Fix parsing of SecComponentSignature, SecServerSignature and SecWebAppId

[meirdev]

Fix: owasp-modsecurity/ModSecurity-nginx#365

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
1 Accepted issue

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[meirdev]

Quality Gate failed on auto-generated code

[airween]

Hi @meirdev,

thanks for this PR - just out of curiosity: do you have the same Flex version as the previous .cc file was generated (2.6.4)?

How did you generate this file? (If someone made some changes on the parser, the generated diff used to be much bigger than this...)

[meirdev]

I generated the file using make.

flex -V

flex 2.6.4

./configure --enable-parser-generation

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /usr/bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C++... yes
checking whether g++ accepts -g... yes
checking for g++ option to enable C++11 features... none needed
checking whether make supports the include directive... yes (GNU style)
checking dependency style of g++... gcc3
checking for gcc... gcc
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for ar... ar
checking the archiver (ar) interface... ar
checking for gawk... (cached) mawk
checking for gcc... (cached) gcc
checking whether the compiler supports GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to enable C11 features... (cached) none needed
checking whether gcc understands -c and -o together... (cached) yes
checking dependency style of gcc... (cached) gcc3
checking how to run the C preprocessor... gcc -E
checking whether ln -s works... yes
checking whether make sets $(MAKE)... (cached) yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking whether g++ supports C++17 features with -std=c++17... yes
configure: Auto-detecting YAJL...
configure: YAJL found via pkg-config: yajl v2.1.0
configure: using YAJL v2.1.0
configure: Auto-detecting GEOIP...
configure: GEOIP library not found
configure: Auto-detecting MAXMIND...
configure: MAXMIND library not found
configure: Auto-detecting LMDB...
configure: LMDB library not found
configure: Auto-detecting SSDEEP...
configure: SSDEEP library not found
configure: Auto-detecting LUA...
configure: LUA library not found
configure: Auto-detecting CURL...
configure: CURL found via pkg-config: libcurl v8.5.0
configure: using CURL v8.5.0
checking if libcurl supports TLSv1.2... yes
checking if libcurl is linked with gnutls... no
configure: Auto-detecting LIBXML2...
configure: LIBXML2 found via pkg-config: libxml-2.0 v2.9.14
configure: using LIBXML2 v2.9.14
configure: Auto-detecting PCRE2...
configure: PCRE2 found via pkg-config: libpcre2-8 v10.42
configure: using PCRE2 v10.42
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking for vfork.h... no
checking for string... no
checking for iostream... no
checking for sys/utsname.h... yes
checking for arpa/inet.h... yes
checking for fcntl.h... yes
checking for inttypes.h... (cached) yes
checking for libintl.h... yes
checking for malloc.h... yes
checking for netdb.h... yes
checking for netinet/in.h... yes
checking for stdint.h... (cached) yes
checking for sys/ioctl.h... yes
checking for sys/param.h... yes
checking for sys/socket.h... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking for _Bool... yes
checking for stdbool.h that conforms to C99... yes
checking for inline... inline
checking for int16_t... yes
checking for int32_t... yes
checking for int64_t... yes
checking for int8_t... yes
checking for off_t... yes
checking for pid_t... yes
checking for size_t... yes
checking for ssize_t... yes
checking for uint16_t... yes
checking for uint32_t... yes
checking for uint64_t... yes
checking for uint8_t... yes
checking for ptrdiff_t... yes
checking for time_t... yes
checking for error_at_line... yes
checking for fork... yes
checking for vfork... yes
checking for working fork... yes
checking for working vfork... (cached) yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for GNU libc compatible malloc... yes
checking for GNU libc compatible realloc... yes
checking for alarm... yes
checking for clock_gettime... yes
checking for gethostname... yes
checking for gettimeofday... yes
checking for inet_ntoa... yes
checking for localtime_r... yes
checking for memmove... yes
checking for memset... yes
checking for mkdir... yes
checking for select... yes
checking for setenv... yes
checking for socket... yes
checking for strcasecmp... yes
checking for strchr... yes
checking for strdup... yes
checking for strerror... yes
checking for strncasecmp... yes
checking for strspn... yes
checking for strstr... yes
checking for strtol... yes
checking for strtoul... yes
checking for strtoull... yes
checking for uname... yes
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for file... file
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking how to run the C++ preprocessor... g++ -std=c++17 -E
checking for ld used by g++ -std=c++17... /usr/bin/ld -m elf_x86_64
checking if the linker (/usr/bin/ld -m elf_x86_64) is GNU ld... yes
checking whether the g++ -std=c++17 linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking for g++ -std=c++17 option to produce PIC... -fPIC -DPIC
checking if g++ -std=c++17 PIC flag -fPIC -DPIC works... yes
checking if g++ -std=c++17 static flag -static works... yes
checking if g++ -std=c++17 supports -c -o file.o... yes
checking if g++ -std=c++17 supports -c -o file.o... (cached) yes
checking whether the g++ -std=c++17 linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking dynamic linker characteristics... (cached) GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
Checking platform... Identified as Linux
checking for bison... bison -y
checking for flex... flex
checking for lex output file root... lex.yy
checking for lex library... none needed
checking whether yytext is a pointer... yes
checking for flex... /usr/bin/flex
checking for bison... /usr/bin/bison
checking for bison... /usr/bin/bison
checking for doxygen... no
configure: WARNING: doxygen not found - will not generate any doxygen documentation
checking for perl... /usr/bin/perl
checking for valgrind... no
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating modsecurity.pc
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating src/Makefile
config.status: creating others/Makefile
config.status: creating tools/Makefile
config.status: creating tools/rules-check/Makefile
config.status: creating test/Makefile
config.status: creating test/benchmark/Makefile
config.status: creating examples/Makefile
config.status: creating examples/simple_example_using_c/Makefile
config.status: creating examples/multiprocess_c/Makefile
config.status: creating examples/multithread/Makefile
config.status: creating examples/reading_logs_with_offset/Makefile
config.status: creating examples/reading_logs_via_rule_message/Makefile
config.status: creating examples/using_bodies_in_chunks/Makefile
config.status: creating src/parser/Makefile
config.status: creating src/config.h
config.status: executing depfiles commands
config.status: executing libtool commands
 
