Check for disruptive action on SecDefaultAction

2025-08-13 13:26:01 +03:00 · 2018-02-28 13:57:41 -03:00 · 2018-02-28 13:57:41 -03:00 · c8666fae31
commit c8666fae31
parent 6842d4bba8
5 changed files with 774 additions and 680 deletions
--- a/2
+++ b/2
@ -1,6 +1,8 @@
 v3.0.x - YYYY-MMM-DD (To be released)
 -------------------------------------

+ - Check for disruptive action on SecDefaultAction.
+   [Issue #1614 - @zimmerle, @michaelgranzow-avi]
 - Fix block-block infinite loop.
   [Issue #1614 - @zimmerle, @michaelgranzow-avi]
 - Correction remove_by_tag and remove_by_msg logic.
--- a/src/parser/seclang-parser.cc
+++ b/src/parser/seclang-parser.cc
--- a/src/parser/seclang-parser.yy
+++ b/src/parser/seclang-parser.yy
@ -1145,6 +1145,7 @@ expression:
      }
    | CONFIG_DIR_SEC_DEFAULT_ACTION actions
      {
+        bool hasDisruptive = false;
        std::vector<actions::Action *> *actions = new std::vector<actions::Action *>();
        for (auto &i : *$2.get()) {
            actions->push_back(i.release());
@ -1154,6 +1155,9 @@ expression:
        int secRuleDefinedPhase = -1;
        for (actions::Action *a : *actions) {
            actions::Phase *phase = dynamic_cast<actions::Phase *>(a);
+            if (a->isDisruptive() == true && dynamic_cast<actions::disruptive::Block *>(a) == NULL) {
+                hasDisruptive = true;
+            }
            if (phase != NULL) {
                definedPhase = phase->m_phase;
                secRuleDefinedPhase = phase->m_secRulesPhase;
@ -1175,6 +1179,11 @@ expression:
            definedPhase = modsecurity::Phases::RequestHeadersPhase;
        }

+        if (hasDisruptive == false) {
+            driver.error(@0, "SecDefaultAction must specify a disruptive action.");
+            YYERROR;
+        }
+
        if (!driver.m_defaultActions[definedPhase].empty()) {
            std::stringstream ss;
            ss << "SecDefaultActions can only be placed once per phase and configuration context. Phase ";
@ -1184,6 +1193,10 @@ expression:
            YYERROR;
        }

+        for (actions::Action *a : checkedActions) {
+            
+        }
+
        for (actions::Action *a : checkedActions) {
            driver.m_defaultActions[definedPhase].push_back(a);
        }
--- a/test/test-cases/regression/action-block.json
+++ b/test/test-cases/regression/action-block.json
@ -0,0 +1,66 @@
+[
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing 'block' action without desruptive action",
+    "expected":{
+      "parser_error": "Line: 1. Column: 16. SecDefaultAction must specify a disruptive action."
+    },
+    "client":{
+      "ip":"200.249.12.31",
+      "port":12300
+    },
+    "request":{
+      "headers":{
+        "Host":"a.b.com",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "User-Agent":"My sweet little browser",
+        "Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120"
+      },
+      "uri":"/path1",
+      "method":"GET"
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecDefaultAction \"phase:1,log,block,status:404\"",
+      "SecRule REQUEST_URI \"@contains path1\" \"phase:1,block,id:5\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing 'block' action with desruptive action",
+    "expected":{
+      "http_code": 400
+    },
+    "client":{
+      "ip":"200.249.12.31",
+      "port":12300
+    },
+    "request":{
+      "headers":{
+        "Host":"a.b.com",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "User-Agent":"My sweet little browser",
+        "Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120"
+      },
+      "uri":"/path1",
+      "method":"GET"
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecDefaultAction \"phase:1,log,block,deny,status:400\"",
+      "SecRule REQUEST_URI \"@contains path1\" \"phase:1,block,id:5\""
+    ]
+  }
+]
--- a/test/test-cases/regression/config-secdefaultaction.json
+++ b/test/test-cases/regression/config-secdefaultaction.json
@ -53,7 +53,7 @@
    },
    "rules":[
      "SecRuleEngine On",
-      "SecDefaultAction \"phase:2,t:lowercase\"",
+      "SecDefaultAction \"phase:2,t:lowercase,pass\"",
      "SecRule REQUEST_HEADERS \"@contains PHPSESSID\" \"phase:2,id:1,msg:'This is a test, %{REQUEST_HEADERS:Accept}%'\"",
      "SecRule TX \"@contains to_test\" \"id:2,t:lowercase,t:none\""
    ]
@ -112,7 +112,7 @@
    },
    "rules":[
      "SecRuleEngine On",
-      "SecDefaultAction \"phase:2,t:lowercase\"",
+      "SecDefaultAction \"phase:2,t:lowercase,pass\"",
      "SecRule REQUEST_HEADERS \"@contains PHPSESSID\" \"t:none,phase:2,id:1,msg:'This is a test, %{REQUEST_HEADERS:Accept}%'\"",
      "SecRule TX \"@contains to_test\" \"id:2,t:lowercase,t:none\""
    ]
@ -277,8 +277,8 @@
    },
    "rules":[
      "SecRuleEngine On",
-      "SecDefaultAction \"phase:2,log,auditlog,status:302\"",
-      "SecRule REQUEST_HEADERS \"@contains PHPSESSID\" \"phase:2,id:1,redirect:'http://www.google.com'\"",
+      "SecDefaultAction \"phase:2,log,auditlog,status:302,redirect:'http://www.google.com'\"",
+      "SecRule REQUEST_HEADERS \"@contains PHPSESSID\" \"phase:2,id:1\"",
      "SecRule TX \"@contains to_test\" \"id:2,t:lowercase,t:none\""
    ]
  }