github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-15 23:55:03 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'v3/master' of https://github.com/SpiderLabs/ModSecurity into v3/multipartpartheaderfix

Browse Source
This commit is contained in:
Ervin Hegedüs 2023-04-23 17:17:29 +02:00
commit 6fbdee9ff0
17 changed files with 1022 additions and 993 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/ISSUE_TEMPLATE/bug-report-for-version-2-x.md vendored
View File

@ -1,6 +1,9 @@
--- ---
name: Bug report for version 2.x name: Bug report for version 2.x
about: Create a report to help us improve about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
--- ---

9
.github/ISSUE_TEMPLATE/bug-report-for-version-3-x.md vendored
View File

@ -2,6 +2,9 @@
name: Bug report for version 3.x name: Bug report for version 3.x
about: Create a report to help us improve. If you don't know a specific detail or about: Create a report to help us improve. If you don't know a specific detail or
piece of information leave it blank, if necessary we will help you to figure out. piece of information leave it blank, if necessary we will help you to figure out.
title: ''
labels: ''
assignees: ''
--- ---
@ -17,7 +20,7 @@ Output of:
3. Error logs 3. Error logs
4. If there is a crash, the core dump file. 4. If there is a crash, the core dump file.
_Notice:_ Be carefully to not leak any confidential information. _Notice:_ Be careful to not leak any confidential information.
**To Reproduce** **To Reproduce**
@ -33,8 +36,8 @@ A **curl** command line that mimics the original request and reproduces the prob
A clear and concise description of what you expected to happen. A clear and concise description of what you expected to happen.
**Server (please complete the following information):** **Server (please complete the following information):**
- ModSecurity version (and connector): [e.g. ModSecurity v3.0.1 with nginx-connector v1.0.0] - ModSecurity version (and connector): [e.g. ModSecurity v3.0.8 with nginx-connector v1.0.3]
- WebServer: [e.g. nginx-1.15.5] - WebServer: [e.g. nginx-1.18.0]
- OS (and distro): [e.g. Linux, archlinux] - OS (and distro): [e.g. Linux, archlinux]

17
CHANGES
View File

@ -1,6 +1,23 @@
v3.x.y - YYYY-MMM-DD (to be released) v3.x.y - YYYY-MMM-DD (to be released)
------------------------------------- -------------------------------------
- Configure: use AS_ECHO_N instead echo -n
[Issue #2894 - @liudongmiao, @martinhsv]
- Adjust position of memset from 2890
[Issue #2891 - @mirkodziadzka-avi, @martinhsv]
- Add test: empty lines in ipMatchFromFile test
[Issue #2846 - @tomsommer]
v3.0.9 - 2023-Apr-12
--------------------
- Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
[Issue #2877, #2890 - @tomsommer, @martinhsv]
- Add some member variable inits in Transaction class (possible segfault)
[Issue #2886 - @GNU-Plus-Windows-User, @airween, @mdounin, @martinhsv]
- Resolve memory leak on reload (bison-generated variable)
[Issue #2876 - @martinhsv]
- Support equals sign in XPath expressions - Support equals sign in XPath expressions
[Issue #2328 - @dennus, @martinhsv] [Issue #2328 - @dennus, @martinhsv]
- Encode two special chars in error.log output - Encode two special chars in error.log output

