Update SQLi/XSS operators for libinjection v4.0.0#3522
Update SQLi/XSS operators for libinjection v4.0.0#3522Easton97-Jens wants to merge 18 commits intoowasp-modsecurity:v3/masterfrom
Conversation
…on-v4.0-api Treat libinjection parser errors as matches in DetectSQLi/DetectXSS and add benign regression tests
Easton97-Jens
changed the title
|
Hi @Easton97-Jens, thanks for this PR - could you take a look at the failed tests on macOS and also the SonarCloud reports? |
There was a problem hiding this comment.
Pull request overview
Updates ModSecurity’s @detectSQLi and @detectXSS operators to work with libinjection v4’s injection_result_t return codes, including explicit handling for TRUE/FALSE/ERROR and fail-safe matching on parser errors.
Changes:
- Switched SQLi/XSS operator evaluation to
injection_result_tand added explicitTRUE/FALSE/ERRORhandling. - Implemented fail-safe behavior by treating
LIBINJECTION_RESULT_ERRORas a match and preserving captured input whencaptureis enabled. - Added regression coverage for benign inputs for both operators.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
src/operators/detect_xss.cc |
Update XSS operator to handle libinjection v4 result codes and fail-safe error behavior. |
src/operators/detect_sqli.cc |
Update SQLi operator to handle libinjection v4 result codes and fail-safe error behavior. |
test/test-cases/regression/operator-detectxss.json |
Add benign-input regression case for @detectXSS. |
test/test-cases/regression/operator-detectsqli.json |
Add benign-input regression case for @detectSQLi. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
src/operators/detect_xss.cc
Outdated
| case LIBINJECTION_RESULT_ERROR: | ||
| is_match = true; | ||
| ms_dbg_a(t, 4, "libinjection parser error during XSS " | ||
| "analysis; treating as match (fail-safe). Input: " + input); | ||
| if (rule && rule->hasCaptureAction()) { | ||
| t->m_collections.m_tx_collection->storeOrUpdateFirst( | ||
| "0", std::string(input)); | ||
| ms_dbg_a(t, 7, "Added DetectXSS error input TX.0: " + \ | ||
| std::string(input)); | ||
| } | ||
| break; |
There was a problem hiding this comment.
The new LIBINJECTION_RESULT_ERROR fail-safe path changes behavior (treat error as match and optionally capture raw input). Please add a regression test that reliably triggers a libinjection ERROR result and asserts the match/capture behavior, so this security-critical branch stays covered.
| "Host": "localhost", | ||
| "User-Agent": "curl/7.38.0", | ||
| "Accept": "*/*", | ||
| "Content-Length": "18", |
There was a problem hiding this comment.
Content-Length doesn't match the request body length here (param1=just_a_value is 19 bytes). The regression harness may auto-correct it, but keeping it accurate avoids confusion when reusing this case outside the harness.
| "Content-Length": "18", | |
| "Content-Length": "19", |
|
|
||
| #include "src/operators/operator.h" | ||
| #include "libinjection/src/libinjection.h" | ||
| #include "libinjection/src/libinjection_error.h" |
There was a problem hiding this comment.
New dependency on libinjection/src/libinjection_error.h: please ensure this header is present in the vendored libinjection submodule version and is included in release artifacts (e.g., add it to others/Makefile.am noinst_HEADERS if make dist/packaging relies on that list). Otherwise builds from distribution tarballs can fail with a missing-header error.
| #include "libinjection/src/libinjection_error.h" |
| #include "libinjection/src/libinjection.h" | ||
| #include "libinjection/src/libinjection_error.h" |
There was a problem hiding this comment.
New dependency on libinjection/src/libinjection_error.h: please ensure this header is present in the vendored libinjection submodule version and is included in release artifacts (e.g., add it to others/Makefile.am noinst_HEADERS if make dist/packaging relies on that list). Otherwise builds from distribution tarballs can fail with a missing-header error.
| case LIBINJECTION_RESULT_ERROR: | ||
| is_match = true; | ||
| ms_dbg_a(t, 4, "libinjection parser error during SQLi " | ||
| "analysis; treating as match (fail-safe). Input: '" + input + "'"); | ||
| if (rule && rule->hasCaptureAction()) { | ||
| t->m_collections.m_tx_collection->storeOrUpdateFirst( | ||
| "0", std::string(input)); | ||
| ms_dbg_a(t, 7, "Added DetectSQLi error input TX.0: " + \ | ||
| std::string(input)); | ||
| } | ||
| break; |
There was a problem hiding this comment.
The new LIBINJECTION_RESULT_ERROR fail-safe path changes behavior (treat error as match and optionally capture raw input). Please add a regression test that reliably triggers a libinjection ERROR result and asserts the match/capture behavior, so this security-critical branch stays covered.
|
Hi, thanks for pointing that out! I had a look at the failed macOS tests and the SonarCloud report. The Lua-related error does not seem to be caused by the changes in this PR, but rather appears to be a general issue in the project. Therefore, I’d suggest addressing it separately from this PR. Let me know if you’d still like me to investigate it further here. Best regards |
|
The macos build should be fixed by #3524. Once it is merged, you can rebase. |
|
what
libinjectionreturn codes (injection_result_t).TRUE,FALSE, andERRORresults fromlibinjection_sqliandlibinjection_xss.LIBINJECTION_RESULT_ERRORas a fail-safe match to avoid missing potentially malicious input.TX.0whencaptureis enabled, even on parser errors.why
libinjectionintroducedinjection_result_t, requiring explicit handling in ModSecurity operators.references
libinjectionAPIs.