Adds support for SecRuleRemoveByTag

2025-08-13 13:26:01 +03:00 · 2017-11-07 14:51:38 -03:00 · 2017-11-07 14:51:38 -03:00 · ec667a4609
commit ec667a4609
parent 381cf8ac21
12 changed files with 5509 additions and 5229 deletions
--- a/4
+++ b/4
@ -1,7 +1,9 @@

 v3.0.????? - ?
 ---------------------------
-
+ 
+ - Adds support for SecRuleRemoveByTag.
+   [Issue #1476 - @zimmerle, @victorhora]
 - Adds support for update target by message.
   [Issue #1474 - @zimmerle, @victorhora]
 - Adds support to SecRuleScript directive.
--- a/Makefile.am
+++ b/Makefile.am
@ -290,4 +290,5 @@ TESTS+=test/test-cases/regression/operator-inpectFile.json
 TESTS+=test/test-cases/regression/action-exec.json
 TESTS+=test/test-cases/regression/directive-sec_rule_script.json
 TESTS+=test/test-cases/regression/config-update-target-by-msg.json
+TESTS+=test/test-cases/regression/config-remove_by_msg.json

--- a/headers/modsecurity/rules_exceptions.h
+++ b/headers/modsecurity/rules_exceptions.h
@ -51,6 +51,7 @@ class RulesExceptions {
    bool merge(RulesExceptions& from);

    bool loadRemoveRuleByMsg(const std::string &msg, std::string *error);
+    bool loadRemoveRuleByTag(const std::string &msg, std::string *error);

    bool loadUpdateTargetByMsg(const std::string &msg,
        std::unique_ptr<std::vector<std::unique_ptr<Variables::Variable> > > var,
@ -68,6 +69,7 @@ class RulesExceptions {
    std::unordered_multimap<std::shared_ptr<std::string>, std::unique_ptr<Variables::Variable>> m_variable_update_target_by_msg;
    std::unordered_multimap<double, std::unique_ptr<Variables::Variable>> m_variable_update_target_by_id;
    std::list<std::string> m_remove_rule_by_msg;
+    std::list<std::string> m_remove_rule_by_tag;

