mirror of
https://github.com/owasp-modsecurity/ModSecurity.git
synced 2025-08-13 21:36:00 +03:00
fix: remove target by {id,tag} are now considering collections
Fix issue #1409
This commit is contained in:
Felipe Zimmerle
parent
7c2dbf48cf
commit
337216fd87
28
src/rule.cc
28
src/rule.cc
@ -502,7 +502,7 @@ std::vector<std::unique_ptr<collection::Variable>> Rule::getFinalVars(
|
|||||||
!= exclusions_update_by_tag_remove.end()) {
|
!= exclusions_update_by_tag_remove.end()) {
|
||||||
#ifndef NO_LOGS
|
#ifndef NO_LOGS
|
||||||
trans->debug(9, "Variable: " + *key +
|
trans->debug(9, "Variable: " + *key +
|
||||||
" is part of the exclusion list (from update by tag " +
|
" is part of the exclusion list (from update by tag" +
|
||||||
"), skipping...");
|
"), skipping...");
|
||||||
#endif
|
#endif
|
||||||
if (v->m_dynamic) {
|
if (v->m_dynamic) {
|
||||||
@ -530,15 +530,27 @@ std::vector<std::unique_ptr<collection::Variable>> Rule::getFinalVars(
|
|||||||
for (auto &i : trans->m_ruleRemoveTargetByTag) {
|
for (auto &i : trans->m_ruleRemoveTargetByTag) {
|
||||||
std::string tag = i.first;
|
std::string tag = i.first;
|
||||||
std::string args = i.second;
|
std::string args = i.second;
|
||||||
|
size_t posa = key->find(":");
|
||||||
|
|
||||||
if (containsTag(tag, trans) == false) {
|
if (containsTag(tag, trans) == false) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (args == *key) {
|
if (args == *key) {
|
||||||
trans->debug(9, "Variable: " + *key +
|
trans->debug(9, "Variable: " + *key +
|
||||||
" was excluded by ruleRemoteTargetByTag...");
|
" was excluded by ruleRemoteTargetByTag...");
|
||||||
ignoreVariable = true;
|
ignoreVariable = true;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
if (posa != std::string::npos) {
|
||||||
|
std::string var = std::string(*key, posa);
|
||||||
|
if (var == args) {
|
||||||
|
trans->debug(9, "Variable: " + *key +
|
||||||
|
" was excluded by ruleRemoteTargetByTag...");
|
||||||
|
ignoreVariable = true;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if (ignoreVariable) {
|
if (ignoreVariable) {
|
||||||
if (v->m_dynamic) {
|
if (v->m_dynamic) {
|
||||||
@ -551,15 +563,29 @@ std::vector<std::unique_ptr<collection::Variable>> Rule::getFinalVars(
|
|||||||
for (auto &i : trans->m_ruleRemoveTargetById) {
|
for (auto &i : trans->m_ruleRemoveTargetById) {
|
||||||
int id = i.first;
|
int id = i.first;
|
||||||
std::string args = i.second;
|
std::string args = i.second;
|
||||||
|
size_t posa = key->find(":");
|
||||||
|
|
||||||
if (m_ruleId != id) {
|
if (m_ruleId != id) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (args == *key) {
|
if (args == *key) {
|
||||||
trans->debug(9, "Variable: " + *key +
|
trans->debug(9, "Variable: " + *key +
|
||||||
" was excluded by ruleRemoveTargetById...");
|
" was excluded by ruleRemoveTargetById...");
|
||||||
ignoreVariable = true;
|
ignoreVariable = true;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
if (posa != std::string::npos) {
|
||||||
|
if (key->size() > posa) {
|
||||||
|
std::string var = std::string(*key, 0, posa);
|
||||||
|
if (var == args) {
|
||||||
|
trans->debug(9, "Variable: " + var +
|
||||||
|
" was excluded by ruleRemoveTargetById...");
|
||||||
|
ignoreVariable = true;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if (ignoreVariable) {
|
if (ignoreVariable) {
|
||||||
if (v->m_dynamic) {
|
if (v->m_dynamic) {
|
||||||
|
|||||||
@ -2,9 +2,9 @@
|
|||||||
{
|
{
|
||||||
"enabled":1,
|
"enabled":1,
|
||||||
"version_min":300000,
|
"version_min":300000,
|
||||||
"title":"Testing CtlRuleRemoteTargetById (1)",
|
"title":"Testing CtlRuleRemoveTargetById (1)",
|
||||||
"expected":{
|
"expected":{
|
||||||
"debug_log": "Variable: ARGS:pwd was excluded by ruleRemoteTargetById..."
|
"debug_log": "Variable: ARGS:pwd was excluded by ruleRemoveTargetById..."
