github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

modsecurity loader

Browse Source
This commit is contained in:
Mihai Pitu 2013-08-09 15:48:00 +03:00 committed by Felipe Zimmerle
parent b1755c5b84
commit a662d8fe4c
10 changed files with 299 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
java/ModSecurityLoader/build.xml Normal file
View File

@ -0,0 +1,74 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- You may freely edit this file. See commented blocks below for -->
<!-- some examples of how to customize the build. -->
<!-- (If you delete it and reopen the project it will be recreated.) -->
<!-- By default, only the Clean and Build commands use this build script. -->
<!-- Commands such as Run, Debug, and Test only use this build script if -->
<!-- the Compile on Save feature is turned off for the project. -->
<!-- You can turn off the Compile on Save (or Deploy on Save) setting -->
<!-- in the project's Project Properties dialog box.-->
<project name="ModSecurityLoader" default="default" basedir=".">
<description>Builds, tests, and runs the project ModSecurityLoader.</description>
<import file="nbproject/build-impl.xml"/>
<!--
There exist several targets which are by default empty and which can be
used for execution of your tasks. These targets are usually executed
before and after some main targets. They are:
-pre-init: called before initialization of project properties
-post-init: called after initialization of project properties
-pre-compile: called before javac compilation
-post-compile: called after javac compilation
-pre-compile-single: called before javac compilation of single file
-post-compile-single: called after javac compilation of single file
-pre-compile-test: called before javac compilation of JUnit tests
-post-compile-test: called after javac compilation of JUnit tests
-pre-compile-test-single: called before javac compilation of single JUnit test
-post-compile-test-single: called after javac compilation of single JUunit test
-pre-jar: called before JAR building
-post-jar: called after JAR building
-post-clean: called after cleaning build products
(Targets beginning with '-' are not intended to be called on their own.)
Example of inserting an obfuscator after compilation could look like this:
<target name="-post-compile">
<obfuscate>
<fileset dir="${build.classes.dir}"/>
</obfuscate>
</target>
For list of available properties check the imported
nbproject/build-impl.xml file.
Another way to customize the build is by overriding existing main targets.
The targets of interest are:
-init-macrodef-javac: defines macro for javac compilation
-init-macrodef-junit: defines macro for junit execution
-init-macrodef-debug: defines macro for class debugging
-init-macrodef-java: defines macro for class execution
-do-jar-with-manifest: JAR building (if you are using a manifest)
-do-jar-without-manifest: JAR building (if you are not using a manifest)
run: execution of project
-javadoc-build: Javadoc generation
test-report: JUnit report generation
An example of overriding the target for project execution could look like this:
<target name="run" depends="ModSecurityLoader-impl.jar">
<exec dir="bin" executable="launcher.exe">
<arg file="${dist.jar}"/>
</exec>
</target>
Notice that the overridden target depends on the jar target and not only on
the compile target as the regular run target does. Again, for a list of available
properties which you can use, check the target you are overriding in the
nbproject/build-impl.xml file.
-->
</project>

3
java/ModSecurityLoader/manifest.mf Normal file
View File

@ -0,0 +1,3 @@
Manifest-Version: 1.0
X-COMMENT: Main-Class will be added automatically by build

32
java/ModSecurityLoader/src/org/modsecurity/loader/ModSecurityLoader.java Normal file
View File

@ -0,0 +1,32 @@
package org.modsecurity.loader;
import java.io.File;
public class ModSecurityLoader {
private static final String MODSECURITYLIBSDIR_PATH = "c:\\work\\mod_security\\java\\libs\\"; //directory with ModSecurity native libraries
static {
File modSecDir = new File(MODSECURITYLIBSDIR_PATH);
File[] flibs = modSecDir.listFiles();
System.out.println("len" + flibs.length);
loadLib(flibs, "zlib1");
loadLib(flibs, "libxml2");
loadLib(flibs, "pcre");
loadLib(flibs, "libapr-1");
loadLib(flibs, "libapriconv-1");
loadLib(flibs, "libaprutil-1");
loadLib(flibs, "ModSecurityJNI");
}
private static void loadLib(File[] files, String lib) {
for (int i = 0; i < files.length; i++) {
if (files[i].getName().startsWith(lib)) {
System.load(files[i].getAbsolutePath());
break;
}
}
}
}

