Fix: quoted Include config with wildcard

Martin Vierula 2023-05-30 09:32:07 -07:00
parent 2121938c51
commit 938707d117
No known key found for this signature in database
GPG Key ID: F2FC4E45883BCBA4
4 changed files with 63 additions and 23 deletions


@ -1,6 +1,8 @@
v3.x.y - YYYY-MMM-DD (to be released) v3.x.y - YYYY-MMM-DD (to be released)
------------------------------------- -------------------------------------
- Fix: quoted Include config with wildcard
[Issue #2905 - @wiseelf, @airween, @martinhsv]
- Support isolated PCRE match limits - Support isolated PCRE match limits
[Issue #2736 - @brandonpayton, @martinhsv] [Issue #2736 - @brandonpayton, @martinhsv]
- Fix: meta actions not applied if multiMatch in first rule of chain - Fix: meta actions not applied if multiMatch in first rule of chain


@ -1,5 +1,5 @@
#line 2 "seclang-scanner.cc" #line 3 "seclang-scanner.cc"
#define YY_INT_ALIGNED short int #define YY_INT_ALIGNED short int
@ -5128,7 +5128,7 @@ static const flex_int16_t yy_rule_linenum[546] =
1174, 1179, 1181, 1182, 1183, 1184, 1186, 1187, 1188, 1189, 1174, 1179, 1181, 1182, 1183, 1184, 1186, 1187, 1188, 1189,
1191, 1192, 1193, 1194, 1196, 1198, 1199, 1201, 1202, 1203, 1191, 1192, 1193, 1194, 1196, 1198, 1199, 1201, 1202, 1203,
1204, 1206, 1211, 1212, 1213, 1217, 1218, 1219, 1224, 1226, 1204, 1206, 1211, 1212, 1213, 1217, 1218, 1219, 1224, 1226,
1227, 1228, 1247, 1276, 1307 1227, 1228, 1247, 1276, 1306
} ; } ;
/* The intent behind this definition is that it'll catch /* The intent behind this definition is that it'll catch
@ -5214,15 +5214,15 @@ static std::stack<int> YY_PREVIOUS_STATE;
#define BEGIN_PREVIOUS() { BEGIN(YY_PREVIOUS_STATE.top()); YY_PREVIOUS_STATE.pop(); } #define BEGIN_PREVIOUS() { BEGIN(YY_PREVIOUS_STATE.top()); YY_PREVIOUS_STATE.pop(); }
// The location of the current token. // The location of the current token.
#line 5217 "seclang-scanner.cc" #line 5218 "seclang-scanner.cc"
#define YY_NO_INPUT 1 #define YY_NO_INPUT 1
#line 494 "seclang-scanner.ll" #line 494 "seclang-scanner.ll"
// Code run each time a pattern is matched. // Code run each time a pattern is matched.
# define YY_USER_ACTION driver.loc.back()->columns (yyleng); # define YY_USER_ACTION driver.loc.back()->columns (yyleng);
#line 5224 "seclang-scanner.cc"
#line 5225 "seclang-scanner.cc" #line 5225 "seclang-scanner.cc"
#line 5226 "seclang-scanner.cc"
#define INITIAL 0 #define INITIAL 0
#define EXPECTING_ACTION_PREDICATE_VARIABLE 1 #define EXPECTING_ACTION_PREDICATE_VARIABLE 1
@ -5544,7 +5544,7 @@ YY_DECL
// Code run each time yylex is called. // Code run each time yylex is called.
driver.loc.back()->step(); driver.loc.back()->step();
#line 5547 "seclang-scanner.cc" #line 5548 "seclang-scanner.cc"
while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */ while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */
{ {
@ -8597,9 +8597,9 @@ YY_RULE_SETUP
{ {
std::string err; std::string err;
const char *tmpStr = yytext + strlen("include"); const char *tmpStr = yytext + strlen("include");
const char *file = tmpStr + strspn( tmpStr, " \t"); const char *afterWhitespace = tmpStr + strspn( tmpStr, " \t");
char *f = strdup(file); std::string file(afterWhitespace+1, strlen(afterWhitespace)-2);
std::string fi = modsecurity::utils::find_resource(f, *driver.loc.back()->end.filename, &err); std::string fi = modsecurity::utils::find_resource(file, *driver.loc.back()->end.filename, &err);
if (fi.empty() == true) { if (fi.empty() == true) {
BEGIN(INITIAL); BEGIN(INITIAL);
driver.error (*driver.loc.back(), "", file + std::string(": Not able to open file. ") + err); driver.error (*driver.loc.back(), "", file + std::string(": Not able to open file. ") + err);
@ -8622,13 +8622,12 @@ YY_RULE_SETUP
} }
yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE )); yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE ));
} }
free(f);
} }
YY_BREAK YY_BREAK
case 545: case 545:
/* rule 545 can match eol */ /* rule 545 can match eol */
YY_RULE_SETUP YY_RULE_SETUP
#line 1307 "seclang-scanner.ll" #line 1306 "seclang-scanner.ll"
{ {
HttpsClient c; HttpsClient c;
std::string key; std::string key;
@ -8667,7 +8666,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 546: case 546:
YY_RULE_SETUP YY_RULE_SETUP
#line 1344 "seclang-scanner.ll" #line 1343 "seclang-scanner.ll"
ECHO; ECHO;
YY_BREAK YY_BREAK
#line 8673 "seclang-scanner.cc" #line 8673 "seclang-scanner.cc"
@ -9775,7 +9774,7 @@ void yyfree (void * ptr )
/* %ok-for-header */ /* %ok-for-header */
#line 1344 "seclang-scanner.ll" #line 1343 "seclang-scanner.ll"
namespace modsecurity { namespace modsecurity {


@ -1275,9 +1275,9 @@ EQUALS_MINUS (?i:=\-)
{CONFIG_INCLUDE}[ \t]+["]{CONFIG_VALUE_PATH}["] { {CONFIG_INCLUDE}[ \t]+["]{CONFIG_VALUE_PATH}["] {
std::string err; std::string err;
const char *tmpStr = yytext + strlen("include"); const char *tmpStr = yytext + strlen("include");
const char *file = tmpStr + strspn( tmpStr, " \t"); const char *afterWhitespace = tmpStr + strspn( tmpStr, " \t");
char *f = strdup(file); std::string file(afterWhitespace+1, strlen(afterWhitespace)-2);
std::string fi = modsecurity::utils::find_resource(f, *driver.loc.back()->end.filename, &err); std::string fi = modsecurity::utils::find_resource(file, *driver.loc.back()->end.filename, &err);
if (fi.empty() == true) { if (fi.empty() == true) {
BEGIN(INITIAL); BEGIN(INITIAL);
driver.error (*driver.loc.back(), "", file + std::string(": Not able to open file. ") + err); driver.error (*driver.loc.back(), "", file + std::string(": Not able to open file. ") + err);
@ -1300,7 +1300,6 @@ EQUALS_MINUS (?i:=\-)
} }
yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE )); yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE ));
} }
free(f);
} }
{CONFIG_SEC_REMOTE_RULES}[ ][^ ]+[ ][^\n\r ]+ { {CONFIG_SEC_REMOTE_RULES}[ ][^ ]+[ ][^\n\r ]+ {
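Review bot: The `+1` and `-2` in `std::string file(afterWhitespace+1, strlen(afterWhitespace)-2);` silently depend on the rule pattern `["]{CONFIG_VALUE_PATH}["]` guaranteeing a quote at both ends of the remainder of yytext, and nothing in the action itself says so; if the pattern is ever loosened to accept an unquoted form, this line will slice two real path characters off without any failing check. Suggest annotating the line with `// Strip the surrounding quotes required by ["]{CONFIG_VALUE_PATH}["] in this rule's pattern` so the coupling is visible to whoever next edits either side. Switching from `strdup`/`free` to a `std::string` also means the error branch at `driver.error(...)` no longer has to reach the trailing `free(f)`; if that branch returned early before, the old code leaked, which is worth a word in the commit message. The action block continues past the end of this hunk.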


@ -2,7 +2,7 @@
{ {
"enabled":1, "enabled":1,
"version_min":300000, "version_min":300000,
"title":"Include (1/7)", "title":"Include (1/8)",
"client":{ "client":{
"ip":"200.249.12.31", "ip":"200.249.12.31",
"port":123 "port":123
@ -42,7 +42,7 @@
{ {
"enabled":1, "enabled":1,
"version_min":300000, "version_min":300000,
"title":"Include (2/7)", "title":"Include (2/8)",
"client":{ "client":{
"ip":"200.249.12.31", "ip":"200.249.12.31",
"port":123 "port":123
@ -82,7 +82,7 @@
{ {
"enabled":1, "enabled":1,
"version_min":300000, "version_min":300000,
"title":"Include (3/7)", "title":"Include (3/8)",
"client":{ "client":{
"ip":"200.249.12.31", "ip":"200.249.12.31",
"port":123 "port":123
@ -122,7 +122,7 @@
{ {
"enabled":1, "enabled":1,
"version_min":300000, "version_min":300000,
"title":"Include (4/7)", "title":"Include (4/8)",
"client":{ "client":{
"ip":"200.249.12.31", "ip":"200.249.12.31",
"port":123 "port":123
@ -162,7 +162,7 @@
{ {
"enabled":1, "enabled":1,
"version_min":300000, "version_min":300000,
"title":"Include (5/7)", "title":"Include (5/8)",
"client":{ "client":{
"ip":"200.249.12.31", "ip":"200.249.12.31",
"port":123 "port":123
@ -203,7 +203,7 @@
{ {
"enabled":1, "enabled":1,
"version_min":300000, "version_min":300000,
"title":"Include (6/7)", "title":"Include (6/8)",
"client":{ "client":{
"ip":"200.249.12.31", "ip":"200.249.12.31",
"port":123 "port":123
@ -243,7 +243,7 @@
{ {
"enabled":1, "enabled":1,
"version_min":300000, "version_min":300000,
"title":"Include (7/7)", "title":"Include (7/8)",
"client":{ "client":{
"ip":"200.249.12.31", "ip":"200.249.12.31",
"port":123 "port":123
@ -279,5 +279,45 @@
"Include test-cases/data/conasdffig_example2.txt", "Include test-cases/data/conasdffig_example2.txt",
"SecRule ARGS \"@contains test\" \"id:9,pass,t:trim\"" "SecRule ARGS \"@contains test\" \"id:9,pass,t:trim\""
] ]
},
{
"enabled":1,
"version_min":300000,
"title":"Include (8/8) -- quoted with wildcard",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*"
},
"uri":"/?key=value&key=other_value",
"method":"GET"
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"debug_log":"Executing operator \"Contains\" with param \"config_example2\" against ARGS."
},
"rules":[
"SecRuleEngine On",
"Include \"test-cases/data/config_ex*ple2.txt\"",
"SecRule ARGS \"@contains test\" \"id:9,pass,t:trim\""
]
} }
] ]
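Review bot: The new case 8/8 only exercises the success path of the quoted-with-wildcard Include: `config_ex*ple2.txt` resolves, and the expected `debug_log` is the operator firing from the included rule. The existing unquoted case that references `test-cases/data/conasdffig_example2.txt` looks like a deliberately non-existent path, but there is no quoted counterpart, so the `Not able to open file` branch is never driven through the quoted rule that this commit rewrites. A ninth case with a quoted pattern that matches nothing, expecting that error, would pin the failure path too; I cannot tell from this page how the harness asserts on load errors, so the expected field would need to follow whatever the unquoted negative case uses.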