Add new transformation call phpArgsNames

CHANGES

@@ -1,6 +1,8 @@
 v3.x.y - YYYY-MMM-DD (to be released)
 -------------------------------------
 
+  - EXPERIMENTAL: Add new transformation call phpArgsNames
+    [Issue #2387 - @marshal09]
   - Having ARGS_NAMES, variables proxied
     [@zimmerle, @martinhsv, @KaNikita]
   - Use explicit path for cross-compile environments.

Makefile.am

@@ -319,6 +319,7 @@ TESTS+=test/test-cases/secrules-language-tests/transformations/htmlEntityDecode.
 TESTS+=test/test-cases/secrules-language-tests/transformations/jsDecode.json
 TESTS+=test/test-cases/secrules-language-tests/transformations/length.json
 TESTS+=test/test-cases/secrules-language-tests/transformations/lowercase.json
+TESTS+=test/test-cases/secrules-language-tests/transformations/phpArgsNames.json
 TESTS+=test/test-cases/secrules-language-tests/transformations/md5.json
 TESTS+=test/test-cases/secrules-language-tests/transformations/normalisePath.json
 TESTS+=test/test-cases/secrules-language-tests/transformations/normalisePathWin.json

src/Makefile.am

@@ -167,6 +167,7 @@ ACTIONS = \
 	actions/transformations/js_decode.cc \
 	actions/transformations/length.cc \
 	actions/transformations/lower_case.cc \
+	actions/transformations/php_args_names.cc \
 	actions/transformations/md5.cc \
 	actions/transformations/none.cc \
 	actions/transformations/normalise_path.cc \

src/actions/transformations/php_args_names.cc

@@ -0,0 +1,97 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "src/actions/transformations/php_args_names.h"
+
+#include <algorithm>
+#include <string>
+#include <string.h>
+
+#include "modsecurity/transaction.h"
+#include "src/actions/transformations/transformation.h"
+#include "modsecurity/actions/action.h"
+
+namespace modsecurity {
+namespace actions {
+namespace transformations {
+
+
+PhpArgsNames::PhpArgsNames(const std::string &a)
+    : Transformation(a) {
+}
+
+std::string PhpArgsNames::evaluate(const std::string &val,
+    Transaction *transaction) {
+    //Took the logic from php src code:
+    //https://github.com/php/php-src/blob/master/main/php_variables.c
+    //Function call PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *track_vars_array)
+    std::string value(val);
+    std::string ret = "";
+    if(value[0] == '[' || value[0] == '=') {
+	return ret;
+    }
+    std::string::size_type i = 0;
+    while(value[i] == ' ') {
+	    i++;
+    }
+    std::string::size_type val_size = value.length();
+    bool is_array = false;
+    bool is_open_sq_bracket = false;
+    for (; i < val_size; ++i) {
+	    if(value[i] == '[' && !is_open_sq_bracket) {
+		    if(strchr(&value[i], ']') != NULL) {
+			    is_array = true;
+			    break;
+		    }
+
+		    ret +=  '_';
+		    is_open_sq_bracket = true;
+	    }
+	    else if( !is_open_sq_bracket && (value[i] == ' ' || value[i] == '.') ) {
+		    ret += '_';
+	    }
+	    else {
+		ret += value[i];
+	    }
+    }
+
+    if(is_array) {
+	    char* start = &value[0];
+	    while(true) {
+		char *tmp = &value[i];
+		char *close_bra = strchr(tmp, ']');
+		if(close_bra == NULL) {
+			return ret;
+		}
+		int array_size = (int)(close_bra - start) + 1;
+		if(array_size - i == 3 && value[i+1] == ' ') {
+			ret += '[';
+			i+=2;
+		}
+		for(;i < array_size; ++i) {
+			ret += value[i];
+		}
+		if(i >= val_size || value[i] != '[') {
+			return ret;
+		}
+	    }
+    }
+    return ret;
+
+}
+
+}  // namespace transformations
+}  // namespace actions
+}  // namespace modsecurity

