Support expirevar for in-memory collection

Makefile.am

@@ -103,6 +103,7 @@ TESTS+=test/test-cases/regression/action-ctl_rule_remove_target_by_id.json
 TESTS+=test/test-cases/regression/action-ctl_rule_remove_target_by_tag.json
 TESTS+=test/test-cases/regression/action-disruptive.json
 TESTS+=test/test-cases/regression/action-exec.json
+TESTS+=test/test-cases/regression/action-expirevar.json
 TESTS+=test/test-cases/regression/action-id.json
 TESTS+=test/test-cases/regression/action-initcol.json
 TESTS+=test/test-cases/regression/action-msg.json

headers/modsecurity/collection/collection.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -16,7 +16,6 @@
 
 #ifdef __cplusplus
 #include <string>
-#include <iostream>
 #include <unordered_map>
 #include <list>
 #include <vector>
@@ -56,6 +55,8 @@ class Collection {
 
     virtual void del(const std::string& key) = 0;
 
+    virtual void setExpiry(const std::string& key, int32_t expiry_seconds) = 0;
+
     virtual std::unique_ptr<std::string> resolveFirst(
         const std::string& var) = 0;
 
@@ -129,6 +130,21 @@ class Collection {
     }
 
 
+    /* setExpiry */
+    virtual void setExpiry(const std::string& key, std::string compartment,
+        int32_t expiry_seconds) {
+        std::string nkey = compartment + "::" + key;
+        setExpiry(nkey, expiry_seconds);
+    }
+
+
+    virtual void setExpiry(const std::string& key, std::string compartment,
+        std::string compartment2, int32_t expiry_seconds) {
+        std::string nkey = compartment + "::" + compartment2 + "::" + key;
+        setExpiry(nkey, expiry_seconds);
+    }
+
+
     /* resolveFirst */
     virtual std::unique_ptr<std::string> resolveFirst(const std::string& var,
         std::string compartment) {

src/Makefile.am

@@ -134,6 +134,7 @@ ACTIONS = \
 	actions/disruptive/redirect.cc \
 	actions/disruptive/pass.cc \
 	actions/exec.cc \
+	actions/expire_var.cc \
 	actions/init_col.cc \
 	actions/log.cc \
 	actions/log_data.cc \
@@ -259,6 +260,7 @@ UTILS = \
 
 COLLECTION = \
 	collection/collections.cc \
+	collection/backend/collection_data.cc \
 	collection/backend/in_memory-per_process.cc \
 	collection/backend/lmdb.cc
 

