On Fri, Feb 02, 2024 at 06:43:12PM +0000, Lukas Tribus wrote:
> On Fri, 2 Feb 2024 at 18:42, John Lauro <johnala...@gmail.com> wrote:
> >
> > Seems like a lint style checker that doesn't require AI.
> > For example, it could recognize that the / in /api isn't valid for
> > req.hdr(host)
> > [...]
> > The _ in path_beg is also questionable. You can have _ in dns names,
> > but are not valid in host names.
>
> [ CCing the mailing list again ]
>
> A primary use-case for ACLs is to match invalid values and headers (
> for example in case of zero days).
>
> We can't restrict ACLs to valid things only, that would defeat the
> purpose of ACLs.
I totally agree. We have a diagnostic mode (-dD) which triggers warnings
on a few more cases. The purpose is to say "this is totally valid but
unusual, are you sure?". One example would be having two servers with the
same cookie value, which commonly results from a copy-paste. The case above
could possibly be another example, but in fact we could check for the
presence of "and" or "or" on a line, or some other suspicious constructs
such as those where a pattern has parentheses and looks like a sample fetch
function.

But honestly, I think there's already a lot of effort involved in trying to
help spot mistakes with various warnings, with correct rule ordering checks
and with suggestions of alternate keywords in case of misspelling. All such
things rely on fuzzy logic and take a lot of time while being very rarely
used, so I'm never totally convinced that the benefits are worth the
effort :-/

Willy
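The heuristics discussed in this thread (a "/" in a Host-header pattern, a "_" in a host name, a stray "and"/"or" on an acl line, and a pattern that looks like a sample fetch) written up as a small stand-alone linter. This is an added example for this page, not HAProxy's own -dD diagnostic code; the check names, the message wording and the sample config are all constructed.

```python
import re

# Token shaped like a sample fetch with arguments, e.g. hdr(host) or req.hdr(host)
FETCH_RE = re.compile(r"^[A-Za-z_][\w.]*\([^)]*\)$")
BOOL_WORDS = {"and", "or", "||", "&&"}
HOST_FETCHES = {"hdr(host)", "req.hdr(host)"}

def lint_acl_line(lineno, line):
    """Return [(lineno, level, message), ...] for one 'acl' line; other lines yield []."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 3 or tokens[0] != "acl":
        return []
    name, fetch, rest = tokens[1], tokens[2], tokens[3:]
    fetch = fetch.split(",", 1)[0].lower()                 # drop converters such as ",lower"
    patterns = [t for t in rest if not t.startswith("-")]  # drop -i/-m/-f style flags
    findings = []
    for t in patterns:
        if t in BOOL_WORDS:
            # and/or belong in if/unless conditions, not in an acl definition;
            # seeing them here usually means two ACLs were pasted onto one line
            findings.append((lineno, "warning", f"acl '{name}': '{t}' is not a pattern, combine ACLs in the 'if' condition"))
        elif FETCH_RE.match(t):
            # a pattern shaped like foo(bar) is most likely a second sample fetch
            findings.append((lineno, "warning", f"acl '{name}': pattern '{t}' looks like a sample fetch, not a value"))
        elif fetch in HOST_FETCHES and "/" in t:
            # a Host header value can never contain '/', so this pattern cannot match
            findings.append((lineno, "error", f"acl '{name}': '/' can never appear in the Host header ('{t}')"))
        elif fetch in HOST_FETCHES and "_" in t:
            # '_' is legal in DNS names but not in host names: unusual, not fatal
            findings.append((lineno, "warning", f"acl '{name}': '_' is unusual in a host name ('{t}')"))
    return findings

def lint_config(text):
    """Run lint_acl_line over every line of a config and collect all findings."""
    return [f for n, line in enumerate(text.splitlines(), 1) for f in lint_acl_line(n, line)]

# Constructed sample config (not a real deployment) exercising each check once.
SAMPLE = """\
frontend fe
    acl is_api req.hdr(host) /api
    acl is_app hdr(host),lower -i app_1.example.com
    acl either path_beg /a or path_beg /b
    acl dup path_beg hdr(host)
    acl ok path_beg /api /v2
    use_backend api if is_api
"""

for lineno, level, msg in lint_config(SAMPLE):
    print(f"line {lineno}: {level}: {msg}")
```

Only the host-header checks are hard errors; the rest are "valid but unusual" warnings in the spirit of -dD, since an ACL may legitimately be written to match malformed input.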