sync code

components/security_apps/waap/waap_clib/DeepParser.cc

@@ -390,6 +390,38 @@ DeepParser::onKv(const char *k, size_t k_len, const char *v, size_t v_len, int f
         }
     }
 
+    if (flags & BUFFERED_RECEIVER_F_FIRST && offset < 0 && valueStats.hasPercent &&
+        m_key.first().size() == 6 && m_key.first() == "cookie") {
+        dbgTrace(D_WAAP_DEEP_PARSER)
+            << "1st pass of createInternalParser() failed. "
+            << "Will try to decode percent-encoded data and repeate search for parser";
+        orig_val.erase(unquote_plus(orig_val.begin(), orig_val.end()), orig_val.end());
+        cur_val_html_escaped = orig_val;
+        cur_val_html_escaped.erase(
+            escape_html(cur_val_html_escaped.begin(), cur_val_html_escaped.end()), cur_val_html_escaped.end()
+        );
+        offset = createInternalParser(
+            k,
+            k_len,
+            orig_val,
+            valueStats,
+            isBodyPayload,
+            isRefererPayload,
+            isRefererParamPayload,
+            isUrlPayload,
+            isUrlParamPayload,
+            flags,
+            parser_depth,
+            base64BinaryFileType
+        );
+        if (offset >= 0) {
+            dbgTrace(D_WAAP_DEEP_PARSER) << "2nd pass of createInternalParser succeeded. Update values and proceed";
+            ValueStatsAnalyzer valueStatsUpdated(cur_val_html_escaped);
+            cur_val.erase(unquote_plus(cur_val.begin(), cur_val.end()), cur_val.end());
+            Waap::Util::decodeUtf16Value(valueStatsUpdated, cur_val);
+        }
+    }
+
     // If there's a parser in parsers stack, push the value to the top parser
     if (!m_parsersDeque.empty()
         && offset >= 0
@@ -1183,6 +1215,7 @@ DeepParser::createInternalParser(
             offset = 0;
         }
     }
+    bool isCockiePapameter = m_key.depth() == 2 && m_key.first().size() == 6 && m_key.first() == "cookie";
     if (offset < 0) {
         if (isPipesType) {
             dbgTrace(D_WAAP_DEEP_PARSER) << "Starting to parse pipes, positional: " << isKeyValDelimited;
@@ -1279,7 +1312,7 @@ DeepParser::createInternalParser(
                 );
             } else if (!Waap::Util::testUrlBareUtf8Evasion(cur_val)) {
                 dbgTrace(D_WAAP_DEEP_PARSER) << "!Waap::Util::testUrlBareUtf8Evasion(cur_val)";
-                if (!valueStats.hasSpace
+                if ((!valueStats.hasSpace || (valueStats.hasSpace && isCockiePapameter))
                     && valueStats.hasCharAmpersand
                     && valueStats.hasTwoCharsEqual
                     && !isBinaryData()
@@ -1305,7 +1338,7 @@ DeepParser::createInternalParser(
             }
         } else if (!Waap::Util::testUrlBareUtf8Evasion(cur_val)) {
             dbgTrace(D_WAAP_DEEP_PARSER) << "!Waap::Util::testUrlBareUtf8Evasion(cur_val)";
-            if (!valueStats.hasSpace
+            if ((!valueStats.hasSpace || (valueStats.hasSpace && isCockiePapameter))
                 && valueStats.hasCharAmpersand
                 && valueStats.hasTwoCharsEqual
                 && !isBinaryData()

components/security_apps/waap/waap_clib/ParserUrlEncode.cc

@@ -103,6 +103,9 @@ ParserUrlEncode::push(const char *buf, size_t len)
         }
         case s_key_start: {
             dbgTrace(D_WAAP_PARSER_URLENCODE) << "ParserUrlEncode::push(): s_key_start";
+            if (isspace(c)){
+                break;
+            }
             mark = i;
             m_state = s_key;
 
@@ -112,12 +115,6 @@ ParserUrlEncode::push(const char *buf, size_t len)
         case s_key: {
             dbgTrace(D_WAAP_PARSER_URLENCODE) << "ParserUrlEncode::push(): s_key";
 