src/actions/expire_var.cc

@@ -0,0 +1,95 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "src/actions/expire_var.h"
+
+#include <string>
+
+#include "modsecurity/rules_set.h"
+#include "modsecurity/transaction.h"
+#include "modsecurity/rule.h"
+#include "src/utils/string.h"
+#include "src/variables/global.h"
+#include "src/variables/ip.h"
+#include "src/variables/resource.h"
+#include "src/variables/session.h"
+#include "src/variables/user.h"
+#include "src/variables/variable.h"
+
+namespace modsecurity {
+namespace actions {
+
+
+bool ExpireVar::init(std::string *error) {
+    return true;
+}
+
+
+bool ExpireVar::evaluate(RuleWithActions *rule, Transaction *t) {
+
+    std::string expireExpressionExpanded(m_string->evaluate(t));
+
+    std::string fully_qualified_var;
+    int expirySeconds = 0;
+    size_t posEquals = expireExpressionExpanded.find("=");
+    if (posEquals == std::string::npos) {
+        fully_qualified_var = expireExpressionExpanded;
+    } else {
+        fully_qualified_var = expireExpressionExpanded.substr(0, posEquals);
+	std::string expiry = expireExpressionExpanded.substr(posEquals+1);
+	if (expiry.find_first_not_of("0123456789") == std::string::npos) {
+            expirySeconds = atoi(expiry.c_str());
+	} else {
+            ms_dbg_a(t, 5, "Non-numeric expiry seconds found in expirevar expression.");
+            return true;
+	}
+    }
+
+    size_t posDot = fully_qualified_var.find(".");
+    if (posDot == std::string::npos) {
+        ms_dbg_a(t, 5, "No collection found in expirevar expression.");
+	return true;
+    }
+
+    std::string collection = fully_qualified_var.substr(0, posDot);
+    std::string variable_name = fully_qualified_var.substr(posDot+1);
+    std::unique_ptr<RunTimeString> runTimeString(new RunTimeString());
+    runTimeString->appendText(fully_qualified_var);
+
+    if (collection == "ip") {
+        std::unique_ptr<modsecurity::variables::Ip_DynamicElement> ip_dynamicElement(new modsecurity::variables::Ip_DynamicElement(std::move(runTimeString)));
+        ip_dynamicElement->setExpiry(t, variable_name, expirySeconds);
+    } else if (collection == "global") {
+        std::unique_ptr<modsecurity::variables::Global_DynamicElement> global_dynamicElement(new modsecurity::variables::Global_DynamicElement(std::move(runTimeString)));
+        global_dynamicElement->setExpiry(t, variable_name, expirySeconds);
+    } else if (collection == "resource") {
+        std::unique_ptr<modsecurity::variables::Resource_DynamicElement> resource_dynamicElement(new modsecurity::variables::Resource_DynamicElement(std::move(runTimeString)));
+        resource_dynamicElement->setExpiry(t, variable_name, expirySeconds);
+    } else if (collection == "session") {
+        std::unique_ptr<modsecurity::variables::Session_DynamicElement> session_dynamicElement(new modsecurity::variables::Session_DynamicElement(std::move(runTimeString)));
+        session_dynamicElement->setExpiry(t, variable_name, expirySeconds);
+    } else if (collection == "user") {
+        std::unique_ptr<modsecurity::variables::User_DynamicElement> user_dynamicElement(new modsecurity::variables::User_DynamicElement(std::move(runTimeString)));
+        user_dynamicElement->setExpiry(t, variable_name, expirySeconds);
+    } else {
+        ms_dbg_a(t, 5, "Invalid collection found in expirevar expression: collection must be `ip', `global', `resource', `user' or `session'");
+    }
+    ms_dbg_a(t, 9, "Setting variable `" + variable_name + "' to expire in " + std::to_string(expirySeconds) + " seconds.");
+
+    return true;
+}
+
+}  // namespace actions
+}  // namespace modsecurity

src/actions/expire_var.h

@@ -0,0 +1,54 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include <memory>
+#include <string>
+#include <utility>
+
+#include "modsecurity/actions/action.h"
+#include "src/run_time_string.h"
+
+#ifndef SRC_ACTIONS_EXPIRE_VAR_H_
+#define SRC_ACTIONS_EXPIRE_VAR_H_
+
+class Transaction;
+
+namespace modsecurity {
+class Transaction;
+class RuleWithOperator;
+
+namespace actions {
+
+class ExpireVar : public Action {
+ public:
+    explicit ExpireVar(const std::string &action) : Action(action) { }
+
+    explicit ExpireVar(std::unique_ptr<RunTimeString> z)
+        : Action("expirevar", RunTimeOnlyIfMatchKind),
+            m_string(std::move(z)) { }
+
+    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
+    bool init(std::string *error) override;
+
+ private:
+
+    std::unique_ptr<RunTimeString> m_string;
+};
+
+}  // namespace actions
+}  // namespace modsecurity
+
+
+#endif  // SRC_ACTIONS_EXPIRE_VAR_H_

src/collection/backend/collection_data.cc

@@ -0,0 +1,41 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "src/collection/backend/collection_data.h"
+
+
+namespace modsecurity {
+namespace collection {
+namespace backend {
+
+
+bool CollectionData::isExpired() const {
+    if (m_hasExpiryTime == false) {
+        return false;
+    }
+    auto now = std::chrono::system_clock::now();
+    return (now >= m_expiryTime);
+}
+
+
+void CollectionData::setExpiry(int32_t seconds_until_expiry) {
+    m_expiryTime = std::chrono::system_clock::now() + std::chrono::seconds(seconds_until_expiry);
+    m_hasExpiryTime = true;
+}
+
+
+}  // namespace backend
+}  // namespace collection
+}  // namespace modsecurity

