github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 05:45:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'v3/master' of https://github.com/SpiderLabs/ModSecurity into v3/multipartpartheaderfix

Browse Source
This commit is contained in:
Ervin Hegedüs 2023-04-23 17:17:29 +02:00
commit 6fbdee9ff0
17 changed files with 1022 additions and 993 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/ISSUE_TEMPLATE/bug-report-for-version-2-x.md vendored
View File

@ -1,6 +1,9 @@
---
name: Bug report for version 2.x
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---

9
.github/ISSUE_TEMPLATE/bug-report-for-version-3-x.md vendored
View File

@ -2,6 +2,9 @@
name: Bug report for version 3.x
about: Create a report to help us improve. If you don't know a specific detail or
piece of information leave it blank, if necessary we will help you to figure out.
title: ''
labels: ''
assignees: ''
---
@ -17,7 +20,7 @@ Output of:
3. Error logs
4. If there is a crash, the core dump file.
_Notice:_ Be carefully to not leak any confidential information.
_Notice:_ Be careful to not leak any confidential information.
**To Reproduce**
@ -33,8 +36,8 @@ A **curl** command line that mimics the original request and reproduces the prob
A clear and concise description of what you expected to happen.
**Server (please complete the following information):**
- ModSecurity version (and connector): [e.g. ModSecurity v3.0.1 with nginx-connector v1.0.0]
- WebServer: [e.g. nginx-1.15.5]
- ModSecurity version (and connector): [e.g. ModSecurity v3.0.8 with nginx-connector v1.0.3]
- WebServer: [e.g. nginx-1.18.0]
- OS (and distro): [e.g. Linux, archlinux]

17
CHANGES
View File

@ -1,6 +1,23 @@
v3.x.y - YYYY-MMM-DD (to be released)
-------------------------------------
- Configure: use AS_ECHO_N instead echo -n
[Issue #2894 - @liudongmiao, @martinhsv]
- Adjust position of memset from 2890
[Issue #2891 - @mirkodziadzka-avi, @martinhsv]
- Add test: empty lines in ipMatchFromFile test
[Issue #2846 - @tomsommer]
v3.0.9 - 2023-Apr-12
--------------------
- Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
[Issue #2877, #2890 - @tomsommer, @martinhsv]
- Add some member variable inits in Transaction class (possible segfault)
[Issue #2886 - @GNU-Plus-Windows-User, @airween, @mdounin, @martinhsv]
- Resolve memory leak on reload (bison-generated variable)
[Issue #2876 - @martinhsv]
- Support equals sign in XPath expressions
[Issue #2328 - @dennus, @martinhsv]
- Encode two special chars in error.log output

