github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 13:26:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Refactoring on rulesProperties class

Browse Source 
Among of other things the merge process was improved to detect if
certain properties were set on the origin rule set.
This commit is contained in:
Felipe Zimmerle 2016-10-05 12:01:15 -03:00
parent ae8698d8cf
commit c680ddf2cd
No known key found for this signature in database
GPG Key ID: E6DFB08CE8B11277
27 changed files with 495 additions and 394 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
examples/multiprocess_c/multi.c
View File

@ -15,11 +15,13 @@
#include <modsecurity/modsecurity.h>
#include <modsecurity/transaction.h>
#include <modsecurity/rules.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#define FORKS 5
#define REQUESTS_PER_PROCESS 100

1
examples/simple_example_using_c/test.c
View File

@ -18,6 +18,7 @@
#include "stdlib.h"
#include "modsecurity/modsecurity.h"
#include "modsecurity/rules.h"
char main_rule_uri[] = "basic_rules.conf";

4
headers/modsecurity/modsecurity.h
View File

@ -92,7 +92,6 @@ typedef struct ModSecurity_t modsecurity;
#include "modsecurity/intervention.h"
#include "modsecurity/transaction.h"
#include "modsecurity/debug_log.h"
#include "modsecurity/rules.h"
/**
* TAG_NUM:
@ -129,9 +128,6 @@ namespace modsecurity {
namespace actions {
class Action;
}
namespace operators {
class Operators;
}
class Rule;
/** @ingroup ModSecurity_CPP_API */

8
headers/modsecurity/rule.h
View File

@ -23,7 +23,7 @@
#ifndef HEADERS_MODSECURITY_RULE_H_
#define HEADERS_MODSECURITY_RULE_H_
#include "modsecurity/modsecurity.h"
#include "modsecurity/transaction.h"
#ifdef __cplusplus
@ -32,6 +32,12 @@ namespace modsecurity {
namespace Variables {
class Variable;
}
namespace actions {
class Action;
}
namespace operators {
class Operator;
}
class Rule {
public:

4
headers/modsecurity/rules.h
View File

@ -28,9 +28,9 @@
#ifndef HEADERS_MODSECURITY_RULES_H_
#define HEADERS_MODSECURITY_RULES_H_
#include "modsecurity/rules_properties.h"
#include "modsecurity/modsecurity.h"
#include "modsecurity/transaction.h"
#include "modsecurity/rules_properties.h"
#ifdef __cplusplus
@ -42,7 +42,7 @@ class Driver;
}
/** @ingroup ModSecurity_CPP_API */
class Rules : public RulesProperties {
class Rules : public RulesProperties {
public:
Rules()
: RulesProperties(new DebugLog()),

