kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

security/modsecurity3: Add patch for CVE-2020-15598

Browse source 
PR:		249312
Submitted by:	Felipe Zipitria <fzipitria@perceptyx.com>
Approved by:	Marius Halden <marius.halden@modirum.com> (maintainer)
MFH:		2020Q3
Security:	CVE-2020-15598
This commit is contained in:
Li-Wen Hsu 2020-09-30 17:11:21 +00:00
parent 0e87108e31
commit 6939bbd197
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=550723
5 changed files with 273 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
security/modsecurity3/Makefile
View file

@ -3,7 +3,7 @@
PORTNAME= modsecurity
DISTVERSIONPREFIX= v
DISTVERSION= 3.0.4
PORTREVISION= 0
PORTREVISION= 1
CATEGORIES= security www
MASTER_SITES= https://github.com/SpiderLabs/ModSecurity/releases/download/v${PORTVERSION}/
PKGNAMESUFFIX= 3

51
security/modsecurity3/files/patch-src_operators_rx.cc Normal file
View file

@ -0,0 +1,51 @@
--- src/operators/rx.cc.orig 2020-01-13 13:09:28 UTC
+++ src/operators/rx.cc
@@ -38,7 +38,6 @@ bool Rx::init(const std::string &arg, st
bool Rx::evaluate(Transaction *transaction, Rule *rule,
const std::string& input, std::shared_ptr<RuleMessage> ruleMessage) {
- std::list<SMatch> matches;
Regex *re;
if (m_param.empty() && !m_string->m_containsMacro) {
@@ -52,29 +51,29 @@ bool Rx::evaluate(Transaction *transacti
re = m_re;
}
- matches = re->searchAll(input);
+ std::vector<Utils::SMatchCapture> captures;
+ re->searchOneMatch(input, captures);
+
if (rule && rule->m_containsCaptureAction && transaction) {
- int i = 0;
- matches.reverse();
- for (const SMatch& a : matches) {
+ for (const Utils::SMatchCapture& capture : captures) {
+ const std::string capture_substring(input.substr(capture.m_offset,capture.m_length));
transaction->m_collections.m_tx_collection->storeOrUpdateFirst(
- std::to_string(i), a.str());
+ std::to_string(capture.m_group), capture_substring);
ms_dbg_a(transaction, 7, "Added regex subexpression TX." +
- std::to_string(i) + ": " + a.str());
- transaction->m_matched.push_back(a.str());
- i++;
+ std::to_string(capture.m_group) + ": " + capture_substring);
+ transaction->m_matched.push_back(capture_substring);
}
}
- for (const auto & i : matches) {
- logOffset(ruleMessage, i.offset(), i.str().size());
+ for (const auto & capture : captures) {
+ logOffset(ruleMessage, capture.m_offset, capture.m_length);
}
if (m_string->m_containsMacro) {
delete re;
}
- if (matches.size() > 0) {
+ if (captures.size() > 0) {
return true;
}

40
security/modsecurity3/files/patch-src_utils_regex.cc Normal file
View file

@ -0,0 +1,40 @@
--- src/utils/regex.cc.orig 2020-01-13 13:09:28 UTC
+++ src/utils/regex.cc
@@ -16,10 +16,6 @@
#include "src/utils/regex.h"
#include <pcre.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
#include <string>
#include <list>
@@ -99,6 +95,26 @@ std::list<SMatch> Regex::searchAll(const
return retList;
}
+bool Regex::searchOneMatch(const std::string& s, std::vector<SMatchCapture>& captures) const {
+ const char *subject = s.c_str();
+ int ovector[OVECCOUNT];
+
+ int rc = pcre_exec(m_pc, m_pce, subject, s.size(), 0, 0, ovector, OVECCOUNT);
+
+ for (int i = 0; i < rc; i++) {
+ size_t start = ovector[2*i];
+ size_t end = ovector[2*i+1];
+ size_t len = end - start;
+ if (end > s.size()) {
+ continue;
+ }
+ SMatchCapture capture(i, start, len);
+ captures.push_back(capture);
+ }
+
+ return (rc > 0);
+}
+
int Regex::search(const std::string& s, SMatch *match) const {
int ovector[OVECCOUNT];
int ret = pcre_exec(m_pc, m_pce, s.c_str(),

