github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 21:36:00 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add the ability to build custom request body parser extensions.

Browse Source 
Add an example for a request body parser extension.
This commit is contained in:
b1v1r 2010-05-05 23:01:11 +00:00
parent f7f305991f
commit 058283fb5a
9 changed files with 334 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
apache2/apache2.h
View File

@ -38,6 +38,7 @@ APR_DECLARE_OPTIONAL_FN(void, modsec_register_variable,
unsigned int argc_min, unsigned int argc_max,
void *fn_validate, void *fn_generate,
unsigned int is_cacheable, unsigned int availability));
APR_DECLARE_OPTIONAL_FN(void, modsec_register_reqbody_processor, (const char *name, void *fn_init, void *fn_process, void *fn_complete));
#endif
/* ap_get_server_version() is gone in 2.3.0.

20
apache2/mod_security2.c
View File

@ -1116,6 +1116,25 @@ static void modsec_register_variable(const char *name, unsigned int type,
fprintf(stderr,"modsecurity is NULL\n");
}
}
/**
* This function is exported for other Apache modules to
* register new request body processors.
*/
static void modsec_register_reqbody_processor(const char *name,
void *fn_init,
void *fn_process,
void *fn_complete)
{
if (modsecurity != NULL) {
msre_engine_reqbody_processor_register(modsecurity->msre, name,
(fn_reqbody_processor_init_t)fn_init,
(fn_reqbody_processor_init_t)fn_process,
(fn_reqbody_processor_init_t)fn_complete);
}
}
#endif
/**
@ -1168,6 +1187,7 @@ static void register_hooks(apr_pool_t *mp) {
APR_REGISTER_OPTIONAL_FN(modsec_register_tfn);
APR_REGISTER_OPTIONAL_FN(modsec_register_operator);
APR_REGISTER_OPTIONAL_FN(modsec_register_variable);
APR_REGISTER_OPTIONAL_FN(modsec_register_reqbody_processor);
#endif
/* Main hooks */

1
apache2/modsecurity.c
View File

@ -103,6 +103,7 @@ msc_engine *modsecurity_create(apr_pool_t *mp, int processing_mode) {
msre_engine_register_default_operators(msce->msre);
msre_engine_register_default_tfns(msce->msre);
msre_engine_register_default_actions(msce->msre);
// TODO: msre_engine_register_default_reqbody_processors(msce->msre);
return msce;
}

4
apache2/modsecurity.h
View File

@ -21,6 +21,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
typedef struct rule_exception rule_exception;
@ -369,6 +370,9 @@ struct modsec_rec {
* are to allow phases 1-2 only.
*/
unsigned int allow_scope;
/* Generic request body processor context to be used by custom parsers. */
void *reqbody_processor_ctx;
};
struct directory_config {

