PoC: Adds support to direct access on ARGS collection

headers/modsecurity/rule.h

@@ -18,6 +18,7 @@
 #include <vector>
 #include <string>
 #include <list>
+#include <memory>
 #endif
 
 #ifndef HEADERS_MODSECURITY_RULE_H_

headers/modsecurity/transaction.h

@@ -25,6 +25,7 @@
 #include <unordered_map>
 #include <utility>
 #include <vector>
+#include <memory>
 #endif
 
 #include <stdlib.h>
@@ -87,6 +88,77 @@ class Operator;
 }
 
 
+struct MyEqual {
+    bool operator()(const std::string& Left, const std::string& Right) const {
+        return Left.size() == Right.size()
+             && std::equal(Left.begin(), Left.end(), Right.begin(),
+            [](char a, char b) {
+            return tolower(a) == tolower(b);
+        });
+    }
+};
+
+struct MyHash{
+    size_t operator()(const std::string& Keyval) const {
+        // You might need a better hash function than this
+        size_t h = 0;
+        std::for_each(Keyval.begin(), Keyval.end(), [&](char c) {
+            h += tolower(c);
+        });
+        return h;
+    }
+};
+
+class AnchoredSetVariable : public std::unordered_multimap<std::string,
+	collection::Variable *, MyHash, MyEqual> {
+ public:
+    AnchoredSetVariable(Transaction *t, std::string name)
+        : m_name(""),
+        m_transaction(t) {
+            m_name.append(name);
+        }
+
+    ~AnchoredSetVariable() {
+        for (const auto& x : *this) {
+            collection::Variable *var = x.second;
+            delete var->m_key;
+            delete var;
+        }
+    }
+
+    void set(const std::string &key, const std::string &value,
+        size_t offset) {
+        std::string *v = new std::string(value);
+        std::string *k = new std::string(m_name + ":" + key);
+
+        collection::Variable *var = new collection::Variable(k, v);
+        var->m_dynamic_value = true;
+        var->m_dynamic = false;
+        emplace(key, var);
+    }
+
+    void resolve(std::vector<const collection::Variable *> *l) {
+        for (const auto& x : *this) {
+            l->insert(l->begin(), x.second);
+        }
+    }
+
+    void resolve(const std::string &key,
+        std::vector<const collection::Variable *> *l) {
+        auto range = this->equal_range(key);
+        for (auto it = range.first; it != range.second; ++it) {
+            l->push_back(it->second);
+        }
+    }
+
+    void resolveRegularExpression(const std::string &var,
+        std::vector<const collection::Variable *> *l);
+
+    Transaction *m_transaction;
+    std::string m_name;
+};
+
+
 class AnchoredVariable {
  public:
     AnchoredVariable(Transaction *t, std::string name)
@@ -213,7 +285,8 @@ class TransactionAnchoredVariables {
         m_variableUniqueID(t, "UNIQUE_ID"),
         m_variableUrlEncodedError(t, "URLENCODED_ERROR"),
         m_variableUserID(t, "USERID"),
-        m_variableOffset(0)
+        m_variableOffset(0),
+        m_variableArgs(t, "ARGS")
         { }
 
     AnchoredVariable m_variableArgsNames;
@@ -272,6 +345,8 @@ class TransactionAnchoredVariables {
     AnchoredVariable m_variableUrlEncodedError;
     AnchoredVariable m_variableUserID;
 
+    AnchoredSetVariable m_variableArgs;
+
     int m_variableOffset;
 };
 

src/Makefile.am

@@ -242,6 +242,7 @@ libmodsecurity_la_SOURCES = \
 	parser/seclang-scanner.cc \
 	parser/driver.cc \
 	transaction.cc \
+	anchored_set_variable.cc \
 	audit_log/audit_log.cc \
 	audit_log/writer/writer.cc \
 	audit_log/writer/https.cc \

src/actions/ctl/audit_log_parts.cc

@@ -17,6 +17,7 @@
 
 #include <iostream>
 #include <string>
+#include <utility>
 
 #include "modsecurity/transaction.h"
 

src/actions/ctl/rule_remove_target_by_id.cc

@@ -18,6 +18,7 @@
 #include <iostream>
 #include <string>
 #include <vector>
+#include <utility>
 
