From 9c066e3198eefbb7e9c73de8441cd4c52c27784a Mon Sep 17 00:00:00 2001 From: Felipe Zimmerle Date: Tue, 21 Jul 2015 02:14:47 -0300 Subject: [PATCH] Adds support to the INBOUND_DATA_ERROR variable and SecRequestBodyLimit direc. --- headers/modsecurity/rules.h | 2 + src/assay.cc | 18 ++- src/parser/driver.cc | 1 + src/parser/driver.h | 1 + src/parser/seclang-parser.yy | 5 + src/parser/seclang-scanner.ll | 9 +- src/rules.cc | 2 + .../variable-INBOUND_DATA_ERROR.json | 106 ++++++++++++++++++ 8 files changed, 138 insertions(+), 6 deletions(-) create mode 100644 test/test-cases/regression/variable-INBOUND_DATA_ERROR.json diff --git a/headers/modsecurity/rules.h b/headers/modsecurity/rules.h index 06e8d231..2f1d29d6 100644 --- a/headers/modsecurity/rules.h +++ b/headers/modsecurity/rules.h @@ -47,6 +47,7 @@ class Rules { public: Rules() : m_referenceCount(0), + requestBodyLimit(0), m_custom_debug_log(NULL) { } explicit Rules(DebugLog *custom_log) @@ -124,6 +125,7 @@ class Rules { void debug(int level, std::string message); std::list components; + int requestBodyLimit; AuditLog *audit_log; private: diff --git a/src/assay.cc b/src/assay.cc index 0a9cbecd..8907923c 100644 --- a/src/assay.cc +++ b/src/assay.cc @@ -414,6 +414,10 @@ int Assay::addRequestHeader(const unsigned char *key, size_t key_n, int Assay::processRequestBody() { debug(4, "Starting phase REQUEST_BODY. (SecRules 2)"); + if (resolve_variable_first("INBOUND_DATA_ERROR") == NULL) { + store_variable("INBOUND_DATA_ERROR", "0"); + } + if (m_requestBody.tellp() <= 0) { return true; } @@ -522,10 +526,16 @@ int Assay::processRequestBody() { * */ int Assay::appendRequestBody(const unsigned char *buf, size_t len) { - /** - * as part of the confiurations or rules it is expected to - * set a higher value for this. Will not handle it for now. - */ + int current_size = this->m_requestBody.tellp(); + + debug(9, "Appending request body: " + std::to_string(len) + " bytes. " \ + "Limit set to: " + std::to_string(this->m_rules->requestBodyLimit)); + + if (this->m_rules->requestBodyLimit > 0 + && this->m_rules->requestBodyLimit < len + current_size) { + store_variable("INBOUND_DATA_ERROR", "1"); + } + this->m_requestBody.write(reinterpret_cast(buf), len); return 0; diff --git a/src/parser/driver.cc b/src/parser/driver.cc index c0ebe071..c5f8a2de 100644 --- a/src/parser/driver.cc +++ b/src/parser/driver.cc @@ -20,6 +20,7 @@ Driver::Driver() : trace_scanning(false), trace_parsing(false), + requestBodyLimit(0), audit_log(new ModSecurity::AuditLog()) { } diff --git a/src/parser/driver.h b/src/parser/driver.h index d3778450..43d9f27a 100644 --- a/src/parser/driver.h +++ b/src/parser/driver.h @@ -87,6 +87,7 @@ class Driver { bool sec_audit_engine; bool sec_request_body_access; bool sec_response_body_access; + int requestBodyLimit; std::string debug_log_path; std::list components; diff --git a/src/parser/seclang-parser.yy b/src/parser/seclang-parser.yy index 3846396c..cd6fce65 100644 --- a/src/parser/seclang-parser.yy +++ b/src/parser/seclang-parser.yy @@ -63,6 +63,7 @@ using ModSecurity::Utils::GeoLookup; %left