github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 05:45:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

Adds initial support to drop action

Browse Source
This commit is contained in:
Felipe Zimmerle 2018-12-24 16:35:41 -03:00
parent ba4273b8ec
commit d00ea5111d
No known key found for this signature in database
GPG Key ID: E6DFB08CE8B11277
10 changed files with 4076 additions and 3908 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@ -1,6 +1,8 @@
v3.0.4 - YYYY-MMM-DD (to be released) v3.0.4 - YYYY-MMM-DD (to be released)
------------------------------------- -------------------------------------
- Adds initially support to the drop action.
[@zimmerle]
- Complete merging of particular rule properties - Complete merging of particular rule properties
[Issue #1978 - @defanator] [Issue #1978 - @defanator]
- Replaces AC_CHECK_FILE with 'test -f' - Replaces AC_CHECK_FILE with 'test -f'

1
src/Makefile.am
View File

@ -121,6 +121,7 @@ ACTIONS = \
actions/ctl/request_body_access.cc\ actions/ctl/request_body_access.cc\
actions/disruptive/allow.cc \ actions/disruptive/allow.cc \
actions/disruptive/deny.cc \ actions/disruptive/deny.cc \
actions/disruptive/drop.cc \
actions/disruptive/redirect.cc \ actions/disruptive/redirect.cc \
actions/disruptive/pass.cc \ actions/disruptive/pass.cc \
actions/exec.cc \ actions/exec.cc \

52
src/actions/disruptive/drop.cc Normal file
View File

@ -0,0 +1,52 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Trustwave Holdings, Inc.
* directly using the email address security@modsecurity.org.
*
*/
#include "src/actions/disruptive/drop.h"
#include <string.h>
#include <iostream>
#include <string>
#include <cstring>
#include <memory>
#include "modsecurity/transaction.h"
namespace modsecurity {
namespace actions {
namespace disruptive {
bool Drop::evaluate(Rule *rule, Transaction *transaction,
std::shared_ptr<RuleMessage> rm) {
ms_dbg_a(transaction, 8, "Running action drop " \
"[executing deny instead of drop.]");
if (transaction->m_it.status == 200) {
transaction->m_it.status = 403;
}
transaction->m_it.disruptive = true;
intervention::freeLog(&transaction->m_it);
rm->m_isDisruptive = true;
transaction->m_it.log = strdup(
rm->log(RuleMessage::LogMessageInfo::ClientLogMessageInfo).c_str());
return true;
}
} // namespace disruptive
} // namespace actions
} // namespace modsecurity

