Implement id ranges for ctl:ruleRemoveTargetById

.travis.yml

@@ -1,4 +1,4 @@
-dist: trusty
+dist: bionic
 sudo: true
 
 addons:
@@ -9,7 +9,6 @@ addons:
     - libgeoip-dev
     - liblua5.2-dev
     - liblmdb-dev
-    - cppcheck
 
 language: cpp
 
@@ -38,9 +37,12 @@ before_script:
   - '[ "$TRAVIS_OS_NAME" != osx ] || brew install libmaxminddb'
   - '[ "$TRAVIS_OS_NAME" != osx ] || brew install lmdb'
   - '[ "$TRAVIS_OS_NAME" != linux ] || sudo add-apt-repository --yes ppa:maxmind/ppa'
+  - '[ "$TRAVIS_OS_NAME" != linux ] || sudo add-apt-repository --yes ppa:grochefort/cppcheck'
   - '[ "$TRAVIS_OS_NAME" != linux ] || sudo apt-get update'
   - '[ "$TRAVIS_OS_NAME" != linux ] || sudo apt-cache search maxmind'
   - '[ "$TRAVIS_OS_NAME" != linux ] || sudo apt-get install -y libmaxminddb-dev'
+  - '[ "$TRAVIS_OS_NAME" != linux ] || sudo apt-get install -y cppcheck'
+  - '[ "$TRAVIS_OS_NAME" != linux ] || cppcheck --version'
 
 script:
   - ./build.sh

CHANGES

@@ -1,6 +1,38 @@
 v3.x.y - YYYY-MMM-DD (to be released)
 -------------------------------------
-
+
+  - Implement id ranges for ctl:ruleRemoveTargetById
+    [#2110 - @j0k2r, @martinhsv]  
+  - Removed unnecessary while processing the transformations.
+    [#2368 - @WGH-, @zimmerle]  
+  - auditlog: Computes whether or not to save while loading the rules.
+    [@zimmerle]
+  - actions: Computes Rule association while loading the rules given a
+    performance boost on run time.
+    [@zimmerle]
+  - Regression: Mark the test as failed in case of segfault.
+    [@zimmerle]
+  - Replaced t:lowerCase backend for a better performance.
+    [@zimmerle]
+  - More structured rules dump. Better supporting debugging.
+    [@zimmerle]
+  - Added the basics for supporting better error/warning handling while
+    loading configurations.
+    [@zimmerle]
+  - IMPORTANT: SecDefaultAction behaves changing: SecDefaultAction specified
+    on a child configuration will overwrite the ones specified on the parent;
+    Previously it was concatenating.
+    [@zimmerle]
+  - Using std::shared_ptr instead of generates its own references counters
+    for Rules and related.
+    [@zimmerle]
+  - Better handle shared_pointers on messages aiming for better performance.
+    [@zimmerle]
+  - Better handle memory usage on transformations aiming for better
+    performance.
+    [@zimmerle]
+  - Coding refactoring on the Rule class. The Rule class is now refactored
+    into RuleWithOperator, RuleWithActions, and RuleUnconditional.
   - Fix IP address logging in Section A
     [Issue #2300 - @inaratech, @zavazingo, @martinhsv]
   - Adds support to lua 5.4

Makefile.am

@@ -57,14 +57,16 @@ parser:
 
 cppcheck:
 	@cppcheck -U YYSTYPE -U MBEDTLS_MD5_ALT -U MBEDTLS_SHA1_ALT \
-		-D MS_CPPCHECK_DISABLED_FOR_PARSER \
+		-D MS_CPPCHECK_DISABLED_FOR_PARSER -U YY_USER_INIT \
 		--suppressions-list=./test/cppcheck_suppressions.txt \
 		--enable=all \
 		--inconclusive \
 		--template="warning: {file},{line},{severity},{id},{message}" \
 		-I headers -I . -I others -I src -I others/mbedtls -I src/parser \
 		--error-exitcode=1 \
-		-i "src/parser/seclang-parser.cc" -i "src/parser/seclang-scanner.cc" \
+		-i "src/parser/seclang-parser.cc" \
+		-i "src/parser/seclang-scanner.cc" \
+		-i "parser/driver.cc" \
 		--force --verbose .
 