ARGS CONFIG_VALUE_RELEVANT_ONLY CONFIG_VALUE_ON CONFIG_VALUE_OFF CONFIG_VALUE %token DIRECTIVE %token CONFIG_DIRECTIVE +%token CONFIG_DIR_REQ_BODY_LIMIT %token CONFIG_DIR_RULE_ENG %token CONFIG_DIR_REQ_BODY %token CONFIG_DIR_RES_BODY @@ -250,6 +251,10 @@ expression: { GeoLookup::getInstance().setDataBase($1); } + | CONFIG_DIR_REQ_BODY_LIMIT + { + driver.requestBodyLimit = atoi($1.c_str()); + } variables: variables PIPE VARIABLE diff --git a/src/parser/seclang-scanner.ll b/src/parser/seclang-scanner.ll index 6ccb6243..5f160b9a 100755 --- a/src/parser/seclang-scanner.ll +++ b/src/parser/seclang-scanner.ll @@ -21,7 +21,9 @@ ACTION (?i:accuracy|allow|append|auditlog|block|capture|chain|ctl|deny| ACTION_SEVERITY (?i:severity:[0-9]+|severity:'[0-9]+'|severity:(EMERGENCY|ALERT|CRITICAL|ERROR|WARNING|NOTICE|INFO|DEBUG)|severity:'(EMERGENCY|ALERT|CRITICAL|ERROR|WARNING|NOTICE|INFO|DEBUG)') DIRECTIVE SecRule -CONFIG_DIRECTIVE SecRequestBodyLimitAction|SecRequestBodyNoFilesLimit|SecRequestBodyInMemoryLimit|SecRequestBodyLimit|SecPcreMatchLimitRecursion|SecPcreMatchLimit|SecResponseBodyMimeType|SecResponseBodyLimitAction|SecResponseBodyLimit|SecTmpDir|SecDataDir|SecArgumentSeparator|SecCookieFormat|SecStatusEngine +CONFIG_DIRECTIVE SecRequestBodyLimitAction|SecRequestBodyNoFilesLimit|SecRequestBodyInMemoryLimit|SecPcreMatchLimitRecursion|SecPcreMatchLimit|SecResponseBodyMimeType|SecResponseBodyLimitAction|SecResponseBodyLimit|SecTmpDir|SecDataDir|SecArgumentSeparator|SecCookieFormat|SecStatusEngine +CONFIG_DIR_REQ_BODY_LIMIT (?i:SecRequestBodyLimit) + CONFIG_DIR_GEO_DB (?i:SecGeoLookupDb) @@ -57,7 +59,7 @@ OPERATORNOARG (?i:@detectSQLi|@detectXSS|@geoLookup|@validateUrlEncoding|@valida TRANSFORMATION t:(lowercase|urlDecodeUni|urlDecode|none|compressWhitespace|removeWhitespace|replaceNulls|removeNulls|htmlEntityDecode|jsDecode|cssDecode|trim) -VARIABLE (?i:FULL_REQUEST|FILES|AUTH_TYPE|ARGS_NAMES|ARGS|QUERY_STRING|REMOTE_ADDR|REQUEST_BASENAME|REQUEST_BODY|REQUEST_COOKIES_NAMES|REQUEST_COOKIES|REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_METHOD|REQUEST_PROTOCOL|REQUEST_URI|RESPONSE_BODY|RESPONSE_CONTENT_LENGTH|RESPONSE_CONTENT_TYPE|RESPONSE_HEADERS_NAMES|RESPONSE_HEADERS|RESPONSE_PROTOCOL|RESPONSE_STATUS|TX|GEO) +VARIABLE (?i:INBOUND_DATA_ERROR|FULL_REQUEST|FILES|AUTH_TYPE|ARGS_NAMES|ARGS|QUERY_STRING|REMOTE_ADDR|REQUEST_BASENAME|REQUEST_BODY|REQUEST_COOKIES_NAMES|REQUEST_COOKIES|REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_METHOD|REQUEST_PROTOCOL|REQUEST_URI|RESPONSE_BODY|RESPONSE_CONTENT_LENGTH|RESPONSE_CONTENT_TYPE|RESPONSE_HEADERS_NAMES|RESPONSE_HEADERS|RESPONSE_PROTOCOL|RESPONSE_STATUS|TX|GEO) RUN_TIME_VAR_DUR (?i:DURATION) RUN_TIME_VAR_ENV (?i:ENV) RUN_TIME_VAR_BLD (?i:MODSEC_BUILD) @@ -122,6 +124,9 @@ FREE_TEXT_NEW_LINE [^\"|\n]+ %{ /* Geo DB loopkup */ %} {CONFIG_DIR_GEO_DB}[ ]{FREE_TEXT_NEW_LINE} { return yy::seclang_parser::make_CONFIG_DIR_GEO_DB(strchr(yytext, ' ') + 1, loc); } +%{ /* Request body limit */ %} +{CONFIG_DIR_REQ_BODY_LIMIT}[ ]{CONFIG_VALUE_NUMBER} { return yy::seclang_parser::make_CONFIG_DIR_REQ_BODY_LIMIT(strchr(yytext, ' ') + 