diff --git a/examples/multiprocess_c/multi.c b/examples/multiprocess_c/multi.c index 786ee161..91effd6a 100644 --- a/examples/multiprocess_c/multi.c +++ b/examples/multiprocess_c/multi.c @@ -15,11 +15,13 @@ #include #include +#include #include #include #include #include - +#include +#include #define FORKS 5 #define REQUESTS_PER_PROCESS 100 diff --git a/examples/simple_example_using_c/test.c b/examples/simple_example_using_c/test.c index d4df506e..0299d81d 100644 --- a/examples/simple_example_using_c/test.c +++ b/examples/simple_example_using_c/test.c @@ -18,6 +18,7 @@ #include "stdlib.h" #include "modsecurity/modsecurity.h" +#include "modsecurity/rules.h" char main_rule_uri[] = "basic_rules.conf"; diff --git a/headers/modsecurity/modsecurity.h b/headers/modsecurity/modsecurity.h index a87574de..6bd62414 100644 --- a/headers/modsecurity/modsecurity.h +++ b/headers/modsecurity/modsecurity.h @@ -92,7 +92,6 @@ typedef struct ModSecurity_t modsecurity; #include "modsecurity/intervention.h" #include "modsecurity/transaction.h" #include "modsecurity/debug_log.h" -#include "modsecurity/rules.h" /** * TAG_NUM: @@ -129,9 +128,6 @@ namespace modsecurity { namespace actions { class Action; } -namespace operators { -class Operators; -} class Rule; /** @ingroup ModSecurity_CPP_API */ diff --git a/headers/modsecurity/rule.h b/headers/modsecurity/rule.h index 1b08280a..b979e2fc 100644 --- a/headers/modsecurity/rule.h +++ b/headers/modsecurity/rule.h @@ -23,7 +23,7 @@ #ifndef HEADERS_MODSECURITY_RULE_H_ #define HEADERS_MODSECURITY_RULE_H_ -#include "modsecurity/modsecurity.h" +#include "modsecurity/transaction.h" #ifdef __cplusplus @@ -32,6 +32,12 @@ namespace modsecurity { namespace Variables { class Variable; } +namespace actions { +class Action; +} +namespace operators { +class Operator; +} class Rule { public: diff --git a/headers/modsecurity/rules.h b/headers/modsecurity/rules.h index c1b0ff96..8b81a2f8 100644 --- a/headers/modsecurity/rules.h +++ b/headers/modsecurity/rules.h @@ -28,9 +28,9 @@ #ifndef HEADERS_MODSECURITY_RULES_H_ #define HEADERS_MODSECURITY_RULES_H_ +#include "modsecurity/rules_properties.h" #include "modsecurity/modsecurity.h" #include "modsecurity/transaction.h" -#include "modsecurity/rules_properties.h" #ifdef __cplusplus @@ -42,7 +42,7 @@ class Driver; } /** @ingroup ModSecurity_CPP_API */ -class Rules : public RulesProperties { +class Rules : public RulesProperties { public: Rules() : RulesProperties(new DebugLog()), diff --git a/headers/modsecurity/rules_properties.h b/headers/modsecurity/rules_properties.h index 4743db0f..c72581f6 100644 --- a/headers/modsecurity/rules_properties.h +++ b/headers/modsecurity/rules_properties.h @@ -13,6 +13,7 @@ * */ + #ifdef __cplusplus #include #include @@ -26,14 +27,15 @@ #ifndef HEADERS_MODSECURITY_RULES_PROPERTIES_H_ #define HEADERS_MODSECURITY_RULES_PROPERTIES_H_ + #include "modsecurity/modsecurity.h" -#include "modsecurity/transaction.h" +#include "modsecurity/rule.h" #include "modsecurity/rules_exceptions.h" + #ifdef __cplusplus namespace modsecurity { -class Rule; class RulesExceptions; namespace audit_log { class AuditLog; @@ -45,79 +47,77 @@ namespace Parser { class Driver; } + /** @ingroup ModSecurity_CPP_API */ +class ConfigInt { + public: + ConfigInt() : m_set(false), m_value(0) { } + bool m_set; + int m_value; +}; + + +class ConfigDouble { + public: + ConfigDouble() : m_set(false), m_value(0) { } + bool m_set; + double m_value; +}; + + +class ConfigString { + public: + ConfigString() : m_set(false), m_value("") { } + bool m_set; + std::string m_value; +}; + + class RulesProperties { public: - RulesProperties() - : audit_log(NULL), + RulesProperties() : m_auditLog(NULL), m_debugLog(new DebugLog()), - m_httpbl_key(""), - remoteRulesActionOnFailed(AbortOnFailedRemoteRulesAction), - requestBodyLimit(0), - requestBodyNoFilesLimit(0), - requestBodyInMemoryLimit(0), - secRequestBodyAccess(false), - secResponseBodyAccess(false), - secXMLExternalEntity(false), - requestBodyLimitAction(ProcessPartialBodyLimitAction), - responseBodyLimit(0), - responseBodyLimitAction(ProcessPartialBodyLimitAction), - secRuleEngine(DetectionOnlyRuleEngine), - uploadKeepFiles(0), - uploadFileLimit(100), - uploadFileMode(0), - tmpSaveUploadedFiles(false) { } + m_httpblKey(""), + m_remoteRulesActionOnFailed(PropertyNotSetRemoteRulesAction), + m_secRequestBodyAccess(PropertyNotSetConfigBoolean), + m_secResponseBodyAccess(PropertyNotSetConfigBoolean), + m_secXMLExternalEntity(PropertyNotSetConfigBoolean), + m_requestBodyLimitAction(PropertyNotSetBodyLimitAction), + m_responseBodyLimitAction(PropertyNotSetBodyLimitAction), + m_secRuleEngine(PropertyNotSetRuleEngine), + m_uploadKeepFiles(PropertyNotSetConfigBoolean), + m_tmpSaveUploadedFiles(PropertyNotSetConfigBoolean) { } - explicit RulesProperties(DebugLog *debugLog) - : audit_log(NULL), + + explicit RulesProperties(DebugLog *debugLog) : m_auditLog(NULL), m_debugLog(debugLog), - m_httpbl_key(""), - remoteRulesActionOnFailed(AbortOnFailedRemoteRulesAction), - requestBodyLimit(0), - requestBodyNoFilesLimit(0), - requestBodyInMemoryLimit(0), - secRequestBodyAccess(false), - secResponseBodyAccess(false), - secXMLExternalEntity(false), - requestBodyLimitAction(ProcessPartialBodyLimitAction), - responseBodyLimit(0), - responseBodyLimitAction(ProcessPartialBodyLimitAction), - secRuleEngine(DetectionOnlyRuleEngine), - uploadKeepFiles(0), - uploadFileLimit(100), - uploadFileMode(0), - tmpSaveUploadedFiles(false) { } + m_httpblKey(""), + m_remoteRulesActionOnFailed(PropertyNotSetRemoteRulesAction), + m_secRequestBodyAccess(PropertyNotSetConfigBoolean), + m_secResponseBodyAccess(PropertyNotSetConfigBoolean), + m_secXMLExternalEntity(PropertyNotSetConfigBoolean), + m_requestBodyLimitAction(PropertyNotSetBodyLimitAction), + m_responseBodyLimitAction(PropertyNotSetBodyLimitAction), + m_secRuleEngine(PropertyNotSetRuleEngine), + m_uploadKeepFiles(PropertyNotSetConfigBoolean), + m_tmpSaveUploadedFiles(PropertyNotSetConfigBoolean) { } + -/* - RulesProperties(const RulesProperties &other) - : audit_log(other.audit_log), - m_debugLog(other.m_debugLog), - remoteRulesActionOnFailed(other.remoteRulesActionOnFailed), - requestBodyLimit(other.requestBodyLimit), - requestBodyNoFilesLimit(other.requestBodyNoFilesLimit), - requestBodyInMemoryLimit(other.requestBodyInMemoryLimit), - secRequestBodyAccess(other.secRequestBodyAccess), - secResponseBodyAccess(other.secResponseBodyAccess), - requestBodyLimitAction(other.requestBodyLimitAction), - responseBodyLimit(other.responseBodyLimit), - responseBodyLimitAction(other.responseBodyLimitAction), - secRuleEngine(other.secRuleEngine) { } -*/ ~RulesProperties() { delete m_debugLog; } - std::vector