PoC: Adds support to direct access on ARGS collection

2025-08-13 21:36:00 +03:00 · 2017-01-24 10:00:16 -03:00 · 2017-01-24 10:00:16 -03:00 · ca24b6bb06
commit ca24b6bb06
parent 17e5a63577
14 changed files with 2976 additions and 2732 deletions
--- a/headers/modsecurity/rule.h
+++ b/headers/modsecurity/rule.h
@ -18,6 +18,7 @@
 #include <vector>
 #include <string>
 #include <list>
+#include <memory>
 #endif

 #ifndef HEADERS_MODSECURITY_RULE_H_
--- a/headers/modsecurity/transaction.h
+++ b/headers/modsecurity/transaction.h
@ -25,6 +25,7 @@
 #include <unordered_map>
 #include <utility>
 #include <vector>
+#include <memory>
 #endif

 #include <stdlib.h>
@ -87,6 +88,77 @@ class Operator;
 }


+struct MyEqual {
+    bool operator()(const std::string& Left, const std::string& Right) const {
+        return Left.size() == Right.size()
+             && std::equal(Left.begin(), Left.end(), Right.begin(),
+            [](char a, char b) {
+            return tolower(a) == tolower(b);
+        });
+    }
+};
+
+struct MyHash{
+    size_t operator()(const std::string& Keyval) const {
+        // You might need a better hash function than this
+        size_t h = 0;
+        std::for_each(Keyval.begin(), Keyval.end(), [&](char c) {
+            h += tolower(c);
+        });
+        return h;
+    }
+};
+
+class AnchoredSetVariable : public std::unordered_multimap<std::string,
+	collection::Variable *, MyHash, MyEqual> {
+ public:
+    AnchoredSetVariable(Transaction *t, std::string name)
+        : m_name(""),
+        m_transaction(t) {
+            m_name.append(name);
+        }
+
+    ~AnchoredSetVariable() {
+        for (const auto& x : *this) {
+            collection::Variable *var = x.second;
+            delete var->m_key;
+            delete var;
+        }
+    }
+
+    void set(const std::string &key, const std::string &value,
+        size_t offset) {
+        std::string *v = new std::string(value);
+        std::string *k = new std::string(m_name + ":" + key);
+
+        collection::Variable *var = new collection::Variable(k, v);
+        var->m_dynamic_value = true;
+        var->m_dynamic = false;
+        emplace(key, var);
+    }
+
+    void resolve(std::vector<const collection::Variable *> *l) {
+        for (const auto& x : *this) {
+            l->insert(l->begin(), x.second);
+        }
+    }
+
+    void resolve(const std::string &key,
+        std::vector<const collection::Variable *> *l) {
+        auto range = this->equal_range(key);
+        for (auto it = range.first; it != range.second; ++it) {
+            l->push_back(it->second);
+        }
+    }
+
+    void resolveRegularExpression(const std::string &var,
+        std::vector<const collection::Variable *> *l);
+
+    Transaction *m_transaction;
+    std::string m_name;
+};
+
+
 class AnchoredVariable {
 public:
    AnchoredVariable(Transaction *t, std::string name)
@ -213,7 +285,8 @@ class TransactionAnchoredVariables {
        m_variableUniqueID(t, "UNIQUE_ID"),
        m_variableUrlEncodedError(t, "URLENCODED_ERROR"),
        m_variableUserID(t, "USERID"),
-        m_variableOffset(0)
+        m_variableOffset(0),
+        m_variableArgs(t, "ARGS")
        { }

    AnchoredVariable m_variableArgsNames;
@ -272,6 +345,8 @@ class TransactionAnchoredVariables {
    AnchoredVariable m_variableUrlEncodedError;
    AnchoredVariable m_variableUserID;

+    AnchoredSetVariable m_variableArgs;
+
    int m_variableOffset;
 };

--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -242,6 +242,7 @@ libmodsecurity_la_SOURCES = \
 	parser/seclang-scanner.cc \
 	parser/driver.cc \
 	transaction.cc \
+	anchored_set_variable.cc \
 	audit_log/audit_log.cc \
 	audit_log/writer/writer.cc \
 	audit_log/writer/https.cc \
--- a/src/actions/ctl/audit_log_parts.cc
+++ b/src/actions/ctl/audit_log_parts.cc
@ -17,6 +17,7 @@

 #include <iostream>
 #include <string>
+#include <utility>

 #include "modsecurity/transaction.h"

