Using a custom VariableMatch* implementation

Delay the variable name resolution till last minute.

Fix one of the issues raised in #2376

Author: zimmerle

CHANGES

@@ -1,6 +1,9 @@
 v3.x.y - YYYY-MMM-DD (to be released)
 -------------------------------------
 
+
+  - Using a custom VariableMatch* implementation
+    [#2428 - @zimmerle, @martinhsv]
   - Avoids to cleanup GeoIp on ModSecurity destructor
     [#2041 - @zimmerle, @jptosso, @victorhora]
   - Fix memory leak of RuleMessages objects

headers/modsecurity/anchored_set_variable_match_vars.h

@@ -0,0 +1,85 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2020 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address [email protected].
+ *
+ */
+
+#ifdef __cplusplus
+#include <vector>
+#include <utility>
+
+#include "modsecurity/string_view.hpp"
+#endif
+
+#include "modsecurity/variable_value.h"
+
+
+#ifndef HEADERS_MODSECURITY_ANCHORED_SET_VARIABLE_MATCH_VARS_H_
+#define HEADERS_MODSECURITY_ANCHORED_SET_VARIABLE_MATCH_VARS_H_
+
+#ifdef __cplusplus
+
+namespace modsecurity {
+class Transaction;
+namespace Utils {
+class Regex;
+}
+namespace variables {
+class KeyExclusions;
+}
+
+
+class AnchoredVariableMatchVars {
+ public:
+    explicit AnchoredVariableMatchVars(Transaction *t)
+        : m_name("MATCHED_VARS"),
+        m_transaction(t)
+    { }
+
+    AnchoredVariableMatchVars(const AnchoredVariableMatchVars &a) = delete;
+    AnchoredVariableMatchVars &operator= (const AnchoredVariableMatchVars &a) = delete;
+
+    void set(std::shared_ptr<const VariableValue> v) noexcept {
+        m_vvs.push_back(v);
+    }
+
+    void unset() noexcept {
+        m_vvs.clear();
+    }
+
+    void resolve(VariableValues *l,
+        const variables::KeyExclusions &ke) const noexcept;
+
+    void resolve(const std::string &key,
+        VariableValues *l) const noexcept;
+
+
+    void resolveRegularExpression(const Utils::Regex *r,
+        VariableValues *l,
+        const variables::KeyExclusions &ke) const noexcept;
+
+    std::unique_ptr<std::string> resolveFirst(const std::string &key) const noexcept;
+
+ private:
+    std::vector<std::shared_ptr<const VariableValue>> m_vvs;
+    const std::string m_name;
+    const Transaction *m_transaction;
+};
+
+
+}  // namespace modsecurity
+
+#endif
+
+
+#endif  // HEADERS_MODSECURITY_ANCHORED_SET_VARIABLE_MATCH_VARS_H_
+

