github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 05:45:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

dds support to CtlRequestBodyAccess

Browse Source
This commit is contained in:
Felipe Zimmerle 2016-10-28 09:46:43 -03:00
parent 10d263cd36
commit 4711644600
No known key found for this signature in database
GPG Key ID: E6DFB08CE8B11277
9 changed files with 59 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
headers/modsecurity/transaction.h
View File

@ -283,6 +283,11 @@ class Transaction {
*/ */
std::list< std::pair<int, std::string> > m_ruleRemoveTargetById; std::list< std::pair<int, std::string> > m_ruleRemoveTargetById;
/**
*
*/
int m_requestBodyAccess;
/** /**
* The list m_auditLogModifier contains modifications to the `auditlogs' * The list m_auditLogModifier contains modifications to the `auditlogs'
* for this specific request, those modifications can happens via the * for this specific request, those modifications can happens via the

1
src/Makefile.am
View File

@ -106,6 +106,7 @@ ACTIONS = \
actions/ctl_rule_remove_target_by_tag.cc \ actions/ctl_rule_remove_target_by_tag.cc \
actions/ctl_rule_remove_target_by_id.cc \ actions/ctl_rule_remove_target_by_id.cc \
actions/ctl_rule_remove_by_id.cc \ actions/ctl_rule_remove_by_id.cc \
actions/ctl_request_body_access.cc\
actions/init_col.cc \ actions/init_col.cc \
actions/deny.cc \ actions/deny.cc \
actions/log.cc \ actions/log.cc \

20
src/parser/seclang-parser.yy
View File

@ -29,6 +29,7 @@ class Driver;
#include "actions/ctl_rule_remove_target_by_tag.h" #include "actions/ctl_rule_remove_target_by_tag.h"
#include "actions/ctl_rule_remove_target_by_id.h" #include "actions/ctl_rule_remove_target_by_id.h"
#include "actions/ctl_rule_remove_by_id.h" #include "actions/ctl_rule_remove_by_id.h"
#include "actions/ctl_request_body_access.h"
#include "actions/init_col.h" #include "actions/init_col.h"
#include "actions/set_sid.h" #include "actions/set_sid.h"
#include "actions/set_uid.h" #include "actions/set_uid.h"
@ -304,6 +305,7 @@ using modsecurity::Variables::XML;
%token <std::string> ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG %token <std::string> ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG
%token <std::string> ACTION_CTL_RULE_REMOVE_TARGET_BY_ID %token <std::string> ACTION_CTL_RULE_REMOVE_TARGET_BY_ID
%token <std::string> ACTION_CTL_RULE_REMOVE_BY_ID %token <std::string> ACTION_CTL_RULE_REMOVE_BY_ID
%token <std::string> ACTION_CTL_REQUEST_BODY_ACCESS
%type <std::vector<Action *> *> actions %type <std::vector<Action *> *> actions
%type <std::vector<Variable *> *> variables %type <std::vector<Variable *> *> variables
@ -1252,6 +1254,24 @@ act:
YYERROR; YYERROR;
} }
} }
| ACTION_CTL_REQUEST_BODY_ACCESS CONFIG_VALUE_ON
{
std::string error;
$$ = new modsecurity::actions::CtlRequestBodyAccess($1 + "true");
if ($$->init(&error) == false) {
driver.error(@0, error);
YYERROR;
}
}
| ACTION_CTL_REQUEST_BODY_ACCESS CONFIG_VALUE_OFF
{
std::string error;
$$ = new modsecurity::actions::CtlRequestBodyAccess($1 + "false");
if ($$->init(&error) == false) {
driver.error(@0, error);
YYERROR;
}
}
| ACTION_CTL_FORCE_REQ_BODY_VAR CONFIG_VALUE_ON | ACTION_CTL_FORCE_REQ_BODY_VAR CONFIG_VALUE_ON
{ {
$$ = Action::instantiate($1); $$ = Action::instantiate($1);

2
src/parser/seclang-scanner.ll
View File

@ -80,6 +80,7 @@ CONFIG_DIR_RES_BODY_LIMIT_ACTION (?i:SecResponseBodyLimitAction)
ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG (?i:ctl:ruleRemoveTargetByTag) ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG (?i:ctl:ruleRemoveTargetByTag)
ACTION_CTL_RULE_REMOVE_TARGET_BY_ID (?i:ctl:ruleRemoveTargetById) ACTION_CTL_RULE_REMOVE_TARGET_BY_ID (?i:ctl:ruleRemoveTargetById)
ACTION_CTL_RULE_REMOVE_BY_ID (?i:ctl:ruleRemoveById) ACTION_CTL_RULE_REMOVE_BY_ID (?i:ctl:ruleRemoveById)
ACTION_CTL_REQUEST_BODY_ACCESS (?i:ctl:requestBodyAccess)
CONFIG_DIR_GEO_DB (?i:SecGeoLookupDb) CONFIG_DIR_GEO_DB (?i:SecGeoLookupDb)
@ -235,6 +236,7 @@ CONFIG_DIR_UNICODE_MAP_FILE (?i:SecUnicodeMapFile)
{ACTION_CTL_RULE_ENGINE}= { return yy::seclang_parser::make_ACTION_CTL_RULE_ENGINE(yytext, *driver.loc.back()); } {ACTION_CTL_RULE_ENGINE}= { return yy::seclang_parser::make_ACTION_CTL_RULE_ENGINE(yytext, *driver.loc.back()); }
{ACTION_CTL_AUDIT_ENGINE}= { return yy::seclang_parser::make_ACTION_CTL_AUDIT_ENGINE(yytext, *driver.loc.back()); } {ACTION_CTL_AUDIT_ENGINE}= { return yy::seclang_parser::make_ACTION_CTL_AUDIT_ENGINE(yytext, *driver.loc.back()); }
{ACTION_CTL_FORCE_REQ_BODY_VAR}= { return yy::seclang_parser::make_ACTION_CTL_FORCE_REQ_BODY_VAR(yytext, *driver.loc.back()); } {ACTION_CTL_FORCE_REQ_BODY_VAR}= { return yy::seclang_parser::make_ACTION_CTL_FORCE_REQ_BODY_VAR(yytext, *driver.loc.back()); }
{ACTION_CTL_REQUEST_BODY_ACCESS}= { return yy::seclang_parser::make_ACTION_CTL_REQUEST_BODY_ACCESS(yytext, *driver.loc.back()); }
%{ /* Remove Rules */ %} %{ /* Remove Rules */ %}