99
apache2/msc_reqbody.c
View File

@ -17,10 +17,30 @@
*
*/
#include "modsecurity.h"
#include "re.h"
#include "msc_parsers.h"
#define CHUNK_CAPACITY 8192
/**
*
*/
void msre_engine_reqbody_processor_register(msre_engine *engine,
const char *name, void *fn_init, void *fn_process, void *fn_complete)
{
msre_reqbody_processor_metadata *metadata =
(msre_reqbody_processor_metadata *)apr_pcalloc(engine->mp,
sizeof(msre_reqbody_processor_metadata));
if (metadata == NULL) return;
metadata->name = name;
metadata->init = fn_init;
metadata->process = fn_process;
metadata->complete = fn_complete;
apr_table_setn(engine->reqbody_processors, name, (void *)metadata);
}
/**
* Prepare to accept the request body (part 2).
*/
@ -77,8 +97,25 @@ apr_status_t modsecurity_request_body_start(modsec_rec *msr, char **error_msg) {
if (msr->msc_reqbody_processor != NULL) {
char *my_error_msg = NULL;
msre_reqbody_processor_metadata *metadata =
(msre_reqbody_processor_metadata *)apr_table_get(msr->modsecurity->msre->reqbody_processors, msr->msc_reqbody_processor);
if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) {
if (metadata != NULL) {
if ( (metadata->init != NULL)
&& (metadata->init(msr, &my_error_msg) < 0))
{
*error_msg = apr_psprintf(msr->mp,
"%s parsing error (init): %s",
msr->msc_reqbody_processor,
my_error_msg);
msr->msc_reqbody_error = 1;
msr->msc_reqbody_error_msg = my_error_msg;
msr_log(msr, 2, "%s", *error_msg);
}
}
// TODO: All these below need to be registered in the same way as above
else if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) {
if (multipart_init(msr, &my_error_msg) < 0) {
*error_msg = apr_psprintf(msr->mp, "Multipart parsing error (init): %s", my_error_msg);
msr->msc_reqbody_error = 1;
@ -86,8 +123,7 @@ apr_status_t modsecurity_request_body_start(modsec_rec *msr, char **error_msg) {
msr_log(msr, 2, "%s", *error_msg);
}
}
else
if (strcmp(msr->msc_reqbody_processor, "XML") == 0) {
else if (strcmp(msr->msc_reqbody_processor, "XML") == 0) {
if (xml_init(msr, &my_error_msg) < 0) {
*error_msg = apr_psprintf(msr->mp, "XML parsing error (init): %s", my_error_msg);
msr->msc_reqbody_error = 1;
@ -95,8 +131,7 @@ apr_status_t modsecurity_request_body_start(modsec_rec *msr, char **error_msg) {
msr_log(msr, 2, "%s", *error_msg);
}
}
else
if (strcmp(msr->msc_reqbody_processor, "URLENCODED") == 0) {
else if (strcmp(msr->msc_reqbody_processor, "URLENCODED") == 0) {
/* Do nothing, URLENCODED processor does not support streaming yet. */
}
else {
@ -268,10 +303,27 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr,
* data to it first (but only if it did not report an
* error on previous invocations).
*/
if ((msr->msc_reqbody_processor != NULL)&&(msr->msc_reqbody_error == 0)) {
if ((msr->msc_reqbody_processor != NULL) && (msr->msc_reqbody_error == 0)) {
char *my_error_msg = NULL;
msre_reqbody_processor_metadata *metadata =
(msre_reqbody_processor_metadata *)apr_table_get(msr->modsecurity->msre->reqbody_processors, msr->msc_reqbody_processor);
if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) {
if (metadata != NULL) {
if ( (metadata->process != NULL)
&& (metadata->process(msr, data, length, &my_error_msg) < 0))
{
*error_msg = apr_psprintf(msr->mp,
"%s parsing error: %s",
msr->msc_reqbody_processor,
my_error_msg);
msr->msc_reqbody_error = 1;
msr->msc_reqbody_error_msg = my_error_msg;
msr_log(msr, 2, "%s", *error_msg);
}
}
// TODO: All these below need to be registered in the same way as above
else if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) {
/* The per-request data length counter will
* be updated by the multipart parser.
*/
@ -284,8 +336,7 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr,
msr_log(msr, 2, "%s", *error_msg);
}
}
else
if (strcmp(msr->msc_reqbody_processor, "XML") == 0) {
else if (strcmp(msr->msc_reqbody_processor, "XML") == 0) {
/* Increase per-request data length counter. */
msr->msc_reqbody_no_files_length += length;
@ -297,8 +348,7 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr,
msr_log(msr, 2, "%s", *error_msg);
}
}
else
if (strcmp(msr->msc_reqbody_processor, "URLENCODED") == 0) {
else if (strcmp(msr->msc_reqbody_processor, "URLENCODED") == 0) {
/* Increase per-request data length counter. */
msr->msc_reqbody_no_files_length += length;
@ -449,10 +499,27 @@ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) {
msr->msc_reqbody_read = 1;
/* Finalise body processing. */
if ((msr->msc_reqbody_processor != NULL)&&(msr->msc_reqbody_error == 0)) {
if ((msr->msc_reqbody_processor != NULL) && (msr->msc_reqbody_error == 0)) {
char *my_error_msg = NULL;
msre_reqbody_processor_metadata *metadata =
(msre_reqbody_processor_metadata *)apr_table_get(msr->modsecurity->msre->reqbody_processors, msr->msc_reqbody_processor);
if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) {
if (metadata != NULL) {
if ( (metadata->complete != NULL)
&& (metadata->complete(msr, &my_error_msg) < 0))
{
*error_msg = apr_psprintf(msr->mp,
"%s parsing error (complete): %s",
msr->msc_reqbody_processor,
my_error_msg);
msr->msc_reqbody_error = 1;
msr->msc_reqbody_error_msg = my_error_msg;
msr_log(msr, 2, "%s", *error_msg);
}
}
// TODO: All these below need to be registered in the same way as above
else if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) {
if (multipart_complete(msr, &my_error_msg) < 0) {
*error_msg = apr_psprintf(msr->mp, "Multipart parsing error: %s", my_error_msg);
msr->msc_reqbody_error = 1;
@ -469,12 +536,10 @@ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) {
return -1;
}
}
else
if (strcmp(msr->msc_reqbody_processor, "URLENCODED") == 0) {
else if (strcmp(msr->msc_reqbody_processor, "URLENCODED") == 0) {
return modsecurity_request_body_end_urlencoded(msr, error_msg);
}
else
if (strcmp(msr->msc_reqbody_processor, "XML") == 0) {
else if (strcmp(msr->msc_reqbody_processor, "XML") == 0) {
if (xml_complete(msr, &my_error_msg) < 0) {
*error_msg = apr_psprintf(msr->mp, "XML parser error: %s", my_error_msg);
msr->msc_reqbody_error = 1;

