I have the following rules:
SecRule REQUEST_URI "@beginsWith /testing-endpoint" "id:10003,phase:2,t:lowercase,log,msg:'TESTING_SOAP BLOCKED',deny,chain"
SecRule XML:/soap12:Envelope/soap12:Body/level1/level2/data ".*" "id:11003,xmlns:level1=http://www.erpx.example.com/,xmlns:soap12=http://www.w3.example.org/2003/05/soap-envelope,xmlns:xsd=http://www.w3.example.org/2001/XMLSchema,xmlns:xsi=http://www.w3.example.org/2001/XMLSchema-instance"
The ModSecurity rules are intended to access <data>AAAA-BBBB</data> in the following payload:
<?xml version="1.0" encoding="ISO-8859-1"?>
<soap12:Envelope xmlns:xsi="http://www.w3.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.example.org/2001/XMLSchema" xmlns:soap12="http://www.w3.example.org/2003/05/soap-envelope">
  <soap12:Body>
    <level1 xmlns="http://www.erpx.example.com/">
      <level2>
        <data>AAAA-BBBB</data> <!-- Trying to access this -->
        <dataOther>Testing Purposes Only</dataOther>
      </level2>
    </level1>
  </soap12:Body>
</soap12:Envelope>
This is failing; however, if I remove the xmlns attribute from <level1 xmlns="http://www.erpx.example.com/">, everything works as expected.
These are the relevant parts of the log:
[170006830474.797743] [/testing-endpoint] [4] (Rule: 11004) Executing operator "Rx" with param ".*" against XML:/soap12:Envelope/soap12:Body/level1/level2/data.
[170006830474.797743] [/testing-endpoint] [4] Registered XML namespace href "http://www.erpx.example.com/" prefix "level1"
[170006830474.797743] [/testing-endpoint] [4] Registered XML namespace href "http://www.w3.org/2003/05/soap-envelope" prefix "soap12"
[170006830474.797743] [/testing-endpoint] [4] Registered XML namespace href "http://www.w3.org/2001/XMLSchema" prefix "xsd"
[170006830474.797743] [/testing-endpoint] [4] Registered XML namespace href "http://www.w3.org/2001/XMLSchema-instance" prefix "xsi"
[170006830474.797743] [/testing-endpoint] [4] Rule returned 0.
I must be missing something obvious. Any idea how I can get through / ignore that namespace?
After conferring with the OP, it seems it's possible to resolve this with the following SecRule:
SecRule XML:/soap12:Envelope/soap12:Body/*[local-name()='level1']/*[local-name()='level2']/*[local-name()='data'] ".*" "id:11003,xmlns:level1=http://www.erpx.example.com/,xmlns:soap12=http://www.w3.example.org/2003/05/soap-envelope,xmlns:xsd=http://www.w3.example.org/2001/XMLSchema,xmlns:xsi=http://www.w3.example.org/2001/XMLSchema-instance"
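The namespace behaviour behind the question and the answer, reproduced outside ModSecurity as an added example (not code from either post). It assumes Python 3.8+ and uses xml.etree.ElementTree, whose `{*}name` wildcard stands in for XPath `*[local-name()='name']`; the payload is a constructed, trimmed copy of the one above, and the prefix-qualified path is an alternative that does not appear on the page.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the question's payload (XML declaration and the
# unused xsi/xsd declarations dropped).
PAYLOAD = """\
<soap12:Envelope xmlns:soap12="http://www.w3.example.org/2003/05/soap-envelope">
  <soap12:Body>
    <level1 xmlns="http://www.erpx.example.com/">
      <level2>
        <data>AAAA-BBBB</data>
        <dataOther>Testing Purposes Only</dataOther>
      </level2>
    </level1>
  </soap12:Body>
</soap12:Envelope>"""

# The question's observation: the same payload without the default namespace.
PAYLOAD_NO_DEFAULT_NS = PAYLOAD.replace(' xmlns="http://www.erpx.example.com/"', "")

# Prefix bindings, mirroring what the rule's xmlns: actions register.
NS = {
    "soap12": "http://www.w3.example.org/2003/05/soap-envelope",
    "level1": "http://www.erpx.example.com/",
}

# Paths are relative to the soap12:Envelope root element.
# An unprefixed step means "no namespace", so it cannot match <level1>,
# which inherits the default namespace declared on it.
UNPREFIXED = "soap12:Body/level1/level2/data"  # shape of the original rule
# Hypothetical alternative: use the prefix bound to the ERP namespace.
PREFIXED = "soap12:Body/level1:level1/level1:level2/level1:data"
# Namespace-agnostic match, the ElementTree analogue of local-name().
ANY_NS = "soap12:Body/{*}level1/{*}level2/{*}data"


def select(xml_text, path):
    """Return the text of every element the path selects."""
    root = ET.fromstring(xml_text)
    return [el.text for el in root.findall(path, NS)]


if __name__ == "__main__":
    for name, doc in (("default ns", PAYLOAD), ("no ns", PAYLOAD_NO_DEFAULT_NS)):
        for path in (UNPREFIXED, PREFIXED, ANY_NS):
            print(f"{name:10} {path:55} -> {select(doc, path)}")
```

Only the namespace-agnostic path selects `data` in both documents; the prefix-qualified path selects it only when the element is in the ERP namespace.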