From 058283fb5af1ab372db20e3573eb4442674dafda Mon Sep 17 00:00:00 2001 From: b1v1r Date: Wed, 5 May 2010 23:01:11 +0000 Subject: [PATCH] Add the ability to build custom request body parser extensions. Add an example for a request body parser extension. --- apache2/apache2.h | 1 + apache2/mod_security2.c | 20 +++++ apache2/modsecurity.c | 1 + apache2/modsecurity.h | 4 + apache2/msc_reqbody.c | 99 ++++++++++++++++++---- apache2/re.c | 24 ++++-- apache2/re.h | 21 +++++ ext/README | 17 ++++ ext/mod_reqbody_example.c | 169 ++++++++++++++++++++++++++++++++++++++ 9 files changed, 334 insertions(+), 22 deletions(-) create mode 100644 ext/mod_reqbody_example.c diff --git a/apache2/apache2.h b/apache2/apache2.h index b6f8edf7..511deed1 100644 --- a/apache2/apache2.h +++ b/apache2/apache2.h @@ -38,6 +38,7 @@ APR_DECLARE_OPTIONAL_FN(void, modsec_register_variable, unsigned int argc_min, unsigned int argc_max, void *fn_validate, void *fn_generate, unsigned int is_cacheable, unsigned int availability)); +APR_DECLARE_OPTIONAL_FN(void, modsec_register_reqbody_processor, (const char *name, void *fn_init, void *fn_process, void *fn_complete)); #endif /* ap_get_server_version() is gone in 2.3.0. diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c index ac2a093a..7e3443c9 100644 --- a/apache2/mod_security2.c +++ b/apache2/mod_security2.c @@ -1116,6 +1116,25 @@ static void modsec_register_variable(const char *name, unsigned int type, fprintf(stderr,"modsecurity is NULL\n"); } } + +/** + * This function is exported for other Apache modules to + * register new request body processors. + */ +static void modsec_register_reqbody_processor(const char *name, + void *fn_init, + void *fn_process, + void *fn_complete) +{ + if (modsecurity != NULL) { + + msre_engine_reqbody_processor_register(modsecurity->msre, name, + (fn_reqbody_processor_init_t)fn_init, + (fn_reqbody_processor_init_t)fn_process, + (fn_reqbody_processor_init_t)fn_complete); + } +} + #endif /** @@ -1168,6 +1187,7 @@ static void register_hooks(apr_pool_t *mp) { APR_REGISTER_OPTIONAL_FN(modsec_register_tfn); APR_REGISTER_OPTIONAL_FN(modsec_register_operator); APR_REGISTER_OPTIONAL_FN(modsec_register_variable); + APR_REGISTER_OPTIONAL_FN(modsec_register_reqbody_processor); #endif /* Main hooks */ diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c index 4827525c..8d988e66 100644 --- a/apache2/modsecurity.c +++ b/apache2/modsecurity.c @@ -103,6 +103,7 @@ msc_engine *modsecurity_create(apr_pool_t *mp, int processing_mode) { msre_engine_register_default_operators(msce->msre); msre_engine_register_default_tfns(msce->msre); msre_engine_register_default_actions(msce->msre); + // TODO: msre_engine_register_default_reqbody_processors(msce->msre); return msce; } diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h index 59654a54..623fa662 100644 --- a/apache2/modsecurity.h +++ b/apache2/modsecurity.h @@ -21,6 +21,7 @@ #include #include + #include typedef struct rule_exception rule_exception; @@ -369,6 +370,9 @@ struct modsec_rec { * are to allow phases 1-2 only. */ unsigned int allow_scope; + + /* Generic request body processor context to be used by custom parsers. */ + void *reqbody_processor_ctx; }; struct directory_config { diff --git a/apache2/msc_reqbody.c b/apache2/msc_reqbody.c index edb8252e..9f40268b 100644 --- a/apache2/msc_reqbody.c +++ b/apache2/msc_reqbody.c @@ -17,10 +17,30 @@ * */ #include "modsecurity.h" +#include "re.h" #include "msc_parsers.h" #define CHUNK_CAPACITY 8192 + +/** + * + */ +void msre_engine_reqbody_processor_register(msre_engine *engine, + const char *name, void *fn_init, void *fn_process, void *fn_complete) +{ + msre_reqbody_processor_metadata *metadata = + (msre_reqbody_processor_metadata *)apr_pcalloc(engine->mp, + sizeof(msre_reqbody_processor_metadata)); + if (metadata == NULL) return; + + metadata->name = name; + metadata->init = fn_init; + metadata->process = fn_process; + metadata->complete = fn_complete; + apr_table_setn(engine->reqbody_processors, name, (void *)metadata); +} + /** * Prepare to accept the request body (part 2). */ @@ -77,8 +97,25 @@ apr_status_t modsecurity_request_body_start(modsec_rec *msr, char **error_msg) { if (msr->msc_reqbody_processor != NULL) { char *my_error_msg = NULL; + msre_reqbody_processor_metadata *metadata = + (msre_reqbody_processor_metadata *)apr_table_get(msr->modsecurity->msre->reqbody_processors, msr->msc_reqbody_processor); + - if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) { + if (metadata != NULL) { + if ( (metadata->init != NULL) + && (metadata->init(msr, &my_error_msg) < 0)) + { + *error_msg = apr_psprintf(msr->mp, + "%s parsing error (init): %s", + msr->msc_reqbody_processor, + my_error_msg); + msr->msc_reqbody_error = 1; + msr->msc_reqbody_error_msg = my_error_msg; + msr_log(msr, 2, "%s", *error_msg); + } + } + // TODO: All these below need to be registered in the same way as above + else if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) { if (multipart_init(msr, &my_error_msg) < 0) { *error_msg = apr_psprintf(msr->mp, "Multipart parsing error (init): %s", my_error_msg); msr->msc_reqbody_error = 1; @@ -86,8 +123,7 @@ apr_status_t modsecurity_request_body_start(modsec_rec *msr, char **error_msg) { msr_log(msr, 2, "%s", *error_msg); } } - else - if (strcmp(msr->msc_reqbody_processor, "XML") == 0) { + else if (strcmp(msr->msc_reqbody_processor, "XML") == 0) { if (xml_init(msr, &my_error_msg) < 0) { *error_msg = apr_psprintf(msr->mp, "XML parsing error (init): %s", my_error_msg); msr->msc_reqbody_error = 1; @@ -95,8 +131,7 @@ apr_status_t modsecurity_request_body_start(modsec_rec *msr, char **error_msg) { msr_log(msr, 2, "%s", *error_msg); } } - else - if (strcmp(msr->msc_reqbody_processor, "URLENCODED") == 0) { + else if (strcmp(msr->msc_reqbody_processor, "URLENCODED") == 0) { /* Do nothing, URLENCODED processor does not support streaming yet. */ } else { @@ -268,10 +303,27 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr, * data to it first (but only if it did not report an * error on previous invocations). */ - if ((msr->msc_reqbody_processor != NULL)&&(msr->msc_reqbody_error == 0)) { + if ((msr->msc_reqbody_processor != NULL) && (msr->msc_reqbody_error == 0)) { char *my_error_msg = NULL; + msre_reqbody_processor_metadata *metadata = + (msre_reqbody_processor_metadata *)apr_table_get(msr->modsecurity->msre->reqbody_processors, msr->msc_reqbody_processor); + - if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) { + if (metadata != NULL) { + if ( (metadata->process != NULL) + && (metadata->process(msr, data, length, &my_error_msg) < 0)) + { + *error_msg = apr_psprintf(msr->mp, + "%s parsing error: %s", + msr->msc_reqbody_processor, + my_error_msg); + msr->msc_reqbody_error = 1; + msr->msc_reqbody_error_msg = my_error_msg; + msr_log(msr, 2, "%s", *error_msg); + } + } + // TODO: All these below need to be registered in the same way as above + else if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) { /* The per-request data length counter will * be updated by the multipart parser. */ @@ -284,8 +336,7 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr, msr_log(msr, 2, "%s", *error_msg); } } - else - if (strcmp(msr->msc_reqbody_processor, "XML") == 0) { + else if (strcmp(msr->msc_reqbody_processor, "XML") == 0) { /* Increase per-request data length counter. */ msr->msc_reqbody_no_files_length += length; @@ -297,8 +348,7 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr, msr_log(msr, 2, "%s", *error_msg); } } - else - if (strcmp(msr->msc_reqbody_processor, "URLENCODED") == 0) { + else if (strcmp(msr->msc_reqbody_processor, "URLENCODED") == 0) { /* Increase per-request data length counter. */ msr->msc_reqbody_no_files_length += length; @@ -449,10 +499,27 @@ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) { msr->msc_reqbody_read = 1; /* Finalise body processing. */ - if ((msr->msc_reqbody_processor != NULL)&&(msr->msc_reqbody_error == 0)) { + if ((msr->msc_reqbody_processor != NULL) && (msr->msc_reqbody_error == 0)) { char *my_error_msg = NULL; + msre_reqbody_processor_metadata *metadata = + (msre_reqbody_processor_metadata *)apr_table_get(msr->modsecurity->msre->reqbody_processors, msr->msc_reqbody_processor); + - if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) { + if (metadata != NULL) { + if ( (metadata->complete != NULL) + && (metadata->complete(msr, &my_error_msg) < 0)) + { + *error_msg = apr_psprintf(msr->mp, + "%s parsing error (complete): %s", + msr->msc_reqbody_processor, + my_error_msg); + msr->msc_reqbody_error = 1; + msr->msc_reqbody_error_msg = my_error_msg; + msr_log(msr, 2, "%s", *error_msg); + } + } + // TODO: All these below need to be registered in the same way as above + else if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) { if (multipart_complete(msr, &my_error_msg) < 0) { *error_msg = apr_psprintf(msr->mp, "Multipart parsing error: %s", my_error_msg); msr->msc_reqbody_error = 1; @@ -469,12 +536,10 @@ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) { return -1; } } - else - if (strcmp(msr->msc_reqbody_processor, "URLENCODED") == 0) { + else if (strcmp(msr->msc_reqbody_processor, "URLENCODED") == 0) { return modsecurity_request_body_end_urlencoded(msr, error_msg); } - else - if (strcmp(msr->msc_reqbody_processor, "XML") == 0) { + else if (strcmp(msr->msc_reqbody_processor, "XML") == 0) { if (xml_complete(msr, &my_error_msg) < 0) { *error_msg = apr_psprintf(msr->mp, "XML parser error: %s", my_error_msg); msr->msc_reqbody_error = 1; diff --git a/apache2/re.c b/apache2/re.c index 854da2b5..1b67453f 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -240,17 +240,29 @@ apr_status_t msre_parse_actions(msre_engine *engine, msre_actionset *actionset, /** * Locates variable metadata given the variable name. */ -msre_var_metadata *msre_resolve_var(msre_engine *engine, const char *name) { +msre_var_metadata *msre_resolve_var(msre_engine *engine, const char *name) +{ return (msre_var_metadata *)apr_table_get(engine->variables, name); } /** * Locates action metadata given the action name. */ -msre_action_metadata *msre_resolve_action(msre_engine *engine, const char *name) { +msre_action_metadata *msre_resolve_action(msre_engine *engine, const char *name) +{ return (msre_action_metadata *)apr_table_get(engine->actions, name); } +/** + * Locates request body processor metadata given the processor name. + */ +msre_reqbody_processor_metadata *msre_resolve_reqbody_processor( + msre_engine *engine, + const char *name) +{ + return (msre_reqbody_processor_metadata *)apr_table_get(engine->reqbody_processors, name); +} + /** * Creates a new variable instance given the variable name * and an (optional) parameter. @@ -738,14 +750,16 @@ msre_engine *msre_engine_create(apr_pool_t *parent_pool) { engine = apr_pcalloc(mp, sizeof(msre_engine)); if (engine == NULL) return NULL; engine->mp = mp; - engine->tfns = apr_table_make(mp, 25); + engine->tfns = apr_table_make(mp, 50); if (engine->tfns == NULL) return NULL; engine->operators = apr_table_make(mp, 25); if (engine->operators == NULL) return NULL; - engine->variables = apr_table_make(mp, 25); + engine->variables = apr_table_make(mp, 100); if (engine->variables == NULL) return NULL; - engine->actions = apr_table_make(mp, 25); + engine->actions = apr_table_make(mp, 50); if (engine->actions == NULL) return NULL; + engine->reqbody_processors = apr_table_make(mp, 10); + if (engine->reqbody_processors == NULL) return NULL; return engine; } diff --git a/apache2/re.h b/apache2/re.h index 663d4bb9..cb58ab2e 100644 --- a/apache2/re.h +++ b/apache2/re.h @@ -34,6 +34,7 @@ typedef struct msre_tfn_metadata msre_tfn_metadata; typedef struct msre_actionset msre_actionset; typedef struct msre_action_metadata msre_action_metadata; typedef struct msre_action msre_action; +typedef struct msre_reqbody_processor_metadata