github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 21:36:00 +03:00
Code Issues Packages Projects Releases Wiki Activity

Forces disruptive to be first-rule-only

Browse Source 
ModSecurity version 3 is capable to handle disruptive actions in different
rules from the chain. However, lets get it working in the same fashion that
we have in version 2.
This commit is contained in:
Felipe Zimmerle 2017-04-24 21:02:50 -03:00
parent 7e59250068
commit 6421ff087a
No known key found for this signature in database
GPG Key ID: E6DFB08CE8B11277
9 changed files with 71 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
headers/modsecurity/rule.h
View File

@ -76,7 +76,7 @@ class Rule {
std::vector<std::string> getActionNames();
std::vector<actions::Action *> getActionsByName(const std::string& name);
bool containsTag(const std::string& name, Transaction *t);
bool containsDisruptiveAction();
int refCountDecreaseAndCheck() {
m_referenceCount--;

1
src/actions/disruptive/allow.h
View File

@ -60,6 +60,7 @@ class Allow : public Action {
bool init(std::string *error) override;
bool evaluate(Rule *rule, Transaction *transaction) override;
bool isDisruptive() override { return true; }
AllowType m_allowType;

39
src/parser/driver.cc
View File

@ -70,22 +70,33 @@ int Driver::addSecRule(Rule *rule) {
return false;
}
if (lastRule && lastRule->m_chained && lastRule->m_chainedRule == NULL) {
rule->m_phase = lastRule->m_phase;
lastRule->m_chainedRule = rule;
return true;
if (lastRule && lastRule->m_chained) {
if (lastRule->m_chainedRule == NULL) {
rule->m_phase = lastRule->m_phase;
lastRule->m_chainedRule = rule;
if (rule->containsDisruptiveAction()) {
m_parserError << "Disruptive actions can only be specified by";
m_parserError << " chain starter rules.";
return false;
}
return true;
} else {
Rule *a = lastRule->m_chainedRule;
while (a->m_chained && a->m_chainedRule != NULL) {
a = a->m_chainedRule;
}
if (a->m_chained && a->m_chainedRule == NULL) {
a->m_chainedRule = rule;
if (a->containsDisruptiveAction()) {
m_parserError << "Disruptive actions can only be ";
m_parserError << "specified by chain starter rules.";
return false;
}
return true;
}
}
}
if (lastRule && lastRule->m_chained && lastRule->m_chainedRule != NULL) {
Rule *a = lastRule->m_chainedRule;
while (a->m_chained && a->m_chainedRule != NULL) {
a = a->m_chainedRule;
}
if (a->m_chained && a->m_chainedRule == NULL) {
a->m_chainedRule = rule;
return true;
}
}
/*
* Checking if the rule has an ID and also checking if this ID is not used

21
src/rule.cc
View File

@ -706,6 +706,27 @@ end_exec:
}
bool Rule::containsDisruptiveAction() {
for (Action *a : m_actionsRuntimePos) {
if (a->isDisruptive() == true) {
return true;
}
}
for (Action *a : m_actionsRuntimePre) {
if (a->isDisruptive() == true) {
return true;
}
}
for (Action *a : m_actionsConf) {
if (a->isDisruptive() == true) {
return true;
}
}
return false;
}
std::vector<actions::Action *> Rule::getActionsByName(const std::string& name) {
std::vector<actions::Action *> ret;
for (auto &z : m_actionsRuntimePos) {

