Forces disruptive to be first-rule-only

Felipe Zimmerle · Felipe Zimmerle · commit 6421ff087a25 · 2017-04-24T21:06:35.000-03:00
ModSecurity version 3 is capable to handle disruptive actions in different
rules from the chain. However, lets get it working in the same fashion that
we have in version 2.
diff --git a/headers/modsecurity/rule.h b/headers/modsecurity/rule.h
@@ -76,7 +76,7 @@ class Rule {
     std::vector<std::string> getActionNames();
     std::vector<actions::Action *> getActionsByName(const std::string& name);
     bool containsTag(const std::string& name, Transaction *t);
-
+    bool containsDisruptiveAction();
 
     int refCountDecreaseAndCheck() {
         m_referenceCount--;
diff --git a/src/actions/disruptive/allow.h b/src/actions/disruptive/allow.h
@@ -60,6 +60,7 @@ class Allow : public Action {
 
     bool init(std::string *error) override;
     bool evaluate(Rule *rule, Transaction *transaction) override;
+    bool isDisruptive() override { return true; }
 
     AllowType m_allowType;
 
diff --git a/src/parser/driver.cc b/src/parser/driver.cc
@@ -70,23 +70,34 @@ int Driver::addSecRule(Rule *rule) {
         return false;
     }
 
-    if (lastRule && lastRule->m_chained && lastRule->m_chainedRule == NULL) {
-        rule->m_phase = lastRule->m_phase;
-        lastRule->m_chainedRule = rule;
-        return true;
-    }
-
-    if (lastRule && lastRule->m_chained && lastRule->m_chainedRule != NULL) {
-        Rule *a = lastRule->m_chainedRule;
-        while (a->m_chained && a->m_chainedRule != NULL) {
-            a = a->m_chainedRule;
-        }
-        if (a->m_chained && a->m_chainedRule == NULL) {
-            a->m_chainedRule = rule;
+    if (lastRule && lastRule->m_chained) {
+        if (lastRule->m_chainedRule == NULL) {
+            rule->m_phase = lastRule->m_phase;
+            lastRule->m_chainedRule = rule;
+            if (rule->containsDisruptiveAction()) {
+                m_parserError << "Disruptive actions can only be specified by";
+                m_parserError << " chain starter rules.";
+                return false;
+            }
             return true;
+        } else {
+            Rule *a = lastRule->m_chainedRule;
+            while (a->m_chained && a->m_chainedRule != NULL) {
+                a = a->m_chainedRule;
+            }
+            if (a->m_chained && a->m_chainedRule == NULL) {
+                a->m_chainedRule = rule;
+                if (a->containsDisruptiveAction()) {
+                    m_parserError << "Disruptive actions can only be ";
+                    m_parserError << "specified by chain starter rules.";
+                    return false;
+                }
+                return true;
+            }
         }
     }
 
+
     /*
      * Checking if the rule has an ID and also checking if this ID is not used
      * by other rule
diff --git a/src/rule.cc b/src/rule.cc
@@ -706,6 +706,27 @@ bool Rule::evaluate(Transaction *trans,
 }
 
