Adds support to SecRemoteRules and Include directives

This commit includes a refactoring on important pieces of the parser to allow it work in a stack fashion. Driver and Rules classes were simplified and the RulesProperties class was created.
2025-09-29 19:24:29 +03:00 · 2015-07-24 19:15:25 -03:00
parent ec9a97324f
commit b8f7fb441d
14 changed files with 726 additions and 238 deletions
--- a/headers/modsecurity/rules.h
+++ b/headers/modsecurity/rules.h
@@ -32,6 +32,7 @@ typedef struct Assay_t Assay;

 #include "modsecurity/modsecurity.h"
 #include "modsecurity/assay.h"
+#include "modsecurity/rules_properties.h"

 #ifdef __cplusplus

@@ -43,30 +44,20 @@ class Driver;
 }

 /** @ingroup ModSecurity_CPP_API */
-class Rules {
+class Rules : public RulesProperties  {
 public:
    Rules()
-        : m_referenceCount(0),
-        requestBodyLimit(0),
-        responseBodyLimit(0),
-        m_custom_debug_log(NULL) { }
+        : RulesProperties(NULL) { }

-    explicit Rules(DebugLog *custom_log)
-        : m_referenceCount(0),
-        m_custom_debug_log(custom_log) { }
+    Rules(DebugLog *customLog)
+        : RulesProperties(customLog) { }

    ~Rules();

    void incrementReferenceCount(void);
    void decrementReferenceCount(void);

-    /**
-    * FIXME:
-    *
-    * names should follow a patterner
-    *
-    */
-    bool loadFromUri(char *uri);
+    bool loadFromUri(const char *uri);
    bool loadRemote(char *key, char *uri);
    bool load(const char *rules);
    bool load(const char *rules, const std::string &ref);
@@ -79,81 +70,13 @@ class Rules {
    int evaluate(int phase, Assay *assay);
    std::string getParserError();

-    std::vector<Rule *> rules[7];  // Number of Phases.
-
-    /**
-     *
-     * The RuleEngine enumerator consists in mapping the different states
-     * of the rule engine.
-     *
-     */
-    enum RuleEngine {
-    /**
-     * Rules won't be evaluated if Rule Engine is set to DisabledRuleEngine
-     *
-     */
-     DisabledRuleEngine,
-    /**
-     * Rules will be evaluated and disturb actions will take place if needed.
-     *
-     */
-     EnabledRuleEngine,
-    /**
-     * Rules will be evaluated but it won't generate any disruptive action.
-     *
-     */
-     DetectionOnlyRuleEngine
-    };
-
-    enum BodyLimitAction {
-    /**
-     * Process partial
-     *
-     */
-     ProcessPartialBodyLimitAction,
-    /**
-     * Process partial
-     *
-     */
-     RejectBodyLimitAction
-    };
-    static const char *ruleEngineStateString(RuleEngine i) {
-      switch (i) {
-      case DisabledRuleEngine:
-          return "Disabled";
-      case EnabledRuleEngine:
-          return "Enabled";
-      case DetectionOnlyRuleEngine:
-          return "DetectionOnly";
-      }
-      return NULL;
-    }
-
-    RuleEngine secRuleEngine;
-    int sec_audit_type;
-    bool sec_audit_engine;
-    bool sec_request_body_access;
-    bool sec_response_body_access;
-    std::string audit_log_path;
-    std::string audit_log_parts;
-    std::string debug_log_path;
-    int debug_level;
-    DebugLog *debug_log;
    void debug(int level, std::string message);
-    std::list<std::string> components;
-
-    int requestBodyLimit;
-    int responseBodyLimit;
-    int requestBodyLimitAction;
-    int responseBodyLimitAction;

    std::ostringstream parserError;

-    AuditLog *audit_log;
-
+    DebugLog *debugLog;
 private:
    int m_referenceCount;
-    DebugLog *m_custom_debug_log;
 };

