github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-29 19:24:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2735 from martinhsv/v2/master

Browse Source 
Allow no-key, single-value JSON body
This commit is contained in:
martinhsv
2022-05-03 15:58:43 -04:00
committed by GitHub
parent 733427197e 4a98032b7f
commit 784693b61c
4 changed files with 38 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@@ -1,6 +1,8 @@
DD mmm YYYY - 2.9.x (to be released) DD mmm YYYY - 2.9.x (to be released)
------------------- -------------------
* Allow no-key, single-value JSON body
[Issue #2735 - @marcstern, @martinhsv]
* Set SecStatusEngine Off in modsecurity.conf-recommended * Set SecStatusEngine Off in modsecurity.conf-recommended
[Issue #2717 - @un99known99, @martinhsv] [Issue #2717 - @un99known99, @martinhsv]
* Fix memory leak that occurs on JSON parsing error * Fix memory leak that occurs on JSON parsing error

3
apache2/msc_json.c
View File

@@ -27,8 +27,7 @@ int json_add_argument(modsec_rec *msr, const char *value, unsigned length)
* to reference this argument; for now we simply ignore these * to reference this argument; for now we simply ignore these
*/ */
if (!msr->json->current_key) { if (!msr->json->current_key) {
msr_log(msr, 3, "Cannot add scalar value without an associated key"); msr->json->current_key = "";
return 1;
} }
arg = (msc_arg *) apr_pcalloc(msr->mp, sizeof(msc_arg)); arg = (msc_arg *) apr_pcalloc(msr->mp, sizeof(msc_arg));

2
apache2/msc_json.h
View File

@@ -39,7 +39,7 @@ struct json_data {
/* prefix is used to create data hierarchy (i.e., 'parent.child.value') */ /* prefix is used to create data hierarchy (i.e., 'parent.child.value') */
unsigned char *prefix; unsigned char *prefix;
unsigned char *current_key; const unsigned char *current_key;
long int current_depth; long int current_depth;
int depth_limit_exceeded; int depth_limit_exceeded;
}; };

34
tests/regression/rule/15-json.t
View File

@@ -224,6 +224,40 @@
), ),
), ),
), ),
},
{
type => "rule",
comment => "json parser - no-key single value",
conf => qq(
SecRuleEngine On
SecRequestBodyAccess On
SecDebugLog $ENV{DEBUG_LOG}
SecAuditEngine RelevantOnly
SecAuditLog "$ENV{AUDIT_LOG}"
SecDebugLogLevel 9
SecRequestBodyJsonDepthLimit 3
SecRule REQUEST_HEADERS:Content-Type "application/json" \\
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRule REQBODY_ERROR "!\@eq 0" "id:'200444',phase:2,log,deny,status:403,msg:'Failed to parse request body'"
SecRule ARGS "\@streq 25" "id:'200445',phase:2,log,deny,status:403"
),
match_log => {
audit => [ qr/200445/s, 1 ],
},
match_response => {
status => qr/^403$/,
},
request => new HTTP::Request(
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
[
"Content-Type" => "application/json",
],
normalize_raw_request_data(
q(
25
),
),
),
} }