141
src/parser/location.hh
View File

@ -1,4 +1,4 @@
// A Bison parser, made by GNU Bison 3.1. // A Bison parser, made by GNU Bison 3.2.
// Locations for Bison parsers in C++ // Locations for Bison parsers in C++
@ -38,11 +38,144 @@
#ifndef YY_YY_LOCATION_HH_INCLUDED #ifndef YY_YY_LOCATION_HH_INCLUDED
# define YY_YY_LOCATION_HH_INCLUDED # define YY_YY_LOCATION_HH_INCLUDED
# include "position.hh" # include <algorithm> // std::max
# include <iostream>
# include <string>
# ifndef YY_NULLPTR
# if defined __cplusplus
# if 201103L <= __cplusplus
# define YY_NULLPTR nullptr
# else
# define YY_NULLPTR 0
# endif
# else
# define YY_NULLPTR ((void*)0)
# endif
# endif
namespace yy { namespace yy {
#line 46 "location.hh" // location.cc:290 #line 60 "location.hh" // location.cc:339
/// Abstract a position.
class position
{
public:
/// Construct a position.
explicit position (std::string* f = YY_NULLPTR,
unsigned l = 1u,
unsigned c = 1u)
: filename (f)
, line (l)
, column (c)
{}
/// Initialization.
void initialize (std::string* fn = YY_NULLPTR,
unsigned l = 1u,
unsigned c = 1u)
{
filename = fn;
line = l;
column = c;
}
/** \name Line and Column related manipulators
** \{ */
/// (line related) Advance to the COUNT next lines.
void lines (int count = 1)
{
if (count)
{
column = 1u;
line = add_ (line, count, 1);
}
}
/// (column related) Advance to the COUNT next columns.
void columns (int count = 1)
{
column = add_ (column, count, 1);
}
/** \} */
/// File name to which this position refers.
std::string* filename;
/// Current line number.
unsigned line;
/// Current column number.
unsigned column;
private:
/// Compute max (min, lhs+rhs).
static unsigned add_ (unsigned lhs, int rhs, int min)
{
return static_cast<unsigned> (std::max (min,
static_cast<int> (lhs) + rhs));
}
};
/// Add \a width columns, in place.
inline position&
operator+= (position& res, int width)
{
res.columns (width);
return res;
}
/// Add \a width columns.
inline position
operator+ (position res, int width)
{
return res += width;
}
/// Subtract \a width columns, in place.
inline position&
operator-= (position& res, int width)
{
return res += -width;
}
/// Subtract \a width columns.
inline position
operator- (position res, int width)
{
return res -= width;
}
/// Compare two position objects.
inline bool
operator== (const position& pos1, const position& pos2)
{
return (pos1.line == pos2.line
&& pos1.column == pos2.column
&& (pos1.filename == pos2.filename
|| (pos1.filename && pos2.filename
&& *pos1.filename == *pos2.filename)));
}
/// Compare two position objects.
inline bool
operator!= (const position& pos1, const position& pos2)
{
return !(pos1 == pos2);
}
/** \brief Intercept output stream redirection.
** \param ostr the destination output stream
** \param pos a reference to the position to redirect
*/
template <typename YYChar>
std::basic_ostream<YYChar>&
operator<< (std::basic_ostream<YYChar>& ostr, const position& pos)
{
if (pos.filename)
ostr << *pos.filename << ':';
return ostr << pos.line << '.' << pos.column;
}
/// Abstract a location. /// Abstract a location.
class location class location
{ {
@ -185,5 +318,5 @@ namespace yy {
} // yy } // yy
#line 189 "location.hh" // location.cc:290 #line 322 "location.hh" // location.cc:339
#endif // !YY_YY_LOCATION_HH_INCLUDED #endif // !YY_YY_LOCATION_HH_INCLUDED