-            // skip leading spaces in the key
-            if (isspace(c)) {
-                m_state = s_key_start; // skip the space character without including it in the output
-                break;
-            }
-
             if (c == '%' && should_decode_percent) {
                 if (i - mark > 0) {
                     if (m_receiver.onKey(buf + mark, i - mark) != 0) {

components/security_apps/waap/waap_clib/WaapOverride.h

@@ -48,7 +48,7 @@ public:
 
             if (m_tag != "sourceip" && m_tag != "sourceidentifier" && m_tag != "url" && m_tag != "hostname" &&
                 m_tag != "keyword" && m_tag != "paramname" && m_tag != "paramvalue" && m_tag != "paramlocation" &&
-                m_tag != "responsebody" &&  m_tag != "headername" && m_tag != "headervalue" ) {
+                m_tag != "responsebody" &&  m_tag != "headername" && m_tag != "headervalue" && m_tag != "method") {
                 m_isValid = false;
                 dbgDebug(D_WAAP_OVERRIDE) << "Invalid override tag: " << m_tag;
             }

components/security_apps/waap/waap_clib/WaapOverrideFunctor.cc

@@ -51,7 +51,10 @@ bool WaapOverrideFunctor::operator()(const std::string& tag, const boost::regex&
     std::string tagLower = tag;
     std::transform(tagLower.begin(), tagLower.end(), tagLower.begin(), ::tolower);
     try {
-        if (tagLower == "url") {
+        if (tagLower == "method") {
+            return NGEN::Regex::regexMatch(__FILE__, __LINE__, waf2Transaction.getMethod().c_str(), what, rx);
+        }
+        else if (tagLower == "url") {
             return NGEN::Regex::regexMatch(__FILE__, __LINE__, waf2Transaction.getUriStr().c_str(), what, rx);
         }
         else if (tagLower == "hostname") {

components/security_apps/waap/waap_clib/WaapValueStatsAnalyzer.cc

@@ -95,7 +95,9 @@ ValueStatsAnalyzer::ValueStatsAnalyzer(const std::string &cur_val)
     canSplitPipe(true),
     hasSpace(false),
     isUrlEncoded(false),
-    hasCharLess(false)
+    hasCharLess(false),
+    hasDoubleQuote(false),
+    hasPercent(false)
 {
     unsigned int zerosSeq[2] = {0};
     bool lastNul = false; // whether last processed character was ASCII NUL
@@ -146,6 +148,9 @@ ValueStatsAnalyzer::ValueStatsAnalyzer(const std::string &cur_val)
             case '\"':
                 hasDoubleQuote = true;
                 break;
+            case '%':
+                hasPercent = true;
+                break;
         }
 
         if (isspace(ch)) {
@@ -270,4 +275,6 @@ ValueStatsAnalyzer::ValueStatsAnalyzer(const std::string &cur_val)
     textual +=(hasCharLess ? "true" : "false");
     textual.append("\nhasDoubleQuote = ");
     textual +=(hasDoubleQuote ? "true" : "false");
+    textual.append("\nhasPercent = ");
+    textual +=(hasPercent ? "true" : "false");
 }

components/security_apps/waap/waap_clib/WaapValueStatsAnalyzer.h

@@ -36,6 +36,7 @@ struct ValueStatsAnalyzer
     bool isUrlEncoded;
     bool hasCharLess;
     bool hasDoubleQuote;
+    bool hasPercent;
     std::string textual;
 };
 

components/security_apps/waap/waap_clib/Waf2Engine.cc

@@ -867,7 +867,7 @@ void Waf2Transaction::parseCookie(const char* value, int value_len)
     if (value_len > 0) {
         dbgTrace(D_WAAP_HEADERS) << "[transaction:" << this << "] scanning the cookie value";
         m_deepParser.m_key.push("cookie", 6);
-        ParserUrlEncode cookieValueParser(m_deepParserReceiver, 0, ';');
+        ParserUrlEncode cookieValueParser(m_deepParserReceiver, 0, ';', false);
         cookieValueParser.push(value, value_len);
         cookieValueParser.finish();
         m_deepParser.m_key.pop("cookie");
@@ -1077,6 +1077,9 @@ void Waf2Transaction::add_request_hdr(const char* name, int name_len, const char
     std::string header_name(name, name_len);
     boost::algorithm::to_lower(header_name);
     hdrs_map[header_name] = std::string(value, value_len);
+    if (header_name == "host") {
+        m_hostStr = hdrs_map[header_name];
+    }
 }
 
 void Waf2Transaction::end_request_hdrs() {

components/security_apps/waap/waap_component_impl.cc

@@ -117,7 +117,7 @@ WaapComponent::Impl::fini()
 std::string
 WaapComponent::Impl::getListenerName() const
 {
-    return "waap application";
+    return WAAP_APPLICATION_NAME;
 }
 
 // Start request (called before headers arrive). However, the method and URL path is known at this stage.