From 1de6d07dfd680d27ba309b597f2a4b0abee901f2 Mon Sep 17 00:00:00 2001
From: Felipe Zimmerle <fcosta@trustwave.com>
Date: Thu, 13 Aug 2015 23:33:57 -0300
Subject: [PATCH] Adds support to the @detectSQLi operator

---
 src/Makefile.am              |  1 +
 src/operators/detect_sqli.cc | 41 ++++++++++++++++++++++++------------
 src/operators/detect_sqli.h  |  8 +++----
 3 files changed, 33 insertions(+), 17 deletions(-)

diff --git a/src/Makefile.am b/src/Makefile.am
index b7c10524..b83665e0 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -182,6 +182,7 @@ libmodsecurity_la_SOURCES = \
 
 LIBINJECTION = \
 	../others/libinjection/src/libinjection_html5.c \
+	../others/libinjection/src/libinjection_sqli.c \
 	../others/libinjection/src/libinjection_xss.c
 
 
diff --git a/src/operators/detect_sqli.cc b/src/operators/detect_sqli.cc
index 9d0b2643..a1f4a228 100644
--- a/src/operators/detect_sqli.cc
+++ b/src/operators/detect_sqli.cc
@@ -18,26 +18,41 @@
 #include <string>
 
 #include "operators/operator.h"
+#include "others/libinjection/src/libinjection.h"
 
 namespace ModSecurity {
 namespace operators {
 
-bool DetectSQLi::evaluate(Assay *assay) {
-    /**
-     * @todo Implement the operator BeginsWith.
-     *       Reference: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#detectsqli
-     */
 
-    return true;
+bool DetectSQLi::evaluate(Assay *assay, const std::string &input) {
+    char fingerprint[8];
+    int issqli;
+    // int capture;
+
+    issqli = libinjection_sqli(input.c_str(), input.length(), fingerprint);
+    // capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
+
+    if (issqli) {
+        // set_match_to_tx(msr, capture, fingerprint, 0);
+        if (assay) {
+            assay->debug(4, "detected SQLi using libinjection with " \
+                "fingerprint '" + std::string(fingerprint) + "' at: '" +
+                input + "'");
+        }
+    } else {
+        if (assay) {
+            assay->debug(9, "detected SQLi: not able to find an inject on '" +
+                input + "'");
+        }
+    }
+
+    if (negation) {
+        return issqli == 0;
+    }
+
+    return issqli != 0;
 }
 
 
-DetectSQLi::DetectSQLi(std::string op, std::string param,
-    bool negation)
-    : Operator() {
-    this->op = op;
-    this->param = param;
-}
-
 }  // namespace operators
 }  // namespace ModSecurity
diff --git a/src/operators/detect_sqli.h b/src/operators/detect_sqli.h
index cfa39325..2353cc0f 100644
--- a/src/operators/detect_sqli.h
+++ b/src/operators/detect_sqli.h
@@ -20,20 +20,20 @@
 
 #include "operators/operator.h"
 
-#ifdef __cplusplus
 namespace ModSecurity {
 namespace operators {
 
 class DetectSQLi : public Operator {
  public:
     /** @ingroup ModSecurity_Operator */
-    DetectSQLi(std::string o, std::string p, bool i);
-    bool evaluate(Assay *assay);
+    DetectSQLi(std::string op, std::string param, bool negation)
+        : Operator(op, param, negation) { }
+
+    bool evaluate(Assay *assay, const std::string &input);
 };
 
 }  // namespace operators
 }  // namespace ModSecurity
-#endif
 
 
 #endif  // SRC_OPERATORS_DETECT_SQLI_H_