added support for SecRuleUpdateTargetByTag and SecRuleUpdateTargetById
#46
Conversation
|
|
Also |
|
In the code:- the
Update:- Using the
As
|
Xhoenix
changed the title
SecRuleUpdateTargetByTag and SecRuleUpdateTargetById
|
|
||
| SecRuleUpdateTargetByTag: | ||
| 'SecRuleUpdateTargetByTag' '"'? tag=Tag '"'? '"'? negated='!'? variables=Variable '"'?; | ||
|
|
There was a problem hiding this comment.
Comment for both new rule above:
Here are the references of these directives, both for mod_security2 and libmodsecurity3:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secruleupdatetargetbyid
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secruleupdatetargetbytag
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)#secruleupdatetargetbyid
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)#secruleupdatetargetbytag
The syntax of two directives are almost the same, so we can take a look only for the first, for example.
Here are the syntax for mod_security2:
SecRuleUpdateTargetById RULEID TARGET1[,TARGET2,TARGET3] REPLACED_TARGET
and for libmodsecurity3:
SecRuleUpdateTargetById RULEID TARGET1[,TARGET2,TARGET3]
As you can see, the REPLACED_TARGET argument is gone.
IMHO without that this syntax makes no sense:
SecRuleUpdateTargetById 1234 "ARGS:foo"
Because you want to update a target - but for what? I mean there is no exclusion mark - with that, it makes sense:
SecRuleUpdateTargetById 1234 "!ARGS:foo"
This means you just want to remove this target.
If you want to be strict, you should allow one of these syntax:
SecRuleUpdateTargetById 1234 "!ARGS:foo"
SecRuleUpdateTargetById 1234 "ARGS:foo" "ARGS:bar"
But I'm sure this is not a critical thing, you can keep this as it is.
Also, both directives allows the list of TARGET:
... TARGET1[,TARGET2,TARGET3]
which is not allowed by this implementation. I suggest that you should add this syntax. Both mod_security2 and libmodsecurity3 allows this syntax.
There was a problem hiding this comment.
I've come up with this.
First, I'll create a new variable like this:-
TARGET: '"'? negated='!'? variables=Variable '"'?;
Then I'll change the rules based upon this. For e.g,
SecRuleUpdateTargetById:
'SecRuleUpdateTargetById' id=INT targets+=TARGET[',']?;
What do you think about this? I tested this and it works.
There was a problem hiding this comment.
Could you pull this modification to your repository? Thanks.
There was a problem hiding this comment.
Thanks, I pulled down, tested, and looks now it works as we expect.
added a new TARGET variable and updated rules accordingly
|
|
||
| SecRuleUpdateTargetByTag: | ||
| 'SecRuleUpdateTargetByTag' '"'? tag=Tag '"'? '"'? negated='!'? variables=Variable '"'?; | ||
|
|
There was a problem hiding this comment.
Thanks, I pulled down, tested, and looks now it works as we expect.
plugin-lint fails when
SecRuleUpdateTargetByTagis used. This issue can be taken as an example.