github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 21:36:00 +03:00
Code Issues Packages Projects Releases Wiki Activity

Adds support to the operator @validateDTD

Browse Source 
Further info #1003
This commit is contained in:
Felipe Zimmerle 2016-05-12 11:09:59 -03:00
parent 6a40752500
commit 3e8defb853
3 changed files with 314 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
src/operators/validate_dtd.cc
View File

@ -17,25 +17,90 @@
#include <string> #include <string>
#include "request_body_processor/xml.h"
#include "src/utils.h"
#include "operators/operator.h" #include "operators/operator.h"
namespace modsecurity { namespace modsecurity {
namespace operators { namespace operators {
bool ValidateDTD::evaluate(Transaction *transaction, const std::string &str) {
/** bool ValidateDTD::init(const std::string &file, const char **error) {
* @todo Implement the operator ValidateDTD. m_resource = find_resource(param, file);
* Reference: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#validateDTD if (m_resource == "") {
*/ std::string f("XML: File not found: " + param + ".");
*error = strdup(f.c_str());
return false;
}
xmlThrDefSetGenericErrorFunc(NULL,
null_error);
xmlSetGenericErrorFunc(NULL,
null_error);
m_dtd = xmlParseDTD(NULL, (const xmlChar *)m_resource.c_str());
if (m_dtd == NULL) {
std::string err = std::string("XML: Failed to load DTD: ") \
+ m_resource;
*error = strdup(err.c_str());
return false;
}
return true; return true;
} }
ValidateDTD::ValidateDTD(std::string op, std::string param, bool negation) bool ValidateDTD::evaluate(Transaction *t, const std::string &str) {
: Operator() { xmlValidCtxtPtr cvp;
this->op = op;
this->param = param; if (t->m_xml->m_data.doc == NULL) {
t->debug(4, "XML document tree could not "\
"be found for DTD validation.");
return true;
}
if (t->m_xml->m_data.well_formed != 1) {
t->debug(4, "XML: DTD validation failed because " \
"content is not well formed.");
return true;
}
#if 0
/* Make sure there were no other generic processing errors */
if (msr->msc_reqbody_error) {
*error_msg = apr_psprintf(msr->mp,
"XML: DTD validation could not proceed due to previous"
" processing errors.");
return 1;
}
#endif
cvp = xmlNewValidCtxt();
if (cvp == NULL) {
t->debug(4, "XML: Failed to create a validation context.");
return true;
}
/* Send validator errors/warnings to msr_log */
cvp->error = (xmlSchemaValidityErrorFunc)error_runtime;
cvp->warning = (xmlSchemaValidityErrorFunc)warn_runtime;
cvp->userData = t;
if (!xmlValidateDtd(cvp, t->m_xml->m_data.doc, m_dtd)) {
t->debug(4, "XML: DTD validation failed.");
xmlFreeValidCtxt(cvp);
return true;
}
t->debug(4, std::string("XML: Successfully validated " \
"payload against DTD: ") + m_resource);
xmlFreeValidCtxt(cvp);
return false;
} }
} // namespace operators } // namespace operators
} // namespace modsecurity } // namespace modsecurity

60
src/operators/validate_dtd.h
View File

@ -16,6 +16,12 @@
#ifndef SRC_OPERATORS_VALIDATE_DTD_H_ #ifndef SRC_OPERATORS_VALIDATE_DTD_H_
#define SRC_OPERATORS_VALIDATE_DTD_H_ #define SRC_OPERATORS_VALIDATE_DTD_H_
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <libxml/xmlschemas.h>
#include <libxml/xpath.h>
#include <string> #include <string>
#include "operators/operator.h" #include "operators/operator.h"
@ -27,8 +33,60 @@ namespace operators {
class ValidateDTD : public Operator { class ValidateDTD : public Operator {
public: public:
/** @ingroup ModSecurity_Operator */ /** @ingroup ModSecurity_Operator */
ValidateDTD(std::string o, std::string p, bool i); ValidateDTD(std::string o, std::string p, bool i)
: Operator(o, p, i),
m_dtd(NULL) { }
~ValidateDTD() {
if (m_dtd != NULL) {
xmlFreeDtd(m_dtd);
m_dtd = NULL;
}
}
bool evaluate(Transaction *transaction, const std::string &str) override; bool evaluate(Transaction *transaction, const std::string &str) override;
bool init(const std::string &file, const char **error) override;
static void error_runtime(void *ctx, const char *msg, ...) {
Transaction *t = reinterpret_cast<Transaction *>(ctx);
char buf[1024];
std::string s;
va_list args;
va_start(args, msg);
int len = vsnprintf(buf, sizeof(buf), msg, args);
va_end(args);
if (len > 0) {
s = "XML Error: " + std::string(buf);
}
t->debug(4, s);
}
static void warn_runtime(void *ctx, const char *msg, ...) {
Transaction *t = reinterpret_cast<Transaction *>(ctx);
char buf[1024];
std::string s;
va_list args;
va_start(args, msg);
int len = vsnprintf(buf, sizeof(buf), msg, args);
va_end(args);
if (len > 0) {
s = "XML Warning: " + std::string(buf);
}
t->debug(4, s);
}
static void null_error(void *ctx, const char *msg, ...) {
}
private:
std::string m_resource;
xmlDtdPtr m_dtd;
}; };
} // namespace operators } // namespace operators