20
configure.ac
View File

@ -424,9 +424,9 @@ echo " "
echo "ModSecurity - ${MSC_GIT_VERSION} for $PLATFORM" echo "ModSecurity - ${MSC_GIT_VERSION} for $PLATFORM"
echo " " echo " "
echo " Mandatory dependencies" echo " Mandatory dependencies"
echo -n " + libInjection ...." AS_ECHO_N(" + libInjection ....")
echo LIBINJECTION_VERSION echo LIBINJECTION_VERSION
echo -n " + SecLang tests ...." AS_ECHO_N(" + SecLang tests ....")
echo SECLANG_TEST_VERSION echo SECLANG_TEST_VERSION
echo " " echo " "
@ -439,7 +439,7 @@ if test "x$GEOIP_FOUND" = "x0" && test "x$MAXMIND_FOUND" = "x0"; then
echo " + GeoIP/MaxMind ....not found" echo " + GeoIP/MaxMind ....not found"
fi fi
if test "x$GEOIP_FOUND" = "x1" || test "x$MAXMIND_FOUND" = "x1"; then if test "x$GEOIP_FOUND" = "x1" || test "x$MAXMIND_FOUND" = "x1"; then
echo -n " + GeoIP/MaxMind ....found " AS_ECHO_N(" + GeoIP/MaxMind ....found ")
echo "" echo ""
if test "x$MAXMIND_FOUND" = "x1"; then if test "x$MAXMIND_FOUND" = "x1"; then
echo " * (MaxMind) v${MAXMIND_VERSION}" echo " * (MaxMind) v${MAXMIND_VERSION}"
@ -460,7 +460,7 @@ if test "x$CURL_FOUND" = "x0"; then
echo " + LibCURL ....not found" echo " + LibCURL ....not found"
fi fi
if test "x$CURL_FOUND" = "x1"; then if test "x$CURL_FOUND" = "x1"; then
echo -n " + LibCURL ....found " AS_ECHO_N(" + LibCURL ....found ")
if ! test "x$CURL_VERSION" = "x"; then if ! test "x$CURL_VERSION" = "x"; then
echo "v${CURL_VERSION}" echo "v${CURL_VERSION}"
else else
@ -478,7 +478,7 @@ if test "x$YAJL_FOUND" = "x0"; then
echo " + YAJL ....not found" echo " + YAJL ....not found"
fi fi
if test "x$YAJL_FOUND" = "x1"; then if test "x$YAJL_FOUND" = "x1"; then
echo -n " + YAJL ....found " AS_ECHO_N(" + YAJL ....found ")
if ! test "x$YAJL_VERSION" = "x"; then if ! test "x$YAJL_VERSION" = "x"; then
echo "v${YAJL_VERSION}" echo "v${YAJL_VERSION}"
else else
@ -496,7 +496,7 @@ if test "x$LMDB_FOUND" = "x0"; then
echo " + LMDB ....not found" echo " + LMDB ....not found"
fi fi
if test "x$LMDB_FOUND" = "x1"; then if test "x$LMDB_FOUND" = "x1"; then
echo -n " + LMDB ....found " AS_ECHO_N(" + LMDB ....found ")
if ! test "x$LMDB_VERSION" = "x"; then if ! test "x$LMDB_VERSION" = "x"; then
echo "v${LMDB_VERSION}" echo "v${LMDB_VERSION}"
else else
@ -514,7 +514,7 @@ if test "x$LIBXML2_FOUND" = "x0"; then
echo " + LibXML2 ....not found" echo " + LibXML2 ....not found"
fi fi
if test "x$LIBXML2_FOUND" = "x1"; then if test "x$LIBXML2_FOUND" = "x1"; then
echo -n " + LibXML2 ....found " AS_ECHO_N(" + LibXML2 ....found ")
if ! test "x$LIBXML2_VERSION" = "x"; then if ! test "x$LIBXML2_VERSION" = "x"; then
echo "v${LIBXML2_VERSION}" echo "v${LIBXML2_VERSION}"
else else
@ -532,7 +532,7 @@ if test "x$SSDEEP_FOUND" = "x0"; then
echo " + SSDEEP ....not found" echo " + SSDEEP ....not found"
fi fi
if test "x$SSDEEP_FOUND" = "x1"; then if test "x$SSDEEP_FOUND" = "x1"; then
echo -n " + SSDEEP ....found " AS_ECHO_N(" + SSDEEP ....found ")
if ! test "x$SSDEEP_VERSION" = "x"; then if ! test "x$SSDEEP_VERSION" = "x"; then
echo "v${SSDEEP_VERSION}" echo "v${SSDEEP_VERSION}"
else else
@ -549,7 +549,7 @@ if test "x$LUA_FOUND" = "x0"; then
echo " + LUA ....not found" echo " + LUA ....not found"
fi fi
if test "x$LUA_FOUND" = "x1"; then if test "x$LUA_FOUND" = "x1"; then
echo -n " + LUA ....found " AS_ECHO_N(" + LUA ....found ")
if ! test "x$LUA_VERSION" = "x"; then if ! test "x$LUA_VERSION" = "x"; then
echo "v${LUA_VERSION}" echo "v${LUA_VERSION}"
else else
@ -567,7 +567,7 @@ if test "x$PCRE2_FOUND" = "x0"; then
echo " + PCRE2 ....not found" echo " + PCRE2 ....not found"
fi fi
if test "x$PCRE2_FOUND" = "x1"; then if test "x$PCRE2_FOUND" = "x1"; then
echo -n " + PCRE2 ....found " AS_ECHO_N(" + PCRE2 ....found ")
if ! test "x$PCRE2_VERSION" = "x"; then if ! test "x$PCRE2_VERSION" = "x"; then
echo "v${PCRE2_VERSION}" echo "v${PCRE2_VERSION}"
else else

