From 793f6cb776689555669cf5ce5088cebe54a17909 Mon Sep 17 00:00:00 2001
From: Sumner Robinson
Date: Fri, 20 Feb 2026 23:50:39 -0500
Subject: [PATCH] update for tracking cookies
---
 src/nssec/modules/waf/config.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/nssec/modules/waf/config.py b/src/nssec/modules/waf/config.py
index 7d6a496..3954595 100644
--- a/src/nssec/modules/waf/config.py
+++ b/src/nssec/modules/waf/config.py
@@ -169,6 +169,11 @@ SecRuleUpdateTargetById 942100 "!REQUEST_COOKIES"
 SecRuleUpdateTargetById 942200 "!REQUEST_COOKIES"
+# ---- Third-party tracking cookies trigger RCE false positives ----
+# Reddit (_rdt_*), Google (_ga, _gid), Facebook (_fbp) etc. use delimiters
+# that match shell patterns like ~N (directory stack) or command separators.
+SecRuleUpdateTargetById 932270 "!REQUEST_COOKIES"
+
 # ---- NS API endpoints use base64 in query strings ----
 SecRule REQUEST_URI "@beginsWith /ns-api/" \\
 "id:1000001,\\
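Review bot: The added `SecRuleUpdateTargetById 932270 "!REQUEST_COOKIES"` takes every cookie out of rule 932270's inspection, not only the tracking cookies the comment names, so the application's own cookie values are no longer checked by that rule either. Scoping the exclusion to the named cookies keeps coverage for the rest, for example `SecRuleUpdateTargetById 932270 "!REQUEST_COOKIES:_ga"` per cookie and a regex selector such as `"!REQUEST_COOKIES:/^_rdt_/"` for the prefixed family. If the blanket form is intentional (the 942100/942200 context lines use the same pattern), the comment should say so, e.g. `# NOTE: disables 932270 for ALL cookies, including first-party ones`. The hunk sits inside a larger configuration block that starts and ends outside it, so whether another rule still covers cookie values cannot be confirmed from here.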