Adds support to the INBOUND_DATA_ERROR variable and SecRequestBodyLimit direc.

2025-08-14 13:56:01 +03:00 · 2015-07-21 02:14:47 -03:00 · 2015-07-21 02:14:47 -03:00 · 9c066e3198
commit 9c066e3198
parent 95c2fed89c
8 changed files with 138 additions and 6 deletions
--- a/headers/modsecurity/rules.h
+++ b/headers/modsecurity/rules.h
@ -47,6 +47,7 @@ class Rules {
 public:
    Rules()
        : m_referenceCount(0),
+        requestBodyLimit(0),
        m_custom_debug_log(NULL) { }

    explicit Rules(DebugLog *custom_log)
@ -124,6 +125,7 @@ class Rules {
    void debug(int level, std::string message);
    std::list<std::string> components;

+    int requestBodyLimit;
    AuditLog *audit_log;

 private:
--- a/src/assay.cc
+++ b/src/assay.cc
@ -414,6 +414,10 @@ int Assay::addRequestHeader(const unsigned char *key, size_t key_n,
 int Assay::processRequestBody() {
    debug(4, "Starting phase REQUEST_BODY. (SecRules 2)");

+    if (resolve_variable_first("INBOUND_DATA_ERROR") == NULL) {
+        store_variable("INBOUND_DATA_ERROR", "0");
+    }
+
    if (m_requestBody.tellp() <= 0) {
        return true;
    }
@ -522,10 +526,16 @@ int Assay::processRequestBody() {
 *
 */
 int Assay::appendRequestBody(const unsigned char *buf, size_t len) {
-    /**
-     * as part of the confiurations or rules it is expected to 
-     * set a higher value for this. Will not handle it for now.
-     */
+    int current_size = this->m_requestBody.tellp();
+
+    debug(9, "Appending request body: " + std::to_string(len) + " bytes. " \
+        "Limit set to: " + std::to_string(this->m_rules->requestBodyLimit));
+
+    if (this->m_rules->requestBodyLimit > 0
+        && this->m_rules->requestBodyLimit < len + current_size) {
+        store_variable("INBOUND_DATA_ERROR", "1");
+    }
+
    this->m_requestBody.write(reinterpret_cast<const char*>(buf), len);

    return 0;
--- a/src/parser/driver.cc
+++ b/src/parser/driver.cc
@ -20,6 +20,7 @@
 Driver::Driver()
  : trace_scanning(false),
  trace_parsing(false),
+  requestBodyLimit(0),
  audit_log(new ModSecurity::AuditLog()) {
 }

--- a/src/parser/driver.h
+++ b/src/parser/driver.h
@ -87,6 +87,7 @@ class Driver {
    bool sec_audit_engine;
    bool sec_request_body_access;
    bool sec_response_body_access;
+    int requestBodyLimit;

    std::string debug_log_path;
    std::list<std::string> components;
--- a/src/parser/seclang-parser.yy
+++ b/src/parser/seclang-parser.yy
@ -63,6 +63,7 @@ using ModSecurity::Utils::GeoLookup;
 %left ARGS CONFIG_VALUE_RELEVANT_ONLY CONFIG_VALUE_ON CONFIG_VALUE_OFF CONFIG_VALUE
 %token <std::string> DIRECTIVE
 %token <std::string> CONFIG_DIRECTIVE
+%token <std::string> CONFIG_DIR_REQ_BODY_LIMIT
 %token <std::string> CONFIG_DIR_RULE_ENG
 %token <std::string> CONFIG_DIR_REQ_BODY
 %token <std::string> CONFIG_DIR_RES_BODY
@ -250,6 +251,10 @@ expression:
      {
        GeoLookup::getInstance().setDataBase($1);
      }
+    | CONFIG_DIR_REQ_BODY_LIMIT
+      {
+        driver.requestBodyLimit = atoi($1.c_str());
+      }

 variables:
    variables PIPE VARIABLE
--- a/src/parser/seclang-scanner.ll
+++ b/src/parser/seclang-scanner.ll
@ -21,7 +21,9 @@ ACTION          (?i:accuracy|allow|append|auditlog|block|capture|chain|ctl|deny|
 ACTION_SEVERITY (?i:severity:[0-9]+|severity:'[0-9]+'|severity:(EMERGENCY|ALERT|CRITICAL|ERROR|WARNING|NOTICE|INFO|DEBUG)|severity:'(EMERGENCY|ALERT|CRITICAL|ERROR|WARNING|NOTICE|INFO|DEBUG)')
 DIRECTIVE       SecRule

