Skip to content

Commit

Permalink
Adds support to BodyLimitAction and support for parser errors
Browse files Browse the repository at this point in the history
  • Loading branch information
Felipe Zimmerle committed Jul 23, 2015
1 parent 30b2624 commit 261ee9f
Show file tree
Hide file tree
Showing 8 changed files with 337 additions and 23 deletions.
18 changes: 18 additions & 0 deletions headers/modsecurity/rules.h
View file
Expand Up @@ -74,6 +74,7 @@ class Rules {
int merge(Rules *rules);

int evaluate(int phase, Assay *assay);
std::string getParserError();

std::vector<Rule *> rules[7]; // Number of Phases.

Expand Down Expand Up @@ -101,6 +102,18 @@ class Rules {
DetectionOnlyRuleEngine
};

enum BodyLimitAction {
/**
* Process partial
*
*/
ProcessPartialBodyLimitAction,
/**
* Process partial
*
*/
RejectBodyLimitAction
};
static const char *ruleEngineStateString(RuleEngine i) {
switch (i) {
case DisabledRuleEngine:
Expand Down Expand Up @@ -128,6 +141,11 @@ class Rules {

int requestBodyLimit;
int responseBodyLimit;
int requestBodyLimitAction;
int responseBodyLimitAction;

std::string parserError;

AuditLog *audit_log;

private:
Expand Down
46 changes: 42 additions & 4 deletions src/assay.cc
View file
Expand Up @@ -31,6 +31,7 @@
#include "modsecurity/modsecurity.h"
#include "modsecurity/intervention.h"
#include "actions/action.h"
#include "actions/block.h"
#include "src/utils.h"
#include "src/audit_log.h"
#include "src/unique_id.h"
Expand Down Expand Up @@ -613,6 +614,24 @@ int Assay::appendRequestBody(const unsigned char *buf, size_t len) {
if (this->m_rules->requestBodyLimit > 0
&& this->m_rules->requestBodyLimit < len + current_size) {
store_variable("INBOUND_DATA_ERROR", "1");
debug(5, "Rquest body is bigger than the maximum expected.");
if (this->m_rules->requestBodyLimitAction ==
Rules::BodyLimitAction::ProcessPartialBodyLimitAction) {
size_t spaceLeft = this->m_rules->requestBodyLimit - current_size;
this->m_requestBody.write(reinterpret_cast<const char*>(buf),
spaceLeft);
debug(5, "Request body limit is marked to process partial");
return false;
} else {
if (this->m_rules->requestBodyLimitAction ==
Rules::BodyLimitAction::RejectBodyLimitAction) {
debug(5, "Request body limit is marked to reject the " \
"request");
Action *a = new actions::Block("block");
actions.push_back(a);
}
return true;
}
}

this->m_requestBody.write(reinterpret_cast<const char*>(buf), len);
Expand Down Expand Up @@ -778,23 +797,42 @@ int Assay::processResponseBody() {
*
* @returns If the operation was successful or not.
* @retval true Operation was successful.
* @retval false Operation failed.
* @retval false Operation failed, process partial demanded.
*
*/
int Assay::appendResponseBody(const unsigned char *buf, size_t len) {
int current_size = this->m_responseBody.tellp();

debug(9, "Appending response body: " + std::to_string(len) + " bytes. " \
"Limit set to: " + std::to_string(this->m_rules->responseBodyLimit));
debug(9, "Appending response body: " + std::to_string(len + current_size)
+ " bytes. Limit set to: " +
std::to_string(this->m_rules->responseBodyLimit));

if (this->m_rules->responseBodyLimit > 0
&& this->m_rules->responseBodyLimit < len + current_size) {
store_variable("OUTBOUND_DATA_ERROR", "1");
debug(5, "Response body is bigger than the maximum expected.");
if (this->m_rules->responseBodyLimitAction ==
Rules::BodyLimitAction::ProcessPartialBodyLimitAction) {
size_t spaceLeft = this->m_rules->responseBodyLimit - current_size;
this->m_responseBody.write(reinterpret_cast<const char*>(buf),
spaceLeft);
debug(5, "Response body limit is marked to process partial");
return false;
} else {
if (this->m_rules->responseBodyLimitAction ==
Rules::BodyLimitAction::RejectBodyLimitAction) {
debug(5, "Response body limit is marked to reject the " \
"request");
Action *a = new actions::Block("block");
actions.push_back(a);
}
return true;
}
}

this->m_responseBody.write(reinterpret_cast<const char*>(buf), len);

return 0;
return true;
}


Expand Down
18 changes: 12 additions & 6 deletions src/parser/driver.cc
View file
Expand Up @@ -74,8 +74,7 @@ int Driver::parse(const std::string &f) {

int res = parser.parse();

if (this->audit_log->init() == false)
{
if (this->audit_log->init() == false) {
return false;
}

