Adds new operator to check for data leakage of Austrian social security number

Makefile.am

@@ -166,6 +166,7 @@ TESTS+=test/test-cases/regression/operator-validate-byte-range.json
 TESTS+=test/test-cases/regression/operator-verifycc.json
 TESTS+=test/test-cases/regression/operator-verifycpf.json
 TESTS+=test/test-cases/regression/operator-verifyssn.json
+TESTS+=test/test-cases/regression/operator-verifysvnr.json
 TESTS+=test/test-cases/regression/request-body-parser-json.json
 TESTS+=test/test-cases/regression/request-body-parser-multipart-crlf.json
 TESTS+=test/test-cases/regression/request-body-parser-multipart.json

src/Makefile.am

@@ -225,6 +225,7 @@ OPERATORS = \
 	operators/verify_cc.cc \
 	operators/verify_cpf.cc \
 	operators/verify_ssn.cc \
+	operators/verify_svnr.cc \
 	operators/within.cc \
 	operators/unconditional_match.cc
 

src/operators/operator.cc

@@ -58,6 +58,7 @@
 #include "src/operators/verify_cc.h"
 #include "src/operators/verify_cpf.h"
 #include "src/operators/verify_ssn.h"
+#include "src/operators/verify_svnr.h"
 #include "src/operators/within.h"
 #include "src/operators/unconditional_match.h"
 
@@ -185,6 +186,7 @@ Operator *Operator::instantiate(std::string op, std::string param_str) {
     IF_MATCH(verifycc) { return new VerifyCC(std::move(param)); }
     IF_MATCH(verifycpf) { return new VerifyCPF(std::move(param)); }
     IF_MATCH(verifyssn) { return new VerifySSN(std::move(param)); }
+    IF_MATCH(verifysvnr) { return new VerifySVNR(std::move(param)); }
     IF_MATCH(within) { return new Within(std::move(param)); }
 
     IF_MATCH(unconditionalmatch) {

src/operators/verify_svnr.cc

@@ -0,0 +1,123 @@
+
+#include "src/operators/verify_svnr.h"
+
+#include <string>
+
+#include "src/operators/operator.h"
+
+#include "modsecurity/rule.h"
+#include "modsecurity/rule_message.h"
+#include "modsecurity/rules_properties.h"
+namespace modsecurity {
+namespace operators {
+
+int VerifySVNR::convert_to_int(const char c)
+{
+    int n;
+    if ((c>='0') && (c<='9'))
+        n = c - '0';
+    else
+        n = 0;
+    return n;
+}
+
+bool VerifySVNR::verify(const char *svnrnumber, int len) {
+    int var_len = len;
+    int sum = 0;
+    unsigned int i = 0, svnr_len = 10;
+    int svnr[11];
+    char s_svnr[11];
+    char bad_svnr[12][11] = { "0000000000",
+        "0123456789",
+        "1234567890",
+        "1111111111",
+        "2222222222",
+        "3333333333",
+        "4444444444",
+        "5555555555",
+        "6666666666",
+        "7777777777",
+        "8888888888",
+        "9999999999"};
+
+    while ((*svnrnumber != '\0') && ( var_len > 0))
+    {
+        if (*svnrnumber != '-' || *svnrnumber != '.')
+        {
+            if (i < svnr_len && isdigit(*svnrnumber))
+            {
+                s_svnr[i] = *svnrnumber;
+                svnr[i] = convert_to_int(*svnrnumber);
+                i++;
+            }
+        }
+        svnrnumber++;
+        var_len--;
+    }
+
+
+    if (i != svnr_len)
+    {
+        return 0;
+    }
+    else
+    {
+        for (i = 0; i< svnr_len; i++)
+        {
+            if (strncmp(s_svnr,bad_svnr[i],svnr_len) == 0)
+            {
+                return 0;
+            }
+        }
+    }
+    //Laufnummer mit 3, 7, 9
+    //Geburtsdatum mit 5, 8, 4, 2, 1, 6
+    sum = svnr[0] * 3 + svnr[1] * 7 + svnr[2] * 9 + svnr[4] * 5 + svnr[5] * 8 + svnr[6] * 4 + svnr[7] * 2 + svnr[8] * 1 + svnr[9] * 6;
+    sum %= 11;
+    if(sum == 10){
+    	sum = 0;
+    }
+    if (sum == svnr[3])
+    {
+        return true;
+    }
+    return false;
+}
+
+
+bool VerifySVNR::evaluate(Transaction *t, Rule *rule,
+    const std::string& input, std::shared_ptr<RuleMessage> ruleMessage) {
+    std::list<SMatch> matches;
+    bool is_svnr = false;
+    int i;
+
+    if (m_param.empty()) {
+        return is_svnr;
+    }
+
+    for (i = 0; i < input.size() - 1 && is_svnr == false; i++) {
+        matches = m_re->searchAll(input.substr(i, input.size()));
+
+        for (const auto & i : matches) {
+            is_svnr = verify(i.str().c_str(), i.str().size());
+            if (is_svnr) {
+                logOffset(ruleMessage, i.offset(), i.str().size());
+                if (rule && t && rule->m_containsCaptureAction) {
+                    t->m_collections.m_tx_collection->storeOrUpdateFirst(
+                        "0", i.str());
+                    ms_dbg_a(t, 7, "Added VerifySVNR match TX.0: " + \
+                        i.str());
+                }
+
+                goto out;
+            }
+        }
+    }
+
+out:
+    return is_svnr;
+}
+
+
+}  // namespace operators
+}  // namespace modsecurity