src/collection/backend/collection_data.h

@@ -0,0 +1,68 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+
+#ifdef __cplusplus
+#include <string>
+#include <memory>
+#include <chrono>
+#endif
+
+
+#include "modsecurity/collection/collection.h"
+
+#ifndef SRC_COLLECTION_DATA_H_
+#define SRC_COLLECTION_DATA_H_
+
+#ifdef __cplusplus
+namespace modsecurity {
+namespace collection {
+namespace backend {
+
+class CollectionData {
+public:
+    CollectionData() :
+        m_hasValue(false),
+	m_hasExpiryTime(false) { }
+
+    CollectionData(const std::string &value) :
+        m_hasValue(true),
+	m_hasExpiryTime(false),
+	m_value(value) { }
+
+    void setValue(const std::string &value) {
+        m_value = value;
+        m_hasValue = true;
+    }
+    bool hasValue() const { return m_hasValue;}
+    const std::string& getValue() const { return m_value;}
+
+    void setExpiry(int32_t seconds_until_expiry);
+    bool hasExpiry() const { return m_hasExpiryTime;}
+    bool isExpired() const;
+
+private:
+    bool m_hasValue;
+    bool m_hasExpiryTime;
+    std::string m_value;
+    std::chrono::system_clock::time_point m_expiryTime;
+};
+
+}  // namespace backend
+}  // namespace collection
+}  // namespace modsecurity
+#endif
+
+#endif  // SRC_COLLECTION_DATA_H_

src/collection/backend/in_memory-per_process.cc

@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -15,6 +15,7 @@
 
 
 #include "src/collection/backend/in_memory-per_process.h"
+#include "src/collection/backend/collection_data.h"
 
 #ifdef __cplusplus
 #include <string>
@@ -69,7 +70,7 @@ bool InMemoryPerProcess::updateFirst(const std::string &key,
     auto range = this->equal_range(key);
 
     for (auto it = range.first; it != range.second; ++it) {
-        it->second = value;
+        it->second.setValue(value);
         pthread_mutex_unlock(&m_lock);
         return true;
     }
@@ -84,13 +85,49 @@ void InMemoryPerProcess::del(const std::string& key) {
     pthread_mutex_unlock(&m_lock);
 }
 
+void InMemoryPerProcess::delIfExpired(const std::string& key) {
+    pthread_mutex_lock(&m_lock);
+    // Double check the status while within the mutex
+    auto iter = this->find(key);
+    if ((iter != this->end()) && (iter->second.isExpired())) {
+        this->erase(key);
+    }
+    pthread_mutex_unlock(&m_lock);
+}
+
+void InMemoryPerProcess::setExpiry(const std::string& key, int32_t expiry_seconds) {
+    pthread_mutex_lock(&m_lock);
+    auto range = this->equal_range(key);
+    for (auto it = range.first; it != range.second; ++it) {
+        it->second.setExpiry(expiry_seconds);
+        pthread_mutex_unlock(&m_lock);
+	return;
+    }
+
+    // We allow an expiry value to be set for a key that has not (yet) had a value set.
+    auto iter = this->emplace(key, CollectionData());
+    iter->second.setExpiry(expiry_seconds);
+
+    pthread_mutex_unlock(&m_lock);
+}
+
 
 void InMemoryPerProcess::resolveSingleMatch(const std::string& var,
     std::vector<const VariableValue *> *l) {
+    std::list<std::string> expiredVars;
     auto range = this->equal_range(var);
 
     for (auto it = range.first; it != range.second; ++it) {
-        l->push_back(new VariableValue(&m_name, &it->first, &it->second));
+        if (it->second.isExpired()) {
+            expiredVars.push_back(it->first);
+	} else if (it->second.hasValue() == false) {
+            // No-op. A non-expired expiry exists for the key but there is no actual value
+	} else {
+            l->push_back(new VariableValue(&m_name, &it->first, &it->second.getValue()));
+	}
+    }
+    for (const auto& expiredVar : expiredVars) {
+        delIfExpired(expiredVar);
     }
 }
 
