Adds support to BodyLimitAction and support for parser errors

2025-09-30 03:34:29 +03:00 · 2015-07-22 20:55:17 -03:00
parent 30b2624ec5
commit 261ee9f115
8 changed files with 337 additions and 23 deletions
--- a/src/parser/driver.cc
+++ b/src/parser/driver.cc
@@ -74,8 +74,7 @@ int Driver::parse(const std::string &f) {

    int res = parser.parse();

-    if (this->audit_log->init() == false)
-    {
+    if (this->audit_log->init() == false) {
        return false;
    }

@@ -98,11 +97,18 @@ int Driver::parseFile(const std::string &f) {
 }


-void Driver::error(const yy::location& l, const std::string& m) {
-    std::cerr << l << ": " << m << std::endl;
+void Driver::error(const yy::location& l, const std::string& m,
+    const std::string& c) {
+    if (parserError.tellp() == 0) {
+        parserError << "Parser error, ";
+        parserError << "Filename: " << file << ". ";
+        parserError << "Line: " << l.end.line << ". ";
+        parserError << "Column: " << l.end.column << ". ";
+    }
+    parserError << c;
 }


-void Driver::error(const std::string& m) {
-    std::cerr << m << std::endl;
+void Driver::parser_error(const yy::location& l, const std::string& m) {
+    parserError << ". " << m << "." << std::endl;
 }
--- a/src/parser/driver.h
+++ b/src/parser/driver.h
@@ -78,7 +78,8 @@ class Driver {

    // Error handling.
    void error(const yy::location& l, const std::string& m);
-    void error(const std::string& m);
+    void parser_error(const yy::location& l, const std::string& m);
+    void error(const yy::location& l, const std::string& m, const std::string& c);

    std::vector<Rule *> rules[7];  // Number of Phases.

@@ -89,9 +90,13 @@ class Driver {
    bool sec_response_body_access;
    int requestBodyLimit;
    int responseBodyLimit;
+    int requestBodyLimitAction;
+    int responseBodyLimitAction;

    std::string debug_log_path;
    std::list<std::string> components;
+    std::ostringstream parserError;
+    std::ostringstream syntaxError;

    ModSecurity::AuditLog *audit_log;

--- a/src/parser/seclang-parser.yy
+++ b/src/parser/seclang-parser.yy
@@ -73,7 +73,6 @@ using ModSecurity::Variables::TimeYear;
  QUOTATION_MARK  ")"
  SPACE
  PIPE
-  NEW_LINE
  UNKNOWN
  FREE_TEXT
 ;
@@ -83,6 +82,8 @@ using ModSecurity::Variables::TimeYear;
 %token <std::string> CONFIG_DIRECTIVE
 %token <std::string> CONFIG_DIR_REQ_BODY_LIMIT
 %token <std::string> CONFIG_DIR_RES_BODY_LIMIT
+%token <std::string> CONFIG_DIR_REQ_BODY_LIMIT_ACTION
+%token <std::string> CONFIG_DIR_RES_BODY_LIMIT_ACTION
 %token <std::string> CONFIG_DIR_RULE_ENG
 %token <std::string> CONFIG_DIR_REQ_BODY
 %token <std::string> CONFIG_DIR_RES_BODY
@@ -93,6 +94,8 @@ using ModSecurity::Variables::TimeYear;
 %token <std::string> CONFIG_VALUE_SERIAL
 %token <std::string> CONFIG_VALUE_PARALLEL
 %token <std::string> CONFIG_VALUE_RELEVANT_ONLY
+%token <std::string> CONFIG_VALUE_PROCESS_PARTIAL
+%token <std::string> CONFIG_VALUE_REJECT

 %token <std::string> CONFIG_DIR_AUDIT_DIR
 %token <std::string> CONFIG_DIR_AUDIT_DIR_MOD
@@ -146,11 +149,12 @@ secrule:
    | secrule line

 line: 
-    expression NEW_LINE
-    | SPACE expression NEW_LINE
-    | NEW_LINE
-    | SPACE NEW_LINE
+    expression
+    | SPACE expression
    | SPACE
+      {
+
+      }