Expand All @@ -98,11 +97,18 @@ int Driver::parseFile(const std::string &f) {
}


void Driver::error(const yy::location& l, const std::string& m) {
std::cerr << l << ": " << m << std::endl;
void Driver::error(const yy::location& l, const std::string& m,
const std::string& c) {
if (parserError.tellp() == 0) {
parserError << "Parser error, ";
parserError << "Filename: " << file << ". ";
parserError << "Line: " << l.end.line << ". ";
parserError << "Column: " << l.end.column << ". ";
}
parserError << c;
}


void Driver::error(const std::string& m) {
std::cerr << m << std::endl;
void Driver::parser_error(const yy::location& l, const std::string& m) {
parserError << ". " << m << "." << std::endl;
}
7 changes: 6 additions & 1 deletion src/parser/driver.h
View file
Expand Up @@ -78,7 +78,8 @@ class Driver {

// Error handling.
void error(const yy::location& l, const std::string& m);
void error(const std::string& m);
void parser_error(const yy::location& l, const std::string& m);
void error(const yy::location& l, const std::string& m, const std::string& c);

std::vector<Rule *> rules[7]; // Number of Phases.

Expand All @@ -89,9 +90,13 @@ class Driver {
bool sec_response_body_access;
int requestBodyLimit;
int responseBodyLimit;
int requestBodyLimitAction;
int responseBodyLimitAction;

std::string debug_log_path;
std::list<std::string> components;
std::ostringstream parserError;
std::ostringstream syntaxError;

ModSecurity::AuditLog *audit_log;

Expand Down
33 changes: 27 additions & 6 deletions src/parser/seclang-parser.yy
View file
Expand Up @@ -73,7 +73,6 @@ using ModSecurity::Variables::TimeYear;
QUOTATION_MARK ")"
SPACE
PIPE
NEW_LINE
UNKNOWN
FREE_TEXT
;
Expand All @@ -83,6 +82,8 @@ using ModSecurity::Variables::TimeYear;
%token <std::string> CONFIG_DIRECTIVE
%token <std::string> CONFIG_DIR_REQ_BODY_LIMIT
%token <std::string> CONFIG_DIR_RES_BODY_LIMIT
%token <std::string> CONFIG_DIR_REQ_BODY_LIMIT_ACTION
%token <std::string> CONFIG_DIR_RES_BODY_LIMIT_ACTION
%token <std::string> CONFIG_DIR_RULE_ENG
%token <std::string> CONFIG_DIR_REQ_BODY
%token <std::string> CONFIG_DIR_RES_BODY
Expand All @@ -93,6 +94,8 @@ using ModSecurity::Variables::TimeYear;
%token <std::string> CONFIG_VALUE_SERIAL
%token <std::string> CONFIG_VALUE_PARALLEL
%token <std::string> CONFIG_VALUE_RELEVANT_ONLY
%token <std::string> CONFIG_VALUE_PROCESS_PARTIAL
%token <std::string> CONFIG_VALUE_REJECT

%token <std::string> CONFIG_DIR_AUDIT_DIR
%token <std::string> CONFIG_DIR_AUDIT_DIR_MOD
Expand Down Expand Up @@ -146,11 +149,12 @@ secrule:
| secrule line

line:
expression NEW_LINE
| SPACE expression NEW_LINE
| NEW_LINE
| SPACE NEW_LINE
expression
| SPACE expression
| SPACE
{

}

audit_log:
/* SecAuditLogDirMode */
Expand Down Expand Up @@ -280,6 +284,7 @@ expression:
{
GeoLookup::getInstance().setDataBase($1);
}
/* Body limits */
| CONFIG_DIR_REQ_BODY_LIMIT
{
driver.requestBodyLimit = atoi($1.c_str());
Expand All @@ -288,6 +293,22 @@ expression:
{
driver.responseBodyLimit = atoi($1.c_str());
}
| CONFIG_DIR_REQ_BODY_LIMIT_ACTION SPACE CONFIG_VALUE_PROCESS_PARTIAL
{
driver.requestBodyLimitAction = ModSecurity::Rules::BodyLimitAction::ProcessPartialBodyLimitAction;
}
| CONFIG_DIR_REQ_BODY_LIMIT_ACTION SPACE CONFIG_VALUE_REJECT
{
driver.requestBodyLimitAction = ModSecurity::Rules::BodyLimitAction::RejectBodyLimitAction;
}
| CONFIG_DIR_RES_BODY_LIMIT_ACTION SPACE CONFIG_VALUE_PROCESS_PARTIAL
{
driver.responseBodyLimitAction = ModSecurity::Rules::BodyLimitAction::ProcessPartialBodyLimitAction;
}
| CONFIG_DIR_RES_BODY_LIMIT_ACTION SPACE CONFIG_VALUE_REJECT
{
driver.responseBodyLimitAction = ModSecurity::Rules::BodyLimitAction::RejectBodyLimitAction;
}