 #include "modsecurity/transaction.h"
 #include "src/utils/string.h"

src/actions/ctl/rule_remove_target_by_tag.cc

@@ -18,6 +18,7 @@
 #include <iostream>
 #include <string>
 #include <vector>
+#include <utility>
 
 #include "modsecurity/transaction.h"
 #include "src/utils/string.h"

src/anchored_set_variable.cc

@@ -0,0 +1,45 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "modsecurity/transaction.h"
+
+#include <ctime>
+#include <iostream>
+#include <fstream>
+#include <string>
+#include <vector>
+
+#include "modsecurity/modsecurity.h"
+#include "modsecurity/transaction.h"
+#include "src/utils/regex.h"
+
+namespace modsecurity {
+
+
+void AnchoredSetVariable::resolveRegularExpression(const std::string &var,
+    std::vector<const collection::Variable *> *l) {
+    Utils::Regex *r = new Utils::Regex(var);
+    for (const auto& x : *this) {
+        int ret = Utils::regex_search(x.first, *r);
+        if (ret <= 0) {
+            continue;
+        }
+        l->insert(l->begin(), x.second);
+    }
+    delete r;
+}
+
+
+}  // namespace modsecurity

src/parser/seclang-parser.yy

@@ -144,6 +144,7 @@ class Driver;
 #include "src/utils/geo_lookup.h"
 #include "src/utils/string.h"
 #include "src/utils/system.h"
+#include "src/variables/args.h"
 #include "src/variables/args_names.h"
 #include "src/variables/xml.h"
 #include "src/variables/args_combined_size.h"
@@ -315,6 +316,7 @@ using modsecurity::operators::Operator;
   COMMA    ","
   PIPE
   NEW_LINE
+  VARIABLE_ARGS
   VARIABLE_ARGS_COMBINED_SIZE
   VARIABLE_ARGS_GET_NAMES
   VARIABLE_ARGS_NAMES           "Variable ARGS_NAMES"
@@ -575,6 +577,8 @@ using modsecurity::operators::Operator;
   VARIABLE_COL                                 "VARIABLE_COL"
   VARIABLE_STATUS                              "VARIABLE_STATUS"
   VARIABLE_TX                                  "VARIABLE_TX"
+  DICT_ELEMENT                                 "Dictionary element"
+  DICT_ELEMENT_REGEXP                          "Dictionary element, selected by regexp"
 ;
 
 %type <std::unique_ptr<actions::Action>> act
@@ -1256,6 +1260,21 @@ var:
         std::unique_ptr<Variable> c(new Variables::ArgsNames());
         $$ = std::move(c);
       }
+    | VARIABLE_ARGS DICT_ELEMENT
+      {
+        std::unique_ptr<Variable> c(new Variables::Args_DictElement($2));
+        $$ = std::move(c);
+      }
+    | VARIABLE_ARGS DICT_ELEMENT_REGEXP
+      {
+        std::unique_ptr<Variable> c(new Variables::Args_DictElementRegexp($2));
+        $$ = std::move(c);
+      }
+    | VARIABLE_ARGS
+      {
+        std::unique_ptr<Variable> c(new Variables::Args_NoDictElement());
+        $$ = std::move(c);
+      }
     | VARIABLE_ARGS_GET_NAMES
       {
         std::unique_ptr<Variable> c(new Variables::ArgsGetNames());

src/parser/seclang-scanner.ll

@@ -307,7 +307,8 @@ VARIABLE_USER_ID                          (?i:USERID)
 VARIABLE_WEBSERVER_ERROR_LOG              (?i:WEBSERVER_ERROR_LOG)
 
