From 0e7c13e3c0471a53112cfbaf8a5633b9ae1fd86e Mon Sep 17 00:00:00 2001
From: Felipe Zimmerle
Date: Sat, 25 Jul 2015 08:18:06 -0300
Subject: [PATCH] Adds more regression tests to SecRemoteRules
---
 src/parser/seclang-parser.yy | 4 +-
 src/parser/seclang-scanner.ll | 8 +-
 .../data/config_example-bad-op-include.txt | 2 +
 .../data/config_example-ops-include.txt | 1 +
 .../regression/config-include-bad.json | 62 +++++++++++++++++++
 .../regression/config-secremoterules.json | 60 +++++++++++++++++-
 6 files changed, 130 insertions(+), 7 deletions(-)
 create mode 100644 test/test-cases/data/config_example-bad-op-include.txt
 create mode 100644 test/test-cases/data/config_example-ops-include.txt
 create mode 100644 test/test-cases/regression/config-include-bad.json
diff --git a/src/parser/seclang-parser.yy b/src/parser/seclang-parser.yy
index b362495c..143ea132 100644
--- a/src/parser/seclang-parser.yy
+++ b/src/parser/seclang-parser.yy
@@ -323,11 +323,11 @@ expression:
 {
 driver.responseBodyLimitAction = ModSecurity::Rules::BodyLimitAction::RejectBodyLimitAction;
 }
- | CONFIG_SEC_REMOTE_RULES_FAIL_ACTION CONFIG_VALUE_ABORT
+ | CONFIG_SEC_REMOTE_RULES_FAIL_ACTION SPACE CONFIG_VALUE_ABORT
 {
 driver.remoteRulesActionOnFailed = Rules::OnFailedRemoteRulesAction::AbortOnFailedRemoteRulesAction;
 }
- | CONFIG_SEC_REMOTE_RULES_FAIL_ACTION CONFIG_VALUE_WARN
+ | CONFIG_SEC_REMOTE_RULES_FAIL_ACTION SPACE CONFIG_VALUE_WARN
 {
 driver.remoteRulesActionOnFailed = Rules::OnFailedRemoteRulesAction::WarnOnFailedRemoteRulesAction;
 }
diff --git a/src/parser/seclang-scanner.ll b/src/parser/seclang-scanner.ll
index 656a1dae..4e6b6f2f 100755
--- a/src/parser/seclang-scanner.ll
+++ b/src/parser/seclang-scanner.ll
@@ -236,6 +236,7 @@ FREE_TEXT_NEW_LINE [^\"|\n]+
 std::vector conf = split(yytext, ' ');
 key = conf[1];
 url = conf[2];
+ driver.ref.push_back(url);
 driver.loc.push_back(*(new yy::location()));
 YY_BUFFER_STATE temp = YY_CURRENT_BUFFER;
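Review bot: The new `driver.ref.push_back(url);` runs before the download is attempted, and on the Warn path of the next hunk nothing visible pops it (nor the matching `driver.loc` entry), so the include bookkeeping presumably keeps a ref/loc pair for a rule set that was never loaded — worth confirming against whatever consumes `driver.ref`, since a stale entry there would misattribute later parse errors to the remote URL. While here, the adjacent context line `driver.loc.push_back(*(new yy::location()));` copies a heap-allocated location into the vector and never frees the original; `driver.loc.push_back(yy::location());` gives the same element without the leak. The enclosing scanner action starts before this hunk and continues past it.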
@@ -244,13 +245,12 @@ FREE_TEXT_NEW_LINE [^\"|\n]+
 bool ret = c.download(url);
 if (ret == false) {
- /**
- * TODO: Implement the fail action.
- *
- */
 if (driver.remoteRulesActionOnFailed == Rules::OnFailedRemoteRulesAction::WarnOnFailedRemoteRulesAction) {
+ /** TODO: Implement the server logging mechanism. */
 }
 if (driver.remoteRulesActionOnFailed == Rules::OnFailedRemoteRulesAction::AbortOnFailedRemoteRulesAction) {
+ driver.error (driver.loc.back(), "", yytext + std::string(" - Failed to download: ") + c.error);
+ throw yy::seclang_parser::syntax_error(driver.loc.back(), "");
 }
 }
diff --git a/test/test-cases/data/config_example-bad-op-include.txt b/test/test-cases/data/config_example-bad-op-include.txt
new file mode 100644
index 00000000..c255c20f
--- /dev/null
+++ b/test/test-cases/data/config_example-bad-op-include.txt
@@ -0,0 +1,2 @@
+SecRule ARGS "@contains config_example" "id:10,pass,t:trim"
+SecRule ARGS "@missingOperator config_example" "id:10,pass,t:trim"
diff --git a/test/test-cases/data/config_example-ops-include.txt b/test/test-cases/data/config_example-ops-include.txt
new file mode 100644
index 00000000..6a7cdfb2
--- /dev/null
+++ b/test/test-cases/data/config_example-ops-include.txt
@@ -0,0 +1 @@
+Include test-cases/data/config_example-not-exist.txt
\ No newline at end of file
diff --git a/test/test-cases/regression/config-include-bad.json b/test/test-cases/regression/config-include-bad.json
new file mode 100644
index 00000000..fa1c8160
--- /dev/null
+++ b/test/test-cases/regression/config-include-bad.json
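Review bot: The Abort branch's `driver.error(...)` embeds `yytext`, which for this directive is the whole `SecRemoteRules key url` line (the previous hunk splits it with `key = conf[1]`), so the key used to fetch the remote rule set is copied into the parser error string that is surfaced to the caller and, per the new regression test, matched in test output. Build the message from the URL instead, e.g. `driver.error(driver.loc.back(), "", std::string("SecRemoteRules ") + url + " - Failed to download: " + c.error);`, so a failed fetch cannot disclose the key through logs or error output. The Warn branch still holds only a TODO comment, so under Warn a failed download leaves no trace at all and `c.error` is discarded; until server logging exists the error text should at least be retained somewhere an operator can observe it, because a rule set silently not loaded is exactly the condition Warn is meant to surface. The enclosing scanner action starts before this hunk and continues after it, so the buffer handling that follows the download is not visible here.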
@@ -0,0 +1,62 @@
+[
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Include - bad rule",
+ "expected":{
+ "parser_error": "Rules error. File: config-include-bad.json. Line: 5. Column: 15."
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecDebugLog \/tmp\/modsec_debug.log",
+ "SecDebugLogLevel 9",
+ "Include test-cases/data/config_example.txt",
+ "SecRule ARGS \"@missing_operator test\" \"id:9,pass,t:trim\""
+ ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Include - missing file",
+ "expected":{
+ "parser_error": "Rules error. File: config-include-bad.json. Line: 4. Column: 47. Include test-cases/data/config_example-ops.txt: Not able to open file."
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecDebugLog \/tmp\/modsec_debug.log",
+ "SecDebugLogLevel 9",
+ "Include test-cases/data/config_example-ops.txt",
+ "SecRule ARGS \"@contains test\" \"id:9,pass,t:trim\""
+ ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Include - missing at include",
+ "expected":{
+ "parser_error": "Rules error. File: test-cases/data/config_example-ops-include.txt. Line: 1. Column: 53. Include test-cases/data/config_example-not-exist.txt: Not able to open file."
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecDebugLog \/tmp\/modsec_debug.log",
+ "SecDebugLogLevel 9",
+ "Include test-cases/data/config_example-ops-include.txt",
+ "SecRule ARGS \"@contains test\" \"id:9,pass,t:trim\""
+ ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Include - bad operator inside include",
+ "expected":{
+ "parser_error": "Rules error. File: test-cases/data/config_example-bad-op-include.txt. Line: 2. Column: 15."
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecDebugLog \/tmp\/modsec_debug.log",
+ "SecDebugLogLevel 9",
+ "Include test-cases/data/config_example-bad-op-include.txt",
+ "SecRule ARGS \"@contains test\" \"id:9,pass,t:trim\""
+ ]
+ }
+]
\ No newline at end of file
diff --git a/test/test-cases/regression/config-secremoterules.json b/test/test-cases/regression/config-secremoterules.json
index 78ea208e..61b39f69 100644
--- a/test/test-cases/regression/config-secremoterules.json
+++ b/test/test-cases/regression/config-secremoterules.json
@@ -2,7 +2,7 @@
 {
 "enabled":1,
 "version_min":300000,
- "title":"Include",
+ "title":"Include remote rules",
 "client":{
 "ip":"200.249.12.31",
 "port":123
@@ -40,5 +40,63 @@
 "SecRemoteRules key https://www.modsecurity.org/modsecurity-regression-test-secremoterules.txt",
 "SecRule ARGS \"@contains somethingelse\" \"id:9,pass,t:trim\""
 ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Include remote rules - failed download (Abort)",
+ "expected":{
+ "parser_error": "Failed to download: HTTP response code said error"
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecDebugLog \/tmp\/modsec_debug.log",
+ "SecDebugLogLevel 9",
+ "SecRemoteRulesFailAction Abort",
+ "SecRemoteRules key https://www.modsecurity.org/modsecurity-regression-test-secremoterules-bonga.txt"
+ ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Include remote rules - failed download (Warn)",
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "request":{
+ "headers":{
+ "Host":"localhost",
+ "User-Agent":"curl/7.38.0",
+ "Accept":"*/*"
+ },
+ "uri":"/?key=value&key=other_value",
+ "protocol":"GET"
+ },
+ "response":{
+ "headers":{
+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+ "Content-Type":"text/html"
+ },
+ "body":[
+ "no need."
+ ]
+ },
+ "expected":{
+ "debug_log":"Executing operator \"@contains \" with param \"somethingelse\" against ARGS."
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecDebugLog \/tmp\/modsec_debug.log",
+ "SecDebugLogLevel 9",
+ "SecRemoteRulesFailAction Warn",
+ "SecRemoteRules key https://www.modsecurity.org/modsecurity-regression-test-secremoterules-bonga.txt",
+ "SecRule ARGS \"@contains somethingelse\" \"id:9,pass,t:trim\""
+ ]
 }
]
\ No newline at end of file
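Review bot: Both new cases depend on a live fetch from www.modsecurity.org, and the Abort case pins the downloader's wording `HTTP response code said error`, so the test fails offline or under a DNS/TLS failure that produces a different error string instead of the HTTP status error it assumes; relaxing the expectation to the stable prefix `Failed to download:` (or pointing the URL at a local fixture that returns an error status) would make the failure mode it checks deterministic. The Warn case only asserts that the following local rule executed (`debug_log` on the `@contains` operator), which would pass just as well if the failed download were silently ignored, so it does not verify that any warning is actually produced; once the Warn path emits something, this case should assert on that output. The `key` token in these directives is echoed verbatim into the parser error by the scanner, so keep it a placeholder here rather than a real credential.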