24
apache2/re.c
View File

@ -240,17 +240,29 @@ apr_status_t msre_parse_actions(msre_engine *engine, msre_actionset *actionset,
/**
* Locates variable metadata given the variable name.
*/
msre_var_metadata *msre_resolve_var(msre_engine *engine, const char *name) {
msre_var_metadata *msre_resolve_var(msre_engine *engine, const char *name)
{
return (msre_var_metadata *)apr_table_get(engine->variables, name);
}
/**
* Locates action metadata given the action name.
*/
msre_action_metadata *msre_resolve_action(msre_engine *engine, const char *name) {
msre_action_metadata *msre_resolve_action(msre_engine *engine, const char *name)
{
return (msre_action_metadata *)apr_table_get(engine->actions, name);
}
/**
* Locates request body processor metadata given the processor name.
*/
msre_reqbody_processor_metadata *msre_resolve_reqbody_processor(
msre_engine *engine,
const char *name)
{
return (msre_reqbody_processor_metadata *)apr_table_get(engine->reqbody_processors, name);
}
/**
* Creates a new variable instance given the variable name
* and an (optional) parameter.
@ -738,14 +750,16 @@ msre_engine *msre_engine_create(apr_pool_t *parent_pool) {
engine = apr_pcalloc(mp, sizeof(msre_engine));
if (engine == NULL) return NULL;
engine->mp = mp;
engine->tfns = apr_table_make(mp, 25);
engine->tfns = apr_table_make(mp, 50);
if (engine->tfns == NULL) return NULL;
engine->operators = apr_table_make(mp, 25);
if (engine->operators == NULL) return NULL;
engine->variables = apr_table_make(mp, 25);
engine->variables = apr_table_make(mp, 100);
if (engine->variables == NULL) return NULL;
engine->actions = apr_table_make(mp, 25);
engine->actions = apr_table_make(mp, 50);
if (engine->actions == NULL) return NULL;
engine->reqbody_processors = apr_table_make(mp, 10);
if (engine->reqbody_processors == NULL) return NULL;
return engine;
}

