feat: improved XMLArgs processing #3358
Conversation
|
|
This is a great new feature. This will open up ModSecurity to anyone who needs to do serious processing of XML APIs (lots of legacy and current applications!). Especially with pre-written rule sets like CRS, this makes the task of handling false positives possible. Thank you for the work that has gone into this 🚀 |
|
@airween Could you share how the new option parses / advertises multi-level documents with multiple leaves carrying the same name? Is the hierarchy part of the name or is that hidden? Needless to say, that I really like this option. |
|
I hope I understand your question as well 😄, so consider this file: cat test.xml
<?xml version="1.0" encoding="UTF-8"?>
<root>
<level1>
<level2>
<node>foo1</node>
<node>bar1</node>
</level2>
<level2>
<node>foo2</node>
<node>bar2</node>
</level2>
</level1>
<level1>
<level2>
<node>foo1</node>
<node>bar1</node>
</level2>
<level2>
<node>foo2</node>
<node>bar2</node>
</level2>
</level1>
</root>and this request: curl -v -H "Content-Type: application/xml" -X POST -d @test.xml http://localhost/post.phpThis will generates these arguments (it's totally the same as in case of JSON): |
|
This was what I expected. Thanks for the confirmation. Very good. |
| static void msc_xml_on_start_elementns( | ||
| void *ctx, | ||
| const xmlChar *localname, | ||
| const xmlChar *prefix, | ||
| const xmlChar *URI, | ||
| int nb_namespaces, | ||
| const xmlChar **namespaces, | ||
| int nb_attributes, | ||
| int nb_defaulted, | ||
| const xmlChar **attributes | ||
| ) { |
There was a problem hiding this comment.
Is this new formatting for the code? Or was adopted as standard already?
Having mixed format in parameters, in general makes more difficult reading the code. So my suggestion will be:
- use the same format as all other files
- propose a new standard
- once accepted, apply to all files once and for all
- enforce the new format in the pipeline.
| static void msc_xml_on_end_elementns( | ||
| void* ctx, | ||
| const xmlChar* localname, | ||
| const xmlChar* prefix, | ||
| const xmlChar* URI | ||
| ) { |
| arg->value = xml_parser_state->currval; | ||
| arg->value_len = strlen(xml_parser_state->currval); | ||
| arg->value_origin_len = arg->value_len; | ||
| //arg->value_origin_offset = value-base_offset; |
There was a problem hiding this comment.
| //arg->value_origin_offset = value-base_offset; |
| // decrease the length of current path length - +1 because of the '\0' | ||
| xml_parser_state->pathlen -= (taglen + 1); | ||
|
|
||
| // -1 need because we don't need the '.' |
There was a problem hiding this comment.
| // -1 need because we don't need the '.' | |
| // -1 is needed because we don't need the last '.' |
| } | ||
| } else { | ||
|
|
||
| /* Not a first invocation. */ | ||
| msr_log(msr, 4, "XML: Continue parsing."); |
There was a problem hiding this comment.
What does even "Continue parsing" means?
| /* error reporting and XML array flag */ | ||
| char *xml_error; | ||
|
|
||
| /* another parser context for arguments */ |
There was a problem hiding this comment.
| /* another parser context for arguments */ | |
| /* additional parser context for arguments */ |
what
This PR adds a new feature within XML processing.
Old (current) behavior: in case of
XML:/*target the body processor expands the node values from the XML payload. Eg.:will produce this value:
In this case, there is no option to exclude any node. For example, if a node contains a term that a rule is looking for, the administrator could not create an exclusion. The only solution is to exclude the whole rule.
New behavior: there is a new configuration keyword,
SecParseXMLintoArgswith possible valuesOn,OffandOnlyArgs. The default value isOff. This won't change anything. If the administrator set this toOn, then the engine will parse the XML intoARGSAND theXML:/*target will still contain the only text content as before. If the value isOnlyArgsthen only the parsed content will appear inARGStarget; theXML:/*target won't contain the parsed content anymore.If administrator sets it to
On, then the node values will appear inARGS, and it's easy to make any exclusion against the named target.why
A customer request has been received to solve this.
references
See #3178.