 private:
    std::list<std::pair<int, int> > m_ranges;
--- a/src/parser/seclang-parser.cc
+++ b/src/parser/seclang-parser.cc
--- a/src/parser/seclang-parser.hh
+++ b/src/parser/seclang-parser.hh
--- a/src/parser/seclang-parser.yy
+++ b/src/parser/seclang-parser.yy
@ -574,6 +574,7 @@ using modsecurity::operators::Operator;
  CONFIG_SEC_REMOTE_RULES_FAIL_ACTION          "CONFIG_SEC_REMOTE_RULES_FAIL_ACTION"
  CONFIG_SEC_RULE_REMOVE_BY_ID                 "CONFIG_SEC_RULE_REMOVE_BY_ID"
  CONFIG_SEC_RULE_REMOVE_BY_MSG                "CONFIG_SEC_RULE_REMOVE_BY_MSG"
+  CONFIG_SEC_RULE_REMOVE_BY_TAG                "CONFIG_SEC_RULE_REMOVE_BY_TAG"
  CONFIG_SEC_RULE_UPDATE_TARGET_BY_TAG         "CONFIG_SEC_RULE_UPDATE_TARGET_BY_TAG"
  CONFIG_SEC_RULE_UPDATE_TARGET_BY_MSG         "CONFIG_SEC_RULE_UPDATE_TARGET_BY_MSG"
  CONFIG_SEC_RULE_UPDATE_TARGET_BY_ID          "CONFIG_SEC_RULE_UPDATE_TARGET_BY_ID"
@ -1264,6 +1265,19 @@ expression:
            YYERROR;
        }
      }
+    | CONFIG_SEC_RULE_REMOVE_BY_TAG
+      {
+        std::string error;
+        if (driver.m_exceptions.loadRemoveRuleByTag($1, &error) == false) {
+            std::stringstream ss;
+            ss << "SecRuleRemoveByTag: failed to load:";
+            ss << $1;
+            ss << ". ";
+            ss << error;
+            driver.error(@0, ss.str());
+            YYERROR;
+        }
+      }
    | CONFIG_SEC_RULE_REMOVE_BY_MSG
      {
        std::string error;
--- a/src/parser/seclang-scanner.cc
+++ b/src/parser/seclang-scanner.cc
--- a/src/parser/seclang-scanner.ll
+++ b/src/parser/seclang-scanner.ll
@ -296,6 +296,7 @@ CONFIG_SEC_REMOTE_RULES                 (?i:SecRemoteRules)
 CONFIG_SEC_REMOTE_RULES_FAIL_ACTION     (?i:SecRemoteRulesFailAction)
 CONFIG_SEC_REMOVE_RULES_BY_ID           (?i:SecRuleRemoveById)
 CONFIG_SEC_REMOVE_RULES_BY_MSG          (?i:SecRuleRemoveByMsg)
+CONFIG_SEC_REMOVE_RULES_BY_TAG          (?i:SecRuleRemoveByTag)
 CONFIG_SEC_UPDATE_TARGET_BY_TAG         (?i:SecRuleUpdateTargetByTag)
 CONFIG_SEC_UPDATE_TARGET_BY_MSG         (?i:SecRuleUpdateTargetByMsg)
 CONFIG_SEC_UPDATE_TARGET_BY_ID          (?i:SecRuleUpdateTargetById)
@ -630,6 +631,9 @@ EQUALS_MINUS                            (?i:=\-)
 {CONFIG_SEC_REMOVE_RULES_BY_ID}[ ]+{FREE_TEXT_NEW_LINE}                 { return p::make_CONFIG_SEC_RULE_REMOVE_BY_ID(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
 {CONFIG_SEC_REMOVE_RULES_BY_MSG}[ \t]+{FREE_TEXT_NEW_LINE}              { return p::make_CONFIG_SEC_RULE_REMOVE_BY_MSG(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
 {CONFIG_SEC_REMOVE_RULES_BY_MSG}[ \t]+["]{FREE_TEXT_NEW_LINE}["]        { return p::make_CONFIG_SEC_RULE_REMOVE_BY_MSG(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
+{CONFIG_SEC_REMOVE_RULES_BY_TAG}[ \t]+{FREE_TEXT_NEW_LINE}              { return p::make_CONFIG_SEC_RULE_REMOVE_BY_TAG(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
+{CONFIG_SEC_REMOVE_RULES_BY_TAG}[ \t]+["]{FREE_TEXT_NEW_LINE}["]        { return 
+p::make_CONFIG_SEC_RULE_REMOVE_BY_TAG(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
 {CONFIG_SEC_UPDATE_TARGET_BY_TAG}[ ]+["]{FREE_TEXT_NEW_LINE}["]         { state_variable_from = 1; BEGIN(TRANSACTION_TO_VARIABLE); return p::make_CONFIG_SEC_RULE_UPDATE_TARGET_BY_TAG(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
 {CONFIG_SEC_UPDATE_TARGET_BY_TAG}[ ]+{FREE_TEXT_SPACE_COMMA_QUOTE}      { state_variable_from = 1; BEGIN(TRANSACTION_TO_VARIABLE); return p::make_CONFIG_SEC_RULE_UPDATE_TARGET_BY_TAG(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
 {CONFIG_SEC_UPDATE_TARGET_BY_MSG}[ ]+["]{FREE_TEXT_NEW_LINE}["]         { state_variable_from = 1; BEGIN(TRANSACTION_TO_VARIABLE); return p::make_CONFIG_SEC_RULE_UPDATE_TARGET_BY_MSG(parserSanitizer(strchr(yytext, ' ') + 1), *driver.loc.back()); }
--- a/src/rules.cc
+++ b/src/rules.cc
@ -202,14 +202,27 @@ int Rules::evaluate(int phase, Transaction *transaction) {
        } else if (m_exceptions.contains(rule->m_ruleId)) {
            debug(9, "Skipped rule id '" + std::to_string(rule->m_ruleId) \
                + "'. Removed by an SecRuleRemove directive.");
-        } else if (m_exceptions.m_remove_rule_by_msg.empty() == false) {
-            for (auto &z : m_exceptions.m_remove_rule_by_msg) {
-                if (rule->containsMsg(z, transaction) == true) {
-                    debug(9, "Skipped rule id '" + std::to_string(rule->m_ruleId) \
-                        + "'. Removed by a SecRuleRemoveByMsg directive.");
+        } else {
+            if (m_exceptions.m_remove_rule_by_msg.empty() == false) {
+                for (auto &z : m_exceptions.m_remove_rule_by_msg) {
+                    if (rule->containsMsg(z, transaction) == true) {
+                        debug(9, "Skipped rule id '" + std::to_string(rule->m_ruleId) \
+                            + "'. Removed by a SecRuleRemoveByMsg directive.");
+                        return 1;
+                    }
                }
            }
-        } else {
+
+            if (m_exceptions.m_remove_rule_by_tag.empty() == false) {
+                for (auto &z : m_exceptions.m_remove_rule_by_tag) {
+                    if (rule->containsTag(z, transaction) == true) {
+                        debug(9, "Skipped rule id '" + std::to_string(rule->m_ruleId) \
+                            + "'. Removed by a SecRuleRemoveByTag directive.");
+                        return 1;
+                    }
+                }
+            }
+
            rule->evaluate(transaction, NULL);
            if (transaction->m_it.disruptive == true) {
                debug(8, "Skipping this phase as this " \
--- a/src/rules_exceptions.cc
+++ b/src/rules_exceptions.cc
@ -39,6 +39,14 @@ bool RulesExceptions::loadRemoveRuleByMsg(const std::string &msg,
 }


