github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 13:26:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Support expirevar for in-memory collection

Browse Source
This commit is contained in:
Martin Vierula 2023-09-29 10:58:43 -07:00
parent 135d1fa42b
commit 118e1b3a44
23 changed files with 5305 additions and 5195 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Makefile.am
View File

@ -103,6 +103,7 @@ TESTS+=test/test-cases/regression/action-ctl_rule_remove_target_by_id.json
TESTS+=test/test-cases/regression/action-ctl_rule_remove_target_by_tag.json
TESTS+=test/test-cases/regression/action-disruptive.json
TESTS+=test/test-cases/regression/action-exec.json
TESTS+=test/test-cases/regression/action-expirevar.json
TESTS+=test/test-cases/regression/action-id.json
TESTS+=test/test-cases/regression/action-initcol.json
TESTS+=test/test-cases/regression/action-msg.json

20
headers/modsecurity/collection/collection.h
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -16,7 +16,6 @@
#ifdef __cplusplus
#include <string>
#include <iostream>
#include <unordered_map>
#include <list>
#include <vector>
@ -56,6 +55,8 @@ class Collection {
virtual void del(const std::string& key) = 0;
virtual void setExpiry(const std::string& key, int32_t expiry_seconds) = 0;
virtual std::unique_ptr<std::string> resolveFirst(
const std::string& var) = 0;
@ -129,6 +130,21 @@ class Collection {
}
/* setExpiry */
virtual void setExpiry(const std::string& key, std::string compartment,
int32_t expiry_seconds) {
std::string nkey = compartment + "::" + key;
setExpiry(nkey, expiry_seconds);
}
virtual void setExpiry(const std::string& key, std::string compartment,
std::string compartment2, int32_t expiry_seconds) {
std::string nkey = compartment + "::" + compartment2 + "::" + key;
setExpiry(nkey, expiry_seconds);
}
/* resolveFirst */
virtual std::unique_ptr<std::string> resolveFirst(const std::string& var,
std::string compartment) {

2
src/Makefile.am
View File

@ -134,6 +134,7 @@ ACTIONS = \
actions/disruptive/redirect.cc \
actions/disruptive/pass.cc \
actions/exec.cc \
actions/expire_var.cc \
actions/init_col.cc \
actions/log.cc \
actions/log_data.cc \
@ -259,6 +260,7 @@ UTILS = \
COLLECTION = \
collection/collections.cc \
collection/backend/collection_data.cc \
collection/backend/in_memory-per_process.cc \
collection/backend/lmdb.cc

