Failed to load locate the unicode map file from: unicode.mapping 20127

[tinyoafman]

Describe the bug

v3 of ModSecurity - pulling from master branch.

Running mod security on Nginx inside docker container using ModSecurity nginx connector and getting the following error when the container starts up:

"modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/modsecurity.conf. Line: 192. Column: 17. Failed to load locate the unicode map file from: unicode.mapping 20127 Looking at: 'unicode.mapping 20127', 'unicode.mapping 20127', '/etc/nginx/modsec/unicode.mapping 20127', '/etc/nginx/modsec/unicode.mapping 20127'. in /etc/nginx/nginx.conf:17

nginx.conf (/etc/nginx/nginx.conf)

load_module modules/ngx_http_modsecurity_module.so;
error_log /dev/stdout ${LOG_LEVEL};

events {
  worker_connections 1024;
}

http {
    access_log /dev/stdout;
    server_tokens off;
    server {
        listen 443 ssl;
        server_name waf;
        ssl_certificate certs/cert.pem;
        ssl_certificate_key certs/key.pem;
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;


        location / {
            proxy_pass https://${LOCATION_ADDRESS};
            modsecurity on;
        }

        error_page 403 404 405 500 501 502 503 504 /error/error.html;

        location ^~ /error/ {
            internal;
            root /usr/share/nginx;
            modsecurity off;
        }

        location = /amihealthy {
            return 200;
        }
    }
}

Dockerfile

FROM nginx:1.15.3-alpine
RUN set -xe && \
    apk --no-cache update && \
        apk add --no-cache --virtual .build-deps \
        gcc \
        libc-dev \
        make \
        openssl-dev \
        pcre-dev \
        zlib-dev \
        linux-headers \
        curl \
        gnupg \
        libxslt-dev \
        gd-dev \
        perl-dev \
        py-pip \
        py-setuptools \
    && apk add --no-cache --virtual .libmodsecurity-deps \
        pcre-dev \
        libxml2-dev \
        automake \
        autoconf \
        g++ \
        flex \
        bison \
        yajl-dev \
    # dependencies that should not be removed
    && apk add --no-cache \
        libtool \
        doxygen \
        geoip \
        geoip-dev \
        yajl \
        libstdc++ \
        git \
        sed \
        python

# install aws cli
RUN set -xe && \
    pip --no-cache-dir install --upgrade pip && \
    pip --no-cache-dir install awscli

# install modsecurity
WORKDIR /opt/ModSecurity
RUN set -xe && \
    git clone -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity . && \
    git submodule init && \
    git submodule update && \
    ./build.sh && \
    ./configure && make && make install

# install nginx connector
WORKDIR /opt
RUN git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git && \
    wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
    tar zxvf nginx-$NGINX_VERSION.tar.gz

WORKDIR /opt/nginx-$NGINX_VERSION
RUN set -xe && \
    ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx && \
    make modules && \
    cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

# install owasp ruleset
WORKDIR /opt
RUN set -xe && \
    git clone -b v3.0/master https://github.com/SpiderLabs/owasp-modsecurity-crs && \
    mv owasp-modsecurity-crs/ /usr/local/

RUN set -xe && \
    mkdir /etc/nginx/modsec && \
    rm -fr /etc/nginx/nginx.conf

COPY conf/nginx/nginx.conf /etc/nginx/nginx.conf.template
COPY conf/modsec/ /etc/nginx/modsec/
COPY conf/owasp/ /usr/local/owasp-modsecurity-crs/
COPY error/ /usr/share/nginx/error/
COPY certs/ /etc/nginx/certs/

# remove unnecessary stuff
RUN set -xe && \
    apk del .build-deps && \
    apk del .libmodsecurity-deps && \
    rm -fr ModSecurity && \
    rm -fr ModSecurity-nginx && \
    rm -fr nginx-$NGINX_VERSION.tar.gz && \
    rm -fr nginx-$NGINX_VERSION && \
    rm -fr /etc/nginx/conf.d