@@ -99,14 +136,21 @@ void InMemoryPerProcess::resolveMultiMatches(const std::string& var,
     std::vector<const VariableValue *> *l, variables::KeyExclusions &ke) {
     size_t keySize = var.size();
     l->reserve(15);
+    std::list<std::string> expiredVars;
 
     if (keySize == 0) {
         for (auto &i : *this) {
             if (ke.toOmit(i.first)) {
                 continue;
             }
-            l->insert(l->begin(), new VariableValue(&m_name, &i.first,
+            if (i.second.isExpired()) {
-                &i.second));
+                expiredVars.push_back(i.first);
+	    } else if (i.second.hasValue() == false) {
+                // No-op. A non-expired expiry exists for the key but there is no actual value
+	    } else {
+                l->insert(l->begin(), new VariableValue(&m_name, &i.first,
+                    &i.second.getValue()));
+	    }
         }
     } else {
         auto range = this->equal_range(var);
@@ -114,10 +158,19 @@ void InMemoryPerProcess::resolveMultiMatches(const std::string& var,
             if (ke.toOmit(var)) {
                 continue;
             }
-            l->insert(l->begin(), new VariableValue(&m_name, &var,
+            if (it->second.isExpired()) {
-                &it->second));
+                expiredVars.push_back(it->first);
+	    } else if (it->second.hasValue() == false) {
+                // No-op. A non-expired expiry exists for the key but there is no actual value
+	    } else {
+                l->insert(l->begin(), new VariableValue(&m_name, &var,
+                    &it->second.getValue()));
+	    }
         }
     }
+    for (const auto& expiredVar : expiredVars) {
+        delIfExpired(expiredVar);
+    }
 }
 
 
@@ -135,6 +188,7 @@ void InMemoryPerProcess::resolveRegularExpression(const std::string& var,
     //    var.size() - var.find(":") - 3);
     //size_t keySize = col.size();
     Utils::Regex r(var, true);
+    std::list<std::string> expiredVars;
 
     for (const auto& x : *this) {
         //if (x.first.size() <= keySize + 1) {
@@ -155,7 +209,16 @@ void InMemoryPerProcess::resolveRegularExpression(const std::string& var,
         if (ke.toOmit(x.first)) {
             continue;
         }
-        l->insert(l->begin(), new VariableValue(&m_name, &x.first, &x.second));
+        if (x.second.isExpired()) {
+            expiredVars.push_back(x.first);
+	} else if (x.second.hasValue() == false) {
+            // No-op. A non-expired expiry exists for the key but there is no actual value
+	} else {
+            l->insert(l->begin(), new VariableValue(&m_name, &x.first, &x.second.getValue()));
+	}
+    }
+    for (const auto& expiredVar : expiredVars) {
+        delIfExpired(expiredVar);
     }
 }
 
@@ -164,7 +227,13 @@ std::unique_ptr<std::string> InMemoryPerProcess::resolveFirst(
     const std::string& var) {
     auto range = equal_range(var);
     for (auto it = range.first; it != range.second; ++it) {
-        return std::unique_ptr<std::string>(new std::string(it->second));
+        if (it->second.isExpired()) {
+            delIfExpired(it->second.getValue());
+	} else if (it->second.hasValue() == false) {
+            // No-op. A non-expired expiry exists for the key but there is no actual value
+	} else {
+            return std::unique_ptr<std::string>(new std::string(it->second.getValue()));
+	}
     }
 
     return NULL;

src/collection/backend/in_memory-per_process.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -18,6 +18,7 @@
 #include <string>
 #include <iostream>
 #include <unordered_map>
+#include <chrono>
 #include <list>
 #include <vector>
 #include <algorithm>
@@ -27,6 +28,7 @@
 
