On Fri, Feb 02, 2024 at 06:43:12PM +0000, Lukas Tribus wrote:
> On Fri, 2 Feb 2024 at 18:42, John Lauro <johnala...@gmail.com> wrote:
> >
> > Seems like a lint style checker that doesn't require AI.
> > For example, it could recognize that the / in /api isn't valid for 
> > req.hdr(host)
> > [...]
> > The _ in path_beg is also questionable.  You can have _ in DNS names,
> > but they are not valid in host names.
> 
> [ CCing the mailing list again ]
> 
> A primary use-case for ACLs is to match invalid values and headers (
> for example in case of zero days).
> 
> We can't restrict ACLs to valid things only, that would defeat the
> purpose of ACLs.

I totally agree. We have a diagnostic mode (-dD) which triggers warnings
on a few more cases. The purpose is to say "this is totally valid but
unusual, are you sure?". One example would be having two servers with the
same cookie value, which commonly results from a copy-paste. The case
above could possibly be another example, but in fact we could check for
the presence of "and" or "or" on a line, or some other suspicious
constructs such as those where a pattern has parenthesis and looks like
a sample fetch function.

But honestly, I think there's already a lot of effort involved in trying
to help spot mistakes with various warnings, with correct rule ordering
checks and with suggestions of alternate keywords in case of misspelling,
all such things rely on fuzzy logic and take a lot of time while being
very rarely used, so I'm never totally convinced that the benefits are
worth the effort :-/

Willy

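The heuristics Willy describes above (a literal "and"/"or" sitting among ACL patterns, a pattern that looks like a sample fetch call, a "/" pattern matched against the Host header, and the -dD warning about two servers sharing a cookie value) are easy to prototype outside HAProxy. The script below is an added example written for this page; it is not HAProxy's code, it does not reproduce what `haproxy -dD` actually checks, and its flag handling and fetch-name regexes are simplified assumptions. The sample configuration it runs on is constructed for the example.

```python
"""Heuristic lint for HAProxy `acl` and `server` lines.

Added example, not HAProxy's own code. The checks approximate the
suspicious constructs discussed in the thread; they are hypothetical
heuristics, not the behaviour of `haproxy -dD`.
"""
import re
from typing import Dict, List, Tuple

# Valid ACL patterns that almost always mean two conditions were
# (wrongly) combined on one `acl` line instead of in the `if` clause.
LOGIC_WORDS = {"and", "or", "&&", "||"}

# ACL flags that consume the next token. Simplified: HAProxy's real flag
# grammar is richer, but these are the common ones.
FLAGS_WITH_ARG = {"-f", "-m"}

# A pattern that looks like a sample fetch call, e.g. `req.hdr(host)`.
FETCH_LIKE = re.compile(r"^[A-Za-z_][\w.]*\([^()]*\)$")

# Fetches that read the Host header (only the common spellings).
HOST_FETCH = re.compile(
    r"^(req\.)?f?hdr(_(beg|end|dom|sub|reg))?\(\s*host\s*\)$", re.I)

# Constructed sample config: three suspicious acls, one clean acl and a
# copy-pasted cookie value in the backend.
SAMPLE_CONFIG = """\
frontend web
    bind :80
    acl is_api path_beg /api or path_beg /v2
    acl host_ok req.hdr(host) -i /api
    acl weird path -m str req.hdr(host)
    acl good path_beg -i /api /v2
    use_backend api if is_api

backend api
    server s1 10.0.0.1:8080 check cookie s1
    server s2 10.0.0.2:8080 check cookie s1
"""


def _split_acl(tokens: List[str]) -> Tuple[str, List[str]]:
    """Return (fetch, patterns) from the tokens following `acl NAME`."""
    fetch, rest = tokens[0], tokens[1:]
    patterns: List[str] = []
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok == "--":                 # explicit end of flags
            patterns.extend(rest[i + 1:])
            break
        if tok.startswith("-"):         # flag, possibly with an argument
            i += 2 if tok in FLAGS_WITH_ARG else 1
            continue
        patterns.append(tok)
        i += 1
    return fetch, patterns


def lint(config: str) -> List[Tuple[int, str]]:
    """Return (line number, warning) pairs for suspicious-but-valid lines."""
    findings: List[Tuple[int, str]] = []
    section = "(global)"
    # section -> cookie value -> first server that used it
    cookies: Dict[str, Dict[str, str]] = {}
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        kw = tokens[0]
        if kw in ("frontend", "backend", "listen", "defaults"):
            section = " ".join(tokens[:2])
        elif kw == "server" and "cookie" in tokens[3:]:
            j = tokens.index("cookie", 3)
            if j + 1 < len(tokens):
                value, name = tokens[j + 1], tokens[1]
                seen = cookies.setdefault(section, {})
                if value in seen:
                    findings.append((lineno, f"{section}: server {name} reuses "
                                     f"cookie '{value}' of server {seen[value]} "
                                     f"(copy-paste?)"))
                else:
                    seen[value] = name
        elif kw == "acl" and len(tokens) >= 3:
            name = tokens[1]
            fetch, patterns = _split_acl(tokens[2:])
            for p in patterns:
                if p in LOGIC_WORDS:
                    findings.append((lineno, f"acl {name}: '{p}' is matched as a "
                                     f"pattern, not used as an operator"))
                elif FETCH_LIKE.match(p):
                    findings.append((lineno, f"acl {name}: pattern '{p}' looks "
                                     f"like a sample fetch call"))
            if HOST_FETCH.match(fetch) and any(p.startswith("/") for p in patterns):
                findings.append((lineno, f"acl {name}: a pattern starting with "
                                 f"'/' can never match a Host header"))
    return findings


if __name__ == "__main__":
    for n, msg in lint(SAMPLE_CONFIG):
        print(f"line {n}: {msg}")
```

Every line flagged here is accepted by HAProxy as written, which is exactly the point of the thread: these are "are you sure?" warnings, not parse errors, and an ACL that deliberately matches a malformed value must stay expressible.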