# execute stuff
COPY ./setupEnvAndStart.sh /etc/nginx/
RUN chmod +x /etc/nginx/setupEnvAndStart.sh
CMD ["sh", "-c", ". /etc/nginx/setupEnvAndStart.sh"]

setupEnvAndStart.sh

#! /bin/bash
config=<config>

for i in $(echo $config | sed "s/,/ /g")
do
  export $i
done

envsubst < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
exec nginx -g 'daemon off;'

modsecurity.conf

Used the modsecurity.conf-recommended

Logs and dumps

[emerg] 1#1: "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/modsecurity.conf. Line: 192. Column: 17. Failed to load locate the unicode map file from: unicode.mapping 20127 Looking at: 'unicode.mapping 20127', 'unicode.mapping 20127', '/etc/nginx/modsec/unicode.mapping 20127', '/etc/nginx/modsec/unicode.mapping 20127'. in /etc/nginx/nginx.conf:17

nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/modsecurity.conf. Line: 192. Column: 17. Failed to load locate the unicode map file from: unicode.mapping 20127 Looking at: 'unicode.mapping 20127', 'unicode.mapping 20127', '/etc/nginx/modsec/unicode.mapping 20127', '/etc/nginx/modsec/unicode.mapping 20127'. in /etc/nginx/nginx.conf:17

To Reproduce

Steps to reproduce the behavior:

docker build on the Dockerfile.
Add config values in setupEnvAndStart.sh for variables listed in the nginx.conf above
docker run on resulting image (exposing port 443)

Expected behavior

Nginx should start up without errors, instead it errors as above

Server (please complete the following information):

• ModSecurity version (and connector): ModSecurity v3.0.2 (but pulled from v3/master at build time) with nginx-connector v1.0.0
• WebServer: nginx-1.15.3
• OS (and distro): RHEL 7.5

Rule Set (please complete the following information):

v3.0/master https://github.com/SpiderLabs/owasp-modsecurity-crs

Additional context

This has previously worked - on 23/10/18 this was built with image size of 451.11 MB...today's (25/10/18) build is 462.04 MB - no additional config was included from our end.

[zimmerle]

Hi @tinyoafman,

Thank you for the detailed report. The support for SecUnicodeMapFile was broken and partially fixed on v3/master. The file mentioned on the recommended configuration is available here:
https://github.com/SpiderLabs/ModSecurity/blob/49495f1925a14f74f93cb0ef01172e5abc3e4c55/unicode.mapping#L7-L17

However, as you well noticed, it is not part of v3/master yet.

Yet, there is still an issue on SecUnicodeMapFile, as it is not separating the map code from the file name.

Three things that needs to be done before mark this issue as closed:
1 - Put the unicode.mapping as part of v3/master
2 - Fix SecUnicodeMapFile to better understand the map code (last parameter).
3 - Create a test case for this thing.

Further reading on SecUnicodeMapFile available here.

[victorhora]

1 - Put the unicode.mapping as part of v3/master

Added as of 662fe63.

The error message "Failed to load locate the unicode map file" should go away as long as the file is on the same directory as the configuration file. Alternatively, the user can also change / disable the functionality on the modsecurity.conf-recommended.

2 - Fix SecUnicodeMapFile to better understand the map code (last parameter).
3 - Create a test case for this thing.

Working on it :)

same issue, and Even If the unicode.mapping file is placed inside the configuration folder, still the Nginx can't be started.

Nginx does detect the file unicode.mapping , but can't make use of it .

[victorhora]

@sp9ood

I can not reproduce the same issue. Are you sure you are running the latest commit from master? As of 662fe63 the unicode.mapping file is available on the v3/master branch and Nginx with libModSecurity should start fine.

The SecUnicodeMapFile directive using the syntax from modsecurity.conf-recommended should not cause errors if the file is present.

[victorhora]

Results of some testing with SecUnicodeMapFile:

Rules:

SecRule "ARGS" "@contains dop" "phase:2,id:210839,deny,log,auditlog,msg:BOOM,t:none,t:utf8toUnicode,t:urlDecodeUni,multiMatch"
SecUnicodeMapFile unicode.mapping-1251 1251

Content of unicode.mapping-1251 file:

1251 0434:64 043e:6f 0440:70

Request:

curl -v /?http://127.0.0.1:80/?a=дор

V2 debug logs without SecUnicodeMapFile specified:

18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][4] Recipe: Invoking rule 55811caa30c0; [file "/usr/local/nginx/conf/modsecurity.conf"] [line "296"] [id "210839"].
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][5] Rule 55811caa30c0: SecRule "ARGS" "@contains dop" "phase:2,id:210839,deny,log,auditlog,msg:BOOM,t:none,t:utf8toUnicode,t:urlDecodeUni,multiMatch"
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][4] Transformation completed in 1 usec.
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][4] Executing operator "contains" with param "dop" against ARGS:a.
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][9] Target value: "\xd0\xb4\xd0\xbe\xd1\x80"
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][4] Operator completed in 1 usec.
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][9] T (0) Utf8toUnicode: "%u0434%u043e%u0440"
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][4] Transformation completed in 24 usec.
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][4] Executing operator "contains" with param "dop" against ARGS:a.
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][9] Target value: "%u0434%u043e%u0440"
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][4] Operator completed in 1 usec.
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][9] T (0) urlDecodeUni: "4>@"
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][4] Transformation completed in 44 usec.
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][4] Executing operator "contains" with param "dop" against ARGS:a.
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][9] Target value: "4>@"
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][4] Operator completed in 0 usec.
[18/Oct/2018:07:59:06 --0400] [127.0.0.1/sid#55811ca68c50][rid#55811cadd820][/][4] Rule returned 0.

