Merge pull request owasp-modsecurity#15 in SECURITYGW/ngx_http_modsecurity from feature/SECURITYGW-708-response-custom-error_page to develop

Сарайкин Антон Юрьевич · Сарайкин Антон Юрьевич · commit b9ee899f3c20 · 2018-04-03T09:32:02.000+03:00
* commit '1759337c69ea63bfd38adff0b4326f863bc5acf9':
  Added workaround for correct working ModSecurity with custom error page
diff --git a/src/ngx_http_modsecurity_common.h b/src/ngx_http_modsecurity_common.h
@@ -55,7 +55,6 @@ typedef struct {
     ngx_chain_t* temp_chain;
     ngx_chain_t* current_chain;
     unsigned response_body_filtered:1;
-    unsigned logged:1;
 } ngx_http_modsecurity_ctx_t;
 
 
@@ -66,6 +65,8 @@ typedef struct {
     ngx_flag_t sanity_checks_enabled;
 
     Rules *rules_set;
+
+    Rules *rules_backup;
 } ngx_http_modsecurity_conf_t;
 
 
@@ -86,6 +87,10 @@ ngx_http_modsecurity_ctx_t *ngx_http_modsecurity_create_ctx(ngx_http_request_t *
 char *ngx_str_to_char(ngx_str_t a, ngx_pool_t *p);
 ngx_pool_t *ngx_http_modsecurity_pcre_malloc_init(ngx_pool_t *pool);
 void ngx_http_modsecurity_pcre_malloc_done(ngx_pool_t *old_pool);
+ngx_http_variable_t *ngx_http_get_variable_by_name(ngx_http_request_t *r, ngx_str_t *name);
+ngx_int_t ngx_http_get_intervention_status(ngx_http_request_t *r);
+ngx_int_t ngx_http_set_intervention_status_done(ngx_http_request_t *r);
+void ngx_http_restore_ruleset_from_variable(ngx_http_request_t *r, ngx_http_modsecurity_conf_t *cf);
 
 /* ngx_http_modsecurity_body_filter.c */
 ngx_int_t ngx_http_modsecurity_body_filter_init(void);
diff --git a/src/ngx_http_modsecurity_log.c b/src/ngx_http_modsecurity_log.c
@@ -44,12 +44,24 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
     dd("catching a new _log_ phase handler");
 
     cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
-    if (cf == NULL || cf->enable != 1)
-    {
-        dd("ModSecurity not enabled... returning");
+    if (cf == NULL) {
+        dd("Something bad happened... returning");
         return NGX_OK;
     }
 
+    if (cf->enable != 1) {
+        if (!ngx_http_get_intervention_status(r)) {
+            dd("ModSecurity not enabled... returning");
+            return NGX_OK;
+        }
+    }
+
+    if (ngx_http_get_intervention_status(r) == 1 && cf->rules_backup != NULL) {
+        dd("restore ruleset %p from backup for current location", cf->rules_backup);
+        cf->rules_set = cf->rules_backup;
+        cf->rules_backup = NULL;
+    }
+
     /*
     if (r->method != NGX_HTTP_GET &&
         r->method != NGX_HTTP_POST && r->method != NGX_HTTP_HEAD) {
@@ -67,15 +79,12 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
         return NGX_ERROR;
     }
 
-    if (ctx->logged) {
-        dd("already logged earlier");
-        return NGX_OK;
-    }
-
     dd("calling msc_process_logging for %p", ctx);
     old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
     msc_process_logging(ctx->modsec_transaction);
     ngx_http_modsecurity_pcre_malloc_done(old_pool);
 
+
+
     return NGX_OK;
 }
diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
@@ -32,6 +32,19 @@ static char *ngx_http_modsecurity_merge_srv_conf(ngx_conf_t *cf, void *parent, v
 static void ngx_http_modsecurity_config_cleanup(void *data);
 static char *ngx_http_modsecurity_init_main_conf(ngx_conf_t *cf, void *conf);
 
+static ngx_int_t ngx_http_modsecurity_add_variables(ngx_conf_t *cf);
+static ngx_int_t ngx_http_intervention_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_rules_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data);
+
+ngx_http_variable_t ngx_http_modsecurity_vars[] = {
+    { ngx_string("intervention_done"), NULL,
+      ngx_http_intervention_variable, 0,
+      NGX_HTTP_VAR_NOCACHEABLE, 0},
+    { ngx_string("rules"), NULL,
+      ngx_http_rules_variable, 0,
+      NGX_HTTP_VAR_NOCACHEABLE, 0},
+    { ngx_null_string, NULL, NULL, 0, 0, 0 }
+};
 
