321 Commits

Author SHA1 Message Date
Felipe Zimmerle
e8bd2151f2 Having _NAMES, variables proxied
Some variables share content with others; that is the case
for ARGS and ARGS_NAMES. Those are different in value, as
ARGS_NAMES holds the key name as value.

Instead of duplicating the strings for the different
collections, this patch unifies the collection in radix,
avoiding memory fragmentation. It is currently doing some
fragmentation while resolving the variable, but to be
mitigated by shared_ptr in VariableValues, a different
change.

TODO: place other variables such as COOKIE*NAMES to use
the same proxy.
2021-01-24 11:30:22 -03:00
Felipe Zimmerle
9b40a045bb Cosmetics: fix some cppcheck complaints to please QA 2021-01-13 13:30:04 -03:00
Felipe Zimmerle
f18595f428 Makes regular expression selection on collections key case insensitive
This issue was initially reported by @michaelgranzow-avi on #2296.

@airween made an initial attempt to provide a fix at #2107; as a
consequence of the pull request review - provided by @victorhora,
@zimmerle, and @michaelgranzow-avi - @airween made a second attempt
at #2297. After reviewing by @martinhsv, @zimmerle, I have absorbed
the essential pieces from @airween patch into this one.

This patch differs from @airween's because @airween's patches were
partially working: Key exclusions with regex weren't covered, same
for anchored variables (e.g. ARGS). During the review, I have
highlighted the importance of having elementary test cases. A simple
test case on ARGS could spot the issue. Since that is an important
fix, I don't want to hold this for one more review cycle; therefore,
I am committing the fix myself.