6
headers/modsecurity/modsecurity.h
View File

@ -1,6 +1,6 @@
/* /*
* ModSecurity, http://www.modsecurity.org/ * ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* *
* You may not use this file except in compliance with * You may not use this file except in compliance with
* the License. You may obtain a copy of the License at * the License. You may obtain a copy of the License at
@ -190,7 +190,7 @@ namespace modsecurity {
#define MODSECURITY_MAJOR "3" #define MODSECURITY_MAJOR "3"
#define MODSECURITY_MINOR "0" #define MODSECURITY_MINOR "0"
#define MODSECURITY_PATCHLEVEL "8" #define MODSECURITY_PATCHLEVEL "9"
#define MODSECURITY_TAG "" #define MODSECURITY_TAG ""
#define MODSECURITY_TAG_NUM "100" #define MODSECURITY_TAG_NUM "100"
@ -198,7 +198,7 @@ namespace modsecurity {
MODSECURITY_MINOR "." MODSECURITY_PATCHLEVEL \ MODSECURITY_MINOR "." MODSECURITY_PATCHLEVEL \
MODSECURITY_TAG MODSECURITY_TAG
#define MODSECURITY_VERSION_NUM 3080100 #define MODSECURITY_VERSION_NUM 3090100
#define MODSECURITY_CHECK_VERSION(a) (MODSECURITY_VERSION_NUM <= a) #define MODSECURITY_CHECK_VERSION(a) (MODSECURITY_VERSION_NUM <= a)

11
src/parser/driver.cc
View File

@ -1,6 +1,6 @@
/* /*
* ModSecurity, http://www.modsecurity.org/ * ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* *
* You may not use this file except in compliance with * You may not use this file except in compliance with
* the License. You may obtain a copy of the License at * the License. You may obtain a copy of the License at
@ -34,6 +34,7 @@ Driver::Driver()
Driver::~Driver() { Driver::~Driver() {
while (loc.empty() == false) { while (loc.empty() == false) {
yy::location *a = loc.back(); yy::location *a = loc.back();
loc.pop_back(); loc.pop_back();
@ -42,7 +43,7 @@ Driver::~Driver() {
} }
int Driver::addSecMarker(std::string marker, std::unique_ptr<std::string> fileName, int lineNumber) { int Driver::addSecMarker(const std::string& marker, std::unique_ptr<std::string> fileName, int lineNumber) {
// FIXME: we might move this to the parser. // FIXME: we might move this to the parser.
for (int i = 0; i < modsecurity::Phases::NUMBER_OF_PHASES; i++) { for (int i = 0; i < modsecurity::Phases::NUMBER_OF_PHASES; i++) {
RuleMarker *r = new RuleMarker(marker, std::unique_ptr<std::string>(new std::string(*fileName)), lineNumber); RuleMarker *r = new RuleMarker(marker, std::unique_ptr<std::string>(new std::string(*fileName)), lineNumber);
@ -129,9 +130,11 @@ int Driver::parse(const std::string &f, const std::string &ref) {
m_lastRule = nullptr; m_lastRule = nullptr;
loc.push_back(new yy::location()); loc.push_back(new yy::location());
if (ref.empty()) { if (ref.empty()) {
loc.back()->begin.filename = loc.back()->end.filename = new std::string("<<reference missing or not informed>>"); m_filenames.push_back("<<reference missing or not informed>>");
loc.back()->begin.filename = loc.back()->end.filename = &(m_filenames.back());
} else { } else {
loc.back()->begin.filename = loc.back()->end.filename = new std::string(ref); m_filenames.push_back(ref);
loc.back()->begin.filename = loc.back()->end.filename = &(m_filenames.back());
} }
if (f.empty()) { if (f.empty()) {