1, loc); } + {CONFIG_COMPONENT_SIG}[ ]["]{FREE_TEXT}["] { return yy::seclang_parser::make_CONFIG_COMPONENT_SIG(strchr(yytext, ' ') + 2, loc); } {CONFIG_VALUE_ON} { return yy::seclang_parser::make_CONFIG_VALUE_ON(yytext, loc); } diff --git a/src/rules.cc b/src/rules.cc index 367bf539..aa9f9ec4 100644 --- a/src/rules.cc +++ b/src/rules.cc @@ -167,6 +167,7 @@ int Rules::merge(Driver *from) { this->debug_log_path = from->debug_log_path; this->debug_level = from->debug_level; this->components = from->components; + this->requestBodyLimit = from->requestBodyLimit; if (m_custom_debug_log) { this->debug_log = m_custom_debug_log->new_instance(); @@ -201,6 +202,7 @@ int Rules::merge(Rules *from) { this->sec_request_body_access = from->sec_request_body_access; this->sec_response_body_access = from->sec_response_body_access; this->components = from->components; + this->requestBodyLimit = from->requestBodyLimit; this->debug_log = from->debug_log; diff --git a/test/test-cases/regression/variable-INBOUND_DATA_ERROR.json b/test/test-cases/regression/variable-INBOUND_DATA_ERROR.json new file mode 100644 index 00000000..4d676f42 --- /dev/null +++ b/test/test-cases/regression/variable-INBOUND_DATA_ERROR.json @@ -0,0 +1,106 @@ +[ + { + "enabled":1, + "version_min":300000, + "title":"Testing Variables :: INBOUND_DATA_ERROR (1/2)", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host":"localhost", + "User-Agent":"curl/7.38.0", + "Accept":"*/*" + }, + "uri":"/?key=value&key=other_value", + "protocol":"GET" + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "debug_log":"Target value: \"0\" \\(Variable: INBOUND_DATA_ERROR\\)" + }, + "rules":[ + "SecRuleEngine On", + "SecDebugLog \/tmp\/modsec_debug.log", + "SecDebugLogLevel 9", + "SecRule INBOUND_DATA_ERROR \"@eq 1\" \"phase:3,pass,t:trim\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Testing Variables :: INBOUND_DATA_ERROR (1/1)", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host":"localhost", + "User-Agent":"curl/7.38.0", + "Accept":"*/*", + "Content-Length":"330", + "Content-Type":"multipart/form-data; boundary=--------------------------756b6d74fa1a8ee2", + "Expect":"100-continue" + }, + "uri":"/", + "protocol":"POST", + "body":[ + "--------------------------756b6d74fa1a8ee2", + "Content-Disposition: form-data; name=\"name\"", + "", + "test", + "--------------------------756b6d74fa1a8ee2", + "Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"", + "Content-Type: text/plain", + "", + "This is a very small test file..", + "--------------------------756b6d74fa1a8ee2", + "Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"", + "Content-Type: text/plain", + "", + "This is another very small test file..", + "--------------------------756b6d74fa1a8ee2--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "debug_log":"Target value: \"1\" \\(Variable: INBOUND_DATA_ERROR\\)" + }, + "rules":[ + "SecRuleEngine On", + "SecDebugLog \/tmp\/modsec_debug.log", + "SecRequestBodyLimit 2", + "SecDebugLogLevel 9", + "SecRule INBOUND_DATA_ERROR \"@eq 1\" \"phase:3,pass,t:trim\"" + ] + } +] +