variables:
variables PIPE VARIABLE
Expand Down Expand Up @@ -544,5 +565,5 @@ void
yy::seclang_parser::error (const location_type& l,
const std::string& m)
{
driver.error (l, m);
driver.parser_error (l, m);
}
23 changes: 17 additions & 6 deletions src/parser/seclang-scanner.ll
View file
Expand Up @@ -17,14 +17,16 @@
static yy::location loc;
%}
%option noyywrap nounput batch debug noinput
ACTION (?i:accuracy|allow|append|auditlog|block|capture|chain|ctl|deny|deprecatevar|drop|exec|expirevar|id:[0-9]+|initcol|log|logdata|maturity|msg|multiMatch|noauditlog|nolog|pass|pause|phase:[0-9]+|prepend|proxy|redirect:[A-z0-9_\|\&\:\/\/\.]+|rev|sanitiseArg|sanitiseMatched|sanitiseMatchedBytes|sanitiseRequestHeader|sanitiseResponseHeader|setuid|setrsc|setsid|setenv|setvar|skip|skipAfter|status:[0-9]+|tag|ver|xmlns|t)
ACTION (?i:accuracy|allow|append|auditlog|block|capture|chain|ctl|deny|deprecatevar|drop|exec|expirevar|id:[0-9]+|initcol|log|logdata|maturity|msg|multiMatch|noauditlog|nolog|pass|pause|phase:[0-9]+|prepend|proxy|redirect:[A-z0-9_\|\&\:\/\/\.]+|rev|sanitiseArg|sanitiseMatched|sanitiseMatchedBytes|sanitiseRequestHeader|sanitiseResponseHeader|setuid|setrsc|setsid|setenv|setvar|skip|skipAfter|status:[0-9]+|tag|ver|xmlns)
ACTION_SEVERITY (?i:severity:[0-9]+|severity:'[0-9]+'|severity:(EMERGENCY|ALERT|CRITICAL|ERROR|WARNING|NOTICE|INFO|DEBUG)|severity:'(EMERGENCY|ALERT|CRITICAL|ERROR|WARNING|NOTICE|INFO|DEBUG)')
DIRECTIVE SecRule

CONFIG_DIRECTIVE SecRequestBodyLimitAction|SecRequestBodyNoFilesLimit|SecRequestBodyInMemoryLimit|SecPcreMatchLimitRecursion|SecPcreMatchLimit|SecResponseBodyMimeType|SecResponseBodyLimitAction|SecTmpDir|SecDataDir|SecArgumentSeparator|SecCookieFormat|SecStatusEngine
CONFIG_DIRECTIVE SecRequestBodyNoFilesLimit|SecRequestBodyInMemoryLimit|SecPcreMatchLimitRecursion|SecPcreMatchLimit|SecResponseBodyMimeType|SecTmpDir|SecDataDir|SecArgumentSeparator|SecCookieFormat|SecStatusEngine

CONFIG_DIR_REQ_BODY_LIMIT (?i:SecRequestBodyLimit)
CONFIG_DIR_RES_BODY_LIMIT (?i:SecResponseBodyLimit)

CONFIG_DIR_REQ_BODY_LIMIT_ACTION (?i:SecRequestBodyLimitAction)
CONFIG_DIR_RES_BODY_LIMIT_ACTION (?i:SecResponseBodyLimitAction)

CONFIG_DIR_GEO_DB (?i:SecGeoLookupDb)

Expand Down Expand Up @@ -85,6 +87,10 @@ CONFIG_VALUE_SERIAL Serial
CONFIG_VALUE_PARALLEL Parallel
CONFIG_VALUE_RELEVANT_ONLY RelevantOnly

CONFIG_VALUE_PROCESS_PARTIAL (?i:ProcessPartial)
CONFIG_VALUE_REJECT (?i:Reject)


CONFIG_VALUE_PATH [A-Za-z_/\.]+
AUDIT_PARTS [ABCDEFHJKZ]+
CONFIG_VALUE_NUMBER [0-9]+
Expand All @@ -101,7 +107,7 @@ FREE_TEXT_NEW_LINE [^\"|\n]+

%{
// Code run each time yylex is called.
loc.step ();
loc.step();
%}

{DIRECTIVE} { return yy::seclang_parser::make_DIRECTIVE(yytext, loc); }
Expand Down Expand Up @@ -148,8 +154,10 @@ FREE_TEXT_NEW_LINE [^\"|\n]+