 audit_log:
    /* SecAuditLogDirMode */
@@ -280,6 +284,7 @@ expression:
      {
        GeoLookup::getInstance().setDataBase($1);
      }
+    /* Body limits */
    | CONFIG_DIR_REQ_BODY_LIMIT
      {
        driver.requestBodyLimit = atoi($1.c_str());
@@ -288,6 +293,22 @@ expression:
      {
        driver.responseBodyLimit = atoi($1.c_str());
      }
+    | CONFIG_DIR_REQ_BODY_LIMIT_ACTION SPACE CONFIG_VALUE_PROCESS_PARTIAL
+      {
+        driver.requestBodyLimitAction = ModSecurity::Rules::BodyLimitAction::ProcessPartialBodyLimitAction;
+      }
+    | CONFIG_DIR_REQ_BODY_LIMIT_ACTION SPACE CONFIG_VALUE_REJECT
+      {
+        driver.requestBodyLimitAction = ModSecurity::Rules::BodyLimitAction::RejectBodyLimitAction;
+      }
+    | CONFIG_DIR_RES_BODY_LIMIT_ACTION SPACE CONFIG_VALUE_PROCESS_PARTIAL
+      {
+        driver.responseBodyLimitAction = ModSecurity::Rules::BodyLimitAction::ProcessPartialBodyLimitAction;
+      }
+    | CONFIG_DIR_RES_BODY_LIMIT_ACTION SPACE CONFIG_VALUE_REJECT
+      {
+        driver.responseBodyLimitAction = ModSecurity::Rules::BodyLimitAction::RejectBodyLimitAction;
+      }

 variables:
    variables PIPE VARIABLE
@@ -544,5 +565,5 @@ void
 yy::seclang_parser::error (const location_type& l,
                          const std::string& m)
 {
-    driver.error (l, m);
+    driver.parser_error (l, m);
 }
--- a/src/parser/seclang-scanner.ll
+++ b/src/parser/seclang-scanner.ll
@@ -17,14 +17,16 @@
 static yy::location loc;
 %}
 %option noyywrap nounput batch debug noinput
-ACTION          (?i:accuracy|allow|append|auditlog|block|capture|chain|ctl|deny|deprecatevar|drop|exec|expirevar|id:[0-9]+|initcol|log|logdata|maturity|msg|multiMatch|noauditlog|nolog|pass|pause|phase:[0-9]+|prepend|proxy|redirect:[A-z0-9_\|\&\:\/\/\.]+|rev|sanitiseArg|sanitiseMatched|sanitiseMatchedBytes|sanitiseRequestHeader|sanitiseResponseHeader|setuid|setrsc|setsid|setenv|setvar|skip|skipAfter|status:[0-9]+|tag|ver|xmlns|t)
+ACTION          (?i:accuracy|allow|append|auditlog|block|capture|chain|ctl|deny|deprecatevar|drop|exec|expirevar|id:[0-9]+|initcol|log|logdata|maturity|msg|multiMatch|noauditlog|nolog|pass|pause|phase:[0-9]+|prepend|proxy|redirect:[A-z0-9_\|\&\:\/\/\.]+|rev|sanitiseArg|sanitiseMatched|sanitiseMatchedBytes|sanitiseRequestHeader|sanitiseResponseHeader|setuid|setrsc|setsid|setenv|setvar|skip|skipAfter|status:[0-9]+|tag|ver|xmlns)
 ACTION_SEVERITY (?i:severity:[0-9]+|severity:'[0-9]+'|severity:(EMERGENCY|ALERT|CRITICAL|ERROR|WARNING|NOTICE|INFO|DEBUG)|severity:'(EMERGENCY|ALERT|CRITICAL|ERROR|WARNING|NOTICE|INFO|DEBUG)')
 DIRECTIVE       SecRule

-CONFIG_DIRECTIVE SecRequestBodyLimitAction|SecRequestBodyNoFilesLimit|SecRequestBodyInMemoryLimit|SecPcreMatchLimitRecursion|SecPcreMatchLimit|SecResponseBodyMimeType|SecResponseBodyLimitAction|SecTmpDir|SecDataDir|SecArgumentSeparator|SecCookieFormat|SecStatusEngine
+CONFIG_DIRECTIVE SecRequestBodyNoFilesLimit|SecRequestBodyInMemoryLimit|SecPcreMatchLimitRecursion|SecPcreMatchLimit|SecResponseBodyMimeType|SecTmpDir|SecDataDir|SecArgumentSeparator|SecCookieFormat|SecStatusEngine
+
 CONFIG_DIR_REQ_BODY_LIMIT (?i:SecRequestBodyLimit)
 CONFIG_DIR_RES_BODY_LIMIT (?i:SecResponseBodyLimit)
-
+CONFIG_DIR_REQ_BODY_LIMIT_ACTION (?i:SecRequestBodyLimitAction)
+CONFIG_DIR_RES_BODY_LIMIT_ACTION (?i:SecResponseBodyLimitAction)