 #include "modsecurity/variable_value.h"
 #include "modsecurity/collection/collection.h"
+#include "src/collection/backend/collection_data.h"
 #include "src/variables/variable.h"
 
 #ifndef SRC_COLLECTION_BACKEND_IN_MEMORY_PER_PROCESS_H_
@@ -68,7 +70,7 @@ struct MyHash{
 };
 
 class InMemoryPerProcess :
-    public std::unordered_multimap<std::string, std::string,
+    public std::unordered_multimap<std::string, CollectionData,
         /*std::hash<std::string>*/MyHash, MyEqual>,
     public Collection {
  public:
@@ -84,6 +86,10 @@ class InMemoryPerProcess :
 
     void del(const std::string& key) override;
 
+    void delIfExpired(const std::string& key);
+
+    void setExpiry(const std::string& key, int32_t expiry_seconds) override;
+
     std::unique_ptr<std::string> resolveFirst(const std::string& var) override;
 
     void resolveSingleMatch(const std::string& var,

src/collection/backend/lmdb.cc

@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -400,6 +400,9 @@ end_txn:
     return;
 }
 
+void LMDB::setExpiry(const std::string& key, int32_t expiry_seconds) {
+    // TODO: add implementation
+}
 
 void LMDB::resolveMultiMatches(const std::string& var,
     std::vector<const VariableValue *> *l,

src/collection/backend/lmdb.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -108,6 +108,8 @@ class LMDB :
 
     void del(const std::string& key) override;
 
+    void setExpiry(const std::string& key, int32_t expiry_seconds) override;
+
     std::unique_ptr<std::string> resolveFirst(const std::string& var) override;
 
     void resolveSingleMatch(const std::string& var,

src/parser/seclang-parser.hh

@@ -83,6 +83,7 @@ class Driver;
 #include "src/actions/disruptive/redirect.h"
 #include "src/actions/init_col.h"
 #include "src/actions/exec.h"
+#include "src/actions/expire_var.h"
 #include "src/actions/log_data.h"
 #include "src/actions/log.h"
 #include "src/actions/maturity.h"
@@ -354,7 +355,7 @@ using namespace modsecurity::operators;
     a = std::move(c);
 
 
-#line 358 "seclang-parser.hh"
+#line 359 "seclang-parser.hh"
 
 # include <cassert>
 # include <cstdlib> // std::abort
@@ -494,7 +495,7 @@ using namespace modsecurity::operators;
 #endif
 
 namespace yy {
-#line 498 "seclang-parser.hh"
+#line 499 "seclang-parser.hh"
 
 
 
@@ -8069,7 +8070,7 @@ switch (yykind)
     /// Constants.
     enum
     {
-      yylast_ = 3372,     ///< Last index in yytable_.
+      yylast_ = 3373,     ///< Last index in yytable_.
       yynnts_ = 16,  ///< Number of nonterminal symbols.
       yyfinal_ = 341 ///< Termination state number.
     };
@@ -8731,7 +8732,7 @@ switch (yykind)
 
 
 } // yy
-#line 8735 "seclang-parser.hh"
+#line 8736 "seclang-parser.hh"
 
 
 

src/parser/seclang-parser.yy

@@ -44,6 +44,7 @@ class Driver;
 #include "src/actions/disruptive/redirect.h"
 #include "src/actions/init_col.h"
 #include "src/actions/exec.h"
+#include "src/actions/expire_var.h"
 #include "src/actions/log_data.h"
 #include "src/actions/log.h"
 #include "src/actions/maturity.h"
@@ -2744,10 +2745,9 @@ act:
       {
         ACTION_CONTAINER($$, new actions::Exec($1));
       }
-    | ACTION_EXPIRE_VAR
+    | ACTION_EXPIRE_VAR run_time_string
       {
-        //ACTION_NOT_SUPPORTED("ExpireVar", @0);
+        ACTION_CONTAINER($$, new actions::ExpireVar(std::move($2)));
-        ACTION_CONTAINER($$, new actions::Action($1));
       }
     | ACTION_ID
       {

