File: //proc/thread-self/root/proc/self/root/usr/local/modsecurity-crs/regex-assembly/942550.ra
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.
##! Referring to https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
##! this rule tries to match the following payloads:
##!
##! PostgreSQL: '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb
##! PostgreSQL: '{"b":2}'::jsonb @> '{"a":1, "b":2}'::jsonb
##! PostgreSQL: '{"b":2}'::jsonb @ '{"a":1, "b":2}'::jsonb
##! PostgreSQL: '{"b":2}'::jsonb < '{"a":1, "b":2}'::jsonb
##! PostgreSQL: '{"b":2}'::jsonb > '{"a":1, "b":2}'::jsonb
##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7
##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' <- '$.c[2].f' = 7
##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' < '$.c[2].f' = 7
##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' > '$.c[2].f' = 7
##! MySQL: JSON_EXTRACT('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan'
##!> define quotes [\"'`]
##!> define operators (?:@>|<@|\?|\?\||\?&|#>|#>>|->>|<|>|->|<-)
##!> define json_ending_brackets [\]\}]
##!> define json_starting_brackets [\[\{]
##!> assemble
##! https://regex101.com/r/mzG5Fg/1
{{quotes}}{{json_starting_brackets}}.*{{json_ending_brackets}}{{quotes}}.*(::.*jsonb?)?.*{{operators}}
{{operators}}{{quotes}}{{json_starting_brackets}}.*{{json_ending_brackets}}{{quotes}}
##! example: SELECT id FROM users WHERE id=JsoN_EXTraCT/**/(/**/' {"a":1} '/**/,/**/' $.a '/**/);
json_extract.*\(.*\)
##!<