src/actions/transformations/php_args_names.h

@@ -0,0 +1,46 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include <string>
+#include <unordered_map>
+
+#include "modsecurity/actions/action.h"
+#include "src/actions/transformations/transformation.h"
+
+#ifndef SRC_ACTIONS_TRANSFORMATIONS_PHP_ARGS_NAMES_H_
+#define SRC_ACTIONS_TRANSFORMATIONS_PHP_ARGS_NAMES_H_
+
+#ifdef __cplusplus
+
+namespace modsecurity {
+class Transaction;
+namespace actions {
+namespace transformations {
+
+
+class PhpArgsNames : public Transformation {
+ public:
+    explicit PhpArgsNames(const std::string &action);
+    std::string evaluate(const std::string &exp,
+        Transaction *transaction) override;
+};
+
+}  // namespace transformations
+}  // namespace actions
+}  // namespace modsecurity
+
+#endif
+
+#endif  // SRC_ACTIONS_TRANSFORMATIONS_PHP_ARGS_NAMES_H_

src/actions/transformations/transformation.cc

@@ -35,6 +35,7 @@
 #include "src/actions/transformations/js_decode.h"
 #include "src/actions/transformations/length.h"
 #include "src/actions/transformations/lower_case.h"
+#include "src/actions/transformations/php_args_names.h"
 #include "src/actions/transformations/md5.h"
 #include "src/actions/transformations/none.h"
 #include "src/actions/transformations/normalise_path.h"
@@ -88,6 +89,7 @@ Transformation* Transformation::instantiate(std::string a) {
     IF_MATCH(jsDecode) { return new JsDecode(a); }
     IF_MATCH(length) { return new Length(a); }
     IF_MATCH(lowercase) { return new LowerCase(a); }
+    IF_MATCH(phpArgsNames) { return new PhpArgsNames(a); }
     IF_MATCH(md5) { return new Md5(a); }
     IF_MATCH(none) { return new None(a); }
     IF_MATCH(normalizePathWin) { return new NormalisePathWin(a); }

src/parser/seclang-parser.yy

@@ -77,6 +77,7 @@ class Driver;
 #include "src/actions/transformations/none.h"
 #include "src/actions/transformations/url_decode.h"
 #include "src/actions/transformations/lower_case.h"
+#include "src/actions/transformations/php_args_names.h"
 #include "src/actions/transformations/upper_case.h"
 #include "src/actions/transformations/hex_decode.h"
 #include "src/actions/transformations/url_encode.h"
@@ -546,6 +547,7 @@ using namespace modsecurity::operators;
   ACTION_TRANSFORMATION_JS_DECODE              "ACTION_TRANSFORMATION_JS_DECODE"
   ACTION_TRANSFORMATION_LENGTH                 "ACTION_TRANSFORMATION_LENGTH"
   ACTION_TRANSFORMATION_LOWERCASE              "ACTION_TRANSFORMATION_LOWERCASE"
+  ACTION_TRANSFORMATION_PHP_ARGS_NAMES         "ACTION_TRANSFORMATION_PHP_ARGS_NAMES"
   ACTION_TRANSFORMATION_MD5                    "ACTION_TRANSFORMATION_MD5"
   ACTION_TRANSFORMATION_NONE                   "ACTION_TRANSFORMATION_NONE"
   ACTION_TRANSFORMATION_NORMALISE_PATH         "ACTION_TRANSFORMATION_NORMALISE_PATH"
@@ -2903,6 +2905,10 @@ act:
       {
         ACTION_CONTAINER($$, new actions::transformations::LowerCase($1));
       }
+    | ACTION_TRANSFORMATION_PHP_ARGS_NAMES
+      {
+        ACTION_CONTAINER($$, new actions::transformations::PhpArgsNames($1));
+      }
     | ACTION_TRANSFORMATION_UPPERCASE
       {
         ACTION_CONTAINER($$, new actions::transformations::UpperCase($1));