headers/modsecurity/anchored_set_variable_match_vars_names.h

@@ -0,0 +1,85 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2020 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address [email protected].
+ *
+ */
+
+#ifdef __cplusplus
+#include <vector>
+#include <utility>
+
+#include "modsecurity/string_view.hpp"
+#endif
+
+#include "modsecurity/variable_value.h"
+
+
+#ifndef HEADERS_MODSECURITY_ANCHORED_SET_VARIABLE_MATCH_VARS_NAMES_H_
+#define HEADERS_MODSECURITY_ANCHORED_SET_VARIABLE_MATCH_VARS_NAMES_H_
+
+#ifdef __cplusplus
+
+namespace modsecurity {
+class Transaction;
+namespace Utils {
+class Regex;
+}
+namespace variables {
+class KeyExclusions;
+}
+
+
+class AnchoredVariableMatchVarsNames {
+ public:
+    explicit AnchoredVariableMatchVarsNames(Transaction *t)
+        : m_name("MATCHED_VARS_NAMES"),
+        m_transaction(t)
+    { }
+
+    AnchoredVariableMatchVarsNames(const AnchoredVariableMatchVarsNames &a) = delete;
+    AnchoredVariableMatchVarsNames &operator= (const AnchoredVariableMatchVarsNames &a) = delete;
+
+    void set(std::shared_ptr<const VariableValue> v) noexcept {
+        m_vvs.push_back(v);
+    }
+
+    void unset() noexcept {
+        m_vvs.clear();
+    }
+
+    void resolve(VariableValues *l,
+        const variables::KeyExclusions &ke) const noexcept;
+
+    void resolve(const std::string &key,
+        VariableValues *l) const noexcept;
+
+
+    void resolveRegularExpression(const Utils::Regex *r,
+        VariableValues *l,
+        const variables::KeyExclusions &ke) const noexcept;
+
+    std::unique_ptr<std::string> resolveFirst(const std::string &key) const noexcept;
+
+ private:
+    std::vector<std::shared_ptr<const VariableValue>> m_vvs;
+    const std::string m_name;
+    const Transaction *m_transaction;
+};
+
+
+}  // namespace modsecurity
+
+#endif
+
+
+#endif  // HEADERS_MODSECURITY_ANCHORED_SET_VARIABLE_MATCH_VARS_NAMES_H_
+

headers/modsecurity/anchored_variable_match_var_name.h

@@ -0,0 +1,92 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2020 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address [email protected].
+ *
+ */
+
+#ifdef __cplusplus
+#include <ctime>
+#include <fstream>
+#include <iomanip>
+#include <iostream>
+#include <list>
+#include <map>
+#include <sstream>
+#include <string>
+#include <unordered_map>
+#include <utility>
+#include <vector>
+#include <memory>
+#include <cstring>
+
+#include "modsecurity/string_view.hpp"
+#endif
+
+#include "modsecurity/variable_value.h"
+
+
+#ifndef HEADERS_MODSECURITY_ANCHORED_VARIABLE_NAME_H_
+#define HEADERS_MODSECURITY_ANCHORED_VARIABLE_NAME_H_
+
+#ifdef __cplusplus
+
+
+namespace modsecurity {
+class Transaction;
+
+class AnchoredVariableMatchVarName {
+ public:
+    AnchoredVariableMatchVarName()
+        : m_name("MATCHED_VAR_NAME")
+    { }
+
+    AnchoredVariableMatchVarName(const AnchoredVariableMatchVarName &a) = delete;
+    AnchoredVariableMatchVarName &operator= (const AnchoredVariableMatchVarName &a) = delete;
+
+    void set(std::shared_ptr<const VariableValue> v) noexcept {
+        m_vv = v;
+    }
+
+    void unset() noexcept {
+        m_vv = nullptr;
+    }
+
+    void evaluate(VariableValues *l) const noexcept {
+        if (!m_vv) {
+            return;
+        }
+        const VariableValue *var = new VariableValue(
+            std::unique_ptr<std::string>(new std::string(m_vv->getName())),
+            &m_name
+            );
+        l->push_back(std::unique_ptr<const VariableValue>(var));
+    }
+
+    std::unique_ptr<std::string> resolveFirst() const noexcept {
+        if (m_vv) {
+            return std::unique_ptr<std::string>(new std::string(m_vv->getName()));
+        }
+        return std::unique_ptr<std::string>(new std::string(""));
+    }
+
+ private:
+    std::shared_ptr<const VariableValue> m_vv;
+    const std::string m_name;
+};
+
+
+}  // namespace modsecurity
+
+#endif
+
+
+#endif  // HEADERS_MODSECURITY_ANCHORED_VARIABLE_NAME_H_

