From a4e8484115bc88ba58d854a8ff72b5f4072986e9 Mon Sep 17 00:00:00 2001
From: Felipe Zimmerle
Date: Mon, 3 Jun 2019 14:05:10 -0300
Subject: [PATCH] Having body limits to respect the rule engine state

---
 src/transaction.cc                            | 30 ++-
 .../regression/config-body_limits.json        | 194 ++++++++++++++++++
 2 files changed, 214 insertions(+), 10 deletions(-)

diff --git a/src/transaction.cc b/src/transaction.cc
index be50538a..49daab12 100644
--- a/src/transaction.cc
+++ b/src/transaction.cc
@@ -923,11 +923,16 @@ int Transaction::appendRequestBody(const unsigned char *buf, size_t len) {
                 Rules::BodyLimitAction::RejectBodyLimitAction) {
             ms_dbg(5, "Request body limit is marked to reject the " \
                 "request");
-            intervention::free(&m_it);
-            m_it.log = strdup("Request body limit is marked to " \
-                "reject the request");
-            m_it.status = 403;
-            m_it.disruptive = true;
+            if (getRuleEngineState() == Rules::EnabledRuleEngine) {
+                intervention::free(&m_it);
+                m_it.log = strdup("Request body limit is marked to " \
+                    "reject the request");
+                m_it.status = 403;
+                m_it.disruptive = true;
+            } else {
+                ms_dbg(5, "Not rejecting the request as the engine is " \
+                    "not Enabled");
+            }
         }
         return true;
     }
@@ -1177,11 +1182,16 @@ int Transaction::appendResponseBody(const unsigned char *buf, size_t len) {
                 Rules::BodyLimitAction::RejectBodyLimitAction) {
             ms_dbg(5, "Response body limit is marked to reject the " \
                 "request");
-            intervention::free(&m_it);
-            m_it.log = strdup("Response body limit is marked to reject " \
-                "the request");
-            m_it.status = 403;
-            m_it.disruptive = true;
+            if (getRuleEngineState() == Rules::EnabledRuleEngine) {
+                intervention::free(&m_it);
+                m_it.log = strdup("Response body limit is marked to reject " \
+                    "the request");
+                m_it.status = 403;
+                m_it.disruptive = true;
+            } else {
+                ms_dbg(5, "Not rejecting the request as the engine is " \
+                    "not Enabled");
+            }
         }
         return true;
     }
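Review bot: In DetectionOnly the new else branch at the end of the first hunk reduces the would-be 403 to a level-5 debug line and nothing else, so an operator running DetectionOnly to stage a move to On has no record that the request body limit would have rejected traffic; `m_it.log` stays unset and the message does not say which state was in effect, so Off and DetectionOnly read identically. I would at least make the message carry the condition, e.g. `ms_dbg(5, "Request body limit exceeded; not rejecting because the rule engine is DetectionOnly or Off");`, and, if the transaction has a non-disruptive path for recording a blocked-in-theory event (the one DetectionOnly uses for rule matches — not visible from here), record the would-be reject through it as well. `getRuleEngineState()` is called unqualified; presumably it is the Transaction accessor that also honours per-transaction overrides, but since the rest of appendRequestBody lies outside the hunk I cannot confirm that from this diff. appendRequestBody starts before this hunk.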
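Review bot: The guarded block added in appendResponseBody is a line-for-line copy of the one in appendRequestBody apart from the message text, which is the kind of duplication that lets the engine-state check drift the next time only one site is touched. A small private helper taking the log string would keep the state check, `intervention::free`, and the 403 setup in one place, and both call sites become a single line. The helper would need a declaration in the class (outside this hunk), and the body of appendResponseBody continues past the hunk.
```cpp
// Sets a disruptive 403 intervention for an exceeded body limit, unless the
// rule engine is not Enabled (Off/DetectionOnly), in which case only a debug
// line is emitted.  `msg` becomes the intervention log message.
void Transaction::rejectOnBodyLimit(const char *msg) {
    if (getRuleEngineState() != Rules::EnabledRuleEngine) {
        ms_dbg(5, "Not rejecting the request as the engine is not Enabled");
        return;
    }
    intervention::free(&m_it);
    m_it.log = strdup(msg);
    m_it.status = 403;
    m_it.disruptive = true;
}
// … unchanged: limit comparison and first ms_dbg in appendResponseBody …
            rejectOnBodyLimit("Response body limit is marked to reject the request");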
diff --git a/test/test-cases/regression/config-body_limits.json b/test/test-cases/regression/config-body_limits.json
index 97896039..a88035ba 100644
--- a/test/test-cases/regression/config-body_limits.json
+++ b/test/test-cases/regression/config-body_limits.json
@@ -136,6 +136,120 @@
       "SecRequestBodyLimit 5"
     ]
   },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"SecRequestBodyLimitAction Reject - Engine Disabled",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"POST",
+      "body":[
+        "--------------------------756b6d74fa1a8ee2",
+        "Content-Disposition: form-data; name=\"name\"",
+        "",
+        "test",
+        "--------------------------756b6d74fa1a8ee2",
+        "Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"",
+        "Content-Type: text/plain",
+        "",
+        "This is a very small test file..",
+        "--------------------------756b6d74fa1a8ee2",
+        "Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"",
+        "Content-Type: text/plain",
+        "",
+        "This is another very small test file..",
+        "--------------------------756b6d74fa1a8ee2--"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "http_code":200
+    },
+    "rules":[
+      "SecRuleEngine Off",
+      "SecRequestBodyLimitAction Reject",
+      "SecRequestBodyLimit 5"
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"SecRequestBodyLimitAction Reject - Engine Detection Only",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"POST",
+      "body":[
+        "--------------------------756b6d74fa1a8ee2",
+        "Content-Disposition: form-data; name=\"name\"",
+        "",
+        "test",
+        "--------------------------756b6d74fa1a8ee2",
+        "Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"",
+        "Content-Type: text/plain",
+        "",
+        "This is a very small test file..",
+        "--------------------------756b6d74fa1a8ee2",
+        "Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"",
+        "Content-Type: text/plain",
+        "",
+        "This is another very small test file..",
+        "--------------------------756b6d74fa1a8ee2--"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "http_code":200
+    },
+    "rules":[
+      "SecRuleEngine DetectionOnly",
+      "SecRequestBodyLimitAction Reject",
+      "SecRequestBodyLimit 5"
+    ]
+  },
   {
     "enabled":1,
     "version_min":300000,
@@ -192,6 +306,86 @@
       "SecRequestBodyLimitAction ProcessPartial",
       "SecRequestBodyLimit 5"
     ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"SecResponseBodyLimitAction Reject - Engine Disabled",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "http_code":200
+    },
+    "rules":[
+      "SecRuleEngine Off",
+      "SecResponseBodyLimitAction Reject",
+      "SecResponseBodyLimit 5"
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"SecResponseBodyLimitAction Reject - Engine Detection Only",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "http_code":200
+    },
+    "rules":[
+      "SecRuleEngine DetectionOnly",
+      "SecResponseBodyLimitAction Reject",
+      "SecResponseBodyLimit 5"
+    ]
   }
 ]
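Review bot: The two response-limit cases also assert only `"http_code":200`, so a run in which the response body limit is never evaluated passes identically to one that hits the new else branch. Pinning the debug message in `expected` (`"debug_log":"Not rejecting the request as the engine is not Enabled"`, if the runner supports that key) would make them test the branch rather than merely the absence of a 403. These cases set no `SecResponseBodyAccess` directive; if response-body buffering is off by default in this build — I cannot tell from the hunk — that is a second way the limit check could be skipped, so mirror whatever the existing enabled-engine Reject case above this hunk configures.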