github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-29 19:24:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Having body limits to respect the rule engine state

Browse Source
This commit is contained in:
Felipe Zimmerle
2019-06-03 14:05:10 -03:00
parent c7fe50e5be
commit a4e8484115
2 changed files with 214 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/transaction.cc
View File

@@ -923,11 +923,16 @@ int Transaction::appendRequestBody(const unsigned char *buf, size_t len) {
Rules::BodyLimitAction::RejectBodyLimitAction) { Rules::BodyLimitAction::RejectBodyLimitAction) {
ms_dbg(5, "Request body limit is marked to reject the " \ ms_dbg(5, "Request body limit is marked to reject the " \
"request"); "request");
intervention::free(&m_it); if (getRuleEngineState() == Rules::EnabledRuleEngine) {
m_it.log = strdup("Request body limit is marked to " \ intervention::free(&m_it);
"reject the request"); m_it.log = strdup("Request body limit is marked to " \
m_it.status = 403; "reject the request");
m_it.disruptive = true; m_it.status = 403;
m_it.disruptive = true;
} else {
ms_dbg(5, "Not rejecting the request as the engine is " \
"not Enabled");
}
} }
return true; return true;
} }
@@ -1177,11 +1182,16 @@ int Transaction::appendResponseBody(const unsigned char *buf, size_t len) {
Rules::BodyLimitAction::RejectBodyLimitAction) { Rules::BodyLimitAction::RejectBodyLimitAction) {
ms_dbg(5, "Response body limit is marked to reject the " \ ms_dbg(5, "Response body limit is marked to reject the " \
"request"); "request");
intervention::free(&m_it); if (getRuleEngineState() == Rules::EnabledRuleEngine) {
m_it.log = strdup("Response body limit is marked to reject " \ intervention::free(&m_it);
"the request"); m_it.log = strdup("Response body limit is marked to reject " \
m_it.status = 403; "the request");
m_it.disruptive = true; m_it.status = 403;
m_it.disruptive = true;
} else {
ms_dbg(5, "Not rejecting the request as the engine is " \
"not Enabled");
}
} }
return true; return true;
} }

194
test/test-cases/regression/config-body_limits.json
View File

@@ -136,6 +136,120 @@
"SecRequestBodyLimit 5" "SecRequestBodyLimit 5"
] ]
}, },
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyLimitAction Reject - Engine Disabled",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*"
},
"uri":"/?key=value&key=other_value",
"method":"POST",
"body":[
"--------------------------756b6d74fa1a8ee2",
"Content-Disposition: form-data; name=\"name\"",
"",
"test",
"--------------------------756b6d74fa1a8ee2",
"Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"",
"Content-Type: text/plain",
"",
"This is a very small test file..",
"--------------------------756b6d74fa1a8ee2",
"Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"",
"Content-Type: text/plain",
"",
"This is another very small test file..",
"--------------------------756b6d74fa1a8ee2--"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":200
},
"rules":[
"SecRuleEngine Off",
"SecRequestBodyLimitAction Reject",
"SecRequestBodyLimit 5"
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyLimitAction Reject - Engine Detection Only",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*"
},
"uri":"/?key=value&key=other_value",
"method":"POST",
"body":[
"--------------------------756b6d74fa1a8ee2",
"Content-Disposition: form-data; name=\"name\"",
"",
"test",
"--------------------------756b6d74fa1a8ee2",
"Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"",
"Content-Type: text/plain",
"",
"This is a very small test file..",
"--------------------------756b6d74fa1a8ee2",
"Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"",
"Content-Type: text/plain",
"",
"This is another very small test file..",
"--------------------------756b6d74fa1a8ee2--"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":200
},
"rules":[
"SecRuleEngine DetectionOnly",
"SecRequestBodyLimitAction Reject",
"SecRequestBodyLimit 5"
]
},
{ {
"enabled":1, "enabled":1,
"version_min":300000, "version_min":300000,
@@ -192,6 +306,86 @@
"SecRequestBodyLimitAction ProcessPartial", "SecRequestBodyLimitAction ProcessPartial",
"SecRequestBodyLimit 5" "SecRequestBodyLimit 5"
] ]
},
{
"enabled":1,
"version_min":300000,
"title":"SecResponseBodyLimitAction Reject - Engine Disabled",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*"
},
"uri":"/?key=value&key=other_value",
"method":"GET"
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":200
},
"rules":[
"SecRuleEngine Off",
"SecResponseBodyLimitAction Reject",
"SecResponseBodyLimit 5"
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecResponseBodyLimitAction Reject - Engine Detection Only",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*"
},
"uri":"/?key=value&key=other_value",
"method":"GET"
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":200
},
"rules":[
"SecRuleEngine DetectionOnly",
"SecResponseBodyLimitAction Reject",
"SecResponseBodyLimit 5"
]
} }
] ]