[appsec] implement count transformation (#2698)

* implement count transfo
crowdsecurity · Jan 12, 2024 · 896dfef · 896dfef
1 parent 6960419
commit 896dfef
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/pkg/appsec/appsec_rule/modsec_rule_test.go b/pkg/appsec/appsec_rule/modsec_rule_test.go
@@ -8,6 +8,16 @@ func TestVPatchRuleString(t *testing.T) {
 		rule     CustomRule
 		expected string
 	}{
+		{
+			name: "Collection count",
+			rule: CustomRule{
+				Zones:     []string{"ARGS"},
+				Variables: []string{"foo"},
+				Match:     match{Type: "eq", Value: "1"},
+				Transform: []string{"count"},
+			},
+			expected: `SecRule &ARGS_GET:foo "@eq 1" "id:853070236,phase:2,deny,log,msg:'Collection count',tag:'crowdsec-Collection count'"`,
+		},
 		{
 			name: "Base Rule",
 			rule: CustomRule{

diff --git a/pkg/appsec/appsec_rule/modsecurity.go b/pkg/appsec/appsec_rule/modsecurity.go
@@ -122,6 +122,16 @@ func (m *ModsecurityRule) buildRules(rule *CustomRule, appsecRuleName string, an
 		return ret, nil
 	}
 
+	zone_prefix := ""
+	variable_prefix := ""
+	if rule.Transform != nil {
+		for tidx, transform := range rule.Transform {
+			if transform == "count" {
+				zone_prefix = "&"
+				rule.Transform[tidx] = ""
+			}
+		}
+	}
 	for idx, zone := range rule.Zones {
 		if idx > 0 {
 			r.WriteByte('|')
@@ -137,7 +147,7 @@ func (m *ModsecurityRule) buildRules(rule *CustomRule, appsecRuleName string, an
 				if j > 0 {
 					r.WriteByte('|')
 				}
-				r.WriteString(fmt.Sprintf("%s:%s", mappedZone, variable))
+				r.WriteString(fmt.Sprintf("%s%s:%s%s", zone_prefix, mappedZone, variable_prefix, variable))
 			}
 		}
 	}
@@ -160,6 +170,9 @@ func (m *ModsecurityRule) buildRules(rule *CustomRule, appsecRuleName string, an
 
 	if rule.Transform != nil {
 		for _, transform := range rule.Transform {
+			if transform == "" {
+				continue
+			}
 			r.WriteByte(',')
 			if mappedTransform, ok := transformMap[transform]; ok {
 				r.WriteString(mappedTransform)