 
ModSecurity - v3.0.15 for Linux
 
 Mandatory dependencies
   + libInjection                                  ....v4.0.0
   + Mbed TLS                                      ....v4.1.0
   + SecLang tests                                 ....a3d4405
 
 Optional dependencies
   + GeoIP/MaxMind                                 ....not found
   + LibCURL                                       ....found v8.5.0
      -lcurl , -I/usr/include/x86_64-linux-gnu 
   + YAJL                                          ....found v2.1.0
      -lyajl ,  -DWITH_YAJL -I/usr/include
   + LMDB                                          ....not found
   + LibXML2                                       ....found v2.9.14
      -lxml2 , -I/usr/include/libxml2 
   + SSDEEP                                        ....not found
   + LUA                                           ....not found
   + PCRE2                                          ....found v10.42
      -lpcre2-8 , 
 
 Other Options
   + Test Utilities                                ....enabled
   + Assertions                                    ....disabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....enabled
   + Treating pm operations as critical section    ....disabled

[Copilot]

Pull request overview

This PR fixes SecLang directive argument extraction for SecComponentSignature, SecServerSignature, and SecWebAppId so their values are parsed consistently (notably for quoted values), addressing the parsing issue reported in ModSecurity-nginx#365.

Changes:

• Update SecLang scanner rules to extract directive arguments via find_separator(yytext) and sanitize them with parserSanitizer(...) (instead of using strchr(...)+2 for some directives).
• Add a regression test validating that SecComponentSignature is emitted correctly in the JSON audit log components array.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
test/test-cases/regression/auditlog.json	Adds a regression test ensuring SecComponentSignature is serialized correctly in JSON audit logs.
src/parser/seclang-scanner.ll	Updates lexer rules for SecComponentSignature, SecServerSignature, and SecWebAppId to use separator finding + sanitization for argument parsing.
src/parser/seclang-scanner.cc	Regenerated scanner output reflecting the .ll changes.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[meirdev]

@airween - That's a good comment from Copilot.

I used the same pattern as the other directives (CONFIG_DIR_AUDIT_LOG, CONFIG_DIR_AUDIT_STS, CONFIG_DIR_AUDIT_DIR, ...). Do you want me to change the find_separator function?