-CONFIG_DIRECTIVE SecRequestBodyLimitAction|SecRequestBodyNoFilesLimit|SecRequestBodyInMemoryLimit|SecRequestBodyLimit|SecPcreMatchLimitRecursion|SecPcreMatchLimit|SecResponseBodyMimeType|SecResponseBodyLimitAction|SecResponseBodyLimit|SecTmpDir|SecDataDir|SecArgumentSeparator|SecCookieFormat|SecStatusEngine
+CONFIG_DIRECTIVE SecRequestBodyLimitAction|SecRequestBodyNoFilesLimit|SecRequestBodyInMemoryLimit|SecPcreMatchLimitRecursion|SecPcreMatchLimit|SecResponseBodyMimeType|SecResponseBodyLimitAction|SecResponseBodyLimit|SecTmpDir|SecDataDir|SecArgumentSeparator|SecCookieFormat|SecStatusEngine
+CONFIG_DIR_REQ_BODY_LIMIT (?i:SecRequestBodyLimit)
+

 CONFIG_DIR_GEO_DB (?i:SecGeoLookupDb)

@ -57,7 +59,7 @@ OPERATORNOARG	(?i:@detectSQLi|@detectXSS|@geoLookup|@validateUrlEncoding|@valida

 TRANSFORMATION  t:(lowercase|urlDecodeUni|urlDecode|none|compressWhitespace|removeWhitespace|replaceNulls|removeNulls|htmlEntityDecode|jsDecode|cssDecode|trim)

-VARIABLE          (?i:FULL_REQUEST|FILES|AUTH_TYPE|ARGS_NAMES|ARGS|QUERY_STRING|REMOTE_ADDR|REQUEST_BASENAME|REQUEST_BODY|REQUEST_COOKIES_NAMES|REQUEST_COOKIES|REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_METHOD|REQUEST_PROTOCOL|REQUEST_URI|RESPONSE_BODY|RESPONSE_CONTENT_LENGTH|RESPONSE_CONTENT_TYPE|RESPONSE_HEADERS_NAMES|RESPONSE_HEADERS|RESPONSE_PROTOCOL|RESPONSE_STATUS|TX|GEO)
+VARIABLE          (?i:INBOUND_DATA_ERROR|FULL_REQUEST|FILES|AUTH_TYPE|ARGS_NAMES|ARGS|QUERY_STRING|REMOTE_ADDR|REQUEST_BASENAME|REQUEST_BODY|REQUEST_COOKIES_NAMES|REQUEST_COOKIES|REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_METHOD|REQUEST_PROTOCOL|REQUEST_URI|RESPONSE_BODY|RESPONSE_CONTENT_LENGTH|RESPONSE_CONTENT_TYPE|RESPONSE_HEADERS_NAMES|RESPONSE_HEADERS|RESPONSE_PROTOCOL|RESPONSE_STATUS|TX|GEO)
 RUN_TIME_VAR_DUR  (?i:DURATION)
 RUN_TIME_VAR_ENV  (?i:ENV)
 RUN_TIME_VAR_BLD  (?i:MODSEC_BUILD)
@ -122,6 +124,9 @@ FREE_TEXT_NEW_LINE       [^\"|\n]+
 %{ /* Geo DB loopkup */ %}
 {CONFIG_DIR_GEO_DB}[ ]{FREE_TEXT_NEW_LINE}      { return yy::seclang_parser::make_CONFIG_DIR_GEO_DB(strchr(yytext, ' ') + 1, loc); }