 
+bool Rule::containsDisruptiveAction() {
+    for (Action *a : m_actionsRuntimePos) {
+        if (a->isDisruptive() == true) {
+            return true;
+        }
+    }
+    for (Action *a : m_actionsRuntimePre) {
+        if (a->isDisruptive() == true) {
+            return true;
+        }
+    }
+    for (Action *a : m_actionsConf) {
+        if (a->isDisruptive() == true) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
+
 std::vector<actions::Action *> Rule::getActionsByName(const std::string& name) {
     std::vector<actions::Action *> ret;
     for (auto &z : m_actionsRuntimePos) {
diff --git a/test/test-cases/regression/config-calling_phases_by_name.json b/test/test-cases/regression/config-calling_phases_by_name.json
@@ -2,7 +2,7 @@
   {
     "enabled":1,
     "version_min":300000,
-    "title":"Testing Variables :: MATCHED_VAR (1/2)",
+    "title":"Testing Config :: Phases by name (1/2)",
     "client":{
       "ip":"200.249.12.31",
       "port":123
@@ -35,14 +35,14 @@
     },
     "rules":[
       "SecRuleEngine On",
-      "SecRule ARGS:key \"@contains other_value\" \"id:1,phase:request,chain\"",
-      "SecRule MATCHED_VAR \"@contains asdf\" \"phase:request,pass\""
+      "SecRule ARGS:key \"@contains other_value\" \"id:1,phase:request,pass,chain\"",
+      "SecRule MATCHED_VAR \"@contains asdf\" \"\""
     ]
   },
   {
     "enabled":1,
     "version_min":300000,
-    "title":"Testing Variables :: MATCHED_VAR (2/2)",
+    "title":"Testing Config :: Phases by name (2/2)",
     "client":{
       "ip":"200.249.12.31",
       "port":123
@@ -75,8 +75,8 @@
     },
     "rules":[
       "SecRuleEngine On",
-      "SecRule ARGS:key \"@contains other_value\" \"chain,phase:response,id:28\"",
-      "SecRule MATCHED_VAR \"@contains Aasdf\" \"pass\"",
+      "SecRule ARGS:key \"@contains other_value\" \"chain,pass,phase:response,id:28\"",
+      "SecRule MATCHED_VAR \"@contains Aasdf\" \"\"",
       "SecRule MATCHED_VAR \"@contains other_value\" \"id:29,phase:response,pass\"",
       "SecRule MATCHED_VAR \"@contains other_value\" \"id:30,phase:response,pass\""
     ]
diff --git a/test/test-cases/regression/variable-MATCHED_VAR.json b/test/test-cases/regression/variable-MATCHED_VAR.json
@@ -35,8 +35,8 @@
     },
     "rules":[
       "SecRuleEngine On",
-      "SecRule ARGS:key \"@contains other_value\" \"chain,id:28\"",
-      "SecRule MATCHED_VAR \"@contains asdf\" \"pass\""
+      "SecRule ARGS:key \"@contains other_value\" \"chain,id:28,pass\"",
+      "SecRule MATCHED_VAR \"@contains asdf\" \"\""
     ]
   },
   {
@@ -75,8 +75,9 @@
     },
     "rules":[
       "SecRuleEngine On",
-      "SecRule ARGS:key \"@contains other_value\" \"chain,id:28\"",
-      "SecRule MATCHED_VAR \"@contains Aasdf\" \"pass\"",
+      "SecRule ARGS:key \"@contains other_value\" \"chain,id:28,pass\"",
+      "SecRule MATCHED_VAR \"@contains Aasdf\" \"\"",
+
       "SecRule MATCHED_VAR \"@contains other_value\" \"id:29,pass\"",
       "SecRule MATCHED_VAR \"@contains other_value\" \"id:30,pass\""
     ]
diff --git a/test/test-cases/regression/variable-MATCHED_VARS.json b/test/test-cases/regression/variable-MATCHED_VARS.json
@@ -35,9 +35,9 @@
     },
     "rules":[
       "SecRuleEngine On",
-      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
+      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",
       "SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
-      "SecRule MATCHED_VARS \"@contains asdf\" \"pass\""
+      "SecRule MATCHED_VARS \"@contains asdf\" \"\""
     ]
   },
   {
@@ -76,9 +76,9 @@
     },
     "rules":[
       "SecRuleEngine On",
-      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
+      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",
       "SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
-      "SecRule MATCHED_VARS \"@contains asdf\" \"pass\"",
+      "SecRule MATCHED_VARS \"@contains asdf\" \"\"",
       "SecRule MATCHED_VARS \"@contains value\" \"id:29\""
     ]
   }
diff --git a/test/test-cases/regression/variable-MATCHED_VARS_NAMES.json b/test/test-cases/regression/variable-MATCHED_VARS_NAMES.json
@@ -35,9 +35,9 @@
     },
     "rules":[
       "SecRuleEngine On",
-      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
+      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",
       "SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
-      "SecRule MATCHED_VARS_NAMES \"@contains asdf\" \"pass\""
+      "SecRule MATCHED_VARS_NAMES \"@contains asdf\" \"\""
     ]
   },
   {
@@ -76,9 +76,9 @@
     },
     "rules":[
       "SecRuleEngine On",
-      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
+      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",
       "SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
-      "SecRule MATCHED_VARS_NAMES \"@contains asdf\" \"pass\"",
+      "SecRule MATCHED_VARS_NAMES \"@contains asdf\" \"\"",
       "SecRule MATCHED_VARS_NAMES \"@contains value\" \"id:29\""
     ]
   }
diff --git a/test/test-cases/regression/variable-MATCHED_VAR_NAME.json b/test/test-cases/regression/variable-MATCHED_VAR_NAME.json
@@ -35,9 +35,9 @@
     },
     "rules":[
       "SecRuleEngine On",
-      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
+      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",
       "SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
-      "SecRule MATCHED_VAR_NAME \"@contains asdf\" \"pass\""
+      "SecRule MATCHED_VAR_NAME \"@contains asdf\" \"\""
     ]
   },
   {
@@ -76,9 +76,9 @@
     },
     "rules":[
       "SecRuleEngine On",
-      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",
+      "SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",
       "SecRule ARGS:keyII \"@contains other_value\" \"chain\"",
-      "SecRule MATCHED_VAR_NAME \"@contains asdf\" \"pass\"",
+      "SecRule MATCHED_VAR_NAME \"@contains asdf\" \"\"",
       "SecRule MATCHED_VAR_NAME \"@contains value\" \"id:29\""
     ]
   }

Original file line number	Diff line number	Diff line change
`@@ -35,9 +35,9 @@`
`35`	`35`	`},`
`36`	`36`	`"rules":[`
`37`	`37`	`"SecRuleEngine On",`
`38`		`- "SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",`
	`38`	`+ "SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",`
`39`	`39`	`"SecRule ARGS:keyII \"@contains other_value\" \"chain\"",`
`40`		`- "SecRule MATCHED_VARS \"@contains asdf\" \"pass\""`
	`40`	`+ "SecRule MATCHED_VARS \"@contains asdf\" \"\""`
`41`	`41`	`]`
`42`	`42`	`},`
`43`	`43`	`{`
`@@ -76,9 +76,9 @@`
`76`	`76`	`},`
`77`	`77`	`"rules":[`
`78`	`78`	`"SecRuleEngine On",`
`79`		`- "SecRule ARGS:keyI \"@contains value\" \"chain,id:28\"",`
	`79`	`+ "SecRule ARGS:keyI \"@contains value\" \"chain,id:28,pass\"",`
`80`	`80`	`"SecRule ARGS:keyII \"@contains other_value\" \"chain\"",`
`81`		`- "SecRule MATCHED_VARS \"@contains asdf\" \"pass\"",`
	`81`	`+ "SecRule MATCHED_VARS \"@contains asdf\" \"\"",`
`82`	`82`	`"SecRule MATCHED_VARS \"@contains value\" \"id:29\""`
`83`	`83`	`]`
`84`	`84`	`}`