Adds support to ctl:requestBodyProcessor=XML

This commit is contained in:
Felipe Zimmerle 2016-05-18 10:29:37 -03:00
parent 9202ffb17d
commit 6a7b970fe3
7 changed files with 263 additions and 12 deletions


@ -252,6 +252,11 @@ class Transaction {
*/
RequestBodyType m_requestBodyType;
/**
* Holds the request body "processor"
*/
RequestBodyType m_requestBodyProcessor;
/**
* Rules object utilized during this specific transaction.
*/
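Review bot: The doc comment on the new `m_requestBodyProcessor` member does not say how it differs from `m_requestBodyType` declared just above it, and the quoted word "processor" gives a reader no contract. Within this commit the field is written only by the ctl:requestBodyProcessor action and read in processRequestBody(), while `m_requestBodyType` is derived from the Content-Type header, so propose `/** Body processor explicitly selected for this transaction (via ctl:requestBodyProcessor); unlike m_requestBodyType it is not inferred from Content-Type and starts as UnknownFormat. */`. The Transaction class definition starts and ends outside the hunk.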


@ -68,6 +68,7 @@ ACTIONS = \
actions/capture.cc \
actions/chain.cc \
actions/ctl_audit_log_parts.cc \
actions/ctl_request_body_processor_xml.cc \
actions/init_col.cc \
actions/deny.cc \
actions/log_data.cc \


@ -0,0 +1,34 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Trustwave Holdings, Inc.
* directly using the email address security@modsecurity.org.
*
*/
#include "actions/ctl_request_body_processor_xml.h"
#include <iostream>
#include <string>
#include "modsecurity/transaction.h"
namespace modsecurity {
namespace actions {
bool CtlRequestBodyProcessorXML::evaluate(Rule *rule, Transaction *transaction) {
transaction->m_requestBodyProcessor = modsecurity::Transaction::XMLRequestBody;
return true;
}
} // namespace actions
} // namespace modsecurity
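Review bot: `#include <iostream>` in the new ctl_request_body_processor_xml.cc is unused — evaluate() only assigns `transaction->m_requestBodyProcessor` — and should be dropped. The `rule` parameter is unused, which is fine for the Action interface, but an unnamed parameter `bool CtlRequestBodyProcessorXML::evaluate(Rule *, Transaction *transaction) {` keeps -Wunused-parameter quiet. A one-line comment above the method would also help the next reader, e.g. `// Selects the XML body processor for this transaction regardless of Content-Type; the parse itself happens later in Transaction::processRequestBody().`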


@ -0,0 +1,39 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Trustwave Holdings, Inc.
* directly using the email address security@modsecurity.org.
*
*/
#include <string>
#include "actions/action.h"
#include "modsecurity/transaction.h"
#ifndef SRC_ACTIONS_CTL_REQUEST_BODY_PROCESSOR_XML_H_
#define SRC_ACTIONS_CTL_REQUEST_BODY_PROCESSOR_XML_H_
namespace modsecurity {
namespace actions {
class CtlRequestBodyProcessorXML : public Action {
public:
explicit CtlRequestBodyProcessorXML(std::string action)
: Action(action, RunTimeOnlyIfMatchKind) { }
bool evaluate(Rule *rule, Transaction *transaction) override;
};
} // namespace actions
} // namespace modsecurity
#endif // SRC_ACTIONS_CTL_REQUEST_BODY_PROCESSOR_XML_H_
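Review bot: The include guard `SRC_ACTIONS_CTL_REQUEST_BODY_PROCESSOR_XML_H_` is opened only after the three `#include` lines, so the includes sit outside the guard; move `#ifndef`/`#define` above `#include <string>` so the guard covers the whole header, which is the conventional layout. The constructor takes `action` by value and then copies it into the base; if `Action`'s constructor also takes the string by value, `: Action(std::move(action), RunTimeOnlyIfMatchKind) { }` saves a copy (its signature is not in this diff, so confirm before changing). A short Doxygen line on the class would document its purpose, e.g. `/// Action for ctl:requestBodyProcessor=XML: selects the XML body processor on the current transaction.`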


@ -23,6 +23,7 @@ class Driver;
#include "actions/action.h"
#include "actions/audit_log.h"
#include "actions/ctl_audit_log_parts.h"
#include "actions/ctl_request_body_processor_xml.h"
#include "actions/init_col.h"
#include "actions/set_sid.h"
#include "actions/set_uid.h"
@ -69,6 +70,7 @@ using modsecurity::ModSecurity;
using modsecurity::actions::Accuracy;
using modsecurity::actions::Action;
using modsecurity::actions::CtlAuditLogParts;
using modsecurity::actions::CtlRequestBodyProcessorXML;
using modsecurity::actions::InitCol;
using modsecurity::actions::SetSID;
using modsecurity::actions::SetUID;
@ -1094,8 +1096,7 @@ act:
}
| ACTION_CTL_BDY_XML
{
/* not ready yet. */
$$ = Action::instantiate($1);
$$ = new modsecurity::actions::CtlRequestBodyProcessorXML($1);
}
| ACTION_CTL_BDY_JSON
{
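Review bot: The new grammar action under `| ACTION_CTL_BDY_XML` instantiates the class by its fully-qualified name, `new modsecurity::actions::CtlRequestBodyProcessorXML($1)`, although this same file section adds `using modsecurity::actions::CtlRequestBodyProcessorXML;` next to the other action using-declarations; either use `$$ = new CtlRequestBodyProcessorXML($1);` to match the neighbouring actions, which presumably rely on their using-declarations, or drop the unused using-declaration. The `act` rule starts and ends outside the hunk.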


@ -107,6 +107,7 @@ Transaction::Transaction(ModSecurity *ms, Rules *rules, void *logCbData)
m_namesArgsPost(NULL),
m_namesArgsGet(NULL),
m_requestBodyType(UnknownFormat),
m_requestBodyProcessor(UnknownFormat),
m_requestHeadersNames(NULL),
m_responseHeadersNames(NULL),
m_responseContentType(NULL),
@ -475,7 +476,6 @@ int Transaction::addRequestHeader(const std::string& key,
if (keyl == "content-type") {
std::string multipart("multipart/form-data");
std::string l = tolower(value);
if (l.compare(0, multipart.length(), multipart) == 0) {
this->m_requestBodyType = MultiPartRequestBody;
}
@ -590,15 +590,11 @@ int Transaction::processRequestBody() {
*
*/
if (m_requestBodyType == XMLRequestBody) {
std::string *a = m_collections.resolveFirst(
"REQUEST_HEADERS:Content-Type");
if (a != NULL) {
if (m_xml->init() == true) {
m_xml->processChunk(m_requestBody.str().c_str(),
m_requestBody.str().size());
m_xml->complete();
}
if (m_requestBodyProcessor == XMLRequestBody) {
if (m_xml->init() == true) {
m_xml->processChunk(m_requestBody.str().c_str(),
m_requestBody.str().size());
m_xml->complete();
}
}
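Review bot: In the new `if (m_requestBodyProcessor == XMLRequestBody)` block, `m_requestBody.str()` is evaluated twice in the processChunk call, materialising two temporary copies of the whole request body; hoist it once, `const std::string body = m_requestBody.str(); m_xml->processChunk(body.c_str(), body.size());`. The previous code also required a Content-Type header before parsing and that gate is dropped here, which is reasonable now that the processor is selected explicitly by a rule, but it means the untrusted request body reaches the XML parser whenever a rule asks for it, so the parser options the `XML` class applies in init() (entity substitution, external resource loading) are worth confirming since they are outside this diff. A failed `m_xml->init()` also skips parsing with no debug-log line at this level, unless init() logs on its own. processRequestBody() starts and ends outside the hunk.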


@ -0,0 +1,175 @@
[
{
"enabled":1,
"version_min":300000,
"title":"Testing CtlRequestBodyProcessor=XML (1)",
"expected":{
"debug_log": "Registered XML namespace href \"http://schemas.xmlsoap.org/soap/envelope/\" prefix \"soap\""
},
"client":{
"ip":"200.249.12.31",
"port":123
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
"Content-Type": "text/xml"
},
"uri":"/?key=value&key=other_value",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
"<bookstore>",
"<book category=\"COOKING\">",
"<title lang=\"en\">Everyday Italian</title>",
"<author>Giada De Laurentiis</author>",
"<year>2005</year>",
"<price>30.00</price>",
"</book>",
"<book category=\"CHILDREN\">",
"<title lang=\"en\">Harry Potter</title>",
"<author>J K. Rowling</author>",
"<year>2005</year>",
"<price>29.99</price>",
"</book>",
"<book category=\"WEB\">",
"<title lang=\"en\">XQuery Kick Start</title>",
"<author>James McGovern</author>",
"<author>Per Bothner</author>",
"<author>Kurt Cagle</author>",
"<author>James Linn</author>",
"<author>Vaidyanathan Nagarajan</author>",
"<year>2003</year>",
"<price>49.99</price>",
"</book>",
"<book category=\"WEB\">",
"<title lang=\"en\">Learning XML</title>",
"<author>Erik T. Ray</author>",
"<year>2003</year>",
"<price>39.95</price>",
"</book>",
"</bookstore>"
]
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500005,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML:/bookstore/book/price[text()] \"Fred\" \"phase:3,id:123,xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing CtlRequestBodyProcessor=XML (2)",
"expected":{
"debug_log": "XML: No XML document found, returning"
},
"client":{
"ip":"200.249.12.31",
"port":123
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
"Content-Type": "text/xml"
},
"uri":"/?key=value&key=other_value",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
"<bookstore>",
"<book category=\"COOKING\">",
"<title lang=\"en\">Everyday Italian</title>",
"<author>Giada De Laurentiis</author>",
"<year>2005</year>",
"<price>30.00</price>",
"</book>",
"<book category=\"CHILDREN\">",
"<title lang=\"en\">Harry Potter</title>",
"<author>J K. Rowling</author>",
"<year>2005</year>",
"<price>29.99</price>",
"</book>",
"<book category=\"WEB\">",
"<title lang=\"en\">XQuery Kick Start</title>",
"<author>James McGovern</author>",
"<author>Per Bothner</author>",
"<author>Kurt Cagle</author>",
"<author>James Linn</author>",
"<author>Vaidyanathan Nagarajan</author>",
"<year>2003</year>",
"<price>49.99</price>",
"</book>",
"<book category=\"WEB\">",
"<title lang=\"en\">Learning XML</title>",
"<author>Erik T. Ray</author>",
"<year>2003</year>",
"<price>39.95</price>",
"</book>",
"</bookstore>"
]
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRule XML:/bookstore/book/price[text()] \"Fred\" \"phase:3,id:123,xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing CtlRequestBodyProcessor=XML (3)",
"expected":{
"debug_log": "XML: Failed parsing document."
},
"client":{
"ip":"200.249.12.31",
"port":123
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
"Content-Type": "text/xml"
},
"uri":"/?key=value&key=other_value",
"method":"POST",
"body": [
"not a xml"
]
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500005,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML:/bookstore/book/price[text()] \"Fred\" \"phase:3,id:123,xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\""
]
}
]
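Review bot: Test (1) asserts only that the `soap` namespace was registered, and its rule 123 looks for `Fred`, which never occurs in the body, so the test still passes if the `XML:` variable is never resolved against the parsed document; a stronger check would match a value that is present (for example `@streq 30.00` against `XML:/bookstore/book/price[text()]`) and expect rule 123 to match. Tests (2) and (3) cover the no-ctl and malformed-body cases well; note that the `debug_log` strings all three expect are tied to exact wording inside the XML class, so any wording change there will break them.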