28
src/transaction.cc
View File

@ -43,8 +43,10 @@
#include "src/unique_id.h" #include "src/unique_id.h"
#include "src/utils.h" #include "src/utils.h"
#include "modsecurity/rule.h" #include "modsecurity/rule.h"
#include "modsecurity/rules_properties.h"
#include "src/actions/allow.h" #include "src/actions/allow.h"
using modsecurity::actions::Action; using modsecurity::actions::Action;
using modsecurity::RequestBodyProcessor::Multipart; using modsecurity::RequestBodyProcessor::Multipart;
using modsecurity::RequestBodyProcessor::XML; using modsecurity::RequestBodyProcessor::XML;
@ -113,6 +115,7 @@ Transaction::Transaction(ModSecurity *ms, Rules *rules, void *logCbData)
m_requestHeadersNames(NULL), m_requestHeadersNames(NULL),
m_responseHeadersNames(NULL), m_responseHeadersNames(NULL),
m_responseContentType(NULL), m_responseContentType(NULL),
m_requestBodyAccess(Rules::PropertyNotSetConfigBoolean),
m_marker(""), m_marker(""),
m_allowType(modsecurity::actions::NoneAllowType), m_allowType(modsecurity::actions::NoneAllowType),
m_skip_next(0), m_skip_next(0),
@ -618,7 +621,7 @@ int Transaction::processRequestBody() {
debug(4, "Starting phase REQUEST_BODY. (SecRules 2)"); debug(4, "Starting phase REQUEST_BODY. (SecRules 2)");
#endif #endif
if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) { if (m_rules->m_secRuleEngine == RulesProperties::DisabledRuleEngine) {
#ifndef NO_LOGS #ifndef NO_LOGS
debug(4, "Rule engine disabled, returning..."); debug(4, "Rule engine disabled, returning...");
#endif #endif
@ -719,6 +722,29 @@ int Transaction::processRequestBody() {
m_collections.storeOrUpdateFirst("REQBODY_PROCESSOR_ERROR", "0"); m_collections.storeOrUpdateFirst("REQBODY_PROCESSOR_ERROR", "0");
} }
#if 1
if (m_rules->m_secRequestBodyAccess != RulesProperties::TrueConfigBoolean) {
if (m_requestBodyAccess != RulesProperties::TrueConfigBoolean) {
debug(4, "Request body processing is disabled");
this->m_rules->evaluate(modsecurity::RequestBodyPhase, this);
return true;
} else {
debug(4, "Request body processing is disabled, but " \
"enabled to this transaction due to ctl:requestBodyAccess " \
"action");
}
} else {
if (m_requestBodyAccess == RulesProperties::FalseConfigBoolean) {
debug(4, "Request body processing is enabled, but " \
"disable to this transaction due to ctl:requestBodyAccess " \
"action");
this->m_rules->evaluate(modsecurity::RequestBodyPhase, this);
return true;
}
}
#endif
/** /**
* FIXME: This variable should be calculated on demand, it is * FIXME: This variable should be calculated on demand, it is
* computationally intensive. * computationally intensive.

1
test/test-cases/regression/variable-FULL_REQUEST.json
View File

@ -55,6 +55,7 @@
}, },
"rules":[ "rules":[
"SecRuleEngine On", "SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRule FULL_REQUEST \"@contains small_text_file.txt\" \"id:1,phase:3,pass,t:trim\"" "SecRule FULL_REQUEST \"@contains small_text_file.txt\" \"id:1,phase:3,pass,t:trim\""
] ]
} }

1
test/test-cases/regression/variable-FULL_REQUEST_LENGTH.json
View File

@ -55,6 +55,7 @@
}, },
"rules":[ "rules":[
"SecRuleEngine On", "SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRule FULL_REQUEST_LENGTH \"@contains small_text_file.txt\" \"id:1,phase:3,pass,t:trim\"" "SecRule FULL_REQUEST_LENGTH \"@contains small_text_file.txt\" \"id:1,phase:3,pass,t:trim\""
] ]
} }

1
test/test-cases/regression/variable-REQUEST_BODY.json
View File

@ -55,6 +55,7 @@
}, },
"rules":[ "rules":[
"SecRuleEngine On", "SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRule REQUEST_BODY \"@contains small_text_file.txt\" \"id:1,phase:3,pass,t:trim\"" "SecRule REQUEST_BODY \"@contains small_text_file.txt\" \"id:1,phase:3,pass,t:trim\""
] ]
} }

1
test/test-cases/regression/variable-REQUEST_BODY_LENGTH.json
View File

@ -55,6 +55,7 @@
}, },
"rules":[ "rules":[
"SecRuleEngine On", "SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRule REQUEST_BODY_LENGTH \"@contains small_text_file.txt\" \"id:1,phase:3,pass,t:trim\"" "SecRule REQUEST_BODY_LENGTH \"@contains small_text_file.txt\" \"id:1,phase:3,pass,t:trim\""
] ]
} }