--- a/src/actions/ctl/rule_remove_target_by_id.cc
+++ b/src/actions/ctl/rule_remove_target_by_id.cc
@ -18,6 +18,7 @@
 #include <iostream>
 #include <string>
 #include <vector>
+#include <utility>

 #include "modsecurity/transaction.h"
 #include "src/utils/string.h"
--- a/src/actions/ctl/rule_remove_target_by_tag.cc
+++ b/src/actions/ctl/rule_remove_target_by_tag.cc
@ -18,6 +18,7 @@
 #include <iostream>
 #include <string>
 #include <vector>
+#include <utility>

 #include "modsecurity/transaction.h"
 #include "src/utils/string.h"
--- a/src/anchored_set_variable.cc
+++ b/src/anchored_set_variable.cc
@ -0,0 +1,45 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "modsecurity/transaction.h"
+
+#include <ctime>
+#include <iostream>
+#include <fstream>
+#include <string>
+#include <vector>
+
+#include "modsecurity/modsecurity.h"
+#include "modsecurity/transaction.h"
+#include "src/utils/regex.h"
+
+namespace modsecurity {
+
+
+void AnchoredSetVariable::resolveRegularExpression(const std::string &var,
+    std::vector<const collection::Variable *> *l) {
+    Utils::Regex *r = new Utils::Regex(var);
+    for (const auto& x : *this) {
+        int ret = Utils::regex_search(x.first, *r);
+        if (ret <= 0) {
+            continue;
+        }
+        l->insert(l->begin(), x.second);
+    }
+    delete r;
+}
+
+
+}  // namespace modsecurity
--- a/src/parser/seclang-parser.cc
+++ b/src/parser/seclang-parser.cc
--- a/src/parser/seclang-parser.hh
+++ b/src/parser/seclang-parser.hh
--- a/src/parser/seclang-parser.yy
+++ b/src/parser/seclang-parser.yy
@ -144,6 +144,7 @@ class Driver;
 #include "src/utils/geo_lookup.h"
 #include "src/utils/string.h"
 #include "src/utils/system.h"
+#include "src/variables/args.h"
 #include "src/variables/args_names.h"
 #include "src/variables/xml.h"
 #include "src/variables/args_combined_size.h"
@ -315,6 +316,7 @@ using modsecurity::operators::Operator;
  COMMA    ","
  PIPE
  NEW_LINE
+  VARIABLE_ARGS
  VARIABLE_ARGS_COMBINED_SIZE
  VARIABLE_ARGS_GET_NAMES
  VARIABLE_ARGS_NAMES           "Variable ARGS_NAMES"
@ -575,6 +577,8 @@ using modsecurity::operators::Operator;
  VARIABLE_COL                                 "VARIABLE_COL"
  VARIABLE_STATUS                              "VARIABLE_STATUS"
  VARIABLE_TX                                  "VARIABLE_TX"
+  DICT_ELEMENT                                 "Dictionary element"
+  DICT_ELEMENT_REGEXP                          "Dictionary element, selected by regexp"
 ;

 %type <std::unique_ptr<actions::Action>> act
@ -1256,6 +1260,21 @@ var:
        std::unique_ptr<Variable> c(new Variables::ArgsNames());
        $$ = std::move(c);
      }
+    | VARIABLE_ARGS DICT_ELEMENT
+      {
+        std::unique_ptr<Variable> c(new Variables::Args_DictElement($2));
+        $$ = std::move(c);
+      }
+    | VARIABLE_ARGS DICT_ELEMENT_REGEXP
+      {
+        std::unique_ptr<Variable> c(new Variables::Args_DictElementRegexp($2));
+        $$ = std::move(c);
+      }
+    | VARIABLE_ARGS
+      {
+        std::unique_ptr<Variable> c(new Variables::Args_NoDictElement());
+        $$ = std::move(c);
+      }
    | VARIABLE_ARGS_GET_NAMES
      {
        std::unique_ptr<Variable> c(new Variables::ArgsGetNames());
--- a/src/parser/seclang-scanner.ll
+++ b/src/parser/seclang-scanner.ll
@ -307,7 +307,8 @@ VARIABLE_USER_ID                          (?i:USERID)
 VARIABLE_WEBSERVER_ERROR_LOG              (?i:WEBSERVER_ERROR_LOG)


