Adds support for the exec action

CHANGES

@@ -2,6 +2,8 @@
 v3.0.????? - ?
 ---------------------------
 
+ - Adds support for the exec action.
+   [Issue #1050 - @zimmerle]
  - Adds support for transformations inside Lua engine
    [Issue #994 - @zimmerle]
  - Adds initial support for Lua engine.

Makefile.am

@@ -287,4 +287,5 @@ TESTS+=test/test-cases/regression/misc-variable-under-quotes.json
 TESTS+=test/test-cases/regression/operator-fuzzyhash.json
 TESTS+=test/test-cases/regression/collection-resource.json
 TESTS+=test/test-cases/regression/operator-inpectFile.json
+TESTS+=test/test-cases/regression/action-exec.json
 

src/Makefile.am

@@ -121,6 +121,7 @@ ACTIONS = \
 	actions/disruptive/deny.cc \
 	actions/disruptive/redirect.cc \
 	actions/disruptive/pass.cc \
+	actions/exec.cc \
 	actions/init_col.cc \
 	actions/log.cc \
 	actions/log_data.cc \
@@ -273,6 +274,7 @@ libmodsecurity_la_SOURCES = \
 	macro_expansion.cc \
 	rule.cc \
 	rule_message.cc \
+	rule_script.cc \
 	unique_id.cc \
 	rules_exceptions.cc \
 	${BODY_PROCESSORS} \

src/actions/exec.cc

@@ -0,0 +1,61 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "src/actions/exec.h"
+
+#include <iostream>
+#include <string>
+
+#include "modsecurity/actions/action.h"
+#include "modsecurity/transaction.h"
+#include "modsecurity/rule.h"
+#include "src/macro_expansion.h"
+#include "src/utils/system.h"
+#include "src/engine/lua.h"
+
+
+namespace modsecurity {
+namespace actions {
+
+
+bool Exec::init(std::string *error) {
+    std::string err;
+
+    m_script = utils::find_resource(m_parser_payload, "", &err);
+
+    if (m_script.size() == 0) {
+        error->assign("exec: Script not found: " + err);
+        return false;
+    }
+
+    if (engine::Lua::isCompatible(m_script, &m_lua, &err) == false) {
+        error->assign("exec: " + err);
+        return false;
+    }
+
+    return true;
+}
+
+
+bool Exec::evaluate(Rule *rule, Transaction *t) {
+    t->debug(8, "Running script... " + m_script);
+
+    m_lua.run(t);
+    return true;
+}
+
+
+}  // namespace actions
+}  // namespace modsecurity

src/actions/exec.h

@@ -0,0 +1,51 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include <string>
+
+#include "modsecurity/actions/action.h"
+#include "src/engine/lua.h"
+
+#ifndef SRC_ACTIONS_EXEC_H_
+#define SRC_ACTIONS_EXEC_H_
+
+class Transaction;
+
+namespace modsecurity {
+class Transaction;
+namespace actions {
+
+
+class Exec : public Action {
+ public:
+    explicit Exec(std::string action)
+        : Action(action),
+        m_script("") { }
+
+    ~Exec() { }
+
+    bool evaluate(Rule *rule, Transaction *transaction) override;
+    bool init(std::string *error) override;
+
+ private:
+    std::string m_script;
+    engine::Lua m_lua;
+};
+
+
+}  // namespace actions
+}  // namespace modsecurity
+
+#endif  // SRC_ACTIONS_EXEC_H_

src/parser/seclang-parser.hh

@@ -51,6 +51,7 @@ class Driver;
 }
 }
 
+#include "src/rule_script.h"
 
 #include "src/actions/accuracy.h"
 #include "src/actions/audit_log.h"
@@ -71,6 +72,7 @@ class Driver;
 #include "src/actions/disruptive/pass.h"
 #include "src/actions/disruptive/redirect.h"
 #include "src/actions/init_col.h"
+#include "src/actions/exec.h"
 #include "src/actions/log_data.h"
 #include "src/actions/log.h"
 #include "src/actions/maturity.h"
@@ -368,7 +370,7 @@ using modsecurity::operators::Operator;
 
 
 
-#line 372 "seclang-parser.hh" // lalr1.cc:377
+#line 374 "seclang-parser.hh" // lalr1.cc:377
 
 # include <cassert>
 # include <cstdlib> // std::abort
@@ -445,7 +447,7 @@ using modsecurity::operators::Operator;
 
 
 namespace yy {
-#line 449 "seclang-parser.hh" // lalr1.cc:377
+#line 451 "seclang-parser.hh" // lalr1.cc:377
 
 
 
@@ -5768,7 +5770,7 @@ namespace yy {
 
 
 } // yy
-#line 5772 "seclang-parser.hh" // lalr1.cc:377
+#line 5774 "seclang-parser.hh" // lalr1.cc:377
 
 
 

src/parser/seclang-parser.yy

@@ -17,6 +17,7 @@ class Driver;
 }
 }
 
+#include "src/rule_script.h"
 