20
configure.ac
View File

@ -424,9 +424,9 @@ echo " "
echo "ModSecurity - ${MSC_GIT_VERSION} for $PLATFORM"
echo " "
echo " Mandatory dependencies"
echo -n " + libInjection ...."
AS_ECHO_N(" + libInjection ....")
echo LIBINJECTION_VERSION
echo -n " + SecLang tests ...."
AS_ECHO_N(" + SecLang tests ....")
echo SECLANG_TEST_VERSION
echo " "
@ -439,7 +439,7 @@ if test "x$GEOIP_FOUND" = "x0" && test "x$MAXMIND_FOUND" = "x0"; then
echo " + GeoIP/MaxMind ....not found"
fi
if test "x$GEOIP_FOUND" = "x1" || test "x$MAXMIND_FOUND" = "x1"; then
echo -n " + GeoIP/MaxMind ....found "
AS_ECHO_N(" + GeoIP/MaxMind ....found ")
echo ""
if test "x$MAXMIND_FOUND" = "x1"; then
echo " * (MaxMind) v${MAXMIND_VERSION}"
@ -460,7 +460,7 @@ if test "x$CURL_FOUND" = "x0"; then
echo " + LibCURL ....not found"
fi
if test "x$CURL_FOUND" = "x1"; then
echo -n " + LibCURL ....found "
AS_ECHO_N(" + LibCURL ....found ")
if ! test "x$CURL_VERSION" = "x"; then
echo "v${CURL_VERSION}"
else
@ -478,7 +478,7 @@ if test "x$YAJL_FOUND" = "x0"; then
echo " + YAJL ....not found"
fi
if test "x$YAJL_FOUND" = "x1"; then
echo -n " + YAJL ....found "
AS_ECHO_N(" + YAJL ....found ")
if ! test "x$YAJL_VERSION" = "x"; then
echo "v${YAJL_VERSION}"
else
@ -496,7 +496,7 @@ if test "x$LMDB_FOUND" = "x0"; then
echo " + LMDB ....not found"
fi
if test "x$LMDB_FOUND" = "x1"; then
echo -n " + LMDB ....found "
AS_ECHO_N(" + LMDB ....found ")
if ! test "x$LMDB_VERSION" = "x"; then
echo "v${LMDB_VERSION}"
else
@ -514,7 +514,7 @@ if test "x$LIBXML2_FOUND" = "x0"; then
echo " + LibXML2 ....not found"
fi
if test "x$LIBXML2_FOUND" = "x1"; then
echo -n " + LibXML2 ....found "
AS_ECHO_N(" + LibXML2 ....found ")
if ! test "x$LIBXML2_VERSION" = "x"; then
echo "v${LIBXML2_VERSION}"
else
@ -532,7 +532,7 @@ if test "x$SSDEEP_FOUND" = "x0"; then
echo " + SSDEEP ....not found"
fi
if test "x$SSDEEP_FOUND" = "x1"; then
echo -n " + SSDEEP ....found "
AS_ECHO_N(" + SSDEEP ....found ")
if ! test "x$SSDEEP_VERSION" = "x"; then
echo "v${SSDEEP_VERSION}"
else
@ -549,7 +549,7 @@ if test "x$LUA_FOUND" = "x0"; then
echo " + LUA ....not found"
fi
if test "x$LUA_FOUND" = "x1"; then
echo -n " + LUA ....found "
AS_ECHO_N(" + LUA ....found ")
if ! test "x$LUA_VERSION" = "x"; then
echo "v${LUA_VERSION}"
else
@ -567,7 +567,7 @@ if test "x$PCRE2_FOUND" = "x0"; then
echo " + PCRE2 ....not found"
fi
if test "x$PCRE2_FOUND" = "x1"; then
echo -n " + PCRE2 ....found "
AS_ECHO_N(" + PCRE2 ....found ")
if ! test "x$PCRE2_VERSION" = "x"; then
echo "v${PCRE2_VERSION}"
else

6
headers/modsecurity/modsecurity.h
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -190,7 +190,7 @@ namespace modsecurity {
#define MODSECURITY_MAJOR "3"
#define MODSECURITY_MINOR "0"
#define MODSECURITY_PATCHLEVEL "8"
#define MODSECURITY_PATCHLEVEL "9"
#define MODSECURITY_TAG ""
#define MODSECURITY_TAG_NUM "100"
@ -198,7 +198,7 @@ namespace modsecurity {
MODSECURITY_MINOR "." MODSECURITY_PATCHLEVEL \
MODSECURITY_TAG
#define MODSECURITY_VERSION_NUM 3080100
#define MODSECURITY_VERSION_NUM 3090100
#define MODSECURITY_CHECK_VERSION(a) (MODSECURITY_VERSION_NUM <= a)

11
src/parser/driver.cc
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -34,6 +34,7 @@ Driver::Driver()
Driver::~Driver() {
while (loc.empty() == false) {
yy::location *a = loc.back();
loc.pop_back();
@ -42,7 +43,7 @@ Driver::~Driver() {
}
int Driver::addSecMarker(std::string marker, std::unique_ptr<std::string> fileName, int lineNumber) {
int Driver::addSecMarker(const std::string& marker, std::unique_ptr<std::string> fileName, int lineNumber) {
// FIXME: we might move this to the parser.
for (int i = 0; i < modsecurity::Phases::NUMBER_OF_PHASES; i++) {
RuleMarker *r = new RuleMarker(marker, std::unique_ptr<std::string>(new std::string(*fileName)), lineNumber);
@ -129,9 +130,11 @@ int Driver::parse(const std::string &f, const std::string &ref) {
m_lastRule = nullptr;
loc.push_back(new yy::location());
if (ref.empty()) {
loc.back()->begin.filename = loc.back()->end.filename = new std::string("<<reference missing or not informed>>");
m_filenames.push_back("<<reference missing or not informed>>");
loc.back()->begin.filename = loc.back()->end.filename = &(m_filenames.back());
} else {
loc.back()->begin.filename = loc.back()->end.filename = new std::string(ref);
m_filenames.push_back(ref);
loc.back()->begin.filename = loc.back()->end.filename = &(m_filenames.back());
}
if (f.empty()) {

