Parser: Pipes are no longer welcomed inside regex dict element selection.

Issue #1591

CHANGES

@@ -2,6 +2,8 @@
 v3.0.????? - ?
 ---------------------------
 
+ - Parser: Pipes are no longer welcomed inside regex dict element selection.
+   [Issue #1591 - @zimmerle, @slabber]
  - Avoids unicode initialization on every rules object
    [Issue #1563 - @zimmerle, @Tiki-God, @sethinsd, @Cloaked9000, @AnoopAlias,
                   @intelbg]

Makefile.am

@@ -104,6 +104,7 @@ TESTS+=test/test-cases/regression/operator-rx.json
 TESTS+=test/test-cases/regression/variable-ARGS.json
 TESTS+=test/test-cases/regression/issue-394.json
 TESTS+=test/test-cases/regression/issue-1565.json
+TESTS+=test/test-cases/regression/issue-1591.json
 TESTS+=test/test-cases/regression/variable-TIME_MON.json
 TESTS+=test/test-cases/regression/misc.json
 TESTS+=test/test-cases/regression/collection-regular_expression_selection.json

src/parser/seclang-scanner.ll

@@ -327,7 +327,7 @@ CONGIG_DIR_SEC_STATUS_ENGINE            (?i:SecStatusEngine)
 CONGIG_DIR_SEC_TMP_DIR                  (?i:SecTmpDir)
 DICT_ELEMENT                            ([^\"|,\n \t]|([^\\]\\\"))+
 DICT_ELEMENT_WITH_PIPE                  [^ \t"]+
-
+DICT_ELEMENT_NO_PIPE                    [^ \|\t"]+
 
 DICT_ELEMENT_TWO                         [^\"\=, \t\r\n\\]*
 DICT_ELEMENT_TWO_QUOTED                  [^\"\'\=\r\n\\]*
@@ -844,17 +844,17 @@ EQUALS_MINUS                            (?i:=\-)
 
 
 <EXPECTING_VAR_PARAMETER>{
-[\/]{DICT_ELEMENT_WITH_PIPE}[\/][ ]         { BEGIN(EXPECTING_VARIABLE); yyless(yyleng - 1); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 1, yyleng-2), *driver.loc.back()); }
-[\/]{DICT_ELEMENT_WITH_PIPE}[\/][|]         { BEGIN(EXPECTING_VARIABLE); yyless(yyleng - 1); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 1, yyleng-2), *driver.loc.back()); }
-['][\/]{DICT_ELEMENT_WITH_PIPE}[\/][']      { BEGIN(EXPECTING_VARIABLE); yyless(yyleng - 0); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 2, yyleng-4), *driver.loc.back()); }
-['][\/]{DICT_ELEMENT_WITH_PIPE}[\/]['][|]   { BEGIN(EXPECTING_VARIABLE); yyless(yyleng - 1); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 2, yyleng-4), *driver.loc.back()); }
-{DICT_ELEMENT}                              { BEGIN(EXPECTING_VARIABLE); return p::make_DICT_ELEMENT(yytext, *driver.loc.back()); }
+[\/]{DICT_ELEMENT_NO_PIPE}[\/][ ]         { BEGIN(EXPECTING_VARIABLE); yyless(yyleng - 1); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 1, yyleng-2), *driver.loc.back()); }
+[\/]{DICT_ELEMENT_NO_PIPE}[\/][|]         { BEGIN(EXPECTING_VARIABLE); yyless(yyleng - 1); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 1, yyleng-2), *driver.loc.back()); }
+['][\/]{DICT_ELEMENT_NO_PIPE}[\/][']      { BEGIN(EXPECTING_VARIABLE); yyless(yyleng - 0); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 2, yyleng-4), *driver.loc.back()); }
+['][\/]{DICT_ELEMENT_NO_PIPE}[\/]['][|]   { BEGIN(EXPECTING_VARIABLE); yyless(yyleng - 1); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 2, yyleng-4), *driver.loc.back()); }
+{DICT_ELEMENT}                            { BEGIN(EXPECTING_VARIABLE); return p::make_DICT_ELEMENT(yytext, *driver.loc.back()); }
 