headers/modsecurity/transaction.h

@@ -42,6 +42,9 @@ typedef struct Rules_t RulesSet;
 #endif
 
 #include "modsecurity/anchored_set_variable.h"
+#include "modsecurity/anchored_set_variable_match_vars_names.h"
+#include "modsecurity/anchored_set_variable_match_vars.h"
+#include "modsecurity/anchored_variable_match_var_name.h"
 #include "modsecurity/anchored_variable.h"
 #include "modsecurity/intervention.h"
 #include "modsecurity/collection/collections.h"
@@ -136,7 +139,7 @@ class TransactionAnchoredVariables {
         m_variableFullRequestLength(t, "FULL_REQUEST_LENGTH"),
         m_variableInboundDataError(t, "INBOUND_DATA_ERROR"),
         m_variableMatchedVar(t, "MATCHED_VAR"),
-        m_variableMatchedVarName(t, "MATCHED_VAR_NAME"),
+        m_variableMatchedVarName(),
         m_variableMultipartBoundaryQuoted(t, "MULTIPART_BOUNDARY_QUOTED"),
         m_variableMultipartBoundaryWhiteSpace(t,
             "MULTIPART_BOUNDARY_WHITESPACE"),
@@ -195,8 +198,8 @@ class TransactionAnchoredVariables {
         m_variableFilesTmpContent(t, "FILES_TMP_CONTENT"),
         m_variableMultipartFileName(t, "MULTIPART_FILENAME"),
         m_variableMultipartName(t, "MULTIPART_NAME"),
-        m_variableMatchedVarsNames(t, "MATCHED_VARS_NAMES"),
-        m_variableMatchedVars(t, "MATCHED_VARS"),
+        m_variableMatchedVarsNames(t),
+        m_variableMatchedVars(t),
         m_variableFiles(t, "FILES"),
         m_variableRequestCookies(t, "REQUEST_COOKIES"),
         m_variableRequestHeaders(t, "REQUEST_HEADERS"),
@@ -220,7 +223,7 @@ class TransactionAnchoredVariables {
     AnchoredVariable m_variableFullRequestLength;
     AnchoredVariable m_variableInboundDataError;
     AnchoredVariable m_variableMatchedVar;
-    AnchoredVariable m_variableMatchedVarName;
+    AnchoredVariableMatchVarName m_variableMatchedVarName;
     AnchoredVariable m_variableMultipartBoundaryQuoted;
     AnchoredVariable m_variableMultipartBoundaryWhiteSpace;
     AnchoredVariable m_variableMultipartCrlfLFLines;
@@ -276,8 +279,8 @@ class TransactionAnchoredVariables {
     AnchoredSetVariable m_variableFilesTmpContent;
     AnchoredSetVariable m_variableMultipartFileName;
     AnchoredSetVariable m_variableMultipartName;
-    AnchoredSetVariable m_variableMatchedVarsNames;
-    AnchoredSetVariable m_variableMatchedVars;
+    AnchoredVariableMatchVarsNames m_variableMatchedVarsNames;
+    AnchoredVariableMatchVars m_variableMatchedVars;
     AnchoredSetVariable m_variableFiles;
     AnchoredSetVariable m_variableRequestCookies;
     AnchoredSetVariable m_variableRequestHeaders;

src/Makefile.am

@@ -35,8 +35,11 @@ MAINTAINERCLEANFILES = \
 
 
 pkginclude_HEADERS = \
-	../headers/modsecurity/anchored_set_variable.h \
-	../headers/modsecurity/anchored_variable.h \
+    ../headers/modsecurity/anchored_set_variable.h \
+    ../headers/modsecurity/anchored_set_variable_match_vars.h \
+    ../headers/modsecurity/anchored_set_variable_match_vars_names.h \
+    ../headers/modsecurity/anchored_variable.h \
+    ../headers/modsecurity/anchored_variable_match_var_name.h \
 	../headers/modsecurity/audit_log.h \
 	../headers/modsecurity/debug_log.h \
 	../headers/modsecurity/intervention.h \
@@ -272,6 +275,8 @@ libmodsecurity_la_SOURCES = \
 	parser/driver.cc \
 	transaction.cc \
 	anchored_set_variable.cc \
+	anchored_set_variable_match_vars.cc \
+	anchored_set_variable_match_vars_names.cc \
 	anchored_variable.cc \
 	audit_log/audit_log.cc \
 	audit_log/writer/writer.cc \