msre_reqbody_processor_metadata; typedef struct msre_cache_rec msre_cache_rec; #include "apr_general.h" @@ -63,6 +64,10 @@ msre_var_metadata DSOLOCAL *msre_resolve_var(msre_engine *engine, const char *na msre_action_metadata DSOLOCAL *msre_resolve_action(msre_engine *engine, const char *name); +msre_reqbody_processor_metadata DSOLOCAL *msre_resolve_reqbody_processor( + msre_engine *engine, + const char *name); + msre_var DSOLOCAL *msre_create_var(msre_ruleset *ruleset, const char *name, const char *param, modsec_rec *msr, char **error_msg); @@ -91,6 +96,7 @@ struct msre_engine { apr_table_t *operators; apr_table_t *actions; apr_table_t *tfns; + apr_table_t *reqbody_processors; }; msre_engine DSOLOCAL *msre_engine_create(apr_pool_t *parent_pool); @@ -360,6 +366,21 @@ struct msre_action { unsigned int param_plusminus; /* ABSOLUTE_VALUE, POSITIVE_VALUE, NEGATIVE_VALUE */ }; +void DSOLOCAL msre_engine_reqbody_processor_register(msre_engine *engine, + const char *name, void *fn_init, void *fn_process, void *fn_complete); + +typedef int (*fn_reqbody_processor_init_t)(modsec_rec *msr, char **error_msg); +typedef int (*fn_reqbody_processor_process_t)(modsec_rec *msr, const char *buf, + unsigned int size, char **error_msg); +typedef int (*fn_reqbody_processor_complete_t)(modsec_rec *msr, char **error_msg); + +struct msre_reqbody_processor_metadata { + const char *name; + fn_reqbody_processor_init_t init; + fn_reqbody_processor_process_t process; + fn_reqbody_processor_complete_t complete; +}; + /* -- MSRE Function Prototypes ---------------------------------------------- */ msre_var_metadata DSOLOCAL *msre_resolve_var(msre_engine *engine, const char *name); diff --git a/ext/README b/ext/README index c0a2dfd5..a4e266f3 100644 --- a/ext/README +++ b/ext/README @@ -54,6 +54,23 @@ that combines the REMOTE_ADDR and REMOTE_PORT into a.b.c.d:port format. sudo apxs -i mod_var_remote_addr_port.la +3) Example custom request body parser module + +Module mod_reqbody_example.c creates a custom request body parser named +"EXAMPLE". It does noting in particular, but shows the basic structure +of such a module. + + # Compile as a normal user + apxs -I -I/usr/include/libxml2 \ + -ca mod_reqbody_example.c + + # Install as superuser + sudo apxs -i mod_var_remote_addr_port.la + + # Write a phase 1 rule to set the parser + SecAction "phase:1,pass,nolog,ctl:requestBodyProcessor=EXAMPLE" + + Using the Modules ----------------- diff --git a/ext/mod_reqbody_example.c b/ext/mod_reqbody_example.c new file mode 100644 index 00000000..23772ceb --- /dev/null +++ b/ext/mod_reqbody_example.c @@ -0,0 +1,169 @@ +/* + * ModSecurity for Apache 2.x, http://www.modsecurity.org/ + * Copyright (c) 2004-2010 Breach Security, Inc. (http://www.breach.com/) + * + * This product is released under the terms of the General Public Licence, + * version 2 (GPLv2). Please refer to the file LICENSE (included with this + * distribution) which contains the complete text of the licence. + * + * There are special exceptions to the terms and conditions of the GPL + * as it is applied to this software. View the full text of the exception in + * file MODSECURITY_LICENSING_EXCEPTION in the directory of this software + * distribution. + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Breach Security, Inc. + * directly using the email address support@breach.com. + * + */ + +/* This is just an example on how to make an extension to allow custom + * request body parsing. This just describes how to do this externally + * and you should look more at on e of the internal parsers to see + * the full potential. + * + * This module defines "EXAMPLE" and can be enabled with a rule like this: + * + * SecAction "phase:1,pass,nolog,ctl:requestBodyProcessor=EXAMPLE" + * + * See these for real parsers: + * msc_reqbody.c + * msc_multipart.c + * msc_xml.c + */ + +#include "httpd.h" +#include "http_core.h" +#include "http_config.h" +#include "http_log.h" +#include "http_protocol.h" +#include "ap_config.h" +#include "apr_optional.h" + +#include "modsecurity.h" + +typedef struct example_ctx { + unsigned long length; +} example_ctx; + +/** + * This function will be invoked to initialize the processor. This is + * probably only needed for streaming parsers that must create a context. + */ +static int example_init(modsec_rec *msr, char **error_msg) +{ + if (error_msg == NULL) return -1; + *error_msg = NULL; + + ap_log_error(APLOG_MARK, APLOG_INFO | APLOG_NOERRNO, 0, NULL, + "mod_reqbody_example: init()"); + + msr->reqbody_processor_ctx = apr_pcalloc(msr->mp, sizeof(example_ctx)); + if (msr->reqbody_processor_ctx == NULL) { + /* Set error message and return -1 if unsuccessful */ + *error_msg = apr_pstrdup(msr->mp, "failed to create example requbody processor context"); + return -1; + } + + /* Return 1 on success */ + return 1; +} + +/** + * This function will be invoked whenever the ModSecurity has data to + * be processed. You probably at least need to increment the no_files + * length, but otherwise this is only useful for a streaming parser. + */ +static int example_process(modsec_rec *msr, + const char *buf, unsigned int size, char **error_msg) +{ + example_ctx *ctx = (example_ctx *)msr->reqbody_processor_ctx; + + if (error_msg == NULL) return -1; + *error_msg = NULL; + + ap_log_error(APLOG_MARK, APLOG_INFO | APLOG_NOERRNO, 0, NULL, + "mod_reqbody_example: process()"); + + /* Need to increment the no_files length if this is not an uploaded file. + * Failing to do this will mess up some other limit checks. + */ + msr->msc_reqbody_no_files_length += size; + + /* Check for an existing context and do something interesting + * with the chunk of data we have been given. + */ + if (ctx != NULL) { + ctx->length += size; + } + + /* Return 1 on success */ + return 1; +} + +/** + * This function is called to signal the parser that the request body is + * complete. Here you should do any final parsing. For non-streaming parsers + * you can parse the data in msr->msc_reqbody_buffer of length + * msr->msc_reqbody_length. See modsecurity_request_body_end_urlencoded() in + * msc_reqbody.c for an example of this. + */ +static int example_complete(modsec_rec *msr, char **error_msg) +{ + example_ctx *ctx = (example_ctx *)msr->reqbody_processor_ctx; + + if (error_msg == NULL) return -1; + *error_msg = NULL; + + ap_log_error(APLOG_MARK, APLOG_INFO | APLOG_NOERRNO, 0, NULL, + "mod_reqbody_example: complete()"); + + ap_log_error(APLOG_MARK, APLOG_INFO | APLOG_NOERRNO, 0, NULL, + "mod_reqbody_example: request body length=%lu", ctx->length); + + /* Return 1 on success */ + return 1; +} + +static int hook_pre_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_temp) { + + void (*fn)(const char *name, + void *fn_init, void *fn_process, void *fn_complete); + + /* Look for the registration function exported by ModSecurity. */ + fn = APR_RETRIEVE_OPTIONAL_FN(modsec_register_reqbody_processor); + if (fn) { + /* Use it to register our new request body parser functions under + * the name "EXAMPLE". + */ + fn("EXAMPLE", + (void *)example_init, + (void *)example_process, + (void *)example_complete); + } + else { + ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, NULL, + "mod_reqbody_example: Unable to find modsec_register_reqbody_processor."); + } + + return OK; +} + +/* This is a function to register another function to be called during + * the Apache configuration process. + */ +static void register_hooks(apr_pool_t *p) { + ap_hook_pre_config(hook_pre_config, NULL, NULL, APR_HOOK_LAST); +} + +/* Dispatch list for API hooks */ +module AP_MODULE_DECLARE_DATA reqbody_example_module = { + STANDARD20_MODULE_STUFF, + NULL, /* create per-dir config structures */ + NULL, /* merge per-dir config structures */ + NULL, /* create per-server config structures */ + NULL, /* merge per-server config structures */ + NULL, /* table of config file commands */ + register_hooks /* register hooks */ +}; +