
SecAction to remove a full rule target doesn't work #1436

@adrienyhuel

Description

I saw that we maybe could exclude all ARGS from a rule with the action ruleRemoveTargetById.
Example:
https://github.com/EsadCetiner/wordpress-rule-exclusions-plugin/blob/c677d8907f33143cd2ba33b95b93ca709d07b47a/plugins/wordpress-rule-exclusions-before.conf#L151C5-L151C42
ctl:ruleRemoveTargetById=932220;ARGS,

Though I can't get it to work with Coraza, I tried the following rules in the Coraza playground:

ctl:ruleRemoveById=941390
--> Works, but excludes the rule for all (ARGS, COOKIES, XML...)

ctl:ruleRemoveTargetById=941390;ARGS:test
--> Works, but targets a specific ARG (test)

ctl:ruleRemoveTargetById=941390;ARGS
--> Doesn't work

Steps to reproduce

Test in the Coraza playground with:

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecAuditLogParts ABFHKZ

#SecRule REQUEST_FILENAME "@rx ^/testurl$" "id:1020, phase:1, pass, nolog, ctl:ruleRemoveById=941390"

#SecRule REQUEST_FILENAME "@rx ^/testurl$" "id:1020, phase:1, pass, nolog, ctl:ruleRemoveTargetById=941390;ARGS:test"

SecRule REQUEST_FILENAME "@rx ^/testurl$" "id:1020, phase:1, pass, nolog, ctl:ruleRemoveTargetById=941390;ARGS"

GET /testurl?test=alert('alert') HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

Expected result

An action like "ctl:ruleRemoveTargetById=941390;ARGS" should remove all ARGS for the specified rule

Actual result

ctl:ruleRemoveTargetById only works with a specific named target
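
The behaviour requested in this issue, modelled as an added example (not Coraza's code and not part of the original post): a whole-collection value such as `941390;ARGS` should exclude every ARGS entry for that rule, while `941390;ARGS:test` excludes a single key. The `Exclusion` type, the function names and the sample transaction are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Exclusion models one ctl:ruleRemoveTargetById value, "ID;COLLECTION[:KEY]".
type Exclusion struct{ RuleID, Collection, Key string }

// ParseExclusion splits a value such as "941390;ARGS:test".
// An empty Key means the whole collection is excluded.
func ParseExclusion(v string) (Exclusion, error) {
	id, target, ok := strings.Cut(v, ";")
	if !ok || id == "" || target == "" {
		return Exclusion{}, fmt.Errorf("malformed exclusion %q", v)
	}
	col, key, _ := strings.Cut(target, ":")
	return Exclusion{RuleID: id, Collection: strings.ToUpper(col), Key: key}, nil
}

// Inspected lists the "COLLECTION:key" entries rule ruleID still evaluates.
func Inspected(ruleID string, tx map[string][]string, excl []Exclusion) []string {
	out := []string{}
	for col, keys := range tx {
		for _, key := range keys {
			skip := false
			for _, e := range excl {
				// Key == "" is the whole-collection case this issue reports as ignored.
				if e.RuleID == ruleID && e.Collection == col &&
					(e.Key == "" || strings.EqualFold(e.Key, key)) {
					skip = true
				}
			}
			if !skip {
				out = append(out, col+":"+key)
			}
		}
	}
	sort.Strings(out) // map iteration order is random; sort for stable output
	return out
}

func main() {
	// Constructed transaction: two query arguments and one cookie.
	tx := map[string][]string{"ARGS": {"test", "other"}, "REQUEST_COOKIES": {"sid"}}
	for _, v := range []string{"941390;ARGS:test", "941390;ARGS"} {
		e, _ := ParseExclusion(v)
		fmt.Println(v, "->", Inspected("941390", tx, []Exclusion{e}))
	}
}
```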