+bool RulesExceptions::loadRemoveRuleByTag(const std::string &msg,
+    std::string *error) {
+    m_remove_rule_by_tag.push_back(msg);
+
+    return true;
+}
+
+
 bool RulesExceptions::loadUpdateTargetByMsg(const std::string &msg,
    std::unique_ptr<std::vector<std::unique_ptr<Variables::Variable> > > var,
    std::string *error) {
@ -190,6 +198,10 @@ bool RulesExceptions::merge(RulesExceptions& from) {
        m_remove_rule_by_msg.push_back(p);
    }

+    for (auto &p : from.m_remove_rule_by_tag) {
+        m_remove_rule_by_tag.push_back(p);
+    }
+
    return true;
 }

--- a/test/test-cases/regression/config-remove_by_msg.json
+++ b/test/test-cases/regression/config-remove_by_msg.json
@ -0,0 +1,84 @@
+[
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"SecRuleRemoveByMsg (1/2)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Skipped rule id '2'. Removed by a SecRuleRemoveByMsg directive."
+    },
+    "rules":[
+      "SecRuleRemoveByMsg tag123",
+      "SecRule ARGS \"@contains test\" \"id:1,pass,t:trim\"",
+      "SecRule ARGS \"@contains test\" \"id:2,pass,t:trim,msg:'tag123'\"",
+      "SecRule ARGS \"@contains test\" \"id:3,pass,t:trim\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"SecRuleRemoveByMsg (2/2)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Skipped rule id '3'. Removed by a SecRuleRemoveByMsg directive."
+    },
+    "rules":[
+      "SecRuleRemoveByMsg whee",
+      "SecRule ARGS \"@contains test\" \"id:1,pass,t:trim\"",
+      "SecRule ARGS \"@contains test\" \"id:2,pass,t:trim\"",
+      "SecRule ARGS \"@contains test\" \"id:3,pass,t:trim,msg:'whee'\""
+    ]
+  }
+]
--- a/test/test-cases/regression/config-remove_by_tag.json
+++ b/test/test-cases/regression/config-remove_by_tag.json
@ -0,0 +1,84 @@
+[
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"SecRuleRemoveByTag (1/2)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Skipped rule id '2'. Removed by a SecRuleRemoveByTag directive"
+    },
+    "rules":[
+      "SecRuleRemoveByTag tag123",
+      "SecRule ARGS \"@contains test\" \"id:1,pass,t:trim\"",
+      "SecRule ARGS \"@contains test\" \"id:2,pass,t:trim,tag:tag123\"",
+      "SecRule ARGS \"@contains test\" \"id:3,pass,t:trim\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"SecRuleRemoveByTag (2/2)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Skipped rule id '3'. Removed by a SecRuleRemoveByTag directive."
+    },
+    "rules":[
+      "SecRuleRemoveByTag whee",
+      "SecRule ARGS \"@contains test\" \"id:1,pass,t:trim\"",
+      "SecRule ARGS \"@contains test\" \"id:2,pass,t:trim\"",
+      "SecRule ARGS \"@contains test\" \"id:3,pass,t:trim,tag:whee\""
+    ]
+  }
+]