 

examples/reading_logs_via_rule_message/reading_logs_via_rule_message.h

@@ -176,21 +176,22 @@ class ReadingLogsViaRuleMessage {
             return;
         }
 
-        const modsecurity::RuleMessage *ruleMessage = \
-            reinterpret_cast<const modsecurity::RuleMessage *>(ruleMessagev);
+        modsecurity::RuleMessage ruleMessage(
+            *reinterpret_cast<const modsecurity::RuleMessage *>(ruleMessagev));
 
-        std::cout << "Rule Id: " << std::to_string(ruleMessage->m_ruleId);
-        std::cout << " phase: " << std::to_string(ruleMessage->m_phase);
+
+        std::cout << "Rule Id: " << std::to_string(ruleMessage.getRuleId());
+        std::cout << " phase: " << std::to_string(ruleMessage.getPhase());
         std::cout << std::endl;
-        if (ruleMessage->m_isDisruptive) {
+        if (ruleMessage.isDisruptive()) {
             std::cout << " * Disruptive action: ";
-            std::cout << modsecurity::RuleMessage::log(ruleMessage);
+            std::cout << modsecurity::RuleMessage::log(&ruleMessage);
             std::cout << std::endl;
             std::cout << " ** %d is meant to be informed by the webserver.";
             std::cout << std::endl;
         } else {
             std::cout << " * Match, but no disruptive action: ";
-            std::cout << modsecurity::RuleMessage::log(ruleMessage);
+            std::cout << modsecurity::RuleMessage::log(&ruleMessage);
             std::cout << std::endl;
         }
     }

examples/using_bodies_in_chunks/simple_request.cc

@@ -69,21 +69,21 @@ static void logCb(void *data, const void *ruleMessagev) {
         return;
     }
 
-    const modsecurity::RuleMessage *ruleMessage = \
-        reinterpret_cast<const modsecurity::RuleMessage *>(ruleMessagev);
+    modsecurity::RuleMessage ruleMessage(
+        *reinterpret_cast<const modsecurity::RuleMessage *>(ruleMessagev));
 
-    std::cout << "Rule Id: " << std::to_string(ruleMessage->m_ruleId);
-    std::cout << " phase: " << std::to_string(ruleMessage->m_phase);
+    std::cout << "Rule Id: " << std::to_string(ruleMessage.getRuleId());
+    std::cout << " phase: " << std::to_string(ruleMessage.getPhase());
     std::cout << std::endl;
-    if (ruleMessage->m_isDisruptive) {
+    if (ruleMessage.isDisruptive()) {
         std::cout << " * Disruptive action: ";
-        std::cout << modsecurity::RuleMessage::log(ruleMessage);
+        std::cout << modsecurity::RuleMessage::log(&ruleMessage);
         std::cout << std::endl;
         std::cout << " ** %d is meant to be informed by the webserver.";
         std::cout << std::endl;
     } else {
         std::cout << " * Match, but no disruptive action: ";
-        std::cout << modsecurity::RuleMessage::log(ruleMessage);
+        std::cout << modsecurity::RuleMessage::log(&ruleMessage);
         std::cout << std::endl;
     }
 }

headers/modsecurity/actions/action.h

@@ -16,14 +16,11 @@
 #ifdef __cplusplus
 
 #include <string>
-#include <iostream>
-#include <memory>
+
+#include <assert.h>
 
 #endif
 
-#include "modsecurity/intervention.h"
-#include "modsecurity/rule.h"
-#include "modsecurity/rule_with_actions.h"
 
 #ifndef HEADERS_MODSECURITY_ACTIONS_ACTION_H_
 #define HEADERS_MODSECURITY_ACTIONS_ACTION_H_
@@ -32,103 +29,96 @@
 
 namespace modsecurity {
 class Transaction;
-class RuleWithOperator;
-
 namespace actions {
 
 
 class Action {
  public:
-    explicit Action(const std::string& _action)
-        : m_isNone(false),
-        temporaryAction(false),
-        action_kind(2),
-        m_name(nullptr),
-        m_parser_payload("") {
-            set_name_and_payload(_action);
-        }
-    explicit Action(const std::string& _action, int kind)
-        : m_isNone(false),
-        temporaryAction(false),
-        action_kind(kind),
-        m_name(nullptr),
-        m_parser_payload("") {
-            set_name_and_payload(_action);
-        }
+    Action()
+        : m_parserPayload(""),
+        m_name("")
+    {
+        assert(0);
+    }
+
+
+    explicit Action(const std::string& action)
+        : m_parserPayload(sort_payload(action)),
+        m_name(sort_name(action))
+    { }
 
-    virtual ~Action() { }
 
-    virtual std::string evaluate(const std::string &exp,
-        Transaction *transaction);
-    virtual bool evaluate(RuleWithActions *rule, Transaction *transaction);
-    virtual bool evaluate(RuleWithActions *rule, Transaction *transaction,
-        std::shared_ptr<RuleMessage> ruleMessage) {
-        return evaluate(rule, transaction);
+    Action(const Action &other)
+        : m_parserPayload(other.m_parserPayload),
+        m_name(other.m_name)
+    { }
+
+
+    Action &operator=(const Action& a) {
+        m_name = a.m_name;
+        m_parserPayload = a.m_parserPayload;
+        return *this;
     }
-    virtual bool init(std::string *error) { return true; }
-    virtual bool isDisruptive() { return false; }
 