95
src/actions/expire_var.cc Normal file
View File

@ -0,0 +1,95 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Trustwave Holdings, Inc.
* directly using the email address security@modsecurity.org.
*
*/
#include "src/actions/expire_var.h"
#include <string>
#include "modsecurity/rules_set.h"
#include "modsecurity/transaction.h"
#include "modsecurity/rule.h"
#include "src/utils/string.h"
#include "src/variables/global.h"
#include "src/variables/ip.h"
#include "src/variables/resource.h"
#include "src/variables/session.h"
#include "src/variables/user.h"
#include "src/variables/variable.h"
namespace modsecurity {
namespace actions {
bool ExpireVar::init(std::string *error) {
return true;
}
bool ExpireVar::evaluate(RuleWithActions *rule, Transaction *t) {
std::string expireExpressionExpanded(m_string->evaluate(t));
std::string fully_qualified_var;
int expirySeconds = 0;
size_t posEquals = expireExpressionExpanded.find("=");
if (posEquals == std::string::npos) {
fully_qualified_var = expireExpressionExpanded;
} else {
fully_qualified_var = expireExpressionExpanded.substr(0, posEquals);
std::string expiry = expireExpressionExpanded.substr(posEquals+1);
if (expiry.find_first_not_of("0123456789") == std::string::npos) {
expirySeconds = atoi(expiry.c_str());
} else {
ms_dbg_a(t, 5, "Non-numeric expiry seconds found in expirevar expression.");
return true;
}
}
size_t posDot = fully_qualified_var.find(".");
if (posDot == std::string::npos) {
ms_dbg_a(t, 5, "No collection found in expirevar expression.");
return true;
}
std::string collection = fully_qualified_var.substr(0, posDot);
std::string variable_name = fully_qualified_var.substr(posDot+1);
std::unique_ptr<RunTimeString> runTimeString(new RunTimeString());
runTimeString->appendText(fully_qualified_var);
if (collection == "ip") {
std::unique_ptr<modsecurity::variables::Ip_DynamicElement> ip_dynamicElement(new modsecurity::variables::Ip_DynamicElement(std::move(runTimeString)));
ip_dynamicElement->setExpiry(t, variable_name, expirySeconds);
} else if (collection == "global") {
std::unique_ptr<modsecurity::variables::Global_DynamicElement> global_dynamicElement(new modsecurity::variables::Global_DynamicElement(std::move(runTimeString)));
global_dynamicElement->setExpiry(t, variable_name, expirySeconds);
} else if (collection == "resource") {
std::unique_ptr<modsecurity::variables::Resource_DynamicElement> resource_dynamicElement(new modsecurity::variables::Resource_DynamicElement(std::move(runTimeString)));
resource_dynamicElement->setExpiry(t, variable_name, expirySeconds);
} else if (collection == "session") {
std::unique_ptr<modsecurity::variables::Session_DynamicElement> session_dynamicElement(new modsecurity::variables::Session_DynamicElement(std::move(runTimeString)));
session_dynamicElement->setExpiry(t, variable_name, expirySeconds);
} else if (collection == "user") {
std::unique_ptr<modsecurity::variables::User_DynamicElement> user_dynamicElement(new modsecurity::variables::User_DynamicElement(std::move(runTimeString)));
user_dynamicElement->setExpiry(t, variable_name, expirySeconds);
} else {
ms_dbg_a(t, 5, "Invalid collection found in expirevar expression: collection must be `ip', `global', `resource', `user' or `session'");
}
ms_dbg_a(t, 9, "Setting variable `" + variable_name + "' to expire in " + std::to_string(expirySeconds) + " seconds.");
return true;
}
} // namespace actions
} // namespace modsecurity

54
src/actions/expire_var.h Normal file
View File

@ -0,0 +1,54 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Trustwave Holdings, Inc.
* directly using the email address security@modsecurity.org.
*
*/
#include <memory>
#include <string>
#include <utility>
#include "modsecurity/actions/action.h"
#include "src/run_time_string.h"
#ifndef SRC_ACTIONS_EXPIRE_VAR_H_
#define SRC_ACTIONS_EXPIRE_VAR_H_
class Transaction;
namespace modsecurity {
class Transaction;
class RuleWithOperator;
namespace actions {
class ExpireVar : public Action {
public:
explicit ExpireVar(const std::string &action) : Action(action) { }
explicit ExpireVar(std::unique_ptr<RunTimeString> z)
: Action("expirevar", RunTimeOnlyIfMatchKind),
m_string(std::move(z)) { }
bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
bool init(std::string *error) override;
private:
std::unique_ptr<RunTimeString> m_string;
};
} // namespace actions
} // namespace modsecurity
#endif // SRC_ACTIONS_EXPIRE_VAR_H_

41
src/collection/backend/collection_data.cc Normal file
View File

@ -0,0 +1,41 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Trustwave Holdings, Inc.
* directly using the email address security@modsecurity.org.
*
*/
#include "src/collection/backend/collection_data.h"
namespace modsecurity {
namespace collection {
namespace backend {
bool CollectionData::isExpired() const {
if (m_hasExpiryTime == false) {
return false;
}
auto now = std::chrono::system_clock::now();
return (now >= m_expiryTime);
}
void CollectionData::setExpiry(int32_t seconds_until_expiry) {
m_expiryTime = std::chrono::system_clock::now() + std::chrono::seconds(seconds_until_expiry);
m_hasExpiryTime = true;
}
} // namespace backend
} // namespace collection
} // namespace modsecurity

