github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-16 07:56:12 +03:00
Code Issues Packages Projects Releases Wiki Activity

Revert to OWASP

Browse Source
This commit is contained in:
Marc Stern 2024-02-20 14:09:14 +01:00
commit c5a6d6b3a5
11 changed files with 916 additions and 864 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
.github/workflows/ci.yml vendored Normal file
View File

@ -0,0 +1,31 @@
name: Quality Assurance
on:
push:
pull_request:
jobs:
build-linux:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-22.04]
platform: [x64]
compiler: [gcc]
configure:
- {label: "with pcre2", opt: "--with-pcre2" }
- {label: "with lua", opt: "--with-lua" }
- {label: "wo lua", opt: "--without-lua" }
steps:
- name: Setup Dependencies
run: |
sudo apt-get update -y -qq
sudo apt-get install -y apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev pkg-config libyajl-dev
- uses: actions/checkout@v2
- name: autogen.sh
run: ./autogen.sh
- name: configure ${{ matrix.configure.label }}
run: ./configure ${{ matrix.configure.opt }}
- uses: ammaraskar/gcc-problem-matcher@master
- name: make
run: make -j `nproc`

8
apache2/msc_json.c
View File

@ -354,17 +354,15 @@ int json_init(modsec_rec *msr, char **error_msg) {
int json_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char **error_msg) {
if (error_msg == NULL) return -1;
*error_msg = NULL;
// Take a copy in case libyajl decodes the buffer inline
base_offset = apr_pstrmemdup(msr->mp, buf, size);
if (!base_offset) return -1;
base_offset=buf;
/* Feed our parser and catch any errors */
msr->json->status = yajl_parse(msr->json->handle, (unsigned char*)base_offset, size);
msr->json->status = yajl_parse(msr->json->handle, buf, size);
if (msr->json->status != yajl_status_ok) {
if (msr->json->depth_limit_exceeded) {
*error_msg = "JSON depth limit exceeded";
} else {
char *yajl_err = yajl_get_error(msr->json->handle, 0, base_offset, size);
char *yajl_err = yajl_get_error(msr->json->handle, 0, buf, size);
*error_msg = apr_pstrdup(msr->mp, yajl_err);
yajl_free_error(msr->json->handle, yajl_err);
}

10
apache2/msc_logging.c
View File

@ -234,7 +234,15 @@ static char *construct_auditlog_filename(apr_pool_t *mp, const char *uniqueid) {
* This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
* It also changes the return statement.
*/
char *userinfo = get_username(mp);
char *userinfo;
apr_status_t rc;
apr_uid_t uid;
apr_gid_t gid;
apr_uid_current(&uid, &gid, mp);
rc = apr_uid_name_get(&userinfo, uid, mp);
if (rc != APR_SUCCESS) {
userinfo = apr_psprintf(mp, "%u", uid);
}
apr_time_exp_lt(&t, apr_time_now());

14
apache2/msc_pcre.c
View File

@ -31,7 +31,11 @@ static apr_status_t msc_pcre_cleanup(msc_regex_t *regex) {
}
#else
if (regex->pe != NULL) {
#if defined(VERSION_NGINX)
pcre_free(regex->pe);
#else
free(regex->pe);
#endif
regex->pe = NULL;
}
if (regex->re != NULL) {
@ -148,15 +152,19 @@ void *msc_pregcomp_ex(apr_pool_t *pool, const char *pattern, int options,
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
pe = pcre_study(regex->re, PCRE_STUDY_EXTRA_NEEDED|PCRE_STUDY_JIT_COMPILE, &errptr);
pe = pcre_study(regex->re, PCRE_STUDY_JIT_COMPILE, &errptr);
#else
pe = pcre_study(regex->re, PCRE_STUDY_EXTRA_NEEDED, &errptr);
pe = pcre_study(regex->re, 0, &errptr);
#endif
#endif
/* Setup the pcre_extra record if pcre_study did not already do it */
if (pe == NULL) {
pe = (pcre_extra*)pcre_malloc(sizeof(pcre_extra));
#if defined(VERSION_NGINX)
pe = pcre_malloc(sizeof(pcre_extra));
#else
pe = malloc(sizeof(pcre_extra));
#endif
if (pe == NULL) {
return NULL;
}