19
src/parser/driver.h
View File

@ -1,6 +1,6 @@
/* /*
* ModSecurity, http://www.modsecurity.org/ * ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* *
* You may not use this file except in compliance with * You may not use this file except in compliance with
* the License. You may obtain a copy of the License at * the License. You may obtain a copy of the License at
@ -53,14 +53,6 @@ typedef struct Driver_t Driver;
#endif #endif
/**
*
* FIXME: There is a memory leak in the filename at yy::location.
* The filename should be converted into a shared string to
* save memory or be associated with the life cycle of the
* driver class.
*
**/
class Driver : public RulesSetProperties { class Driver : public RulesSetProperties {
public: public:
Driver(); Driver();
@ -68,7 +60,7 @@ class Driver : public RulesSetProperties {
int addSecRule(std::unique_ptr<RuleWithActions> rule); int addSecRule(std::unique_ptr<RuleWithActions> rule);
int addSecAction(std::unique_ptr<RuleWithActions> rule); int addSecAction(std::unique_ptr<RuleWithActions> rule);
int addSecMarker(std::string marker, std::unique_ptr<std::string> fileName, int lineNumber); int addSecMarker(const std::string& marker, std::unique_ptr<std::string> fileName, int lineNumber);
int addSecRuleScript(std::unique_ptr<RuleScript> rule); int addSecRuleScript(std::unique_ptr<RuleScript> rule);
bool scan_begin(); bool scan_begin();
@ -92,6 +84,13 @@ class Driver : public RulesSetProperties {
RuleWithActions *m_lastRule; RuleWithActions *m_lastRule;
RulesSetPhases m_rulesSetPhases; RulesSetPhases m_rulesSetPhases;
// Retain a list of new'd filenames so that they are available during the lifetime
// of the Driver object, but so that they will get cleaned up by the Driver
// destructor. This is to resolve a memory leak of yy.position.filename in location.hh.
// Ordinarily other solutions would have been preferable, but location.hh is a
// bison-generated file, which makes some alternative solutions impractical.
std::list<std::string> m_filenames;
}; };

1839
src/parser/seclang-parser.cc
View File

File diff suppressed because it is too large Load Diff

3
src/parser/seclang-parser.yy
View File

@ -319,7 +319,8 @@ using namespace modsecurity::operators;
%initial-action %initial-action
{ {
// Initialize the initial location. // Initialize the initial location.
@$.begin.filename = @$.end.filename = new std::string(driver.file); driver.m_filenames.push_back(driver.file);
@$.begin.filename = @$.end.filename = &(driver.m_filenames.back());
}; };
%define parse.trace %define parse.trace
%define parse.error verbose %define parse.error verbose