21
apache2/re.h
View File

@ -34,6 +34,7 @@ typedef struct msre_tfn_metadata msre_tfn_metadata;
typedef struct msre_actionset msre_actionset;
typedef struct msre_action_metadata msre_action_metadata;
typedef struct msre_action msre_action;
typedef struct msre_reqbody_processor_metadata msre_reqbody_processor_metadata;
typedef struct msre_cache_rec msre_cache_rec;
#include "apr_general.h"
@ -63,6 +64,10 @@ msre_var_metadata DSOLOCAL *msre_resolve_var(msre_engine *engine, const char *na
msre_action_metadata DSOLOCAL *msre_resolve_action(msre_engine *engine, const char *name);
msre_reqbody_processor_metadata DSOLOCAL *msre_resolve_reqbody_processor(
msre_engine *engine,
const char *name);
msre_var DSOLOCAL *msre_create_var(msre_ruleset *ruleset, const char *name, const char *param,
modsec_rec *msr, char **error_msg);
@ -91,6 +96,7 @@ struct msre_engine {
apr_table_t *operators;
apr_table_t *actions;
apr_table_t *tfns;
apr_table_t *reqbody_processors;
};
msre_engine DSOLOCAL *msre_engine_create(apr_pool_t *parent_pool);
@ -360,6 +366,21 @@ struct msre_action {
unsigned int param_plusminus; /* ABSOLUTE_VALUE, POSITIVE_VALUE, NEGATIVE_VALUE */
};
void DSOLOCAL msre_engine_reqbody_processor_register(msre_engine *engine,
const char *name, void *fn_init, void *fn_process, void *fn_complete);
typedef int (*fn_reqbody_processor_init_t)(modsec_rec *msr, char **error_msg);
typedef int (*fn_reqbody_processor_process_t)(modsec_rec *msr, const char *buf,
unsigned int size, char **error_msg);
typedef int (*fn_reqbody_processor_complete_t)(modsec_rec *msr, char **error_msg);
struct msre_reqbody_processor_metadata {
const char *name;
fn_reqbody_processor_init_t init;
fn_reqbody_processor_process_t process;
fn_reqbody_processor_complete_t complete;
};
/* -- MSRE Function Prototypes ---------------------------------------------- */
msre_var_metadata DSOLOCAL *msre_resolve_var(msre_engine *engine, const char *name);

17
ext/README
View File

@ -54,6 +54,23 @@ that combines the REMOTE_ADDR and REMOTE_PORT into a.b.c.d:port format.
sudo apxs -i mod_var_remote_addr_port.la
3) Example custom request body parser module
Module mod_reqbody_example.c creates a custom request body parser named
"EXAMPLE". It does noting in particular, but shows the basic structure
of such a module.
# Compile as a normal user
apxs -I<MODSECURITY_SOURCE_CODE> -I/usr/include/libxml2 \
-ca mod_reqbody_example.c
# Install as superuser
sudo apxs -i mod_var_remote_addr_port.la
# Write a phase 1 rule to set the parser
SecAction "phase:1,pass,nolog,ctl:requestBodyProcessor=EXAMPLE"
Using the Modules
-----------------

