File: //usr/share/modsecurity-crs/util/regexp-assemble/regexp-932100.txt
# Word list for rule 932100 (RCE Unix command injection part 1/3)
#
# To convert to a regexp that can be pasted into the rule:
#   cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
#
# Entries starting with ' are used verbatim.
# Everything after # is a comment.
#
# To prevent some FP for a command, you can require command parameters
# after a command. Only do this if the command regularly causes FP and if
# allowing the bare command (without parameters) is not too dangerous.
# (Note: due to \b following the regexp, a word boundary is also required
# further on, so some letter/number is needed for a match). Example:
#
#   diff+
# Special regexp case for the '.' (source) command to prevent FP:
'\.\s.*
7z
7za
7zr
adduser
alias+
apt-get
arch+
arp
awk+
bash
batch+
breaksw
bsdcat
bsdiff
bsdtar
builtin
bzcat
bzdiff
bzegrep
bzfgrep
bzgrep
bzip2
bzless
bzmore
cat+
cc+
chattr
chdir+
chflags
chmod
command+
compress+
coproc
cp+
crontab
csh
curl
dash
dhclient
diff+
dmesg
doas
done
dpkg
du+
echo+
egrep
endif
endsw
env
env-update
esac
eval
exec+
expand
export
expr
fc+
fetch+
fgrep
fi
file+
filetest
find+
foreach
ftp+
ftpstats
ftpwho
function
gcc+
gdb
GET+
getfacl+
git+
grep+
gunzip
gzcat
gzip
head+
history
hostid
hostname
htdigest
htpasswd
hup+
# 'id' causes way too much FP, so we require whitespace; this will allow
# injecting ';id' unfortunately.
id+
ifconfig
ip6tables
ipconfig
iptables
irb
irb1
irb18
irb19
irb20
irb21
irb22
java+
jexec
jobs+
kill+
killall
last+
lastcomm
lastlog
lastlogin
ldconfig
ldd+
less+
lessecho
lessfile
lesspipe
lftp
lftpget
ln+
local+
locate+
logname
lp+
ls
ls-F
lsb_release
lscpu
lshw
lsmod
lsof
lspci
lsusb
lwp-download
lwp-dump
lwp-mirror
lwp-request
lynx+
lzcat
lzcmp
lzdiff
lzegrep
lzfgrep
lzgrep
lzless
lzma
lzmore
mailq
mailx+
mkdir+
mlocate
more+