19
src/parser/driver.h
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -53,14 +53,6 @@ typedef struct Driver_t Driver;
#endif
/**
*
* FIXME: There is a memory leak in the filename at yy::location.
* The filename should be converted into a shared string to
* save memory or be associated with the life cycle of the
* driver class.
*
**/
class Driver : public RulesSetProperties {
public:
Driver();
@ -68,7 +60,7 @@ class Driver : public RulesSetProperties {
int addSecRule(std::unique_ptr<RuleWithActions> rule);
int addSecAction(std::unique_ptr<RuleWithActions> rule);
int addSecMarker(std::string marker, std::unique_ptr<std::string> fileName, int lineNumber);
int addSecMarker(const std::string& marker, std::unique_ptr<std::string> fileName, int lineNumber);
int addSecRuleScript(std::unique_ptr<RuleScript> rule);
bool scan_begin();
@ -92,6 +84,13 @@ class Driver : public RulesSetProperties {
RuleWithActions *m_lastRule;
RulesSetPhases m_rulesSetPhases;
// Retain a list of new'd filenames so that they are available during the lifetime
// of the Driver object, but so that they will get cleaned up by the Driver
// destructor. This is to resolve a memory leak of yy.position.filename in location.hh.
// Ordinarily other solutions would have been preferable, but location.hh is a
// bison-generated file, which makes some alternative solutions impractical.
std::list<std::string> m_filenames;
};

1839
src/parser/seclang-parser.cc
View File

File diff suppressed because it is too large Load Diff

3
src/parser/seclang-parser.yy
View File

@ -319,7 +319,8 @@ using namespace modsecurity::operators;
%initial-action
{
// Initialize the initial location.
@$.begin.filename = @$.end.filename = new std::string(driver.file);
driver.m_filenames.push_back(driver.file);
@$.begin.filename = @$.end.filename = &(driver.m_filenames.back());
};
%define parse.trace
%define parse.error verbose

21
src/parser/seclang-scanner.cc
View File

@ -5106,7 +5106,7 @@ static const flex_int16_t yy_rule_linenum[544] =
1177, 1178, 1179, 1180, 1182, 1183, 1184, 1185, 1187, 1188,
1189, 1190, 1192, 1194, 1195, 1197, 1198, 1199, 1200, 1202,
1207, 1208, 1209, 1213, 1214, 1215, 1220, 1222, 1223, 1224,
1243, 1271, 1301
1243, 1272, 1303
} ;
/* The intent behind this definition is that it'll catch
@ -8546,7 +8546,8 @@ YY_RULE_SETUP
std::string err;
std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err);
driver.loc.push_back(new yy::location());
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(f);
driver.m_filenames.push_back(f);
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
yyin = fopen(f.c_str(), "r" );
if (!yyin) {
BEGIN(INITIAL);
@ -8560,7 +8561,7 @@ YY_RULE_SETUP
YY_BREAK
case 542:
YY_RULE_SETUP
#line 1271 "seclang-scanner.ll"
#line 1272 "seclang-scanner.ll"
{
std::string err;
const char *tmpStr = yytext + strlen("include");
@ -8577,7 +8578,8 @@ YY_RULE_SETUP
for (auto& s: files) {
std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err);
driver.loc.push_back(new yy::location());
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(f);
driver.m_filenames.push_back(f);
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
yyin = fopen(f.c_str(), "r" );
if (!yyin) {
@ -8594,7 +8596,7 @@ YY_RULE_SETUP
case 543:
/* rule 543 can match eol */
YY_RULE_SETUP
#line 1301 "seclang-scanner.ll"
#line 1303 "seclang-scanner.ll"
{
HttpsClient c;
std::string key;
@ -8610,7 +8612,8 @@ YY_RULE_SETUP
c.setKey(key);
driver.loc.push_back(new yy::location());
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(url);
driver.m_filenames.push_back(url);
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
YY_BUFFER_STATE temp = YY_CURRENT_BUFFER;
yypush_buffer_state(temp);
@ -8632,10 +8635,10 @@ YY_RULE_SETUP
YY_BREAK
case 544:
YY_RULE_SETUP
#line 1337 "seclang-scanner.ll"
#line 1340 "seclang-scanner.ll"
ECHO;
YY_BREAK
#line 8639 "seclang-scanner.cc"
#line 8642 "seclang-scanner.cc"
case YY_END_OF_BUFFER:
{
@ -9740,7 +9743,7 @@ void yyfree (void * ptr )
/* %ok-for-header */
#line 1337 "seclang-scanner.ll"
#line 1340 "seclang-scanner.ll"
namespace modsecurity {