src/parser/seclang-scanner.ll

@@ -148,6 +148,7 @@ ACTION_TRANSFORMATION_HTML_ENTITY_DECODE        (?i:t:htmlEntityDecode)
 ACTION_TRANSFORMATION_JS_DECODE                 (?i:t:jsDecode)
 ACTION_TRANSFORMATION_LENGTH                    (?i:t:length)
 ACTION_TRANSFORMATION_LOWERCASE                 (?i:t:lowercase)
+ACTION_TRANSFORMATION_PHP_ARGS_NAMES            (?i:t:phpArgsNames)
 ACTION_TRANSFORMATION_MD5                       (?i:t:md5)
 ACTION_TRANSFORMATION_NONE                      (?i:t:none)
 ACTION_TRANSFORMATION_NORMALISE_PATH            (?i:t:(normalisePath|normalizePath))
@@ -585,6 +586,7 @@ EQUALS_MINUS                            (?i:=\-)
 {ACTION_TRANSFORMATION_HEX_ENCODE}                                      { return p::make_ACTION_TRANSFORMATION_HEX_ENCODE(yytext, *driver.loc.back()); }
 {ACTION_TRANSFORMATION_HEX_DECODE}                                      { return p::make_ACTION_TRANSFORMATION_HEX_DECODE(yytext, *driver.loc.back()); }
 {ACTION_TRANSFORMATION_LOWERCASE}                                       { return p::make_ACTION_TRANSFORMATION_LOWERCASE(yytext, *driver.loc.back()); }
+{ACTION_TRANSFORMATION_PHP_ARGS_NAMES}                                  { return p::make_ACTION_TRANSFORMATION_PHP_ARGS_NAMES(yytext, *driver.loc.back()); }
 {ACTION_TRANSFORMATION_UPPERCASE}                                       { return p::make_ACTION_TRANSFORMATION_UPPERCASE(yytext, *driver.loc.back()); }
 {ACTION_TRANSFORMATION_URL_ENCODE}                                      { return p::make_ACTION_TRANSFORMATION_URL_ENCODE(yytext, *driver.loc.back()); }
 {ACTION_TRANSFORMATION_URL_DECODE_UNI}                                  { return p::make_ACTION_TRANSFORMATION_URL_DECODE_UNI(yytext, *driver.loc.back()); }

test/test-cases/regression/transformations.json

@@ -114,5 +114,64 @@
       "SecRuleEngine On",
       "SecRule ARGS \"@contains test \" \"id:1,pass,t:trim,t:lowercase\""
     ]
+  },
+  {
+    "enabled": 1,
+    "version_min": 300000,
+    "version_max": 0,
+    "title": "Testing transformations :: block,t:none,t:phpArgsNames",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 2313
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "net.tutsplus.com",
+        "User-Agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)",
+        "Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
+        "Accept-Language": "en-us,en;q=0.5",
+        "Accept-Encoding": "gzip,deflate",
+        "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
+        "Keep-Alive": "300",
+        "Connection": "keep-alive",
+        "Cookie": "PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120",
+        "Pragma": "no-cache",
+        "Cache-Control": "no-cache"
+      },
+      "uri": "\/test.pl?param1=fdsfsd&s%252bc%20r.%2b+ipt._[a[_xss]]iaaa=1",
+      "method": "GET",
+      "http_version": 1.1,
+      "body": ""
+    },
+    "response": {
+      "headers": {
+        "Content-Type": "text\/xml; charset=utf-8\n\r",
+        "Content-Length": "length\n\r"
+      },
+      "body": [
+        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n\r",
+        "<soap:Envelope xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\" xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\" xmlns:soap=\"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\">\n\r",
+        "  <soap:Body>\n\r",
+        "  <EnlightenResponse xmlns=\"http:\/\/clearforest.com\/\">\n\r",
+        "  <EnlightenResult>string<\/EnlightenResult>\n\r",
+        "  <\/EnlightenResponse>\n\r",
+        "  <\/soap:Body>\n\r",
+        "<\/soap:Envelope>\n\r"
+      ]
+    },
+    "expected": {
+      "audit_log": "",
+      "debug_log": "phpArgsNames: \"s%2bc_r_[+]_ipt__[a[_xss]",
+      "error_log": "",
+      "http_code": 403
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecRule ARGS_NAMES \"@streq s%2bc_r_+_ipt__[a[_xss]\" \"id:1,phase:2,deny,status:403,t:none,t:phpArgsNames\""
+    ]
   }
 ]