 #include "src/actions/accuracy.h"
 #include "src/actions/audit_log.h"
@@ -37,6 +38,7 @@ class Driver;
 #include "src/actions/disruptive/pass.h"
 #include "src/actions/disruptive/redirect.h"
 #include "src/actions/init_col.h"
+#include "src/actions/exec.h"
 #include "src/actions/log_data.h"
 #include "src/actions/log.h"
 #include "src/actions/maturity.h"
@@ -1109,8 +1111,27 @@ expression:
       }
     | DIRECTIVE_SECRULESCRIPT actions
       {
-        driver.error(@0, "SecRuleScript is not yet supported.");
+        std::vector<actions::Action *> *a = new std::vector<actions::Action *>();
-        YYERROR;
+        for (auto &i : *$2.get()) {
+            a->push_back(i.release());
+        }
+
+        RuleScript *r = new RuleScript(
+            /* path to script */ $1,
+            /* actions */ a,
+            /* file name */ driver.ref.back(),
+            /* line number */ @0.end.line
+            );
+        std::string err;
+        if (r->init(&err) == false) {
+            driver.error(@0, "Failed to load script: " + err);
+            delete r;
+            YYERROR;
+        }
+        if (driver.addSecRuleScript(r) == false) {
+            delete r;
+            YYERROR;
+        }
       }
     | CONFIG_DIR_SEC_DEFAULT_ACTION actions
       {
@@ -2296,7 +2317,7 @@ act:
       }
     | ACTION_EXEC
       {
-        //ACTION_CONTAINER($$, new actions::Exec($1));
+        ACTION_CONTAINER($$, new actions::Exec($1));
       }
     | ACTION_EXPIRE_VAR
       {

test/test-cases/regression/action-exec.json

@@ -0,0 +1,145 @@
+[
+  {
+    "enabled":1,
+    "version_min":300000,
+    "version_max":0,
+    "title":"Testing action :: exec (1/3)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":2313
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "User-Agent":"Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)",
+        "Accept":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
+        "Accept-Language":"en-us,en;q=0.5",
+        "Accept-Encoding":"gzip,deflate",
+        "Accept-Charset":"ISO-8859-1,utf-8;q=0.7,*;q=0.7",
+        "Keep-Alive":"300",
+        "Connection":"keep-alive",
+        "Cookie":"PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
+        "Pragma":"no-cache",
+        "Cache-Control":"no-cache"
+      },
+      "uri":"\/test.pl?param1=   test   &param2=test2",
+      "method":"GET",
+      "http_version":1.1,
+      "body":""
+    },
+    "response":{
+      "headers":{
+        "Content-Type":"text\/xml; charset=utf-8\n\r",
+        "Content-Length":"length\n\r"
+      }
+    },
+    "expected":{
+      "audit_log":"",
+      "debug_log":"Saving msg: This is a test, text\/html,application",
+      "error_log":"",
+      "parser_error":"exec: Expecting a Lua script: /bin/ech"
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule REQUEST_HEADERS \"@contains PHPSESSID\" \"id:1,t:lowercase,t:none,exec:/bin/echo\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "version_max":0,
+    "title":"Testing action :: exec (2/2)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":2313
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "User-Agent":"Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)",
+        "Accept":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
+        "Accept-Language":"en-us,en;q=0.5",
+        "Accept-Encoding":"gzip,deflate",
+        "Accept-Charset":"ISO-8859-1,utf-8;q=0.7,*;q=0.7",
+        "Keep-Alive":"300",
+        "Connection":"keep-alive",
+        "Cookie":"PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
+        "Pragma":"no-cache",
+        "Cache-Control":"no-cache"
+      },
+      "uri":"\/test.pl?param1=   test   &param2=test2",
+      "method":"GET",
+      "http_version":1.1,
+      "body":""
+    },
+    "response":{
+      "headers":{
+        "Content-Type":"text\/xml; charset=utf-8\n\r",
+        "Content-Length":"length\n\r"
+      }
+    },
+    "expected":{
+      "audit_log":"",
+      "debug_log":"Running script... test-cases/data/test.lua",
+      "error_log":""
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule REQUEST_HEADERS:Cookie \"@contains PHPSESSID\" \"id:1,exec:test-cases/data/test.lua\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "version_max":0,
+    "title":"Testing action :: exec (3/3)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":2313
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "User-Agent":"Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)",
+        "Accept":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
+        "Accept-Language":"en-us,en;q=0.5",
+        "Accept-Encoding":"gzip,deflate",
+        "Accept-Charset":"ISO-8859-1,utf-8;q=0.7,*;q=0.7",
+        "Keep-Alive":"300",
+        "Connection":"keep-alive",
+        "Cookie":"PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
+        "Pragma":"no-cache",
+        "Cache-Control":"no-cache"
+      },
+      "uri":"\/test.pl?param1=   test   &param2=test2",
+      "method":"GET",
+      "http_version":1.1,
+      "body":""
+    },
+    "response":{
+      "headers":{
+        "Content-Type":"text\/xml; charset=utf-8\n\r",
+        "Content-Length":"length\n\r"
+      }
+    },
+    "expected":{
+      "audit_log":"",
+      "debug_log":"Running script... test-cases/data/match.lua",
+      "error_log":""
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule REQUEST_HEADERS:Cookie \"@contains PHPSESSID\" \"id:1,exec:test-cases/data/match.lua\""
+    ]
+  }
+]
+