|
||||||
},
|
},
|
||||||
"client":{
|
"client":{
|
||||||
"ip":"200.249.12.31",
|
"ip":"200.249.12.31",
|
||||||
@ -34,7 +34,7 @@
|
|||||||
{
|
{
|
||||||
"enabled":1,
|
"enabled":1,
|
||||||
"version_min":300000,
|
"version_min":300000,
|
||||||
"title":"Testing CtlRuleRemoteTargetById (2)",
|
"title":"Testing CtlRuleRemoveTargetById (2)",
|
||||||
"expected":{
|
"expected":{
|
||||||
"debug_log": "Target value: .*Variable: ARGS:pwd"
|
"debug_log": "Target value: .*Variable: ARGS:pwd"
|
||||||
},
|
},
|
||||||
@ -62,5 +62,37 @@
|
|||||||
"SecRule REQUEST_FILENAME \"@endsWith /wp-login.php\" \"id:9002100,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=123;ARGS:pwd\"",
|
"SecRule REQUEST_FILENAME \"@endsWith /wp-login.php\" \"id:9002100,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=123;ARGS:pwd\"",
|
||||||
"SecRule ARGS \"@contais whe\" \"id:1,phase:3,t:none,nolog,pass,tag:'CRS2'\""
|
"SecRule ARGS \"@contais whe\" \"id:1,phase:3,t:none,nolog,pass,tag:'CRS2'\""
|
||||||
]
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"enabled":1,
|
||||||
|
"version_min":300000,
|
||||||
|
"title":"Testing CtlRuleRemoveTargetById (3)",
|
||||||
|
"expected":{
|
||||||
|
"debug_log": "Variable: ARGS was excluded by ruleRemoveTargetById..."
|
||||||
|
},
|
||||||
|
"client":{
|
||||||
|
"ip":"200.249.12.31",
|
||||||
|
"port":123
|
||||||
|
},
|
||||||
|
"request":{
|
||||||
|
"headers":{
|
||||||
|
"Host":"localhost",
|
||||||
|
"User-Agent":"curl/7.38.0",
|
||||||
|
"Accept":"*/*",
|
||||||
|
"Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
|
||||||
|
"Content-Type": "text/xml"
|
||||||
|
},
|
||||||
|
"uri":"/wp-login.php?whee&pwd=lhebs",
|
||||||
|
"method":"GET",
|
||||||
|
"body": [ ]
|
||||||
|
},
|
||||||
|
"server":{
|
||||||
|
"ip":"200.249.12.31",
|
||||||
|
"port":80
|
||||||
|
},
|
||||||
|
"rules":[
|
||||||
|
"SecRule REQUEST_FILENAME \"@endsWith /wp-login.php\" \"id:9002100,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=1;ARGS\"",
|
||||||
|
"SecRule ARGS \"@contais whe\" \"id:1,phase:3,t:none,nolog,pass,tag:'CRS'\""
|
||||||
|
]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|||||||
@ -62,5 +62,37 @@
|
|||||||
"SecRule REQUEST_FILENAME \"@endsWith /wp-login.php\" \"id:9002100,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd\"",
|
"SecRule REQUEST_FILENAME \"@endsWith /wp-login.php\" \"id:9002100,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd\"",
|
||||||
"SecRule ARGS \"@contais whe\" \"id:1,phase:3,t:none,nolog,pass,tag:'CRS2'\""
|
"SecRule ARGS \"@contais whe\" \"id:1,phase:3,t:none,nolog,pass,tag:'CRS2'\""
|
||||||
]
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"enabled":1,
|
||||||
|
"version_min":300000,
|
||||||
|
"title":"Testing CtlRuleRemoteTargetByTag (3)",
|
||||||
|
"expected":{
|
||||||
|
"debug_log": "Target value: .*Variable: ARGS:pwd"
|
||||||
|
},
|
||||||
|
"client":{
|
||||||
|
"ip":"200.249.12.31",
|
||||||
|
"port":123
|
||||||
|
},
|
||||||
|
"request":{
|
||||||
|
"headers":{
|
||||||
|
"Host":"localhost",
|
||||||
|
"User-Agent":"curl/7.38.0",
|
||||||
|
"Accept":"*/*",
|
||||||
|
"Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
|
||||||
|
"Content-Type": "text/xml"
|
||||||
|
},
|
||||||
|
"uri":"/wp-login.php?whee&pwd=lhebs",
|
||||||
|
"method":"GET",
|
||||||
|
"body": [ ]
|
||||||
|
},
|
||||||
|
"server":{
|
||||||
|
"ip":"200.249.12.31",
|
||||||
|
"port":80
|
||||||
|
},
|
||||||
|
"rules":[
|
||||||
|
"SecRule REQUEST_FILENAME \"@endsWith /wp-login.php\" \"id:9002100,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=CRS;ARGS\"",
|
||||||
|
"SecRule ARGS \"@contais whe\" \"id:1,phase:3,t:none,nolog,pass,tag:'CRS2'\""
|
||||||
|
]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|||||||
@ -1 +1 @@
|
|||||||
Subproject commit 1a572362156de9c570e2589c36d382bf59dcc1a0
|
Subproject commit add8f637703ac2c069f1b650164b70cd35675228
|
||||||
Loading…
x
Reference in New Issue
Block a user