9
src/parser/seclang-scanner.ll
View File

@ -1255,7 +1255,8 @@ EQUALS_MINUS (?i:=\-)
std::string err;
std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err);
driver.loc.push_back(new yy::location());
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(f);
driver.m_filenames.push_back(f);
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
yyin = fopen(f.c_str(), "r" );
if (!yyin) {
BEGIN(INITIAL);
@ -1283,7 +1284,8 @@ EQUALS_MINUS (?i:=\-)
for (auto& s: files) {
std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err);
driver.loc.push_back(new yy::location());
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(f);
driver.m_filenames.push_back(f);
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
yyin = fopen(f.c_str(), "r" );
if (!yyin) {
@ -1312,7 +1314,8 @@ EQUALS_MINUS (?i:=\-)
c.setKey(key);
driver.loc.push_back(new yy::location());
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(url);
driver.m_filenames.push_back(url);
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
YY_BUFFER_STATE temp = YY_CURRENT_BUFFER;
yypush_buffer_state(temp);

12
src/request_body_processor/multipart.cc
View File

@ -1199,15 +1199,9 @@ int Multipart::multipart_complete(std::string *error) {
size_t offset = m_transaction->m_variableOffset + 1;
if (m->m_type == MULTIPART_FILE) {
std::string tmp_name;
std::string name;
if (m->m_tmp_file && !m->m_tmp_file->getFilename().empty()) {
tmp_name.assign(m->m_tmp_file->getFilename());
m_transaction->m_variableFilesTmpNames.set(m->m_tmp_file->getFilename(),
m->m_tmp_file->getFilename(), m->m_filenameOffset);
}
if (!m->m_filename.empty()) {
name.assign(m->m_filename);
if (m->m_tmp_file && !m->m_tmp_file->getFilename().empty()) {
m_transaction->m_variableFilesTmpNames.set(m->m_tmp_file->getFilename(),
m->m_tmp_file->getFilename(), m->m_filenameOffset);
}
m_transaction->m_variableFiles.set(m->m_name,

14
src/transaction.cc
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -101,11 +101,11 @@ namespace modsecurity {
*/
Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
: m_creationTimeStamp(utils::cpu_seconds()),
/* m_clientIpAddress(nullptr), */
m_clientIpAddress(std::make_shared<std::string>("")),
m_httpVersion(""),
/* m_serverIpAddress(""), */
m_serverIpAddress(std::make_shared<std::string>("")),
m_uri(""),
/* m_uri_no_query_string_decoded(""), */
m_uri_no_query_string_decoded(std::make_shared<std::string>("")),
m_ARGScombinedSizeDouble(0),
m_clientPort(0),
m_highestSeverityAction(255),
@ -175,11 +175,11 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
Transaction::Transaction(ModSecurity *ms, RulesSet *rules, char *id, void *logCbData)
: m_creationTimeStamp(utils::cpu_seconds()),
/* m_clientIpAddress(""), */
m_clientIpAddress(std::make_shared<std::string>("")),
m_httpVersion(""),
/* m_serverIpAddress(""), */
m_serverIpAddress(std::make_shared<std::string>("")),
m_uri(""),
/* m_uri_no_query_string_decoded(""), */
m_uri_no_query_string_decoded(std::make_shared<std::string>("")),
m_ARGScombinedSizeDouble(0),
m_clientPort(0),
m_highestSeverityAction(255),