445
headers/modsecurity/rules_properties.h
View File

@ -13,6 +13,7 @@
*
*/
#ifdef __cplusplus
#include <ctime>
#include <iostream>
@ -26,14 +27,15 @@
#ifndef HEADERS_MODSECURITY_RULES_PROPERTIES_H_
#define HEADERS_MODSECURITY_RULES_PROPERTIES_H_
#include "modsecurity/modsecurity.h"
#include "modsecurity/transaction.h"
#include "modsecurity/rule.h"
#include "modsecurity/rules_exceptions.h"
#ifdef __cplusplus
namespace modsecurity {
class Rule;
class RulesExceptions;
namespace audit_log {
class AuditLog;
@ -45,79 +47,77 @@ namespace Parser {
class Driver;
}
/** @ingroup ModSecurity_CPP_API */
class ConfigInt {
public:
ConfigInt() : m_set(false), m_value(0) { }
bool m_set;
int m_value;
};
class ConfigDouble {
public:
ConfigDouble() : m_set(false), m_value(0) { }
bool m_set;
double m_value;
};
class ConfigString {
public:
ConfigString() : m_set(false), m_value("") { }
bool m_set;
std::string m_value;
};
class RulesProperties {
public:
RulesProperties()
: audit_log(NULL),
RulesProperties() : m_auditLog(NULL),
m_debugLog(new DebugLog()),
m_httpbl_key(""),
remoteRulesActionOnFailed(AbortOnFailedRemoteRulesAction),
requestBodyLimit(0),
requestBodyNoFilesLimit(0),
requestBodyInMemoryLimit(0),
secRequestBodyAccess(false),
secResponseBodyAccess(false),
secXMLExternalEntity(false),
requestBodyLimitAction(ProcessPartialBodyLimitAction),
responseBodyLimit(0),
responseBodyLimitAction(ProcessPartialBodyLimitAction),
secRuleEngine(DetectionOnlyRuleEngine),
uploadKeepFiles(0),
uploadFileLimit(100),
uploadFileMode(0),
tmpSaveUploadedFiles(false) { }
m_httpblKey(""),
m_remoteRulesActionOnFailed(PropertyNotSetRemoteRulesAction),
m_secRequestBodyAccess(PropertyNotSetConfigBoolean),
m_secResponseBodyAccess(PropertyNotSetConfigBoolean),
m_secXMLExternalEntity(PropertyNotSetConfigBoolean),
m_requestBodyLimitAction(PropertyNotSetBodyLimitAction),
m_responseBodyLimitAction(PropertyNotSetBodyLimitAction),
m_secRuleEngine(PropertyNotSetRuleEngine),
m_uploadKeepFiles(PropertyNotSetConfigBoolean),
m_tmpSaveUploadedFiles(PropertyNotSetConfigBoolean) { }
explicit RulesProperties(DebugLog *debugLog)
: audit_log(NULL),
explicit RulesProperties(DebugLog *debugLog) : m_auditLog(NULL),
m_debugLog(debugLog),
m_httpbl_key(""),
remoteRulesActionOnFailed(AbortOnFailedRemoteRulesAction),
requestBodyLimit(0),
requestBodyNoFilesLimit(0),
requestBodyInMemoryLimit(0),
secRequestBodyAccess(false),
secResponseBodyAccess(false),
secXMLExternalEntity(false),
requestBodyLimitAction(ProcessPartialBodyLimitAction),
responseBodyLimit(0),
responseBodyLimitAction(ProcessPartialBodyLimitAction),
secRuleEngine(DetectionOnlyRuleEngine),
uploadKeepFiles(0),
uploadFileLimit(100),
uploadFileMode(0),
tmpSaveUploadedFiles(false) { }
m_httpblKey(""),
m_remoteRulesActionOnFailed(PropertyNotSetRemoteRulesAction),
m_secRequestBodyAccess(PropertyNotSetConfigBoolean),
m_secResponseBodyAccess(PropertyNotSetConfigBoolean),
m_secXMLExternalEntity(PropertyNotSetConfigBoolean),
m_requestBodyLimitAction(PropertyNotSetBodyLimitAction),
m_responseBodyLimitAction(PropertyNotSetBodyLimitAction),
m_secRuleEngine(PropertyNotSetRuleEngine),
m_uploadKeepFiles(PropertyNotSetConfigBoolean),
m_tmpSaveUploadedFiles(PropertyNotSetConfigBoolean) { }
/*
RulesProperties(const RulesProperties &other)
: audit_log(other.audit_log),
m_debugLog(other.m_debugLog),
remoteRulesActionOnFailed(other.remoteRulesActionOnFailed),
requestBodyLimit(other.requestBodyLimit),
requestBodyNoFilesLimit(other.requestBodyNoFilesLimit),
requestBodyInMemoryLimit(other.requestBodyInMemoryLimit),
secRequestBodyAccess(other.secRequestBodyAccess),
secResponseBodyAccess(other.secResponseBodyAccess),
requestBodyLimitAction(other.requestBodyLimitAction),
responseBodyLimit(other.responseBodyLimit),
responseBodyLimitAction(other.responseBodyLimitAction),
secRuleEngine(other.secRuleEngine) { }
*/
~RulesProperties() {
delete m_debugLog;
}
std::vector<Rule *> rules[8];
std::vector<Rule *> * getRulesForPhase(int phase) {
if (phase > 7) {
return NULL;
}
return &rules[phase];
}
// ModSecurity::Phases::NUMBER_OF_PHASES
std::vector<actions::Action *> defaultActions[8];
// ModSecurity::Phases::NUMBER_OF_PHASES
/**
*
*
*/
enum ConfigBoolean {
TrueConfigBoolean,
FalseConfigBoolean,
PropertyNotSetConfigBoolean
};
/**
*
@ -126,25 +126,30 @@ class RulesProperties {
*
*/
enum RuleEngine {
/**
*
* Rules won't be evaluated if Rule Engine is set to DisabledRuleEngine
*
*/
DisabledRuleEngine,
/**
*
* Rules will be evaluated and disturb actions will take place if needed.
*
*/
EnabledRuleEngine,
/**
* Rules will be evaluated but it won't generate any disruptive action.
*
*/
DetectionOnlyRuleEngine
/**
*
* Rules won't be evaluated if Rule Engine is set to DisabledRuleEngine
*
*/
DisabledRuleEngine,
/**
*
* Rules will be evaluated and disturb actions will take place if needed.
*
*/
EnabledRuleEngine,
/**
* Rules will be evaluated but it won't generate any disruptive action.
*
*/
DetectionOnlyRuleEngine,
/**
*
*/
PropertyNotSetRuleEngine
};
/**
*
* Defines what actions should be taken in case the body (response or
@ -152,18 +157,22 @@ class RulesProperties {
*
*/
enum BodyLimitAction {
/**
*
* Process partial
*
*/
/**
*
* Process partial
*
*/
ProcessPartialBodyLimitAction,
/**
*
* Reject the request
*
*/
RejectBodyLimitAction
/**
*
* Reject the request
*
*/
RejectBodyLimitAction,
/**
*
*/
PropertyNotSetBodyLimitAction
};
@ -171,72 +180,226 @@ class RulesProperties {
*
* Defines what actions should be taken in case the remote rules failed to
* be downloaded (independent of the circumstances)
*
*
*
*/
enum OnFailedRemoteRulesAction {
/**
*
* Abort
*
*/
/**
*
* Abort
*
*/
AbortOnFailedRemoteRulesAction,
/**
*
* Warn on logging
*
*/
WarnOnFailedRemoteRulesAction
/**
*
* Warn on logging
*
*/
WarnOnFailedRemoteRulesAction,
/**
*
*/
PropertyNotSetRemoteRulesAction
};
static const char *ruleEngineStateString(RuleEngine i) {
switch (i) {
case DisabledRuleEngine:
return "Disabled";
case EnabledRuleEngine:
return "Enabled";
case DetectionOnlyRuleEngine:
return "DetectionOnly";
}
return NULL;
switch (i) {
case DisabledRuleEngine:
return "Disabled";
case EnabledRuleEngine:
return "Enabled";
case DetectionOnlyRuleEngine:
return "DetectionOnly";
case PropertyNotSetRuleEngine:
return "PropertyNotSet/DetectionOnly";
}
return NULL;
}
RuleEngine secRuleEngine;
double requestBodyNoFilesLimit;
double requestBodyInMemoryLimit;
double requestBodyLimit;
double responseBodyLimit;
BodyLimitAction requestBodyLimitAction;
BodyLimitAction responseBodyLimitAction;
static std::string configBooleanString(ConfigBoolean i) {
switch (i) {
case TrueConfigBoolean:
return "True";
case FalseConfigBoolean:
return "False";
case PropertyNotSetConfigBoolean:
return "Not set";
}
return NULL;
}
bool secRequestBodyAccess;
bool secResponseBodyAccess;
bool secXMLExternalEntity;
std::string audit_log_path;
std::string audit_log_parts;
std::list<std::string> components;
std::set<std::string> m_responseBodyTypeToBeInspected;
static int mergeProperties(RulesProperties *from, RulesProperties *to,
std::ostringstream *err) {
int amount_of_rules = 0;
amount_of_rules = appendRules(from->rules, to->rules, err);
if (amount_of_rules < 0) {
return amount_of_rules;
}
if (from->m_secRuleEngine != PropertyNotSetRuleEngine) {
to->m_secRuleEngine = from->m_secRuleEngine;
}
if (from->m_secRequestBodyAccess != PropertyNotSetConfigBoolean) {
to->m_secRequestBodyAccess = from->m_secRequestBodyAccess;
}
if (from->m_secResponseBodyAccess != PropertyNotSetConfigBoolean) {
to->m_secResponseBodyAccess = from->m_secResponseBodyAccess;
}
if (from->m_secXMLExternalEntity != PropertyNotSetConfigBoolean) {
to->m_secXMLExternalEntity = from->m_secXMLExternalEntity;
}
if (from->m_uploadKeepFiles != PropertyNotSetConfigBoolean) {
to->m_uploadKeepFiles = from->m_uploadKeepFiles;
}
if (from->m_tmpSaveUploadedFiles != PropertyNotSetConfigBoolean) {
to->m_tmpSaveUploadedFiles = from->m_tmpSaveUploadedFiles;
}
to->m_components = from->m_components;
if (from->m_requestBodyLimit.m_set == true) {
to->m_requestBodyLimit.m_value = from->m_requestBodyLimit.m_value;
}
if (from->m_responseBodyLimit.m_set == true) {
to->m_responseBodyLimit.m_value = from->m_responseBodyLimit.m_value;
}
if (from->m_requestBodyLimitAction != PropertyNotSetBodyLimitAction) {
to->m_requestBodyLimitAction = from->m_requestBodyLimitAction;
}
if (from->m_responseBodyLimitAction != PropertyNotSetBodyLimitAction) {
to->m_responseBodyLimitAction = from->m_responseBodyLimitAction;
}
if (from->m_uploadFileLimit.m_set == true) {
to->m_uploadFileLimit.m_value = from->m_uploadFileLimit.m_value;
}
if (from->m_uploadFileMode.m_set == true) {
to->m_uploadFileMode.m_value = from->m_uploadFileMode.m_value;
}
to->m_uploadDirectory = from->m_uploadDirectory;
to->m_exceptions = from->m_exceptions;
for (std::set<std::string>::iterator
it = from->m_responseBodyTypeToBeInspected.begin();
it != from->m_responseBodyTypeToBeInspected.end(); ++it) {
to->m_responseBodyTypeToBeInspected.insert(*it);
}
/*
*
* default Actions is something per configuration context, there is
* need to merge anything.
*
*/
for (int i = 0; i <= 8; i++) {
std::vector<actions::Action *> actions = from->defaultActions[i];
to->defaultActions[i].clear();
for (int j = 0; j < actions.size(); j++) {
actions::Action *action = actions[j];
to->defaultActions[i].push_back(action);
}
}
if (from->m_debugLog && to->m_debugLog &&
from->m_debugLog->isLogFileSet()) {
to->m_debugLog->setDebugLogFile(
from->m_debugLog->getDebugLogFile());
}
if (from->m_debugLog && to->m_debugLog &&
from->m_debugLog->isLogLevelSet()) {
to->m_debugLog->setDebugLogLevel(
from->m_debugLog->getDebugLogLevel());
}
return amount_of_rules;
}
static int appendRules(std::vector<modsecurity::Rule *> from[8],
std::vector<modsecurity::Rule *> to[8],
std::ostringstream *err) {
int amount_of_rules = 0;
for (int i = 0; i <= 8; i++) {
std::vector<modsecurity::Rule *> rules_to = to[i];
std::vector<modsecurity::Rule *> rules_from = from[i];
for (int j = 0; j < rules_from.size(); j++) {
Rule *rule = rules_from[j];
for (int z = 0; z < rules_to.size(); z++) {
Rule *rule_ckc = rules_to[z];
if (rule_ckc->rule_id == rule->rule_id) {
if (err != NULL) {
*err << "Rule id: " \
<< std::to_string(rule->rule_id) \
<< " is duplicated" << std::endl;
}
return -1;
}
}
amount_of_rules++;
rules_to.push_back(rule);
rule->refCountIncrease();
}
}
return amount_of_rules;
}
std::vector<modsecurity::Rule *> *getRulesForPhase(int phase) {
if (phase > 7) {
return NULL;
}
return &rules[phase];
}
audit_log::AuditLog *m_auditLog;
BodyLimitAction m_requestBodyLimitAction;
BodyLimitAction m_responseBodyLimitAction;
ConfigBoolean m_secRequestBodyAccess;
ConfigBoolean m_secResponseBodyAccess;
ConfigBoolean m_secXMLExternalEntity;
ConfigBoolean m_tmpSaveUploadedFiles;
ConfigBoolean m_uploadKeepFiles;
ConfigDouble m_requestBodyInMemoryLimit;
ConfigDouble m_requestBodyLimit;
ConfigDouble m_requestBodyNoFilesLimit;
ConfigDouble m_responseBodyLimit;
ConfigInt m_uploadFileLimit;
ConfigInt m_uploadFileMode;
DebugLog *m_debugLog;
std::string m_httpbl_key;
std::ostringstream parserError;
bool uploadKeepFiles;
int uploadFileLimit;
int uploadFileMode;
std::string uploadDirectory;
std::string uploadTmpDirectory;
bool tmpSaveUploadedFiles;
audit_log::AuditLog *audit_log;
OnFailedRemoteRulesAction remoteRulesActionOnFailed;
OnFailedRemoteRulesAction m_remoteRulesActionOnFailed;
RuleEngine m_secRuleEngine;
RulesExceptions m_exceptions;
std::list<std::string> m_components;
std::ostringstream m_parserError;
std::set<std::string> m_responseBodyTypeToBeInspected;
std::string m_auditLogParts;
std::string m_auditLogPath;
std::string m_httpblKey;
std::string m_uploadDirectory;
std::string m_uploadTmpDirectory;
std::vector<actions::Action *> defaultActions[8];
std::vector<modsecurity::Rule *> rules[8];
};
#endif
#ifdef __cplusplus