src/parser/seclang-scanner.ll

@@ -545,10 +545,7 @@ EQUALS_MINUS                            (?i:=\-)
 {ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG}[=]{REMOVE_RULE_BY}               { return p::make_ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG(yytext, *driver.loc.back()); }
 {ACTION_EXEC}:'{VAR_FREE_TEXT_QUOTE}'                                   { return p::make_ACTION_EXEC(yytext, *driver.loc.back()); }
 {ACTION_EXEC}:{VAR_FREE_TEXT_SPACE_COMMA}                               { return p::make_ACTION_EXEC(yytext, *driver.loc.back()); }
-{ACTION_EXPIRE_VAR}:'{VAR_FREE_TEXT_QUOTE}={VAR_FREE_TEXT_QUOTE}'       { return p::make_ACTION_EXPIRE_VAR(yytext, *driver.loc.back()); }
+{ACTION_EXPIRE_VAR}:                                                    { BEGIN(EXPECTING_ACTION_PREDICATE); return p::make_ACTION_EXPIRE_VAR(yytext, *driver.loc.back()); }
-{ACTION_EXPIRE_VAR}:'{VAR_FREE_TEXT_QUOTE}'                             { return p::make_ACTION_EXPIRE_VAR(yytext, *driver.loc.back()); }
-{ACTION_EXPIRE_VAR}:{VAR_FREE_TEXT_SPACE_COMMA}                         { return p::make_ACTION_EXPIRE_VAR(yytext, *driver.loc.back()); }
-{ACTION_EXPIRE_VAR}:{VAR_FREE_TEXT_SPACE}={VAR_FREE_TEXT_SPACE_COMMA}   { return p::make_ACTION_EXPIRE_VAR(yytext, *driver.loc.back()); }
 {ACTION_INITCOL}:{COL_NAME}=                                            { BEGIN(EXPECTING_ACTION_PREDICATE); return p::make_ACTION_INITCOL(yytext, *driver.loc.back()); }
 {ACTION_MATURITY}:'{FREE_TEXT_QUOTE}'                                   { return p::make_ACTION_MATURITY(yytext, *driver.loc.back()); }
 {ACTION_MATURITY}:{FREE_TEXT_QUOTE}                                     { return p::make_ACTION_MATURITY(yytext, *driver.loc.back()); }

src/variables/global.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -13,7 +13,6 @@
  *
  */
 
-#include <iostream>
 #include <list>
 #include <memory>
 #include <string>
@@ -106,6 +105,12 @@ class Global_DynamicElement : public Variable {
             t->m_rules->m_secWebAppId.m_value);
     }
 
+    static void setExpiry(Transaction *t, const std::string &k, int32_t expiry_seconds) {
+        t->m_collections.m_global_collection->setExpiry(k,
+            t->m_collections.m_global_collection_key,
+            t->m_rules->m_secWebAppId.m_value, expiry_seconds);
+    }
+
     static void storeOrUpdateFirst(Transaction *t, const std::string &var,
         const std::string &value) {
         t->m_collections.m_global_collection->storeOrUpdateFirst(

src/variables/ip.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -13,7 +13,6 @@
  *
  */
 
-#include <iostream>
 #include <list>
 #include <memory>
 #include <string>
@@ -105,6 +104,12 @@ class Ip_DynamicElement : public Variable {
             t->m_rules->m_secWebAppId.m_value);
     }
 
+    static void setExpiry(Transaction *t, const std::string &k, int32_t expiry_seconds) {
+        t->m_collections.m_ip_collection->setExpiry(k,
+            t->m_collections.m_ip_collection_key,
+            t->m_rules->m_secWebAppId.m_value, expiry_seconds);
+    }
+
     static void storeOrUpdateFirst(Transaction *t, const std::string &var,
         const std::string &value) {
         t->m_collections.m_ip_collection->storeOrUpdateFirst(

src/variables/resource.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -13,7 +13,6 @@
  *
  */
 
