Update SQLi/XSS operators for libinjection v4.0.0 cleaned

src/operators/detect_sqli.cc

@@ -17,45 +17,70 @@
 
 #include <string>
 #include <list>
+#include <array>
 
 #include "src/operators/operator.h"
+#include "src/operators/libinjection_utils.h"
 #include "libinjection/src/libinjection.h"
+#include "libinjection/src/libinjection_error.h"
 
-namespace modsecurity {
-namespace operators {
-
+namespace modsecurity::operators {
 
 bool DetectSQLi::evaluate(Transaction *t, RuleWithActions *rule,
     const std::string& input, RuleMessage &ruleMessage) {
-    char fingerprint[8];
-    int issqli;
 
-    issqli = libinjection_sqli(input.c_str(), input.length(), fingerprint);
+    std::array<char, 8> fingerprint{};
+
+    const injection_result_t sqli_result =
+        libinjection_sqli(input.c_str(), input.length(), fingerprint.data());
 
-    if (!t) {
-        goto tisempty;
+    if (t == nullptr) {
+        return isMaliciousLibinjectionResult(sqli_result);
     }
 
-    if (issqli) {
-        t->m_matched.push_back(fingerprint);
-        ms_dbg_a(t, 4, "detected SQLi using libinjection with " \
-            "fingerprint '" + std::string(fingerprint) + "' at: '" +
-            input + "'");
-        if (rule && rule->hasCaptureAction()) {
-            t->m_collections.m_tx_collection->storeOrUpdateFirst(
-                "0", std::string(fingerprint));
-            ms_dbg_a(t, 7, "Added DetectSQLi match TX.0: " + \
-                std::string(fingerprint));
-        }
-    } else {
-        ms_dbg_a(t, 9, "detected SQLi: not able to find an " \
-            "inject on '" + input + "'");
+    switch (sqli_result) {
+        case LIBINJECTION_RESULT_TRUE:
+            t->m_matched.emplace_back(fingerprint.data());
+
+            ms_dbg_a(t, 4,
+                std::string("detected SQLi using libinjection with fingerprint '")
+                + fingerprint.data() + "' at: '" + input + "'");
+
+            if (rule != nullptr && rule->hasCaptureAction()) {
+                t->m_collections.m_tx_collection->storeOrUpdateFirst(
+                    "0", std::string(fingerprint.data()));
+
+                ms_dbg_a(t, 7,
+                    std::string("Added DetectSQLi match TX.0: ")
+                    + fingerprint.data());
+            }
+            break;
+
+        case LIBINJECTION_RESULT_ERROR:
+            ms_dbg_a(t, 4,
+                std::string("libinjection parser error during SQLi analysis (")
+                + libinjectionResultToString(sqli_result)
+                + "); treating as match (fail-safe). Input: '"
+                + input + "'");
+
+            if (rule != nullptr && rule->hasCaptureAction()) {
+                t->m_collections.m_tx_collection->storeOrUpdateFirst(
+                    "0", input);
+
+                ms_dbg_a(t, 7,
+                    std::string("Added DetectSQLi error input TX.0: ")
+                    + input);
+            }
+            break;
+
+        case LIBINJECTION_RESULT_FALSE:
+            ms_dbg_a(t, 9,
+                std::string("libinjection was not able to find any SQLi in: ")
+                + input);
+            break;
     }
 
-tisempty:
-    return issqli != 0;
+    return isMaliciousLibinjectionResult(sqli_result);
 }
 
-
-}  // namespace operators
-}  // namespace modsecurity
+}  // namespace modsecurity::operators

src/operators/detect_xss.cc

@@ -18,36 +18,50 @@
 #include <string>
 
 #include "src/operators/operator.h"
+#include "src/operators/libinjection_utils.h"
 #include "libinjection/src/libinjection.h"
+#include "libinjection/src/libinjection_error.h"
 
-
-namespace modsecurity {
-namespace operators {
-
+namespace modsecurity::operators {
 
 bool DetectXSS::evaluate(Transaction *t, RuleWithActions *rule,
     const std::string& input, RuleMessage &ruleMessage) {
-    int is_xss;
-
-    is_xss = libinjection_xss(input.c_str(), input.length());
-
-    if (t) {
-        if (is_xss) {
-            ms_dbg_a(t, 5, "detected XSS using libinjection.");
-            if (rule && rule->hasCaptureAction()) {
-                t->m_collections.m_tx_collection->storeOrUpdateFirst(
-                    "0", std::string(input));
-                ms_dbg_a(t, 7, "Added DetectXSS match TX.0: " + \
-                    std::string(input));
+
+    const injection_result_t xss_result =
+        libinjection_xss(input.c_str(), input.length());
+
+    if (t == nullptr) {
+        return isMaliciousLibinjectionResult(xss_result);
+    }
+
+    switch (xss_result) {
+        case LIBINJECTION_RESULT_TRUE:
+            ms_dbg_a(t, 5, std::string("detected XSS using libinjection."));
+            if (rule != nullptr && rule->hasCaptureAction()) {
+                t->m_collections.m_tx_collection->storeOrUpdateFirst("0", input);
+                ms_dbg_a(t, 7, std::string("Added DetectXSS match TX.0: ") + input);
             }
-        } else {
-            ms_dbg_a(t, 9, "libinjection was not able to " \
-                "find any XSS in: " + input);
+            break;
+
+        case LIBINJECTION_RESULT_ERROR:
+            ms_dbg_a(t, 4,
+                std::string("libinjection parser error during XSS analysis (")
+                + libinjectionResultToString(xss_result)
+                + "); treating as match (fail-safe). Input: "
+                + input);
+            if (rule != nullptr && rule->hasCaptureAction()) {
+                t->m_collections.m_tx_collection->storeOrUpdateFirst("0", input);
+                ms_dbg_a(t, 7, std::string("Added DetectXSS error input TX.0: ") + input);
             }
+            break;
+
+        case LIBINJECTION_RESULT_FALSE:
+            ms_dbg_a(t, 9,
+                std::string("libinjection was not able to find any XSS in: ") + input);
+            break;
     }
-    return is_xss != 0;
-}
 
+    return isMaliciousLibinjectionResult(xss_result);
+}
 
-}  // namespace operators
-}  // namespace modsecurity
+}  // namespace modsecurity::operators

src/operators/libinjection_utils.h

@@ -0,0 +1,48 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#ifndef SRC_OPERATORS_LIBINJECTION_UTILS_H_
+#define SRC_OPERATORS_LIBINJECTION_UTILS_H_
+
+#include "libinjection/src/libinjection_error.h"
+
+namespace modsecurity::operators {
+
+/*
+ * libinjection parser errors are handled in fail-safe mode as suspicious
+ * results, so callers can block on both confirmed detections and parser
+ * failures.
+ */
+static inline bool isMaliciousLibinjectionResult(injection_result_t result) {
+    return result == LIBINJECTION_RESULT_TRUE
+        || result == LIBINJECTION_RESULT_ERROR;
+}
+
+static inline const char *libinjectionResultToString(injection_result_t result) {
+    switch (result) {
+        case LIBINJECTION_RESULT_TRUE:
+            return "attack-detected";
+        case LIBINJECTION_RESULT_FALSE:
+            return "no-attack";
+        case LIBINJECTION_RESULT_ERROR:
+            return "parser-error";
+    }
+
+    return "unexpected-result";
+}
+
+}  // namespace modsecurity::operators
+
+#endif  // SRC_OPERATORS_LIBINJECTION_UTILS_H_