# # # # # # # # # # # # # # # # # # # #
# configuration file for crs-toolchain
# # # # # # # # # # # # # # # # # # # #
patterns:
  # The Unix evasion patterns, were extended per decision in https://github.com/coreruleset/coreruleset/issues/2632.
  anti_evasion:
    # - [\x5c'\"\[)]: common evasion tokens and path expansion, e.g., `/bin/[c]''a""\t`
    # - (?:\|\||&&)\s*: hiding of empty variables through logial operators, e.g., `nc&&$u -p 777`
    # - \$[a-z0-9_@?!#{(*-]*: empty variable evasion, e.g., `n\$uc -p 777`
    # - [\x5c'\"\[)], \$[a-z0-9_@?!#{(*-]*: arithmetic expansion evasion, e.g., `c$((9))9`
    unix: |
      [\x5c'\"\[)]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{(*-]*)?\x5c?
    windows: |
      [\"\^]*
  anti_evasion_suffix:
    # - \s$: end of line / string
    # - <>: redirection, e.g., `cat<foo`
    # - ,: brace expansion, e.g., `""{nc,-p,777}`
    # - &|: logical operators in headers, e.g., `a=nc&&$a -nlvp 555`
    # - ): subshell, e.g, `(ifconfig)`
    unix: |
      (?:[\s<>&|),]|$).*
    # "more foo", "more,foo", "more;foo", "more.com", "more/e",
    # "more<foo", "more>foo"
    windows: |
      [\s,;./<>].*
  # Same as above but does not allow any white space as the next token.
  # This is useful for words like `python3`, where `python@` would
  # create too many false positives because it would match `python `.
  # These patterns consist mainly of combinations of the `anti_evasion`
  # and `anti_evasion_suffix` patterns above, with only a few bits of
  # additional matching logic.
  anti_evasion_no_space_suffix:
    # This will match:
    #
    # python<<<foo
    # python2 foo
    #
    # It will _not_ match:
    # python foo
    unix: |
      (?:(?:[<>&|),]|$){1,10}|(?:[\w\d._-][\x5c'\"\[)]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{(*-]*)?\x5c?){1,10}(?:[\s<>&|),]|$){1,10})
    # This will match:
    #
    # python,foo
    # python2 foo
    #
    # It will _not_ match:
    # python foo
    windows: |
      (?:[,;./<>]{1,10}|(?:[\w\d._-][\"\^]*){1,10}[\s,;./<>]{1,10})