From 2185b8244c7981a4de13dc4dd19110d323e1d8cd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Sep 2025 16:55:43 +0000
Subject: [PATCH] Refine security patterns: reduce false positives in null byte detection and expand RFI protocol coverage
Co-authored-by: fuomag9 <1580624+fuomag9@users.noreply.github.com>
---
 docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf b/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf
index 15ff736a..76bc9e79 100644
--- a/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf
@@ -52,7 +52,7 @@ if ($block_sql_injections = 1) {
 set $block_file_injections 0;
 # Remote file inclusion
-if ($query_string ~ "[a-zA-Z0-9_]=(https?|ftp|ftps)://") {
+if ($query_string ~ "[a-zA-Z0-9_]=(https?|ftp|ftps|file|data|php|expect|gopher)://") {
 set $block_file_injections 1;
 }
@@ -84,8 +84,8 @@ if ($query_string ~ "(\/etc\/passwd)|(\/etc\/shadow)|(\/etc\/hosts)") {
 set $block_file_injections 1;
 }
-# Null bytes and encoding attacks
-if ($query_string ~ "(%00|%0a|%0d|%09|%20$)") {
+# Null bytes and dangerous encoding attacks
+if ($query_string ~ "(%00|%0a%0d|%0d%0a)") {
 set $block_file_injections 1;
 }
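Review bot: The widened scheme list on the new remote-file-inclusion `if` line is still matched with the case-sensitive `~` operator, so an upper- or mixed-case scheme name is not caught even though URL schemes are case-insensitive; the same applies to the lower-case hex digits in the null-byte hunk further down. Switching both lines to `~*` closes that, e.g. `if ($query_string ~* "[a-zA-Z0-9_]=(https?|ftps?|file|data|php|expect|gopher)://") {`. Two limits deserve a comment above the rule: `$query_string` is the undecoded query, so a percent-encoded `://` is not seen by this pattern, and `data:` URIs are normally written without `//`, so the `data` alternative only covers the wrapper-style spelling. This rule should be treated as a coarse filter in front of the application's own input validation, not a replacement for it.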
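Review bot: Narrowing the pattern to the paired `%0a%0d` / `%0d%0a` sequences means a single encoded line feed or carriage return now passes this rule, and a bare LF is enough to start a new line for many header and log parsers. If allowing lone `%0a`/`%0d` is deliberate (the commit subject cites false positives), the comment above the rule should say so and name where response-splitting and log-injection are handled instead, e.g. `# Lone %0a/%0d are allowed on purpose (multi-line form values); CR/LF injection must be rejected by the backend`. Dropping the `%09` and `%20$` alternatives looks reasonable for the false-positive goal, though that is inferred from the subject line only.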