%{ /* Request body limit */ %}
{CONFIG_DIR_REQ_BODY_LIMIT}[ ]{CONFIG_VALUE_NUMBER} { return yy::seclang_parser::make_CONFIG_DIR_REQ_BODY_LIMIT(strchr(yytext, ' ') + 1, loc); }
{CONFIG_DIR_REQ_BODY_LIMIT_ACTION} { return yy::seclang_parser::make_CONFIG_DIR_REQ_BODY_LIMIT_ACTION(yytext, loc); }
%{ /* Reponse body limit */ %}
{CONFIG_DIR_RES_BODY_LIMIT}[ ]{CONFIG_VALUE_NUMBER} { return yy::seclang_parser::make_CONFIG_DIR_RES_BODY_LIMIT(strchr(yytext, ' ') + 1, loc); }
{CONFIG_DIR_RES_BODY_LIMIT_ACTION} { return yy::seclang_parser::make_CONFIG_DIR_RES_BODY_LIMIT_ACTION(yytext, loc); }

{CONFIG_COMPONENT_SIG}[ ]["]{FREE_TEXT}["] { return yy::seclang_parser::make_CONFIG_COMPONENT_SIG(strchr(yytext, ' ') + 2, loc); }

Expand All @@ -159,6 +167,9 @@ FREE_TEXT_NEW_LINE [^\"|\n]+
{CONFIG_VALUE_PARALLEL} { return yy::seclang_parser::make_CONFIG_VALUE_PARALLEL(yytext, loc); }
{CONFIG_VALUE_DETC} { return yy::seclang_parser::make_CONFIG_VALUE_DETC(yytext, loc); }
{CONFIG_VALUE_RELEVANT_ONLY} { return yy::seclang_parser::make_CONFIG_VALUE_RELEVANT_ONLY(yytext, loc); }
{CONFIG_VALUE_PROCESS_PARTIAL} { return yy::seclang_parser::make_CONFIG_VALUE_PROCESS_PARTIAL(yytext, loc); }
{CONFIG_VALUE_REJECT} { return yy::seclang_parser::make_CONFIG_VALUE_REJECT(yytext, loc); }

["]{OPERATOR}[ ]{FREE_TEXT}["] { return yy::seclang_parser::make_OPERATOR(yytext, loc); }
["]{OPERATORNOARG}["] { return yy::seclang_parser::make_OPERATOR(yytext, loc); }
{ACTION} { return yy::seclang_parser::make_ACTION(yytext, loc); }
Expand All @@ -168,8 +179,8 @@ FREE_TEXT_NEW_LINE [^\"|\n]+
[|] { return yy::seclang_parser::make_PIPE(loc); }
{VARIABLENOCOLON} { return yy::seclang_parser::make_VARIABLE(yytext, loc); }
[ \t]+ { return yy::seclang_parser::make_SPACE(loc); }
\n { return yy::seclang_parser::make_NEW_LINE(loc); }
. driver.error (loc, "invalid character");
[\n]+ { loc.lines(yyleng); loc.step(); }
. { driver.error (loc, "invalid character", yytext); }
<<EOF>> { return yy::seclang_parser::make_END(loc); }
%%
Expand Down
10 changes: 10 additions & 0 deletions src/rules.cc
View file
Expand Up @@ -124,6 +124,7 @@ int Rules::load(const char *plain_rules) {
Driver *driver = new Driver();
if (driver->parse("/tmp/modsec_ugly_hack.txt")) {
ret = false;
parserError = driver->parserError.str();
}
this->merge(driver);
delete driver;
Expand All @@ -132,6 +133,11 @@ int Rules::load(const char *plain_rules) {
}


std::string Rules::getParserError() {
return this->parserError;
}


int Rules::evaluate(int phase, Assay *assay) {
if (phase > ModSecurity::Phases::NUMBER_OF_PHASES) {
return 0;
Expand Down Expand Up @@ -169,6 +175,8 @@ int Rules::merge(Driver *from) {
this->components = from->components;
this->requestBodyLimit = from->requestBodyLimit;
this->responseBodyLimit = from->responseBodyLimit;
this->requestBodyLimitAction = from->requestBodyLimitAction;
this->responseBodyLimitAction = from->responseBodyLimitAction;

if (m_custom_debug_log) {
this->debug_log = m_custom_debug_log->new_instance();
Expand Down Expand Up @@ -205,6 +213,8 @@ int Rules::merge(Rules *from) {
this->components = from->components;
this->requestBodyLimit = from->requestBodyLimit;
this->responseBodyLimit = from->responseBodyLimit;
this->requestBodyLimitAction = from->requestBodyLimitAction;
this->responseBodyLimitAction = from->responseBodyLimitAction;

this->debug_log = from->debug_log;

Expand Down

0 comments on commit 261ee9f

Please sign in to comment.