modsecurity: remove sanity checks

Author: pracj3am

src/ddebug.h

@@ -17,19 +17,6 @@
  * #define MODSECURITY_DDEBUG 1
  */
 
-/*
- * Setting MODSECURITY_SANITY_CHECKS will help you in the debug process. By
- * defining MODSECURITY_SANITY_CHECKS a set of functions will be executed in
- * order to make sure the well behavior of ModSecurity, letting you know (via
- * debug_logs) if something unexpected happens.
- *
- * If performance is not a concern, it is safe to keep it set.
- *
- */
-#ifndef MODSECURITY_SANITY_CHECKS
-#define MODSECURITY_SANITY_CHECKS 0
-#endif
-
 #if defined(MODSECURITY_DDEBUG) && (MODSECURITY_DDEBUG)
 
 #   if (NGX_HAVE_VARIADIC_MACROS)

src/ngx_http_modsecurity_body_filter.c

@@ -34,13 +34,8 @@ ngx_int_t
 ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
 {
     ngx_chain_t *chain = in;
-    ngx_http_modsecurity_ctx_t *ctx = NULL;
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modsecurity_conf_t *mcf;
-    ngx_list_part_t *part = &r->headers_out.headers.part;
-    ngx_table_elt_t *data = part->elts;
-    ngx_uint_t i = 0;
-#endif
+
+    ngx_http_modsecurity_ctx_t  *ctx;
 
     if (in == NULL) {
         return ngx_http_next_body_filter(r, in);
@@ -56,84 +51,6 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
         return ngx_http_next_body_filter(r, in);
     }
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
-    if (mcf != NULL && mcf->sanity_checks_enabled != NGX_CONF_UNSET)
-    {
-#if 0
-        dd("dumping stored ctx headers");
-        for (i = 0; i < ctx->sanity_headers_out->nelts; i++)
-        {
-            ngx_http_modsecurity_header_t *vals = ctx->sanity_headers_out->elts;
-            ngx_str_t *s2 = &vals[i].name, *s3 = &vals[i].value;
-            dd(" dump[%d]: name = '%.*s', value = '%.*s'", (int)i,
-                (int)s2->len, (char*)s2->data,
-                (int)s3->len, (char*)s3->data);
-        }
-#endif
-        /*
-         * Identify if there is a header that was not inspected by ModSecurity.
-         */
-        int worth_to_fail = 0;
-
-        for (i = 0; ; i++)
-        {
-            int found = 0;
-            ngx_uint_t j = 0;
-            ngx_table_elt_t *s1;
-            ngx_http_modsecurity_header_t *vals;
-
-            if (i >= part->nelts)
-            {
-                if (part->next == NULL) {
-                    break;
-                }
-
-                part = part->next;
-                data = part->elts;
-                i = 0;
-            }
-
-            vals = ctx->sanity_headers_out->elts;
-            s1 = &data[i];
-
-            /*
-             * Headers that were inspected by ModSecurity.
-             */
-            while (j < ctx->sanity_headers_out->nelts)
-            {
-                ngx_str_t *s2 = &vals[j].name;
-                ngx_str_t *s3 = &vals[j].value;
-
-                if (s1->key.len == s2->len && ngx_strncmp(s1->key.data, s2->data, s1->key.len) == 0)
-                {
-                    if (s1->value.len == s3->len && ngx_strncmp(s1->value.data, s3->data, s1->value.len) == 0)
-                    {
-                        found = 1;
-                        break;
-                    }
-                }
-                j++;
-            }
-            if (!found) {
-                dd("header: `%.*s' with value: `%.*s' was not inspected by ModSecurity",
-                    (int) s1->key.len,
-                    (const char *) s1->key.data,
-                    (int) s1->value.len,
-                    (const char *) s1->value.data);
-                worth_to_fail++;
-            }
-        }
-
-        if (worth_to_fail)
-        {
-            dd("%d header(s) were not inspected by ModSecurity, so exiting", worth_to_fail);
-            return ngx_http_filter_finalize_request(r,
-                &ngx_http_modsecurity_module, NGX_HTTP_INTERNAL_SERVER_ERROR);
-        }
-    }
-#endif
-
     int is_request_processed = 0;
     for (; chain != NULL; chain = chain->next)
     {

src/ngx_http_modsecurity_common.h

@@ -71,27 +71,10 @@
 #define MODSECURITY_NGINX_WHOAMI "ModSecurity-nginx v" \
     MODSECURITY_NGINX_VERSION
 