-VARIABLE_COL                            (?i:(ARGS_POST|ARGS_GET|ARGS|FILES_SIZES|FILES_NAMES|FILES_TMP_CONTENT|MULTIPART_FILENAME|MULTIPART_NAME|MATCHED_VARS_NAMES|MATCHED_VARS|FILES|REQUEST_COOKIES|REQUEST_HEADERS|RESPONSE_HEADERS|GEO|REQUEST_COOKIES_NAMES))
+VARIABLE_ARGS                           (?i:ARGS)
+VARIABLE_COL                            (?i:(ARGS_POST|ARGS_GET|FILES_SIZES|FILES_NAMES|FILES_TMP_CONTENT|MULTIPART_FILENAME|MULTIPART_NAME|MATCHED_VARS_NAMES|MATCHED_VARS|FILES|REQUEST_COOKIES|REQUEST_HEADERS|RESPONSE_HEADERS|GEO|REQUEST_COOKIES_NAMES))
 VARIABLE_SESSION                        (?i:(SESSION))
 VARIABLE_IP                             (?i:(IP))
 VARIABLE_USER                           (?i:(USER))
@ -331,6 +332,7 @@ EQUALS_MINUS                            (?i:=\-)
 %x TRANSACTION_FROM_VARIABLE_TO_OPERATOR
 %x EXPECTING_OPERATOR
 %x COMMENT
+%x EXPECTING_VAR_PARAMETER
 %x EXPECTING_PARAMETER
 %x EXPECTING_ACTIONS
 %x TRANSACTION_FROM_OPERATOR_TO_ACTIONS
@ -723,6 +725,15 @@ EQUALS_MINUS                            (?i:=\-)
 {VARIABLE_URL_ENCODED_ERROR}                { return p::make_VARIABLE_URL_ENCODED_ERROR(*driver.loc.back()); }
 {VARIABLE_USER_ID}                          { return p::make_VARIABLE_USER_ID(*driver.loc.back()); }

+{VARIABLE_ARGS}                             { return p::make_VARIABLE_ARGS(*driver.loc.back()); }
+{VARIABLE_ARGS}[:]                          { BEGIN(EXPECTING_VAR_PARAMETER); return p::make_VARIABLE_ARGS(*driver.loc.back()); }
+}
+
+
+<EXPECTING_VAR_PARAMETER>{
+[\/]{DICT_ELEMENT}[\/]                        { BEGIN(EXPECTING_VARIABLE); return p::make_DICT_ELEMENT_REGEXP(yytext, *driver.loc.back()); }
+{DICT_ELEMENT}                                { BEGIN(EXPECTING_VARIABLE); return p::make_DICT_ELEMENT(yytext, *driver.loc.back()); }
+.                                             { BEGIN(LEXING_ERROR_ACTION); yyless(0); }
 }

 <EXPECTING_VARIABLE,TRANSACTION_FROM_VARIABLE_TO_OPERATOR>{
--- a/src/request_body_processor/multipart.cc
+++ b/src/request_body_processor/multipart.cc
@ -1012,8 +1012,8 @@ int Multipart::multipart_complete(std::string *error) {
        } else {
            debug(4, "Adding request argument (BODY): name \"" +
                m->m_name + "\", value \"" + m->m_value + "\"");
-            m_transaction->m_collections.store("ARGS:" + m->m_name,
-                m->m_value);
+            m_transaction->m_variableArgs.set(m->m_name, m->m_value,
+                m_transaction->m_variableOffset);
            m_transaction->m_collections.store("ARGS_POST:" + m->m_name,
                m->m_value);
        }
--- a/src/request_body_processor/multipart.h
+++ b/src/request_body_processor/multipart.h
@ -16,6 +16,7 @@
 #include <string>
 #include <iostream>
 #include <list>
+#include <unordered_map>

 #ifndef SRC_REQUEST_BODY_PROCESSOR_MULTIPART_H_
 #define SRC_REQUEST_BODY_PROCESSOR_MULTIPART_H_
--- a/src/transaction.cc
+++ b/src/transaction.cc
@ -288,7 +288,7 @@ bool Transaction::addArgument(const std::string& orig, const std::string& key,
    debug(4, "Adding request argument (" + orig + "): name \"" + \
                key + "\", value \"" + value + "\"");

-    m_collections.store("ARGS:" + key, value);
+    m_variableArgs.set(key, value, m_variableOffset);

    if (orig == "GET") {
        m_collections.store("ARGS_GET:" + key, value);