181
test/test-cases/regression/request-body-parser-xml-validade-dtd.json Normal file
View File

@ -0,0 +1,181 @@
[
{
"enabled":1,
"version_min":300000,
"title":"Testing XML request body parser - validateDTD (validate ok)",
"expected":{
"debug_log": "XML: Successfully validated payload against DTD: test-cases/data/SoapEnvelope.dtd"
},
"client":{
"ip":"200.249.12.31",
"port":123
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
"Content-Type": "text/xml"
},
"uri":"/?key=value&key=other_value",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"utf-8\"?>",
" <!DOCTYPE Envelope SYSTEM \"SoapEnvelope.dtd\">",
" <Envelope>",
" <Body>",
" <getInput>",
" <id type=\"string\">12123</id>",
" </getInput>",
" </Body>",
" </Envelope>"
]
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500008,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateDTD test-cases/data/SoapEnvelope.dtd\" \"id:500007,phase:3,deny\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing XML request body parser - validateDTD (validation failed)",
"expected":{
"debug_log": "XML Error: No declaration for element xBody",
"http_code": 403
},
"client":{
"ip":"200.249.12.31",
"port":123
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
"Content-Type": "text/xml"
},
"uri":"/?key=value&key=other_value",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"utf-8\"?>",
" <!DOCTYPE Envelope SYSTEM \"SoapEnvelope.dtd\">",
" <Envelope>",
" <xBody>",
" <getInput>",
" <id type=\"string\">12123</id>",
" </getInput>",
" </xBody>",
" </Envelope>"
]
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500008,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateDTD test-cases/data/SoapEnvelope.dtd\" \"id:500007,phase:3,deny\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing XML request body parser - validateDTD (bad XML)",
"expected":{
"debug_log": "XML: DTD validation failed because content is not well formed",
"http_code": 403
},
"client":{
"ip":"200.249.12.31",
"port":123
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
"Content-Type": "text/xml"
},
"uri":"/?key=value&key=other_value",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"utf-8\"?>",
"<!DOCTYPE Envelope SYSTEM \"SoapEnvelope.dtd\">",
" <Envelop>",
" <Body>",
" <getInput>",
" <id type=\"string\">12123</id>",
" </getInput>",
" </Body>",
" </Envelope>"
]
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500008,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateDTD test-cases/data/SoapEnvelope.dtd\" \"id:500007,phase:3,deny\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing XML request body parser - validateDTD (bad DTD)",
"expected":{
"parser_error": "Line: 4. Column: 12. XML: Failed to load DTD: test-cases/data/SoapEnvelope-bad.dtd"
},
"client":{
"ip":"200.249.12.31",
"port":123
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
"Content-Type": "text/xml"
},
"uri":"/?key=value&key=other_value",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"utf-8\"?>",
" <!DOCTYPE Envelope SYSTEM \"SoapEnvelope.dtd\">",
" <Envelope>",
" <Body>",
" <getInput>",
" <id type=\"string\">12123</id>",
" </getInput>",
" </Body>",
" </Envelope>"
]
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500008,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateDTD test-cases/data/SoapEnvelope-bad.dtd\" \"id:500007,phase:3,deny\""
]
}
]