68
src/collection/backend/collection_data.h Normal file
View File

@ -0,0 +1,68 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Trustwave Holdings, Inc.
* directly using the email address security@modsecurity.org.
*
*/
#ifdef __cplusplus
#include <string>
#include <memory>
#include <chrono>
#endif
#include "modsecurity/collection/collection.h"
#ifndef SRC_COLLECTION_DATA_H_
#define SRC_COLLECTION_DATA_H_
#ifdef __cplusplus
namespace modsecurity {
namespace collection {
namespace backend {
class CollectionData {
public:
CollectionData() :
m_hasValue(false),
m_hasExpiryTime(false) { }
CollectionData(const std::string &value) :
m_hasValue(true),
m_hasExpiryTime(false),
m_value(value) { }
void setValue(const std::string &value) {
m_value = value;
m_hasValue = true;
}
bool hasValue() const { return m_hasValue;}
const std::string& getValue() const { return m_value;}
void setExpiry(int32_t seconds_until_expiry);
bool hasExpiry() const { return m_hasExpiryTime;}
bool isExpired() const;
private:
bool m_hasValue;
bool m_hasExpiryTime;
std::string m_value;
std::chrono::system_clock::time_point m_expiryTime;
};
} // namespace backend
} // namespace collection
} // namespace modsecurity
#endif
#endif // SRC_COLLECTION_DATA_H_

83
src/collection/backend/in_memory-per_process.cc
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -15,6 +15,7 @@
#include "src/collection/backend/in_memory-per_process.h"
#include "src/collection/backend/collection_data.h"
#ifdef __cplusplus
#include <string>
@ -69,7 +70,7 @@ bool InMemoryPerProcess::updateFirst(const std::string &key,
auto range = this->equal_range(key);
for (auto it = range.first; it != range.second; ++it) {
it->second = value;
it->second.setValue(value);
pthread_mutex_unlock(&m_lock);
return true;
}
@ -84,13 +85,49 @@ void InMemoryPerProcess::del(const std::string& key) {
pthread_mutex_unlock(&m_lock);
}
void InMemoryPerProcess::delIfExpired(const std::string& key) {
pthread_mutex_lock(&m_lock);
// Double check the status while within the mutex
auto iter = this->find(key);
if ((iter != this->end()) && (iter->second.isExpired())) {
this->erase(key);
}
pthread_mutex_unlock(&m_lock);
}
void InMemoryPerProcess::setExpiry(const std::string& key, int32_t expiry_seconds) {
pthread_mutex_lock(&m_lock);
auto range = this->equal_range(key);
for (auto it = range.first; it != range.second; ++it) {
it->second.setExpiry(expiry_seconds);
pthread_mutex_unlock(&m_lock);
return;
}
// We allow an expiry value to be set for a key that has not (yet) had a value set.
auto iter = this->emplace(key, CollectionData());
iter->second.setExpiry(expiry_seconds);
pthread_mutex_unlock(&m_lock);
}
void InMemoryPerProcess::resolveSingleMatch(const std::string& var,
std::vector<const VariableValue *> *l) {
std::list<std::string> expiredVars;
auto range = this->equal_range(var);
for (auto it = range.first; it != range.second; ++it) {
l->push_back(new VariableValue(&m_name, &it->first, &it->second));
if (it->second.isExpired()) {
expiredVars.push_back(it->first);
} else if (it->second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
l->push_back(new VariableValue(&m_name, &it->first, &it->second.getValue()));
}
}
for (const auto& expiredVar : expiredVars) {
delIfExpired(expiredVar);
}
}
@ -99,14 +136,21 @@ void InMemoryPerProcess::resolveMultiMatches(const std::string& var,
std::vector<const VariableValue *> *l, variables::KeyExclusions &ke) {
size_t keySize = var.size();
l->reserve(15);
std::list<std::string> expiredVars;
if (keySize == 0) {
for (auto &i : *this) {
if (ke.toOmit(i.first)) {
continue;
}
if (i.second.isExpired()) {
expiredVars.push_back(i.first);
} else if (i.second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
l->insert(l->begin(), new VariableValue(&m_name, &i.first,
&i.second));
&i.second.getValue()));
}
}
} else {
auto range = this->equal_range(var);
@ -114,10 +158,19 @@ void InMemoryPerProcess::resolveMultiMatches(const std::string& var,
if (ke.toOmit(var)) {
continue;
}
if (it->second.isExpired()) {
expiredVars.push_back(it->first);
} else if (it->second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
l->insert(l->begin(), new VariableValue(&m_name, &var,
&it->second));
&it->second.getValue()));
}
}
}
for (const auto& expiredVar : expiredVars) {
delIfExpired(expiredVar);
}
}
@ -135,6 +188,7 @@ void InMemoryPerProcess::resolveRegularExpression(const std::string& var,
// var.size() - var.find(":") - 3);
//size_t keySize = col.size();
Utils::Regex r(var, true);
std::list<std::string> expiredVars;
for (const auto& x : *this) {
//if (x.first.size() <= keySize + 1) {
@ -155,7 +209,16 @@ void InMemoryPerProcess::resolveRegularExpression(const std::string& var,
if (ke.toOmit(x.first)) {
continue;
}
l->insert(l->begin(), new VariableValue(&m_name, &x.first, &x.second));
if (x.second.isExpired()) {
expiredVars.push_back(x.first);
} else if (x.second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
l->insert(l->begin(), new VariableValue(&m_name, &x.first, &x.second.getValue()));
}
}
for (const auto& expiredVar : expiredVars) {
delIfExpired(expiredVar);
}
}
@ -164,7 +227,13 @@ std::unique_ptr<std::string> InMemoryPerProcess::resolveFirst(
const std::string& var) {
auto range = equal_range(var);
for (auto it = range.first; it != range.second; ++it) {
return std::unique_ptr<std::string>(new std::string(it->second));
if (it->second.isExpired()) {
delIfExpired(it->second.getValue());
} else if (it->second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
return std::unique_ptr<std::string>(new std::string(it->second.getValue()));
}
}
return NULL;

