Adds support to SecRuleRemoveByMsg

src/parser/seclang-parser.yy

@@ -567,6 +567,7 @@ using modsecurity::operators::Operator;
   CONFIG_SEC_HTTP_BLKEY                        "CONFIG_SEC_HTTP_BLKEY"
   CONFIG_SEC_REMOTE_RULES_FAIL_ACTION          "CONFIG_SEC_REMOTE_RULES_FAIL_ACTION"
   CONFIG_SEC_RULE_REMOVE_BY_ID                 "CONFIG_SEC_RULE_REMOVE_BY_ID"
+  CONFIG_SEC_RULE_REMOVE_BY_MSG                "CONFIG_SEC_RULE_REMOVE_BY_MSG"
   CONFIG_SEC_RULE_UPDATE_TARGET_BY_TAG         "CONFIG_SEC_RULE_UPDATE_TARGET_BY_TAG"
   CONFIG_SEC_RULE_UPDATE_TARGET_BY_ID          "CONFIG_SEC_RULE_UPDATE_TARGET_BY_ID"
   CONFIG_UPDLOAD_KEEP_FILES                    "CONFIG_UPDLOAD_KEEP_FILES"
@@ -1212,6 +1213,19 @@ expression:
             YYERROR;
         }
       }
+    | CONFIG_SEC_RULE_REMOVE_BY_MSG
+      {
+        std::string error;
+        if (driver.m_exceptions.loadRemoveRuleByMsg($1, &error) == false) {
+            std::stringstream ss;
+            ss << "SecRuleRemoveByMsg: failed to load:";
+            ss << $1;
+            ss << ". ";
+            ss << error;
+            driver.error(@0, ss.str());
+            YYERROR;
+        }
+      }
     | CONFIG_SEC_RULE_UPDATE_TARGET_BY_TAG variables
       {
         std::string error;

src/parser/seclang-scanner.ll

@@ -294,6 +294,7 @@ CONFIG_SEC_HTTP_BLKEY                   (?i:SecHttpBlKey)
 CONFIG_SEC_REMOTE_RULES                 (?i:SecRemoteRules)
 CONFIG_SEC_REMOTE_RULES_FAIL_ACTION     (?i:SecRemoteRulesFailAction)
 CONFIG_SEC_REMOVE_RULES_BY_ID           (?i:SecRuleRemoveById)
+CONFIG_SEC_REMOVE_RULES_BY_MSG          (?i:SecRuleRemoveByMsg)
 CONFIG_SEC_UPDATE_TARGET_BY_TAG         (?i:SecRuleUpdateTargetByTag)
 CONFIG_SEC_UPDATE_TARGET_BY_ID          (?i:SecRuleUpdateTargetById)
 CONFIG_UPDLOAD_KEEP_FILES               (?i:SecUploadKeepFiles)
@@ -611,6 +612,8 @@ EQUALS_MINUS                            (?i:=\-)
 {CONFIG_DIR_SEC_MARKER}[ \t]+{NEW_LINE_FREE_TEXT}                       { return p::make_CONFIG_DIR_SEC_MARKER(strchr(yytext, ' ') + 1, *driver.loc.back()); }
 {CONFIG_DIR_UNICODE_MAP_FILE}[ ]{FREE_TEXT_NEW_LINE}                    { return p::make_CONFIG_DIR_UNICODE_MAP_FILE(strchr(yytext, ' ') + 1, *driver.loc.back()); }
 {CONFIG_SEC_REMOVE_RULES_BY_ID}[ ]+{FREE_TEXT_NEW_LINE}                 { return p::make_CONFIG_SEC_RULE_REMOVE_BY_ID(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
+{CONFIG_SEC_REMOVE_RULES_BY_MSG}[ \t]+{FREE_TEXT_NEW_LINE}              { return p::make_CONFIG_SEC_RULE_REMOVE_BY_MSG(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
+{CONFIG_SEC_REMOVE_RULES_BY_MSG}[ \t]+["]{FREE_TEXT_NEW_LINE}["]        { return p::make_CONFIG_SEC_RULE_REMOVE_BY_MSG(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
 {CONFIG_SEC_UPDATE_TARGET_BY_TAG}[ ]+["]{FREE_TEXT_NEW_LINE}["]         { state_variable_from = 1; BEGIN(TRANSACTION_TO_VARIABLE); return p::make_CONFIG_SEC_RULE_UPDATE_TARGET_BY_TAG(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
 {CONFIG_SEC_UPDATE_TARGET_BY_TAG}[ ]+{FREE_TEXT_SPACE_COMMA_QUOTE}      { state_variable_from = 1; BEGIN(TRANSACTION_TO_VARIABLE); return p::make_CONFIG_SEC_RULE_UPDATE_TARGET_BY_TAG(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
 {CONFIG_SEC_UPDATE_TARGET_BY_ID}[ ]+["]{FREE_TEXT_NEW_LINE}["]          { state_variable_from = 1; BEGIN(TRANSACTION_TO_VARIABLE); return p::make_CONFIG_SEC_RULE_UPDATE_TARGET_BY_ID(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }

src/rule.cc

@@ -850,4 +850,15 @@ bool Rule::containsTag(const std::string& name, Transaction *t) {
 }
 
 
+bool Rule::containsMsg(const std::string& name, Transaction *t) {
+    for (auto &z : this->m_actionsRuntimePos) {
+        actions::Msg *msg = dynamic_cast<actions::Msg *> (z);
+        if (msg != NULL && msg->data(t) == name) {
+            return true;
+        }
+    }
+    return false;
+}
+
+
 }  // namespace modsecurity

src/rules.cc

@@ -208,6 +208,13 @@ int Rules::evaluate(int phase, Transaction *transaction) {
         } else if (m_exceptions.contains(rule->m_ruleId)) {
             debug(9, "Skipped rule id '" + std::to_string(rule->m_ruleId) \
                 + "'. Removed by an SecRuleRemove directive.");
+        } else if (m_exceptions.m_remove_rule_by_msg.empty() == false) {
+            for (auto &z : m_exceptions.m_remove_rule_by_msg) {
+                if (rule->containsMsg(z, transaction) == true) {
+                    debug(9, "Skipped rule id '" + std::to_string(rule->m_ruleId) \
+                        + "'. Removed by a SecRuleRemoveByMsg directive.");
+                }
+            }
         } else {
             rule->evaluate(transaction, NULL);
             if (transaction->m_it.disruptive == true) {

src/rules_exceptions.cc

@@ -31,6 +31,14 @@ RulesExceptions::~RulesExceptions() {
 }
 
 
+bool RulesExceptions::loadRemoveRuleByMsg(const std::string &msg,
+    std::string *error) {
+    m_remove_rule_by_msg.push_back(msg);
+
+    return true;
+}
+
+
 bool RulesExceptions::loadUpdateTargetByTag(const std::string &tag,
     std::unique_ptr<std::vector<std::unique_ptr<Variables::Variable> > > var,
     std::string *error) {
@@ -42,6 +50,7 @@ bool RulesExceptions::loadUpdateTargetByTag(const std::string &tag,
     return true;
 }
 
+
 bool RulesExceptions::loadUpdateTargetById(double id,
     std::unique_ptr<std::vector<std::unique_ptr<Variables::Variable> > > var,
     std::string *error) {
@@ -53,6 +62,7 @@ bool RulesExceptions::loadUpdateTargetById(double id,
     return true;
 }
 
+
 bool RulesExceptions::load(const std::string &a, std::string *error) {
     bool added = false;
     std::vector<std::string> toRemove = utils::string::ssplit(a, ' ');
@@ -161,6 +171,10 @@ bool RulesExceptions::merge(RulesExceptions& from) {
         m_variable_update_target_by_id.emplace(std::pair<double, std::unique_ptr<Variables::Variable>>(p.first, std::move(p.second)));
     }
 
+    for (auto &p : from.m_remove_rule_by_msg) {
+        m_remove_rule_by_msg.push_back(p);
+    }
+
     return true;
 }