+%{ /* Request body limit */ %}
+{CONFIG_DIR_REQ_BODY_LIMIT}[ ]{CONFIG_VALUE_NUMBER}  { return yy::seclang_parser::make_CONFIG_DIR_REQ_BODY_LIMIT(strchr(yytext, ' ') + 1, loc); }
+
 {CONFIG_COMPONENT_SIG}[ ]["]{FREE_TEXT}["] { return yy::seclang_parser::make_CONFIG_COMPONENT_SIG(strchr(yytext, ' ') + 2, loc); }

 {CONFIG_VALUE_ON}               { return yy::seclang_parser::make_CONFIG_VALUE_ON(yytext, loc); }
--- a/src/rules.cc
+++ b/src/rules.cc
@ -167,6 +167,7 @@ int Rules::merge(Driver *from) {
    this->debug_log_path = from->debug_log_path;
    this->debug_level = from->debug_level;
    this->components = from->components;
+    this->requestBodyLimit = from->requestBodyLimit;

    if (m_custom_debug_log) {
        this->debug_log = m_custom_debug_log->new_instance();
@ -201,6 +202,7 @@ int Rules::merge(Rules *from) {
    this->sec_request_body_access = from->sec_request_body_access;
    this->sec_response_body_access = from->sec_response_body_access;
    this->components = from->components;
+    this->requestBodyLimit = from->requestBodyLimit;

    this->debug_log = from->debug_log;

--- a/test/test-cases/regression/variable-INBOUND_DATA_ERROR.json
+++ b/test/test-cases/regression/variable-INBOUND_DATA_ERROR.json
@ -0,0 +1,106 @@
+[  
+  {  
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Variables :: INBOUND_DATA_ERROR (1/2)",
+    "client":{  
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{  
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{  
+      "headers":{  
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "protocol":"GET"
+    },
+    "response":{  
+      "headers":{  
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[  
+        "no need."
+      ]
+    },
+    "expected":{  
+      "debug_log":"Target value: \"0\" \\(Variable: INBOUND_DATA_ERROR\\)"
+    },
+    "rules":[  
+      "SecRuleEngine On",
+      "SecDebugLog \/tmp\/modsec_debug.log",
+      "SecDebugLogLevel 9",
+      "SecRule INBOUND_DATA_ERROR \"@eq 1\" \"phase:3,pass,t:trim\""
+    ]
+  },
+  {  
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Variables :: INBOUND_DATA_ERROR (1/1)",
+    "client":{  
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{  
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{  
+      "headers":{  
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Content-Length":"330",
+        "Content-Type":"multipart/form-data; boundary=--------------------------756b6d74fa1a8ee2",
+        "Expect":"100-continue"
+      },
+      "uri":"/",
+      "protocol":"POST",
+      "body":[  
+        "--------------------------756b6d74fa1a8ee2",
+        "Content-Disposition: form-data; name=\"name\"",
+        "",
+        "test",
+        "--------------------------756b6d74fa1a8ee2",
+        "Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"",
+        "Content-Type: text/plain",
+        "",
+        "This is a very small test file..",
+        "--------------------------756b6d74fa1a8ee2",
+        "Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"",
+        "Content-Type: text/plain",
+        "",
+        "This is another very small test file..",
+        "--------------------------756b6d74fa1a8ee2--"
+      ]
+    },
+    "response":{  
+      "headers":{  
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[  
+        "no need."
+      ]
+    },
+    "expected":{  
+      "debug_log":"Target value: \"1\" \\(Variable: INBOUND_DATA_ERROR\\)"
+    },
+    "rules":[  
+      "SecRuleEngine On",
+      "SecDebugLog \/tmp\/modsec_debug.log",
+      "SecRequestBodyLimit 2",
+      "SecDebugLogLevel 9",
+      "SecRule INBOUND_DATA_ERROR \"@eq 1\" \"phase:3,pass,t:trim\""
+    ]
+  }
+]
+