 CONFIG_DIR_GEO_DB (?i:SecGeoLookupDb)

@@ -85,6 +87,10 @@ CONFIG_VALUE_SERIAL Serial
 CONFIG_VALUE_PARALLEL Parallel
 CONFIG_VALUE_RELEVANT_ONLY RelevantOnly

+CONFIG_VALUE_PROCESS_PARTIAL (?i:ProcessPartial)
+CONFIG_VALUE_REJECT (?i:Reject)
+
+
 CONFIG_VALUE_PATH    [A-Za-z_/\.]+
 AUDIT_PARTS [ABCDEFHJKZ]+
 CONFIG_VALUE_NUMBER [0-9]+
@@ -101,7 +107,7 @@ FREE_TEXT_NEW_LINE       [^\"|\n]+

 %{
  // Code run each time yylex is called.
-  loc.step ();
+  loc.step();
 %}

 {DIRECTIVE}                     { return yy::seclang_parser::make_DIRECTIVE(yytext, loc); }
@@ -148,8 +154,10 @@ FREE_TEXT_NEW_LINE       [^\"|\n]+

 %{ /* Request body limit */ %}
 {CONFIG_DIR_REQ_BODY_LIMIT}[ ]{CONFIG_VALUE_NUMBER}  { return yy::seclang_parser::make_CONFIG_DIR_REQ_BODY_LIMIT(strchr(yytext, ' ') + 1, loc); }
+{CONFIG_DIR_REQ_BODY_LIMIT_ACTION} { return yy::seclang_parser::make_CONFIG_DIR_REQ_BODY_LIMIT_ACTION(yytext, loc); }
 %{ /* Reponse body limit */ %}
 {CONFIG_DIR_RES_BODY_LIMIT}[ ]{CONFIG_VALUE_NUMBER}  { return yy::seclang_parser::make_CONFIG_DIR_RES_BODY_LIMIT(strchr(yytext, ' ') + 1, loc); }
+{CONFIG_DIR_RES_BODY_LIMIT_ACTION} { return yy::seclang_parser::make_CONFIG_DIR_RES_BODY_LIMIT_ACTION(yytext, loc); }

 {CONFIG_COMPONENT_SIG}[ ]["]{FREE_TEXT}["] { return yy::seclang_parser::make_CONFIG_COMPONENT_SIG(strchr(yytext, ' ') + 2, loc); }

@@ -159,6 +167,9 @@ FREE_TEXT_NEW_LINE       [^\"|\n]+
 {CONFIG_VALUE_PARALLEL}         { return yy::seclang_parser::make_CONFIG_VALUE_PARALLEL(yytext, loc); }
 {CONFIG_VALUE_DETC}             { return yy::seclang_parser::make_CONFIG_VALUE_DETC(yytext, loc); }
 {CONFIG_VALUE_RELEVANT_ONLY}    { return yy::seclang_parser::make_CONFIG_VALUE_RELEVANT_ONLY(yytext, loc); }
+{CONFIG_VALUE_PROCESS_PARTIAL}  { return yy::seclang_parser::make_CONFIG_VALUE_PROCESS_PARTIAL(yytext, loc); }
+{CONFIG_VALUE_REJECT}           { return yy::seclang_parser::make_CONFIG_VALUE_REJECT(yytext, loc); }
+
 ["]{OPERATOR}[ ]{FREE_TEXT}["]  { return yy::seclang_parser::make_OPERATOR(yytext, loc); }
 ["]{OPERATORNOARG}["]           { return yy::seclang_parser::make_OPERATOR(yytext, loc); }
 {ACTION}                        { return yy::seclang_parser::make_ACTION(yytext, loc); }
@@ -168,8 +179,8 @@ FREE_TEXT_NEW_LINE       [^\"|\n]+
 [|]                             { return yy::seclang_parser::make_PIPE(loc); }
 {VARIABLENOCOLON}	   	{ return yy::seclang_parser::make_VARIABLE(yytext, loc); }
 [ \t]+                          { return yy::seclang_parser::make_SPACE(loc); }
-\n                              { return yy::seclang_parser::make_NEW_LINE(loc); }
-.                               driver.error (loc, "invalid character");
+[\n]+                           { loc.lines(yyleng); loc.step(); }
+.                               { driver.error (loc, "invalid character", yytext); }
 <<EOF>>                         { return yy::seclang_parser::make_END(loc); }

 %%