 /*
  * PCRE malloc/free workaround, based on
@@ -137,14 +150,12 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
     intervention.url = NULL;
     intervention.log = NULL;
     intervention.disruptive = 0;
-    ngx_http_modsecurity_ctx_t *ctx = NULL;
 
     dd("processing intervention");
 
-    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
-    if (ctx == NULL)
-    {
-        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    if (ngx_http_get_intervention_status(r)) {
+        dd("already done earlier");
+        return 0;
     }
 
     if (msc_intervention(transaction, &intervention) == 0) {
@@ -201,8 +212,7 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
 
     if (intervention.status != 200)
     {
-        ngx_http_modsecurity_log_handler(r);
-        ctx->logged = 1;
+        ngx_http_set_intervention_status_done(r);
 
         if (r->header_sent)
         {
@@ -257,7 +267,7 @@ ngx_http_modsecurity_create_ctx(ngx_http_request_t *r)
     ctx->modsec_transaction = msc_new_transaction(cf->modsec, loc_cf->rules_set, r->connection->log);
 
     dd("transaction created");
-    
+
     ctx->response_body_filtered = 0;
     ngx_http_set_ctx(r, ctx, ngx_http_modsecurity_module);
 
@@ -395,7 +405,7 @@ static ngx_command_t ngx_http_modsecurity_commands[] =  {
 
 
 static ngx_http_module_t ngx_http_modsecurity_ctx = {
-    NULL,                                   /* preconfiguration */
+    ngx_http_modsecurity_add_variables,     /* preconfiguration */
     ngx_http_modsecurity_init,              /* postconfiguration */
 
     ngx_http_modsecurity_create_main_conf,  /* create main configuration */
@@ -672,3 +682,137 @@ ngx_http_modsecurity_config_cleanup(void *data)
 
 
 /* vi:set ft=c ts=4 sw=4 et fdm=marker: */
+
+static ngx_int_t
+ngx_http_modsecurity_add_variables(ngx_conf_t *cf)
+{
+    ngx_http_variable_t *var, *v;
+    ngx_int_t index;
+
+    dd("adding variable");
+
+    for (v = ngx_http_modsecurity_vars; v->name.len; v++) {
+        var = ngx_http_add_variable(cf, &v->name, v->flags);
+        if (var == NULL) {
+            return NGX_ERROR;
+        }
+        var->get_handler = v->get_handler;
+
+        // initialization a variable
+        index = ngx_http_get_variable_index(cf, &v->name);
+        if (index == NGX_ERROR) {
+            return NGX_ERROR;
+        }
+        dd("variable %s, index %d", v->name.data, index);
+    }
+
+    return NGX_OK;
+}
+
+static ngx_int_t
+ngx_http_intervention_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data)
+{
+    if (v->data == NULL) {
+        dd("initialize variable at first time");
+        ngx_str_t str = ngx_string("no");
+        v->valid = 1;
+        v->not_found = 0;
+        v->no_cacheable = 0;
+        v->data = str.data;
+        v->len = str.len;
+    }
+    return NGX_OK;
+}
+
+static ngx_int_t
+ngx_http_rules_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data)
+{
+    return NGX_OK;
+}
+
+ngx_int_t
+ngx_http_get_intervention_status(ngx_http_request_t *r)
+{
+    ngx_http_variable_value_t *vv = NULL;
+    ngx_uint_t key;
+    ngx_str_t str = ngx_string("yes");
+    u_char* buf;
+
+    buf = ngx_palloc(r->pool, ngx_http_modsecurity_vars[0].name.len);
+    key = ngx_hash_strlow(buf, ngx_http_modsecurity_vars[0].name.data, ngx_http_modsecurity_vars[0].name.len);
+    vv = ngx_http_get_variable(r, &ngx_http_modsecurity_vars[0].name, key);
+    if (vv == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (ngx_strncasecmp(vv->data, str.data, str.len) == 0) {
+        return 1;
+    }
+
+    return 0;
+}
+
+ngx_int_t
+ngx_http_set_intervention_status_done(ngx_http_request_t *r)
+{
+    ngx_http_variable_value_t *vv = NULL;
+    ngx_uint_t key;
+    ngx_str_t str = ngx_string("yes");
+    u_char* buf;
+
+    buf = ngx_palloc(r->pool, ngx_http_modsecurity_vars[0].name.len);
+    key = ngx_hash_strlow(buf, ngx_http_modsecurity_vars[0].name.data, ngx_http_modsecurity_vars[0].name.len);
+    vv = ngx_http_get_variable(r, &ngx_http_modsecurity_vars[0].name, key);
+    if (vv == NULL) {
+        return NGX_ERROR;
+    }
+
+    vv->data = str.data;
+    vv->len = str.len;
+
+    return 1;
+}
+
+ngx_http_variable_t *
+ngx_http_get_variable_by_name(ngx_http_request_t *r, ngx_str_t *name)
+{
+    ngx_http_core_main_conf_t *cmcf;
+    ngx_http_variable_t *v;
+    ngx_uint_t i;
+
+    if (name->len == 0) {
+        ngx_log_error(NGX_LOG_EMERG, r->connection->log, 0, "invalid variable name");
+        return NULL;
+    }
+
+    cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module);
+
+    v = cmcf->variables.elts;
+
+    for (i = 0; i < cmcf->variables.nelts; i++) {
+        if (name->len != v[i].name.len || ngx_strncasecmp(name->data, v[i].name.data, name->len) != 0) {
+            continue;
+        }
+        return v;
+    }
+
+    return NULL;
+}
+
+void
+ngx_http_restore_ruleset_from_variable(ngx_http_request_t *r, ngx_http_modsecurity_conf_t *cf)
+{
+    ngx_http_variable_t *v;
+
+    // saving the ruleset pointer to make it available for the cleanup callback that invoked when the config pool will be destroyed
+    dd("backup ruleset %p for current location", cf->rules_set);
+    cf->rules_backup = cf->rules_set;
+
+    v = ngx_http_get_variable_by_name(r, &ngx_http_modsecurity_vars[1].name);
+    if (v != NULL) {
+        dd("restore ruleset %p from variable", (void *)v->data);
+        cf->rules_set = (Rules *)v->data;
+    } else {
+        dd("failed to restore ruleset from varibale");
+    }
+}
diff --git a/src/ngx_http_modsecurity_pre_access.c b/src/ngx_http_modsecurity_pre_access.c
@@ -50,11 +50,17 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
     dd("catching a new _preaccess_ phase handler");
 
     cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
-    if (cf == NULL || cf->enable != 1)
-    {
-        dd("ModSecurity not enabled... returning");
+    if (cf == NULL) {
+        dd("Something bad happened... returning");
         return NGX_DECLINED;
     }
+
+    if (cf->enable != 1) {
+        if (!ngx_http_get_intervention_status(r)) {
+            dd("ModSecurity not enabled... returning");
+            return NGX_DECLINED;
+        }
+    }
     /*
      * FIXME:
      * In order to perform some tests, let's accept everything.
diff --git a/src/ngx_http_modsecurity_rewrite.c b/src/ngx_http_modsecurity_rewrite.c
@@ -26,13 +26,42 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
     ngx_http_modsecurity_ctx_t *ctx = NULL;
     ngx_http_modsecurity_conf_t *cf;
     ngx_pool_t *old_pool;
+    ngx_http_variable_t *v;
 
     cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
-    if (cf == NULL || cf->enable != 1) {
-        dd("ModSecurity not enabled... returning");
+    if (cf == NULL) {
+        dd("Something bad happened... returning");
         return NGX_DECLINED;
     }
 
+    if (cf->enable != 1) {
+        if (!ngx_http_get_intervention_status(r)) {
+            dd("ModSecurity not enabled... returning");
+            return NGX_DECLINED;
+        }
+    }
+
+    //explicitly clearing value
+    cf->rules_backup = NULL;
+
+    if (ngx_http_get_intervention_status(r)) {
+        dd("ruleset before restore: %p", cf->rules_set);
+        ngx_http_restore_ruleset_from_variable(r, cf);
+    }
+
+    if (!ngx_http_get_intervention_status(r)) {
+        dd("save current ruleset pointer");
+        ngx_str_t tmp = ngx_string("rules");
+        v = ngx_http_get_variable_by_name(r, &tmp);
+        if (v != NULL) {
+            dd("save ruleset %p to variable", cf->rules_set);
+            v->data = (uintptr_t) cf->rules_set;
+        } else {
+            dd("failed to save ruleset to varibale");
+            return NGX_DECLINED;
+        }
+    }
+
     /*
     if (r->method != NGX_HTTP_GET &&
         r->method != NGX_HTTP_POST && r->method != NGX_HTTP_HEAD) {
