First version of the inline highlight calculation

owasp-modsecurity · Feb 27, 2017 · 8b8fd84 · 8b8fd84
1 parent 42cb4e3
commit 8b8fd84
Show file tree

Hide file tree

Showing 12 changed files with 252 additions and 53 deletions.
diff --git a/examples/reading_logs_via_rule_message/blocked_request.conf b/examples/reading_logs_via_rule_message/blocked_request.conf
@@ -1,3 +1,3 @@
-SecRule ARGS:param1 "test" "id:1,deny,phase:2,chain,msg:'test'"
+SecRule ARGS:param1 "test" "id:1,deny,phase:2,t:lowercase,chain,msg:'test'"
 SecRule ARGS:param1 "test" "log"
 
diff --git a/examples/reading_logs_via_rule_message/blocked_request_engine_on.conf b/examples/reading_logs_via_rule_message/blocked_request_engine_on.conf
@@ -1,2 +1,2 @@
 SecRuleEngine On
-SecRule ARGS:param1 "test" "id:1,deny"
+SecRule ARGS:param1 "test" "id:1,deny,t:lowercase"
diff --git a/examples/reading_logs_via_rule_message/match.conf b/examples/reading_logs_via_rule_message/match.conf
@@ -1 +1 @@
-SecRule ARGS:param1 "test" "id:1,deny,msg:'this',msg:'is',msg:'a',msg:'test'"
+SecRule ARGS:param1 "test" "id:1,deny,msg:'this',t:replaceNulls,msg:'is',msg:'a',msg:'test',t:lowercase,t:trim"
diff --git a/examples/reading_logs_via_rule_message/no_match.conf b/examples/reading_logs_via_rule_message/no_match.conf
@@ -1 +1 @@
-SecRule ARGS:param1 "WHEEE" "id:1,phase:2,deny,msg:'this',msg:'is',msg:'a',msg:'test'"
+SecRule ARGS:param1 "WHEEE" "id:1,phase:2,deny,msg:'this',msg:'is',msg:'a',msg:'test',t:lower"
diff --git a/examples/reading_logs_via_rule_message/reading_logs_via_rule_message.h b/examples/reading_logs_via_rule_message/reading_logs_via_rule_message.h
@@ -67,8 +67,9 @@ class ReadingLogsViaRuleMessage {
             "net.tutsplus.com");
         modsecTransaction->processRequestHeaders();
         modsecTransaction->processRequestBody();
-        modsecTransaction->addResponseHeader("HTTP/1.1",
-            "200 OK");
+
+        modsecTransaction->addResponseHeader("Content-Type", "text/xml; charset=utf-8");
+        modsecTransaction->addResponseHeader("Content-Length", "123");
         modsecTransaction->processResponseHeaders(200, "HTTP 1.2");
         modsecTransaction->appendResponseBody(
             (const unsigned char*)m_response_body,
@@ -84,6 +85,38 @@ class ReadingLogsViaRuleMessage {
         return -1;
     }
 
+
+    static std::string highlightToText(
+        const modsecurity::RuleMessageHighlight &h) {
+        std::cout << " * ModSecurity variable to be highlighted" << std::endl;
+
+        for (const auto &i : h.m_variable) {
+            std::cout << "  - From: " << std::to_string(i.m_startingAt);
+            std::cout << " to: " << std::to_string(i.m_startingAt + i.m_size);
+            std::cout << std::endl;
+        }
+        std::cout << std::endl;
+
+        std::cout << " * Variable's values ";
+        std::cout << "(may include transformations)" << std::endl;
+        for (const auto &i : h.m_value) {
+            std::cout << "  - " << i.first << ": " << i.second << std::endl;
+        }
+        std::cout << std::endl;
+
+        std::cout << " * Operators match to be highlight inside ";
+        std::cout << "the variables (after transformations)" << std::endl;
+
+        for (const auto &i : h.m_op) {
+            std::cout << "  - From: " << i.m_area.m_startingAt;
+            std::cout << " to: " << std::to_string(i.m_area.m_startingAt \
+                + i.m_area.m_size);
+            std::cout << " [Value: " << i.m_value << "]" << std::endl;
+        }
+        std::cout << std::endl;
+        return "";
+    }
+
     static void logCb(void *data, const void *ruleMessagev) {
         if (ruleMessagev == NULL) {
             std::cout << "I've got a call but the message was null ;(";
@@ -108,6 +141,17 @@ class ReadingLogsViaRuleMessage {
             std::cout << modsecurity::RuleMessage::log(ruleMessage);
             std::cout << std::endl;
         }
+        std::cout << std::endl;
+        std::cout << "Verbose details on the match highlight" << std::endl;
+        std::cout << "  Highlight reference string: ";
+        std::cout << ruleMessage->m_reference << std::endl;
+        std::cout << std::endl;
+        std::cout << "Details:" << std::endl;
+        modsecurity::RuleMessageHighlight h =
+            modsecurity::RuleMessage::computeHighlight(ruleMessage,
+                ruleMessage->m_buf);
+        highlightToText(h);
+        std::cout << std::endl;
     }
 