184
src/parser/position.hh
View File

@ -1,177 +1,11 @@
// A Bison parser, made by GNU Bison 3.1. // A Bison parser, made by GNU Bison 3.2.
// Positions for Bison parsers in C++ // Starting with Bison 3.2, this file is useless: the structure it
// used to define is now defined in "location.hh".
//
// To get rid of this file:
// 1. add 'require "3.2"' (or newer) to your grammar file
// 2. remove references to this file from your build system
// 3. if you used to include it, include "location.hh" instead.
// Copyright (C) 2002-2015, 2018 Free Software Foundation, Inc. #include "location.hh"
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
// As a special exception, you may create a larger work that contains
// part or all of the Bison parser skeleton and distribute that work
// under terms of your choice, so long as that work isn't itself a
// parser generator using the skeleton or a modified version thereof
// as a parser skeleton. Alternatively, if you modify or redistribute
// the parser skeleton itself, you may (at your option) remove this
// special exception, which will cause the skeleton and the resulting
// Bison output files to be licensed under the GNU General Public
// License without this special exception.
// This special exception was added by the Free Software Foundation in
// version 2.2 of Bison.
/**
** \file position.hh
** Define the yy::position class.
*/
#ifndef YY_YY_POSITION_HH_INCLUDED
# define YY_YY_POSITION_HH_INCLUDED
# include <algorithm> // std::max
# include <iostream>
# include <string>
# ifndef YY_NULLPTR
# if defined __cplusplus && 201103L <= __cplusplus
# define YY_NULLPTR nullptr
# else
# define YY_NULLPTR 0
# endif
# endif
namespace yy {
#line 56 "position.hh" // location.cc:290
/// Abstract a position.
class position
{
public:
/// Construct a position.
explicit position (std::string* f = YY_NULLPTR,
unsigned l = 1u,
unsigned c = 1u)
: filename (f)
, line (l)
, column (c)
{}
/// Initialization.
void initialize (std::string* fn = YY_NULLPTR,
unsigned l = 1u,
unsigned c = 1u)
{
filename = fn;
line = l;
column = c;
}
/** \name Line and Column related manipulators
** \{ */
/// (line related) Advance to the COUNT next lines.
void lines (int count = 1)
{
if (count)
{
column = 1u;
line = add_ (line, count, 1);
}
}
/// (column related) Advance to the COUNT next columns.
void columns (int count = 1)
{
column = add_ (column, count, 1);
}
/** \} */
/// File name to which this position refers.
std::string* filename;
/// Current line number.
unsigned line;
/// Current column number.
unsigned column;
private:
/// Compute max(min, lhs+rhs).
static unsigned add_ (unsigned lhs, int rhs, int min)
{
return static_cast<unsigned>(std::max(min, static_cast<int>(lhs) + rhs));
}
};
/// Add \a width columns, in place.
inline position&
operator+= (position& res, int width)
{
res.columns (width);
return res;
}
/// Add \a width columns.
inline position
operator+ (position res, int width)
{
return res += width;
}
/// Subtract \a width columns, in place.
inline position&
operator-= (position& res, int width)
{
return res += -width;
}
/// Subtract \a width columns.
inline position
operator- (position res, int width)
{
return res -= width;
}
/// Compare two position objects.
inline bool
operator== (const position& pos1, const position& pos2)
{
return (pos1.line == pos2.line
&& pos1.column == pos2.column
&& (pos1.filename == pos2.filename
|| (pos1.filename && pos2.filename
&& *pos1.filename == *pos2.filename)));
}
/// Compare two position objects.
inline bool
operator!= (const position& pos1, const position& pos2)
{
return !(pos1 == pos2);
}
/** \brief Intercept output stream redirection.
** \param ostr the destination output stream
** \param pos a reference to the position to redirect
*/
template <typename YYChar>
std::basic_ostream<YYChar>&
operator<< (std::basic_ostream<YYChar>& ostr, const position& pos)
{
if (pos.filename)
ostr << *pos.filename << ':';
return ostr << pos.line << '.' << pos.column;
}
} // yy
#line 177 "position.hh" // location.cc:290
#endif // !YY_YY_POSITION_HH_INCLUDED

2384
src/parser/seclang-parser.cc
View File

File diff suppressed because it is too large Load Diff

5037
src/parser/seclang-parser.hh
View File

File diff suppressed because it is too large Load Diff

4
src/parser/seclang-parser.yy
View File

@ -37,6 +37,7 @@ class Driver;
#include "src/actions/data/status.h" #include "src/actions/data/status.h"
#include "src/actions/disruptive/allow.h" #include "src/actions/disruptive/allow.h"
#include "src/actions/disruptive/deny.h" #include "src/actions/disruptive/deny.h"
#include "src/actions/disruptive/drop.h"
#include "src/actions/disruptive/pass.h" #include "src/actions/disruptive/pass.h"
#include "src/actions/disruptive/redirect.h" #include "src/actions/disruptive/redirect.h"
#include "src/actions/init_col.h" #include "src/actions/init_col.h"
@ -2707,8 +2708,7 @@ act:
} }
| ACTION_DROP | ACTION_DROP
{ {
//ACTION_NOT_SUPPORTED("Drop", @0); ACTION_CONTAINER($$, new actions::disruptive::Drop($1));
ACTION_CONTAINER($$, new actions::Action($1));
} }
| ACTION_EXEC | ACTION_EXEC
{ {