12
test/test-cases/regression/config-calling_phases_by_name.json
View File

@ -2,7 +2,7 @@
{
"enabled":1,
"version_min":300000,
"title":"Testing Variables :: MATCHED_VAR (1/2)",
"title":"Testing Config :: Phases by name (1/2)",
"client":{
"ip":"200.249.12.31",
"port":123
@ -35,14 +35,14 @@
},
"rules":[
"SecRuleEngine On",
"SecRule ARGS:key \"@contains other_value\" \"id:1,phase:request,chain\"",
"SecRule MATCHED_VAR \"@contains asdf\" \"phase:request,pass\""
"SecRule ARGS:key \"@contains other_value\" \"id:1,phase:request,pass,chain\"",
"SecRule MATCHED_VAR \"@contains asdf\" \"\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing Variables :: MATCHED_VAR (2/2)",
"title":"Testing Config :: Phases by name (2/2)",
"client":{
"ip":"200.249.12.31",
"port":123
@ -75,8 +75,8 @@
},
"rules":[
"SecRuleEngine On",
"SecRule ARGS:key \"@contains other_value\" \"chain,phase:response,id:28\"",
"SecRule MATCHED_VAR \"@contains Aasdf\" \"pass\"",
"SecRule ARGS:key \"@contains other_value\" \"chain,pass,phase:response,id:28\"",
"SecRule MATCHED_VAR \"@contains Aasdf\" \"\"",
"SecRule MATCHED_VAR \"@contains other_value\" \"id:29,phase:response,pass\"",
"SecRule MATCHED_VAR \"@contains other_value\" \"id:30,phase:response,pass\""
]

9
test/test-cases/regression/variable-MATCHED_VAR.json
View File

@ -35,8 +35,8 @@
},
"rules":[
"SecRuleEngine On",
"SecRule ARGS:key \"@contains other_value\" \"chain,id:28\"",
"SecRule MATCHED_VAR \"@contains asdf\" \"pass\""
"SecRule ARGS:key \"@contains other_value\" \"chain,id:28,pass\"",
"SecRule MATCHED_VAR \"@contains asdf\" \"\""
]
},
{
@ -75,8 +75,9 @@
},
"rules":[
"SecRuleEngine On",
"SecRule ARGS:key \"@contains other_value\" \"chain,id:28\"",
"SecRule MATCHED_VAR \"@contains Aasdf\" \"pass\"",
"SecRule ARGS:key \"@contains other_value\" \"chain,id:28,pass\"",
"SecRule MATCHED_VAR \"@contains Aasdf\" \"\"",
"SecRule MATCHED_VAR \"@contains other_value\" \"id:29,pass\"",
"SecRule MATCHED_VAR \"@contains other_value\" \"id:30,pass\""
]

8
test/test-cases/regression/variable-MATCHED_VARS.json
View File

@ -35,9 +35,9 @@
},
"rules":[
"SecRuleEngine On",
"SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
"SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",
"SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
"SecRule MATCHED_VARS \"@contains asdf\" \"pass\""
"SecRule MATCHED_VARS \"@contains asdf\" \"\""
]
},
{
@ -76,9 +76,9 @@
},
"rules":[
"SecRuleEngine On",
"SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
"SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",
"SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
"SecRule MATCHED_VARS \"@contains asdf\" \"pass\"",
"SecRule MATCHED_VARS \"@contains asdf\" \"\"",
"SecRule MATCHED_VARS \"@contains value\" \"id:29\""
]
}

8
test/test-cases/regression/variable-MATCHED_VARS_NAMES.json
View File

@ -35,9 +35,9 @@
},
"rules":[
"SecRuleEngine On",
"SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
"SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",
"SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
"SecRule MATCHED_VARS_NAMES \"@contains asdf\" \"pass\""
"SecRule MATCHED_VARS_NAMES \"@contains asdf\" \"\""
]
},
{
@ -76,9 +76,9 @@
},
"rules":[
"SecRuleEngine On",
"SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
"SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",
"SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
"SecRule MATCHED_VARS_NAMES \"@contains asdf\" \"pass\"",
"SecRule MATCHED_VARS_NAMES \"@contains asdf\" \"\"",
"SecRule MATCHED_VARS_NAMES \"@contains value\" \"id:29\""
]
}

8
test/test-cases/regression/variable-MATCHED_VAR_NAME.json
View File

@ -35,9 +35,9 @@
},
"rules":[
"SecRuleEngine On",
"SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
"SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",
"SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
"SecRule MATCHED_VAR_NAME \"@contains asdf\" \"pass\""
"SecRule MATCHED_VAR_NAME \"@contains asdf\" \"\""
]
},
{
@ -76,9 +76,9 @@
},
"rules":[
"SecRuleEngine On",
"SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
"SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",
"SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
"SecRule MATCHED_VAR_NAME \"@contains asdf\" \"pass\"",
"SecRule MATCHED_VAR_NAME \"@contains asdf\" \"\"",
"SecRule MATCHED_VAR_NAME \"@contains value\" \"id:29\""
]
}