rules[8]; - std::vector * getRulesForPhase(int phase) { - if (phase > 7) { - return NULL; - } - return &rules[phase]; - } - // ModSecurity::Phases::NUMBER_OF_PHASES - std::vector defaultActions[8]; - // ModSecurity::Phases::NUMBER_OF_PHASES + /** + * + * + */ + enum ConfigBoolean { + TrueConfigBoolean, + FalseConfigBoolean, + PropertyNotSetConfigBoolean + }; + /** * @@ -126,25 +126,30 @@ class RulesProperties { * */ enum RuleEngine { - /** - * - * Rules won't be evaluated if Rule Engine is set to DisabledRuleEngine - * - */ - DisabledRuleEngine, - /** - * - * Rules will be evaluated and disturb actions will take place if needed. - * - */ - EnabledRuleEngine, - /** - * Rules will be evaluated but it won't generate any disruptive action. - * - */ - DetectionOnlyRuleEngine + /** + * + * Rules won't be evaluated if Rule Engine is set to DisabledRuleEngine + * + */ + DisabledRuleEngine, + /** + * + * Rules will be evaluated and disturb actions will take place if needed. + * + */ + EnabledRuleEngine, + /** + * Rules will be evaluated but it won't generate any disruptive action. + * + */ + DetectionOnlyRuleEngine, + /** + * + */ + PropertyNotSetRuleEngine }; + /** * * Defines what actions should be taken in case the body (response or @@ -152,18 +157,22 @@ class RulesProperties { * */ enum BodyLimitAction { - /** - * - * Process partial - * - */ + /** + * + * Process partial + * + */ ProcessPartialBodyLimitAction, - /** - * - * Reject the request - * - */ - RejectBodyLimitAction + /** + * + * Reject the request + * + */ + RejectBodyLimitAction, + /** + * + */ + PropertyNotSetBodyLimitAction }; @@ -171,72 +180,226 @@ class RulesProperties { * * Defines what actions should be taken in case the remote rules failed to * be downloaded (independent of the circumstances) - * + * * */ enum OnFailedRemoteRulesAction { - /** - * - * Abort - * - */ + /** + * + * Abort + * + */ AbortOnFailedRemoteRulesAction, - /** - * - * Warn on logging - * - */ - WarnOnFailedRemoteRulesAction + /** + * + * Warn on logging + * + */ + WarnOnFailedRemoteRulesAction, + /** + * + */ + PropertyNotSetRemoteRulesAction }; static const char *ruleEngineStateString(RuleEngine i) { - switch (i) { - case DisabledRuleEngine: - return "Disabled"; - case EnabledRuleEngine: - return "Enabled"; - case DetectionOnlyRuleEngine: - return "DetectionOnly"; - } - return NULL; + switch (i) { + case DisabledRuleEngine: + return "Disabled"; + case EnabledRuleEngine: + return "Enabled"; + case DetectionOnlyRuleEngine: + return "DetectionOnly"; + case PropertyNotSetRuleEngine: + return "PropertyNotSet/DetectionOnly"; + } + return NULL; } - RuleEngine secRuleEngine; - double requestBodyNoFilesLimit; - double requestBodyInMemoryLimit; - double requestBodyLimit; - double responseBodyLimit; - BodyLimitAction requestBodyLimitAction; - BodyLimitAction responseBodyLimitAction; + static std::string configBooleanString(ConfigBoolean i) { + switch (i) { + case TrueConfigBoolean: + return "True"; + case FalseConfigBoolean: + return "False"; + case PropertyNotSetConfigBoolean: + return "Not set"; + } + return NULL; + } - bool secRequestBodyAccess; - bool secResponseBodyAccess; - bool secXMLExternalEntity; - std::string audit_log_path; - std::string audit_log_parts; - std::list components; - std::set m_responseBodyTypeToBeInspected; + static int mergeProperties(RulesProperties *from, RulesProperties *to, + std::ostringstream *err) { + int amount_of_rules = 0; + + amount_of_rules = appendRules(from->rules, to->rules, err); + if (amount_of_rules < 0) { + return amount_of_rules; + } + + if (from->m_secRuleEngine != PropertyNotSetRuleEngine) { + to->m_secRuleEngine = from->m_secRuleEngine; + } + + if (from->m_secRequestBodyAccess != PropertyNotSetConfigBoolean) { + to->m_secRequestBodyAccess = from->m_secRequestBodyAccess; + } + + if (from->m_secResponseBodyAccess != PropertyNotSetConfigBoolean) { + to->m_secResponseBodyAccess = from->m_secResponseBodyAccess; + } + + if (from->m_secXMLExternalEntity != PropertyNotSetConfigBoolean) { + to->m_secXMLExternalEntity = from->m_secXMLExternalEntity; + } + + if (from->m_uploadKeepFiles != PropertyNotSetConfigBoolean) { + to->m_uploadKeepFiles = from->m_uploadKeepFiles; + } + + if (from->m_tmpSaveUploadedFiles != PropertyNotSetConfigBoolean) { + to->m_tmpSaveUploadedFiles = from->m_tmpSaveUploadedFiles; + } + + to->m_components = from->m_components; + + if (from->m_requestBodyLimit.m_set == true) { + to->m_requestBodyLimit.m_value = from->m_requestBodyLimit.m_value; + } + + if (from->m_responseBodyLimit.m_set == true) { + to->m_responseBodyLimit.m_value = from->m_responseBodyLimit.m_value; + } + + if (from->m_requestBodyLimitAction != PropertyNotSetBodyLimitAction) { + to->m_requestBodyLimitAction = from->m_requestBodyLimitAction; + } + + if (from->m_responseBodyLimitAction != PropertyNotSetBodyLimitAction) { + to->m_responseBodyLimitAction = from->m_responseBodyLimitAction; + } + + + if (from->m_uploadFileLimit.m_set == true) { + to->m_uploadFileLimit.m_value = from->m_uploadFileLimit.m_value; + } + + if (from->m_uploadFileMode.m_set == true) { + to->m_uploadFileMode.m_value = from->m_uploadFileMode.m_value; + } + + to->m_uploadDirectory = from->m_uploadDirectory; + + to->m_exceptions = from->m_exceptions; + + for (std::set::iterator + it = from->m_responseBodyTypeToBeInspected.begin(); + it != from->m_responseBodyTypeToBeInspected.end(); ++it) { + to->m_responseBodyTypeToBeInspected.insert(*it); + } + + /* + * + * default Actions is something per configuration context, there is + * need to merge anything. + * + */ + for (int i = 0; i <= 8; i++) { + std::vector actions = from->defaultActions[i]; + to->defaultActions[i].clear(); + for (int j = 0; j < actions.size(); j++) { + actions::Action *action = actions[j]; + to->defaultActions[i].push_back(action); + } + } + + if (from->m_debugLog && to->m_debugLog && + from->m_debugLog->isLogFileSet()) { + to->m_debugLog->setDebugLogFile( + from->m_debugLog->getDebugLogFile()); + } + + if (from->m_debugLog && to->m_debugLog && + from->m_debugLog->isLogLevelSet()) { + to->m_debugLog->setDebugLogLevel( + from->m_debugLog->getDebugLogLevel()); + } + + return amount_of_rules; + } + + + static int appendRules(std::vector from[8], + std::vector to[8], + std::ostringstream *err) { + int amount_of_rules = 0; + for (int i = 0; i <= 8; i++) { + std::vector rules_to = to[i]; + std::vector rules_from = from[i]; + + for (int j = 0; j < rules_from.size(); j++) { + Rule *rule = rules_from[j]; + for (int z = 0; z < rules_to.size(); z++) { + Rule *rule_ckc = rules_to[z]; + if (rule_ckc->rule_id == rule->rule_id) { + if (err != NULL) { + *err << "Rule id: " \ + << std::to_string(rule->rule_id) \ + << " is duplicated" << std::endl; + } + return -1; + } + } + amount_of_rules++; + rules_to.push_back(rule); + rule->refCountIncrease(); + } + } + return amount_of_rules; + } + + + std::vector *getRulesForPhase(int phase) { + if (phase > 7) { + return NULL; + } + return &rules[phase]; + } + + + audit_log::AuditLog *m_auditLog; + BodyLimitAction m_requestBodyLimitAction; + BodyLimitAction m_responseBodyLimitAction; + ConfigBoolean m_secRequestBodyAccess; + ConfigBoolean m_secResponseBodyAccess; + ConfigBoolean m_secXMLExternalEntity; + ConfigBoolean m_tmpSaveUploadedFiles; + ConfigBoolean m_uploadKeepFiles; + ConfigDouble m_requestBodyInMemoryLimit; + ConfigDouble m_requestBodyLimit; + ConfigDouble m_requestBodyNoFilesLimit; + ConfigDouble m_responseBodyLimit; + ConfigInt m_uploadFileLimit; + ConfigInt m_uploadFileMode; DebugLog *m_debugLog; - - std::string m_httpbl_key; - std::ostringstream parserError; - - bool uploadKeepFiles; - int uploadFileLimit; - int uploadFileMode; - std::string uploadDirectory; - std::string uploadTmpDirectory; - bool tmpSaveUploadedFiles; - - audit_log::AuditLog *audit_log; - - OnFailedRemoteRulesAction remoteRulesActionOnFailed; - + OnFailedRemoteRulesAction m_remoteRulesActionOnFailed; + RuleEngine m_secRuleEngine; RulesExceptions m_exceptions; + std::list m_components; + std::ostringstream m_parserError; + std::set m_responseBodyTypeToBeInspected; + std::string m_auditLogParts; + std::string m_auditLogPath; + std::string m_httpblKey; + std::string m_uploadDirectory; + std::string m_uploadTmpDirectory; + std::vector defaultActions[8]; + std::vector rules[8]; }; + #endif #ifdef __cplusplus diff --git a/src/actions/transformations/escape_seq_decode.cc b/src/actions/transformations/escape_seq_decode.cc index aed9729c..23b490cb 100644 --- a/src/actions/transformations/escape_seq_decode.cc +++ b/src/actions/transformations/escape_seq_decode.cc @@ -21,6 +21,7 @@ #include #include #include +#include #include "modsecurity/transaction.h" #include "actions/transformations/transformation.h" diff --git a/src/actions/transformations/hex_decode.cc b/src/actions/transformations/hex_decode.cc index 842bb65f..67e2dc25 100644 --- a/src/actions/transformations/hex_decode.cc +++ b/src/actions/transformations/hex_decode.cc @@ -21,6 +21,7 @@ #include #include #include +#include #include "modsecurity/transaction.h" #include "actions/transformations/transformation.h" diff --git a/src/actions/transformations/parity_even_7bit.cc b/src/actions/transformations/parity_even_7bit.cc index 2ca037f0..dfacd819 100644 --- a/src/actions/transformations/parity_even_7bit.cc +++ b/src/actions/transformations/parity_even_7bit.cc @@ -21,6 +21,7 @@ #include #include #include +#include #include "modsecurity/transaction.h" #include "actions/transformations/transformation.h" @@ -43,7 +44,7 @@ std::string ParityEven7bit::evaluate(std::string value, return ""; } - memcpy(input, value.c_str(), value.length()+1); + std::memcpy(input, value.c_str(), value.length()+1); inplace(input, value.length()); diff --git a/src/actions/transformations/parity_odd_7bit.cc b/src/actions/transformations/parity_odd_7bit.cc index eb515563..bc2d24c2 100644 --- a/src/actions/transformations/parity_odd_7bit.cc +++ b/src/actions/transformations/parity_odd_7bit.cc @@ -21,6 +21,7 @@ #include #include #include +#include #include "modsecurity/transaction.h" #include "actions/transformations/transformation.h" diff --git a/src/actions/transformations/parity_zero_7bit.cc b/src/actions/transformations/parity_zero_7bit.cc index 639927c4..890acf6e 100644 --- a/src/actions/transformations/parity_zero_7bit.cc +++ b/src/actions/transformations/parity_zero_7bit.cc @@ -21,6 +21,7 @@ #include #include #include +#include #include "modsecurity/transaction.h" #include "actions/transformations/transformation.h" diff --git a/src/actions/transformations/remove_comments.cc b/src/actions/transformations/remove_comments.cc index 9ed0c6fa..c4e05208 100644 --- a/src/actions/transformations/remove_comments.cc +++ b/src/actions/transformations/remove_comments.cc @@ -21,6 +21,7 @@ #include #include #include +#include #include "modsecurity/transaction.h" #include "actions/transformations/transformation.h" diff --git a/src/actions/transformations/replace_comments.cc b/src/actions/transformations/replace_comments.cc index 680b0e4f..9b8ab73e 100644 --- a/src/actions/transformations/replace_comments.cc +++ b/src/actions/transformations/replace_comments.cc @@ -21,6 +21,7 @@ #include #include #include +#include #include "modsecurity/transaction.h" #include "actions/transformations/transformation.h" diff --git a/src/actions/transformations/sql_hex_decode.cc b/src/actions/transformations/sql_hex_decode.cc index d4e949ce..eed4b3dc 100644 --- a/src/actions/transformations/sql_hex_decode.cc +++ b/src/actions/transformations/sql_hex_decode.cc @@ -21,6 +21,7 @@ #include #include #include +#include #include "modsecurity/transaction.h" #include "actions/transformations/transformation.h" diff --git a/src/actions/transformations/url_decode.cc b/src/actions/transformations/url_decode.cc index d8977c14..61e9edc6 100644 --- a/src/actions/transformations/url_decode.cc +++ b/src/actions/transformations/url_decode.cc @@ -21,6 +21,7 @@ #include #include #include +#include #include "modsecurity/transaction.h" #include "actions/transformations/transformation.h" diff --git a/src/actions/transformations/url_decode_uni.cc b/src/actions/transformations/url_decode_uni.cc index 97cc7bed..245a4c8d 100644 --- a/src/actions/transformations/url_decode_uni.cc +++ b/src/actions/transformations/url_decode_uni.cc @@ -23,11 +23,12 @@ #include #include #include +#include #include "modsecurity/transaction.h" #include "actions/transformations/transformation.h" #include "src/utils.h" - +#include "modsecurity/rules.h" namespace modsecurity { namespace actions { diff --git a/src/actions/transformations/utf8_to_unicode.cc b/src/actions/transformations/utf8_to_unicode.cc index 4f2778e4..205ac21a 100644 --- a/src/actions/transformations/utf8_to_unicode.cc +++ b/src/actions/transformations/utf8_to_unicode.cc @@ -21,6 +21,7 @@ #include #include #include +#include #include "modsecurity/transaction.h" #include "actions/transformations/transformation.h" diff --git a/src/operators/rbl.cc b/src/operators/rbl.cc index ea89a9c6..4771f118 100644 --- a/src/operators/rbl.cc +++ b/src/operators/rbl.cc @@ -33,7 +33,7 @@ namespace operators { std::string Rbl::mapIpToAddress(std::string ipStr, Transaction *trans) { std::string addr; int h0, h1, h2, h3; - std::string key = trans->m_rules->m_httpbl_key; + std::string key = trans->m_rules->m_httpblKey; if (sscanf(ipStr.c_str(), "%d.%d.%d.