21
src/parser/seclang-scanner.cc
View File

@ -5106,7 +5106,7 @@ static const flex_int16_t yy_rule_linenum[544] =
1177, 1178, 1179, 1180, 1182, 1183, 1184, 1185, 1187, 1188, 1177, 1178, 1179, 1180, 1182, 1183, 1184, 1185, 1187, 1188,
1189, 1190, 1192, 1194, 1195, 1197, 1198, 1199, 1200, 1202, 1189, 1190, 1192, 1194, 1195, 1197, 1198, 1199, 1200, 1202,
1207, 1208, 1209, 1213, 1214, 1215, 1220, 1222, 1223, 1224, 1207, 1208, 1209, 1213, 1214, 1215, 1220, 1222, 1223, 1224,
1243, 1271, 1301 1243, 1272, 1303
} ; } ;
/* The intent behind this definition is that it'll catch /* The intent behind this definition is that it'll catch
@ -8546,7 +8546,8 @@ YY_RULE_SETUP
std::string err; std::string err;
std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err); std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err);
driver.loc.push_back(new yy::location()); driver.loc.push_back(new yy::location());
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(f); driver.m_filenames.push_back(f);
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
yyin = fopen(f.c_str(), "r" ); yyin = fopen(f.c_str(), "r" );
if (!yyin) { if (!yyin) {
BEGIN(INITIAL); BEGIN(INITIAL);
@ -8560,7 +8561,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 542: case 542:
YY_RULE_SETUP YY_RULE_SETUP
#line 1271 "seclang-scanner.ll" #line 1272 "seclang-scanner.ll"
{ {
std::string err; std::string err;
const char *tmpStr = yytext + strlen("include"); const char *tmpStr = yytext + strlen("include");
@ -8577,7 +8578,8 @@ YY_RULE_SETUP
for (auto& s: files) { for (auto& s: files) {
std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err); std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err);
driver.loc.push_back(new yy::location()); driver.loc.push_back(new yy::location());
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(f); driver.m_filenames.push_back(f);
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
yyin = fopen(f.c_str(), "r" ); yyin = fopen(f.c_str(), "r" );
if (!yyin) { if (!yyin) {
@ -8594,7 +8596,7 @@ YY_RULE_SETUP
case 543: case 543:
/* rule 543 can match eol */ /* rule 543 can match eol */
YY_RULE_SETUP YY_RULE_SETUP
#line 1301 "seclang-scanner.ll" #line 1303 "seclang-scanner.ll"
{ {
HttpsClient c; HttpsClient c;
std::string key; std::string key;
@ -8610,7 +8612,8 @@ YY_RULE_SETUP
c.setKey(key); c.setKey(key);
driver.loc.push_back(new yy::location()); driver.loc.push_back(new yy::location());
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(url); driver.m_filenames.push_back(url);
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
YY_BUFFER_STATE temp = YY_CURRENT_BUFFER; YY_BUFFER_STATE temp = YY_CURRENT_BUFFER;
yypush_buffer_state(temp); yypush_buffer_state(temp);
@ -8632,10 +8635,10 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 544: case 544:
YY_RULE_SETUP YY_RULE_SETUP
#line 1337 "seclang-scanner.ll" #line 1340 "seclang-scanner.ll"
ECHO; ECHO;
YY_BREAK YY_BREAK
#line 8639 "seclang-scanner.cc" #line 8642 "seclang-scanner.cc"
case YY_END_OF_BUFFER: case YY_END_OF_BUFFER:
{ {
@ -9740,7 +9743,7 @@ void yyfree (void * ptr )
/* %ok-for-header */ /* %ok-for-header */
#line 1337 "seclang-scanner.ll" #line 1340 "seclang-scanner.ll"
namespace modsecurity { namespace modsecurity {

9
src/parser/seclang-scanner.ll
View File

@ -1255,7 +1255,8 @@ EQUALS_MINUS (?i:=\-)
std::string err; std::string err;
std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err); std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err);
driver.loc.push_back(new yy::location()); driver.loc.push_back(new yy::location());
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(f); driver.m_filenames.push_back(f);
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
yyin = fopen(f.c_str(), "r" ); yyin = fopen(f.c_str(), "r" );
if (!yyin) { if (!yyin) {
BEGIN(INITIAL); BEGIN(INITIAL);
@ -1283,7 +1284,8 @@ EQUALS_MINUS (?i:=\-)
for (auto& s: files) { for (auto& s: files) {
std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err); std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err);
driver.loc.push_back(new yy::location()); driver.loc.push_back(new yy::location());
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(f); driver.m_filenames.push_back(f);
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
yyin = fopen(f.c_str(), "r" ); yyin = fopen(f.c_str(), "r" );
if (!yyin) { if (!yyin) {
@ -1312,7 +1314,8 @@ EQUALS_MINUS (?i:=\-)
c.setKey(key); c.setKey(key);
driver.loc.push_back(new yy::location()); driver.loc.push_back(new yy::location());
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(url); driver.m_filenames.push_back(url);
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
YY_BUFFER_STATE temp = YY_CURRENT_BUFFER; YY_BUFFER_STATE temp = YY_CURRENT_BUFFER;
yypush_buffer_state(temp); yypush_buffer_state(temp);