10
src/collection/backend/in_memory-per_process.h
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -18,6 +18,7 @@
#include <string>
#include <iostream>
#include <unordered_map>
#include <chrono>
#include <list>
#include <vector>
#include <algorithm>
@ -27,6 +28,7 @@
#include "modsecurity/variable_value.h"
#include "modsecurity/collection/collection.h"
#include "src/collection/backend/collection_data.h"
#include "src/variables/variable.h"
#ifndef SRC_COLLECTION_BACKEND_IN_MEMORY_PER_PROCESS_H_
@ -68,7 +70,7 @@ struct MyHash{
};
class InMemoryPerProcess :
public std::unordered_multimap<std::string, std::string,
public std::unordered_multimap<std::string, CollectionData,
/*std::hash<std::string>*/MyHash, MyEqual>,
public Collection {
public:
@ -84,6 +86,10 @@ class InMemoryPerProcess :
void del(const std::string& key) override;
void delIfExpired(const std::string& key);
void setExpiry(const std::string& key, int32_t expiry_seconds) override;
std::unique_ptr<std::string> resolveFirst(const std::string& var) override;
void resolveSingleMatch(const std::string& var,

5
src/collection/backend/lmdb.cc
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -400,6 +400,9 @@ end_txn:
return;
}
void LMDB::setExpiry(const std::string& key, int32_t expiry_seconds) {
// TODO: add implementation
}
void LMDB::resolveMultiMatches(const std::string& var,
std::vector<const VariableValue *> *l,

4
src/collection/backend/lmdb.h
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -108,6 +108,8 @@ class LMDB :
void del(const std::string& key) override;
void setExpiry(const std::string& key, int32_t expiry_seconds) override;
std::unique_ptr<std::string> resolveFirst(const std::string& var) override;
void resolveSingleMatch(const std::string& var,

2293
src/parser/seclang-parser.cc
View File

File diff suppressed because it is too large Load Diff

9
src/parser/seclang-parser.hh
View File

@ -83,6 +83,7 @@ class Driver;
#include "src/actions/disruptive/redirect.h"
#include "src/actions/init_col.h"
#include "src/actions/exec.h"
#include "src/actions/expire_var.h"
#include "src/actions/log_data.h"
#include "src/actions/log.h"
#include "src/actions/maturity.h"
@ -354,7 +355,7 @@ using namespace modsecurity::operators;
a = std::move(c);
#line 358 "seclang-parser.hh"
#line 359 "seclang-parser.hh"
# include <cassert>
# include <cstdlib> // std::abort
@ -494,7 +495,7 @@ using namespace modsecurity::operators;
#endif
namespace yy {
#line 498 "seclang-parser.hh"
#line 499 "seclang-parser.hh"
@ -8069,7 +8070,7 @@ switch (yykind)
/// Constants.
enum
{
yylast_ = 3372, ///< Last index in yytable_.
yylast_ = 3373, ///< Last index in yytable_.
yynnts_ = 16, ///< Number of nonterminal symbols.
yyfinal_ = 341 ///< Termination state number.
};
@ -8731,7 +8732,7 @@ switch (yykind)
} // yy
#line 8735 "seclang-parser.hh"
#line 8736 "seclang-parser.hh"

