Merge pull request #2736 from brandonpayton/add-regex-match-limits-and-error-reporting

Add isolated PCRE match limits as a layer of ReDoS defense

src/variables/msc_pcre_error.h

@@ -0,0 +1,39 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include <iostream>
+#include <string>
+#include <vector>
+#include <list>
+#include <utility>
+
+#ifndef SRC_VARIABLES_MSC_PCRE_ERROR_H_
+#define SRC_VARIABLES_MSC_PCRE_ERROR_H_
+
+#include "src/variables/variable.h"
+
+namespace modsecurity {
+
+class Transaction;
+namespace variables {
+
+
+DEFINE_VARIABLE(MscPcreError, MSC_PCRE_ERROR, m_variableMscPcreError)
+
+
+}  // namespace variables
+}  // namespace modsecurity
+
+#endif  // SRC_VARIABLES_MSC_PCRE_ERROR_H_

src/variables/msc_pcre_limits_exceeded.h

@@ -0,0 +1,39 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include <iostream>
+#include <string>
+#include <vector>
+#include <list>
+#include <utility>
+
+#ifndef SRC_VARIABLES_MSC_PCRE_LIMITS_EXCEEDED_H_
+#define SRC_VARIABLES_MSC_PCRE_LIMITS_EXCEEDED_H_
+
+#include "src/variables/variable.h"
+
+namespace modsecurity {
+
+class Transaction;
+namespace variables {
+
+
+DEFINE_VARIABLE(MscPcreLimitsExceeded, MSC_PCRE_LIMITS_EXCEEDED, m_variableMscPcreLimitsExceeded)
+
+
+}  // namespace variables
+}  // namespace modsecurity
+
+#endif  // SRC_VARIABLES_MSC_PCRE_LIMITS_EXCEEDED_H_

src/variables/variable.h

@@ -202,6 +202,10 @@ class VariableMonkeyResolution {
                 t->m_variableMatchedVar.evaluate(l);
             } else if (comp(variable, "MATCHED_VAR_NAME")) {
                 t->m_variableMatchedVarName.evaluate(l);
+            } else if (comp(variable, "MSC_PCRE_ERROR")) {
+                t->m_variableMscPcreError.evaluate(l);
+            } else if (comp(variable, "MSC_PCRE_LIMITS_EXCEEDED")) {
+                t->m_variableMscPcreLimitsExceeded.evaluate(l);
             } else if (comp(variable, "MULTIPART_CRLF_LF_LINES")) {
                 t->m_variableMultipartCrlfLFLines.evaluate(l);
             } else if (comp(variable, "MULTIPART_DATA_AFTER")) {
@@ -365,6 +369,10 @@ class VariableMonkeyResolution {
                 vv = t->m_variableMatchedVar.resolveFirst();
             } else if (comp(variable, "MATCHED_VAR_NAME")) {
                 vv = t->m_variableMatchedVarName.resolveFirst();
+            } else if (comp(variable, "MSC_PCRE_ERROR")) {
+                vv = t->m_variableMscPcreError.resolveFirst();
+            } else if (comp(variable, "MSC_PCRE_LIMITS_EXCEEDED")) {
+                vv = t->m_variableMscPcreLimitsExceeded.resolveFirst();
             } else if (comp(variable, "MULTIPART_CRLF_LF_LINES")) {
                 vv = t->m_variableMultipartCrlfLFLines.resolveFirst();
             } else if (comp(variable, "MULTIPART_DATA_AFTER")) {