24
java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurity.java
View File

@ -22,22 +22,14 @@ public final class ModSecurity {
private long confTime;
static {
// try {
// Class.forName("org.modsecurity.loader.ModSecurityLoader");
// System.out.println("MS loader found");
// } catch (ClassNotFoundException ex) {
// Logger.getLogger(ModSecurity.class.getName()).log(Level.SEVERE, null, ex);
// }
//TODO: bad practice (if we have two webapps using ModSecurity, one will raise UnsatisfiedLinkError),
//native libraries should be loaded in server's root classloader
System.load("c:\\work\\mod_security\\java\\libs\\zlib1.dll");
System.load("c:\\work\\mod_security\\java\\libs\\libxml2.dll");
System.load("c:\\work\\mod_security\\java\\libs\\pcre.dll");
System.load("c:\\work\\mod_security\\java\\libs\\libapr-1.dll");
System.load("c:\\work\\mod_security\\java\\libs\\libapriconv-1.dll");
System.load("c:\\work\\mod_security\\java\\libs\\libaprutil-1.dll");
System.load("c:\\work\\mod_security\\java\\Debug\\ModSecurityJNI.dll");
try {
//ModSecurityLoader calls System.load() for every native library needed by ModSecurity
Class.forName("org.modsecurity.loader.ModSecurityLoader");
System.out.println("ModSecurity libraries loaded.");
} catch (ClassNotFoundException ex) {
java.util.logging.Logger.getLogger(ModSecurity.class.getName()).log(java.util.logging.Level.SEVERE,
"ModSecurityLoader was not found, please make sure that you have \"ModSecurityLoader.jar\" in your server lib folder.", ex);
}
}
public ModSecurity(FilterConfig fc, String confFile) throws ServletException {

19
java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurityFilter.java
View File

@ -25,7 +25,7 @@ public class ModSecurityFilter implements Filter {
throw new ServletException("ModSecurity: parameter 'conf' not available in web.xml");
}
modsecurity = new ModSecurity(fc, confFilename);
}
@ -39,28 +39,25 @@ public class ModSecurityFilter implements Filter {
int status = modsecurity.onRequest(modsecurity.getConfFilename(), httpTran, modsecurity.checkModifiedConfig()); //modsecurity reloads only if primary config file is modified
if (status != ModSecurity.DECLINED) {
if (status > 0) {
httpTran.getHttpResponse().setStatus(status);
httpTran.getHttpResponse().sendError(status);
}
httpTran.getHttpResponse().sendError(403);
return;
}
//process request
fc.doFilter(httpTran.getMsHttpRequest(), httpTran.getMsHttpResponse());
status = modsecurity.onResponse(httpTran);
if(status != ModSecurity.OK && status != ModSecurity.DECLINED) {
if (status != ModSecurity.OK && status != ModSecurity.DECLINED) {
httpTran.getMsHttpResponse().reset();
httpTran.getMsHttpResponse().setStatus(status);
}
} finally {
httpTran.destroy();
}
}
@Override

2
java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpServletRequest.java
View File

@ -16,7 +16,6 @@ import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
@ -28,7 +27,6 @@ import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.DefaultFileItem;
import org.apache.commons.fileupload.DiskFileUpload;
import org.apache.commons.fileupload.FileItem;

1
java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpTransaction.java
View File

@ -19,6 +19,7 @@ public class MsHttpTransaction {
public MsHttpTransaction(ServletRequest req, ServletResponse res) {
tranID = UUID.randomUUID().toString();
tranID = tranID.replace('-', '0');
this.req = (HttpServletRequest)req;
this.res = (HttpServletResponse)res;
this.msReq = new MsHttpServletRequest(this.req);