6
src/parser/seclang-parser.yy
View File

@ -44,6 +44,7 @@ class Driver;
#include "src/actions/disruptive/redirect.h"
#include "src/actions/init_col.h"
#include "src/actions/exec.h"
#include "src/actions/expire_var.h"
#include "src/actions/log_data.h"
#include "src/actions/log.h"
#include "src/actions/maturity.h"
@ -2744,10 +2745,9 @@ act:
{
ACTION_CONTAINER($$, new actions::Exec($1));
}
| ACTION_EXPIRE_VAR
| ACTION_EXPIRE_VAR run_time_string
{
//ACTION_NOT_SUPPORTED("ExpireVar", @0);
ACTION_CONTAINER($$, new actions::Action($1));
ACTION_CONTAINER($$, new actions::ExpireVar(std::move($2)));
}
| ACTION_ID
{

7689
src/parser/seclang-scanner.cc
View File

File diff suppressed because it is too large Load Diff

5
src/parser/seclang-scanner.ll
View File

@ -545,10 +545,7 @@ EQUALS_MINUS (?i:=\-)
{ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG}[=]{REMOVE_RULE_BY} { return p::make_ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG(yytext, *driver.loc.back()); }
{ACTION_EXEC}:'{VAR_FREE_TEXT_QUOTE}' { return p::make_ACTION_EXEC(yytext, *driver.loc.back()); }
{ACTION_EXEC}:{VAR_FREE_TEXT_SPACE_COMMA} { return p::make_ACTION_EXEC(yytext, *driver.loc.back()); }
{ACTION_EXPIRE_VAR}:'{VAR_FREE_TEXT_QUOTE}={VAR_FREE_TEXT_QUOTE}' { return p::make_ACTION_EXPIRE_VAR(yytext, *driver.loc.back()); }
{ACTION_EXPIRE_VAR}:'{VAR_FREE_TEXT_QUOTE}' { return p::make_ACTION_EXPIRE_VAR(yytext, *driver.loc.back()); }
{ACTION_EXPIRE_VAR}:{VAR_FREE_TEXT_SPACE_COMMA} { return p::make_ACTION_EXPIRE_VAR(yytext, *driver.loc.back()); }
{ACTION_EXPIRE_VAR}:{VAR_FREE_TEXT_SPACE}={VAR_FREE_TEXT_SPACE_COMMA} { return p::make_ACTION_EXPIRE_VAR(yytext, *driver.loc.back()); }
{ACTION_EXPIRE_VAR}: { BEGIN(EXPECTING_ACTION_PREDICATE); return p::make_ACTION_EXPIRE_VAR(yytext, *driver.loc.back()); }
{ACTION_INITCOL}:{COL_NAME}= { BEGIN(EXPECTING_ACTION_PREDICATE); return p::make_ACTION_INITCOL(yytext, *driver.loc.back()); }
{ACTION_MATURITY}:'{FREE_TEXT_QUOTE}' { return p::make_ACTION_MATURITY(yytext, *driver.loc.back()); }
{ACTION_MATURITY}:{FREE_TEXT_QUOTE} { return p::make_ACTION_MATURITY(yytext, *driver.loc.back()); }

9
src/variables/global.h
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -13,7 +13,6 @@
*
*/
#include <iostream>
#include <list>
#include <memory>
#include <string>
@ -106,6 +105,12 @@ class Global_DynamicElement : public Variable {
t->m_rules->m_secWebAppId.m_value);
}
static void setExpiry(Transaction *t, const std::string &k, int32_t expiry_seconds) {
t->m_collections.m_global_collection->setExpiry(k,
t->m_collections.m_global_collection_key,
t->m_rules->m_secWebAppId.m_value, expiry_seconds);
}
static void storeOrUpdateFirst(Transaction *t, const std::string &var,
const std::string &value) {
t->m_collections.m_global_collection->storeOrUpdateFirst(

9
src/variables/ip.h
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -13,7 +13,6 @@
*
*/
#include <iostream>
#include <list>
#include <memory>
#include <string>
@ -105,6 +104,12 @@ class Ip_DynamicElement : public Variable {
t->m_rules->m_secWebAppId.m_value);
}
static void setExpiry(Transaction *t, const std::string &k, int32_t expiry_seconds) {
t->m_collections.m_ip_collection->setExpiry(k,
t->m_collections.m_ip_collection_key,
t->m_rules->m_secWebAppId.m_value, expiry_seconds);
}
static void storeOrUpdateFirst(Transaction *t, const std::string &var,
const std::string &value) {
t->m_collections.m_ip_collection->storeOrUpdateFirst(