2
src/utils/ip_tree.cc
View File

@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at

25
src/utils/msc_tree.cc
View File

@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License.  You may obtain a copy of the License at
@ -258,10 +258,13 @@ int InsertNetmask(TreeNode *node, TreeNode *parent, TreeNode *new_node,
}
node->count++;
node->netmasks = reinterpret_cast<unsigned char *>(malloc(node->count * sizeof(unsigned char)));
if(node->netmasks == NULL)
node->netmasks = reinterpret_cast<unsigned char *>(malloc(node->count * sizeof(unsigned char)));
if(node->netmasks == NULL) {
return 0;
}
memset(node->netmasks, 0, (node->count * sizeof(unsigned char)));
if ((node->count-1) == 0) {
node->netmasks[0] = netmask;
return 1;
@ -410,6 +413,7 @@ TreeNode *CPTAddElement(unsigned char *ipdata, unsigned int ip_bitmask, CPTTree
node->count++;
new_node = node;
node->netmasks = reinterpret_cast<unsigned char *>(malloc(node->count * sizeof(unsigned char)));
memset(node->netmasks, 0, (node->count * sizeof(unsigned char)));
if ((node->count -1) == 0) {
node->netmasks[0] = netmask;
@ -418,16 +422,16 @@ TreeNode *CPTAddElement(unsigned char *ipdata, unsigned int ip_bitmask, CPTTree
node->netmasks[node->count - 1] = netmask;
i = node->count - 2;
while (i >= 0) {
if (netmask < node->netmasks[i]) {
node->netmasks[i + 1] = netmask;
int index = node->count - 2;
while (index >= 0) {
if (netmask < node->netmasks[index]) {
node->netmasks[index + 1] = netmask;
break;
}
node->netmasks[i + 1] = node->netmasks[i];
node->netmasks[i] = netmask;
i--;
node->netmasks[index + 1] = node->netmasks[index];
node->netmasks[index] = netmask;
index--;
}
}
} else {
@ -481,6 +485,7 @@ TreeNode *CPTAddElement(unsigned char *ipdata, unsigned int ip_bitmask, CPTTree
}
i_node->netmasks = reinterpret_cast<unsigned char *>(malloc((node->count - i) * sizeof(unsigned char)));
memset(i_node->netmasks, 0, ((node->count - i) * sizeof(unsigned char)));
if(i_node->netmasks == NULL) {
free(new_node->prefix);

4
test/cppcheck_suppressions.txt
View File

@ -60,7 +60,6 @@ ctunullpointer:src/rule_with_operator.cc:135
ctunullpointer:src/rule_with_operator.cc:95
passedByValue:src/variables/global.h:109
passedByValue:src/variables/global.h:110
passedByValue:src/parser/driver.cc:45
passedByValue:test/common/modsecurity_test.cc:49
passedByValue:test/common/modsecurity_test.cc:98
unreadVariable:src/rule_with_operator.cc:219
@ -71,14 +70,12 @@ uninitvar:src/operators/verify_svnr.cc:67
noExplicitConstructor:seclang-parser.hh
constParameter:seclang-parser.hh
accessMoved:seclang-parser.hh
returnTempReference:seclang-parser.hh
unusedFunction
missingIncludeSystem
useStlAlgorithm
preprocessorErrorDirective
funcArgNamesDifferent
unmatchedSuppression
missingInclude
purgedConfiguration
@ -89,7 +86,6 @@ nullPointerRedundantCheck
knownConditionTrueFalse
cstyleCast
functionStatic
variableScope
shadowFunction
constVariable

1
test/test-cases/data/ipMatchFromFile.txt
View File

@ -1,4 +1,5 @@
127.0.0.1
# Comment line
10.10.10.1
::1