github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-30 11:44:32 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3216 from eduar-hte/inmemory-collection-shared-mutex

Browse Source 
Prevent concurrent access to data in InMemoryPerProcess' resolveXXX methods
This commit is contained in:
Ervin Hegedus
2024-08-13 19:30:14 +02:00
committed by GitHub
parent 32f6f78e78 4bf9616f9e
commit 718d121ee3
21 changed files with 328 additions and 213 deletions
Download Patch File Download Diff File Expand all files Collapse all files

248
src/collection/backend/in_memory-per_process.cc
View File

@@ -25,8 +25,6 @@
#include <memory>
#endif
#include <pthread.h>
#include "modsecurity/variable_value.h"
#include "src/utils/regex.h"
#include "src/utils/string.h"
@@ -39,26 +37,48 @@ namespace backend {
InMemoryPerProcess::InMemoryPerProcess(const std::string &name) :
Collection(name) {
this->reserve(1000);
pthread_mutex_init(&m_lock, NULL);
m_map.reserve(1000);
}
InMemoryPerProcess::~InMemoryPerProcess() {
this->clear();
pthread_mutex_destroy(&m_lock);
m_map.clear();
}
void InMemoryPerProcess::store(std::string key, std::string value) {
pthread_mutex_lock(&m_lock);
this->emplace(key, value);
pthread_mutex_unlock(&m_lock);
template<typename Map>
inline void __store(Map &map, std::string key, std::string value) {
// NOTE: should be called with write-lock previously acquired
map.emplace(key, value);
}
template<typename Map>
inline bool __updateFirst(Map &map,
const std::string &key,
const std::string &value) {
// NOTE: should be called with write-lock previously acquired
if (auto search = map.find(key); search != map.end()) {
search->second.setValue(value);
return true;
}
return false;
}
void InMemoryPerProcess::store(const std::string &key, const std::string &value) {
const std::lock_guard lock(m_mutex); // write lock (exclusive access)
__store(m_map, key, value);
}
bool InMemoryPerProcess::storeOrUpdateFirst(const std::string &key,
const std::string &value) {
if (updateFirst(key, value) == false) {
store(key, value);
const std::lock_guard lock(m_mutex); // write lock (exclusive access)
if (__updateFirst(m_map, key, value) == false) {
__store(m_map, key, value);
}
return true;
}
@@ -66,66 +86,59 @@ bool InMemoryPerProcess::storeOrUpdateFirst(const std::string &key,
bool InMemoryPerProcess::updateFirst(const std::string &key,
const std::string &value) {
pthread_mutex_lock(&m_lock);
if (auto search = this->find(key); search != this->end()) {
search->second.setValue(value);
pthread_mutex_unlock(&m_lock);
return true;
}
pthread_mutex_unlock(&m_lock);
return false;
const std::lock_guard lock(m_mutex); // write lock (exclusive access)
return __updateFirst(m_map, key, value);
}
void InMemoryPerProcess::del(const std::string& key) {
pthread_mutex_lock(&m_lock);
this->erase(key);
pthread_mutex_unlock(&m_lock);
const std::lock_guard lock(m_mutex); // write lock (exclusive access)
m_map.erase(key);
}
void InMemoryPerProcess::delIfExpired(const std::string& key) {
pthread_mutex_lock(&m_lock);
const std::lock_guard lock(m_mutex); // write lock (exclusive access)
// Double check the status while within the mutex
auto iter = this->find(key);
if ((iter != this->end()) && (iter->second.isExpired())) {
this->erase(key);
const auto iter = std::find_if(m_map.begin(), m_map.end(),
[&key](const auto &x) { return x.first == key && x.second.isExpired(); });
if (iter != m_map.end()) {
m_map.erase(key);
}
pthread_mutex_unlock(&m_lock);
}
void InMemoryPerProcess::setExpiry(const std::string& key, int32_t expiry_seconds) {
pthread_mutex_lock(&m_lock);
const std::lock_guard lock(m_mutex); // write lock (exclusive access)
if (auto search = this->find(key); search != this->end()) {
if (const auto search = m_map.find(key); search != m_map.end()) {
search->second.setExpiry(expiry_seconds);
pthread_mutex_unlock(&m_lock);
return;
}
// We allow an expiry value to be set for a key that has not (yet) had a value set.
auto iter = this->emplace(key, CollectionData());
const auto iter = m_map.emplace(key, CollectionData());
iter->second.setExpiry(expiry_seconds);
pthread_mutex_unlock(&m_lock);
}
void InMemoryPerProcess::resolveSingleMatch(const std::string& var,
std::vector<const VariableValue *> *l) {
std::list<std::string> expiredVars;
auto range = this->equal_range(var);
for (auto it = range.first; it != range.second; ++it) {
if (it->second.isExpired()) {
expiredVars.push_back(it->first);
} else if (it->second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
l->push_back(new VariableValue(&m_name, &it->first, &it->second.getValue()));
}
{
const std::shared_lock lock(m_mutex); // read lock (shared access)
const auto range = m_map.equal_range(var);
for (auto it = range.first; it != range.second; ++it) {
if (it->second.isExpired()) {
expiredVars.push_back(it->first);
