Fix rule line number

Issue #1844
2025-09-29 11:16:33 +03:00 · 2018-10-24 20:51:22 -03:00
parent fa5f3784f2
commit 973c1f1028
9 changed files with 1293 additions and 785 deletions
--- a/test/test-cases/data/big-file.conf
+++ b/test/test-cases/data/big-file.conf
@@ -0,0 +1,198 @@
+# 1
+# 2
+# 3
+# 4
+# 5
+# 6
+# 7
+# 8
+
+# 10
+# 11
+# 12
+
+
+
+SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:930011,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" 
+SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:930012,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+# 18
+# 19
+# 20
+
+# 22
+# 23
+# 24
+# 25
+# 26
+# 27
+# 28
+SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "(?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))|test1" \
+	"phase:request,\
+	msg:'Path Traversal Attack (/../)',\
+	id:930100,\
+	ver:'OWASP_CRS/3.0.0',\
+	rev:'3',\
+	maturity:'9',\
+	accuracy:'7',\
+	t:none,\
+	block,\
+	severity:CRITICAL,\
+	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+	capture,\
+	tag:'application-multi',\
+	tag:'language-multi',\
+	tag:'platform-multi',\
+	tag:'attack-lfi',\
+	tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
+	setvar:'tx.msg=%{rule.msg}',\
+	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+	setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
+	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
+
+# 52
+# 53
+# 54
+SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@pm test2" \
+	"phase:request,\
+        msg:'Path Traversal Attack (/../)',\
+        id:930110,\
+        ver:'OWASP_CRS/3.0.0',\
+        rev:'1',\
+        maturity:'9',\
+	accuracy:'7',\
+	multiMatch,\
+        t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
+        block,\
+        severity:CRITICAL,\
+        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+        capture,\
+        tag:'application-multi',\
+        tag:'language-multi',\
+        tag:'platform-multi',\
+        tag:'attack-lfi',\
+        tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
+        setvar:'tx.msg=%{rule.msg}',\
+        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+        setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
+        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
+
+# 79
+# 80
+# 81
+# 82
+# 83
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm test3" \
+	"phase:request,\
+	msg:'OS File Access Attempt',\
+	rev:'4',\
+	ver:'OWASP_CRS/3.0.0',\
+	maturity:'9',\
+	accuracy:'9',\
+	capture,\
+	t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
+	block,\
+	id:930120,\
+        tag:'application-multi',\
+        tag:'language-multi',\
+        tag:'platform-multi',\
+        tag:'attack-lfi',\
+	tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
+	tag:'WASCTC/WASC-33',\
+	tag:'OWASP_TOP_10/A4',\
+	tag:'PCI/6.5.4',\
+	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+	severity:'CRITICAL',\
+	setvar:'tx.msg=%{rule.msg}',\
+	setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
+	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
+
+# 110
+# 111
+# 112
+# 113
+# 114
+# 115
+SecRule REQUEST_FILENAME|ARGS "@pm test4" \
+	"phase:request,\
+	msg:'Restricted File Access Attempt',\
+	rev:'1',\
+	ver:'OWASP_CRS/3.0.0',\
+	maturity:'7',\
+	accuracy:'8',\
+	capture,\
+	t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
+	block,\
+	id:930130,\
+	tag:'application-multi',\
+	tag:'language-multi',\
+	tag:'platform-multi',\
+	tag:'attack-lfi',\
+	tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
+	tag:'WASCTC/WASC-33',\
+	tag:'OWASP_TOP_10/A4',\
+	tag:'PCI/6.5.4',\
+	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+	severity:'CRITICAL',\
+	setvar:'tx.msg=%{rule.msg}',\
+	setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
+	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
+
+
+
+SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:930013,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:930014,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+# 146
+# 147
+# 148
+
+
+
+SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:930015,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:930016,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+# 154
+# 155
+# 156
+
+
+
+SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:930017,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:930018,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+# 162
+# 163
+# 164
+
+
+
+# 168
+# 169
+# 170
+SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI"
+# 172
+
+SecRule REQUEST_FILENAME|ARGS "@pm test5" \