10
src/variables/resource.h
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -13,7 +13,6 @@
*
*/
#include <iostream>
#include <list>
#include <memory>
#include <string>
@ -105,6 +104,13 @@ class Resource_DynamicElement : public Variable {
t->m_rules->m_secWebAppId.m_value);
}
static void setExpiry(Transaction *t, const std::string &k, int32_t expiry_seconds) {
t->m_collections.m_resource_collection->setExpiry(k,
t->m_collections.m_resource_collection_key,
t->m_rules->m_secWebAppId.m_value, expiry_seconds);
}
static void storeOrUpdateFirst(Transaction *t, const std::string &var,
const std::string &value) {
t->m_collections.m_resource_collection->storeOrUpdateFirst(

9
src/variables/session.h
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -13,7 +13,6 @@
*
*/
#include <iostream>
#include <list>
#include <memory>
#include <string>
@ -105,6 +104,12 @@ class Session_DynamicElement : public Variable {
t->m_collections.m_ip_collection_key);
}
static void setExpiry(Transaction *t, const std::string &k, int32_t expiry_seconds) {
t->m_collections.m_session_collection->setExpiry(k,
t->m_collections.m_session_collection_key,
t->m_rules->m_secWebAppId.m_value, expiry_seconds);
}
static void storeOrUpdateFirst(Transaction *t, const std::string &var,
const std::string &value) {
t->m_collections.m_session_collection->storeOrUpdateFirst(

9
src/variables/user.h
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -13,7 +13,6 @@
*
*/
#include <iostream>
#include <list>
#include <memory>
#include <string>
@ -105,6 +104,12 @@ class User_DynamicElement : public Variable {
t->m_rules->m_secWebAppId.m_value);
}
static void setExpiry(Transaction *t, const std::string &k, int32_t expiry_seconds) {
t->m_collections.m_user_collection->setExpiry(k,
t->m_collections.m_user_collection_key,
t->m_rules->m_secWebAppId.m_value, expiry_seconds);
}
static void storeOrUpdateFirst(Transaction *t, const std::string &var,
const std::string &value) {
t->m_collections.m_user_collection->storeOrUpdateFirst(

1
test/cppcheck_suppressions.txt
View File

@ -78,6 +78,7 @@ accessMoved:seclang-parser.hh
unreadVariable:src/operators/rx.cc
unreadVariable:src/operators/rx_global.cc
noExplicitConstructor:src/collection/backend/collection_data.h
unusedFunction
missingIncludeSystem

64
test/test-cases/regression/action-expirevar.json Normal file
View File

@ -0,0 +1,64 @@
[
{
"enabled":1,
"version_min":300000,
"title":"Testing expirevar action (1/x)",
"expected":{
"debug_log": "Saving msg: mycount1 is 100"
},
"client":{
"ip":"200.249.12.31",
"port":123
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*"
},
"uri":"/?key=value",
"method":"GET"
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"rules":[
"SecRuleEngine On",
"SecAction \"initcol:ip='127.0.0.1',id:5000,phase:1\"",
"SecRule ARGS \"@rx value\" \"id:'5001',phase:2,setvar:ip.mycount1=100,expirevar:ip.mycount1=60,pass\"",
"SecRule &IP:mycount1 \"@eq 1\" \"id:'5002',phase:2,pass,log,msg:'mycount1 is %{ip.mycount1}\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing expirevar action (2/x)",
"expected":{
"debug_log": "Saving msg: mycount1 is 12"
},
"client":{
"ip":"200.249.12.31",
"port":123
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*"
},
"uri":"/?key=value",
"method":"GET"
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"rules":[
"SecRuleEngine On",
"SecRule ARGS \"@rx .\" \"id:5150,phase:2,pass,setsid:sess1234\"",
"SecRule ARGS \"@rx value\" \"id:5151,phase:2,pass,setvar:session.mycount1=12,expirevar:session.mycount1=30\"",
"SecRule &SESSION:mycount1 \"@eq 1\" \"id:'5152',phase:2,pass,log,msg:'mycount1 is %{session.mycount1}\""
]
}
]