-[\/]{DICT_ELEMENT_WITH_PIPE}[\/][,]         { BEGIN(EXPECTING_VARIABLE); yyless(yyleng - 1); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 1, yyleng-2), *driver.loc.back()); }
-['][\/]{DICT_ELEMENT_WITH_PIPE}[\/]['][,]   { BEGIN(EXPECTING_VARIABLE); yyless(yyleng - 1); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 2, yyleng-4), *driver.loc.back()); }
+[\/]{DICT_ELEMENT_NO_PIPE}[\/][,]         { BEGIN(EXPECTING_VARIABLE); yyless(yyleng - 1); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 1, yyleng-2), *driver.loc.back()); }
+['][\/]{DICT_ELEMENT_NO_PIPE}[\/]['][,]   { BEGIN(EXPECTING_VARIABLE); yyless(yyleng - 1); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 2, yyleng-4), *driver.loc.back()); }
 
-.                                           { BEGIN(LEXING_ERROR_ACTION); yyless(0); }
-["]                                         { return p::make_QUOTATION_MARK(yytext, *driver.loc.back()); }
+.                                         { BEGIN(LEXING_ERROR_ACTION); yyless(0); }
+["]                                       { return p::make_QUOTATION_MARK(yytext, *driver.loc.back()); }
 }
 
 

test/test-cases/regression/issue-1591.json

@@ -0,0 +1,81 @@
+[
+{
+  "enabled": 1,
+  "version_min": 209000,
+  "version_max": -1,
+  "title": "Regular expressions in rule targets not respected (1/2)",
+  "url": "https:\/\/github.com\/SpiderLabs\/ModSecurity\/issues\/1591",
+  "gihub_issue": 394,
+  "client": {
+    "ip": "200.249.12.31",
+    "port": 2313
+  },
+  "server": {
+    "ip": "200.249.12.31",
+    "port": 80
+  },
+  "request": {
+    "headers":{
+      "Host":"localhost",
+      "User-Agent":"curl/7.38.0",
+      "Accept":"*/*",
+      "Content-Length": "1539",
+      "Cookie": "__utma=1.32168570.12572608.1259628772.2&__utmb=1.4.10.1259628772&"
+    },
+    "body": "",
+    "method": "GET",
+    "http_version": 1.1
+  },
+  "response": {
+    "headers": "",
+    "body": ""
+  },
+  "expected": {
+    "debug_log": "Rule returned 0."
+  },
+  "rules": [
+    "SecRuleEngine On",
+    "SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ \"321\" \"id:1,log\""
+  ]
+},
+{
+  "enabled": 1,
+  "version_min": 209000,
+  "version_max": -1,
+  "title": "Regular expressions in rule targets not respected (2/2)",
+  "url": "https:\/\/github.com\/SpiderLabs\/ModSecurity\/issues\/1591",
+  "gihub_issue": 394,
+  "client": {
+    "ip": "200.249.12.31",
+    "port": 2313
+  },
+  "server": {
+    "ip": "200.249.12.31",
+    "port": 80
+  },
+  "request": {
+    "headers":{
+      "Host":"localhost",
+      "User-Agent":"curl/7.38.0",
+      "Accept":"*/*",
+      "Content-Length": "1539",
+      "Cookie": "__utma=1.32168570.12572608.1259628772.2&__utmb=1.4.10.1259628772&"
+    },
+    "body": "",
+    "method": "GET",
+    "http_version": 1.1
+  },
+  "response": {
+    "headers": "",
+    "body": ""
+  },
+  "expected": {
+    "debug_log": "Rule returned 1."
+  },
+  "rules": [
+    "SecRuleEngine On",
+    "SecRule REQUEST_COOKIES \"321\" \"id:1,log\""
+  ]
+}
+
+]