-#include <iostream>
 #include <list>
 #include <memory>
 #include <string>
@@ -105,6 +104,13 @@ class Resource_DynamicElement : public Variable {
             t->m_rules->m_secWebAppId.m_value);
     }
 
+    static void setExpiry(Transaction *t, const std::string &k, int32_t expiry_seconds) {
+        t->m_collections.m_resource_collection->setExpiry(k,
+            t->m_collections.m_resource_collection_key,
+            t->m_rules->m_secWebAppId.m_value, expiry_seconds);
+    }
+
+
     static void storeOrUpdateFirst(Transaction *t, const std::string &var,
         const std::string &value) {
         t->m_collections.m_resource_collection->storeOrUpdateFirst(

src/variables/session.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -13,7 +13,6 @@
  *
  */
 
-#include <iostream>
 #include <list>
 #include <memory>
 #include <string>
@@ -105,6 +104,12 @@ class Session_DynamicElement : public Variable {
             t->m_collections.m_ip_collection_key);
     }
 
+    static void setExpiry(Transaction *t, const std::string &k, int32_t expiry_seconds) {
+        t->m_collections.m_session_collection->setExpiry(k,
+            t->m_collections.m_session_collection_key,
+            t->m_rules->m_secWebAppId.m_value, expiry_seconds);
+    }
+
     static void storeOrUpdateFirst(Transaction *t, const std::string &var,
         const std::string &value) {
         t->m_collections.m_session_collection->storeOrUpdateFirst(

src/variables/user.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -13,7 +13,6 @@
  *
  */
 
-#include <iostream>
 #include <list>
 #include <memory>
 #include <string>
@@ -105,6 +104,12 @@ class User_DynamicElement : public Variable {
             t->m_rules->m_secWebAppId.m_value);
     }
 
+    static void setExpiry(Transaction *t, const std::string &k, int32_t expiry_seconds) {
+        t->m_collections.m_user_collection->setExpiry(k,
+            t->m_collections.m_user_collection_key,
+            t->m_rules->m_secWebAppId.m_value, expiry_seconds);
+    }
+
     static void storeOrUpdateFirst(Transaction *t, const std::string &var,
         const std::string &value) {
         t->m_collections.m_user_collection->storeOrUpdateFirst(

test/cppcheck_suppressions.txt

@@ -78,6 +78,7 @@ accessMoved:seclang-parser.hh
 unreadVariable:src/operators/rx.cc
 unreadVariable:src/operators/rx_global.cc
 
+noExplicitConstructor:src/collection/backend/collection_data.h
 
 unusedFunction
 missingIncludeSystem

test/test-cases/regression/action-expirevar.json

@@ -0,0 +1,64 @@
+[
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing expirevar action (1/x)",
+    "expected":{
+      "debug_log": "Saving msg: mycount1 is 100"
+    },
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value",
+      "method":"GET"
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecAction \"initcol:ip='127.0.0.1',id:5000,phase:1\"",
+      "SecRule ARGS \"@rx value\" \"id:'5001',phase:2,setvar:ip.mycount1=100,expirevar:ip.mycount1=60,pass\"",
+      "SecRule &IP:mycount1 \"@eq 1\" \"id:'5002',phase:2,pass,log,msg:'mycount1 is %{ip.mycount1}\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing expirevar action (2/x)",
+    "expected":{
+      "debug_log": "Saving msg: mycount1 is 12"
+    },
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value",
+      "method":"GET"
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule ARGS \"@rx .\" \"id:5150,phase:2,pass,setsid:sess1234\"",
+      "SecRule ARGS \"@rx value\" \"id:5151,phase:2,pass,setvar:session.mycount1=12,expirevar:session.mycount1=30\"",
+      "SecRule &SESSION:mycount1 \"@eq 1\" \"id:'5152',phase:2,pass,log,msg:'mycount1 is %{session.mycount1}\""
+    ]
+  }
+]