1
src/actions/transformations/escape_seq_decode.cc
View File

@ -21,6 +21,7 @@
#include <functional>
#include <cctype>
#include <locale>
#include <cstring>
#include "modsecurity/transaction.h"
#include "actions/transformations/transformation.h"

1
src/actions/transformations/hex_decode.cc
View File

@ -21,6 +21,7 @@
#include <functional>
#include <cctype>
#include <locale>
#include <cstring>
#include "modsecurity/transaction.h"
#include "actions/transformations/transformation.h"

3
src/actions/transformations/parity_even_7bit.cc
View File

@ -21,6 +21,7 @@
#include <functional>
#include <cctype>
#include <locale>
#include <cstring>
#include "modsecurity/transaction.h"
#include "actions/transformations/transformation.h"
@ -43,7 +44,7 @@ std::string ParityEven7bit::evaluate(std::string value,
return "";
}
memcpy(input, value.c_str(), value.length()+1);
std::memcpy(input, value.c_str(), value.length()+1);
inplace(input, value.length());

1
src/actions/transformations/parity_odd_7bit.cc
View File

@ -21,6 +21,7 @@
#include <functional>
#include <cctype>
#include <locale>
#include <cstring>
#include "modsecurity/transaction.h"
#include "actions/transformations/transformation.h"

1
src/actions/transformations/parity_zero_7bit.cc
View File

@ -21,6 +21,7 @@
#include <functional>
#include <cctype>
#include <locale>
#include <cstring>
#include "modsecurity/transaction.h"
#include "actions/transformations/transformation.h"

1
src/actions/transformations/remove_comments.cc
View File

@ -21,6 +21,7 @@
#include <functional>
#include <cctype>
#include <locale>
#include <cstring>
#include "modsecurity/transaction.h"
#include "actions/transformations/transformation.h"

1
src/actions/transformations/replace_comments.cc
View File

@ -21,6 +21,7 @@
#include <functional>
#include <cctype>
#include <locale>
#include <cstring>
#include "modsecurity/transaction.h"
#include "actions/transformations/transformation.h"

1
src/actions/transformations/sql_hex_decode.cc
View File

@ -21,6 +21,7 @@
#include <functional>
#include <cctype>
#include <locale>
#include <cstring>
#include "modsecurity/transaction.h"
#include "actions/transformations/transformation.h"

1
src/actions/transformations/url_decode.cc
View File

@ -21,6 +21,7 @@
#include <functional>
#include <cctype>
#include <locale>
#include <cstring>
#include "modsecurity/transaction.h"
#include "actions/transformations/transformation.h"

3
src/actions/transformations/url_decode_uni.cc
View File

@ -23,11 +23,12 @@
#include <functional>
#include <cctype>
#include <locale>
#include <cstring>
#include "modsecurity/transaction.h"
#include "actions/transformations/transformation.h"
#include "src/utils.h"
#include "modsecurity/rules.h"
namespace modsecurity {
namespace actions {

1
src/actions/transformations/utf8_to_unicode.cc
View File

@ -21,6 +21,7 @@
#include <functional>
#include <cctype>
#include <locale>
#include <cstring>
#include "modsecurity/transaction.h"
#include "actions/transformations/transformation.h"

2
src/operators/rbl.cc
View File

@ -33,7 +33,7 @@ namespace operators {
std::string Rbl::mapIpToAddress(std::string ipStr, Transaction *trans) {
std::string addr;
int h0, h1, h2, h3;
std::string key = trans->m_rules->m_httpbl_key;
std::string key = trans->m_rules->m_httpblKey;
if (sscanf(ipStr.c_str(), "%d.%d.%d.%d", &h0, &h1, &h2, &h3) != 4) {
debug(trans, 0, std::string("Failed to understand `" + ipStr +

