False positive in SID 2067295 (CVE-2025-58180 OctoPrint upload) - pcre matches multipart line terminator

This rule fires on any legitimate multipart file upload to /api/files/local, not just command-injection attempts.

Root cause

In the pcre, the skip class [^\x26]*? only stops at &, so it walks past the closing " of the filename="…" field and matches the \x0a of the line’s terminating \r\n (which is in the detection alternation). Any filename without a literal & therefore matches.

Reproduce

POST a normal multipart upload to /api/files/local with e.g. filename="model.gcode" and any body - the rule alerts despite no metacharacter in the filename.

Suggested fix

Bound the search to the filename value and add & as a detected metachar:

pcre:"/^[^\x22\x0d\x0a]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26|%26))+/R"

[^\x26] --> [^\x22\x0d\x0a] stops at the closing quote / CR / LF so the terminator can’t match; injected metacharacters (including a raw \x0a inside the value) still trip.

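As an added illustration (not code from the original thread or from the ET ruleset), the Python below emulates both variants of the pcre against constructed multipart bodies, so the false positive and the effect of the fix can be checked offline. It assumes the /R modifier chains off a preceding content match of the literal filename=" in the Content-Disposition header, and it reconstructs the original pcre from the post's description (skip class [^\x26]*?, no \x26/%26 alternative). The leading ^ is dropped because Python's re.match() already anchors at the start of the slice that is handed to it; sample filenames and bodies are constructed.

```python
import re

# Reconstructed approximation of the original pcre body (assumption: built
# from the post's description, not copied from the ruleset).
ORIGINAL_PCRE = (
    r"[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)"
    r"|(?:\x7c|%7[Cc])|(?:\x24|%24))+"
)

# The fix proposed in the post, minus the leading ^ and the /R modifier.
FIXED_PCRE = (
    r"[^\x22\x0d\x0a]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)"
    r"|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26|%26))+"
)

# Assumption: the content match that /R is relative to is the literal
# filename=" inside the multipart Content-Disposition header.
PRECEDING_CONTENT = 'filename="'


def rule_alerts(pcre: str, body: str) -> bool:
    """Emulate content:"filename=\""; pcre:"/^.../R" on a request body.

    The pcre is applied at the byte right after the preceding content match,
    which is what the /R (relative) modifier does in Suricata/Snort.
    """
    idx = body.find(PRECEDING_CONTENT)
    if idx < 0:
        return False
    start = idx + len(PRECEDING_CONTENT)
    return re.match(pcre, body[start:]) is not None


def multipart_upload(filename: str) -> str:
    """Constructed multipart/form-data body for a POST to /api/files/local."""
    boundary = "----constructedboundary1234"
    return (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
        "G28\nG1 X10 Y10\n"  # a couple of harmless gcode lines as file content
        f"\r\n--{boundary}--\r\n"
    )


def compare(filename: str) -> tuple[bool, bool]:
    """Return (original_pcre_alerts, fixed_pcre_alerts) for one upload."""
    body = multipart_upload(filename)
    return rule_alerts(ORIGINAL_PCRE, body), rule_alerts(FIXED_PCRE, body)


if __name__ == "__main__":
    for name in ["model.gcode", "model;x.gcode", "model%0Ax.gcode", "a&b.gcode"]:
        orig, fixed = compare(name)
        print(f"{name!r:22} original={orig!s:5} fixed={fixed!s:5}")
```

Running it shows the four cases that matter: a plain filename trips the original pcre (the lazy skip walks past the closing quote and the \r to the \n of the line terminator) but not the fixed one; a filename carrying a raw or URL-encoded metacharacter trips both; and a filename containing & is missed by the original, because [^\x26] cannot cross it and & was not in the alternation, but is caught by the fixed pattern.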

Hi there, sorry for any difficulties this has caused. I agree that this regex change should hopefully resolve the issue at-hand while still helping to mitigate the command injection vulnerability, and have made the necessary changes to this rule. These modifications should be available with today’s daily rule release. Please download the latest copy of the ET ruleset, and let us know if there are still problems with this rule.

Again, thank you for reporting this issue, and your recommendation on the regex changes.

-Tony


Awesome, thank you for the quick turnaround on this, Tony! 🙂