 #endif
--- a/headers/modsecurity/rules_properties.h
+++ b/headers/modsecurity/rules_properties.h
@@ -0,0 +1,187 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#ifdef __cplusplus
+#include <ctime>
+#include <iostream>
+#include <string>
+#include <vector>
+#include <list>
+#endif
+
+
+#ifndef HEADERS_MODSECURITY_RULES_PROPERTIES_H_
+#define HEADERS_MODSECURITY_RULES_PROPERTIES_H_
+
+#include "modsecurity/modsecurity.h"
+#include "modsecurity/assay.h"
+#include "modsecurity/assay.h"
+
+#ifdef __cplusplus
+
+namespace ModSecurity {
+class Rule;
+class AuditLog;
+namespace Parser {
+class Driver;
+}
+
+/** @ingroup ModSecurity_CPP_API */
+class RulesProperties {
+ public:
+    RulesProperties()
+        : audit_log(NULL),
+        customDebugLog(NULL),
+        remoteRulesActionOnFailed(AbortOnFailedRemoteRulesAction),
+        requestBodyLimit(0),
+        requestBodyLimitAction(ProcessPartialBodyLimitAction),
+        responseBodyLimit(0),
+        responseBodyLimitAction(ProcessPartialBodyLimitAction),
+        secRuleEngine(DetectionOnlyRuleEngine) { }
+
+    explicit RulesProperties(DebugLog *customDebugLog)
+        : audit_log(NULL),
+        customDebugLog(customDebugLog),
+        remoteRulesActionOnFailed(AbortOnFailedRemoteRulesAction),
+        requestBodyLimit(0),
+        requestBodyLimitAction(ProcessPartialBodyLimitAction),
+        responseBodyLimit(0),
+        responseBodyLimitAction(ProcessPartialBodyLimitAction),
+        secRuleEngine(DetectionOnlyRuleEngine) { }
+
+    ~RulesProperties() { };
+
+    std::vector<Rule *> rules[7];  // ModSecurity::Phases::NUMBER_OF_PHASES
+
+
+    /**
+     *
+     * The RuleEngine enumerator consists in mapping the different states
+     * of the rule engine.
+     *
+     */
+    enum RuleEngine {
+    /**
+     *
+     * Rules won't be evaluated if Rule Engine is set to DisabledRuleEngine
+     *
+     */
+     DisabledRuleEngine,
+    /**
+     *
+     * Rules will be evaluated and disturb actions will take place if needed.
+     *
+     */
+     EnabledRuleEngine,
+    /**
+     * Rules will be evaluated but it won't generate any disruptive action.
+     *
+     */
+     DetectionOnlyRuleEngine
+    };
+
+    /**
+     *
+     * Defines what actions should be taken in case the body (response or
+     * request) is bigger than the expected size.
+     *
+     */
+    enum BodyLimitAction {
+    /**
+     *
+     * Process partial
+     *
+     */
+     ProcessPartialBodyLimitAction,
+    /**
+     *
+     * Reject the request
+     *
+     */
+     RejectBodyLimitAction
+    };
+
+
+    /**
+     *
+     * Defines what actions should be taken in case the remote rules failed to
+     * be downloaded (independent of the circumstances)
+     * 
+     *
+     */
+    enum OnFailedRemoteRulesAction {
+    /**
+     *
+     * Abort
+     *
+     */
+     AbortOnFailedRemoteRulesAction,
+    /**
+     *
+     * Warn on logging
+     *
+     */
+     WarnOnFailedRemoteRulesAction
+    };
+
+
+    static const char *ruleEngineStateString(RuleEngine i) {
+      switch (i) {
+      case DisabledRuleEngine:
+          return "Disabled";
+      case EnabledRuleEngine:
+          return "Enabled";
+      case DetectionOnlyRuleEngine:
+          return "DetectionOnly";
+      }
+      return NULL;
+    }
+
+
+    RuleEngine secRuleEngine;
+    double requestBodyLimit;
+    double responseBodyLimit;
+    BodyLimitAction requestBodyLimitAction;
+    BodyLimitAction responseBodyLimitAction;
+
+    DebugLog *customDebugLog;
+
+    int sec_audit_type;
+    bool sec_audit_engine;
+    bool sec_request_body_access;
+    bool sec_response_body_access;
+    std::string audit_log_path;
+    std::string audit_log_parts;
+    std::string debug_log_path;
+    int debug_level;
+    std::list<std::string> components;
+
+
+    std::ostringstream parserError;
+
+    AuditLog *audit_log;
+
+    OnFailedRemoteRulesAction remoteRulesActionOnFailed;
+
+
+};
+
+#endif
+
+#ifdef __cplusplus
+}  // namespace ModSecurity
+#endif
+
+#endif  // HEADERS_MODSECURITY_RULES_PROPERTIES_H_