44
src/parser/driver.cc
View File

@ -27,14 +27,14 @@ namespace Parser {
Driver::Driver()
: trace_scanning(false),
trace_parsing(false) {
audit_log = new audit_log::AuditLog();
audit_log->refCountIncrease();
m_auditLog = new audit_log::AuditLog();
m_auditLog->refCountIncrease();
}
Driver::~Driver() {
if (audit_log != NULL) {
audit_log->refCountDecreaseAndCheck();
if (m_auditLog != NULL) {
m_auditLog->refCountDecreaseAndCheck();
}
delete loc.back();
}
@ -52,8 +52,8 @@ int Driver::addSecMarker(std::string marker) {
int Driver::addSecAction(Rule *rule) {
if (rule->phase > ModSecurity::Phases::NUMBER_OF_PHASES) {
parserError << "Unknown phase: " << std::to_string(rule->phase);
parserError << std::endl;
m_parserError << "Unknown phase: " << std::to_string(rule->phase);
m_parserError << std::endl;
return false;
}
@ -64,8 +64,8 @@ int Driver::addSecAction(Rule *rule) {
int Driver::addSecRule(Rule *rule) {
if (rule->phase > ModSecurity::Phases::NUMBER_OF_PHASES) {
parserError << "Unknown phase: " << std::to_string(rule->phase);
parserError << std::endl;
m_parserError << "Unknown phase: " << std::to_string(rule->phase);
m_parserError << std::endl;
return false;
}
@ -91,16 +91,16 @@ int Driver::addSecRule(Rule *rule) {
* by other rule
*/
if (rule->rule_id == 0) {
parserError << "Rules must have an ID. File: ";
parserError << rule->m_fileName << " at line: ";
parserError << std::to_string(rule->m_lineNumber) << std::endl;
m_parserError << "Rules must have an ID. File: ";
m_parserError << rule->m_fileName << " at line: ";
m_parserError << std::to_string(rule->m_lineNumber) << std::endl;
return false;
}
for (int i = 0; i < ModSecurity::Phases::NUMBER_OF_PHASES; i++) {
std::vector<Rule *> rules = this->rules[i];
for (int j = 0; j < rules.size(); j++) {
if (rules[j]->rule_id == rule->rule_id) {
parserError << "Rule id: " << std::to_string(rule->rule_id) \
m_parserError << "Rule id: " << std::to_string(rule->rule_id) \
<< " is duplicated" << std::endl;
return false;
}
@ -129,8 +129,8 @@ int Driver::parse(const std::string &f, const std::string &ref) {
int res = parser.parse();
scan_end();
if (audit_log->init() == false) {
parserError << "Problems while initializing the audit logs" \
if (m_auditLog->init() == false) {
m_parserError << "Problems while initializing the audit logs" \
<< std::endl;
return false;
}
@ -144,7 +144,7 @@ int Driver::parseFile(const std::string &f) {
std::string str;
if (t.is_open() == false) {
parserError << "Failed to open the file: " << f << std::endl;
m_parserError << "Failed to open the file: " << f << std::endl;
return false;
}
@ -166,21 +166,21 @@ void Driver::error(const yy::location& l, const std::string& m) {
void Driver::error(const yy::location& l, const std::string& m,
const std::string& c) {
if (parserError.tellp() == 0) {
parserError << "Rules error. ";
if (m_parserError.tellp() == 0) {
m_parserError << "Rules error. ";
if (ref.empty() == false) {
parserError << "File: " << ref.back() << ". ";
m_parserError << "File: " << ref.back() << ". ";
}
parserError << "Line: " << l.end.line << ". ";
parserError << "Column: " << l.end.column - 1 << ". ";
m_parserError << "Line: " << l.end.line << ". ";
m_parserError << "Column: " << l.end.column - 1 << ". ";
}
if (m.empty() == false) {
parserError << "" << m << " ";
m_parserError << "" << m << " ";
}
if (c.empty() == false) {
parserError << c;
m_parserError << c;
}
}

