Core is now ready to deal with SecRulesEngine set to Off

2025-08-14 05:45:59 +03:00 · 2015-09-17 10:59:56 -03:00 · 2015-09-17 10:59:56 -03:00 · 3e067e7409
commit 3e067e7409
parent 11e1a67d58
2 changed files with 69 additions and 8 deletions
--- a/src/assay.cc
+++ b/src/assay.cc
@ -351,8 +351,15 @@ int Assay::processURI(const char *uri, const char *protocol,
 */
 int Assay::processRequestHeaders() {
    debug(4, "Starting phase REQUEST_HEADERS.  (SecRules 1)");
+
+    if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) {
+        debug(4, "Rule engine disabled, returning...");
+        return true;
+    }
+
    this->m_rules->evaluate(ModSecurity::RequestHeadersPhase, this);
-    return 0;
+
+    return true;
 }


@ -497,6 +504,11 @@ int Assay::addRequestHeader(const unsigned char *key, size_t key_n,
 int Assay::processRequestBody() {
    debug(4, "Starting phase REQUEST_BODY. (SecRules 2)");

+    if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) {
+        debug(4, "Rule engine disabled, returning...");
+        return true;
+    }
+
    if (resolve_variable_first("INBOUND_DATA_ERROR") == NULL) {
        store_variable("INBOUND_DATA_ERROR", "0");
    }
@ -637,7 +649,7 @@ int Assay::processRequestBody() {
    }

    this->m_rules->evaluate(ModSecurity::RequestBodyPhase, this);
-    return 0;
+    return true;
 }


@ -721,7 +733,7 @@ int Assay::appendRequestBody(const unsigned char *buf, size_t len) {

    this->m_requestBody.write(reinterpret_cast<const char*>(buf), len);

-    return 0;
+    return true;
 }


@ -741,8 +753,14 @@ int Assay::appendRequestBody(const unsigned char *buf, size_t len) {
 */
 int Assay::processResponseHeaders() {
    debug(4, "Starting phase RESPONSE_HEADERS. (SecRules 3)");
+
+    if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) {
+        debug(4, "Rule engine disabled, returning...");
+        return true;
+    }
+
    this->m_rules->evaluate(ModSecurity::ResponseHeadersPhase, this);
-    return 0;
+    return true;
 }


@ -853,6 +871,11 @@ int Assay::addResponseHeader(const unsigned char *key, size_t key_n,
 int Assay::processResponseBody() {
    debug(4, "Starting phase RESPONSE_BODY. (SecRules 4)");

+    if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) {
+        debug(4, "Rule engine disabled, returning...");
+        return true;
+    }
+
    if (resolve_variable_first("OUTBOUND_DATA_ERROR") == NULL) {
        store_variable("OUTBOUND_DATA_ERROR", "0");
    }
@ -862,7 +885,7 @@ int Assay::processResponseBody() {
        std::to_string(m_responseBody.str().size()));

    this->m_rules->evaluate(ModSecurity::ResponseBodyPhase, this);
-    return 0;
+    return true;
 }


@ -983,6 +1006,12 @@ int Assay::getResponseBodyLenth() {
 */
 int Assay::processLogging(int returned_code) {
    debug(4, "Starting phase LOGGING. (SecRules 5)");
+
+    if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) {
+        debug(4, "Rule engine disabled, returning...");
+        return true;
+    }
+
    this->httpCodeReturned = returned_code;
    this->m_rules->evaluate(ModSecurity::LoggingPhase, this);

@ -1015,7 +1044,7 @@ int Assay::processLogging(int returned_code) {
        }
    }

-    return 0;
+    return true;
 }


--- a/test/test-cases/regression/secruleengine.json
+++ b/test/test-cases/regression/secruleengine.json
@ -20,7 +20,7 @@
    "version_min":300000,
    "title":"Testing Disruptive actions (2/n)",
    "expected":{
-      "debug_log": "_Not_ running action: deny. Rule _does not_ contains a disruptive action, but SecRuleEngine is not On.",
+      "debug_log": "Rule engine disabled, returning...",
      "http_code":200
    },
    "rules":[
@ -46,5 +46,37 @@
      "SecDefaultAction \"phase:2,deny,status:404\"",
      "SecAction \"id:'1',phase:request,nolog,block,t:none\""
    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Disruptive actions (4/n)",
+    "expected":{
+      "debug_log": "Rule engine disabled, returning...",
+      "http_code":200
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecDebugLog \/tmp\/modsec_debug.log",
+      "SecRuleEngine Off",
+      "SecDefaultAction \"phase:2,deny,status:404\"",
+      "SecAction \"'id:'1',phase:request,nolog,t:none\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Disruptive actions (5/n)",
+    "expected":{
+      "debug_log": "Rule engine disabled, returning...",
+      "http_code":200
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecDebugLog \/tmp\/modsec_debug.log",
+      "SecRuleEngine Off",
+      "SecDefaultAction \"phase:2,deny,status:404\"",
+      "SecAction \"id:'1',phase:request,nolog,block,t:none\""
+    ]
  }
 ]