12
src/request_body_processor/multipart.cc
View File

@ -1199,15 +1199,9 @@ int Multipart::multipart_complete(std::string *error) {
size_t offset = m_transaction->m_variableOffset + 1; size_t offset = m_transaction->m_variableOffset + 1;
if (m->m_type == MULTIPART_FILE) { if (m->m_type == MULTIPART_FILE) {
std::string tmp_name; if (m->m_tmp_file && !m->m_tmp_file->getFilename().empty()) {
std::string name; m_transaction->m_variableFilesTmpNames.set(m->m_tmp_file->getFilename(),
if (m->m_tmp_file && !m->m_tmp_file->getFilename().empty()) { m->m_tmp_file->getFilename(), m->m_filenameOffset);
tmp_name.assign(m->m_tmp_file->getFilename());
m_transaction->m_variableFilesTmpNames.set(m->m_tmp_file->getFilename(),
m->m_tmp_file->getFilename(), m->m_filenameOffset);
}
if (!m->m_filename.empty()) {
name.assign(m->m_filename);
} }
m_transaction->m_variableFiles.set(m->m_name, m_transaction->m_variableFiles.set(m->m_name,

14
src/transaction.cc
View File

@ -1,6 +1,6 @@
/* /*
* ModSecurity, http://www.modsecurity.org/ * ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* *
* You may not use this file except in compliance with * You may not use this file except in compliance with
* the License. You may obtain a copy of the License at * the License. You may obtain a copy of the License at
@ -101,11 +101,11 @@ namespace modsecurity {
*/ */
Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData) Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
: m_creationTimeStamp(utils::cpu_seconds()), : m_creationTimeStamp(utils::cpu_seconds()),
/* m_clientIpAddress(nullptr), */ m_clientIpAddress(std::make_shared<std::string>("")),
m_httpVersion(""), m_httpVersion(""),
/* m_serverIpAddress(""), */ m_serverIpAddress(std::make_shared<std::string>("")),
m_uri(""), m_uri(""),
/* m_uri_no_query_string_decoded(""), */ m_uri_no_query_string_decoded(std::make_shared<std::string>("")),
m_ARGScombinedSizeDouble(0), m_ARGScombinedSizeDouble(0),
m_clientPort(0), m_clientPort(0),
m_highestSeverityAction(255), m_highestSeverityAction(255),
@ -175,11 +175,11 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
Transaction::Transaction(ModSecurity *ms, RulesSet *rules, char *id, void *logCbData) Transaction::Transaction(ModSecurity *ms, RulesSet *rules, char *id, void *logCbData)
: m_creationTimeStamp(utils::cpu_seconds()), : m_creationTimeStamp(utils::cpu_seconds()),
/* m_clientIpAddress(""), */ m_clientIpAddress(std::make_shared<std::string>("")),
m_httpVersion(""), m_httpVersion(""),
/* m_serverIpAddress(""), */ m_serverIpAddress(std::make_shared<std::string>("")),
m_uri(""), m_uri(""),
/* m_uri_no_query_string_decoded(""), */ m_uri_no_query_string_decoded(std::make_shared<std::string>("")),
m_ARGScombinedSizeDouble(0), m_ARGScombinedSizeDouble(0),
m_clientPort(0), m_clientPort(0),
m_highestSeverityAction(255), m_highestSeverityAction(255),

2
src/utils/ip_tree.cc
View File

@ -1,6 +1,6 @@
/* /*
* ModSecurity, http://www.modsecurity.org/ * ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) * Copyright (c) 2015 - 2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* *
* You may not use this file except in compliance with * You may not use this file except in compliance with
* the License. You may obtain a copy of the License at * the License. You may obtain a copy of the License at

