feat: add regex support to ctl:ruleRemoveTargetById, ruleRemoveTargetByTag, and ruleRemoveTargetByMsg collection keys

[Copilot]

ctl:ruleRemoveTargetById (and its siblings) only accepted exact string keys, making it impossible to write per-URI exclusions for dynamically indexed variables like ARGS:json.0.field, ARGS:json.1.field, etc. without globally disabling the rule or excluding the entire collection.

Changes

• internal/strings/strings.go — New HasRegex(s string) (bool, string) shared utility that detects /pattern/ syntax with correct escaped-slash handling (e.g. /user\/ is a plain string; /user\\/ is a regex). Both rule.go and ctl.go delegate to this function for consistent behavior.
• internal/actions/ctl.go — parseCtl uses utils.HasRegex to detect regex keys, validates that the pattern is non-empty, and accepts a plugintypes.Memoizer to deduplicate compiled *regexp.Regexp instances across rules sharing the same pattern. ctlFn gains a colKeyRx *regexp.Regexp field; all three RemoveRuleTargetByID calls in Evaluate forward it. ctlFn.Init type-asserts plugintypes.RuleMetadata to *corazawaf.Rule to extract and pass the rule's memoizer into parseCtl. Doc comment updated to describe both exact-string and regex-delimited key forms.
• internal/corazawaf/transaction.go — RemoveRuleTargetByID gains a keyRx *regexp.Regexp parameter; stored directly in ruleVariableParams. Doc comment updated to cover the new argument.
• internal/corazawaf/rule.go — Exception loop now passes c.KeyRx (was hardcoded nil) when building ruleVariableException entries from ruleRemoveTargetByID, completing the propagation path. Adds a public Memoizer() plugintypes.Memoizer getter alongside the existing SetMemoizer. Local hasRegex() now delegates to utils.HasRegex().
• internal/corazawaf/transaction_test.go — Added BenchmarkTxGetFieldWithShortRegexException and BenchmarkTxGetFieldWithMediumRegexException benchmarks (plus a makeTransactionWithJSONArgs helper) to quantify the per-call overhead of regex exception filtering at different pattern complexities.
• testing/engine/ctl.go — Added four integration tests covering all three CTL target-removal variants:
  • "ruleRemoveTargetById regex key" — GET args matching /^json\.\d+\.desc$/
  • "ruleRemoveTargetById regex key (POST JSON body)" — POST with Content-Type: application/json; JSON body processor maps [{"desc":"attack"},{"desc":"attack"}] to ARGS_POST:json.0.desc and ARGS_POST:json.1.desc
  • "ruleRemoveTargetByTag regex key" — removes ARGS_GET:/^json\.\d+\.desc$/ from all rules tagged OWASP_CRS
  • "ruleRemoveTargetByMsg regex key" — removes ARGS_GET:/^json\.\d+\.desc$/ from all rules with msg:'web shell detection'

Example

SecRule REQUEST_URI "@beginsWith /api/jobs" \
    "id:100100,phase:1,pass,nolog,\
     ctl:ruleRemoveTargetById=932125;ARGS:/^json\.\d+\.jobdescription$/"

Note: Exception key matching is always case-insensitive (keys are lowercased before comparison), so regex patterns should be written in lowercase or use (?i).

Applies to all three variants

The regex key syntax works uniformly across all three target-removal CTL options:

# By rule ID
ctl:ruleRemoveTargetById=932125;ARGS:/^json\.\d+\.jobdescription$/

# By tag
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS_GET:/^json\.\d+\.field$/

# By message
ctl:ruleRemoveTargetByMsg=web shell detection;ARGS_GET:/^json\.\d+\.field$/

Escaped-slash handling

HasRegex correctly distinguishes regex delimiters from escaped slashes inside patterns:

Input	Treated as regex?	Pattern
/user/	✅	user
/user\/	❌ (escaped close)	—
/user\\/	✅ (double-escaped)	user\\
//	error: empty pattern	—

JSON body processor note

The JSON body processor prefixes all parsed variables with json. (e.g. [{"field":"value"}] → ARGS_POST:json.0.field=value). Regex patterns in ctl:ruleRemoveTargetById should account for this prefix when targeting JSON POST arguments.

Benchmarks

Sample results (AMD EPYC 7763) showing the cost of regex exception filtering relative to the no-exception baseline:

BenchmarkTxGetField-4                           	 4448526	  558.9 ns/op	  384 B/op	6 allocs/op
BenchmarkTxGetFieldWithShortRegexException-4    	 1000000	 2181.0 ns/op	 1888 B/op	6 allocs/op
BenchmarkTxGetFieldWithMediumRegexException-4   	  726223	 3189.0 ns/op	 1888 B/op	6 allocs/op

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Feature Request: Regex/pattern support for ctl:ruleRemoveTargetById (URI-scoped exclusions)</issue_title>
<issue_description>Hi team! This is my first ask/contribution to Coraza. I'm hoping to help improve false positive management for folks using CRS — please let me know if I can clarify anything or adjust this proposal.