src/operators/verify_svnr.h

@@ -0,0 +1,55 @@
+
+#ifndef SRC_OPERATORS_VERIFY_SVNR_H_
+#define SRC_OPERATORS_VERIFY_SVNR_H_
+
+#include <string>
+#include <memory>
+#include <utility>
+
+#include "src/operators/operator.h"
+#include "src/utils/regex.h"
+
+
+namespace modsecurity {
+using Utils::SMatch;
+using Utils::regex_search;
+using Utils::Regex;
+
+namespace operators {
+
+class VerifySVNR : public Operator {
+ public:
+    /** @ingroup ModSecurity_Operator */
+    explicit VerifySVNR(std::unique_ptr<RunTimeString> param)
+        : Operator("VerifySVNR", std::move(param)) {
+        m_re = new Regex(m_param);
+    }
+
+    ~VerifySVNR() {
+        delete m_re;
+    }
+    bool evaluate(Transaction *transaction, Rule *rule,
+        const std::string &input) override {
+        return evaluate(transaction, NULL, input, NULL);
+    }
+    bool evaluate(Transaction *transaction,
+        const std::string &input) override {
+        return evaluate(transaction, NULL, input);
+    }
+    bool evaluate(Transaction *transaction, Rule *rule,
+        const std::string& input,
+        std::shared_ptr<RuleMessage> ruleMessage) override;
+
+    int convert_to_int(const char c);
+    bool verify(const char *ssnumber, int len);
+
+ private:
+    Regex *m_re;
+};
+
+}  // namespace operators
+}  // namespace modsecurity
+
+
+#endif  // SRC_OPERATORS_VERIFY_SVNR_H_
+

src/parser/seclang-parser.yy

@@ -143,6 +143,7 @@ class Driver;
 #include "src/operators/verify_cc.h"
 #include "src/operators/verify_cpf.h"
 #include "src/operators/verify_ssn.h"
+#include "src/operators/verify_svnr.h"
 #include "src/operators/within.h"
 
 
@@ -466,6 +467,7 @@ using namespace modsecurity::operators;
   OPERATOR_VERIFY_CC                           "OPERATOR_VERIFY_CC"
   OPERATOR_VERIFY_CPF                          "OPERATOR_VERIFY_CPF"
   OPERATOR_VERIFY_SSN                          "OPERATOR_VERIFY_SSN"
+  OPERATOR_VERIFY_SVNR                          "OPERATOR_VERIFY_SVNR"
   OPERATOR_WITHIN                              "OPERATOR_WITHIN"
 
   CONFIG_DIR_AUDIT_LOG_FMT
@@ -960,6 +962,10 @@ op_before_init:
       {
         OPERATOR_CONTAINER($$, new operators::VerifySSN(std::move($2)));
       }
+    | OPERATOR_VERIFY_SVNR run_time_string
+      {
+        OPERATOR_CONTAINER($$, new operators::VerifySVNR(std::move($2)));
+      }
     | OPERATOR_GSB_LOOKUP run_time_string
       {
         /* $$ = new operators::GsbLookup($1); */

src/parser/seclang-scanner.ll

@@ -314,6 +314,7 @@ OPERATOR_VALIDATE_UTF8_ENCODING         (?i:@validateUtf8Encoding)
 OPERATOR_VERIFY_CC                      (?i:@verifyCC)
 OPERATOR_VERIFY_CPF                     (?i:@verifyCPF)
 OPERATOR_VERIFY_SSN                     (?i:@verifySSN)
+OPERATOR_VERIFY_SVNR                    (?i:@verifySVNR)
 OPERATOR_WITHIN                         (?i:@within)
 
 
@@ -1110,6 +1111,7 @@ EQUALS_MINUS                            (?i:=\-)
 {OPERATOR_VERIFY_CC}                    { BEGIN_PARAMETER(); return p::make_OPERATOR_VERIFY_CC(*driver.loc.back()); }
 {OPERATOR_VERIFY_CPF}                   { BEGIN_PARAMETER(); return p::make_OPERATOR_VERIFY_CPF(*driver.loc.back()); }
 {OPERATOR_VERIFY_SSN}                   { BEGIN_PARAMETER(); return p::make_OPERATOR_VERIFY_SSN(*driver.loc.back()); }
+{OPERATOR_VERIFY_SVNR}                   { BEGIN_PARAMETER(); return p::make_OPERATOR_VERIFY_SVNR(*driver.loc.back()); }
 {OPERATOR_GSB_LOOKUP}                   { BEGIN_PARAMETER(); return p::make_OPERATOR_GSB_LOOKUP(*driver.loc.back()); }
 {OPERATOR_RSUB}                         { BEGIN_PARAMETER(); return p::make_OPERATOR_RSUB(*driver.loc.back()); }
 

test/test-cases/regression/operator-verifysvnr.json

@@ -0,0 +1,46 @@
+[
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Operator :: @verifysvnr (1/1)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Content-Length": "32",
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      "uri":"/",
+      "method":"POST",
+      "body": [
+        "param1=1237%20010180&param2=value2"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Added VerifySVNR match TX.0: 1237 010180"
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule ARGS \"@verifysvnr \\d{4} ?\\d{6}\" \"id:1,phase:2,capture,pass,t:trim\""
+    ]
+  }
+]