 
-VARIABLE_COL                            (?i:(ARGS_POST|ARGS_GET|ARGS|FILES_SIZES|FILES_NAMES|FILES_TMP_CONTENT|MULTIPART_FILENAME|MULTIPART_NAME|MATCHED_VARS_NAMES|MATCHED_VARS|FILES|REQUEST_COOKIES|REQUEST_HEADERS|RESPONSE_HEADERS|GEO|REQUEST_COOKIES_NAMES))
+VARIABLE_ARGS                           (?i:ARGS)
+VARIABLE_COL                            (?i:(ARGS_POST|ARGS_GET|FILES_SIZES|FILES_NAMES|FILES_TMP_CONTENT|MULTIPART_FILENAME|MULTIPART_NAME|MATCHED_VARS_NAMES|MATCHED_VARS|FILES|REQUEST_COOKIES|REQUEST_HEADERS|RESPONSE_HEADERS|GEO|REQUEST_COOKIES_NAMES))
 VARIABLE_SESSION                        (?i:(SESSION))
 VARIABLE_IP                             (?i:(IP))
 VARIABLE_USER                           (?i:(USER))
@@ -331,6 +332,7 @@ EQUALS_MINUS                            (?i:=\-)
 %x TRANSACTION_FROM_VARIABLE_TO_OPERATOR
 %x EXPECTING_OPERATOR
 %x COMMENT
+%x EXPECTING_VAR_PARAMETER
 %x EXPECTING_PARAMETER
 %x EXPECTING_ACTIONS
 %x TRANSACTION_FROM_OPERATOR_TO_ACTIONS
@@ -723,6 +725,15 @@ EQUALS_MINUS                            (?i:=\-)
 {VARIABLE_URL_ENCODED_ERROR}                { return p::make_VARIABLE_URL_ENCODED_ERROR(*driver.loc.back()); }
 {VARIABLE_USER_ID}                          { return p::make_VARIABLE_USER_ID(*driver.loc.back()); }
 
+{VARIABLE_ARGS}                             { return p::make_VARIABLE_ARGS(*driver.loc.back()); }
+{VARIABLE_ARGS}[:]                          { BEGIN(EXPECTING_VAR_PARAMETER); return p::make_VARIABLE_ARGS(*driver.loc.back()); }
+}
+
+
+<EXPECTING_VAR_PARAMETER>{
+[\/]{DICT_ELEMENT}[\/]                        { BEGIN(EXPECTING_VARIABLE); return p::make_DICT_ELEMENT_REGEXP(yytext, *driver.loc.back()); }
+{DICT_ELEMENT}                                { BEGIN(EXPECTING_VARIABLE); return p::make_DICT_ELEMENT(yytext, *driver.loc.back()); }
+.                                             { BEGIN(LEXING_ERROR_ACTION); yyless(0); }
 }
 
 <EXPECTING_VARIABLE,TRANSACTION_FROM_VARIABLE_TO_OPERATOR>{

src/request_body_processor/multipart.cc

@@ -1012,8 +1012,8 @@ int Multipart::multipart_complete(std::string *error) {
         } else {
             debug(4, "Adding request argument (BODY): name \"" +
                 m->m_name + "\", value \"" + m->m_value + "\"");
-            m_transaction->m_collections.store("ARGS:" + m->m_name,
+            m_transaction->m_variableArgs.set(m->m_name, m->m_value,
-                m->m_value);
+                m_transaction->m_variableOffset);
             m_transaction->m_collections.store("ARGS_POST:" + m->m_name,
                 m->m_value);
         }

src/request_body_processor/multipart.h

@@ -16,6 +16,7 @@
 #include <string>
 #include <iostream>
 #include <list>
+#include <unordered_map>
 
 #ifndef SRC_REQUEST_BODY_PROCESSOR_MULTIPART_H_
 #define SRC_REQUEST_BODY_PROCESSOR_MULTIPART_H_

src/transaction.cc

@@ -288,7 +288,7 @@ bool Transaction::addArgument(const std::string& orig, const std::string& key,
     debug(4, "Adding request argument (" + orig + "): name \"" + \
                 key + "\", value \"" + value + "\"");
 
-    m_collections.store("ARGS:" + key, value);
+    m_variableArgs.set(key, value, m_variableOffset);
 
     if (orig == "GET") {
         m_collections.store("ARGS_GET:" + key, value);