Feature Description

Add regular expression support to ctl:ruleRemoveTargetById to allow URI-scoped exclusions for dynamically named variables (like JSON array indices or GraphQL keys).

Currently, targets must be exact literals. If an API accepts a JSON array (ARGS:json.0.JobDescription, ARGS:json.1.JobDescription), operators cannot easily exclude a specific CRS rule for that parameter without disabling the rule globally or excluding the entire URI.

Proposed Solution

Allow /.../ syntax in the target collection, similar to SecRuleUpdateTargetById.

Example:

SecRule REQUEST_URI "@beginsWith /api/jobs" \
    "id:100100,phase:1,pass,nolog,ctl:ruleRemoveTargetById=932125;ARGS:/^json\.\d+\.JobDescription$/"

Codebase Feasibility

Coraza already has the necessary exception infrastructure; the gap is parsing and passing the regex from the ctl action into the evaluation path.

• internal/actions/ctl.go: In parseCtl, detect the colkey in /.../ form. If present, compile via regexp.Compile and store in ctlFn.
• internal/corazawaf/transaction.go: Extend RemoveRuleTargetByID(id, variable, key string) to accept an optional keyRx *regexp.Regexp. Store as ruleVariableParams{Variable, KeyStr, KeyRx}.
• internal/corazawaf/rule.go: In the exclusion loop (~line 233), use ruleVariableException{c.KeyStr, c.KeyRx} instead of nil for the regex field.

Performance & Security Notes

Because Coraza utilizes Go's regexp (RE2) engine, it provides a linear-time guarantee and is naturally resistant to catastrophic backtracking (ReDoS).

• Scope: The regex only matches variable names (e.g., json.0.JobDescription), not the payload values.
• Limits: To maintain performance, we recommend a soft cap on the subject length (e.g., 256 characters) when evaluating the regex against incoming variable names.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Feature Request: Regex/pattern support for ctl:ruleRemoveTargetById (URI-scoped exclusions) #1503
• Fixes Adds support for regex in ctl key #718

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[fzipi]

@copilot Add benchmarks also for short and medium regexes.

[fzipi]

@copilot Read #1207 as it is another implementation of the same feature. In particular, you could take from there the HasRegex func (and tests) that will make the code more easy to read.

[Copilot]

@copilot Add benchmarks also for short and medium regexes.

Added in commit 94c557a:

• makeTransactionWithJSONArgs helper — builds a transaction with 10 JSON-array-style GET args (json.0.jobdescription … json.9.jobdescription) to simulate the real-world pattern
• BenchmarkTxGetFieldWithShortRegexException — uses ^id$
• BenchmarkTxGetFieldWithMediumRegexException — uses ^json\.\d+\.jobdescription$

Sample results on AMD EPYC 7763:

BenchmarkTxGetField-4                           	 4448526	  558.9 ns/op	  384 B/op	6 allocs/op
BenchmarkTxGetFieldWithShortRegexException-4    	 1000000	 2181.0 ns/op	 1888 B/op	6 allocs/op
BenchmarkTxGetFieldWithMediumRegexException-4   	  726223	 3189.0 ns/op	 1888 B/op	6 allocs/op

[Copilot]

@copilot Read #1207 as it is another implementation of the same feature. In particular, you could take from there the HasRegex func (and tes...

Done in commit 0c47e23:

• Added HasRegex() to internal/strings/strings.go — handles escaped slashes properly (e.g. /user\/ is not a regex; /user\\/ is) using the same backslash-counting logic from PR feat(ctl): implement ctl regexes #1207.
• rule.go's local hasRegex() now delegates to utils.HasRegex() (added import).
• parseCtl() in ctl.go uses utils.HasRegex() instead of the inline check, and now returns an error for empty regex patterns (//).
• TestHasRegex() added in internal/strings/strings_test.go (12 cases).
• TestParseCtl extended with empty regex pattern and escaped slash not treated as regex sub-tests.

[fzipi]

@copilot While the test "ruleRemoveTargetById regex key" targets GET arguments, a test that does POST using json formatted input would also be good to have. Be aware that the json bodyprocessor adds json. as prefix to the variables, and if in doubt, read the json tests.

[Copilot]

@copilot While the test "ruleRemoveTargetById regex key" targets GET arguments, a test that does POST using json formatted input would also be good to have. Be aware that the json bo...