-typedef struct {
-    ngx_str_t name;
-    ngx_str_t value;
-} ngx_http_modsecurity_header_t;
-
 
 typedef struct {
     Transaction *modsec_transaction;
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    /*
-     * Should be filled with the headers that were sent to ModSecurity.
-     *
-     * The idea is to compare this set of headers with the headers that were
-     * sent to the client. This check was placed because we don't have control
-     * over other modules, thus, we may partially inspect the headers.
-     *
-     */
-    ngx_array_t *sanity_headers_out;
-#endif
-
     unsigned waiting_more_body:1;
     unsigned body_requested:1;
     unsigned processed:1;
@@ -109,12 +92,7 @@ typedef struct {
 typedef struct {
     /* RulesSet or Rules */
     void                      *rules_set;
-
     ngx_flag_t                 enable;
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_flag_t                 sanity_checks_enabled;
-#endif
-
     ngx_http_complex_value_t  *transaction_id;
 } ngx_http_modsecurity_conf_t;
 
@@ -150,9 +128,6 @@ ngx_int_t ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *i
 
 /* ngx_http_modsecurity_header_filter.c */
 void ngx_http_modsecurity_header_filter_init(void);
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-int ngx_http_modsecurity_store_ctx_header(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value);
-#endif
 
 /* ngx_http_modsecurity_log.c */
 void ngx_http_modsecurity_log(void *log, const void* data);

src/ngx_http_modsecurity_header_filter.c

@@ -103,46 +103,6 @@ ngx_http_modsecurity_header_out_t ngx_http_modsecurity_headers_out[] = {
 };
 
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-int
-ngx_http_modsecurity_store_ctx_header(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value)
-{
-    ngx_http_modsecurity_ctx_t     *ctx;
-    ngx_http_modsecurity_conf_t    *mcf;
-    ngx_http_modsecurity_header_t  *hdr;
-
-    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
-    if (ctx == NULL || ctx->sanity_headers_out == NULL) {
-        return NGX_ERROR;
-    }
-
-    mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
-    if (mcf == NULL || mcf->sanity_checks_enabled == NGX_CONF_UNSET)
-    {
-        return NGX_OK;
-    }
-
-    hdr = ngx_array_push(ctx->sanity_headers_out);
-    if (hdr == NULL) {
-        return NGX_ERROR;
-    }
-
-    hdr->name.data = ngx_pnalloc(r->pool, name->len);
-    hdr->value.data = ngx_pnalloc(r->pool, value->len);
-    if (hdr->name.data == NULL || hdr->value.data == NULL) {
-        return NGX_ERROR;
-    }
-
-    ngx_memcpy(hdr->name.data, name->data, name->len);
-    hdr->name.len = name->len;
-    ngx_memcpy(hdr->value.data, value->data, value->len);
-    hdr->value.len = value->len;
-
-    return NGX_OK;
-}
-#endif
-
-
 static ngx_int_t
 ngx_http_modsecurity_resolv_header_server(ngx_http_request_t *r, ngx_str_t name, off_t offset)
 {
@@ -170,10 +130,6 @@ ngx_http_modsecurity_resolv_header_server(ngx_http_request_t *r, ngx_str_t name,
         value.len =  h->value.len;
     }
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modsecurity_store_ctx_header(r, &name, &value);
-#endif
-
     return msc_add_n_response_header(ctx->modsec_transaction,
         (const unsigned char *) name.data,
         name.len,
@@ -199,10 +155,6 @@ ngx_http_modsecurity_resolv_header_date(ngx_http_request_t *r, ngx_str_t name, o
         date.len = h->value.len;
     }
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modsecurity_store_ctx_header(r, &name, &date);
-#endif
-
     return msc_add_n_response_header(ctx->modsec_transaction,
         (const unsigned char *) name.data,
         name.len,
@@ -226,9 +178,6 @@ ngx_http_modsecurity_resolv_header_content_length(ngx_http_request_t *r, ngx_str
         value.data = (unsigned char *)buf;
         value.len = strlen(buf);
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modsecurity_store_ctx_header(r, &name, &value);
-#endif
         return msc_add_n_response_header(ctx->modsec_transaction,
             (const unsigned char *) name.data,
             name.len,
@@ -249,11 +198,6 @@ ngx_http_modsecurity_resolv_header_content_type(ngx_http_request_t *r, ngx_str_t
 
