From b089c44c1ac61b1f55bdb5eaef38bd92c23d7b46 Mon Sep 17 00:00:00 2001
From: Felipe Zimmerle <fcosta@trustwave.com>
Date: Tue, 21 Jul 2015 14:22:12 -0300
Subject: [PATCH] Adds support to MATCHED_VARS_NAMES variable

---
 src/parser/seclang-scanner.ll                 |  2 +-
 src/rule.cc                                   |  3 +
 .../variable-MATCHED_VARS_NAMES.json          | 90 +++++++++++++++++++
 3 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 test/test-cases/regression/variable-MATCHED_VARS_NAMES.json

diff --git a/src/parser/seclang-scanner.ll b/src/parser/seclang-scanner.ll
index 87ba3966..9de669e2 100755
--- a/src/parser/seclang-scanner.ll
+++ b/src/parser/seclang-scanner.ll
@@ -59,7 +59,7 @@ OPERATORNOARG	(?i:@detectSQLi|@detectXSS|@geoLookup|@validateUrlEncoding|@valida
 
 TRANSFORMATION  t:(lowercase|urlDecodeUni|urlDecode|none|compressWhitespace|removeWhitespace|replaceNulls|removeNulls|htmlEntityDecode|jsDecode|cssDecode|trim)
 
-VARIABLE          (?i:MATCHED_VAR|MATCHED_VARS|INBOUND_DATA_ERROR|FULL_REQUEST|FILES|AUTH_TYPE|ARGS_NAMES|ARGS|QUERY_STRING|REMOTE_ADDR|REQUEST_BASENAME|REQUEST_BODY|REQUEST_COOKIES_NAMES|REQUEST_COOKIES|REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_METHOD|REQUEST_PROTOCOL|REQUEST_URI|RESPONSE_BODY|RESPONSE_CONTENT_LENGTH|RESPONSE_CONTENT_TYPE|RESPONSE_HEADERS_NAMES|RESPONSE_HEADERS|RESPONSE_PROTOCOL|RESPONSE_STATUS|TX|GEO)
+VARIABLE          (?i:MATCHED_VARS_NAMES|MATCHED_VAR|MATCHED_VARS|INBOUND_DATA_ERROR|FULL_REQUEST|FILES|AUTH_TYPE|ARGS_NAMES|ARGS|QUERY_STRING|REMOTE_ADDR|REQUEST_BASENAME|REQUEST_BODY|REQUEST_COOKIES_NAMES|REQUEST_COOKIES|REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_METHOD|REQUEST_PROTOCOL|REQUEST_URI|RESPONSE_BODY|RESPONSE_CONTENT_LENGTH|RESPONSE_CONTENT_TYPE|RESPONSE_HEADERS_NAMES|RESPONSE_HEADERS|RESPONSE_PROTOCOL|RESPONSE_STATUS|TX|GEO)
 RUN_TIME_VAR_DUR  (?i:DURATION)
 RUN_TIME_VAR_ENV  (?i:ENV)
 RUN_TIME_VAR_BLD  (?i:MODSEC_BUILD)
diff --git a/src/rule.cc b/src/rule.cc
index 51b19af6..e720503f 100644
--- a/src/rule.cc
+++ b/src/rule.cc
@@ -123,9 +123,12 @@ bool Rule::evaluate(Assay *assay) {
                         assay->store_variable("MATCHED_VAR", value);
                     }
                     assay->store_variable("MATCHED_VARS:" + v.first, value);
+                    assay->store_variable("MATCHED_VARS_NAMES:" + v.first,
+                        v.first);
                     this->chainedRule->evaluate(assay);
                     assay->update_variable_first("MATCHED_VAR", "");
                     assay->delete_variable("MATCHED_VARS:" + v.first);
+                    assay->delete_variable("MATCHED_VARS_NAMES:" + v.first);
                 }
             } else {
                 assay->debug(4, "Rule returned 0.");
diff --git a/test/test-cases/regression/variable-MATCHED_VARS_NAMES.json b/test/test-cases/regression/variable-MATCHED_VARS_NAMES.json
new file mode 100644
index 00000000..c7bb31a7
--- /dev/null
+++ b/test/test-cases/regression/variable-MATCHED_VARS_NAMES.json
@@ -0,0 +1,90 @@
+[
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Variables :: MATCHED_VARS_NAMES (1/2)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?keyI=value&keyII=other_value",
+      "protocol":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Target value: \"ARGS:keyII\" \\(Variable: MATCHED_VARS_NAMES:ARGS:keyII\\)"
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecDebugLog \/tmp\/modsec_debug.log",
+      "SecDebugLogLevel 9",
+      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
+      "SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
+      "SecRule MATCHED_VARS_NAMES \"@contains asdf\" \"pass\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Variables :: MATCHED_VARS_NAMES (2/2)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?keyI=value&keyII=other_value",
+      "protocol":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Target value: \"ARGS:keyI\" \\(Variable: MATCHED_VARS_NAMES:ARGS:keyI\\)"
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecDebugLog \/tmp\/modsec_debug.log",
+      "SecDebugLogLevel 9",
+      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
+      "SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
+      "SecRule MATCHED_VARS_NAMES \"@contains asdf\" \"pass\"",
+      "SecRule MATCHED_VARS_NAMES \"@contains value\" \"id:29\""
+    ]
+  }
+]
+