} else if (it->second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
l->push_back(new VariableValue(&m_name, &it->first, &it->second.getValue()));
}
}
}
for (const auto& expiredVar : expiredVars) {
delIfExpired(expiredVar);
}
@@ -134,40 +147,45 @@ void InMemoryPerProcess::resolveSingleMatch(const std::string& var,
void InMemoryPerProcess::resolveMultiMatches(const std::string& var,
std::vector<const VariableValue *> *l, variables::KeyExclusions &ke) {
size_t keySize = var.size();
const auto keySize = var.size();
l->reserve(15);
std::list<std::string> expiredVars;
if (keySize == 0) {
for (auto &i : *this) {
if (ke.toOmit(i.first)) {
continue;
{
const std::shared_lock lock(m_mutex); // read lock (shared access)
if (keySize == 0) {
for (auto &i : m_map) {
if (ke.toOmit(i.first)) {
continue;
}
if (i.second.isExpired()) {
expiredVars.push_back(i.first);
} else if (i.second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
l->insert(l->begin(), new VariableValue(&m_name, &i.first,
&i.second.getValue()));
}
}
if (i.second.isExpired()) {
expiredVars.push_back(i.first);
} else if (i.second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
l->insert(l->begin(), new VariableValue(&m_name, &i.first,
&i.second.getValue()));
}
}
} else {
auto range = this->equal_range(var);
for (auto it = range.first; it != range.second; ++it) {
if (ke.toOmit(var)) {
continue;
} else {
const auto range = m_map.equal_range(var);
for (auto it = range.first; it != range.second; ++it) {
if (ke.toOmit(var)) {
continue;
}
if (it->second.isExpired()) {
expiredVars.push_back(it->first);
} else if (it->second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
l->insert(l->begin(), new VariableValue(&m_name, &var,
&it->second.getValue()));
}
}
if (it->second.isExpired()) {
expiredVars.push_back(it->first);
} else if (it->second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
l->insert(l->begin(), new VariableValue(&m_name, &var,
&it->second.getValue()));
}
}
}
for (const auto& expiredVar : expiredVars) {
delIfExpired(expiredVar);
}
@@ -176,47 +194,30 @@ void InMemoryPerProcess::resolveMultiMatches(const std::string& var,
void InMemoryPerProcess::resolveRegularExpression(const std::string& var,
std::vector<const VariableValue *> *l, variables::KeyExclusions &ke) {
//if (var.find(":") == std::string::npos) {
// return;
//}
//if (var.size() < var.find(":") + 3) {
// return;
//}
//std::string col = std::string(var, 0, var.find(":"));
//std::string name = std::string(var, var.find(":") + 2,
// var.size() - var.find(":") - 3);
//size_t keySize = col.size();
Utils::Regex r(var, true);
std::list<std::string> expiredVars;
for (const auto& x : *this) {
//if (x.first.size() <= keySize + 1) {
// continue;
//}
//if (x.first.at(keySize) != ':') {
// continue;
//}
//if (std::string(x.first, 0, keySize) != col) {
// continue;
//}
//std::string content = std::string(x.first, keySize + 1,
// x.first.size() - keySize - 1);
int ret = Utils::regex_search(x.first, r);
if (ret <= 0) {
continue;
{
const std::shared_lock lock(m_mutex); // read lock (shared access)
for (const auto& x : m_map) {
const auto ret = Utils::regex_search(x.first, r);
if (ret <= 0) {
continue;
}
if (ke.toOmit(x.first)) {
continue;
}
if (x.second.isExpired()) {
expiredVars.push_back(x.first);
} else if (x.second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
l->insert(l->begin(), new VariableValue(&m_name, &x.first, &x.second.getValue()));
}
}
if (ke.toOmit(x.first)) {
continue;
}
if (x.second.isExpired()) {
expiredVars.push_back(x.first);
} else if (x.second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
l->insert(l->begin(), new VariableValue(&m_name, &x.first, &x.second.getValue()));
}
}
for (const auto& expiredVar : expiredVars) {
delIfExpired(expiredVar);
}
@@ -225,18 +226,29 @@ void InMemoryPerProcess::resolveRegularExpression(const std::string& var,
std::unique_ptr<std::string> InMemoryPerProcess::resolveFirst(
const std::string& var) {
auto range = equal_range(var);
for (auto it = range.first; it != range.second; ++it) {
if (it->second.isExpired()) {
delIfExpired(it->second.getValue());
} else if (it->second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
return std::unique_ptr<std::string>(new std::string(it->second.getValue()));
}
std::unique_ptr<std::string> ret;
std::list<std::string> expiredVars;
{
const std::shared_lock lock(m_mutex); // read lock (shared access)
const auto range = m_map.equal_range(var);
for (auto it = range.first; it != range.second; ++it) {
if (it->second.isExpired()) {
expiredVars.push_back(it->first);
} else if (it->second.hasValue() == false) {
// No-op. A non-expired expiry exists for the key but there is no actual value
} else {
ret = std::make_unique<std::string>(it->second.getValue());
}
}
}
return NULL;
for (const auto& expiredVar : expiredVars) {
delIfExpired(expiredVar);
}
return ret;
}