95
src/parser/seclang-parser.yy
View File

@ -18,6 +18,7 @@ class Driver;
}
#include "modsecurity/modsecurity.h"
#include "modsecurity/rules_properties.h"
#include "actions/accuracy.h"
#include "actions/action.h"
@ -328,51 +329,51 @@ audit_log:
/* SecAuditLogDirMode */
CONFIG_DIR_AUDIT_DIR_MOD
{
driver.audit_log->setStorageDirMode(strtol($1.c_str(), NULL, 8));
driver.m_auditLog->setStorageDirMode(strtol($1.c_str(), NULL, 8));
}
/* SecAuditLogStorageDir */
| CONFIG_DIR_AUDIT_DIR
{
driver.audit_log->setStorageDir($1);
driver.m_auditLog->setStorageDir($1);
}
/* SecAuditEngine */
| CONFIG_DIR_AUDIT_ENG CONFIG_VALUE_RELEVANT_ONLY
{
driver.audit_log->setStatus(modsecurity::audit_log::AuditLog::RelevantOnlyAuditLogStatus);
driver.m_auditLog->setStatus(modsecurity::audit_log::AuditLog::RelevantOnlyAuditLogStatus);
}
| CONFIG_DIR_AUDIT_ENG CONFIG_VALUE_OFF
{
driver.audit_log->setStatus(modsecurity::audit_log::AuditLog::OffAuditLogStatus);
driver.m_auditLog->setStatus(modsecurity::audit_log::AuditLog::OffAuditLogStatus);
}
| CONFIG_DIR_AUDIT_ENG CONFIG_VALUE_ON
{
driver.audit_log->setStatus(modsecurity::audit_log::AuditLog::OnAuditLogStatus);
driver.m_auditLog->setStatus(modsecurity::audit_log::AuditLog::OnAuditLogStatus);
}
/* SecAuditLogFileMode */
| CONFIG_DIR_AUDIT_FLE_MOD
{
driver.audit_log->setFileMode(strtol($1.c_str(), NULL, 8));
driver.m_auditLog->setFileMode(strtol($1.c_str(), NULL, 8));
}
/* SecAuditLog2 */
| CONFIG_DIR_AUDIT_LOG2
{
driver.audit_log->setFilePath2($1);
driver.m_auditLog->setFilePath2($1);
}
/* SecAuditLogParts */
| CONFIG_DIR_AUDIT_LOG_P
{
driver.audit_log->setParts($1);
driver.m_auditLog->setParts($1);
}
/* SecAuditLog */
| CONFIG_DIR_AUDIT_LOG
{
driver.audit_log->setFilePath1($1);
driver.m_auditLog->setFilePath1($1);
}
/* SecAuditLogRelevantStatus */
@ -381,51 +382,53 @@ audit_log:
std::string relevant_status($1);
relevant_status.pop_back();
relevant_status.erase(0, 1);
driver.audit_log->setRelevantStatus(relevant_status);
driver.m_auditLog->setRelevantStatus(relevant_status);
}
/* SecAuditLogType */
| CONFIG_DIR_AUDIT_TPE CONFIG_VALUE_SERIAL
{
driver.audit_log->setType(modsecurity::audit_log::AuditLog::SerialAuditLogType);
driver.m_auditLog->setType(modsecurity::audit_log::AuditLog::SerialAuditLogType);
}
| CONFIG_DIR_AUDIT_TPE CONFIG_VALUE_PARALLEL
{
driver.audit_log->setType(modsecurity::audit_log::AuditLog::ParallelAuditLogType);
driver.m_auditLog->setType(modsecurity::audit_log::AuditLog::ParallelAuditLogType);
}
| CONFIG_DIR_AUDIT_TPE CONFIG_VALUE_HTTPS
{
driver.audit_log->setType(modsecurity::audit_log::AuditLog::HttpsAuditLogType);
driver.m_auditLog->setType(modsecurity::audit_log::AuditLog::HttpsAuditLogType);
}
/* Upload */
| CONFIG_UPDLOAD_KEEP_FILES CONFIG_VALUE_ON
{
driver.uploadKeepFiles = true;
driver.m_uploadKeepFiles = modsecurity::RulesProperties::TrueConfigBoolean;
}
| CONFIG_UPDLOAD_KEEP_FILES CONFIG_VALUE_OFF
{
driver.uploadKeepFiles = false;
driver.m_uploadKeepFiles = modsecurity::RulesProperties::FalseConfigBoolean;
}
| CONFIG_UPLOAD_FILE_LIMIT
{
driver.uploadFileLimit = strtol($1.c_str(), NULL, 10);
driver.m_uploadFileLimit.m_set = true;
driver.m_uploadFileLimit.m_value = strtol($1.c_str(), NULL, 10);
}
| CONFIG_UPLOAD_FILE_MODE
{
driver.uploadFileMode = strtol($1.c_str(), NULL, 8);
driver.m_uploadFileMode.m_set = true;
driver.m_uploadFileMode.m_value = strtol($1.c_str(), NULL, 8);
}
| CONFIG_UPLOAD_DIR
{
driver.uploadDirectory = $1;
driver.m_uploadDirectory = $1;
}
| CONFIG_UPDLOAD_SAVE_TMP_FILES CONFIG_VALUE_ON
{
driver.tmpSaveUploadedFiles = true;
driver.m_tmpSaveUploadedFiles = modsecurity::RulesProperties::TrueConfigBoolean;
}
| CONFIG_UPDLOAD_SAVE_TMP_FILES CONFIG_VALUE_OFF
{
driver.tmpSaveUploadedFiles = false;
driver.m_tmpSaveUploadedFiles = modsecurity::RulesProperties::FalseConfigBoolean;
}
;
@ -581,35 +584,35 @@ expression:
}
| CONFIG_DIR_RULE_ENG CONFIG_VALUE_OFF
{
driver.secRuleEngine = modsecurity::Rules::DisabledRuleEngine;
driver.m_secRuleEngine = modsecurity::Rules::DisabledRuleEngine;
}
| CONFIG_DIR_RULE_ENG CONFIG_VALUE_ON
{
driver.secRuleEngine = modsecurity::Rules::EnabledRuleEngine;
driver.m_secRuleEngine = modsecurity::Rules::EnabledRuleEngine;
}
| CONFIG_DIR_RULE_ENG CONFIG_VALUE_DETC
{
driver.secRuleEngine = modsecurity::Rules::DetectionOnlyRuleEngine;
driver.m_secRuleEngine = modsecurity::Rules::DetectionOnlyRuleEngine;
}
| CONFIG_DIR_REQ_BODY CONFIG_VALUE_ON
{
driver.secRequestBodyAccess = true;
driver.m_secRequestBodyAccess = modsecurity::RulesProperties::TrueConfigBoolean;
}
| CONFIG_DIR_REQ_BODY CONFIG_VALUE_OFF
{
driver.secRequestBodyAccess = false;
driver.m_secRequestBodyAccess = modsecurity::RulesProperties::FalseConfigBoolean;
}
| CONFIG_DIR_RES_BODY CONFIG_VALUE_ON
{
driver.secResponseBodyAccess = true;
driver.m_secResponseBodyAccess = modsecurity::RulesProperties::TrueConfigBoolean;
}
| CONFIG_DIR_RES_BODY CONFIG_VALUE_OFF
{
driver.secResponseBodyAccess = false;
driver.m_secResponseBodyAccess = modsecurity::RulesProperties::FalseConfigBoolean;
}
| CONFIG_COMPONENT_SIG
{
driver.components.push_back($1);
driver.m_components.push_back($1);
}
| CONFIG_SEC_RULE_REMOVE_BY_ID
{
@ -671,43 +674,47 @@ expression:
/* Body limits */
| CONFIG_DIR_REQ_BODY_LIMIT
{
driver.requestBodyLimit = atoi($1.c_str());
driver.m_requestBodyLimit.m_set = true;
driver.m_requestBodyLimit.m_value = atoi($1.c_str());
}
| CONFIG_DIR_REQ_BODY_NO_FILES_LIMIT
{
driver.requestBodyNoFilesLimit = atoi($1.c_str());
driver.m_requestBodyNoFilesLimit.m_set = true;
driver.m_requestBodyNoFilesLimit.m_value = atoi($1.c_str());
}
| CONFIG_DIR_REQ_BODY_IN_MEMORY_LIMIT
{
driver.requestBodyInMemoryLimit = atoi($1.c_str());
driver.m_requestBodyInMemoryLimit.m_set = true;
driver.m_requestBodyInMemoryLimit.m_value = atoi($1.c_str());
}
| CONFIG_DIR_RES_BODY_LIMIT
{
driver.responseBodyLimit = atoi($1.c_str());
driver.m_responseBodyLimit.m_set = true;
driver.m_responseBodyLimit.m_value = atoi($1.c_str());
}
| CONFIG_DIR_REQ_BODY_LIMIT_ACTION CONFIG_VALUE_PROCESS_PARTIAL
{
driver.requestBodyLimitAction = modsecurity::Rules::BodyLimitAction::ProcessPartialBodyLimitAction;
driver.m_requestBodyLimitAction = modsecurity::Rules::BodyLimitAction::ProcessPartialBodyLimitAction;
}
| CONFIG_DIR_REQ_BODY_LIMIT_ACTION CONFIG_VALUE_REJECT
{
driver.requestBodyLimitAction = modsecurity::Rules::BodyLimitAction::RejectBodyLimitAction;
driver.m_requestBodyLimitAction = modsecurity::Rules::BodyLimitAction::RejectBodyLimitAction;
}
| CONFIG_DIR_RES_BODY_LIMIT_ACTION CONFIG_VALUE_PROCESS_PARTIAL
{
driver.responseBodyLimitAction = modsecurity::Rules::BodyLimitAction::ProcessPartialBodyLimitAction;
driver.m_responseBodyLimitAction = modsecurity::Rules::BodyLimitAction::ProcessPartialBodyLimitAction;
}
| CONFIG_DIR_RES_BODY_LIMIT_ACTION CONFIG_VALUE_REJECT
{
driver.responseBodyLimitAction = modsecurity::Rules::BodyLimitAction::RejectBodyLimitAction;
driver.m_responseBodyLimitAction = modsecurity::Rules::BodyLimitAction::RejectBodyLimitAction;
}
| CONFIG_SEC_REMOTE_RULES_FAIL_ACTION CONFIG_VALUE_ABORT
{
driver.remoteRulesActionOnFailed = Rules::OnFailedRemoteRulesAction::AbortOnFailedRemoteRulesAction;
driver.m_remoteRulesActionOnFailed = Rules::OnFailedRemoteRulesAction::AbortOnFailedRemoteRulesAction;
}
| CONFIG_SEC_REMOTE_RULES_FAIL_ACTION CONFIG_VALUE_WARN
{
driver.remoteRulesActionOnFailed = Rules::OnFailedRemoteRulesAction::WarnOnFailedRemoteRulesAction;
driver.m_remoteRulesActionOnFailed = Rules::OnFailedRemoteRulesAction::WarnOnFailedRemoteRulesAction;
}
| CONFIG_DIR_PCRE_MATCH_LIMIT_RECURSION
| CONFIG_DIR_PCRE_MATCH_LIMIT
@ -724,11 +731,11 @@ expression:
}
| CONFIG_XML_EXTERNAL_ENTITY CONFIG_VALUE_OFF
{
driver.secXMLExternalEntity = false;
driver.m_secXMLExternalEntity = modsecurity::RulesProperties::FalseConfigBoolean;
}
| CONFIG_XML_EXTERNAL_ENTITY CONFIG_VALUE_ON
{
driver.secXMLExternalEntity = true;
driver.m_secXMLExternalEntity = modsecurity::RulesProperties::TrueConfigBoolean;
}
| CONGIG_DIR_SEC_TMP_DIR
| CONGIG_DIR_SEC_DATA_DIR
@ -949,7 +956,7 @@ act:
$$ = Action::instantiate($1);
if ($$->init(&error) == false) {
driver.parserError << error;
driver.m_parserError << error;
YYERROR;
}
}
@ -1067,7 +1074,7 @@ act:
SetSID *setSID = new SetSID($1);
if (setSID->init(&error) == false) {
driver.parserError << error;
driver.m_parserError << error;
YYERROR;
}
@ -1079,7 +1086,7 @@ act:
SetUID *setUID = new SetUID($1);
if (setUID->init(&error) == false) {
driver.parserError << error;
driver.m_parserError << error;
YYERROR;
}
@ -1091,7 +1098,7 @@ act:
SetVar *setVar = new SetVar($1);
if (setVar->init(&error) == false) {
driver.parserError << error;
driver.m_parserError << error;
YYERROR;
}

