application firewalls following the OWASP core ruleset (coreruleset.org) scan for SQL injection attempts and trigger on valid Espo traffic. Not all firewalls can be tuned to intelligently allow for eg regexps to override the SQL injection rules.

Example URL that triggers false positive :
https://espocrm.local/api/v1/Report?select=name%2CentityType%2Ctype%2CassignedUserId%2CassignedUserName%2CcategoryId%2CcategoryName&maxSize=100&offset=0&orderBy=name&order=asc&where%5B0%5D%5Battribute%5D=categoryId&where%5B0%5D%5Btype%5D=isNull

Describe the solution you'd like
Prefer not to use SQL keywords as "select" and "where". Maybe change to "sel" and "whr" in ControllerUtil.
Optional you may consider filing a request for an exemption rule.

Describe alternatives you've considered
For now only disabling the SQL injection detection rule which is not preferred.

Additional context
https://coreruleset.org/installation/

[analystcmyk]

Related : Azure WAF (Web application Firewall) false positive :

Upgrading extensions or uploading files may trigger the rule
"Request body length (excluding file upload fields) exceeded the limit"

This is because files are base64 encoded in the request body, not as regular attachment uploads.

Just be aware that if you are running behind an application gateway, that these errors may produce silent application fails with only a short "error 403" message.

Suggested : the client could report this type of intermediate errors back to the application server. Currently they just disappear in the rejection logs of Application Gateways that may not be under your control.

Application gateways/firewalls do not always add a specific header ( Amazon does , see https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-troubleshoot-403-forbidden/ ) that can be tested by the client whether it is a gateway error. The client might parse the response body for keywords like "gateway" in case of a 403.

Example response of Azure WAF

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>Microsoft-Azure-Application-Gateway/v2</center>
</body>
</html>

[analystcmyk]

This behaviour also occurs with servers that have modsec enabled, or that have Cloudflare protection.

Suggested : Handle 403 similar as 200 :

Add console.error('Error 403: ' + xhr.responseText);
to the 403 part at https://github.com/espocrm/espocrm/blob/master/client/src/app.js#L837

This enables at least to quickly spot that it is an error not related to EspoCRM permissions.

Even better would be that the client would report back to espo.log... in the future..