V2 debug logs with SecUnicodeMapFile specified:

[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][4] Recipe: Invoking rule 55961dcc12c8; [file "/usr/local/nginx/conf/modsecurity.conf"] [line "296"] [id "210839"].
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][5] Rule 55961dcc12c8: SecRule "ARGS" "@contains dop" "phase:2,id:210839,deny,log,auditlog,msg:BOOM,t:none,t:utf8toUnicode,t:urlDecodeUni,multiMatch"
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][4] Transformation completed in 1 usec.
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][4] Executing operator "contains" with param "dop" against ARGS:a.
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][9] Target value: "\xd0\xb4\xd0\xbe\xd1\x80"
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][4] Operator completed in 1 usec.
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][9] T (0) Utf8toUnicode: "%u0434%u043e%u0440"
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][4] Transformation completed in 23 usec.
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][4] Executing operator "contains" with param "dop" against ARGS:a.
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][9] Target value: "%u0434%u043e%u0440"
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][4] Operator completed in 0 usec.
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][9] T (0) urlDecodeUni: "dop"
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][4] Transformation completed in 43 usec.
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][4] Executing operator "contains" with param "dop" against ARGS:a.
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][9] Target value: "dop"
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][4] Operator completed in 0 usec.
[18/Oct/2018:08:53:30 --0400] [127.0.0.1/sid#55961dc86c50][rid#55961dcfb820][/][4] Rule returned 1.

V3 debug logs with/without SecUnicodeMapFile specified:

[153986746362.341084] [/?a=дор] [4] (Rule: 210839) Executing operator "Contains" with param "dop" against ARGS.
[153986746362.341084] [/?a=дор] [9]  T (1) t:utf8toUnicode: "%u0434%u043e%u0440"
[153986746362.341084] [/?a=дор] [9]  T (2) t:urlDecodeUni: "4>@"
[153986746362.341084] [/?a=дор] [9] multiMatch is enabled. 3 values to be tested.
[153986746362.341084] [/?a=дор] [9] Target value: "\xd0\xb4\xd0\xbe\xd1\x80" (Variable: ARGS:a)
[153986746362.341084] [/?a=дор] [9] Target value: "%u0434%u043e%u0440" (Variable: ARGS:a)
[153986746362.341084] [/?a=дор] [9] Target value: "4>@" (Variable: ARGS:a)
[153986746362.341084] [/?a=дор] [4] Rule returned 0.
[153986746362.341084] [/?a=дор] [9] Matched vars cleaned.

Translating this into a test case for v3.

[nasatome]

same issue with v3/master: 662fe63

@victorhora

First this Error

nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/modsecurity.conf. Line: 234. Column: 17. Failed to load locate the unicode map file from: unicode.mapping 20127 Looking at: 'unicode.mapping 20127', 'unicode.mapping 20127', '/etc/nginx/modsec/unicode.mapping 20127', '/etc/nginx/modsec/unicode.mapping 20127'. in /etc/nginx/nginx.conf:28
nginx: configuration file /etc/nginx/nginx.conf test failed

Then $ sudo cp ~/ModSecurity/unicode.mapping /etc/nginx/modsec/

$ sudo nginx -t
Segmentation fault

$systemctl status nginx.service
● nginx.service - nginx - high performance web server
Loaded: loaded (/etc/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: core-dump) since Mon 2018-10-29 06:13:10 UTC; 7s ago

Commenting out #SecUnicodeMapFile unicode.mapping 20127

Makes Everything Normal.

[Jumbledwords]

I'm encountering this issue as well, except not in a docker. I'm running a minimal install of Ubuntu server.

Shubham-Panwar describes exactly what I encountered.

[AnoopAlias]

ls /etc/nginx/conf.d/modsecurity.conf /etc/nginx/conf.d/unicode.mapping

/etc/nginx/conf.d/modsecurity.conf /etc/nginx/conf.d/unicode.mapping

This works ( I mean having modsecurity.conf and unicode.mapping in the same folder)