76
java/ModSecurityTestApp/web/help.html Normal file
View File

@ -0,0 +1,76 @@
<!DOCTYPE html>
<html>
<head>
<title>ModSecurity WAF: Help page</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body style="background: #333333;">
<div align="center" style="width:930px; margin:0 auto; box-shadow: 5px 5px 6px #000; background: #FFFFFF;">
<div style="width: 930px;">
<img border="0" height="101" alt="ModSecurity: Open Source Web Application Firewall" src="http://www.modsecurity.org/g/header-top.jpg" />
</div>
<div style="width: 930px;">
<table width="90%" cellspacing="0" cellpadding="0" border="0">
<tr>
<td>
<h2 style="font-family: Arial;">ModSecurity for Java - Help Page</h2>
</td>
</tr>
<tr>
<td>
<p>
<b>ModSecurity</b> is an open source intrusion detection and prevention engine for web
applications. It can also be called an web application firewall. It operates embedded into
the web server, acting as a powerful umbrella, shielding applications from attacks.
</p>
<p>
ModSecurity for Java is designed as a <b>Java Servlet Filter</b> which makes use of ModSecurity's
<a href="https://github.com/SpiderLabs/ModSecurity">native code</a> using the <b>JNI technology</b>.
</p>
<br />
<h3>Installation</h3>
<p>
First you need to choose whether to install the latest version of ModSecurity directly from
<a href="https://github.com/SpiderLabs/ModSecurity">github.com/SpiderLabs/ModSecurity</a> or using pre-compiled binaries from
<a href="https://www.modsecurity.org/">modsecurity.org</a>. We will not discuss how to compile
the native libraries needed since these steps are described in the README files from ModSecurity's repository.
The native libraries (.so, .dll, etc.) needed for <b>ModSecurity for Java are:</b>
</p>
<ol>
<li>
zlib1
</li>
<li>
libxml2
</li>
<li>
pcre
</li>
<li>
libapr-1
</li>
<li>
libapriconv-1
</li>
<li>
libaprutil-1
</li>
<li>
ModSecurityJNI
</li>
</ol>
<p>
These libraries are loaded by the ModSecurityLoader.jar, which should be placed in your Java server library loader
(for example, in Tomcat 7: $CATALINA_HOME/lib). You can build/modify load directory the ModSecurityLoader from
/mod_security/java/ModSecurityLoader/src/. The libraries have to be copied in a directory (for example, c:\work\mod_security\java\libs\),
which should be accessible to ModSecurityLoader.jar.
</p>
</td>
</tr>
</table>
</div>
</div>
</body>
</html>

