Adds support to SecRuleRemoveById

2025-08-13 21:36:00 +03:00 · 2016-07-17 00:35:12 -03:00 · 2016-07-17 00:35:12 -03:00 · 37079ef668
commit 37079ef668
parent d781b00f70
6 changed files with 154 additions and 0 deletions
--- a/headers/modsecurity/rules_properties.h
+++ b/headers/modsecurity/rules_properties.h
@ -28,11 +28,13 @@

 #include "modsecurity/modsecurity.h"
 #include "modsecurity/transaction.h"
+#include "modsecurity/rules_exceptions.h"

 #ifdef __cplusplus

 namespace modsecurity {
 class Rule;
+class RulesExceptions;
 namespace audit_log {
 class AuditLog;
 }
@ -232,6 +234,8 @@ class RulesProperties {
    audit_log::AuditLog *audit_log;

    OnFailedRemoteRulesAction remoteRulesActionOnFailed;
+
+    RulesExceptions m_exceptions;
 };
 #endif

--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -244,6 +244,7 @@ libmodsecurity_la_SOURCES = \
 	macro_expansion.cc \
 	rule.cc \
 	unique_id.cc \
+	rules_exceptions.cc \
 	${BODY_PROCESSORS} \
 	${ACTIONS} \
 	${COLLECTION} \
--- a/src/parser/seclang-parser.yy
+++ b/src/parser/seclang-parser.yy
@ -217,6 +217,8 @@ using modsecurity::Variables::XML;
 %token <std::string> CONFIG_DIR_AUDIT_STS
 %token <std::string> CONFIG_DIR_AUDIT_TPE

+%token <std::string> CONFIG_SEC_RULE_REMOVE_BY_ID
+
 %token <std::string> CONFIG_UPDLOAD_KEEP_FILES
 %token <std::string> CONFIG_UPDLOAD_SAVE_TMP_FILES
 %token <std::string> CONFIG_UPLOAD_FILE_LIMIT
@ -605,6 +607,19 @@ expression:
      {
        driver.components.push_back($1);
      }
+    | CONFIG_SEC_RULE_REMOVE_BY_ID
+      {
+        std::string error;
+        if (driver.m_exceptions.load($1, &error) == false) {
+            std::stringstream ss;
+            ss << "SecRuleRemoveById: failed to load:";
+            ss << $1;
+            ss << ". ";
+            ss << error;
+            driver.error(@0, ss.str());
+            YYERROR;
+        }
+      }
    /* Debug log: start */
    | CONFIG_DIR_DEBUG_LVL
      {
--- a/src/parser/seclang-scanner.ll
+++ b/src/parser/seclang-scanner.ll
@ -114,6 +114,7 @@ CONFIG_INCLUDE                       (?i:Include)
 CONFIG_SEC_REMOTE_RULES              (?i:SecRemoteRules)
 CONFIG_SEC_REMOTE_RULES_FAIL_ACTION  (?i:SecRemoteRulesFailAction)

+CONFIG_SEC_REMOVE_RULES_BY_ID        (?i:SecRuleRemoveById)

 DICT_ELEMENT    [^ \t|]+

@ -230,6 +231,9 @@ CONFIG_DIR_UNICODE_MAP_FILE (?i:SecUnicodeMapFile)
 {ACTION_CTL_AUDIT_ENGINE}=                         { return yy::seclang_parser::make_ACTION_CTL_AUDIT_ENGINE(yytext, *driver.loc.back()); }
 {ACTION_CTL_FORCE_REQ_BODY_VAR}=                   { return yy::seclang_parser::make_ACTION_CTL_FORCE_REQ_BODY_VAR(yytext, *driver.loc.back()); }

+%{ /* Remove Rules */ %}
+{CONFIG_SEC_REMOVE_RULES_BY_ID}[ ]{FREE_TEXT_NEW_LINE}      { return yy::seclang_parser::make_CONFIG_SEC_RULE_REMOVE_BY_ID(strchr(yytext, ' ') + 1, *driver.loc.back()); }
+
 %{ /* Upload */ %}
 {CONFIG_UPLOAD_FILE_LIMIT}[ ]{CONFIG_VALUE_NUMBER}  { return yy::seclang_parser::make_CONFIG_UPLOAD_FILE_LIMIT(strchr(yytext, ' ') + 1, *driver.loc.back()); }
 {CONFIG_UPLOAD_FILE_MODE}[ ]{CONFIG_VALUE_NUMBER}  { return yy::seclang_parser::make_CONFIG_UPLOAD_FILE_MODE(strchr(yytext, ' ') + 1, *driver.loc.back()); }
--- a/src/rules.cc
+++ b/src/rules.cc
@ -220,6 +220,9 @@ int Rules::evaluate(int phase, Transaction *transaction) {
        } else if (transaction->m_allowType != actions::NoneAllowType) {
            debug(9, "Skipped rule id '" + std::to_string(rule->rule_id) \
                + "' as request trough the utilization of an `allow' action.");
+        } else if (m_exceptions.contains(rule->rule_id)) {
+            debug(9, "Skipped rule id '" + std::to_string(rule->rule_id) \
+                + "'. Removed by an SecRuleRemove directive.");
        } else {
            rule->evaluate(transaction);
        }
@ -271,6 +274,8 @@ int Rules::merge(Driver *from) {
        m_responseBodyTypeToBeInspected.insert(*it);
    }

+    this->m_exceptions = from->m_exceptions;
+
    /*
     *
     * default Actions is something per configuration context, there is
--- a/test/test-cases/regression/config-remove_by_id.json
+++ b/test/test-cases/regression/config-remove_by_id.json
@ -0,0 +1,125 @@
+[
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"SecRuleRemoveById (1/3)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Skipped rule id '2'. Removed by an SecRuleRemove directive."
+    },
+    "rules":[
+      "SecRuleRemoveById 2",
+      "SecRule ARGS \"@contains test\" \"id:1,pass,t:trim\"",
+      "SecRule ARGS \"@contains test\" \"id:2,pass,t:trim\"",
+      "SecRule ARGS \"@contains test\" \"id:3,pass,t:trim\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"SecRuleRemoveById (2/3)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Skipped rule id '2'. Removed by an SecRuleRemove directive."
+    },
+    "rules":[
+      "SecRuleRemoveById 1-3",
+      "SecRule ARGS \"@contains test\" \"id:1,pass,t:trim\"",
+      "SecRule ARGS \"@contains test\" \"id:2,pass,t:trim\"",
+      "SecRule ARGS \"@contains test\" \"id:3,pass,t:trim\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"SecRuleRemoveById (3/3)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Skipped rule id '2'. Removed by an SecRuleRemove directive."
+    },
+    "rules":[
+      "SecRuleRemoveById 1 2-3",
+      "SecRule ARGS \"@contains test\" \"id:1,pass,t:trim\"",
+      "SecRule ARGS \"@contains test\" \"id:2,pass,t:trim\"",
+      "SecRule ARGS \"@contains test\" \"id:3,pass,t:trim\""
+    ]
+  }
+]