+	"phase:request,\
+	msg:'Restricted File Access Attempt',\
+	rev:'1',\
+	ver:'OWASP_CRS/3.0.0',\
+	maturity:'7',\
+	accuracy:'8',\
+	capture,\
+	t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
+	block,\
+	id:9304130,\
+	tag:'application-multi',\
+	tag:'language-multi',\
+	tag:'platform-multi',\
+	tag:'attack-lfi',\
+	tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
+	tag:'WASCTC/WASC-33',\
+	tag:'OWASP_TOP_10/A4',\
+	tag:'PCI/6.5.4',\
+	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+	severity:'CRITICAL',\
+	setvar:'tx.msg=%{rule.msg}',\
+	setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
+	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
--- a/test/test-cases/data/not-so-big-file.conf
+++ b/test/test-cases/data/not-so-big-file.conf
@@ -0,0 +1,26 @@
+# 1
+# 2
+# 3
+# 4
+# 5
+# 6
+# 7
+# 8
+
+# 10
+# 11
+# 12
+
+Include "big-file.conf"
+
+# 18
+# 19
+# 20
+
+# 22
+# 23
+# 24
+# 25
+# 26
+# 27
+# 28
--- a/test/test-cases/regression/issue-1844.json
+++ b/test/test-cases/regression/issue-1844.json
@@ -0,0 +1,279 @@
+[
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"m_lineNumber ... mapping ... correct line number in file (1/n)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Content-Length": "27",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
+      },
+      "uri":"/",
+      "method":"POST",
+      "body": [
+        "param1=test1&param2=value2"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "error_log":"line \"29\""
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule WEBAPPID \"@contains test1\" \"id:1,phase:3,pass,t:trim\"",
+      "Include test-cases/data/big-file.conf"
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"m_lineNumber ... mapping ... correct line number in file (2/n)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Content-Length": "27",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
+      },
+      "uri":"/",
+      "method":"POST",
+      "body": [
+        "param1=test2"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "error_log":"line \"55\""
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule WEBAPPID \"@contains test2\" \"id:1,phase:3,pass,t:trim\"",
+      "Include test-cases/data/big-file.conf"
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"m_lineNumber ... mapping ... correct line number in file (3/n)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Content-Length": "27",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
+      },
+      "uri":"/",
+      "method":"POST",
+      "body": [
+        "param1=test3"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "error_log":"line \"84\""
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule WEBAPPID \"@contains test3\" \"id:1,phase:3,pass,t:trim\"",
+      "Include test-cases/data/big-file.conf"
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"m_lineNumber ... mapping ... correct line number in file (4/n)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Content-Length": "27",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
+      },
+      "uri":"/",
+      "method":"POST",
+      "body": [
+        "param1=test4"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "error_log":"line \"116\""
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule WEBAPPID \"@contains test3\" \"id:1,phase:3,pass,t:trim\"",
+      "Include test-cases/data/big-file.conf"
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"m_lineNumber ... mapping ... correct line number in file (5/n)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Content-Length": "27",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
+      },
+      "uri":"/",
+      "method":"POST",
+      "body": [
+        "param1=test5"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "error_log":"line \"174\""
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule WEBAPPID \"@contains test3\" \"id:1,phase:3,pass,t:trim\"",
+      "Include test-cases/data/big-file.conf"
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"m_lineNumber ... mapping ... correct line number in file (6/n)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Content-Length": "27",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
+      },
+      "uri":"/",
+      "method":"POST",
+      "body": [
+        "param1=test5"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "error_log":"line \"174\""
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule WEBAPPID \"@contains test3\" \"id:1,phase:3,pass,t:trim\"",
+      "Include test-cases/data/not-so-big-file.conf"
+    ]
+  }
+]
+