%d", &h0, &h1, &h2, &h3) != 4) { debug(trans, 0, std::string("Failed to understand `" + ipStr + diff --git a/src/parser/driver.cc b/src/parser/driver.cc index d2af5c2f..5ca314ce 100644 --- a/src/parser/driver.cc +++ b/src/parser/driver.cc @@ -27,14 +27,14 @@ namespace Parser { Driver::Driver() : trace_scanning(false), trace_parsing(false) { - audit_log = new audit_log::AuditLog(); - audit_log->refCountIncrease(); + m_auditLog = new audit_log::AuditLog(); + m_auditLog->refCountIncrease(); } Driver::~Driver() { - if (audit_log != NULL) { - audit_log->refCountDecreaseAndCheck(); + if (m_auditLog != NULL) { + m_auditLog->refCountDecreaseAndCheck(); } delete loc.back(); } @@ -52,8 +52,8 @@ int Driver::addSecMarker(std::string marker) { int Driver::addSecAction(Rule *rule) { if (rule->phase > ModSecurity::Phases::NUMBER_OF_PHASES) { - parserError << "Unknown phase: " << std::to_string(rule->phase); - parserError << std::endl; + m_parserError << "Unknown phase: " << std::to_string(rule->phase); + m_parserError << std::endl; return false; } @@ -64,8 +64,8 @@ int Driver::addSecAction(Rule *rule) { int Driver::addSecRule(Rule *rule) { if (rule->phase > ModSecurity::Phases::NUMBER_OF_PHASES) { - parserError << "Unknown phase: " << std::to_string(rule->phase); - parserError << std::endl; + m_parserError << "Unknown phase: " << std::to_string(rule->phase); + m_parserError << std::endl; return false; } @@ -91,16 +91,16 @@ int Driver::addSecRule(Rule *rule) { * by other rule */ if (rule->rule_id == 0) { - parserError << "Rules must have an ID. File: "; - parserError << rule->m_fileName << " at line: "; - parserError << std::to_string(rule->m_lineNumber) << std::endl; + m_parserError << "Rules must have an ID. File: "; + m_parserError << rule->m_fileName << " at line: "; + m_parserError << std::to_string(rule->m_lineNumber) << std::endl; return false; } for (int i = 0; i < ModSecurity::Phases::NUMBER_OF_PHASES; i++) { std::vector rules = this->rules[i]; for (int j = 0; j < rules.size(); j++) { if (rules[j]->rule_id == rule->rule_id) { - parserError << "Rule id: " << std::to_string(rule->rule_id) \ + m_parserError << "Rule id: " << std::to_string(rule->rule_id) \ << " is duplicated" << std::endl; return false; } @@ -129,8 +129,8 @@ int Driver::parse(const std::string &f, const std::string &ref) { int res = parser.parse(); scan_end(); - if (audit_log->init() == false) { - parserError << "Problems while initializing the audit logs" \ + if (m_auditLog->init() == false) { + m_parserError << "Problems while initializing the audit logs" \ << std::endl; return false; } @@ -144,7 +144,7 @@ int Driver::parseFile(const std::string &f) { std::string str; if (t.is_open() == false) { - parserError << "Failed to open the file: " << f << std::endl; + m_parserError << "Failed to open the file: " << f << std::endl; return false; } @@ -166,21 +166,21 @@ void Driver::error(const yy::location& l, const std::string& m) { void Driver::error(const yy::location& l, const std::string& m, const std::string& c) { - if (parserError.tellp() == 0) { - parserError << "Rules error. "; + if (m_parserError.tellp() == 0) { + m_parserError << "Rules error. "; if (ref.empty() == false) { - parserError << "File: " << ref.back() << ". "; + m_parserError << "File: " << ref.back() << ". "; } - parserError << "Line: " << l.end.line << ". "; - parserError << "Column: " << l.end.column - 1 << ". "; + m_parserError << "Line: " << l.end.line << ". "; + m_parserError << "Column: " << l.end.column - 1 << ". "; } if (m.empty() == false) { - parserError << "" << m << " "; + m_parserError << "" << m << " "; } if (c.empty() == false) { - parserError << c; + m_parserError << c; } } diff --git a/src/parser/seclang-parser.yy b/src/parser/seclang-parser.yy index ef58ef65..50ebc6b2 100644 --- a/src/parser/seclang-parser.yy +++ b/src/parser/seclang-parser.yy @@ -18,6 +18,7 @@ class Driver; } #include "modsecurity/modsecurity.h" +#include "modsecurity/rules_properties.h" #include "actions/accuracy.h" #include "actions/action.h" @@ -328,51 +329,51 @@ audit_log: /* SecAuditLogDirMode */ CONFIG_DIR_AUDIT_DIR_MOD { - driver.audit_log->setStorageDirMode(strtol($1.c_str(), NULL, 8)); + driver.m_auditLog->setStorageDirMode(strtol($1.c_str(), NULL, 8)); } /* SecAuditLogStorageDir */ | CONFIG_DIR_AUDIT_DIR { - driver.audit_log->setStorageDir($1); + driver.m_auditLog->setStorageDir($1); } /* SecAuditEngine */ | CONFIG_DIR_AUDIT_ENG CONFIG_VALUE_RELEVANT_ONLY { - driver.audit_log->setStatus(modsecurity::audit_log::AuditLog::RelevantOnlyAuditLogStatus); + driver.m_auditLog->setStatus(modsecurity::audit_log::AuditLog::RelevantOnlyAuditLogStatus); } | CONFIG_DIR_AUDIT_ENG CONFIG_VALUE_OFF { - driver.audit_log->setStatus(modsecurity::audit_log::AuditLog::OffAuditLogStatus); + driver.m_auditLog->setStatus(modsecurity::audit_log::AuditLog::OffAuditLogStatus); } | CONFIG_DIR_AUDIT_ENG CONFIG_VALUE_ON { - driver.audit_log->setStatus(modsecurity::audit_log::AuditLog::OnAuditLogStatus); + driver.m_auditLog->setStatus(modsecurity::audit_log::AuditLog::OnAuditLogStatus); } /* SecAuditLogFileMode */ | CONFIG_DIR_AUDIT_FLE_MOD { - driver.audit_log->setFileMode(strtol($1.c_str(), NULL, 8)); + driver.m_auditLog->setFileMode(strtol($1.c_str(), NULL, 8)); } /* SecAuditLog2 */ | CONFIG_DIR_AUDIT_LOG2 { - driver.audit_log->setFilePath2($1); + driver.m_auditLog->setFilePath2($1); } /* SecAuditLogParts */ | CONFIG_DIR_AUDIT_LOG_P { - driver.audit_log->setParts($1); + driver.m_auditLog->setParts($1); } /* SecAuditLog */ | CONFIG_DIR_AUDIT_LOG { - driver.audit_log->setFilePath1($1); + driver.m_auditLog->setFilePath1($1); } /* SecAuditLogRelevantStatus */ @@ -381,51 +382,53 @@ audit_log: std::string relevant_status($1); relevant_status.pop_back(); relevant_status.erase(0, 1); - driver.audit_log->setRelevantStatus(relevant_status); + driver.m_auditLog->setRelevantStatus(relevant_status); } /* SecAuditLogType */ | CONFIG_DIR_AUDIT_TPE CONFIG_VALUE_SERIAL { - driver.audit_log->setType(modsecurity::audit_log::AuditLog::SerialAuditLogType); + driver.m_auditLog->setType(modsecurity::audit_log::AuditLog::SerialAuditLogType); } | CONFIG_DIR_AUDIT_TPE CONFIG_VALUE_PARALLEL { - driver.audit_log->setType(modsecurity::audit_log::AuditLog::ParallelAuditLogType); + driver.m_auditLog->setType(modsecurity::audit_log::AuditLog::ParallelAuditLogType); } | CONFIG_DIR_AUDIT_TPE CONFIG_VALUE_HTTPS { - driver.audit_log->setType(modsecurity::audit_log::AuditLog::HttpsAuditLogType); + driver.m_auditLog->setType(modsecurity::audit_log::AuditLog::HttpsAuditLogType); } /* Upload */ | CONFIG_UPDLOAD_KEEP_FILES CONFIG_VALUE_ON { - driver.uploadKeepFiles = true; + driver.m_uploadKeepFiles = modsecurity::RulesProperties::TrueConfigBoolean; } | CONFIG_UPDLOAD_KEEP_FILES