  protected:

diff --git a/examples/reading_logs_via_rule_message/simple_request.cc b/examples/reading_logs_via_rule_message/simple_request.cc
@@ -37,14 +37,10 @@ char request_header[] =  "" \
     "Pragma: no-cache\n\r" \
     "Cache-Control: no-cache\n\r";
 
-char request_uri[] = "/test.pl?param1=test&para2=test2";
+char request_uri[] = "/TeSt.Pl?param1=TEsT&para2=TEST2";
 
 char request_body[] = "";
 
-char response_headers[] = "" \
-    "HTTP/1.1 200 OK\n\r" \
-    "Content-Type: text/xml; charset=utf-8\n\r" \
-    "Content-Length: length\n\r";
 
 char response_body[] = "" \
     "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n\r" \
@@ -62,16 +58,16 @@ char ip[] = "200.249.12.31";
 
 
 int main(int argc, char **argv) {
-    (*argv)++;
+    (*argv++);
     if (*argv == NULL) {
-        (*argv)--;
+        (*argv--);
         std::cout << "Use " << *argv << " test-case-file.conf";
         std::cout << std::endl << std::endl;
         return -1;
     }
     std::string rules(*argv);
     ReadingLogsViaRuleMessage rlvrm(request_header, request_uri, request_body,
-        response_headers, response_body, ip, rules);
+        "", response_body, ip, rules);
     rlvrm.process();
     return 0;
 }
diff --git a/headers/modsecurity/modsecurity.h b/headers/modsecurity/modsecurity.h
@@ -301,11 +301,11 @@ class ModSecurity {
     collection::Collection *m_ip_collection;
     collection::Collection *m_session_collection;
     collection::Collection *m_user_collection;
+    int m_logProperties;
 
  private:
     std::string m_connector;
     ModSecLogCb m_logCb;
-    int m_logProperties;
 };
 
 

diff --git a/headers/modsecurity/rule_message.h b/headers/modsecurity/rule_message.h
@@ -24,6 +24,11 @@
 #ifndef HEADERS_MODSECURITY_RULE_MESSAGE_H_
 #define HEADERS_MODSECURITY_RULE_MESSAGE_H_
 
+#ifdef __cplusplus
+#include <utility>
+#endif
+
+#include "modsecurity/modsecurity.h"
 #include "modsecurity/transaction.h"
 #include "modsecurity/rule.h"
 
@@ -32,32 +37,36 @@
 
 namespace modsecurity {
 
+class RuleMessageHighlightArea {
+ public:
+    RuleMessageHighlightArea()
+        : m_startingAt(0),
+        m_size(0) { }
+    size_t m_startingAt;
+    size_t m_size;
+};
+
+
+class RuleMessageHighlightOperator {
+ public:
+    RuleMessageHighlightOperator()
+        : m_value("") { }
+    RuleMessageHighlightArea m_area;
+    std::string m_value;
+};
+
+
+class RuleMessageHighlight {
+ public:
+    std::list<RuleMessageHighlightArea> m_variable;
+    std::list<std::pair<std::string, std::string>> m_value;
+    std::list<RuleMessageHighlightOperator> m_op;
+};
+
+
 class RuleMessage {
  public:
-    explicit RuleMessage(Rule *rule, Transaction *trans) :
-        m_accuracy(rule->m_accuracy),
-        m_clientIpAddress(trans->m_clientIpAddress),
-        m_data(""),
-        m_disruptiveMessage(""),
-        m_id(trans->m_id),
-        m_isDisruptive(false),
-        m_match(""),
-        m_maturity(rule->m_maturity),
-        m_message(""),
-        m_noAuditLog(false),
-        m_phase(rule->m_phase - 1),
-        m_reference(""),
-        m_rev(rule->m_rev),
-        m_rule(rule),
-        m_ruleFile(rule->m_fileName),
-        m_ruleId(rule->m_ruleId),
-        m_ruleLine(rule->m_lineNumber),
-        m_saveMessage(true),
-        m_serverIpAddress(trans->m_serverIpAddress),
-        m_severity(0),
-        m_uriNoQueryStringDecoded(trans->m_uri_no_query_string_decoded),
-        m_ver(rule->m_ver)
-    { }
+    RuleMessage(Rule *rule, Transaction *trans);
 