163
src/parser/stack.hh
View File

@ -1,157 +1,8 @@
// A Bison parser, made by GNU Bison 3.1. // A Bison parser, made by GNU Bison 3.2.
// Stack handling for Bison parsers in C++ // Starting with Bison 3.2, this file is useless: the structure it
// used to define is now defined with the parser itself.
// Copyright (C) 2002-2015, 2018 Free Software Foundation, Inc. //
// To get rid of this file:
// This program is free software: you can redistribute it and/or modify // 1. add 'require "3.2"' (or newer) to your grammar file
// it under the terms of the GNU General Public License as published by // 2. remove references to this file from your build system.
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
// As a special exception, you may create a larger work that contains
// part or all of the Bison parser skeleton and distribute that work
// under terms of your choice, so long as that work isn't itself a
// parser generator using the skeleton or a modified version thereof
// as a parser skeleton. Alternatively, if you modify or redistribute
// the parser skeleton itself, you may (at your option) remove this
// special exception, which will cause the skeleton and the resulting
// Bison output files to be licensed under the GNU General Public
// License without this special exception.
// This special exception was added by the Free Software Foundation in
// version 2.2 of Bison.
/**
** \file stack.hh
** Define the yy::stack class.
*/
#ifndef YY_YY_STACK_HH_INCLUDED
# define YY_YY_STACK_HH_INCLUDED
# include <vector>
namespace yy {
#line 46 "stack.hh" // stack.hh:132
/// A stack with random access from its top.
template <class T, class S = std::vector<T> >
class stack
{
public:
// Hide our reversed order.
typedef typename S::reverse_iterator iterator;
typedef typename S::const_reverse_iterator const_iterator;
typedef typename S::size_type size_type;
stack ()
{
seq_.reserve (200);
}
stack (size_type n)
: seq_ (n)
{}
/// Random access.
///
/// Index 0 returns the topmost element.
T&
operator[] (size_type i)
{
return seq_[seq_.size () - 1 - i];
}
/// Random access.
///
/// Index 0 returns the topmost element.
const T&
operator[] (size_type i) const
{
return seq_[seq_.size () - 1 - i];
}
/// Steal the contents of \a t.
///
/// Close to move-semantics.
void
push (T& t)
{
seq_.push_back (T());
operator[](0).move (t);
}
void
pop (size_type n = 1)
{
for (; n; --n)
seq_.pop_back ();
}
void
clear ()
{
seq_.clear ();
}
size_type
size () const
{
return seq_.size ();
}
const_iterator
begin () const
{
return seq_.rbegin ();
}
const_iterator
end () const
{
return seq_.rend ();
}
private:
stack (const stack&);
stack& operator= (const stack&);
/// The wrapped container.
S seq_;
};
/// Present a slice of the top of a stack.
template <class T, class S = stack<T> >
class slice
{
public:
typedef typename S::size_type size_type;
slice (const S& stack, size_type range)
: stack_ (stack)
, range_ (range)
{}
const T&
operator[] (size_type i) const
{
return stack_[range_ - i];
}
private:
const S& stack_;
size_type range_;
};
} // yy
#line 156 "stack.hh" // stack.hh:132
#endif // !YY_YY_STACK_HH_INCLUDED

12
test/test-cases/regression/action-disruptive.json
View File

@ -64,5 +64,17 @@
"SecDefaultAction \"phase:2,deny,status:404\"", "SecDefaultAction \"phase:2,deny,status:404\"",
"SecAction \"id:'1',phase:request,nolog,pass,t:none\"" "SecAction \"id:'1',phase:request,nolog,pass,t:none\""
] ]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing Disruptive actions (6/n)",
"expected":{
"http_code":403
},
"rules":[
"SecRuleEngine On",
"SecAction \"id:'1',phase:request,drop,nolog,t:none\""
]
} }
] ]