Adds support to JSON request body parser

owasp-modsecurity · Jun 30, 2016 · 90adb53 · 90adb53
1 parent 2477470
commit 90adb53
Show file tree

Hide file tree

Showing 10 changed files with 551 additions and 4 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -222,3 +222,5 @@ TESTS+=test/test-cases/regression/variable-STATUS.json
 TESTS+=test/test-cases/regression/variable-RESPONSE_PROTOCOL.json
 TESTS+=test/test-cases/regression/variable-SERVER_NAME.json
 TESTS+=test/test-cases/regression/operator-UnconditionalMatch.json
+TESTS+=test/test-cases/regression/request-body-parser-json.json
+
diff --git a/headers/modsecurity/transaction.h b/headers/modsecurity/transaction.h
@@ -76,6 +76,7 @@ class Action;
 }
 namespace RequestBodyProcessor {
 class XML;
+class JSON;
 }
 namespace operators {
 class Operator;
@@ -337,6 +338,7 @@ class Transaction {
     std::list<std::string> m_matched;
 
     RequestBodyProcessor::XML *m_xml;
+    RequestBodyProcessor::JSON *m_json;
 
  private:
     std::string *m_ARGScombinedSizeStr;

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -83,6 +83,7 @@ ACTIONS = \
 	actions/capture.cc \
 	actions/chain.cc \
 	actions/ctl_audit_log_parts.cc \
+	actions/ctl_request_body_processor_json.cc \
 	actions/ctl_request_body_processor_xml.cc \
 	actions/init_col.cc \
 	actions/deny.cc \
@@ -202,7 +203,8 @@ COLLECTION = \
 
 BODY_PROCESSORS = \
 	request_body_processor/multipart.cc \
-	request_body_processor/xml.cc
+	request_body_processor/xml.cc \
+	request_body_processor/json.cc
 
 
 libmodsecurity_la_SOURCES = \

diff --git a/src/actions/ctl_request_body_processor_json.cc b/src/actions/ctl_request_body_processor_json.cc
@@ -0,0 +1,37 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "actions/ctl_request_body_processor_json.h"
+
+#include <iostream>
+#include <string>
+
+#include "modsecurity/transaction.h"
+
+namespace modsecurity {
+namespace actions {
+
+
+bool CtlRequestBodyProcessorJSON::evaluate(Rule *rule,
+    Transaction *transaction) {
+    transaction->m_requestBodyProcessor = Transaction::JSONRequestBody;
+    transaction->m_collections.store("REQBODY_PROCESSOR", "JSON");
+
+    return true;
+}
+
+
+}  // namespace actions
+}  // namespace modsecurity
diff --git a/src/actions/ctl_request_body_processor_json.h b/src/actions/ctl_request_body_processor_json.h
@@ -0,0 +1,39 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include <string>
+
+#include "actions/action.h"
+#include "modsecurity/transaction.h"
+
+#ifndef SRC_ACTIONS_CTL_REQUEST_BODY_PROCESSOR_JSON_H_
+#define SRC_ACTIONS_CTL_REQUEST_BODY_PROCESSOR_JSON_H_
+
+namespace modsecurity {
+namespace actions {
+
+
+class CtlRequestBodyProcessorJSON : public Action {
+ public:
+    explicit CtlRequestBodyProcessorJSON(std::string action)
+        : Action(action, RunTimeOnlyIfMatchKind) { }
+
+    bool evaluate(Rule *rule, Transaction *transaction) override;
+};
+
+}  // namespace actions
+}  // namespace modsecurity
+
+#endif  // SRC_ACTIONS_CTL_REQUEST_BODY_PROCESSOR_JSON_H_
diff --git a/src/parser/seclang-parser.yy b/src/parser/seclang-parser.yy
@@ -23,6 +23,7 @@ class Driver;
 #include "actions/action.h"
 #include "actions/audit_log.h"
 #include "actions/ctl_audit_log_parts.h"
+#include "actions/ctl_request_body_processor_json.h"
 #include "actions/ctl_request_body_processor_xml.h"
 #include "actions/init_col.h"
 #include "actions/set_sid.h"
@@ -73,6 +74,7 @@ using modsecurity::actions::Accuracy;
 using modsecurity::actions::Action;
 using modsecurity::actions::CtlAuditLogParts;
 using modsecurity::actions::CtlRequestBodyProcessorXML;
+using modsecurity::actions::CtlRequestBodyProcessorJSON;
 using modsecurity::actions::InitCol;
 using modsecurity::actions::SetSID;
 using modsecurity::actions::SetUID;
@@ -1184,8 +1186,7 @@ act:
       }
     | ACTION_CTL_BDY_JSON
       {
-        /* not ready yet. */
-        $$ = Action::instantiate($1);
+        $$ = new modsecurity::actions::CtlRequestBodyProcessorJSON($1);
       }
     | ACTION_CTL_AUDIT_LOG_PARTS
       {