Strapi v4 Filter ModSecurity: Access denied Forbidden

I am using the new Strapi 4 Filters. https://docs.strapi.io/developer-docs/latest/developer-resources/database-apis-reference/rest/filtering-locale-publication.html#filtering

The Filter looks like this: https://domain/api/endpoint?filters[code][$eq]=123

The API is running in a Production Environment, and when I use the Filter I get a ModSecurity 403 Error:

    [client 162.158.91.31] ModSecurity:
    Access denied with code 403 (phase 2).
    Pattern match "(?i:(?:\\\\[\\\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\\\]))" at ARGS_NAMES:filters[authCode][$eq].
    [file "/etc/apache2/modsecurity.d/rules/comodo_free/22_SQL_SQLi.conf"]
    [line "53"] [id "211760"] [rev "4"]
    [msg "COMODO WAF: Finds basic MongoDB SQL injection attempts||...|F|2"]
    [data "Matched Data: [$eq] found within ARGS_NAMES:filters[authCode][$eq]: filters[authCode][$eq]"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"]
    [hostname "..."]
    [uri "/api/..."]
    [unique_id "..."]


Solution 1:[1]

I have a very old copy of the Comodo rule set; rule 211760 looks like this:

    "@rx (?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))

Your query contains the string $eq, so ModSecurity does what you can expect :).

I think the best thing you can do is make an exclusion rule like this:

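    # REQUEST_FILENAME is the request path without the query string,
    # so it still matches when ?filters[...] is appended.
    SecRule REQUEST_FILENAME "@streq /api/endpoint" \
        "id:990100,\
        phase:1,\
        t:none,\
        nolog,\
        pass,\
        chain"
        # Only act when a Strapi filter argument is present. The log shows
        # the match in ARGS_NAMES, so that target is removed from rule 211760.
        SecRule ARGS_NAMES "@beginsWith filters[" \
            "ctl:ruleRemoveTargetById=211760;ARGS_NAMES:filters[code][$eq]"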

Try to put this rule somewhere, e.g. in your Apache VHOST config.
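
To see which query argument names trip rule 211760 before scoping an exclusion, the pattern quoted in the answer can be run over sample requests. This is an added example, not part of the original question or answer; every URL except the first is constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Pattern of Comodo rule 211760 as quoted in the answer above.
RULE_211760 = re.compile(
    r"(?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice"
    r"|x?or|div|like|between|and)\]))"
)

def flagged_arg_names(url):
    """Return (argument name, matched text) pairs the rule would flag."""
    hits = []
    # parse_qsl percent-decodes names, so encoded brackets are caught as well.
    for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        match = RULE_211760.search(name)
        if match:
            hits.append((name, match.group(0)))
    return hits

def names_to_exclude(urls):
    """Map each request path to the sorted, distinct argument names that match."""
    by_path = {}
    for url in urls:
        for name, _matched in flagged_arg_names(url):
            by_path.setdefault(urlsplit(url).path, set()).add(name)
    return {path: sorted(names) for path, names in by_path.items()}

# Constructed sample requests; only the first URL appears in the question.
SAMPLE_URLS = [
    "https://domain/api/endpoint?filters[code][$eq]=123",
    "https://domain/api/endpoint?filters%5Bcode%5D%5B%24eq%5D=123",
    "https://domain/api/endpoint?filters[code][$in][0]=1&filters[code][$in][1]=2",
    "https://domain/api/endpoint?filters[title][$contains]=abc",
    "https://domain/api/endpoint?sort=code&pagination[page]=1",
]

if __name__ == "__main__":
    for path, names in names_to_exclude(SAMPLE_URLS).items():
        print(path)
        for name in names:
            print("  flagged argument name:", name)
```

Operators outside the rule's alternation, such as `$contains` in the fourth sample, do not match, so an exclusion only needs to cover the argument names this reports.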

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 airween