github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-30 11:44:32 +03:00
Code Issues Packages Projects Releases Wiki Activity

Support SecRequestBodyNoFilesLimit

Browse Source
This commit is contained in:
Martin Vierula
2022-02-15 14:53:34 -08:00
parent 6bd1c7764e
commit 4c526fc218
3 changed files with 463 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
src/transaction.cc
View File

@@ -804,25 +804,43 @@ int Transaction::processRequestBody() {
*/
std::unique_ptr<std::string> a = m_variableRequestHeaders.resolveFirst(
"Content-Type");
bool requestBodyNoFilesLimitExceeded = false;
if ((m_requestBodyType == WWWFormUrlEncoded) ||
(m_requestBodyProcessor == JSONRequestBody) ||
(m_requestBodyProcessor == XMLRequestBody)) {
if ((m_rules->m_requestBodyNoFilesLimit.m_set)
&& (m_requestBody.str().size() > m_rules->m_requestBodyNoFilesLimit.m_value)) {
m_variableReqbodyError.set("1", 0);
m_variableReqbodyErrorMsg.set("Request body excluding files is bigger than the maximum expected.", 0);
m_variableInboundDataError.set("1", m_variableOffset);
ms_dbg(5, "Request body excluding files is bigger than the maximum expected.");
requestBodyNoFilesLimitExceeded = true;
}
}
#ifdef WITH_LIBXML2
if (m_requestBodyProcessor == XMLRequestBody) {
std::string error;
if (m_xml->init() == true) {
m_xml->processChunk(m_requestBody.str().c_str(),
m_requestBody.str().size(),
&error);
m_xml->complete(&error);
}
if (error.empty() == false) {
m_variableReqbodyError.set("1", m_variableOffset);
m_variableReqbodyErrorMsg.set("XML parsing error: " + error,
m_variableOffset);
m_variableReqbodyProcessorErrorMsg.set("XML parsing error: " \
+ error, m_variableOffset);
m_variableReqbodyProcessorError.set("1", m_variableOffset);
} else {
m_variableReqbodyError.set("0", m_variableOffset);
m_variableReqbodyProcessorError.set("0", m_variableOffset);
// large size might cause issues in the parsing itself; omit if exceeded
if (!requestBodyNoFilesLimitExceeded) {
std::string error;
if (m_xml->init() == true) {
m_xml->processChunk(m_requestBody.str().c_str(),
m_requestBody.str().size(),
&error);
m_xml->complete(&error);
}
if (error.empty() == false) {
m_variableReqbodyError.set("1", m_variableOffset);
m_variableReqbodyErrorMsg.set("XML parsing error: " + error,
m_variableOffset);
m_variableReqbodyProcessorErrorMsg.set("XML parsing error: " \
+ error, m_variableOffset);
m_variableReqbodyProcessorError.set("1", m_variableOffset);
} else {
m_variableReqbodyError.set("0", m_variableOffset);
m_variableReqbodyProcessorError.set("0", m_variableOffset);
}
}
#endif
#if WITH_YAJL
@@ -831,26 +849,29 @@ int Transaction::processRequestBody() {
#else
if (m_requestBodyProcessor == JSONRequestBody) {
#endif
std::string error;
if (m_rules->m_requestBodyJsonDepthLimit.m_set) {
m_json->setMaxDepth(m_rules->m_requestBodyJsonDepthLimit.m_value);
}
if (m_json->init() == true) {
m_json->processChunk(m_requestBody.str().c_str(),
m_requestBody.str().size(),
&error);
m_json->complete(&error);
}
if (error.empty() == false && m_requestBody.str().size() > 0) {
m_variableReqbodyError.set("1", m_variableOffset);
m_variableReqbodyProcessorError.set("1", m_variableOffset);
m_variableReqbodyErrorMsg.set("JSON parsing error: " + error,
m_variableOffset);
m_variableReqbodyProcessorErrorMsg.set("JSON parsing error: " \
+ error, m_variableOffset);
} else {
m_variableReqbodyError.set("0", m_variableOffset);
m_variableReqbodyProcessorError.set("0", m_variableOffset);
// large size might cause issues in the parsing itself; omit if exceeded
if (!requestBodyNoFilesLimitExceeded) {
std::string error;
if (m_rules->m_requestBodyJsonDepthLimit.m_set) {
m_json->setMaxDepth(m_rules->m_requestBodyJsonDepthLimit.m_value);
}
if (m_json->init() == true) {
m_json->processChunk(m_requestBody.str().c_str(),
m_requestBody.str().size(),
&error);
m_json->complete(&error);
}
if (error.empty() == false && m_requestBody.str().size() > 0) {
m_variableReqbodyError.set("1", m_variableOffset);
m_variableReqbodyProcessorError.set("1", m_variableOffset);
m_variableReqbodyErrorMsg.set("JSON parsing error: " + error,
m_variableOffset);
m_variableReqbodyProcessorErrorMsg.set("JSON parsing error: " \
+ error, m_variableOffset);
} else {
m_variableReqbodyError.set("0", m_variableOffset);
m_variableReqbodyProcessorError.set("0", m_variableOffset);
}
}
#endif
#if defined(WITH_LIBXML2) or defined(WITH_YAJL)
@@ -859,11 +880,13 @@ int Transaction::processRequestBody() {
if (m_requestBodyType == MultiPartRequestBody) {
#endif
std::string error;
int reqbodyNoFilesLength = 0;
if (a != NULL) {
Multipart m(*a, this);
if (m.init(&error) == true) {
m.process(m_requestBody.str(), &error, m_variableOffset);
}
reqbodyNoFilesLength = m.m_reqbody_no_files_length;
m.multipart_complete(&error);
}
if (error.empty() == false) {
@@ -873,13 +896,22 @@ int Transaction::processRequestBody() {
m_variableOffset);
m_variableReqbodyProcessorErrorMsg.set("Multipart parsing " \
"error: " + error, m_variableOffset);
} else if (((m_rules->m_requestBodyNoFilesLimit.m_set)
&& (reqbodyNoFilesLength > m_rules->m_requestBodyNoFilesLimit.m_value))) {
m_variableReqbodyError.set("1", 0);
m_variableReqbodyErrorMsg.set("Request body excluding files is bigger than the maximum expected.", 0);
m_variableInboundDataError.set("1", m_variableOffset);
ms_dbg(5, "Request body excluding files is bigger than the maximum expected.");
} else {
m_variableReqbodyError.set("0", m_variableOffset);
m_variableReqbodyProcessorError.set("0", m_variableOffset);
}
} else if (m_requestBodyType == WWWFormUrlEncoded) {
m_variableOffset++;
extractArguments("POST", m_requestBody.str(), m_variableOffset);
// large size might cause issues in the parsing itself; omit if exceeded
if (!requestBodyNoFilesLimitExceeded) {
extractArguments("POST", m_requestBody.str(), m_variableOffset);
}
} else if (m_requestBodyType != UnknownFormat) {
/**
* FIXME: double check to see if that is a valid scenario...