     std::string errorLog() {
         return RuleMessage::errorLog(this);
@@ -79,8 +88,11 @@ class RuleMessage {
     static std::string errorLogTail(const RuleMessage *rm);
     static std::string errorLog(const RuleMessage *rm);
     static std::string log(const RuleMessage *rm);
+    static RuleMessageHighlight computeHighlight(const RuleMessage *rm,
+        const std::string buf);
 
     int m_accuracy;
+    std::string m_buf;
     std::string m_clientIpAddress;
     std::string m_data;
     std::string m_disruptiveMessage;
@@ -90,6 +102,7 @@ class RuleMessage {
     int m_maturity;
     std::string m_message;
     bool m_noAuditLog;
+    std::string m_opValue;
     int m_phase;
     std::string m_reference;
     std::string m_rev;
@@ -101,9 +114,11 @@ class RuleMessage {
     std::string m_serverIpAddress;
     int m_severity;
     std::string m_uriNoQueryStringDecoded;
+    std::string m_varValue;
     std::string m_ver;
 
     std::list<std::string> m_tags;
+    RuleMessageHighlight m_highlight;
 };
 
 

diff --git a/headers/modsecurity/transaction.h b/headers/modsecurity/transaction.h
@@ -326,6 +326,7 @@ class Transaction : public TransactionAnchoredVariables {
     void serverLog(std::shared_ptr<RuleMessage> rm);
 
     std::string toJSON(int parts);
+    std::string toBuf();
     std::string toOldAuditLogFormat(int parts, const std::string &trailer);
     std::string toOldAuditLogFormatIndex(const std::string &filename,
         double size, const std::string &md5);

diff --git a/src/rule.cc b/src/rule.cc
@@ -347,16 +347,11 @@ std::list<std::pair<std::shared_ptr<std::string>,
                 if (multiMatch == true) {
                     if (*newValue != *value) {
                         ret.push_back(std::make_pair(
-                            newValue,
-                                          transStr));
+                            newValue, transStr));
                     }
                 }
                 value = std::shared_ptr<std::string>(newValue);
-                if (transStr->empty()) {
-                    transStr->append(a->m_name);
-                } else {
-                    transStr->append("," + a->m_name);
-                }
+                transStr->append(a->m_name);
                 trans->debug(9, "(SecDefaultAction) T (" + \
                     std::to_string(transformations) + ") " + \
                     a->m_name + ": \"" + \
@@ -375,8 +370,7 @@ std::list<std::pair<std::shared_ptr<std::string>,
             if (multiMatch == true) {
                 if (*value != *newValue) {
                     ret.push_back(std::make_pair(
-                        newValue,
-                                      transStr));
+                        newValue, transStr));
                     value = newValue;
                 }
             }
@@ -386,11 +380,7 @@ std::list<std::pair<std::shared_ptr<std::string>,
                 std::to_string(transformations) + ") " + \
                 a->m_name + ": \"" + \
                 utils::string::limitTo(80, *value) + "\"");
-            if (transStr->empty()) {
-                transStr->append(a->m_name);
-            } else {
-                transStr->append("," + a->m_name);
-            }
+            transStr->append(a->m_name);
             transformations++;
         }
         if (a->m_isNone) {
@@ -698,6 +688,9 @@ bool Rule::evaluate(Transaction *trans,
 end_exec:
     executeActionsAfterFullMatch(trans, containsDisruptive, ruleMessage);
     if (this->m_chained == false && ruleMessage->m_saveMessage != false) {
+        if (trans->m_ms->m_logProperties & IncludeFullHighlightLogProperty) {
+            ruleMessage->m_buf.assign(trans->toBuf());
+        }
         trans->serverLog(ruleMessage);
         trans->m_rulesMessages.push_back(*ruleMessage);
     }