Update Regex util to support match limits

If the rx or rxGlobal operator encounters a regex error,
the RX_ERROR and RX_ERROR_RULE_ID variables are set.
RX_ERROR contains a simple error code which can be either
OTHER or MATCH_LIMIT. RX_ERROR_RULE_ID unsurprisingly
contains the ID of the rule associated with the error.
More than one rule may encounter regex errors,
but only the first error is reflected in these variables.

Author: brandonpayton

headers/modsecurity/rules_set_properties.h

@@ -379,6 +379,7 @@ class RulesSetProperties {
                                     from->m_responseBodyLimitAction,
                                     PropertyNotSetBodyLimitAction);
 
+        to->m_pcreMatchLimit.merge(&from->m_pcreMatchLimit);
         to->m_uploadFileLimit.merge(&from->m_uploadFileLimit);
         to->m_uploadFileMode.merge(&from->m_uploadFileMode);
         to->m_uploadDirectory.merge(&from->m_uploadDirectory);
@@ -470,6 +471,7 @@ class RulesSetProperties {
     ConfigDouble m_requestBodyLimit;
     ConfigDouble m_requestBodyNoFilesLimit;
     ConfigDouble m_responseBodyLimit;
+    ConfigInt m_pcreMatchLimit;
     ConfigInt m_uploadFileLimit;
     ConfigInt m_uploadFileMode;
     DebugLog *m_debugLog;

headers/modsecurity/transaction.h

@@ -184,6 +184,8 @@ class TransactionAnchoredVariables {
         m_variableUniqueID(t, "UNIQUE_ID"),
         m_variableUrlEncodedError(t, "URLENCODED_ERROR"),
         m_variableUserID(t, "USERID"),
+        m_variableRxError(t, "RX_ERROR"),
+        m_variableRxErrorRuleID(t, "RX_ERROR_RULE_ID"),
         m_variableArgs(t, "ARGS"),
         m_variableArgsGet(t, "ARGS_GET"),
         m_variableArgsPost(t, "ARGS_POST"),
@@ -265,6 +267,8 @@ class TransactionAnchoredVariables {
     AnchoredVariable m_variableUniqueID;
     AnchoredVariable m_variableUrlEncodedError;
     AnchoredVariable m_variableUserID;
+    AnchoredVariable m_variableRxError;
+    AnchoredVariable m_variableRxErrorRuleID;
 
     AnchoredSetVariable m_variableArgs;
     AnchoredSetVariable m_variableArgsGet;

src/operators/rx.cc

@@ -51,12 +51,41 @@ bool Rx::evaluate(Transaction *transaction, RuleWithActions *rule,
         re = m_re;
     }
 
-    std::vector<Utils::SMatchCapture> captures;
     if (re->hasError()) {
         ms_dbg_a(transaction, 3, "Error with regular expression: \"" + re->pattern + "\"");
         return false;
     }
-    re->searchOneMatch(input, captures);
+
+    Utils::RegexResult regex_result;
+    std::vector<Utils::SMatchCapture> captures;
+
+    if (transaction && transaction->m_rules->m_pcreMatchLimit.m_set) {
+        unsigned long match_limit = transaction->m_rules->m_pcreMatchLimit.m_value;
+        regex_result = re->searchOneMatch(input, captures, match_limit);
+    } else {
+        regex_result = re->searchOneMatch(input, captures);
+    }
+
+    // FIXME: DRY regex error reporting. This logic is currently duplicated in other operators.
+    if (regex_result != Utils::RegexResult::Ok) {
+        std::string regex_error_str = "OTHER";
+        if (regex_result == Utils::RegexResult::ErrorMatchLimit) {
+            regex_error_str = "MATCH_LIMIT";
+        }
+
+        ms_dbg_a(transaction, 1, "rx: regex error '" + regex_error_str + "' for pattern '" + re->pattern + "'");
+
+        // Only expose the first regex error to indicate there is an issue
+        if (rule && transaction && transaction->m_variableRxError.m_value.empty()) {
+            transaction->m_variableRxError.set(regex_error_str, transaction->m_variableOffset);
+            transaction->m_variableRxErrorRuleID.set(
+                std::to_string(rule->m_ruleId),
+                transaction->m_variableOffset
+            );
+        }
+
+        return false;
+    }
 
     if (rule && rule->hasCaptureAction() && transaction) {
         for (const Utils::SMatchCapture& capture : captures) {

src/operators/rx_global.cc

@@ -51,8 +51,36 @@ bool RxGlobal::evaluate(Transaction *transaction, RuleWithActions *rule,
         re = m_re;
     }
 
+    Utils::RegexResult regex_result;
     std::vector<Utils::SMatchCapture> captures;
-    re->searchGlobal(input, captures);
+    if (transaction && transaction->m_rules->m_pcreMatchLimit.m_set) {
+        unsigned long match_limit = transaction->m_rules->m_pcreMatchLimit.m_value;
+        regex_result = re->searchGlobal(input, captures, match_limit);
+    } else {
+        regex_result = re->searchGlobal(input, captures);
+    }
+
+    // FIXME: DRY regex error reporting. This logic is currently duplicated in other operators.
+    if (regex_result != Utils::RegexResult::Ok) {
+        std::string regex_error_str = "OTHER";
+        if (regex_result == Utils::RegexResult::ErrorMatchLimit) {
+            regex_error_str = "MATCH_LIMIT";
+        }
+
+        ms_dbg_a(transaction, 1, "rxGlobal: regex error '" + regex_error_str + "' for pattern '" + re->pattern + "'");
+
+        // Only expose the first regex error to indicate there is an issue
+        if (rule && transaction && transaction->m_variableRxError.m_value.empty()) {
+            transaction->m_variableRxError.set(regex_error_str, transaction->m_variableOffset);
+            transaction->m_variableRxErrorRuleID.set(
+                std::to_string(rule->m_ruleId),
+                transaction->m_variableOffset
+            );
+        }
+
+        return false;
+    }
+
 
     if (rule && rule->hasCaptureAction() && transaction) {
         for (const Utils::SMatchCapture& capture : captures) {

src/parser/location.hh

@@ -1,4 +1,4 @@
-// A Bison parser, made by GNU Bison 3.7.6.
+// A Bison parser, made by GNU Bison 3.7.5.
 
 // Locations for Bison parsers in C++
 
@@ -15,7 +15,7 @@
 // GNU General Public License for more details.
 
 // You should have received a copy of the GNU General Public License
-// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 // As a special exception, you may create a larger work that contains
 // part or all of the Bison parser skeleton and distribute that work

src/parser/position.hh

@@ -1,4 +1,4 @@
-// A Bison parser, made by GNU Bison 3.7.6.
+// A Bison parser, made by GNU Bison 3.7.5.
 
 // Starting with Bison 3.2, this file is useless: the structure it
 // used to define is now defined in "location.hh".