4
src/parser/seclang-scanner.ll
View File

@ -540,10 +540,10 @@ CONFIG_DIR_UNICODE_MAP_FILE (?i:SecUnicodeMapFile)
if (ret == false) {
BEGIN(INITIAL);
if (driver.remoteRulesActionOnFailed == Rules::OnFailedRemoteRulesAction::WarnOnFailedRemoteRulesAction) {
if (driver.m_remoteRulesActionOnFailed == Rules::OnFailedRemoteRulesAction::WarnOnFailedRemoteRulesAction) {
/** TODO: Implement the server logging mechanism. */
}
if (driver.remoteRulesActionOnFailed == Rules::OnFailedRemoteRulesAction::AbortOnFailedRemoteRulesAction) {
if (driver.m_remoteRulesActionOnFailed == Rules::OnFailedRemoteRulesAction::AbortOnFailedRemoteRulesAction) {
driver.error (*driver.loc.back(), "", yytext + std::string(" - Failed to download: ") + c.error);
throw yy::seclang_parser::syntax_error(*driver.loc.back(), "");
}

28
src/request_body_processor/multipart.cc
View File

@ -27,6 +27,7 @@
#include <string>
#include "modsecurity/collection/collections.h"
#include "modsecurity/rules.h"
#include "src/utils.h"
namespace modsecurity {
@ -65,10 +66,12 @@ Multipart::Multipart(std:: string header, Transaction *transaction)
Multipart::~Multipart() {
debug(4, "Multipart: Cleanup started (remove files " \
+ std::to_string(!m_transaction->m_rules->uploadKeepFiles) \
+ RulesProperties::configBooleanString(
m_transaction->m_rules->m_uploadKeepFiles) \
+ ")");
if (m_transaction->m_rules->uploadKeepFiles == false) {
if (m_transaction->m_rules->m_uploadKeepFiles
!= RulesProperties::TrueConfigBoolean) {
for (MultipartPart *m : m_parts) {
if (m->m_type == MULTIPART_FILE) {
if (!m->m_tmp_file_name.empty()) {
@ -405,8 +408,8 @@ int Multipart::tmp_file_name(std::string *filename) {
localtime_r(&tt, &timeinfo);
path = m_transaction->m_rules->uploadDirectory;
mode = m_transaction->m_rules->uploadFileMode;
path = m_transaction->m_rules->m_uploadDirectory;
mode = m_transaction->m_rules->m_uploadFileMode.m_value;
memset(tstr, '\0', 300);
strftime(tstr, 299, "/%Y%m%d-%H%M%S", &timeinfo);
@ -454,8 +457,10 @@ int Multipart::process_part_data(std::string *error) {
/* add data to the part we are building */
if (m_mpp->m_type == MULTIPART_FILE) {
int extract = m_transaction->m_rules->uploadKeepFiles \
|| m_transaction->m_rules->tmpSaveUploadedFiles;
bool extract = m_transaction->m_rules->m_uploadKeepFiles \
== RulesProperties::TrueConfigBoolean \
|| m_transaction->m_rules->m_tmpSaveUploadedFiles \
== RulesProperties::TrueConfigBoolean;
/* remember where we started */
if (m_mpp->m_length == 0) {
@ -463,14 +468,17 @@ int Multipart::process_part_data(std::string *error) {
}
/* check if the file limit has been reached */
if (extract && m_transaction->m_rules->uploadFileLimit
&& (m_nfiles >= m_transaction->m_rules->uploadFileLimit)) {
if (extract && m_transaction->m_rules->m_uploadFileLimit.m_value
&& (m_nfiles >=
m_transaction->m_rules->m_uploadFileLimit.m_value)) {
if (m_flag_file_limit_exceeded == 0) {
debug(1, "Multipart: Upload file limit exceeded " \
+ std::to_string(m_transaction->m_rules->uploadFileLimit) \
+ std::to_string(
m_transaction->m_rules->m_uploadFileLimit.m_value) \
+ ". Use SecUploadFileLimit to change the limit.");
error->assign("Multipart: Upload file limit exceeded " \
+ std::to_string(m_transaction->m_rules->uploadFileLimit) \
+ std::to_string(
m_transaction->m_rules->m_uploadFileLimit.m_value) \
+ ". Use SecUploadFileLimit to change the limit.");
m_flag_file_limit_exceeded = 1;
}

3
src/request_body_processor/xml.cc
View File

@ -42,7 +42,8 @@ XML::~XML() {
bool XML::init() {
xmlParserInputBufferCreateFilenameFunc entity;
if (m_transaction->m_rules->secXMLExternalEntity == true) {
if (m_transaction->m_rules->m_secXMLExternalEntity
== RulesProperties::TrueConfigBoolean) {
entity = xmlParserInputBufferCreateFilenameDefault(
__xmlParserInputBufferCreateFilename);
} else {

17
src/rule.cc
View File

@ -220,7 +220,7 @@ bool Rule::evaluateActions(Transaction *trasn) {
" (rule contains a disruptive action)");
#endif
} else {
if (trasn->m_rules->secRuleEngine
if (trasn->m_rules->m_secRuleEngine
== Rules::EnabledRuleEngine) {
#ifndef NO_LOGS
trasn->debug(4, "(SecDefaultAction) " \
@ -250,7 +250,7 @@ bool Rule::evaluateActions(Transaction *trasn) {
for (Action *a : this->actions_runtime_pos) {
if (a->isDisruptive()
&& trasn->m_rules->secRuleEngine
&& trasn->m_rules->m_secRuleEngine
== Rules::EnabledRuleEngine) {
#ifndef NO_LOGS
trasn->debug(4, "Running (disruptive) action: " + a->m_name);
@ -406,7 +406,8 @@ bool Rule::evaluate(Transaction *trasn) {
this->op->op + "' with parameter `" +
limitTo(200, this->op->param) +
"' against variable `" + v->m_key + "' (Value: `" +
limitTo(100, toHexIfNeeded(value)) + "' ) \" at " + v->m_key;
limitTo(100, toHexIfNeeded(value)) + "' ) \" at " +
v->m_key;
} else {
ruleMessage->m_match = this->op->m_match_message;
}
@ -460,7 +461,7 @@ bool Rule::evaluate(Transaction *trasn) {
" (rule contains a disruptive action)");
#endif
} else {
if (trasn->m_rules->secRuleEngine
if (trasn->m_rules->m_secRuleEngine
== Rules::EnabledRuleEngine) {
#ifndef NO_LOGS
trasn->debug(4, "(SecDefaultAction) " \
@ -492,7 +493,7 @@ bool Rule::evaluate(Transaction *trasn) {
for (Action *a :
this->actions_runtime_pos) {
if (a->isDisruptive()
&& trasn->m_rules->secRuleEngine
&& trasn->m_rules->m_secRuleEngine
== Rules::EnabledRuleEngine
&& containsPassAction == false) {
#ifndef NO_LOGS
@ -543,9 +544,11 @@ bool Rule::evaluate(Transaction *trasn) {
}
}
if (globalRet == true && rule_id != 0 && ruleMessage->m_saveMessage == true) {
if (globalRet == true && rule_id != 0
&& ruleMessage->m_saveMessage == true) {
ruleMessage->m_message = m_log_message;
trasn->debug(4, "Saving on the server log: " + ruleMessage->errorLog(trasn));
trasn->debug(4, "Saving on the server log: "
+ ruleMessage->errorLog(trasn));
trasn->serverLog(ruleMessage->errorLog(trasn));
} else {
delete ruleMessage;