11
apache2/msc_util.c
View File

@ -2843,14 +2843,3 @@ char* strtok_r(
}
#endif
// Function compatible with Linux & Windows, also with mpm-itk & mod_ruid2
char* get_username(apr_pool_t* mp) {
char* username;
apr_uid_t uid;
apr_gid_t gid;
int rc = apr_uid_current(&uid, &gid, mp);
if (rc != APR_SUCCESS) return "apache";
rc = apr_uid_name_get(&username, uid, mp);
if (rc != APR_SUCCESS) return "apache";
return username;
}

2
apache2/msc_util.h
View File

@ -159,8 +159,6 @@ int DSOLOCAL tree_contains_ip(apr_pool_t *mp, TreeRoot *rtree,
int DSOLOCAL ip_tree_from_param(apr_pool_t *pool,
char *param, TreeRoot **rtree, char **error_msg);
char DSOLOCAL *get_username(apr_pool_t* mp);
#ifdef WITH_CURL
int ip_tree_from_uri(TreeRoot **rtree, char *uri,
apr_pool_t *mp, char **error_msg);

39
apache2/persist_dbm.c
View File

@ -100,7 +100,18 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec
apr_table_entry_t *te;
int expired = 0;
int i;
char *userinfo = get_username(msr->mp);
/**
* This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
*/
char *userinfo;
apr_uid_t uid;
apr_gid_t gid;
apr_uid_current(&uid, &gid, msr->mp);
rc = apr_uid_name_get(&userinfo, uid, msr->mp);
if (rc != APR_SUCCESS) {
userinfo = apr_psprintf(msr->mp, "%u", uid);
}
if (msr->txcfg->data_dir == NULL) {
msr_log(msr, 1, "collection_retrieve_ex: Unable to retrieve collection (name \"%s\", key \"%s\"). Use "
@ -373,7 +384,18 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
int i;
const apr_table_t *stored_col = NULL;
const apr_table_t *orig_col = NULL;
char *userinfo = get_username(msr->mp);
/**
* This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
*/
char *userinfo;
apr_uid_t uid;
apr_gid_t gid;
apr_uid_current(&uid, &gid, msr->mp);
rc = apr_uid_name_get(&userinfo, uid, msr->mp);
if (rc != APR_SUCCESS) {
userinfo = apr_psprintf(msr->mp, "%u", uid);
}
var_name = (msc_string *)apr_table_get(col, "__name");
if (var_name == NULL) {
@ -655,7 +677,18 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) {
char **keys;
apr_time_t now = apr_time_sec(msr->request_time);
int i;
char *userinfo = get_username(msr->mp);
/**
* This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
*/
char *userinfo;
apr_uid_t uid;
apr_gid_t gid;
apr_uid_current(&uid, &gid, msr->mp);
rc = apr_uid_name_get(&userinfo, uid, msr->mp);
if (rc != APR_SUCCESS) {
userinfo = apr_psprintf(msr->mp, "%u", uid);
}
if (msr->txcfg->data_dir == NULL) {
/* The user has been warned about this problem enough times already by now.