CONFIG_VALUE_OFF { - driver.uploadKeepFiles = false; + driver.m_uploadKeepFiles = modsecurity::RulesProperties::FalseConfigBoolean; } | CONFIG_UPLOAD_FILE_LIMIT { - driver.uploadFileLimit = strtol($1.c_str(), NULL, 10); + driver.m_uploadFileLimit.m_set = true; + driver.m_uploadFileLimit.m_value = strtol($1.c_str(), NULL, 10); } | CONFIG_UPLOAD_FILE_MODE { - driver.uploadFileMode = strtol($1.c_str(), NULL, 8); + driver.m_uploadFileMode.m_set = true; + driver.m_uploadFileMode.m_value = strtol($1.c_str(), NULL, 8); } | CONFIG_UPLOAD_DIR { - driver.uploadDirectory = $1; + driver.m_uploadDirectory = $1; } | CONFIG_UPDLOAD_SAVE_TMP_FILES CONFIG_VALUE_ON { - driver.tmpSaveUploadedFiles = true; + driver.m_tmpSaveUploadedFiles = modsecurity::RulesProperties::TrueConfigBoolean; } | CONFIG_UPDLOAD_SAVE_TMP_FILES CONFIG_VALUE_OFF { - driver.tmpSaveUploadedFiles = false; + driver.m_tmpSaveUploadedFiles = modsecurity::RulesProperties::FalseConfigBoolean; } ; @@ -581,35 +584,35 @@ expression: } | CONFIG_DIR_RULE_ENG CONFIG_VALUE_OFF { - driver.secRuleEngine = modsecurity::Rules::DisabledRuleEngine; + driver.m_secRuleEngine = modsecurity::Rules::DisabledRuleEngine; } | CONFIG_DIR_RULE_ENG CONFIG_VALUE_ON { - driver.secRuleEngine = modsecurity::Rules::EnabledRuleEngine; + driver.m_secRuleEngine = modsecurity::Rules::EnabledRuleEngine; } | CONFIG_DIR_RULE_ENG CONFIG_VALUE_DETC { - driver.secRuleEngine = modsecurity::Rules::DetectionOnlyRuleEngine; + driver.m_secRuleEngine = modsecurity::Rules::DetectionOnlyRuleEngine; } | CONFIG_DIR_REQ_BODY CONFIG_VALUE_ON { - driver.secRequestBodyAccess = true; + driver.m_secRequestBodyAccess = modsecurity::RulesProperties::TrueConfigBoolean; } | CONFIG_DIR_REQ_BODY CONFIG_VALUE_OFF { - driver.secRequestBodyAccess = false; + driver.m_secRequestBodyAccess = modsecurity::RulesProperties::FalseConfigBoolean; } | CONFIG_DIR_RES_BODY CONFIG_VALUE_ON { - driver.secResponseBodyAccess = true; + driver.m_secResponseBodyAccess = modsecurity::RulesProperties::TrueConfigBoolean; } | CONFIG_DIR_RES_BODY CONFIG_VALUE_OFF { - driver.secResponseBodyAccess = false; + driver.m_secResponseBodyAccess = modsecurity::RulesProperties::FalseConfigBoolean; } | CONFIG_COMPONENT_SIG { - driver.components.push_back($1); + driver.m_components.push_back($1); } | CONFIG_SEC_RULE_REMOVE_BY_ID { @@ -671,43 +674,47 @@ expression: /* Body limits */ | CONFIG_DIR_REQ_BODY_LIMIT { - driver.requestBodyLimit = atoi($1.c_str()); + driver.m_requestBodyLimit.m_set = true; + driver.m_requestBodyLimit.m_value = atoi($1.c_str()); } | CONFIG_DIR_REQ_BODY_NO_FILES_LIMIT { - driver.requestBodyNoFilesLimit = atoi($1.c_str()); + driver.m_requestBodyNoFilesLimit.m_set = true; + driver.m_requestBodyNoFilesLimit.m_value = atoi($1.c_str()); } | CONFIG_DIR_REQ_BODY_IN_MEMORY_LIMIT { - driver.requestBodyInMemoryLimit = atoi($1.c_str()); + driver.m_requestBodyInMemoryLimit.m_set = true; + driver.m_requestBodyInMemoryLimit.m_value = atoi($1.c_str()); } | CONFIG_DIR_RES_BODY_LIMIT { - driver.responseBodyLimit = atoi($1.c_str()); + driver.m_responseBodyLimit.m_set = true; + driver.m_responseBodyLimit.m_value = atoi($1.c_str()); } | CONFIG_DIR_REQ_BODY_LIMIT_ACTION CONFIG_VALUE_PROCESS_PARTIAL { - driver.requestBodyLimitAction = modsecurity::Rules::BodyLimitAction::ProcessPartialBodyLimitAction; + driver.m_requestBodyLimitAction = modsecurity::Rules::BodyLimitAction::ProcessPartialBodyLimitAction; } | CONFIG_DIR_REQ_BODY_LIMIT_ACTION CONFIG_VALUE_REJECT { - driver.requestBodyLimitAction = modsecurity::Rules::BodyLimitAction::RejectBodyLimitAction; + driver.m_requestBodyLimitAction = modsecurity::Rules::BodyLimitAction::RejectBodyLimitAction; } | CONFIG_DIR_RES_BODY_LIMIT_ACTION CONFIG_VALUE_PROCESS_PARTIAL { - driver.responseBodyLimitAction = modsecurity::Rules::BodyLimitAction::ProcessPartialBodyLimitAction; + driver.m_responseBodyLimitAction = modsecurity::Rules::BodyLimitAction::ProcessPartialBodyLimitAction; } | CONFIG_DIR_RES_BODY_LIMIT_ACTION CONFIG_VALUE_REJECT { - driver.responseBodyLimitAction = modsecurity::Rules::BodyLimitAction::RejectBodyLimitAction; + driver.m_responseBodyLimitAction = modsecurity::Rules::BodyLimitAction::RejectBodyLimitAction; } | CONFIG_SEC_REMOTE_RULES_FAIL_ACTION CONFIG_VALUE_ABORT { - driver.remoteRulesActionOnFailed = Rules::OnFailedRemoteRulesAction::AbortOnFailedRemoteRulesAction; + driver.m_remoteRulesActionOnFailed = Rules::OnFailedRemoteRulesAction::AbortOnFailedRemoteRulesAction; } | CONFIG_SEC_REMOTE_RULES_FAIL_ACTION CONFIG_VALUE_WARN { - driver.remoteRulesActionOnFailed = Rules::OnFailedRemoteRulesAction::WarnOnFailedRemoteRulesAction; + driver.m_remoteRulesActionOnFailed = Rules::OnFailedRemoteRulesAction::WarnOnFailedRemoteRulesAction; } | CONFIG_DIR_PCRE_MATCH_LIMIT_RECURSION | CONFIG_DIR_PCRE_MATCH_LIMIT @@ -724,11 +731,11 @@ expression: } | CONFIG_XML_EXTERNAL_ENTITY CONFIG_VALUE_OFF { - driver.secXMLExternalEntity = false; + driver.m_secXMLExternalEntity = modsecurity::RulesProperties::FalseConfigBoolean; } | CONFIG_XML_EXTERNAL_ENTITY CONFIG_VALUE_ON { - driver.secXMLExternalEntity = true; + driver.m_secXMLExternalEntity = modsecurity::RulesProperties::TrueConfigBoolean; } | CONGIG_DIR_SEC_TMP_DIR | CONGIG_DIR_SEC_DATA_DIR @@ -949,7 +956,7 @@ act: $$ = Action::instantiate($1); if ($$->init(&error) == false) { - driver.parserError << error; + driver.m_parserError << error; YYERROR; } } @@ -1067,7 +1074,7 @@ act: SetSID *setSID = new SetSID($1); if (setSID->init(&error) == false) { - driver.parserError << error; + driver.m_parserError << error; YYERROR; } @@ -1079,7 +1086,7 @@ act: SetUID *setUID = new SetUID($1); if (setUID->init(&error) == false) { - driver.parserError << error; + driver.m_parserError << error; YYERROR; } @@ -1091,7 +1098,7 @@ act: SetVar *setVar = new SetVar($1); if (setVar->init(&error) == false) { - driver.parserError << error; + driver.m_parserError << error; YYERROR; } diff --git a/src/parser/seclang-scanner.ll b/src/parser/seclang-scanner.ll index fb230722..f8b61050 100755 --- a/src/parser/seclang-scanner.ll +++ b/src/parser/seclang-scanner.ll @@ -540,10 +540,10 @@ CONFIG_DIR_UNICODE_MAP_FILE (?i:SecUnicodeMapFile) if (ret == false) { BEGIN(INITIAL); - if (driver.remoteRulesActionOnFailed == Rules::OnFailedRemoteRulesAction::WarnOnFailedRemoteRulesAction) { + if (driver.m_remoteRulesActionOnFailed == Rules::OnFailedRemoteRulesAction::WarnOnFailedRemoteRulesAction) { /** TODO: Implement the server logging mechanism. */ } - if (driver.remoteRulesActionOnFailed == Rules::OnFailedRemoteRulesAction::AbortOnFailedRemoteRulesAction) { + if (driver.m_remoteRulesActionOnFailed == Rules::OnFailedRemoteRulesAction::AbortOnFailedRemoteRulesAction) { driver.error (*driver.loc.back(), "", yytext + std::string(" - Failed to download: ") + c.error); throw yy::seclang_parser::syntax_error(*driver.loc.back(), ""); } diff --git a/src/request_body_processor/multipart.cc b/src/request_body_processor/multipart.cc index 2c6d0fac..150f9bc7 100644 --- a/src/request_body_processor/multipart.cc +++ b/src/request_body_processor/multipart.cc @@ -27,6 +27,7 @@ #include #include "modsecurity/collection/collections.h" +#include "modsecurity/rules.h" #include "src/utils.h" namespace modsecurity { @@ -65,10 +66,12 @@ Multipart::Multipart(std:: string header, Transaction *transaction) Multipart::~Multipart() { debug(4, "Multipart: Cleanup started (remove files " \ - + std::to_string(!m_transaction->m_rules->uploadKeepFiles) \ + + RulesProperties::configBooleanString( + m_transaction->m_rules->m_uploadKeepFiles) \ + ")"); - if (m_transaction->m_rules->uploadKeepFiles == false) { + if (m_transaction->m_rules->m_uploadKeepFiles + != RulesProperties::TrueConfigBoolean) { for (MultipartPart *m : m_parts) { if (m->m_type == MULTIPART_FILE) { if (!m->m_tmp_file_name.empty()) { @@ -405,8 +408,8 @@ int Multipart::tmp_file_name(std::string *filename) { localtime_r(&tt, &timeinfo); - path = m_transaction->m_rules->uploadDirectory; - mode = m_transaction->m_rules->uploadFileMode; + path = m_transaction->m_rules->m_uploadDirectory; + mode = m_transaction->m_rules->m_uploadFileMode.m_value; memset(tstr, '\0', 300); strftime(tstr, 299, "/%Y%m%d-%H%M%S", &timeinfo); @@ -454,8 +457,10 @@ int Multipart::process_part_data(std::string *error) { /* add data to the part we are building */ if (m_mpp->m_type == MULTIPART_FILE) { - int extract = m_transaction->m_rules->uploadKeepFiles \ - || m_transaction->m_rules->tmpSaveUploadedFiles; + bool extract = m_transaction->m_rules->m_uploadKeepFiles \ + == RulesProperties::TrueConfigBoolean \ + || m_transaction->m_rules->m_tmpSaveUploadedFiles \ + == RulesProperties::TrueConfigBoolean; /* remember where we started */ if (m_mpp->m_length == 0) { @@ -463,14 +468,17 @@ int Multipart::process_part_data(std::string *error) { } /* check if the file limit has been reached */ - if (extract && m_transaction->m_rules->uploadFileLimit - && (m_nfiles >= m_transaction->m_rules->uploadFileLimit)) { + if (extract && m_transaction->m_rules->m_uploadFileLimit.m_value + && (m_nfiles >= + m_transaction->m_rules->m_uploadFileLimit.m_value)) { if (m_flag_file_limit_exceeded == 0) { debug(1, "Multipart: Upload file limit exceeded " \ - + std::to_string(m_transaction->m_rules->uploadFileLimit) \ + + std::to_string( + m_transaction->m_rules->m_uploadFileLimit.m_value) \ + ". Use SecUploadFileLimit to change the limit."); error->assign("Multipart: Upload file limit exceeded " \ - + std::to_string(m_transaction->m_rules->uploadFileLimit) \ + + std::to_string( + m_transaction->m_rules->m_uploadFileLimit.m_value) \ + ". Use SecUploadFileLimit to change the limit."); m_flag_file_limit_exceeded = 1; } diff --git a/src/request_body_processor/xml.cc b/src/request_body_processor/xml.cc index c2211a12..31bdbb4e 100644 --- a/src/request_body_processor/xml.cc +++ b/src/request_body_processor/xml.cc @@ -42,7 +42,8 @@ XML::~XML() { bool XML::init() { xmlParserInputBufferCreateFilenameFunc entity; - if (m_transaction->m_rules->secXMLExternalEntity == true) { + if (m_transaction->m_rules->m_secXMLExternalEntity + == RulesProperties::TrueConfigBoolean) { entity = xmlParserInputBufferCreateFilenameDefault( __xmlParserInputBufferCreateFilename); } else { diff --git a/src/rule.cc b/src/rule.cc index 9e2583a3..fdd019e4 100644 --- a/src/rule.cc +++ b/src/rule.cc @@ -220,7 +220,7 @@ bool Rule::evaluateActions(Transaction *trasn) { " (rule contains a disruptive action)"); #endif } else { - if (trasn->m_rules->secRuleEngine + if (trasn->m_rules->m_secRuleEngine == Rules::EnabledRuleEngine) { #ifndef NO_LOGS trasn->debug(4, "(SecDefaultAction) " \ @@ -250,7 +250,7 @@ bool Rule::evaluateActions(Transaction *trasn) { for (Action *a : this->actions_runtime_pos) { if (a->isDisruptive() - && trasn->m_rules->secRuleEngine + && trasn->m_rules->m_secRuleEngine == Rules::EnabledRuleEngine) { #ifndef NO_LOGS trasn->debug(4, "Running (disruptive) action: " + a->m_name); @@ -406,7 +406,8 @@ bool Rule::evaluate(Transaction *trasn) { this->op->op + "' with parameter `" + limitTo(200, this->op->param) + "' against variable `" + v->m_key + "' (Value: `" + - limitTo(100, toHexIfNeeded(value)) + "' ) \" at " + v->m_key; + limitTo(100, toHexIfNeeded(value)) + "' ) \" at " + + v->m_key; } else { ruleMessage->m_match = this->op->m_match_message; } @@ -460,7 +461,7 @@ bool Rule::evaluate(Transaction *trasn) { " (rule contains a disruptive action)"); #endif } else { - if (trasn->m_rules->secRuleEngine + if (trasn->m_rules->m_secRuleEngine == Rules::EnabledRuleEngine) { #ifndef NO_LOGS trasn->debug(4, "(SecDefaultAction) " \ @@ -492,7 +493,7 @@ bool Rule::evaluate(Transaction *trasn) { for (Action *a : this->actions_runtime_pos) { if (a->isDisruptive() - && trasn->m_rules->secRuleEngine + && trasn->m_rules->m_secRuleEngine == Rules::EnabledRuleEngine && containsPassAction == false) { #ifndef NO_LOGS @@ -543,9 +544,11 @@ bool Rule::evaluate(Transaction *trasn) { } } - if (globalRet == true && rule_id != 0 && ruleMessage->m_saveMessage == true) { + if (globalRet == true && rule_id != 0 + && ruleMessage->m_saveMessage == true) { ruleMessage->m_message = m_log_message; - trasn->debug(4, "Saving on the server log: " + ruleMessage->errorLog(trasn)); + trasn->debug(4, "Saving on the server log: " + + ruleMessage->errorLog(trasn)); trasn->serverLog(ruleMessage->errorLog(trasn)); } else { delete ruleMessage; diff --git a/src/rules.cc b/src/rules.cc index e16917bf..375a3aa1 100644 --- a/src/rules.cc +++ b/src/rules.cc @@ -52,6 +52,7 @@ void Rules::incrementReferenceCount(void) { this->m_referenceCount++; } + /** * @name decrementReferenceCount * @brief Decrement the number of transactions using this class @@ -98,8 +99,8 @@ Rules::~Rules() { } } /** Cleanup audit log */ - if (audit_log) { - audit_log->refCountDecreaseAndCheck(); + if (m_auditLog) { + m_auditLog->refCountDecreaseAndCheck(); } free(unicode_map_table); @@ -125,7 +126,7 @@ int Rules::loadFromUri(const char *uri) { Driver *driver = new Driver(); if (driver->parseFile(uri) == false) { - parserError << driver->parserError.str(); + m_parserError << driver->m_parserError.str(); return -1; } @@ -135,17 +136,18 @@ int Rules::loadFromUri(const char *uri) { return rules; } + int Rules::load(const char *file, const std::string &ref) { Driver *driver = new Driver(); if (driver->parse(file, ref) == false) { - parserError << driver->parserError.str(); + m_parserError << driver->m_parserError.str(); delete