Martin Vierula
b8e1aedef3
Fix: Lua scripts cannot read whole collection at once
2023-06-13 06:41:40 -07:00
Martin Vierula
938707d117
Fix: quoted Include config with wildcard
2023-05-30 09:32:07 -07:00
martinhsv
09a135baab
Merge pull request #2736 from brandonpayton/add-regex-match-limits-and-error-reporting
Add isolated PCRE match limits as a layer of ReDoS defense
2023-05-09 06:09:28 -07:00
Marios Levogiannis
12add9aef0
Fix meta-actions not being applied if multiMatch is enabled in the chain starter rule
Meta-actions can only be used in non-chained rules or in the chain starter
rule of a rule chain. The m_chainedRuleParent member of the RuleWithActions
class is NULL only if the rule is not chained or if it is the chain starter
rule of a rule chain.
Fixes #2867.
2023-04-27 19:43:01 +03:00
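The chain semantics described in the commit body above (meta-actions honoured only on a non-chained rule or on the chain starter, applied once at the end of the chain), shown as an added example in ModSecurity rule syntax. This is illustrative configuration written for this page, not rules from the ModSecurity repository; the rule ids, the SQLi pattern and the POST-only condition are assumptions chosen for the example.

```apacheconf
# Correct placement: the chain starter carries the disruptive action and all
# meta-actions (msg, tag, severity). multiMatch on the starter makes the operator
# run against the value before and after each transformation; since 12add9aef0
# the meta-actions are still applied when the chain completes.
SecRule ARGS "@rx (?i)union\s+select" \
    "id:1001,phase:2,t:none,t:urlDecodeUni,multiMatch,chain,log,deny,msg:'SQLi pattern in argument of a POST request',tag:'sqli',severity:'CRITICAL'"
    SecRule REQUEST_METHOD "@streq POST" "t:none"

# Misplacement to avoid: msg and tag on the second link of the chain. A chained
# (non-starter) rule is not a place for meta-actions, so the audit log entry for
# a match of this chain carries no msg or tag. Keep them on the starter (id:1001
# above) instead.
SecRule ARGS "@rx (?i)union\s+select" \
    "id:1002,phase:2,t:none,t:urlDecodeUni,chain,log,deny"
    SecRule REQUEST_METHOD "@streq POST" "t:none,msg:'not applied here',tag:'not-applied'"
```

To check the behaviour, send a POST with an argument such as `q=1 UNION SELECT 1` against a test deployment and compare the audit log entries for rules 1001 and 1002: only the first should show the `msg` and `tag` fields.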
martinhsv
5b709d9da7
Merge pull request #2866 from grnet/v3/fix-multimatch-tags
Fix tags not being populated in audit log when multiMatch is enabled
2023-04-25 07:45:41 -07:00
Brandon Payton
d875738bdb
Add PCRE error tests for rx operator
2023-04-11 13:47:04 -04:00
Ervin Hegedüs
18adbb6fd3
Merge branch 'v3/master' of https://github.com/SpiderLabs/ModSecurity into v3/multipartpartheaderfix
2023-02-18 15:24:11 +01:00
Ervin Hegedüs
0a296af375
Add regression test case
2023-01-28 21:50:00 +01:00
Marios Levogiannis
d3a6b6a6fd
Fix tags not being populated in audit log when multiMatch is enabled
Fixes #2754.
2023-01-20 13:15:28 +02:00
Martin Vierula
ec1232a69b
Support equals sign in XPath expressions
2023-01-19 08:37:38 -08:00
Martin Vierula
62ec4edc42
Regression tests: remove dependency on modsecurity.org
2023-01-17 09:04:46 -08:00
Ervin Hegedüs
aa44c7b726
Fix FILES_TMP_CONTENT collection key naming mechanism
2022-11-14 17:03:50 +01:00
Martin Vierula
47fe75de32
Fix tests to match previous typo fix
2022-09-18 11:28:58 -07:00
Martin Vierula
622eb9e6c8
Adjust parser activation rules in modsecurity.conf-recommended
2022-09-07 08:49:56 -07:00
Martin Vierula
fa6e41857d
Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
2022-09-07 06:29:20 -07:00
Martin Vierula
6e56950cdf
Tolerate other parameters after boundary in multipart C-T
2022-04-26 11:17:46 -07:00
Martin Vierula
1aa7616c18
Add DebugLog message for bad pattern in rx operator
2022-04-21 11:16:01 -07:00
Martin Vierula
4c526fc218
Support SecRequestBodyNoFilesLimit
2022-02-15 14:53:34 -08:00
martinhsv
2cde1933a7
Merge pull request #2680 from SpiderLabs/v3/dev/issue_2606_a
Add ctl:auditengine action support
2022-01-26 15:53:53 -05:00
Martin Vierula
2d51efae49
Add ctl:auditengine action support
2022-01-20 14:04:30 -08:00
Martin Vierula
3ee6e108d6
Fix multiMatch msg, etc, population in audit log
2022-01-14 09:25:07 -08:00
Martin Vierula
1a965a49ad
Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
2022-01-04 11:47:18 -08:00
Martin Vierula
f34b49f666
Multipart names may include single quote if double-quote enclosed
2021-12-23 08:02:43 -08:00
Martin Vierula
ac79c1c29b
Support configurable limit on depth of JSON parsing
2021-11-15 18:51:25 -08:00
martinhsv
cd5fba8974
Handle URI received with uri-fragment
2021-07-05 14:51:21 -03:00
martinhsv
65e7e474b1
fix missing parentheses in filename* parsing
2021-05-11 13:46:50 -07:00
martinhsv
fbea73120c
Fix: FILES variable does not use multipart part name for key
2021-01-24 15:06:30 -03:00
Felipe Zimmerle
f1f2527c03
Using setenv instead of putenv on SetEnv action
2021-01-24 14:59:59 -03:00
Felipe Zimmerle
e8bd2151f2
Having _NAMES variables proxied
Some variables share content with others; that is the case
for ARGS and ARGS_NAMES. Those are different in value, as
ARGS_NAMES holds the key name as value.
Instead of duplicating the strings for the different
collections, this patch unifies the collection in radix,
avoiding memory fragmentation. It is currently doing some
fragmentation while resolving the variable, but that is to be
mitigated by shared_ptr in VariableValues, a different
change.
TODO: place other variables such as COOKIE*NAMES to use
the same proxy.
2021-01-24 11:30:22 -03:00
Felipe Zimmerle
f18595f428
Makes regular expression selection on collections key case insensitive
This issue was initially reported by @michaelgranzow-avi on #2296.
@airween made an initial attempt to provide a fix at #2107; as a
consequence of the pull request review - provided by @victorhora,
@zimmerle, and @michaelgranzow-avi - @airween made a second attempt
at #2297. After review by @martinhsv and @zimmerle, I have absorbed
the essential pieces from @airween's patch into this one.
This patch differs from @airween's because @airween's patches were
partially working: key exclusions with regex weren't covered, same
for anchored variables (e.g. ARGS). During the review, I
highlighted the importance of having elementary test cases. A simple
test case on ARGS could have spotted the issue. Since this is an important
fix, I don't want to hold it for one more review cycle; therefore,
I am committing the fix myself.
Thank you to all involved in the solution of this very issue.
2020-12-10 10:05:07 -03:00
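Regex selection of collection keys, as changed by the two commits above (e8bd2151f2 makes ARGS_NAMES a proxy view whose values are the ARGS key names; f18595f428 makes the key regex, including regex-based exclusions, case-insensitive), shown as an added example in ModSecurity rule syntax. These rules are written for this page and are not part of the ModSecurity repository or the Core Rule Set; the rule ids, parameter names and patterns are assumptions.

```apacheconf
# Inspect only the values of parameters whose name starts with "user". With
# f18595f428 the key regex is matched case-insensitively, so username, USERNAME
# and UserId are all selected; before it, only lowercase names matched.
SecRule ARGS:/^user/ "@rx <script" \
    "id:1003,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,log,deny,msg:'Script tag in user* parameter'"

# The same selection applied to the names collection. ARGS_NAMES holds the key
# name as its value (e8bd2151f2), so this inspects the parameter names themselves,
# here flagging a user* parameter whose name contains anything but [a-z0-9_].
SecRule ARGS_NAMES:/^user/ "@rx [^a-z0-9_]" \
    "id:1004,phase:2,t:none,t:lowercase,log,deny,msg:'Unexpected character in user* parameter name'"

# Regex-based target exclusion, which f18595f428 also made case-insensitive:
# stop rule 1003 from inspecting user_bio (or USER_BIO, User_Bio, ...), a
# free-text field assumed to be validated elsewhere.
SecRuleUpdateTargetById 1003 "!ARGS:/^user_bio$/"
```

A quick regression check for a deployment is a request carrying `USERNAME=<script>` (should hit 1003), `User_Bio=<script>` (should not, because of the exclusion) and a parameter named `user-id` (should hit 1004).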
martinhsv
d72be1c470
Fix: Only delete Multipart tmp files after rules have run
2020-11-04 13:50:07 -03:00
Michael Granzow
1b7aa42c77
Issue-2423: Meta-actions like 'msg' should be applied at end of chain
2020-10-29 10:33:02 -03:00
martinhsv
2672db103e
Add support for new operator rxGlobal
2020-10-26 08:55:07 -03:00
martinhsv
b9620c26a0
rx:exit after full match; fix TX population after unused group
2020-06-29 06:13:45 -07:00
martinhsv
a1547eaa32
Regression tests: audit log compare support and test cases
2020-03-31 15:01:26 -03:00
Felipe Zimmerle
7a48245aed
Creates RuleUnconditional
Makes RuleScript child of RuleWithActions instead of Operator
2020-03-31 14:44:19 -03:00
Felipe Zimmerle
43f8aee6b6
Splits Rule class into: Rule, RuleBase, RuleMarker
2020-03-30 20:21:36 -03:00
Felipe Zimmerle
9d158611cf
Makes Rule a shared pointer
2020-03-25 16:11:23 -03:00
Felipe Zimmerle
1e26bf2078
Revert "Creates the RulesSetPhases clas"
This reverts commit 072e4edc53e388fdf64a5eb9d4317544a1c8ada6.
2020-03-11 08:17:56 -03:00
Felipe Zimmerle
072e4edc53
Creates the RulesSetPhases clas
2020-03-05 07:13:02 -03:00
martinhsv
f57265a3e2
Support configurable limit on number of arguments processed
2020-02-14 11:00:01 -03:00
martinhsv
136db3e582
Multipart Content-Disposition should allow filename* field
2020-02-11 10:29:38 -03:00
martinhsv
1b1fdc055b
Fix rule-update-target exclusions for plain (non-regex) variables
2020-02-11 09:42:37 -03:00
martinhsv
0470168056
Fix: audit log data omitted when nolog,auditlog
2020-01-07 11:16:07 -03:00
martinhsv
b8160cce6b
Fix Cookie header parsing issues
2019-11-20 08:51:06 -03:00
Ervin Hegedus
7ba77631f9
Replace Cookie parsing method
2019-11-20 08:51:05 -03:00
martinhsv
9cac167faf
Fix argument key-value pair parsing cases
2019-11-05 13:06:29 -03:00
Felipe Zimmerle
beedddd6c6
Fix @pm lookup for possible matches on offset zero
2019-10-02 08:05:14 -07:00
Felipe Zimmerle
2bdc5f9d0a
Adds test case to cover issue #2005
2019-06-18 15:10:43 -03:00
Felipe Zimmerle
6ab464ab78
negative lookup on the key name instead of COLLECTION:key
2019-06-17 13:04:25 -03:00