Thank you all involved in the solution of this very own issue.
2020-12-10 10:05:07 -03:00
martinhsv
d72be1c470 Fix: Only delete Multipart tmp files after rules have run 2020-11-04 13:50:07 -03:00
Michael Granzow
1b7aa42c77 Issue-2423: Meta-actions like 'msg' should be applied at end of chain 2020-10-29 10:33:02 -03:00
martinhsv
2672db103e Add support for new operator rxGlobal 2020-10-26 08:55:07 -03:00
Felipe Zimmerle
377fb723ca Makes lua 5.1 workable again
Issue #2389
2020-09-21 10:04:40 -03:00
martinhsv
b9620c26a0 rx:exit after full match; fix TX population after unused group 2020-06-29 06:13:45 -07:00
martinhsv
a1547eaa32 Regression tests: audit log compare support and test cases 2020-03-31 15:01:26 -03:00
Felipe Zimmerle
7a48245aed Creates RuleUnconditional
Makes RuleScript child of RuleWithActions instead of Operator
2020-03-31 14:44:19 -03:00
Felipe Zimmerle
43f8aee6b6 Splits Rule class into: Rule, RuleBase, RuleMarker 2020-03-30 20:21:36 -03:00
Felipe Zimmerle
9d158611cf Makes Rule a shared pointer 2020-03-25 16:11:23 -03:00
Felipe Zimmerle
1e26bf2078 Revert "Creates the RulesSetPhases clas"
This reverts commit 072e4edc53.
2020-03-11 08:17:56 -03:00
Felipe Zimmerle
072e4edc53 Creates the RulesSetPhases clas 2020-03-05 07:13:02 -03:00
martinhsv
f57265a3e2 Support configurable limit on number of arguments processed 2020-02-14 11:00:01 -03:00
martinhsv
136db3e582 Multipart Content-Disposition should allow filename* field 2020-02-11 10:29:38 -03:00
martinhsv
1b1fdc055b Fix rule-update-target exclusions for plain (non-regex) variables 2020-02-11 09:42:37 -03:00
martinhsv
0470168056 Fix: audit log data omitted when nolog,auditlog 2020-01-07 11:16:07 -03:00
martinhsv
b8160cce6b Fix Cookie header parsing issues 2019-11-20 08:51:06 -03:00
Ervin Hegedus
7ba77631f9 Replace Cookie parsing method 2019-11-20 08:51:05 -03:00
martinhsv
9cac167faf Fix argument key-value pair parsing cases 2019-11-05 13:06:29 -03:00
felipe
c41ab312f3 Updates test cases 2019-10-24 09:59:57 -03:00
Felipe Zimmerle
beedddd6c6 Fix @pm lookup for possible matches on offset zero 2019-10-02 08:05:14 -07:00
Felipe Zimmerle
2bdc5f9d0a Adds test case to cover issue #2005 2019-06-18 15:10:43 -03:00
Felipe Zimmerle
6ab464ab78 negative lookup on the key name instead of COLLECTION:key 2019-06-17 13:04:25 -03:00
Ervin Hegedus
c0142cf326 Changed compared variables of range id interval in ruleRemoveById ctl action. #2111
* changed the variables in clause
* added test case (@theMiddle)
* fixes #2111
2019-06-04 10:28:30 -03:00
Felipe Zimmerle
9ebebfc838 Fix test case 1960 2019-06-04 08:38:45 -03:00
Felipe Zimmerle
50abc072c4 Make block action execution dependent of the SecEngine status 2019-06-03 19:55:02 -03:00
Felipe Zimmerle
a4e8484115 Having body limits to respect the rule engine state 2019-06-03 14:05:10 -03:00
Felipe Zimmerle
20b90364fa Adds test case for #1872 2019-05-31 11:50:47 -03:00
Felipe Zimmerle
1b8d69da02 Fix dict element regular expression selection on SecRuleUpdateTargetByTag 2019-05-31 01:42:51 -03:00
Felipe Zimmerle
5472362313 Fix SecRuleUpdateTargetByTag with regular expressions 2019-05-31 01:42:47 -03:00
Ervin Hegedus
7a93bea8f7 Added some test cases related to #2099 2019-05-30 09:52:27 -03:00
Rufus125
86ce479b59 Adds new operator to check for data leakage of Austrian social security number 2019-05-29 20:57:08 -03:00
Felipe Zimmerle
b574418386 regression: Using github instead of modsecurity.org for SecRemoteRules 2019-04-05 12:59:34 -03:00
Ervin Hegedus
a6e6bc2b5f Allow empty anchored variable to use 2019-02-12 09:31:19 -03:00
Ervin Hegedus
2d3fbbc56a Modified affected test cases, which checked wrong variables 2019-02-12 09:16:07 -03:00
Ervin Hegedus
17d79ed7ba Fixed data collecting in multipart parsing 2019-02-12 09:16:07 -03:00
Ervin Hegedus
4b3e6328e3 Fixed validateByteRange parsing method 2019-02-12 09:10:36 -03:00
Felipe Zimmerle
145f2f35b7 tests: Updates secrules-language-tests 2019-02-05 11:26:03 -03:00
Felipe Zimmerle
d00ea5111d Adds initial support to drop action 2018-12-24 16:35:41 -03:00
Felipe Zimmerle
25bb1f1bcc Changes ENV test case to read the default MODSECURTIY env var 2018-11-29 15:21:28 -03:00
Felipe Zimmerle
d2b14de268 Allow 0 length JSON requests
As discussed at: #1822
2018-11-29 10:39:46 -03:00
Felipe Zimmerle
ce3abf2626 Adds support to multiple ranges in ctl:ruleRemoveById
Issue #1956
2018-11-26 20:48:18 -03:00
Victor Hora
cbf2fe9703 Adjust boundary test cases for the less strict parsing 2018-11-20 22:17:53 -03:00
Victor Hora
b638e523af Make the boundary check less strict as per RFC2046 2018-11-20 22:17:22 -03:00
Felipe Zimmerle
9d80983e55 Fix on top of #1943 + adding test cases 2018-11-01 16:11:39 -03:00
Victor Hora
e3b9f7c913 Fix SecUnicodeMapFile support
Makes SecUnicodeMapFile read the file and adjust transformation to use the
right variable.
2018-10-31 22:57:39 -03:00
Victor Hora
84ece3edcb Add test case for SecUnicodeMap 2018-10-31 22:19:27 -03:00
Felipe Zimmerle
065c2e67b6 Adds test case for #1850 2018-10-30 18:25:46 -03:00