mirror of
https://github.com/owasp-modsecurity/ModSecurity.git
synced 2025-08-13 21:36:00 +03:00
123 lines
3.5 KiB
C++
123 lines
3.5 KiB
C++
/*
|
|
* ModSecurity, http://www.modsecurity.org/
|
|
* Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
|
|
*
|
|
* You may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* If any of the files related to licensing are missing or if you have any
|
|
* other questions related to licensing please contact Trustwave Holdings, Inc.
|
|
* directly using the email address security@modsecurity.org.
|
|
*
|
|
*/
|
|
|
|
#include "src/operators/validate_url_encoding.h"
|
|
|
|
#include <string>
|
|
|
|
#include "src/operators/operator.h"
|
|
|
|
namespace modsecurity {
|
|
namespace operators {
|
|
|
|
|
|
int ValidateUrlEncoding::validate_url_encoding(const char *input,
|
|
uint64_t input_length, size_t *offset) {
|
|
int i;
|
|
*offset = 0;
|
|
|
|
if ((input == NULL) || (input_length == 0)) {
|
|
return -1;
|
|
}
|
|
|
|
i = 0;
|
|
while (i < input_length) {
|
|
if (input[i] == '%') {
|
|
if (i + 2 >= input_length) {
|
|
*offset = i;
|
|
/* Not enough bytes. */
|
|
return -3;
|
|
} else {
|
|
/* Here we only decode a %xx combination if it is valid,
|
|
* leaving it as is otherwise.
|
|
*/
|
|
char c1 = input[i + 1];
|
|
char c2 = input[i + 2];
|
|
|
|
if ( (((c1 >= '0') && (c1 <= '9'))
|
|
|| ((c1 >= 'a') && (c1 <= 'f'))
|
|
|| ((c1 >= 'A') && (c1 <= 'F')))
|
|
&& (((c2 >= '0') && (c2 <= '9'))
|
|
|| ((c2 >= 'a') && (c2 <= 'f'))
|
|
|| ((c2 >= 'A') && (c2 <= 'F'))) ) {
|
|
i += 3;
|
|
} else {
|
|
/* Non-hexadecimal characters used in encoding. */
|
|
*offset = i;
|
|
return -2;
|
|
}
|
|
}
|
|
} else {
|
|
i++;
|
|
}
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
|
|
bool ValidateUrlEncoding::evaluate(Transaction *transaction, Rule *rule,
|
|
const std::string &input, std::shared_ptr<RuleMessage> ruleMessage) {
|
|
size_t offset = 0;
|
|
bool res = false;
|
|
|
|
if (input.empty() == true) {
|
|
return res;
|
|
}
|
|
|
|
int rc = validate_url_encoding(input.c_str(), input.size(), &offset);
|
|
switch (rc) {
|
|
case 1 :
|
|
/* Encoding is valid */
|
|
if (transaction) {
|
|
ms_dbg_a(transaction, 7, "Valid URL Encoding at '" +input + "'");
|
|
}
|
|
res = false;
|
|
break;
|
|
case -2 :
|
|
if (transaction) {
|
|
ms_dbg_a(transaction, 7, "Invalid URL Encoding: Non-hexadecimal "
|
|
"digits used at '" + input + "'");
|
|
logOffset(ruleMessage, offset, input.size());
|
|
}
|
|
res = true; /* Invalid match. */
|
|
break;
|
|
case -3 :
|
|
if (transaction) {
|
|
ms_dbg_a(transaction, 7, "Invalid URL Encoding: Not enough " \
|
|
"characters at the end of input at '" + input + "'");
|
|
logOffset(ruleMessage, offset, input.size());
|
|
}
|
|
res = true; /* Invalid match. */
|
|
break;
|
|
case -1 :
|
|
default :
|
|
if (transaction) {
|
|
ms_dbg_a(transaction, 7, "Invalid URL Encoding: Internal " \
|
|
"Error (rc = " + std::to_string(rc) + ") at '" +
|
|
input + "'");
|
|
logOffset(ruleMessage, offset, input.size());
|
|
}
|
|
res = true;
|
|
break;
|
|
}
|
|
|
|
return res;
|
|
}
|
|
|
|
|
|
} // namespace operators
|
|
} // namespace modsecurity
|