 
-    void set_name_and_payload(const std::string& data) {
+    virtual ~Action()
+    { }
+
+
+    virtual bool init(std::string *error) {
+        return true;
+    }
+
+    const std::string *getName() const noexcept {
+        return &m_name;
+    }
+
+
+ protected:
+    std::string m_parserPayload;
+
+
+ private:
+    std::string m_name;
+
+    static size_t get_payload_pos(const std::string& data) {
         size_t pos = data.find(":");
         std::string t = "t:";
 
         if (data.compare(0, t.length(), t) == 0) {
             pos = data.find(":", 2);
         }
 
+        return pos;
+    }
+
+
+    static std::string sort_name(const std::string& data) {
+        size_t pos = get_payload_pos(data);
         if (pos == std::string::npos) {
-            m_name = std::shared_ptr<std::string>(new std::string(data));
-            return;
+            return data;
         }
 
-        m_name = std::shared_ptr<std::string>(new std::string(data, 0, pos));
-        m_parser_payload = std::string(data, pos + 1, data.length());
+        std::string ret(data, 0, pos);
+        return ret;
+    }
+
 
-        if (m_parser_payload.at(0) == '\'' && m_parser_payload.size() > 2) {
-            m_parser_payload.erase(0, 1);
-            m_parser_payload.pop_back();
+    static std::string sort_payload(const std::string& data) {
+        size_t pos = get_payload_pos(data);
+        std::string ret("");
+        if (pos != std::string::npos) {
+            ret = std::string(data, pos + 1, data.length());
+
+            if (ret.at(0) == '\'' && ret.size() > 2) {
+                ret.erase(0, 1);
+                ret.pop_back();
+            }
         }
-    }
 
-    bool m_isNone;
-    bool temporaryAction;
-    int action_kind;
-    std::shared_ptr<std::string> m_name;
-    std::string m_parser_payload;
-
-    /**
-     *
-     * Define the action kind regarding to the execution time.
-     * 
-     * 
-     */
-    enum Kind {
-    /**
-     *
-     * Action that are executed while loading the configuration. For instance
-     * the rule ID or the rule phase.
-     *
-     */
-     ConfigurationKind,
-    /**
-     *
-     * Those are actions that demands to be executed before call the operator.
-     * For instance the tranformations.
-     *
-     *
-     */
-     RunTimeBeforeMatchAttemptKind,
-    /**
-     *
-     * Actions that are executed after the execution of the operator, only if
-     * the operator returned Match (or True). For instance the disruptive
-     * actions.
-     *
-     */
-     RunTimeOnlyIfMatchKind,
-    };
- };
+        return ret;
+    }
+};
 
 
 }  // namespace actions

headers/modsecurity/anchored_set_variable.h

@@ -27,10 +27,13 @@
 #include <vector>
 #include <algorithm>
 #include <memory>
+
+#include "modsecurity/string_view.hpp"
 #endif
 
 #include "modsecurity/variable_value.h"
 
+
 #ifndef HEADERS_MODSECURITY_ANCHORED_SET_VARIABLE_H_
 #define HEADERS_MODSECURITY_ANCHORED_SET_VARIABLE_H_
 
@@ -69,36 +72,37 @@ struct MyHash{
 
 
 class AnchoredSetVariable : public std::unordered_multimap<std::string,
-	VariableValue *, MyHash, MyEqual> {
+	std::shared_ptr<const VariableValue>, MyHash, MyEqual> {
  public:
     AnchoredSetVariable(Transaction *t, const std::string &name);
-    ~AnchoredSetVariable();
 
     void unset();
 
-    void set(const std::string &key, const std::string &value,
-        size_t offset);
+    void set(const std::string &key, const std::string &value, size_t offset) {
+        set(key, value, offset, value.size());
+    }
 
     void set(const std::string &key, const std::string &value,
         size_t offset, size_t len);
 
-    void setCopy(std::string key, std::string value, size_t offset);
+    void set(const std::string &key, const bpstd::string_view &value,
+        size_t offset);
 
-    void resolve(std::vector<const VariableValue *> *l);
-    void resolve(std::vector<const VariableValue *> *l,
-        variables::KeyExclusions &ke);
+    void resolve(VariableValues *l) const noexcept;
+    void resolve(VariableValues *l,
+        const variables::KeyExclusions &ke) const noexcept;
 
     void resolve(const std::string &key,
-        std::vector<const VariableValue *> *l);
+        VariableValues *l) const noexcept;
 
-    void resolveRegularExpression(Utils::Regex *r,
-        std::vector<const VariableValue *> *l);
+    void resolveRegularExpression(const Utils::Regex *r,
+        VariableValues *l) const noexcept;
 
-    void resolveRegularExpression(Utils::Regex *r,
-        std::vector<const VariableValue *> *l,
-        variables::KeyExclusions &ke);
+    void resolveRegularExpression(const Utils::Regex *r,
+        VariableValues *l,
+        const variables::KeyExclusions &ke) const noexcept;
 
-    std::unique_ptr<std::string> resolveFirst(const std::string &key);
+    std::unique_ptr<std::string> resolveFirst(const std::string &key) const noexcept;
 
     Transaction *m_transaction;
     std::string m_name;