169
ext/mod_reqbody_example.c Normal file
View File

@ -0,0 +1,169 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
* Copyright (c) 2004-2010 Breach Security, Inc. (http://www.breach.com/)
*
* This product is released under the terms of the General Public Licence,
* version 2 (GPLv2). Please refer to the file LICENSE (included with this
* distribution) which contains the complete text of the licence.
*
* There are special exceptions to the terms and conditions of the GPL
* as it is applied to this software. View the full text of the exception in
* file MODSECURITY_LICENSING_EXCEPTION in the directory of this software
* distribution.
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Breach Security, Inc.
* directly using the email address support@breach.com.
*
*/
/* This is just an example on how to make an extension to allow custom
* request body parsing. This just describes how to do this externally
* and you should look more at on e of the internal parsers to see
* the full potential.
*
* This module defines "EXAMPLE" and can be enabled with a rule like this:
*
* SecAction "phase:1,pass,nolog,ctl:requestBodyProcessor=EXAMPLE"
*
* See these for real parsers:
* msc_reqbody.c
* msc_multipart.c
* msc_xml.c
*/
#include "httpd.h"
#include "http_core.h"
#include "http_config.h"
#include "http_log.h"
#include "http_protocol.h"
#include "ap_config.h"
#include "apr_optional.h"
#include "modsecurity.h"
typedef struct example_ctx {
unsigned long length;
} example_ctx;
/**
* This function will be invoked to initialize the processor. This is
* probably only needed for streaming parsers that must create a context.
*/
static int example_init(modsec_rec *msr, char **error_msg)
{
if (error_msg == NULL) return -1;
*error_msg = NULL;
ap_log_error(APLOG_MARK, APLOG_INFO | APLOG_NOERRNO, 0, NULL,
"mod_reqbody_example: init()");
msr->reqbody_processor_ctx = apr_pcalloc(msr->mp, sizeof(example_ctx));
if (msr->reqbody_processor_ctx == NULL) {
/* Set error message and return -1 if unsuccessful */
*error_msg = apr_pstrdup(msr->mp, "failed to create example requbody processor context");
return -1;
}
/* Return 1 on success */
return 1;
}
/**
* This function will be invoked whenever the ModSecurity has data to
* be processed. You probably at least need to increment the no_files
* length, but otherwise this is only useful for a streaming parser.
*/
static int example_process(modsec_rec *msr,
const char *buf, unsigned int size, char **error_msg)
{
example_ctx *ctx = (example_ctx *)msr->reqbody_processor_ctx;
if (error_msg == NULL) return -1;
*error_msg = NULL;
ap_log_error(APLOG_MARK, APLOG_INFO | APLOG_NOERRNO, 0, NULL,
"mod_reqbody_example: process()");
/* Need to increment the no_files length if this is not an uploaded file.
* Failing to do this will mess up some other limit checks.
*/
msr->msc_reqbody_no_files_length += size;
/* Check for an existing context and do something interesting
* with the chunk of data we have been given.
*/
if (ctx != NULL) {
ctx->length += size;
}
/* Return 1 on success */
return 1;
}
/**
* This function is called to signal the parser that the request body is
* complete. Here you should do any final parsing. For non-streaming parsers
* you can parse the data in msr->msc_reqbody_buffer of length
* msr->msc_reqbody_length. See modsecurity_request_body_end_urlencoded() in
* msc_reqbody.c for an example of this.
*/
static int example_complete(modsec_rec *msr, char **error_msg)
{
example_ctx *ctx = (example_ctx *)msr->reqbody_processor_ctx;
if (error_msg == NULL) return -1;
*error_msg = NULL;
ap_log_error(APLOG_MARK, APLOG_INFO | APLOG_NOERRNO, 0, NULL,
"mod_reqbody_example: complete()");
ap_log_error(APLOG_MARK, APLOG_INFO | APLOG_NOERRNO, 0, NULL,
"mod_reqbody_example: request body length=%lu", ctx->length);
/* Return 1 on success */
return 1;
}
static int hook_pre_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_temp) {
void (*fn)(const char *name,
void *fn_init, void *fn_process, void *fn_complete);
/* Look for the registration function exported by ModSecurity. */
fn = APR_RETRIEVE_OPTIONAL_FN(modsec_register_reqbody_processor);
if (fn) {
/* Use it to register our new request body parser functions under
* the name "EXAMPLE".
*/
fn("EXAMPLE",
(void *)example_init,
(void *)example_process,
(void *)example_complete);
}
else {
ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, NULL,
"mod_reqbody_example: Unable to find modsec_register_reqbody_processor.");
}
return OK;
}
/* This is a function to register another function to be called during
* the Apache configuration process.
*/
static void register_hooks(apr_pool_t *p) {
ap_hook_pre_config(hook_pre_config, NULL, NULL, APR_HOOK_LAST);
}
/* Dispatch list for API hooks */
module AP_MODULE_DECLARE_DATA reqbody_example_module = {
STANDARD20_MODULE_STUFF,
NULL, /* create per-dir config structures */
NULL, /* merge per-dir config structures */
NULL, /* create per-server config structures */
NULL, /* merge per-server config structures */
NULL, /* table of config file commands */
register_hooks /* register hooks */
};