159
src/rules.cc
View File

@ -52,6 +52,7 @@ void Rules::incrementReferenceCount(void) {
this->m_referenceCount++;
}
/**
* @name decrementReferenceCount
* @brief Decrement the number of transactions using this class
@ -98,8 +99,8 @@ Rules::~Rules() {
}
}
/** Cleanup audit log */
if (audit_log) {
audit_log->refCountDecreaseAndCheck();
if (m_auditLog) {
m_auditLog->refCountDecreaseAndCheck();
}
free(unicode_map_table);
@ -125,7 +126,7 @@ int Rules::loadFromUri(const char *uri) {
Driver *driver = new Driver();
if (driver->parseFile(uri) == false) {
parserError << driver->parserError.str();
m_parserError << driver->m_parserError.str();
return -1;
}
@ -135,17 +136,18 @@ int Rules::loadFromUri(const char *uri) {
return rules;
}
int Rules::load(const char *file, const std::string &ref) {
Driver *driver = new Driver();
if (driver->parse(file, ref) == false) {
parserError << driver->parserError.str();
m_parserError << driver->m_parserError.str();
delete driver;
return -1;
}
int rules = this->merge(driver);
if (rules == -1) {
parserError << driver->parserError.str();
m_parserError << driver->m_parserError.str();
delete driver;
return -1;
}
@ -174,7 +176,7 @@ int Rules::load(const char *plainRules) {
std::string Rules::getParserError() {
return this->parserError.str();
return this->m_parserError.str();
}
@ -238,83 +240,20 @@ int Rules::evaluate(int phase, Transaction *transaction) {
int Rules::merge(Driver *from) {
int amount_of_rules = 0;
for (int i = 0; i <= ModSecurity::Phases::NUMBER_OF_PHASES; i++) {
std::vector<Rule *> rules = from->rules[i];
std::vector<Rule *> rules_here = this->rules[i];
amount_of_rules = mergeProperties(
reinterpret_cast<RulesProperties *>(from),
reinterpret_cast<RulesProperties *>(this),
&m_parserError);
for (int j = 0; j < rules.size(); j++) {
Rule *rule = rules[j];
for (int z = 0; z < rules_here.size(); z++) {
Rule *rule_ckc = rules_here[z];
if (rule_ckc->rule_id == rule->rule_id) {
parserError << "Rule id: " \
<< std::to_string(rule->rule_id) \
<< " is duplicated" << std::endl;
return -1;
}
}
amount_of_rules++;
this->rules[i].push_back(rule);
rule->refCountIncrease();
}
if (from->m_auditLog != NULL && this->m_auditLog != NULL) {
this->m_auditLog->refCountDecreaseAndCheck();
}
this->secRuleEngine = from->secRuleEngine;
this->secRequestBodyAccess = from->secRequestBodyAccess;
this->secResponseBodyAccess = from->secResponseBodyAccess;
this->secXMLExternalEntity = from->secXMLExternalEntity;
if (from->m_debugLog && this->m_debugLog &&
from->m_debugLog->isLogFileSet()) {
this->m_debugLog->setDebugLogFile(from->m_debugLog->getDebugLogFile());
if (from->m_auditLog) {
this->m_auditLog = from->m_auditLog;
}
if (from->m_debugLog && this->m_debugLog &&
from->m_debugLog->isLogLevelSet()) {
this->m_debugLog->setDebugLogLevel(
from->m_debugLog->getDebugLogLevel());
}
this->components = from->components;
this->requestBodyLimit = from->requestBodyLimit;
this->responseBodyLimit = from->responseBodyLimit;
this->requestBodyLimitAction = from->requestBodyLimitAction;
this->responseBodyLimitAction = from->responseBodyLimitAction;
this->uploadKeepFiles = from->uploadKeepFiles;
this->uploadFileLimit = from->uploadFileLimit;
this->uploadFileMode = from->uploadFileMode;
this->uploadDirectory = from->uploadDirectory;
this->tmpSaveUploadedFiles = from->tmpSaveUploadedFiles;
for (std::set<std::string>::iterator
it = from->m_responseBodyTypeToBeInspected.begin();
it != from->m_responseBodyTypeToBeInspected.end(); ++it) {
m_responseBodyTypeToBeInspected.insert(*it);
}
this->m_exceptions = from->m_exceptions;
/*
*
* default Actions is something per configuration context, there is
* need to merge anything.
*
*/
for (int i = 0; i <= ModSecurity::Phases::NUMBER_OF_PHASES; i++) {
std::vector<Action *> actions = from->defaultActions[i];
this->defaultActions[i].clear();
for (int j = 0; j < actions.size(); j++) {
Action *action = actions[j];
this->defaultActions[i].push_back(action);
}
}
if (from->audit_log != NULL && this->audit_log != NULL) {
this->audit_log->refCountDecreaseAndCheck();
}
if (from->audit_log) {
this->audit_log = from->audit_log;
}
if (this->audit_log != NULL) {
this->audit_log->refCountIncrease();
if (this->m_auditLog != NULL) {
this->m_auditLog->refCountIncrease();
}
return amount_of_rules;
@ -323,66 +262,26 @@ int Rules::merge(Driver *from) {
int Rules::merge(Rules *from) {
int amount_of_rules = 0;
for (int i = 0; i <= ModSecurity::Phases::NUMBER_OF_PHASES; i++) {
std::vector<Rule *> rules = from->rules[i];
std::vector<Rule *> rules_here = this->rules[i];
amount_of_rules = mergeProperties(
reinterpret_cast<RulesProperties *>(from),
reinterpret_cast<RulesProperties *>(this),
&m_parserError);
for (int j = 0; j < rules.size(); j++) {
Rule *rule = rules[j];
for (int z = 0; z < rules_here.size(); z++) {
Rule *rule_ckc = rules_here[z];
if (rule_ckc->rule_id == rule->rule_id) {
parserError << "Rule id: " \
<< std::to_string(rule->rule_id) \
<< " is duplicated" << std::endl;
return -1;
}
}
amount_of_rules++;
this->rules[i].push_back(rule);
rule->refCountIncrease();
}
if (from->m_auditLog != NULL && this->m_auditLog != NULL) {
this->m_auditLog->refCountDecreaseAndCheck();
}
this->secRuleEngine = from->secRuleEngine;
this->secRequestBodyAccess = from->secRequestBodyAccess;
this->secResponseBodyAccess = from->secResponseBodyAccess;
this->components = from->components;
this->requestBodyLimit = from->requestBodyLimit;
this->responseBodyLimit = from->responseBodyLimit;
this->requestBodyLimitAction = from->requestBodyLimitAction;
this->responseBodyLimitAction = from->responseBodyLimitAction;
this->uploadKeepFiles = from->uploadKeepFiles;
this->uploadFileLimit = from->uploadFileLimit;
this->uploadFileMode = from->uploadFileMode;
this->uploadDirectory = from->uploadDirectory;
this->tmpSaveUploadedFiles = from->tmpSaveUploadedFiles;
if (from->m_debugLog && this->m_debugLog &&
from->m_debugLog->isLogFileSet()) {
this->m_debugLog->setDebugLogFile(from->m_debugLog->getDebugLogFile());
if (from->m_auditLog) {
this->m_auditLog = from->m_auditLog;
}
if (from->m_debugLog && this->m_debugLog &&
from->m_debugLog->isLogLevelSet()) {
this->m_debugLog->setDebugLogLevel(
from->m_debugLog->getDebugLogLevel());
}
if (from->audit_log != NULL && this->audit_log != NULL) {
this->audit_log->refCountDecreaseAndCheck();
}
if (from->audit_log) {
this->audit_log = from->audit_log;
}
if (this->audit_log != NULL) {
this->audit_log->refCountIncrease();
if (this->m_auditLog != NULL) {
this->m_auditLog->refCountIncrease();
}
return amount_of_rules;
}
void Rules::debug(int level, std::string message) {
if (m_debugLog != NULL) {
m_debugLog->write(level, message);

