regex, mod-security

specify a floating point range using regular expression


I need a regular expression to check whether a particular argument is in a floating point range. For example, I want the Param only in the range 0.01 to 999.9. I have configured the below rule, but it fails to work.

SecRule ARGS:Param "![0.01-999.9]" "deny,id:2200"

If the value of Param is, say, 1000 it gets rejected, which is correct; if the value of Param is 0 then it is being accepted, which should not be the case. Please let me know the exact way of configuring the regular expression for the same.


Solution

  • this sounds like a business logic rule - something that should be done in the server logic, not by mod_security, but anyways:

    Floating point numbers in the range [0..999.9] are numbers that

    • start with an optional sequence of zeroes (you may or may not allow that)
    • followed by at most three digits, first of which is not zero
    • optionally followed by a dot and nothing but digits (you may require there to be at least one digit, or the last digit to be nonzero)
    • except numbers that start with 999.9 and said optional zeroes
    • except 999.9 itself is allowed (if the range is inclusive from the right)

    the least restrictive variant, compiled into a regex:

    ^0*(?:(?!999\.9\d*$)\d{0,3}(?:\.\d*)?|999\.90*)$
    
    • ^ - start of string (not sure if it's added by mod-security)
    • 0* - 0-n zeroes
    • (?:...) - non-capturing group
      • (?!...) - if not followed by...
        • 999\.9 - the literal 999.9,
        • \d* - 0-n digits and
        • $ - the end of string
      • \d - digit
      • {0,3} - zero to three times
      • (?:...) - non-capturing group
        • \. - literal .
        • \d* - 0-n digits
      • ? - optional
      • | - or
      • 999\.9 - 999.9 itself
      • 0* - optional zeroes
    • $ - the end of string
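The following is an added example, not part of the question or the answer above. It runs the answer's regex (with its second alternative written as `999\.90*`, the form the bullet-by-bullet explanation describes) over constructed sample arguments, and beside it puts the numeric check the answer says belongs in server logic, bounded by the 0.01..999.9 range the question actually asked for. The square-bracket form in the question, `[0.01-999.9]`, is a regex character class, not a numeric range, which is why a regex for this job has to spell out the digit positions the way the answer does. Sample values and the two function names are this example's own.

```python
import re
from decimal import Decimal, InvalidOperation

# The answer's regex, with the second alternative as 999\.90* so that 999.9
# (optionally followed by zeroes) is accepted, as the answer's breakdown describes.
RANGE_RE = re.compile(r"^0*(?:(?!999\.9\d*$)\d{0,3}(?:\.\d*)?|999\.90*)$")

# Plain unsigned decimal: digits, optionally a dot and at least one more digit.
# No sign, exponent, whitespace or bare ".", which a numeric parser might accept.
PLAIN_DECIMAL_RE = re.compile(r"\d+(?:\.\d+)?")


def regex_allows(value: str) -> bool:
    """True when the regex matches the raw argument string, i.e. a rule of the
    form  SecRule ARGS:Param "!@rx <regex>" "deny,..."  would NOT deny it.
    fullmatch() is used so a trailing newline cannot satisfy Python's '$'."""
    return RANGE_RE.fullmatch(value) is not None


def numeric_allows(value: str, low: str = "0.01", high: str = "999.9") -> bool:
    """The check the answer recommends doing in server logic: parse the argument
    as an exact decimal and compare it against the requested bounds."""
    if PLAIN_DECIMAL_RE.fullmatch(value) is None:
        return False
    try:
        x = Decimal(value)
    except InvalidOperation:
        return False
    return Decimal(low) <= x <= Decimal(high)


# Constructed test vectors: (raw argument, accepted by regex, accepted by numeric check).
SAMPLES = [
    ("0",        True,  False),  # the regex range starts at 0; the question asked for 0.01
    ("0.01",     True,  True),
    ("00012.5",  True,  True),   # leading zeroes are tolerated by the 0* prefix
    ("999.89",   True,  True),
    ("999.9",    True,  True),   # inclusive upper bound, via the second alternative
    ("0999.9",   True,  True),   # same value with a leading zero
    ("999.90",   True,  True),
    ("999.91",   False, False),
    ("999.95",   False, False),
    ("1000",     False, False),  # a fourth digit never fits \d{0,3}
    ("",         True,  False),  # every part of the regex is optional, so "" matches
    (".",        True,  False),  # likewise a bare dot
    ("1e2",      False, False),  # exponent form is rejected by both
    ("-5",       False, False),
]


def mismatches():
    """Return the sample values whose observed verdicts differ from the expected
    ones; an empty list means the regex behaves as the answer's explanation says."""
    bad = []
    for value, want_rx, want_num in SAMPLES:
        if regex_allows(value) != want_rx or numeric_allows(value) != want_num:
            bad.append(value)
    return bad


if __name__ == "__main__":
    for value, _, _ in SAMPLES:
        print(f"{value!r:12} regex={regex_allows(value)!s:5} numeric={numeric_allows(value)}")
    print("mismatches:", mismatches())
```

The rows for `""` and `"."` are the reason to keep the numeric check even when the regex is deployed in mod_security: the "least restrictive variant" leaves every component optional, so an empty or dot-only argument passes the regex but is not a number in the requested range. The `numeric_allows` function also enforces the 0.01 lower bound that the regex, built for [0..999.9], does not.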