25
src/utils/msc_tree.cc
View File

@ -1,6 +1,6 @@
/* /*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/ * ModSecurity for Apache 2.x, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
* *
* You may not use this file except in compliance with * You may not use this file except in compliance with
* the License.  You may obtain a copy of the License at * the License.  You may obtain a copy of the License at
@ -258,10 +258,13 @@ int InsertNetmask(TreeNode *node, TreeNode *parent, TreeNode *new_node,
} }
node->count++; node->count++;
node->netmasks = reinterpret_cast<unsigned char *>(malloc(node->count * sizeof(unsigned char)));
if(node->netmasks == NULL) node->netmasks = reinterpret_cast<unsigned char *>(malloc(node->count * sizeof(unsigned char)));
if(node->netmasks == NULL) {
return 0; return 0;
}
memset(node->netmasks, 0, (node->count * sizeof(unsigned char)));
if ((node->count-1) == 0) { if ((node->count-1) == 0) {
node->netmasks[0] = netmask; node->netmasks[0] = netmask;
return 1; return 1;
@ -410,6 +413,7 @@ TreeNode *CPTAddElement(unsigned char *ipdata, unsigned int ip_bitmask, CPTTree
node->count++; node->count++;
new_node = node; new_node = node;
node->netmasks = reinterpret_cast<unsigned char *>(malloc(node->count * sizeof(unsigned char))); node->netmasks = reinterpret_cast<unsigned char *>(malloc(node->count * sizeof(unsigned char)));
memset(node->netmasks, 0, (node->count * sizeof(unsigned char)));
if ((node->count -1) == 0) { if ((node->count -1) == 0) {
node->netmasks[0] = netmask; node->netmasks[0] = netmask;
@ -418,16 +422,16 @@ TreeNode *CPTAddElement(unsigned char *ipdata, unsigned int ip_bitmask, CPTTree
node->netmasks[node->count - 1] = netmask; node->netmasks[node->count - 1] = netmask;
i = node->count - 2; int index = node->count - 2;
while (i >= 0) { while (index >= 0) {
if (netmask < node->netmasks[i]) { if (netmask < node->netmasks[index]) {
node->netmasks[i + 1] = netmask; node->netmasks[index + 1] = netmask;
break; break;
} }
node->netmasks[i + 1] = node->netmasks[i]; node->netmasks[index + 1] = node->netmasks[index];
node->netmasks[i] = netmask; node->netmasks[index] = netmask;
i--; index--;
} }
} }
} else { } else {
@ -481,6 +485,7 @@ TreeNode *CPTAddElement(unsigned char *ipdata, unsigned int ip_bitmask, CPTTree
} }
i_node->netmasks = reinterpret_cast<unsigned char *>(malloc((node->count - i) * sizeof(unsigned char))); i_node->netmasks = reinterpret_cast<unsigned char *>(malloc((node->count - i) * sizeof(unsigned char)));
memset(i_node->netmasks, 0, ((node->count - i) * sizeof(unsigned char)));
if(i_node->netmasks == NULL) { if(i_node->netmasks == NULL) {
free(new_node->prefix); free(new_node->prefix);

4
test/cppcheck_suppressions.txt
View File

@ -60,7 +60,6 @@ ctunullpointer:src/rule_with_operator.cc:135
ctunullpointer:src/rule_with_operator.cc:95 ctunullpointer:src/rule_with_operator.cc:95
passedByValue:src/variables/global.h:109 passedByValue:src/variables/global.h:109
passedByValue:src/variables/global.h:110 passedByValue:src/variables/global.h:110
passedByValue:src/parser/driver.cc:45
passedByValue:test/common/modsecurity_test.cc:49 passedByValue:test/common/modsecurity_test.cc:49
passedByValue:test/common/modsecurity_test.cc:98 passedByValue:test/common/modsecurity_test.cc:98
unreadVariable:src/rule_with_operator.cc:219 unreadVariable:src/rule_with_operator.cc:219
@ -71,14 +70,12 @@ uninitvar:src/operators/verify_svnr.cc:67
noExplicitConstructor:seclang-parser.hh noExplicitConstructor:seclang-parser.hh
constParameter:seclang-parser.hh constParameter:seclang-parser.hh
accessMoved:seclang-parser.hh accessMoved:seclang-parser.hh
returnTempReference:seclang-parser.hh
unusedFunction unusedFunction
missingIncludeSystem missingIncludeSystem
useStlAlgorithm useStlAlgorithm
preprocessorErrorDirective preprocessorErrorDirective
funcArgNamesDifferent funcArgNamesDifferent
unmatchedSuppression
missingInclude missingInclude
purgedConfiguration purgedConfiguration
@ -89,7 +86,6 @@ nullPointerRedundantCheck
knownConditionTrueFalse knownConditionTrueFalse
cstyleCast cstyleCast
functionStatic functionStatic
variableScope
shadowFunction shadowFunction
constVariable constVariable

1
test/test-cases/data/ipMatchFromFile.txt
View File

@ -1,4 +1,5 @@
127.0.0.1 127.0.0.1
# Comment line # Comment line
10.10.10.1 10.10.10.1
::1 ::1