54
src/transaction.cc
View File

@ -453,7 +453,7 @@ int Transaction::processRequestHeaders() {
debug(4, "Starting phase REQUEST_HEADERS. (SecRules 1)");
#endif
if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) {
if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) {
#ifndef NO_LOGS
debug(4, "Rule engine disabled, returning...");
#endif
@ -618,7 +618,7 @@ int Transaction::processRequestBody() {
debug(4, "Starting phase REQUEST_BODY. (SecRules 2)");
#endif
if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) {
if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) {
#ifndef NO_LOGS
debug(4, "Rule engine disabled, returning...");
#endif
@ -800,7 +800,8 @@ int Transaction::requestBodyFromFile(const char *path) {
#ifndef NO_LOGS
debug(9, "Adding request body: " + std::to_string(len) + " bytes. " \
"Limit set to: " + std::to_string(this->m_rules->requestBodyLimit));
"Limit set to: "
+ std::to_string(this->m_rules->m_requestBodyLimit.m_value));
#endif
return appendRequestBody(reinterpret_cast<const unsigned char*>(buf), len);
@ -811,18 +812,20 @@ int Transaction::appendRequestBody(const unsigned char *buf, size_t len) {
#ifndef NO_LOGS
debug(9, "Appending request body: " + std::to_string(len) + " bytes. " \
"Limit set to: " + std::to_string(this->m_rules->requestBodyLimit));
"Limit set to: "
+ std::to_string(this->m_rules->m_requestBodyLimit.m_value));
#endif
if (this->m_rules->requestBodyLimit > 0
&& this->m_rules->requestBodyLimit < len + current_size) {
if (this->m_rules->m_requestBodyLimit.m_value > 0
&& this->m_rules->m_requestBodyLimit.m_value < len + current_size) {
m_collections.store("INBOUND_DATA_ERROR", "1");
#ifndef NO_LOGS
debug(5, "Request body is bigger than the maximum expected.");
#endif
if (this->m_rules->requestBodyLimitAction ==
if (this->m_rules->m_requestBodyLimitAction ==
Rules::BodyLimitAction::ProcessPartialBodyLimitAction) {
size_t spaceLeft = this->m_rules->requestBodyLimit - current_size;
size_t spaceLeft = this->m_rules->m_requestBodyLimit.m_value
- current_size;
this->m_requestBody.write(reinterpret_cast<const char*>(buf),
spaceLeft);
#ifndef NO_LOGS
@ -830,7 +833,7 @@ int Transaction::appendRequestBody(const unsigned char *buf, size_t len) {
#endif
return false;
} else {
if (this->m_rules->requestBodyLimitAction ==
if (this->m_rules->m_requestBodyLimitAction ==
Rules::BodyLimitAction::RejectBodyLimitAction) {
#ifndef NO_LOGS
debug(5, "Request body limit is marked to reject the " \
@ -876,7 +879,7 @@ int Transaction::processResponseHeaders(int code, const std::string& proto) {
this->m_collections.store("STATUS", std::to_string(code));
m_collections.store("RESPONSE_PROTOCOL", proto);
if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) {
if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) {
#ifndef NO_LOGS
debug(4, "Rule engine disabled, returning...");
#endif
@ -997,7 +1000,7 @@ int Transaction::processResponseBody() {
debug(4, "Starting phase RESPONSE_BODY. (SecRules 4)");
#endif
if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) {
if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) {
#ifndef NO_LOGS
debug(4, "Rule engine disabled, returning...");
#endif
@ -1067,18 +1070,19 @@ int Transaction::appendResponseBody(const unsigned char *buf, size_t len) {
#ifndef NO_LOGS
debug(9, "Appending response body: " + std::to_string(len + current_size)
+ " bytes. Limit set to: " +
std::to_string(this->m_rules->responseBodyLimit));
std::to_string(this->m_rules->m_responseBodyLimit.m_value));
#endif
if (this->m_rules->responseBodyLimit > 0
&& this->m_rules->responseBodyLimit < len + current_size) {
if (this->m_rules->m_responseBodyLimit.m_value > 0
&& this->m_rules->m_responseBodyLimit.m_value < len + current_size) {
m_collections.store("OUTBOUND_DATA_ERROR", "1");
#ifndef NO_LOGS
debug(5, "Response body is bigger than the maximum expected.");
#endif
if (this->m_rules->responseBodyLimitAction ==
if (this->m_rules->m_responseBodyLimitAction ==
Rules::BodyLimitAction::ProcessPartialBodyLimitAction) {
size_t spaceLeft = this->m_rules->responseBodyLimit - current_size;
size_t spaceLeft = this->m_rules->m_responseBodyLimit.m_value \
- current_size;
this->m_responseBody.write(reinterpret_cast<const char*>(buf),
spaceLeft);
#ifndef NO_LOGS
@ -1086,7 +1090,7 @@ int Transaction::appendResponseBody(const unsigned char *buf, size_t len) {
#endif
return false;
} else {
if (this->m_rules->responseBodyLimitAction ==
if (this->m_rules->m_responseBodyLimitAction ==
Rules::BodyLimitAction::RejectBodyLimitAction) {
#ifndef NO_LOGS
debug(5, "Response body limit is marked to reject the " \
@ -1171,7 +1175,7 @@ int Transaction::processLogging() {
debug(4, "Starting phase LOGGING. (SecRules 5)");
#endif
if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) {
if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) {
#ifndef NO_LOGS
debug(4, "Rule engine disabled, returning...");
#endif
@ -1181,7 +1185,7 @@ int Transaction::processLogging() {
this->m_rules->evaluate(ModSecurity::LoggingPhase, this);
/* If relevant, save this transaction information at the audit_logs */
if (m_rules != NULL && m_rules->audit_log != NULL) {
if (m_rules != NULL && m_rules->m_auditLog != NULL) {
int parts = -1;
#ifndef NO_LOGS
debug(8, "Checking if this request is suitable to be " \
@ -1193,17 +1197,17 @@ int Transaction::processLogging() {
debug(4, "There was an audit log modifier for this transaction.");
#endif
std::list<std::pair<int, std::string>>::iterator it;
parts = this->m_rules->audit_log->m_parts;
parts = this->m_rules->m_auditLog->m_parts;
debug(7, "AuditLog parts before modification(s): " +
std::to_string(parts) + ".");
for (it = m_auditLogModifier.begin();
it != m_auditLogModifier.end(); ++it) {
std::pair <int, std::string> p = *it;
if (p.first == 0) { // Add
parts = this->m_rules->audit_log->addParts(parts,
parts = this->m_rules->m_auditLog->addParts(parts,
p.second);
} else { // Remove
parts = this->m_rules->audit_log->removeParts(parts,
parts = this->m_rules->m_auditLog->removeParts(parts,
p.second);
}
}
@ -1216,7 +1220,7 @@ int Transaction::processLogging() {
#endif
debug(8, "Checking if this request is relevant to be " \
"part of the audit logs.");
bool saved = this->m_rules->audit_log->saveIfRelevant(this, parts);
bool saved = this->m_rules->m_auditLog->saveIfRelevant(this, parts);
if (saved) {
#ifndef NO_LOGS
debug(8, "Request was relevant to be saved. Parts: " +
@ -1497,7 +1501,7 @@ std::string Transaction::toJSON(int parts) {
/* producer > engine state */
LOGFY_ADD("secrules_engine",
Rules::ruleEngineStateString(m_rules->secRuleEngine));
Rules::ruleEngineStateString(m_rules->m_secRuleEngine));
/* producer > components */
yajl_gen_string(g,
@ -1505,7 +1509,7 @@ std::string Transaction::toJSON(int parts) {
strlen("components"));
yajl_gen_array_open(g);
for (auto a : m_rules->components) {
for (auto a : m_rules->m_components) {
yajl_gen_string(g,
reinterpret_cast<const unsigned char*>
(a.c_str()), a.length());

2
test/benchmark/benchmark.cc
View File

@ -81,7 +81,7 @@ int main(int argc, char *argv[]) {
rules = new modsecurity::Rules();
if (rules->loadFromUri(rules_file) < 0) {
std::cout << "Problems loading the rules..." << std::endl;
std::cout << rules->parserError.str() << std::endl;
std::cout << rules->m_parserError.str() << std::endl;
return -1;
}