102
java/ModSecurityTestApp/web/index.jsp
View File

@ -3,12 +3,102 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>JSP Page</title>
<title>ModSecurity WAF for Java: Demo page</title>
</head>
<body>
<form method="post" action="Post.jsp">
Post Action: <input type="text" name="data" />
<input type="submit" />
</form>
<body style="background: #333333;">
<div align="center" style="width:930px; margin:0 auto; box-shadow: 5px 5px 6px #000; background: #FFFFFF;">
<div width="930">
<h1>
<img border="0" height="101" alt="ModSecurity: Open Source Web Application Firewall" src="http://www.modsecurity.org/g/header-top.jpg" />
</h1>
</div>
<div width="930">
<table width="90%" cellspacing="0" cellpadding="0" border="0">
<tr>
<td>
<h2 style="font-family: Arial;">ModSecurity Core Rule Set (CRS) - Installed demo</h2>
</td>
</tr>
<tr>
<td>
<p>
Please feel free to inject malicious input to stress test the ModSecurity Core Rule Set (CRS). The form accepts both GET and POST request methods. You can either do this via the form below or manually.
</p>
<p>
Check your servlet context logging for ModSecurity output. The request may also be blocked if, for example, <i>SecRuleEngine</i> is <i>On</i>.
</p>
<p>
You can also access the <a href="help.html">ModSecurity for Java - Help page</a>.
</p>
</td>
</tr>
<tr>
<td>
<form id="demoForm" method="post" action="index.jsp">
<b>Payload:</b>
<fieldset>
<textarea name="test" rows="6" cols="90" style="max-width:800px;"></textarea> <!--Foo' or '2' < '1' ;--example payload-->
</fieldset>
<fieldset><input id="submit" type="submit" value="Send"></input>
method=
<a id="demoMethodToggle" href="javascript:toggleMethod()"> GET </a>
enctype=
<a id="demoEncToggle" href="javascript:toggleEncType()"> application/x-www-form-urlencoded </a></fieldset>
</form>
<script type="text/javascript">
function toggleEncType() {
var f = document.getElementById('demoForm');
var le = document.getElementById('demoEncToggle');
var lm = document.getElementById('demoMethodToggle');
if (f.getAttribute('enctype') === 'application/x-www-form-urlencoded') {
f.setAttribute('enctype', 'multipart/form-data');
f.setAttribute('method', 'POST');
le.innerHTML = 'multipart/form-data';
lm.innerHTML = 'POST';
}
else {
f.setAttribute('enctype', 'application/x-www-form-urlencoded');
le.innerHTML = 'application/x-www-form-urlencoded';
}
}
function toggleMethod() {
var f = document.getElementById('demoForm');
var le = document.getElementById('demoEncToggle');
var lm = document.getElementById('demoMethodToggle');
if (f.getAttribute('method') === 'POST') {
f.setAttribute('enctype', 'application/x-www-form-urlencoded');
f.setAttribute('method', 'GET');
le.innerHTML = 'application/x-www-form-urlencoded';
lm.innerHTML = 'GET';
}
else {
f.setAttribute('method', 'POST');
lm.innerHTML = 'POST';
}
}
</script>
<br />
<br />
<br />
<br />
</td>
</tr>
<tr>
<td>
<% if (request.getParameter("test") != null) {%>
<h3>Last submitted payload:</h3>
<p><%= request.getParameter("test")%></p>
<br />
<% }%>
</td>
</tr>
</table>
</div>
</div>
</body>
</html>

9
java/org_modsecurity_ModSecurity.cpp
View File

@ -34,7 +34,6 @@
#define HTTPTRANSACTION_TRANSACTIONID_MET "getTransactionID"
#define SERVLETREQUEST_SERVERNAME_MET "getServerName"
#define SERVLETREQUEST_CHARENCODING_MET "getCharacterEncoding"
#define SERVLETREQUEST_CONTENTTYPE_MET "getContentType"
@ -64,9 +63,6 @@
#define MSSERVLETRESPONSE_OUTPUTSTREAM_MET "getByteArrayStream"
#define MSSERVLETRESPONSE_OUTPUTSTREAM_SIG "()Ljava/io/ByteArrayInputStream;"
#define MSSERVLETRESPONSE_RESET_MET "reset"
#define MSSERVLETRESPONSE_RESET_SIG "()V"
//typedef struct {
JavaVM *jvm;
@ -210,7 +206,7 @@ void logSec(void *obj, int level, char *str)
(env)->CallVoidMethod(modSecurityInstance, logMethod, level, jStr);
(jvm)->DetachCurrentThread();
//in the context of a JVM thread, any leaked local references are automatically cleaned up.
//in the context of a JVM thread, any leaked local references are automatically cleaned up
//(env)->ReleaseStringUTFChars(jStr, str);
}
}
@ -249,9 +245,6 @@ apr_status_t ReadBodyCallback(request_rec *r, char *buf, unsigned int length, un
*readcnt = count;
memcpy(buf, bufferPtr, *readcnt);
//const char *test = "Foo' or '2' < '1' ;--";
//memcpy(buf, test, strlen(test));
}
(env)->ReleaseByteArrayElements(byteArrayBuf, bufferPtr, NULL);
(env)->DeleteLocalRef(byteArrayBuf);