44
apache2/re.c
View File

@ -76,7 +76,7 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va
if(rule->actionset == NULL)
return 0;
{
if(rule->actionset->id !=NULL) {
myvar = apr_pstrdup(msr->mp, var->name);
@ -353,11 +353,11 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
rc = msre_parse_targets(ruleset, p, rule->targets, &my_error_msg);
if (rc < 0) {
if(msr) {
msr_log(msr, 9, "Error parsing rule targets to replace variable: %s", my_error_msg);
msr_log(msr, 9, "Error parsing rule targets to replace variable");
}
#if !defined(MSC_TEST)
else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: Error parsing rule targets to replace variable: %s", my_error_msg);
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: Error parsing rule targets to replace variable");
}
#endif
goto end;
@ -378,7 +378,7 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
}
#if !defined(MSC_TEST)
else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: Cannot find variable to replace");
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: Cannot find varibale to replace");
}
#endif
goto end;
@ -386,13 +386,8 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
} else {
target = strdup(p);
if(target == NULL) {
if(target_list != NULL)
free(target_list);
if(replace != NULL)
free(replace);
return NULL;
}
if(target == NULL)
return NULL;
is_negated = is_counting = 0;
param = name = value = NULL;
@ -426,8 +421,6 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
free(target_list);
if(replace != NULL)
free(replace);
if(target != NULL)
free(target);
if(msr) {
msr_log(msr, 9, "Error to update target - [%s] is not valid target", name);
}
@ -506,7 +499,7 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
if(var_appended == 1) {
current_targets = msre_generate_target_string(ruleset->mp, rule);
rule->unparsed = msre_rule_generate_unparsed(ruleset->mp, rule, current_targets, NULL, NULL);
rule->p1 = current_targets;
rule->p1 = apr_pstrdup(ruleset->mp, current_targets);
if(msr) {
msr_log(msr, 9, "Successfully appended variable");
}
@ -519,12 +512,18 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
}
end:
if(target_list != NULL)
if(target_list != NULL) {
free(target_list);
if(replace != NULL)
target_list = NULL;
}
if(replace != NULL) {
free(replace);
if(target != NULL)
replace = NULL;
}
if(target != NULL) {
free(target);
target = NULL;
}
return NULL;
}
@ -638,10 +637,7 @@ static char *msre_generate_target_string(apr_pool_t *pool, msre_rule *rule) {
/**
* Generate an action string from an actionset.
*/
#ifndef DEBUG_CONF
static
#endif
char *msre_actionset_generate_action_string(apr_pool_t *pool, const msre_actionset *actionset) {
static char *msre_actionset_generate_action_string(apr_pool_t *pool, const msre_actionset *actionset) {
const apr_array_header_t *tarr = NULL;
const apr_table_entry_t *telts = NULL;
char *actions = NULL;
@ -1059,12 +1055,6 @@ int msre_parse_generic(apr_pool_t *mp, const char *text, apr_table_t *vartable,
while(isspace(*p)) p++;
if (*p == '\0') return count;
/* ignore empty action */
if (*p == ',') {
p++;
continue;
}
/* we are at the beginning of the name */
name = p;
while((*p != '\0')&&(*p != '|')&&(*p != ':')&&(*p != ',')&&(!isspace(*p))) p++; /* ENH replace with isvarnamechar() */

4
apache2/re.h
View File

@ -75,10 +75,6 @@ int DSOLOCAL rule_id_in_range(int ruleid, const char *range);
msre_var DSOLOCAL *generate_single_var(modsec_rec *msr, msre_var *var, apr_array_header_t *tfn_arr,
msre_rule *rule, apr_pool_t *mptmp);
#ifdef DEBUG_CONF
char DSOLOCAL* msre_actionset_generate_action_string(apr_pool_t* pool, const msre_actionset* actionset);
#endif
#if defined(WITH_LUA)
apr_table_t DSOLOCAL *generate_multi_var(modsec_rec *msr, msre_var *var, apr_array_header_t *tfn_arr,
msre_rule *rule, apr_pool_t *mptmp);

4
apache2/re_actions.c
View File

@ -183,9 +183,9 @@ int expand_macros(modsec_rec *msr, msc_string *var, msre_rule *rule, apr_pool_t
* no macros in the input data.
*/
data = var->value;
data = apr_pstrdup(mptmp, var->value); /* IMP1 Are we modifying data anywhere? */
arr = apr_array_make(mptmp, 16, sizeof(msc_string *));
if (arr == NULL) return -1;
if ((data == NULL)||(arr == NULL)) return -1;
text_start = next_text_start = data;
do {

3
apache2/re_operators.c
View File

@ -751,6 +751,7 @@ static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_v
char *my_error_msg = NULL;
int ovector[33];
int rc;
const char *pattern = NULL;
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
int jit = 0;
@ -780,7 +781,7 @@ static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_v
expand_macros(msr, re_pattern, rule, msr->mp);
const char *pattern = log_escape_re(msr->mp, re_pattern->value);
pattern = log_escape_re(msr->mp, re_pattern->value);
if (msr->txcfg->debuglog_level >= 6) {
msr_log(msr, 6, "Escaping pattern [%s]",pattern);
}