     if (r->headers_out.content_type.len > 0)
     {
-
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modsecurity_store_ctx_header(r, &name, &r->headers_out.content_type);
-#endif
-
         return msc_add_n_response_header(ctx->modsec_transaction,
             (const unsigned char *) name.data,
             name.len,
@@ -283,10 +227,6 @@ ngx_http_modsecurity_resolv_header_last_modified(ngx_http_request_t *r, ngx_str_
     value.data = buf;
     value.len = (int)(p-buf);
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modsecurity_store_ctx_header(r, &name, &value);
-#endif
-
     return msc_add_n_response_header(ctx->modsec_transaction,
         (const unsigned char *) name.data,
         name.len,
@@ -319,10 +259,6 @@ ngx_http_modsecurity_resolv_header_connection(ngx_http_request_t *r, ngx_str_t n
             value.data = buf;
             value.len = strlen((char *)buf);
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-            ngx_http_modsecurity_store_ctx_header(r, &name2, &value);
-#endif
-
             msc_add_n_response_header(ctx->modsec_transaction,
                 (const unsigned char *) name2.data,
                 name2.len,
@@ -336,10 +272,6 @@ ngx_http_modsecurity_resolv_header_connection(ngx_http_request_t *r, ngx_str_t n
     value.data = (u_char *) connection;
     value.len = strlen(connection);
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modsecurity_store_ctx_header(r, &name, &value);
-#endif
-
     return msc_add_n_response_header(ctx->modsec_transaction,
         (const unsigned char *) name.data,
         name.len,
@@ -357,10 +289,6 @@ ngx_http_modsecurity_resolv_header_transfer_encoding(ngx_http_request_t *r, ngx_
 
         ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modsecurity_store_ctx_header(r, &name, &value);
-#endif
-
         return msc_add_n_response_header(ctx->modsec_transaction,
             (const unsigned char *) name.data,
             name.len,
@@ -384,10 +312,6 @@ ngx_http_modsecurity_resolv_header_vary(ngx_http_request_t *r, ngx_str_t name, o
 
         ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modsecurity_store_ctx_header(r, &name, &value);
-#endif
-
         return msc_add_n_response_header(ctx->modsec_transaction,
             (const unsigned char *) name.data,
             name.len,
@@ -474,10 +398,6 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
             i = 0;
         }
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modsecurity_store_ctx_header(r, &data[i].key, &data[i].value);
-#endif
-
         /*
          * Doing this ugly cast here, explanation on the request_header
          */

src/ngx_http_modsecurity_module.c

@@ -218,10 +218,6 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
         r->headers_out.location = location;
         r->headers_out.location->hash = 1;
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modsecurity_store_ctx_header(r, &location->key, &location->value);
-#endif
-
         return intervention.status;
     }
 
@@ -286,13 +282,6 @@ ngx_http_modsecurity_create_ctx(ngx_http_request_t *r, ModSecurity *modsec,
 
     dd("transaction created");
 
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ctx->sanity_headers_out = ngx_array_create(r->pool, 12, sizeof(ngx_http_modsecurity_header_t));
-    if (ctx->sanity_headers_out == NULL) {
-        return NULL;
-    }
-#endif
-
     cln = ngx_pool_cleanup_add(r->pool, sizeof(ngx_http_modsecurity_ctx_t));
     if (cln == NULL) {
         return NULL;
@@ -635,16 +624,12 @@ ngx_http_modsecurity_create_conf(ngx_conf_t *cf)
      * set by ngx_pcalloc():
      *
      *     conf->enable = 0;
-     *     conf->sanity_checks_enabled = 0;
      *     conf->rules_set = NULL;
      *     conf->transaction_id = NULL;
      */
 
     conf->enable = NGX_CONF_UNSET;
     conf->transaction_id = NGX_CONF_UNSET_PTR;
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    conf->sanity_checks_enabled = NGX_CONF_UNSET;
-#endif
 
     return conf;
 }
@@ -661,10 +646,6 @@ ngx_http_modsecurity_merge_conf(ngx_conf_t *cf, void *parent, void *child)
 
     ngx_conf_merge_value(conf->enable, prev->enable, 0);
     ngx_conf_merge_ptr_value(conf->transaction_id, prev->transaction_id, NULL);
-#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_conf_merge_value(conf->sanity_checks_enabled,
-                         prev->sanity_checks_enabled, 0);
-#endif
 
     if (prev->rules_set != NULL) {
         if (conf->rules_set != NULL) {