35
security/modsecurity3/files/patch-src_utils_regex.h Normal file
View file

@ -0,0 +1,35 @@
--- src/utils/regex.h.orig 2020-01-13 13:09:28 UTC
+++ src/utils/regex.h
@@ -19,6 +19,7 @@
#include <fstream>
#include <string>
#include <list>
+#include <vector>
#ifndef SRC_UTILS_REGEX_H_
#define SRC_UTILS_REGEX_H_
@@ -47,6 +48,16 @@ class SMatch {
size_t m_offset;
};
+struct SMatchCapture {
+ SMatchCapture(size_t group, size_t offset, size_t length) :
+ m_group(group),
+ m_offset(offset),
+ m_length(length) { }
+
+ size_t m_group; // E.g. 0 = full match; 6 = capture group 6
+ size_t m_offset; // offset of match within the analyzed string
+ size_t m_length;
+};
class Regex {
public:
@@ -58,6 +69,7 @@ class Regex {
Regex& operator=(const Regex&) = delete;
std::list<SMatch> searchAll(const std::string& s) const;
+ bool searchOneMatch(const std::string& s, std::vector<SMatchCapture>& captures) const;
int search(const std::string &s, SMatch *m) const;
int search(const std::string &s) const;

146
security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json Normal file
View file

@ -0,0 +1,146 @@
--- test/test-cases/regression/variable-TX.json.orig 2020-01-13 13:09:28 UTC
+++ test/test-cases/regression/variable-TX.json
@@ -80,5 +80,143 @@
"SecRule REQUEST_HEADERS \"@rx ([A-z]+)\" \"id:1,log,pass,capture,id:14\"",
"SecRule TX:0 \"@rx ([A-z]+)\" \"id:15\""
]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Testing Variables :: capture group match after unused group",
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "request":{
+ "uri":"/?key=aadd",
+ "method":"GET"
+ },
+ "response":{
+ "headers":{
+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+ "Content-Type":"text/html"
+ },
+ "body":[
+ "no need."
+ ]
+ },
+ "expected":{
+ "debug_log":"Added regex subexpression TX\\.3: dd[\\s\\S]*Target value: \"dd\" \\(Variable\\: TX\\:3[\\s\\S]*Rule returned 1"
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecRule ARGS \"@rx (aa)(bb|cc)?(dd)\" \"id:1,log,pass,capture,id:16\"",
+ "SecRule TX:3 \"@streq dd\" \"id:19,phase:2,log,pass\""
+ ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Testing Variables :: empty capture group match followed by nonempty capture group",
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "request":{
+ "uri":"/?key=aadd",
+ "method":"GET"
+ },
+ "response":{
+ "headers":{
+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+ "Content-Type":"text/html"
+ },
+ "body":[
+ "no need."
+ ]
+ },
+ "expected":{
+ "debug_log":"Added regex subexpression TX\\.3: dd[\\s\\S]*Target value: \"dd\" \\(Variable\\: TX\\:3[\\s\\S]*Rule returned 1"
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecRule ARGS \"@rx (aa)(bb|cc|)(dd)\" \"id:18,phase:1,log,pass,capture\"",
+ "SecRule TX:3 \"@streq dd\" \"id:19,phase:2,log,pass\""
+ ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Testing Variables :: repeating capture group -- alternates",
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "request":{
+ "uri":"/?key=_abc123_",
+ "method":"GET"
+ },
+ "response":{
+ "headers":{
+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+ "Content-Type":"text/html"
+ },
+ "body":[
+ "no need."
+ ]
+ },
+ "expected":{
+ "debug_log":"Added regex subexpression TX\\.2: abc[\\s\\S]*Added regex subexpression TX\\.3: 123"
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecRule ARGS \"@rx _((?:(abc)|(123))+)_\" \"id:18,phase:1,log,pass,capture\""
+ ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Testing Variables :: repeating capture group -- same (nested)",
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "request":{
+ "uri":"/?key=a:5a:8a:9",
+ "method":"GET"
+ },
+ "response":{
+ "headers":{
+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+ "Content-Type":"text/html"
+ },
+ "body":[
+ "no need."
+ ]
+ },
+ "expected":{
+ "debug_log":"Added regex subexpression TX\\.1: 5[\\s\\S]*Added regex subexpression TX\\.2: 8[\\s\\S]*Added regex subexpression TX\\.3: 9"
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecRule ARGS \"@rx a:([0-9])(?:a:([0-9])(?:a:([0-9]))*)*\" \"id:18,phase:1,log,pass,capture\""
+ ]
}
]