Update SQLi/XSS operators for libinjection v4.0.0 cleaned#3528
Update SQLi/XSS operators for libinjection v4.0.0 cleaned#3528Easton97-Jens wants to merge 6 commits intoowasp-modsecurity:v3/masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Updates ModSecurity’s @detectSQLi / @detectXSS operators to support libinjection v4’s injection_result_t return codes, including explicit fail-safe handling for parser errors, and expands regression coverage around detection/false-positive behavior.
Changes:
- Add shared helpers for interpreting libinjection
TRUE/FALSE/ERRORresults. - Update
DetectSQLi/DetectXSSto treatLIBINJECTION_RESULT_ERRORas a match and preserve capture behavior. - Expand regression test cases for multiple XSS/SQLi payloads and benign inputs.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
src/operators/libinjection_utils.h |
Adds shared helpers to map libinjection results to match/no-match semantics and diagnostic strings. |
src/operators/detect_xss.cc |
Switches XSS operator logic to injection_result_t and adds explicit handling for TRUE/FALSE/ERROR. |
src/operators/detect_sqli.cc |
Switches SQLi operator logic to injection_result_t, modernizes fingerprint storage, and handles TRUE/FALSE/ERROR. |
test/test-cases/regression/operator-detectxss.json |
Adds multiple positive and negative XSS regression cases. |
test/test-cases/regression/operator-detectsqli.json |
Adds multiple positive and negative SQLi regression cases (including fingerprint expectations). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| case LIBINJECTION_RESULT_ERROR: | ||
| ms_dbg_a(t, 4, | ||
| std::string("libinjection parser error during XSS analysis (") | ||
| + libinjectionResultToString(xss_result) | ||
| + "); treating as match (fail-safe). Input: " | ||
| + input) | ||
| if (rule != nullptr && rule->hasCaptureAction()) { | ||
| t->m_collections.m_tx_collection->storeOrUpdateFirst("0", input); | ||
| ms_dbg_a(t, 7, std::string("Added DetectXSS error input TX.0: ") + input) | ||
| } |
There was a problem hiding this comment.
The new LIBINJECTION_RESULT_ERROR fail-safe behavior (treating parser errors as matches and capturing raw input into TX.0 when capture is enabled) is not exercised by the current regression tests. Add a regression case that reliably triggers libinjection_xss returning ERROR and asserts both the disruptive outcome and TX.0 capture behavior.
| case LIBINJECTION_RESULT_ERROR: | ||
| ms_dbg_a(t, 4, | ||
| std::string("libinjection parser error during SQLi analysis (") | ||
| + libinjectionResultToString(sqli_result) | ||
| + "); treating as match (fail-safe). Input: '" | ||
| + input + "'") | ||
|
|
||
| if (rule != nullptr && rule->hasCaptureAction()) { | ||
| t->m_collections.m_tx_collection->storeOrUpdateFirst( | ||
| "0", input); | ||
|
|
||
| ms_dbg_a(t, 7, | ||
| std::string("Added DetectSQLi error input TX.0: ") | ||
| + input) | ||
| } | ||
| break; |
There was a problem hiding this comment.
The new LIBINJECTION_RESULT_ERROR path (fail-safe match + storing raw input in TX.0 when capture is enabled) does not appear to be covered by the regression tests. Add a regression case that triggers libinjection_sqli returning ERROR and asserts both that the operator matches and that TX.0 contains the raw input (not the fingerprint) when capture is enabled.
…for-modsecurity-operators Add regression coverage for detectSQLi/detectXSS capture semantics
|
what
libinjectionreturn codes (injection_result_t).TRUE,FALSE, andERRORresults fromlibinjection_sqliandlibinjection_xss.LIBINJECTION_RESULT_ERRORas a fail-safe match to avoid missing potentially malicious input.TX.0whencaptureis enabled, even on parser errors.why
libinjectionintroducedinjection_result_t, requiring explicit handling in ModSecurity operators.references
libinjectionAPIs.