Update SQLi/XSS operators for libinjection v4.0.0 #3522
base: v3/master
Changes from all commits
289b6e3
38d9391
0c610c0
0b29169
46dabc0
c816add
d94cbeb
b4b81aa
15fd157
4bacc36
f9b2885
a8debeb
c67f876
7b5bf7f
e169d59
724b197
b9393e7
d1eaa04
7e1d08b
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,36 +18,50 @@ | |
| #include <string> | ||
|
|
||
| #include "src/operators/operator.h" | ||
| #include "src/operators/libinjection_utils.h" | ||
| #include "libinjection/src/libinjection.h" | ||
| #include "libinjection/src/libinjection_error.h" | ||
|
Comment on lines
22
to
+23
|
||
|
|
||
|
|
||
| namespace modsecurity { | ||
| namespace operators { | ||
|
|
||
| namespace modsecurity::operators { | ||
|
|
||
| bool DetectXSS::evaluate(Transaction *t, RuleWithActions *rule, | ||
| const std::string& input, RuleMessage &ruleMessage) { | ||
| int is_xss; | ||
|
|
||
| is_xss = libinjection_xss(input.c_str(), input.length()); | ||
|
|
||
| if (t) { | ||
| if (is_xss) { | ||
| ms_dbg_a(t, 5, "detected XSS using libinjection."); | ||
| if (rule && rule->hasCaptureAction()) { | ||
| t->m_collections.m_tx_collection->storeOrUpdateFirst( | ||
| "0", std::string(input)); | ||
| ms_dbg_a(t, 7, "Added DetectXSS match TX.0: " + \ | ||
| std::string(input)); | ||
|
|
||
| const injection_result_t xss_result = | ||
| libinjection_xss(input.c_str(), input.length()); | ||
|
|
||
| if (t == nullptr) { | ||
| return isMaliciousLibinjectionResult(xss_result); | ||
| } | ||
|
|
||
| switch (xss_result) { | ||
| case LIBINJECTION_RESULT_TRUE: | ||
| ms_dbg_a(t, 5, std::string("detected XSS using libinjection.")) | ||
| if (rule != nullptr && rule->hasCaptureAction()) { | ||
| t->m_collections.m_tx_collection->storeOrUpdateFirst("0", input); | ||
| ms_dbg_a(t, 7, std::string("Added DetectXSS match TX.0: ") + input) | ||
| } | ||
| } else { | ||
| ms_dbg_a(t, 9, "libinjection was not able to " \ | ||
| "find any XSS in: " + input); | ||
| break; | ||
|
|
||
| case LIBINJECTION_RESULT_ERROR: | ||
| ms_dbg_a(t, 4, | ||
| std::string("libinjection parser error during XSS analysis (") | ||
| + libinjectionResultToString(xss_result) | ||
| + "); treating as match (fail-safe). Input: " | ||
| + input) | ||
| if (rule != nullptr && rule->hasCaptureAction()) { | ||
| t->m_collections.m_tx_collection->storeOrUpdateFirst("0", input); | ||
| ms_dbg_a(t, 7, std::string("Added DetectXSS error input TX.0: ") + input) | ||
| } | ||
| break; | ||
|
|
||
| case LIBINJECTION_RESULT_FALSE: | ||
| ms_dbg_a(t, 9, | ||
| std::string("libinjection was not able to find any XSS in: ") + input) | ||
| break; | ||
| } | ||
| return is_xss != 0; | ||
| } | ||
|
|
||
| return isMaliciousLibinjectionResult(xss_result); | ||
| } | ||
|
|
||
| } // namespace operators | ||
| } // namespace modsecurity | ||
| } // namespace modsecurity::operators | ||
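Review bot: In the `LIBINJECTION_RESULT_ERROR` case of `DetectXSS::evaluate` the operator reports a match and fills TX.0 exactly as the `LIBINJECTION_RESULT_TRUE` case does, so apart from the level-4 debug line nothing distinguishes a parser failure from a confirmed XSS detection. A rule that denies on this operator will then block requests that merely trip the parser, and the resulting alert will presumably read as an XSS hit; `ruleMessage` is not used in the visible body, so it may be worth recording the error state somewhere operators and chained rules can see it. The same debug line appends the complete, client-supplied `input` at level 4, where the old code only did so at levels 7 and 9; consider logging its length or a bounded, escaped prefix instead. I would also put a comment above that case, for example `// Fail-safe: a libinjection parser error is reported as a match, not as a clean result.`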
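--- a/src/operators/libinjection_utils.h
+++ b/src/operators/libinjection_utils.h
@@ -0,0 +1,48 @@
+/*
+* ModSecurity, http://www.modsecurity.org/
+* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+*
+* You may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* If any of the files related to licensing are missing or if you have any
+* other questions related to licensing please contact Trustwave Holdings, Inc.
+* directly using the email address security@modsecurity.org.
+*
+*/
+
+#ifndef SRC_OPERATORS_LIBINJECTION_UTILS_H_
+#define SRC_OPERATORS_LIBINJECTION_UTILS_H_
+
+#include "libinjection/src/libinjection_error.h"
+
+namespace modsecurity::operators {
+
+/*
+* libinjection parser errors are handled in fail-safe mode as suspicious
+* results, so callers can block on both confirmed detections and parser
+* failures.
+*/
+static inline bool isMaliciousLibinjectionResult(injection_result_t result) {
+return result == LIBINJECTION_RESULT_TRUE
+|| result == LIBINJECTION_RESULT_ERROR;
+}
+
+static inline const char *libinjectionResultToString(injection_result_t result) {
+switch (result) {
+case LIBINJECTION_RESULT_TRUE:
+return "attack-detected";
+case LIBINJECTION_RESULT_FALSE:
+return "no-attack";
+case LIBINJECTION_RESULT_ERROR:
+return "parser-error";
+}
+
+return "unexpected-result";
+}
+
+} // namespace modsecurity::operators
+
+#endif // SRC_OPERATORS_LIBINJECTION_UTILS_H_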
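Review bot: `isMaliciousLibinjectionResult` fails open for any value outside the three named enumerators: it returns false unless the result is `LIBINJECTION_RESULT_TRUE` or `LIBINJECTION_RESULT_ERROR`, even though `libinjectionResultToString` explicitly anticipates an "unexpected-result". Whether libinjection can actually return such a value is not visible here, but if the fail-safe policy stated in the comment is the intent, `return result != LIBINJECTION_RESULT_FALSE;` treats everything that is not an explicit negative as suspicious. The `switch` in `DetectXSS::evaluate` has no `default:` either, so an unexpected value would pass there without any debug line. As a style point, `static inline` in a header gives every translation unit its own copy; plain `inline` is sufficient, and the file already relies on C++17 through its nested namespace.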
New dependency on `libinjection/src/libinjection_error.h`: please ensure this header is present in the vendored libinjection submodule version and is included in release artifacts (e.g., add it to `others/Makefile.am` `noinst_HEADERS` if `make dist`/packaging relies on that list). Otherwise builds from distribution tarballs can fail with a missing-header error.