From 83c31de9abf9cd864737c7d473d2a233a44f83ff Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Fri, 11 Jan 2019 08:24:45 +0000 Subject: [PATCH 01/10] Added some other fixes to build workflow --- Makefile.am | 11 ++- build/ax_prog_apache.m4 | 10 ++- .../regression/misc/60-pmfromfile-external.t | 84 ------------------- 3 files changed, 18 insertions(+), 87 deletions(-) delete mode 100644 tests/regression/misc/60-pmfromfile-external.t diff --git a/Makefile.am b/Makefile.am index e4aedc1..980cd02 100644 --- a/Makefile.am +++ b/Makefile.am @@ -18,11 +18,18 @@ CLEANFILES = \ t/conf/httpd.conf \ t/conf/apache_test_config.pm \ t/conf/httpd.conf \ + t/conf/mime.types \ + t/conf/modules.conf \ src/*.lo \ - src/*.slo + src/*.slo \ + src/*.o \ + src/*.so \ + src/.libs/*.so + CLEANDIRECTORIES = \ - t/logs + t/logs \ + src/.libs all: diff --git a/build/ax_prog_apache.m4 b/build/ax_prog_apache.m4 index b1dd5c6..aad2f2d 100644 --- a/build/ax_prog_apache.m4 +++ b/build/ax_prog_apache.m4 @@ -114,6 +114,9 @@ AC_DEFUN([AX_PROG_APACHE], if test -z "$APACHE" ; then AC_PATH_PROG(APACHE, httpd, , /usr/local/apache/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/usr/local/apache2/bin) fi + if test -z "$APACHE" ; then + AC_PATH_PROG(APACHE, apache2, , /usr/local/apache/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/usr/local/apache2/bin) + fi AC_SUBST(APACHE) if test -z "$APACHE" ; then AC_MSG_ERROR("apache server executable not found"); @@ -149,7 +152,12 @@ AC_DEFUN([AX_PROG_APACHE], # # Find out if .so modules are in libexec/module.so or modules/module.so # - HTTP_ROOT=`$APACHE -V | grep HTTPD_ROOT | sed -e 's/.*"\(.*\)"/\1/'` + if test -f /etc/apache2/envvars + then + HTTP_ROOT=`. /etc/apache2/envvars && $APACHE -V | grep HTTPD_ROOT | sed -e 's/.*"\(.*\)"/\1/'` + else + HTTP_ROOT=`$APACHE -V | grep HTTPD_ROOT | sed -e 's/.*"\(.*\)"/\1/'` + fi AC_MSG_CHECKING(apache modules) for dir in libexec modules do 
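Review bot: In the second `build/ax_prog_apache.m4` hunk `/etc/apache2/envvars` is sourced whenever that file exists, independently of which binary the `AC_PATH_PROG` calls above selected, so a configure run that found a self-built `httpd` on a host that also ships Debian's apache2 still executes that system shell file and runs `$APACHE -V` under its environment. Tying the branch to the detected binary (for example a `case $APACHE in *apache2)` test alongside the `test -f` check) keeps that side effect to the case the hunk was added for; the `&&` inside the backticks at least confines the sourced variables to the subshell. A failed source also leaves `HTTP_ROOT` empty with no diagnostic, and the `AC_MSG_CHECKING(apache modules)` loop below then presumably reports only that no module directory was found, so an `AC_MSG_WARN([could not determine HTTPD_ROOT from $APACHE -V])` when `HTTP_ROOT` is empty would make the real failure visible. The `AX_PROG_APACHE` macro body begins and ends outside both hunks.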
diff --git a/tests/regression/misc/60-pmfromfile-external.t b/tests/regression/misc/60-pmfromfile-external.t deleted file mode 100644 index 2910ed1..0000000 --- a/tests/regression/misc/60-pmfromfile-external.t +++ /dev/null 
@@ -1,84 +0,0 @@ -### pmfromfile external resource - -{ - type => "misc", - comment => "pmfromfile", - conf => qq( - SecRuleEngine On - SecDebugLog $ENV{DEBUG_LOG} - SecDebugLogLevel 9 - SecRequestBodyAccess On - SecRule REQUEST_FILENAME "\@pmFromFile https://www.modsecurity.org/modsecurity-regression-test.txt" "id:'123',phase:2,log,pass,t:none" - ), - match_log => { - error => [ qr/ModSecurity: Warning. Matched phrase \"127.0.0.1\" at REQUEST_FILENAME./, 1], - debug => [ qr/Matched phrase \"127.0.0.1\" at REQUEST_FILENAME/, 1 ], - -error => [ qr/ModSecurity: Problems loading external resources:/, 1], - }, - match_response => { - status => qr/^404$/, - }, - request => new HTTP::Request( - POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/127.0.0.1.html", - [ - "Content-Type" => "application/x-www-form-urlencoded", - ], - # Args - "some_variable=-1' and 1=1 union/* foo */select load_file('/etc/passwd')--" - ), -}, -{ - type => "misc", - comment => "pmfromfile - 404 download", - conf => qq( - SecRuleEngine On - SecDebugLog $ENV{DEBUG_LOG} - SecDebugLogLevel 9 - SecRequestBodyAccess On - SecRemoteRulesFailAction Warn - SecRule REQUEST_FILENAME "\@pmFromFile https://www.modsecurity.org/modsecurity-regression-test-404.txt" "id:'123',phase:2,log,pass,t:none" - - ), - match_log => { - error => [ qr/ModSecurity: Problems loading external resources: Failed to download: \"https:\/\/www.modsecurity.org\/modsecurity-regression-test-404.txt\" error: HTTP response code said error./, 1], - }, - match_response => { - status => qr/^404$/, - }, - request => new HTTP::Request( - POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/127.0.0.1.html", - [ - "Content-Type" => "application/x-www-form-urlencoded", - ], - # Args - "some_variable=-1' and 1=1 union/* foo */select load_file('/etc/passwd')--" - ), -}, -{ - type => "misc", - comment => "pmfromfile - bad certificate name", - conf => qq( - SecRuleEngine On - SecDebugLog $ENV{DEBUG_LOG} - SecDebugLogLevel 9 - SecRequestBodyAccess 
On - SecRemoteRulesFailAction Warn - SecRule REQUEST_FILENAME "\@pmFromFile https://status.modsecurity.org/modsecurity-regression-test.txt" "id:'123',phase:2,log,pass,t:none" - - ), - match_log => { - error => [ qr/ModSecurity: Problems loading external resources: Failed to download: \"https:\/\/status.modsecurity.org\/modsecurity-regression-test.txt\" error: [SSL peer certificate or SSH remote key was not OK.|Couldn't connect to server.]/, 1], - }, - match_response => { - status => qr/^404$/, - }, - request => new HTTP::Request( - POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/127.0.0.1.html", - [ - "Content-Type" => "application/x-www-form-urlencoded", - ], - # Args - "some_variable=-1' and 1=1 union/* foo */select load_file('/etc/passwd')--" - ), -}, - From 7a8c78f3d20a4848bdd7e6eb056e808a184b164e Mon Sep 17 00:00:00 2001 From: Victor Hora Date: Sun, 20 Jan 2019 12:54:52 -0500 Subject: [PATCH 02/10] Add basic usage docs Thanks to @porjo for reminding us to do that :) --- README.md | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) diff --git a/README.md b/README.md index e9a1a1d..9031160 100644 --- a/README.md +++ b/README.md 
@@ -31,6 +31,89 @@ $ make $ sudo make install ``` +# Usage + +libModSecurity for Apache extends your configuration directives. In order to load the module into Apache add the following directive to your Apache configuration: + +``` +LoadModule security3_module modules/mod_security3.so +``` + +The module adds new directives to Apache and some them are documented below: + +modsecurity +----------- +**syntax:** *modsecurity on | off* + +**context:** *http, server, location* + +**default:** *off* + +Turns on or off ModSecurity functionality. +Note that this configuration directive is no longer related to the SecRule state. +Instead, it now serves solely as an Apache flag to enable or disable the module. + +modsecurity_rules_file +---------------------- +**syntax:** *modsecurity_rules_file <path to rules file>* + +**context:** *http, server, location* + +**default:** *no* + +Specifies the location of the ModSecurity configuration file, e.g.: + +``` +modsecurity on +modsecurity_rules_file /etc/my_modsecurity_rules.conf; +``` + +modsecurity_rules_remote +------------------------ +**syntax:** *modsecurity_rules_remote <key> <URL to rules>* + +**context:** *http, server, location* + +**default:** *no* + +Specifies from where (on the internet) a modsecurity configuration file will be downloaded. +It also specifies the key that will be used to authenticate to that server: + +``` +modsecurity on +modsecurity_rules_remote my-server-key https://my-own-server/rules/download; +``` + +modsecurity_rules +----------------- +**syntax:** *modsecurity_rules <modsecurity rule>* + +**context:** *http, server, location* + +**default:** *no* + +Allows for the direct inclusion of a ModSecurity rule into the Apache configuration. 
+The following example is loading rules from a file and injecting specific configurations per directory/alias: + +``` +TODO +``` + +modsecurity_transaction_id +-------------------------- +**syntax:** *modsecurity_transaction_id string* + +**context:** *http, server, location* + +**default:** *no* + +Allows to pass transaction ID from Apache instead of generating it in the library. +This can be useful for tracing purposes, e.g. consider this configuration: + +``` +TODO +``` + # Contributing As an open source project we invite (and encourage) anyone from the community to contribute to our project. This may take the form of: new From f76aaae5495291202404a0d2f548cfd2c025a9cb Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Fri, 11 Jan 2019 12:20:23 +0000 Subject: [PATCH 03/10] Fix make test --- src/msc_filters.c | 3 +++ t/conf/extra.conf.in | 2 ++ 2 files changed, 5 insertions(+) diff --git a/src/msc_filters.c b/src/msc_filters.c index ab9b9dd..3a18e21 100644 --- a/src/msc_filters.c +++ b/src/msc_filters.c @@ -62,6 +62,9 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut, return send_error_bucket(msr, f, it); } + // FIXME: Now we should have the body. Is this sane? + msc_process_request_body(msr->t); + pbktOut = apr_bucket_heap_create(data, len, 0, c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(pbbOut, pbktOut); apr_bucket_delete(pbktIn); diff --git a/t/conf/extra.conf.in b/t/conf/extra.conf.in index eb267a4..6518559 100644 --- a/t/conf/extra.conf.in +++ b/t/conf/extra.conf.in @@ -20,6 +20,7 @@ modsecurity_rules 'SecDebugLogLevel 9' + modsecurity_rules 'SecRequestBodyAccess On' modsecurity_rules 'SecRule ARGS "evil" "phase:2,id:112,log,status:403,block,deny"' @@ -43,6 +44,7 @@ modsecurity_rules 'SecDebugLogLevel 9' + modsecurity_rules 'SecRequestBodyAccess On' modsecurity_rules 'SecRule ARGS "evil" "phase:2,id:112,log,status:402,block,deny"' From f692ea994e1d4ad0b3fb4cafa4f6a4909d756147 Mon Sep 17 00:00:00 2001 
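Review bot: The added `msc_process_request_body(msr->t)` call in `src/msc_filters.c` discards its result and is not followed by an intervention check, although the error path a few lines above already has an intervention object `it` and `send_error_bucket(msr, f, it)` to hand, so a phase:2 rule that decides to block while the body is evaluated here is acted upon only if some later hook re-checks the transaction, which this hunk does not show. Following the call with `if (msc_intervention(msr->t, it)) { return send_error_bucket(msr, f, it); }` would keep the disruption at the point where it is decided, assuming `it` is the same intervention struct used above. The `FIXME` comment should also record why the body is considered complete when the filter reaches this point (for example which bucket was seen), since an input filter can be invoked more than once per request and the call is made unconditionally. `input_filter` begins and ends outside the hunk.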
From: Felipe Zimmerle Date: Wed, 22 Apr 2020 10:01:05 -0300 Subject: [PATCH 04/10] Makes it workable with v3/master --- src/mod_security3.c | 4 ++-- src/mod_security3.h | 12 +++++++++++- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/src/mod_security3.c b/src/mod_security3.c index f3ce7b0..76b3fb7 100644 --- a/src/mod_security3.c +++ b/src/mod_security3.c @@ -148,10 +148,10 @@ static msc_t *create_tx_context(request_rec *r) { unique_id = getenv("UNIQUE_ID"); if (unique_id != NULL && strlen(unique_id) > 0) { msr->t = msc_new_transaction_with_id(msc_apache->modsec, - (Rules *)z->rules_set, unique_id, (void *)r); + z->rules_set, unique_id, (void *)r); } else { msr->t = msc_new_transaction(msc_apache->modsec, - (Rules *)z->rules_set, (void *)r); + z->rules_set, (void *)r); } store_tx_context(msr, r); diff --git a/src/mod_security3.h b/src/mod_security3.h index 258d4eb..b1e9b28 100644 --- a/src/mod_security3.h +++ b/src/mod_security3.h @@ -3,7 +3,17 @@ #include #include +#if defined(MODSECURITY_CHECK_VERSION) +#if MODSECURITY_VERSION_NUM >= 304010 +#define MSC_USE_RULES_SET 1 +#endif +#endif + +#if defined(MSC_USE_RULES_SET) +#include +#else #include +#endif #include #include "apr_buckets.h" @@ -46,7 +56,7 @@ typedef struct typedef struct { - Rules *rules_set; + void *rules_set; int msc_state; char *name_for_debug; } msc_conf_t; From 726260d2ce328579c32765ff58038948e661dee6 Mon Sep 17 00:00:00 2001 From: Samy Mahmoudi Date: Tue, 20 Oct 2020 02:26:25 -0400 Subject: [PATCH 05/10] README: Remove four trailing spaces --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9031160..06c6364 100644 --- a/README.md +++ b/README.md 
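Review bot: Changing `rules_set` to `void *` in the second `src/mod_security3.h` hunk removes the type that let the compiler check the `msc_new_transaction`/`msc_new_transaction_with_id` arguments, and the `src/mod_security3.c` hunk then drops the `(Rules *)` casts so those calls compile against either library layout by implicit conversion only. Since the `MSC_USE_RULES_SET` gate in the first header hunk already selects which header is included, the same `#if` can also select a typedef, keeping the field typed on both library versions and turning a mismatched pointer into a compile error rather than a run-time surprise. The `#if defined(MODSECURITY_CHECK_VERSION)` fallback silently treats any libmodsecurity header that does not define `MODSECURITY_VERSION_NUM` as pre-3.0.4; a one-line comment stating that assumption, e.g. `/* headers without MODSECURITY_VERSION_NUM predate RulesSet (3.0.4) */`, would help whoever builds against a different header. The include file names are not legible in this rendering of the hunk, so the excerpt below leaves them as they are.
```c
#if defined(MSC_USE_RULES_SET)
/* … unchanged: rules_set header include from the hunk … */
typedef RulesSet msc_rules_t;
#else
/* … unchanged: rules header include from the hunk … */
typedef Rules msc_rules_t;
#endif
/* … unchanged: remaining includes and earlier typedefs … */
typedef struct
{
    msc_rules_t *rules_set;   /* typed per library version instead of void * */
    int msc_state;
    char *name_for_debug;
} msc_conf_t;
```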
@@ -5,7 +5,7 @@ [![](https://raw.githubusercontent.com/ZenHubIO/support/master/zenhub-badge.png)](https://zenhub.com) -The ModSecurity-apache connector is the connection point between Apache and libmodsecurity (ModSecurity v3). Said another way, this project provides a communication channel between Apache and libmodsecurity. This connector is required to use LibModSecurity with Apache. +The ModSecurity-apache connector is the connection point between Apache and libmodsecurity (ModSecurity v3). Said another way, this project provides a communication channel between Apache and libmodsecurity. This connector is required to use LibModSecurity with Apache. The ModSecurity-apache connector takes the form of an Apache module. The module simply serves as a layer of communication between Apache and ModSecurity. @@ -132,7 +132,7 @@ Please respect the coding style. Pull requests can include various commits, so p Please respect the coding style in use. Pull requests can include various commits, so provide one fix or one functionality per commit. Do not change anything outside the scope of your target work (e.g. coding style in a function that you have -passed by). +passed by). ### Don’t know where to start? @@ -149,7 +149,7 @@ You may also take a look at recent bug reports and open issues to get an idea of ### Testing your patch Along with the manual testing, we strongly recommend that you to use the Apache test -utility to make sure that you patch does not adversly affect the behavior or performance of Apache. +utility to make sure that you patch does not adversly affect the behavior or performance of Apache. The Apache testing tools are available on: http://httpd.apache.org/test/ 
@@ -158,7 +158,7 @@ To use those tests .... If you are facing problems getting your added functionality to pass all the Apache tests, feel free to contact us or the Apache mailing list at: http://httpd.apache.org/lists.html -### Debugging +### Debugging Because the ModSecurity Apache Connector runs as part of Apache, one needs to debug the Apache process. Debugging may require several steps. In general debugging can be enabled by compiling the Apache connector with debugging as follows: ```CFLAGS="-g -O0" ./configure ...normal configure parameters...)``` From b907ffa11e1b03f88612c10801950c300416cd02 Mon Sep 17 00:00:00 2001 From: Samy Mahmoudi Date: Tue, 20 Oct 2020 02:28:27 -0400 Subject: [PATCH 06/10] README: Correct four typos --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 06c6364..50902d9 100644 --- a/README.md +++ b/README.md 
@@ -14,7 +14,7 @@ Notice that this project depends on libmodsecurity rather than ModSecurity (vers ### What is the difference between this project and the old ModSecurity module for Apache? -The old version of ModSecurity was origionally designed for and contained within an Apache module. This current version abstracts out some of the details allowing ModSecurity to more easily support multiple platforms and features outside beyond the scope of what Apache internals currently support. As a result using the new libmodsecurity engine is no longer reliant on the use of Apache and can be used to power multiple different connectors. As a result of this the current version is more flexible, has wider support, and allows for the support of new functionality that was not previously possible. +The old version of ModSecurity was originally designed for and contained within an Apache module. This current version abstracts out some of the details allowing ModSecurity to more easily support multiple platforms and features outside beyond the scope of what Apache internals currently support. As a result using the new libmodsecurity engine is no longer reliant on the use of Apache and can be used to power multiple different connectors. As a result of this the current version is more flexible, has wider support, and allows for the support of new functionality that was not previously possible. # Compilation @@ -122,7 +122,7 @@ are willing to help with. Thank you. ## Providing Patches -We prefer to have your patch within the GtiHub infrastructure to facilitate our +We prefer to have your patch within the GitHub infrastructure to facilitate our review work, and our QA integration. GitHub provides an excellent documentation on how to perform “Pull Requests”. More information available here: https://help.github.com/articles/using-pull-requests/ 
@@ -186,7 +186,7 @@ security@modsecurity.org to report the issue. Once the problem is fixed we will ## Feature Request -We would love to discuss any ideas that you may have for a new feature. Please keep in mind this is a community driven project so be sure to contact the community via the mailing list to get feedback first. Alternativly, feel free to open GitHub issues requesting for new features. Before opening a new issue, please check if there is an existing feature request for the desired functionalityt. +We would love to discuss any ideas that you may have for a new feature. Please keep in mind this is a community driven project so be sure to contact the community via the mailing list to get feedback first. Alternatively, feel free to open GitHub issues requesting for new features. Before opening a new issue, please check if there is an existing feature request for the desired functionality. ## Packing From 0d9ddcdad93752911eb7556ebd7efcd8b9a18a14 Mon Sep 17 00:00:00 2001 From: Samy Mahmoudi Date: Tue, 20 Oct 2020 02:33:07 -0400 Subject: [PATCH 07/10] README: Add three missing words --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 50902d9..9aa2c59 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ The old version of ModSecurity was originally designed for and contained within # Compilation -Before compile this software make sure that you have libmodsecurity installed. +Before you compile this software make sure that you have libmodsecurity installed. You can download it from the ModSecurity git repository. For information pertaining to the compilation and installation of libmodsecurity please consult the documentation provided along with it. With libmodsecurity installed, you can proceed with the installation of the ModSecurity-apache connector. Run the following commands: 
@@ -39,7 +39,7 @@ libModSecurity for Apache extends your configuration directives. In order to loa LoadModule security3_module modules/mod_security3.so ``` -The module adds new directives to Apache and some them are documented below: +The module adds new directives to Apache and some of them are documented below: modsecurity ----------- @@ -49,7 +49,7 @@ modsecurity **default:** *off* -Turns on or off ModSecurity functionality. +Turns on or off the ModSecurity functionality. Note that this configuration directive is no longer related to the SecRule state. Instead, it now serves solely as an Apache flag to enable or disable the module. From 97fc190887d0e17d3f26b83e689e46ba913027fc Mon Sep 17 00:00:00 2001 From: Samy Mahmoudi Date: Tue, 20 Oct 2020 02:51:35 -0400 Subject: [PATCH 08/10] README: Remove a duplicate word --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9aa2c59..19be0f5 100644 --- a/README.md +++ b/README.md 
@@ -14,7 +14,7 @@ Notice that this project depends on libmodsecurity rather than ModSecurity (vers ### What is the difference between this project and the old ModSecurity module for Apache? -The old version of ModSecurity was originally designed for and contained within an Apache module. This current version abstracts out some of the details allowing ModSecurity to more easily support multiple platforms and features outside beyond the scope of what Apache internals currently support. As a result using the new libmodsecurity engine is no longer reliant on the use of Apache and can be used to power multiple different connectors. As a result of this the current version is more flexible, has wider support, and allows for the support of new functionality that was not previously possible. +The old version of ModSecurity was originally designed for and contained within an Apache module. This current version abstracts out some of the details allowing ModSecurity to more easily support multiple platforms and features beyond the scope of what Apache internals currently support. As a result using the new libmodsecurity engine is no longer reliant on the use of Apache and can be used to power multiple different connectors. As a result of this the current version is more flexible, has wider support, and allows for the support of new functionality that was not previously possible. # Compilation From 2368a66a2c773a188749944e0b29e87c08ba1d2a Mon Sep 17 00:00:00 2001 From: Samy Mahmoudi Date: Tue, 20 Oct 2020 02:57:34 -0400 Subject: [PATCH 09/10] README: Remove a duplicate paragraph --- README.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/README.md b/README.md index 19be0f5..6fc03f9 100644 --- a/README.md +++ b/README.md 
@@ -127,12 +127,7 @@ review work, and our QA integration. GitHub provides an excellent documentation on how to perform “Pull Requests”. More information available here: https://help.github.com/articles/using-pull-requests/ -Please respect the coding style. Pull requests can include various commits, so provide one fix or one piece of functionality per commit. Please do not change anything outside the scope of your target work (e.g. coding style in a function that you have passed by). For further information about the coding style used in this project, please check: https://www.chromium.org/blink/coding-style - -Please respect the coding style in use. Pull requests can include various commits, so -provide one fix or one functionality per commit. Do not change anything outside -the scope of your target work (e.g. coding style in a function that you have -passed by). +Please respect the coding style in use. Pull requests can include various commits, so provide one fix or one piece of functionality per commit. Please do not change anything outside the scope of your target work (e.g. coding style in a function that you have passed by). For further information about the coding style used in this project, please check: https://www.chromium.org/blink/coding-style ### Don’t know where to start? From 0488c77f69669584324b70460614a382224b4883 Mon Sep 17 00:00:00 2001 From: martinhsv <55407942+martinhsv@users.noreply.github.com> Date: Thu, 19 Aug 2021 14:15:00 -0400 Subject: [PATCH 10/10] Update README.md Add warning about the project not being production ready. --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 6fc03f9..5f604ff 100644 --- a/README.md +++ b/README.md 
@@ -12,6 +12,11 @@ The ModSecurity-apache connector takes the form of an Apache module. The module Notice that this project depends on libmodsecurity rather than ModSecurity (version 2.9 or less). +### NOTE: This project is not production ready + +This project should be considered under development and not production ready. The functionality is not complete and so should not be used. With Apache HTTP Server, the recommended version of ModSecurity is v2.9.x. + + ### What is the difference between this project and the old ModSecurity module for Apache? The old version of ModSecurity was originally designed for and contained within an Apache module. This current version abstracts out some of the details allowing ModSecurity to more easily support multiple platforms and features beyond the scope of what Apache internals currently support. As a result using the new libmodsecurity engine is no longer reliant on the use of Apache and can be used to power multiple different connectors. As a result of this the current version is more flexible, has wider support, and allows for the support of new functionality that was not previously possible.