18
src/collection/backend/in_memory-per_process.h
View File

@@ -12,7 +12,6 @@
* directly using the email address security@modsecurity.org.
*
*/
#include <pthread.h>
#ifdef __cplusplus
@@ -24,6 +23,7 @@
#include <vector>
#include <algorithm>
#include <memory>
#include <shared_mutex>
#endif
@@ -71,13 +71,11 @@ struct MyHash{
};
class InMemoryPerProcess :
public std::unordered_multimap<std::string, CollectionData,
/*std::hash<std::string>*/MyHash, MyEqual>,
public Collection {
public:
explicit InMemoryPerProcess(const std::string &name);
~InMemoryPerProcess();
void store(std::string key, std::string value);
void store(const std::string &key, const std::string &value);
bool storeOrUpdateFirst(const std::string &key,
const std::string &value) override;
@@ -103,21 +101,23 @@ class InMemoryPerProcess :
variables::KeyExclusions &ke) override;
/* store */
virtual void store(std::string key, std::string compartment,
virtual void store(const std::string &key, std::string &compartment,
std::string value) {
std::string nkey = compartment + "::" + key;
const auto nkey = compartment + "::" + key;
store(nkey, value);
}
virtual void store(std::string key, std::string compartment,
virtual void store(const std::string &key, const std::string &compartment,
std::string compartment2, std::string value) {
std::string nkey = compartment + "::" + compartment2 + "::" + key;
const auto nkey = compartment + "::" + compartment2 + "::" + key;
store(nkey, value);
}
private:
pthread_mutex_t m_lock;
std::unordered_multimap<std::string, CollectionData,
/*std::hash<std::string>*/MyHash, MyEqual> m_map;
std::shared_mutex m_mutex;
};
} // namespace backend

2
src/collection/backend/lmdb.cc
View File

@@ -27,8 +27,6 @@
#include <string>
#include <memory>
#include <pthread.h>
#include "modsecurity/variable_value.h"
#include "src/utils/regex.h"
#include "src/variables/variable.h"

2
src/collection/backend/lmdb.h
View File

@@ -27,12 +27,10 @@
#ifdef WITH_LMDB
#include <lmdb.h>
#include <semaphore.h>
#endif // WITH_LMDB
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <pthread.h>
#include "modsecurity/variable_value.h"
#include "modsecurity/collection/collection.h"

11
src/operators/pm.cc
View File

@@ -39,9 +39,6 @@ Pm::~Pm() {
free(m_p);
m_p = NULL;
#ifdef MODSEC_MUTEX_ON_PM
pthread_mutex_destroy(&m_lock);
#endif
}
@@ -89,11 +86,12 @@ bool Pm::evaluate(Transaction *transaction, RuleWithActions *rule,
pt.ptr = NULL;
const char *match = NULL;
#ifdef MODSEC_MUTEX_ON_PM
pthread_mutex_lock(&m_lock);
{
const std::lock_guard lock(m_mutex);
#endif
rc = acmp_process_quick(&pt, &match, input.c_str(), input.length());
#ifdef MODSEC_MUTEX_ON_PM
pthread_mutex_unlock(&m_lock);
}
#endif
if (rc >= 0 && transaction) {
@@ -118,9 +116,6 @@ bool Pm::init(const std::string &file, std::string *error) {
std::istringstream *iss;
const char *err = NULL;
#ifdef MODSEC_MUTEX_ON_PM
pthread_mutex_init(&m_lock, NULL);
#endif
char *content = parse_pm_content(m_param.c_str(), m_param.length(), &err);
if (content == NULL) {
iss = new std::istringstream(m_param);

3
src/operators/pm.h
View File

@@ -20,6 +20,7 @@
#include <list>
#include <memory>
#include <utility>
#include <mutex>
#include "src/operators/operator.h"
#include "src/utils/acmp.h"
@@ -56,7 +57,7 @@ class Pm : public Operator {
#ifdef MODSEC_MUTEX_ON_PM
private:
pthread_mutex_t m_lock;
std::mutex m_mutex;
#endif
};