Added in commit ee4f1bd — new test "ruleRemoveTargetById regex key (POST JSON body)" in testing/engine/ctl.go:

• Sends POST /api/jsonjobs with Content-Type: application/json and body [{"desc": "attack"}, {"desc": "attack"}]
• Rule 310 activates the JSON body processor (ctl:requestBodyProcessor=JSON)
• The JSON processor maps the array to ARGS_POST:json.0.desc=attack and ARGS_POST:json.1.desc=attack
• Rule 311 removes ARGS_POST:/^json\.\d+\.desc$/ from rule 312 via CTL
• Rule 312 (ARGS_POST @rx attack) must not trigger — confirmed by NonTriggeredRules: []int{312}

[fzipi]

@copilot if the syntax is supported also by ruleRemoveTargetByMsg and ruleRemoveTargetByTag, then add tests for both. Use /OWASP_CRS/ as the example for tag, and /.*web shell.*/ fot the msg.

[Copilot]

@copilot if the syntax is supported also by ruleRemoveTargetByMsg and ruleRemoveTargetByTag, then add tests for both. Use /OWASP_CRS/ as the example for tag, and `/.*web shell....

Added in commit f595ba9:

• ruleRemoveTargetByTag regex key — rule 320 (CTL, fires on /api/tag-test) removes ARGS_GET:/^json\.\d+\.desc$/ from all rules tagged OWASP_CRS; rule 321 (tagged OWASP_CRS, ARGS_GET @rx attack) must not trigger.
• ruleRemoveTargetByMsg regex key — rule 330 (CTL, fires on /api/msg-test) removes ARGS_GET:/^json\.\d+\.desc$/ from all rules with msg:'web shell detection'; rule 331 (ARGS_GET @rx attack, msg:'web shell detection') must not trigger.

Both CTL rules are placed before their respective target rules in the ruleset (lower IDs, same phase) so the removal takes effect before the target rule evaluates.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.37%. Comparing base (fddc8ba) to head (9057aa0).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1561      +/-   ##
==========================================
+ Coverage   86.32%   86.37%   +0.05%     
==========================================
  Files         176      176              
  Lines        8775     8810      +35     
==========================================
+ Hits         7575     7610      +35     
  Misses        949      949              
  Partials      251      251              

Flag	Coverage Δ
coraza.no_memoize	86.45% <100.00%> (+0.05%)	⬆️
coraza.rule.case_sensitive_args_keys	86.34% <100.00%> (+0.05%)	⬆️
coraza.rule.mandatory_rule_id_check	86.36% <100.00%> (+0.05%)	⬆️
coraza.rule.multiphase_evaluation	86.10% <100.00%> (+0.05%)	⬆️
coraza.rule.no_regex_multiline	86.36% <100.00%> (+0.05%)	⬆️
default	86.37% <100.00%> (+0.05%)	⬆️
examples+	16.67% <8.00%> (-0.04%)	⬇️
examples+coraza.no_memoize	84.43% <100.00%> (+0.06%)	⬆️
examples+coraza.rule.case_sensitive_args_keys	84.42% <100.00%> (+0.06%)	⬆️
examples+coraza.rule.mandatory_rule_id_check	84.54% <100.00%> (+0.06%)	⬆️
examples+coraza.rule.multiphase_evaluation	86.10% <100.00%> (+0.05%)	⬆️
examples+coraza.rule.no_regex_multiline	84.39% <100.00%> (+0.06%)	⬆️
examples+no_fs_access	83.89% <100.00%> (+0.06%)	⬆️
ftw	86.37% <100.00%> (+0.05%)	⬆️
no_fs_access	85.72% <100.00%> (+0.05%)	⬆️
tinygo	86.37% <100.00%> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[fzipi]

@copilot apply go fmt to fix the pipeline https://github.com/corazawaf/coraza/actions/runs/23295092484/job/67741892512?pr=1561

[Copilot]

@copilot apply go fmt to fix the pipeline https://github.com/corazawaf/coraza/actions/runs/23295092484/job/67741892512?pr=1561

Fixed in commit 922efd5 — the comment continuation lines in internal/actions/ctl.go were indented one extra level, which gofmt normalizes. Applied gofmt -w.

[fzipi]

@copilot Take a look at #1561 (comment) and add more coverage.

[Copilot]

@copilot Take a look at #1561 (comment) and add more coverage.

Added in commit 877f638. The Codecov report pointed to the memoizer branch in parseCtl (if memoizer != nil): unit tests never exercised it because TestCtl creates rules without calling SetMemoizer. Two new subtests cover it:

• TestParseCtl/memoizer_with_valid_regex — passes a real memoize.NewMemoizer(99) with a valid regex, covering the success path (lines 416–421).
• TestParseCtl/memoizer_with_invalid_regex — passes a memoizer with an invalid regex, covering the error-return path (line 419).

[fzipi]

LGTM now.