driver; return -1; } int rules = this->merge(driver); if (rules == -1) { - parserError << driver->parserError.str(); + m_parserError << driver->m_parserError.str(); delete driver; return -1; } @@ -174,7 +176,7 @@ int Rules::load(const char *plainRules) { std::string Rules::getParserError() { - return this->parserError.str(); + return this->m_parserError.str(); } @@ -238,83 +240,20 @@ int Rules::evaluate(int phase, Transaction *transaction) { int Rules::merge(Driver *from) { int amount_of_rules = 0; - for (int i = 0; i <= ModSecurity::Phases::NUMBER_OF_PHASES; i++) { - std::vector rules = from->rules[i]; - std::vector rules_here = this->rules[i]; + amount_of_rules = mergeProperties( + reinterpret_cast(from), + reinterpret_cast(this), + &m_parserError); - for (int j = 0; j < rules.size(); j++) { - Rule *rule = rules[j]; - for (int z = 0; z < rules_here.size(); z++) { - Rule *rule_ckc = rules_here[z]; - if (rule_ckc->rule_id == rule->rule_id) { - parserError << "Rule id: " \ - << std::to_string(rule->rule_id) \ - << " is duplicated" << std::endl; - return -1; - } - } - amount_of_rules++; - this->rules[i].push_back(rule); - rule->refCountIncrease(); - } + if (from->m_auditLog != NULL && this->m_auditLog != NULL) { + this->m_auditLog->refCountDecreaseAndCheck(); } - this->secRuleEngine = from->secRuleEngine; - this->secRequestBodyAccess = from->secRequestBodyAccess; - this->secResponseBodyAccess = from->secResponseBodyAccess; - this->secXMLExternalEntity = from->secXMLExternalEntity; - if (from->m_debugLog && this->m_debugLog && - from->m_debugLog->isLogFileSet()) { - this->m_debugLog->setDebugLogFile(from->m_debugLog->getDebugLogFile()); + if (from->m_auditLog) { + this->m_auditLog = from->m_auditLog; } - if (from->m_debugLog && this->m_debugLog && - from->m_debugLog->isLogLevelSet()) { - this->m_debugLog->setDebugLogLevel( - from->m_debugLog->getDebugLogLevel()); - } - this->components = from->components; - this->requestBodyLimit = from->requestBodyLimit; - this->responseBodyLimit = from->responseBodyLimit; - this->requestBodyLimitAction = from->requestBodyLimitAction; - this->responseBodyLimitAction = from->responseBodyLimitAction; - - this->uploadKeepFiles = from->uploadKeepFiles; - this->uploadFileLimit = from->uploadFileLimit; - this->uploadFileMode = from->uploadFileMode; - this->uploadDirectory = from->uploadDirectory; - this->tmpSaveUploadedFiles = from->tmpSaveUploadedFiles; - - for (std::set::iterator - it = from->m_responseBodyTypeToBeInspected.begin(); - it != from->m_responseBodyTypeToBeInspected.end(); ++it) { - m_responseBodyTypeToBeInspected.insert(*it); - } - - this->m_exceptions = from->m_exceptions; - - /* - * - * default Actions is something per configuration context, there is - * need to merge anything. - * - */ - for (int i = 0; i <= ModSecurity::Phases::NUMBER_OF_PHASES; i++) { - std::vector actions = from->defaultActions[i]; - this->defaultActions[i].clear(); - for (int j = 0; j < actions.size(); j++) { - Action *action = actions[j]; - this->defaultActions[i].push_back(action); - } - } - - if (from->audit_log != NULL && this->audit_log != NULL) { - this->audit_log->refCountDecreaseAndCheck(); - } - if (from->audit_log) { - this->audit_log = from->audit_log; - } - if (this->audit_log != NULL) { - this->audit_log->refCountIncrease(); + if (this->m_auditLog != NULL) { + this->m_auditLog->refCountIncrease(); } return amount_of_rules; @@ -323,66 +262,26 @@ int Rules::merge(Driver *from) { int Rules::merge(Rules *from) { int amount_of_rules = 0; - for (int i = 0; i <= ModSecurity::Phases::NUMBER_OF_PHASES; i++) { - std::vector rules = from->rules[i]; - std::vector rules_here = this->rules[i]; + amount_of_rules = mergeProperties( + reinterpret_cast(from), + reinterpret_cast(this), + &m_parserError); - for (int j = 0; j < rules.size(); j++) { - Rule *rule = rules[j]; - for (int z = 0; z < rules_here.size(); z++) { - Rule *rule_ckc = rules_here[z]; - if (rule_ckc->rule_id == rule->rule_id) { - parserError << "Rule id: " \ - << std::to_string(rule->rule_id) \ - << " is duplicated" << std::endl; - return -1; - } - } - amount_of_rules++; - this->rules[i].push_back(rule); - rule->refCountIncrease(); - } + if (from->m_auditLog != NULL && this->m_auditLog != NULL) { + this->m_auditLog->refCountDecreaseAndCheck(); } - - this->secRuleEngine = from->secRuleEngine; - this->secRequestBodyAccess = from->secRequestBodyAccess; - this->secResponseBodyAccess = from->secResponseBodyAccess; - this->components = from->components; - this->requestBodyLimit = from->requestBodyLimit; - this->responseBodyLimit = from->responseBodyLimit; - this->requestBodyLimitAction = from->requestBodyLimitAction; - this->responseBodyLimitAction = from->responseBodyLimitAction; - - this->uploadKeepFiles = from->uploadKeepFiles; - this->uploadFileLimit = from->uploadFileLimit; - this->uploadFileMode = from->uploadFileMode; - this->uploadDirectory = from->uploadDirectory; - this->tmpSaveUploadedFiles = from->tmpSaveUploadedFiles; - - if (from->m_debugLog && this->m_debugLog && - from->m_debugLog->isLogFileSet()) { - this->m_debugLog->setDebugLogFile(from->m_debugLog->getDebugLogFile()); + if (from->m_auditLog) { + this->m_auditLog = from->m_auditLog; } - if (from->m_debugLog && this->m_debugLog && - from->m_debugLog->isLogLevelSet()) { - this->m_debugLog->setDebugLogLevel( - from->m_debugLog->getDebugLogLevel()); - } - - if (from->audit_log != NULL && this->audit_log != NULL) { - this->audit_log->refCountDecreaseAndCheck(); - } - if (from->audit_log) { - this->audit_log = from->audit_log; - } - if (this->audit_log != NULL) { - this->audit_log->refCountIncrease(); + if (this->m_auditLog != NULL) { + this->m_auditLog->refCountIncrease(); } return amount_of_rules; } + void Rules::debug(int level, std::string message) { if (m_debugLog != NULL) { m_debugLog->write(level, message); diff --git a/src/transaction.cc b/src/transaction.cc index 61f1bdf0..6682875a 100644 --- a/src/transaction.cc +++ b/src/transaction.cc @@ -453,7 +453,7 @@ int Transaction::processRequestHeaders() { debug(4, "Starting phase REQUEST_HEADERS. (SecRules 1)"); #endif - if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) { + if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) { #ifndef NO_LOGS debug(4, "Rule engine disabled, returning..."); #endif @@ -618,7 +618,7 @@ int Transaction::processRequestBody() { debug(4, "Starting phase REQUEST_BODY. (SecRules 2)"); #endif - if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) { + if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) { #ifndef NO_LOGS debug(4, "Rule engine disabled, returning..."); #endif @@ -800,7 +800,8 @@ int Transaction::requestBodyFromFile(const char *path) { #ifndef NO_LOGS debug(9, "Adding request body: " + std::to_string(len) + " bytes. " \ - "Limit set to: " + std::to_string(this->m_rules->requestBodyLimit)); + "Limit set to: " + + std::to_string(this->m_rules->m_requestBodyLimit.m_value)); #endif return appendRequestBody(reinterpret_cast(buf), len); @@ -811,18 +812,20 @@ int Transaction::appendRequestBody(const unsigned char *buf, size_t len) { #ifndef NO_LOGS debug(9, "Appending request body: " + std::to_string(len) + " bytes. " \ - "Limit set to: " + std::to_string(this->m_rules->requestBodyLimit)); + "Limit set to: " + + std::to_string(this->m_rules->m_requestBodyLimit.m_value)); #endif - if (this->m_rules->requestBodyLimit > 0 - && this->m_rules->requestBodyLimit < len + current_size) { + if (this->m_rules->m_requestBodyLimit.m_value > 0 + && this->m_rules->m_requestBodyLimit.m_value < len + current_size) { m_collections.store("INBOUND_DATA_ERROR", "1"); #ifndef NO_LOGS debug(5, "Request body is bigger than the maximum expected."); #endif - if (this->m_rules->requestBodyLimitAction == + if (this->m_rules->m_requestBodyLimitAction == Rules::BodyLimitAction::ProcessPartialBodyLimitAction) { - size_t spaceLeft = this->m_rules->requestBodyLimit - current_size; + size_t spaceLeft = this->m_rules->m_requestBodyLimit.m_value + - current_size; this->m_requestBody.write(reinterpret_cast(buf), spaceLeft); #ifndef NO_LOGS @@ -830,7 +833,7 @@ int Transaction::appendRequestBody(const unsigned char *buf, size_t len) { #endif return false; } else { - if (this->m_rules->requestBodyLimitAction == + if (this->m_rules->m_requestBodyLimitAction == Rules::BodyLimitAction::RejectBodyLimitAction) { #ifndef NO_LOGS debug(5, "Request body limit is marked to reject the " \ @@ -876,7 +879,7 @@ int Transaction::processResponseHeaders(int code, const std::string& proto) { this->m_collections.store("STATUS", std::to_string(code)); m_collections.store("RESPONSE_PROTOCOL", proto); - if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) { + if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) { #ifndef NO_LOGS debug(4, "Rule engine disabled, returning..."); #endif @@ -997,7 +1000,7 @@ int Transaction::processResponseBody() { debug(4, "Starting phase RESPONSE_BODY. (SecRules 4)"); #endif - if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) { + if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) { #ifndef NO_LOGS debug(4, "Rule engine disabled, returning..."); #endif @@ -1067,18 +1070,19 @@ int Transaction::appendResponseBody(const unsigned char *buf, size_t len) { #ifndef NO_LOGS debug(9, "Appending response body: " + std::to_string(len + current_size) + " bytes. Limit set to: " + - std::to_string(this->m_rules->responseBodyLimit)); + std::to_string(this->m_rules->m_responseBodyLimit.m_value)); #endif - if (this->m_rules->responseBodyLimit > 0 - && this->m_rules->responseBodyLimit < len + current_size) { + if (this->m_rules->m_responseBodyLimit.m_value > 0 + && this->m_rules->m_responseBodyLimit.m_value < len + current_size) { m_collections.store("OUTBOUND_DATA_ERROR", "1"); #ifndef NO_LOGS debug(5, "Response body is bigger than the maximum expected."); #endif - if (this->m_rules->responseBodyLimitAction == + if (this->m_rules->m_responseBodyLimitAction == Rules::BodyLimitAction::ProcessPartialBodyLimitAction) { - size_t spaceLeft = this->m_rules->responseBodyLimit - current_size; + size_t spaceLeft = this->m_rules->m_responseBodyLimit.m_value \ + - current_size; this->m_responseBody.write(reinterpret_cast(buf), spaceLeft); #ifndef NO_LOGS @@ -1086,7 +1090,7 @@ int Transaction::appendResponseBody(const unsigned char *buf, size_t len) { #endif return false; } else { - if (this->m_rules->responseBodyLimitAction == + if (this->m_rules->m_responseBodyLimitAction == Rules::BodyLimitAction::RejectBodyLimitAction) { #ifndef NO_LOGS debug(5, "Response body limit is marked to reject the " \ @@ -1171,7 +1175,7 @@ int Transaction::processLogging() { debug(4, "Starting phase LOGGING. (SecRules 5)"); #endif - if (m_rules->secRuleEngine == Rules::DisabledRuleEngine) { + if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) { #ifndef NO_LOGS debug(4, "Rule engine disabled, returning..."); #endif @@ -1181,7 +1185,7 @@ int Transaction::processLogging() { this->m_rules->evaluate(ModSecurity::LoggingPhase, this); /* If relevant, save this transaction information at the audit_logs */ - if (m_rules != NULL && m_rules->audit_log != NULL) { + if (m_rules != NULL && m_rules->m_auditLog != NULL) { int parts = -1; #ifndef NO_LOGS debug(8, "Checking if this request is suitable to be " \ @@ -1193,17 +1197,17 @@ int Transaction::processLogging() { debug(4, "There was an audit log modifier for this transaction."); #endif std::list>::iterator it; - parts = this->m_rules->audit_log->m_parts; + parts = this->m_rules->m_auditLog->m_parts; debug(7, "AuditLog parts before modification(s): " + std::to_string(parts) + "."); for (it = m_auditLogModifier.begin(); it != m_auditLogModifier.end(); ++it) { std::pair p = *it; if (p.first == 0) { // Add - parts = this->m_rules->audit_log->addParts(parts, + parts = this->m_rules->m_auditLog->addParts(parts, p.second); } else { // Remove - parts = this->m_rules->audit_log->removeParts(parts, + parts = this->m_rules->m_auditLog->removeParts(parts, p.second); } } @@ -1216,7 +1220,7 @@ int Transaction::processLogging() { #endif debug(8, "Checking if this request is relevant to be " \ "part of the audit logs."); - bool saved = this->m_rules->audit_log->saveIfRelevant(this, parts); + bool saved = this->m_rules->m_auditLog->saveIfRelevant(this, parts); if (saved) { #ifndef NO_LOGS debug(8, "Request was relevant to be saved. Parts: " + @@ -1497,7 +1501,7 @@ std::string Transaction::toJSON(int parts) { /* producer > engine state */ LOGFY_ADD("secrules_engine", - Rules::ruleEngineStateString(m_rules->secRuleEngine)); + Rules::ruleEngineStateString(m_rules->m_secRuleEngine)); /* producer > components */ yajl_gen_string(g, @@ -1505,7 +1509,7 @@ std::string Transaction::toJSON(int parts) { strlen("components")); yajl_gen_array_open(g); - for (auto a : m_rules->components) { + for (auto a : m_rules->m_components) { yajl_gen_string(g, reinterpret_cast (a.c_str()), a.length()); diff --git a/test/benchmark/benchmark.cc b/test/benchmark/benchmark.cc index f1a625df..a234433e 100644 --- a/test/benchmark/benchmark.cc +++ b/test/benchmark/benchmark.cc @@ -81,7 +81,7 @@ int main(int argc, char *argv[]) { rules = new modsecurity::Rules(); if (rules->loadFromUri(rules_file) < 0) { std::cout << "Problems loading the rules..." << std::endl; - std::cout << rules->parserError.str() << std::endl; + std::cout << rules->m_parserError.str() << std::endl; return -1; }