Merge pull request #113 from client9/remotes/trunk

Remotes/trunk

apache2/libinjection/libinjection.h

@@ -37,7 +37,7 @@ extern "C" {
  * See python's normalized version
  * http://www.python.org/dev/peps/pep-0386/#normalizedversion
  */
-#define LIBINJECTION_VERSION "2.0.0"
+#define LIBINJECTION_VERSION "3.0.0-pre8"
 
 #define ST_MAX_SIZE 32
 #define MAX_TOKENS 5
@@ -46,14 +46,25 @@ extern "C" {
 #define CHAR_SINGLE '\''
 #define CHAR_DOUBLE '"'
 
+#define COMMENTS_ANSI 0
+#define COMMENTS_MYSQL 1
+
 typedef struct {
+#ifdef SWIG
+%immutable;
+#endif
     char type;
     char str_open;
     char str_close;
+    char var_count;
     char val[ST_MAX_SIZE];
 } stoken_t;
 
 typedef struct {
+#ifdef SWIG
+%immutable;
+#endif
+
     /* input */
     const char *s;
     size_t slen;
@@ -62,29 +73,50 @@ typedef struct {
     size_t pos;
     int    in_comment;
 
-    /* syntax fixups state */
-    stoken_t syntax_current;
-    stoken_t syntax_last;
-    stoken_t syntax_comment;
-
-    /* constant folding state */
-    stoken_t fold_current;
-    stoken_t fold_last;
-    int fold_state;
-
     /* final sqli data */
-    stoken_t tokenvec[MAX_TOKENS];
+    stoken_t *current;
+
+    /* MAX TOKENS + 1 since use one extra token to determine
+       the type of the previous token */
+    stoken_t tokenvec[MAX_TOKENS + 1];
 
     /*  +1 for ending null */
     char pat[MAX_TOKENS + 1];
     char delim;
+    char comment_style;
+
     int reason;
+
+    /* Number of ddw (dash-dash-white) comments
+     * These comments are in the form of
+     *   '--[whitespace]' or '--[EOF]'
+     *
+     * All databases treat this as a comment.
+     */
+     int stats_comment_ddw;
+
+    /* Number of ddx (dash-dash-[notwhite]) comments
+     *
+     * ANSI SQL treats these are comments, MySQL treats this as
+     * two unary operators '-' '-'
+     *
+     * If you are parsing result returns FALSE and
+     * stats_comment_dd > 0, you should reparse with
+     * COMMENT_MYSQL
+     *
+     */
+    int stats_comment_ddx;
+
+    int stats_comment_c;
+
+    int stats_folds;
+
 } sfilter;
 
 /**
  * Pointer to function, takes cstr input, returns 1 for true, 0 for false
  */
-typedef int (*ptr_fingerprints_fn)(const char*, void* callbackarg);
+typedef int (*ptr_fingerprints_fn)(sfilter*, void* callbackarg);
 
 /**
  * Main API: tests for SQLi in three possible contexts, no quotes,
@@ -117,18 +149,50 @@ int libinjection_is_sqli(sfilter * sql_state,
  *        CHAR_SINGLE ('), single quote context
  *        CHAR_DOUBLE ("), double quote context
  *        Other values will likely be ignored.
- * \param ptr_fingerprints_fn is a pointer to a function
- *        that determines if a fingerprint is a match or not.
- * \param callbackarg passed to function above
  *
- *
- * \return 1 (true) if SQLi or 0 (false) if not SQLi **in this context**
+ * \return pointer to sfilter.pat as convience.
+ *         do not free!
  *
  */
-int libinjection_is_string_sqli(sfilter * sql_state,
+const char* libinjection_sqli_fingerprint(sfilter * sql_state,
                                           const char *s, size_t slen,
-                                const char delim,
-                                ptr_fingerprints_fn fn, void* callbackarg);
+                                          char delim,
+                                          char comment_style);
+
+/*  FOR H@CKERS ONLY
+ *
+ */
+
+void libinjection_sqli_init(sfilter* sql_state,
+                            const char* s, size_t slen,
+                            char delim, char comment_style);
+
+int libinjection_sqli_tokenize(sfilter * sql_state, stoken_t *ouput);
+
+/** The built-in default function to match fingerprints
+ *  and do false negative/positive analysis.  This calls the following
+ *  two functions.  With this, you other-ride one part or the other.
+ *
+ *     return libinjection_sqli_blacklist(sql_state, callbackarg) &&
+ *        libinject_sqli_not_whitelist(sql_state, callbackarg);
+ *
+ * \param sql_state should be filled out after libinjection_sqli_fingerprint is called
+ * \param callbackarg is unused but here to be used with API.
+ */
+int libinjection_sqli_check_fingerprint(sfilter *sql_state, void* callbackarg);
+
+/* Given a pattern determine if it's a SQLi pattern.
+ *
+ * \return TRUE if sqli, false otherwise
+ */
+int libinjection_sqli_blacklist(sfilter* sql_state);
+
+/* Given a positive match for a pattern (i.e. pattern is SQLi), this function
+ * does additional analysis to reduce false positives.
+ *
+ * \return TRUE if sqli, false otherwise
+ */
+int libinjection_sqli_not_whitelist(sfilter* sql_state);
 
 #ifdef __cplusplus
 }

standalone/Makefile.am

@@ -13,7 +13,7 @@ standalone_la_SOURCES = ../apache2/mod_security2.c \
                            ../apache2/msc_util.c ../apache2/msc_pcre.c ../apache2/persist_dbm.c ../apache2/msc_reqbody.c \
      			   ../apache2/msc_geo.c ../apache2/msc_gsb.c ../apache2/msc_unicode.c \
      			   ../apache2/acmp.c ../apache2/msc_lua.c ../apache2/msc_release.c \
-     			   ../apache2/msc_crypt.c ../apache2/msc_tree.c ../apache2/libinjection/sqlparse.c \
+     			   ../apache2/msc_crypt.c ../apache2/msc_tree.c ../apache2/libinjection/libinjection_sql.c \
                            api.c buckets.c \
                            config.c filters.c \
                            hooks.c \

tests/Makefile.am

@@ -22,7 +22,7 @@ msc_test_SOURCES = msc_test.c \
                    $(top_srcdir)/apache2/acmp.c \
                    $(top_srcdir)/apache2/msc_lua.c \
                    $(top_srcdir)/apache2/msc_release.c \
-                   $(top_srcdir)/apache2/libinjection/sqlparse.c
+                   $(top_srcdir)/apache2/libinjection/libinjection_sqli.c
 msc_test_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \
                   @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @LUA_CFLAGS@
 msc_test_CPPFLAGS = -I$(top_srcdir)/apache2 \