diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b741945..6c5cb3b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,9 +57,9 @@ jobs: - name: Install dependencies with apt run: | sudo add-apt-repository universe - sudo apt-get update - sudo apt-get -y \ - --fix-missing install \ + sudo apt-get -qq update + sudo apt-get -y -qq \ + --fix-missing --no-install-recommends install \ gcc make \ libxml2-dev \ libxslt-dev \ @@ -89,26 +89,28 @@ jobs: - name: Configure compilation of dynamic module run: | - ls -l cd ${{ github.workspace }}/nginx-${{ matrix.nginx_version }} ./configure \ --with-compat \ --add-dynamic-module=${{ github.workspace }}/ \ --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \ --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' \ - --prefix=/usr/share/nginx \ + --prefix=/etc/nginx \ + --sbin-path=/usr/sbin/nginx \ --conf-path=/etc/nginx/nginx.conf \ --http-log-path=/var/log/nginx/access.log \ --error-log-path=/var/log/nginx/error.log \ --lock-path=/var/lock/nginx.lock \ --pid-path=/run/nginx.pid \ --modules-path=/usr/lib/nginx/modules \ - --http-client-body-temp-path=/var/lib/nginx/body \ - --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ - --http-proxy-temp-path=/var/lib/nginx/proxy \ - --http-scgi-temp-path=/var/lib/nginx/scgi \ - --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ + --http-client-body-temp-path=/var/cache/nginx/client_temp \ + --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ + --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ + --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ + --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ --with-debug \ + --with-file-aio \ + --with-threads \ --with-http_ssl_module \ --with-http_stub_status_module \ --with-http_realip_module \ 
@@ -126,10 +128,22 @@ jobs: --with-http_xslt_module=dynamic \ --with-stream=dynamic - - name: Compile dynamic module - run: | + - name: Compile dynamic module and install nginx + run: | cd ${{ github.workspace }}/nginx-${{ matrix.nginx_version }} make modules + make + sudo make install + + - name: Run tests + run: | + wget http://hg.nginx.org/nginx-tests/archive/tip.tar.gz + tar xzf tip.tar.gz + cd nginx-tests-* + cp ../t/* . + export TEST_NGINX_BINARY=/usr/sbin/nginx + export TEST_NGINX_GLOBALS="load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";" + prove . -t coraza*.t - name: Upload a Build Artifact uses: actions/upload-artifact@v2 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index f04c548..a8cd9e1 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
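Review bot: The new `Run tests` step downloads `http://hg.nginx.org/nginx-tests/archive/tip.tar.gz` over plain HTTP and runs its contents with `prove`, so the test harness is neither authenticated nor pinned. Anything that can alter the response in transit gets code execution on the runner, and `tip` can change between two runs of the same commit. Fetch a fixed revision over HTTPS and check a digest before unpacking, for example `echo "<sha256-of-pinned-archive>  tip.tar.gz" | sha256sum -c -` directly after the download. The last `RUN` of the Dockerfile in this commit uses the same URL and needs the same treatment.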
@@ -1,19 +1,19 @@ -#name: "Close stale issues" -#on: -# schedule: -# - cron: "0 0 * * *" -# -#jobs: -# stale: -# runs-on: ubuntu-latest -# steps: -# - uses: actions/stale@v3 -# with: -# repo-token: ${{ secrets.GITHUB_TOKEN }} -# stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days' -# stale-pr-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days' -# stale-issue-label: 'no-issue-activity' -# stale-pr-label: 'no-pr-activity' -# exempt-issue-label: 'nostale,work-in-progress' -# days-before-stale: 30 -# days-before-close: 5 +name: "Close stale issues" +on: + schedule: + - cron: "0 0 * * *" + +jobs: + stale: + runs-on: ubuntu-latest + steps: + - uses: actions/stale@v3 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days' + stale-pr-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days' + stale-issue-label: 'no-issue-activity' + stale-pr-label: 'no-pr-activity' + exempt-issue-label: 'nostale,work-in-progress' + days-before-stale: 30 + days-before-close: 5 diff --git a/.gitignore b/.gitignore index dbe9c82..1d74e21 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -.vscode/ \ No newline at end of file +.vscode/ diff --git a/Dockerfile b/Dockerfile index b4f19a8..8c0c071 100644 --- a/Dockerfile +++ b/Dockerfile 
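Review bot: Re-enabling this workflow leaves the `stale` job on the repository's default `GITHUB_TOKEN` scopes, because no `permissions:` key appears in the file. The action only has to label, comment on and close issues and pull requests, so add under `stale:` a `permissions:` block with `issues: write` and `pull-requests: write`. `actions/stale@v3` is also a movable tag; pinning it to a full commit SHA keeps a retagged release from running with that token on the daily schedule.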
@@ -1,56 +1,91 @@ -FROM ubuntu:latest - -RUN apt-get update \ - && apt install -y wget build-essential libpcre++-dev git-core libtool openssl libssl-dev zlib1g-dev\ - && wget http://nginx.org/download/nginx-1.22.0.tar.gz \ - && tar -xvzf nginx-1.22.0.tar.gz -WORKDIR /nginx-1.22.0 - -RUN wget https://go.dev/dl/go1.19.linux-amd64.tar.gz && \ - tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz - -ENV PATH="$PATH:/usr/local/go/bin" -ENV CPPFLAGS="-DPNG_ARM_NEON_OPT=0" -COPY . coraza - -RUN git clone https://github.com/corazawaf/libcoraza && \ - cd libcoraza && \ - ./build.sh && \ - ./configure && \ - make && \ - make install - -RUN ./configure \ - --with-compat \ - --add-module=/nginx-1.22.0/coraza/ \ - --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \ - --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' \ - --prefix=/usr/share/nginx \ - --conf-path=/etc/nginx/nginx.conf \ - --http-log-path=/var/log/nginx/access.log \ - --error-log-path=/var/log/nginx/error.log \ - --lock-path=/var/lock/nginx.lock \ - --pid-path=/run/nginx.pid \ - --modules-path=/usr/lib/nginx/modules \ - --http-client-body-temp-path=/var/lib/nginx/body \ - --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ - --http-proxy-temp-path=/var/lib/nginx/proxy \ - --http-scgi-temp-path=/var/lib/nginx/scgi \ - --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ - --with-debug \ - --with-http_ssl_module \ - --with-http_stub_status_module \ - #--with-http_realip_module \ - --with-http_auth_request_module \ - --with-http_v2_module \ - #--with-http_dav_module \ - --with-http_slice_module \ - --with-threads \ - --with-http_addition_module \ - #--with-http_geoip_module=dynamic \ - --with-http_gunzip_module \ - #--with-http_gzip_static_module \ - #--with-http_image_filter_module=dynamic \ - --with-http_sub_module \ - #--with-http_xslt_module=dynamic \ - --with-stream=dynamic \ No newline at end of file +FROM golang as go-builder + +ARG 
libcoraza_version=master + +# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile +RUN set -eux; \ + apt-get update -qq; \ + apt-get install -qq --no-install-recommends \ + autoconf \ + automake \ + libtool \ + gcc \ + bash \ + make + +COPY ./libcoraza /tmp/master + +RUN set -eux; \ + #wget https://github.com/corazawaf/libcoraza/tarball/master -O /tmp/master; \ + #tar -xvf /tmp/master; \ + #cd corazawaf-libcoraza-*; \ + cd /tmp/master; \ + ./build.sh; \ + ./configure; \ + make; \ + make V=1 install + +FROM nginx:stable as ngx-coraza + +COPY --from=go-builder /usr/local/include/coraza /usr/local/include/coraza +COPY --from=go-builder /usr/local/lib/libcorazacore.a /usr/local/lib +COPY --from=go-builder /usr/local/lib/libcorazautils.a /usr/local/lib +COPY --from=go-builder /usr/local/lib/libcorazacore.so /usr/local/lib +COPY --from=go-builder /usr/local/lib/libcorazautils.so /usr/local/lib + +# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile +RUN set -eux; \ + apt-get update -qq; \ + apt-get install -qq --no-install-recommends \ + gcc \ + gnupg1 \ + ca-certificates \ + libc-dev \ + make \ + openssl \ + curl \ + gnupg \ + wget \ + libpcre3 libpcre3-dev \ + zlib1g-dev + +COPY . 
/usr/src/coraza-nginx + +# Download sources +RUN set -eux; \ + curl "http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -o - | tar zxC /usr/src -f -; + # Reuse same cli arguments as the nginx:alpine image used to build + +RUN CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p');\ + cd /usr/src/nginx-$NGINX_VERSION; \ + ./configure --with-compat "$CONFARGS" --add-dynamic-module=/usr/src/coraza-nginx; \ + make modules; \ + mkdir -p /usr/lib/nginx/modules; \ + find objs/*.so -print; \ + cp objs/ngx_*.so /usr/lib/nginx/modules + +FROM nginx:stable + +RUN sed -i -e "s|events {|load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";\n\nevents {|" /etc/nginx/nginx.conf; + +COPY ./coraza.conf /etc/nginx/conf.d/coraza.conf +COPY --from=ngx-coraza /usr/lib/nginx/modules/ /usr/lib/nginx/modules/ +COPY --from=go-builder /usr/local/lib/libcorazacore.so /usr/local/lib +COPY --from=go-builder /usr/local/lib/libcorazautils.so /usr/local/lib + +RUN ldconfig -v + +COPY ./t /tmp/t + +RUN set -eux; \ + apt-get update -qq; \ + apt-get install -qq --no-install-recommends curl perl; \ + curl http://hg.nginx.org/nginx-tests/archive/tip.tar.gz -o tip.tar.gz; \ + tar xzf tip.tar.gz; \ + cd nginx-tests-*; \ + cp /tmp/t/* . ;\ + export TEST_NGINX_BINARY=/usr/sbin/nginx; \ + export TEST_NGINX_GLOBALS="load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";"; \ + prove . -t coraza*.t + +>>>>>>> db83d99 (fix error) diff --git a/config b/config index d28a3d9..a2c380c 100644 --- a/config +++ b/config 
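Review bot: The last added line, `>>>>>>> db83d99 (fix error)`, is a leftover merge-conflict marker and not a Dockerfile instruction, so the build should stop there; delete it. In the `ngx-coraza` stage the nginx sources come from `http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz` and are piped straight into `tar` and compiled, with `gnupg` installed but never used: download over HTTPS and verify the tarball's signature or a pinned SHA-256 before extracting. The final stage makes the same unauthenticated fetch for the nginx-tests `tip.tar.gz` and leaves `curl`, `perl`, the test tree and the apt lists in the runtime image; running `prove` in a separate stage keeps them out. `FROM golang` carries no tag, and `ARG libcoraza_version=master` is never referenced now that the sources come from `COPY ./libcoraza`. Quoting `"$CONFARGS"` hands `./configure` all of the recorded arguments as a single word, which is probably not what is intended.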
@@ -10,38 +10,39 @@ ngx_addon_name="ngx_http_coraza_module" coraza_dependency="ngx_http_postpone_filter_module \ - ngx_http_ssi_filter_module \ - ngx_http_charset_filter_module \ - ngx_http_sub_filter_module \ - ngx_http_addition_filter_module \ - ngx_http_gunzip_filter_module \ - ngx_http_userid_filter_module \ - ngx_http_headers_filter_module \ - ngx_http_copy_filter_module" + ngx_http_ssi_filter_module \ + ngx_http_charset_filter_module \ + ngx_http_xslt_filter_module \ + ngx_http_image_filter_module \ + ngx_http_sub_filter_module \ + ngx_http_addition_filter_module \ + ngx_http_gunzip_filter_module \ + ngx_http_userid_filter_module \ + ngx_http_headers_filter_module \ + ngx_http_copy_filter_module" if test -n "$ngx_module_link"; then ngx_module_type=HTTP_FILTER ngx_module_name="$ngx_addon_name" ngx_module_srcs="$ngx_addon_dir/src/ngx_http_coraza_module.c \ - $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \ - $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \ - $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \ - $ngx_addon_dir/src/ngx_http_coraza_log.c \ - $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \ - " + $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \ + $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \ + $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \ + $ngx_addon_dir/src/ngx_http_coraza_log.c \ + $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \ + $ngx_addon_dir/src/ngx_http_coraza_utils.c \ + " ngx_module_deps="$ngx_addon_dir/src/ddebug.h \ - $ngx_addon_dir/src/ngx_http_coraza_common.h \ - " ngx_module_libs="-lcoraza" ngx_module_incs="-L/usr/local/lib" - ngx_module_order="ngx_http_chunked_filter_module \ - ngx_http_v2_filter_module \ - ngx_http_range_header_filter_module \ - ngx_http_gzip_filter_module \ - $ngx_module_name \ - $coraza_dependency"; + ngx_module_order="ngx_http_chunked_filter_module \ + ngx_http_v2_filter_module \ + ngx_http_range_header_filter_module \ + ngx_http_gzip_filter_module \ + $ngx_module_name \ + $coraza_dependency"; . 
auto/module else @@ -52,19 +53,18 @@ else CORE_LIBS="$CORE_LIBS $ngx_feature_libs" HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES ngx_http_coraza_module" - NGX_ADDON_SRCS="\ - $NGX_ADDON_SRCS \ - $ngx_addon_dir/src/ngx_http_coraza_module.c \ - $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \ - $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \ - $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \ - $ngx_addon_dir/src/ngx_http_coraza_log.c \ - $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \ - " + NGX_ADDON_SRCS="$NGX_ADDON_SRCS \ + $ngx_addon_dir/src/ngx_http_coraza_module.c \ + $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \ + $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \ + $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \ + $ngx_addon_dir/src/ngx_http_coraza_log.c \ + $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \ + $ngx_addon_dir/src/ngx_http_coraza_utils.c \ + " - NGX_ADDON_DEPS="\ - $NGX_ADDON_DEPS \ - $ngx_addon_dir/src/ddebug.h \ - $ngx_addon_dir/src/ngx_http_coraza_common.h \ - " + NGX_ADDON_DEPS="$NGX_ADDON_DEPS \ + $ngx_addon_dir/src/ddebug.h \ + $ngx_addon_dir/src/ngx_http_coraza_common.h \ + " fi diff --git a/coraza.conf b/coraza.conf new file mode 100644 index 0000000..9bf4971 --- /dev/null +++ b/coraza.conf @@ -0,0 +1,5 @@ +coraza on; +coraza_rules 'SecRuleEngine On + SecRule ARGS "@streq whee" "id:10,phase:2" + SecRule ARGS "@streq whee" "id:11,phase:2" + '; diff --git a/ngx-modsec.stp b/ngx-coraza.stp similarity index 77% rename from ngx-modsec.stp rename to ngx-coraza.stp index 8c5fa65..29b8a73 100755 --- a/ngx-modsec.stp +++ b/ngx-coraza.stp 
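Review bot: In the `ngx_module_link` branch the new side appears to drop both `$ngx_addon_dir/src/ngx_http_coraza_common.h \` and the closing `"` of `ngx_module_deps`, leaving `ngx_module_deps="$ngx_addon_dir/src/ddebug.h \` unterminated until the quote that opens `ngx_module_libs="-lcoraza"`. If the file really reads that way, the dynamic-module build gets mangled deps and libs assignments; restore the two lines so the branch matches `NGX_ADDON_DEPS` in the `else` branch. Separately, `ngx_module_libs="-lcoraza"` does not match the library names the Dockerfile in this commit copies (`libcorazacore`, `libcorazautils`), which is worth checking against what libcoraza installs.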
@@ -6,12 +6,12 @@ global rules_phase # Rules -probe process("/usr/local/lib/libcoraza.so.3").function("evaluate@rule.cc*") +probe process("/usr/local/lib/libcoraza.so").function("evaluate@rule.cc*") { begin_rule = gettimeofday_us(); } -probe process("/usr/local/lib/libcoraza.so.3").function("evaluate@rule.cc*").return +probe process("/usr/local/lib/libcoraza.so").function("evaluate@rule.cc*").return { elapsed_rule = gettimeofday_us() - begin_rule rules[$this->m_ruleId] <<< elapsed_rule diff --git a/src/ngx_http_coraza_common.h b/src/ngx_http_coraza_common.h index 2d6f6a6..bebdaf7 100644 --- a/src/ngx_http_coraza_common.h +++ b/src/ngx_http_coraza_common.h @@ -126,5 +126,7 @@ ngx_int_t ngx_http_coraza_pre_access_handler(ngx_http_request_t *r); /* ngx_http_coraza_rewrite.c */ ngx_int_t ngx_http_coraza_rewrite_handler(ngx_http_request_t *r); +/* ngx_http_coraza_utils.c */ +ngx_int_t ngx_str_to_char(ngx_str_t a, char *str, ngx_pool_t *p); #endif /* _ngx_http_coraza_COMMON_H_INCLUDED_ */ diff --git a/src/ngx_http_coraza_module.c b/src/ngx_http_coraza_module.c index 73f9d37..c7b5c11 100644 --- a/src/ngx_http_coraza_module.c +++ b/src/ngx_http_coraza_module.c @@ -142,7 +142,9 @@ void ngx_http_coraza_cleanup(void *data) ctx = (ngx_http_coraza_ctx_t *)data; - coraza_free_transaction(ctx->coraza_transaction); + if (coraza_free_transaction(ctx->coraza_transaction) != NGX_OK) { + dd("cleanup -- transaction free failed: %d", res); + }; } ngx_inline ngx_http_coraza_ctx_t * 
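Review bot: `ngx_str_to_char(ngx_str_t a, char *str, ngx_pool_t *p)` takes the output pointer by value, so the buffer allocated in `src/ngx_http_coraza_utils.c` is stored in a local copy and every caller's variable stays `NULL`. As written, `ngx_conf_set_rules`, `ngx_conf_set_rules_file`, `ngx_http_coraza_pre_access_handler` and `ngx_http_coraza_rewrite_handler` then pass `NULL` to `coraza_rules_add`, `coraza_request_body_from_file`, `coraza_process_connection` and `coraza_process_uri`. How libcoraza treats a null string is not visible here, but at best the WAF is handed no rules, address, URI or method. Declare it as `ngx_int_t ngx_str_to_char(ngx_str_t a, char **str, ngx_pool_t *p);`, store through `*str` in the definition, and call it as `ngx_str_to_char(value[1], &rules, cf->pool)`.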
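Review bot: `dd("cleanup -- transaction free failed: %d", res);` prints `res`, but no `res` is declared in the visible part of `ngx_http_coraza_cleanup`, so this probably compiles only while `dd` expands to nothing. Capture the return value first, `int res = coraza_free_transaction(ctx->coraza_transaction);`, then test `if (res != NGX_OK) {`. The `;` after the closing brace is an empty statement and can be dropped. The function starts above the hunk, so the declaration may equally go with the other locals there.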
@@ -199,15 +201,20 @@ char * ngx_conf_set_rules(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { int res; - char *rules; + char *rules = NULL; ngx_str_t *value; - char *error; + char *error = NULL; ngx_http_coraza_conf_t *mcf = conf; ngx_http_coraza_main_conf_t *mmcf; value = cf->args->elts; - res = coraza_rules_add(mcf->waf, (char *)value[1].data, &error); + if (ngx_str_to_char(value[1], rules, cf->pool) != NGX_OK) { + dd("Failed to get the rules"); + return NGX_CONF_ERROR; + } + + res = coraza_rules_add(mcf->waf, rules, &error); if (res < 0) { @@ -225,15 +232,20 @@ char * ngx_conf_set_rules_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { int res; - char *rules_set; + char *rules_set = NULL; ngx_str_t *value; - char **error; + char **error = NULL; ngx_http_coraza_conf_t *mcf = conf; ngx_http_coraza_main_conf_t *mmcf; value = cf->args->elts; - res = coraza_rules_add(mcf->waf, (char *)value[1].data, &error); + if (ngx_str_to_char(value[1], rules_set, cf->pool) != NGX_OK) { + dd("Failed to get the rules_file"); + return NGX_CONF_ERROR; + } + + res = coraza_rules_add(mcf->waf, rules_set, error); if (res < 0) { @@ -554,11 +566,11 @@ ngx_http_coraza_merge_conf(ngx_conf_t *cf, void *parent, void *child) dd("CHILD RULES"); coraza_rules_dump(c->rules_set); #endif - rules = coraza_rules_merge(c->waf, p->waf, &error); + rules = coraza_rules_merge(c->waf, p->waf, error); if (rules < 0) { - return error; + return *error; } #if defined(CORAZA_DDEBUG) && (CORAZA_DDEBUG) diff --git a/src/ngx_http_coraza_pre_access.c b/src/ngx_http_coraza_pre_access.c index 8ef6abf..e533ff2 100644 --- a/src/ngx_http_coraza_pre_access.c +++ b/src/ngx_http_coraza_pre_access.c @@ -138,6 +138,7 @@ ngx_http_coraza_pre_access_handler(ngx_http_request_t *r) { int ret = 0; int already_inspected = 0; + char *file_name = NULL; dd("request body is ready to be processed"); 
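Review bot: In `ngx_conf_set_rules_file` the error out-parameter becomes `char **error = NULL;` and is passed as `error`, so `coraza_rules_add` receives a null pointer where `ngx_conf_set_rules` passes `&error`. If the library writes a message through that pointer on failure, the bad-configuration path dereferences NULL. Keep it parallel with the function above: `char *error = NULL;` and `coraza_rules_add(mcf->waf, rules_set, &error)`. The `ngx_http_coraza_merge_conf` hunk has the same shape, `coraza_rules_merge(c->waf, p->waf, error)` followed by `return *error;`; the declaration of `error` lies outside that hunk, so confirm it points at real storage.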
@@ -156,8 +157,7 @@ ngx_http_coraza_pre_access_handler(ngx_http_request_t *r) if (r->request_body->temp_file != NULL) { ngx_str_t file_path = r->request_body->temp_file->file.name; - const char *file_name = ngx_str_to_char(file_path, r->pool); - if (file_name == (char*)-1) { + if (ngx_str_to_char(file_path, file_name, r->pool) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } /* @@ -166,7 +166,7 @@ ngx_http_coraza_pre_access_handler(ngx_http_request_t *r) */ dd("request body inspection: file -- %s", file_name); - coraza_request_body_from_file(ctx->coraza_transaction, (char*)file_name); + coraza_request_body_from_file(ctx->coraza_transaction, file_name); already_inspected = 1; } else { diff --git a/src/ngx_http_coraza_rewrite.c b/src/ngx_http_coraza_rewrite.c index 3526fc9..87179db 100644 --- a/src/ngx_http_coraza_rewrite.c +++ b/src/ngx_http_coraza_rewrite.c @@ -25,6 +25,12 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) { ngx_http_coraza_ctx_t *ctx; ngx_http_coraza_conf_t *mcf; + ngx_str_t ngx_server_addr; + char *client_addr = NULL; + char *server_addr = NULL; + char *uri = NULL; + char *method = NULL; + char *http_version = NULL; mcf = ngx_http_get_module_loc_conf(r, ngx_http_coraza_module); if (mcf == NULL || mcf->enable != 1) { @@ -43,12 +49,9 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) int ret = 0; ngx_connection_t *connection = r->connection; - /** - * FIXME: We may want to use struct sockaddr instead of addr_text. - * - */ - ngx_str_t addr_text = connection->addr_text; + ngx_str_t addr_text = connection->addr_text; + ctx = ngx_http_coraza_create_ctx(r); dd("ctx was NULL, creating new context: %p", ctx); 
@@ -68,28 +71,31 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) */ int client_port = ngx_inet_get_port(connection->sockaddr); int server_port = ngx_inet_get_port(connection->local_sockaddr); - - const char *client_addr = ngx_str_to_char(addr_text, r->pool); - if (client_addr == (char*)-1) { + + u_char addr[NGX_SOCKADDR_STRLEN]; + ngx_server_addr.len = NGX_SOCKADDR_STRLEN; + ngx_server_addr.data = addr; + if (ngx_connection_local_sockaddr(r->connection, &ngx_server_addr, 0) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } - ngx_str_t s; - u_char addr[NGX_SOCKADDR_STRLEN]; - s.len = NGX_SOCKADDR_STRLEN; - s.data = addr; - if (ngx_connection_local_sockaddr(r->connection, &s, 0) != NGX_OK) { + if (ngx_str_to_char(addr_text, client_addr, r->pool) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } - const char *server_addr = ngx_str_to_char(s, r->pool); - if (server_addr == (char*)-1) { + if (ngx_str_to_char(ngx_server_addr, server_addr, r->pool) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; - } + } + /* FIXME: addr_text here is an nginx str that might be a path if + * this is a unix socket. Because of this, using the socket + * structure might be better + */ ret = coraza_process_connection(ctx->coraza_transaction, - (char *)client_addr, client_port, - (char *)server_addr, server_port); + client_addr, + client_port, + server_addr, + server_port); if (ret != 1){ dd("Was not able to extract connection information."); } @@ -109,7 +115,6 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) return ret; } - const char *http_version; switch (r->http_version) { case NGX_HTTP_VERSION_9 : http_version = "0.9"; 
@@ -130,16 +135,15 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) break; } - const char *n_uri = ngx_str_to_char(r->unparsed_uri, r->pool); - const char *n_method = ngx_str_to_char(r->method_name, r->pool); - if (n_uri == (char*)-1 || n_method == (char*)-1) { + if (ngx_str_to_char(r->unparsed_uri, uri, r->pool) != NGX_OK) { + dd("uri is of length zero"); return NGX_HTTP_INTERNAL_SERVER_ERROR; } - if (n_uri == NULL) { - dd("uri is of length zero"); + if (ngx_str_to_char(r->method_name, method, r->pool) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } - coraza_process_uri(ctx->coraza_transaction, (char *)n_uri, (char *)n_method, (char *)http_version); + + coraza_process_uri(ctx->coraza_transaction, uri, method, http_version); dd("Processing intervention with the transaction information filled in (uri, method and version)"); ret = ngx_http_coraza_process_intervention(ctx->coraza_transaction, r, 1); diff --git a/src/ngx_http_coraza_utils.c b/src/ngx_http_coraza_utils.c new file mode 100644 index 0000000..e9be865 --- /dev/null +++ b/src/ngx_http_coraza_utils.c @@ -0,0 +1,32 @@ +#include "ddebug.h" +#include "ngx_http_coraza_common.h" + +/* + * ngx_string's are not null-terminated in common case, so we need to convert + * them into null-terminated ones before passing to CORAZA + */ +ngx_int_t +ngx_str_to_char(ngx_str_t a, char *str, ngx_pool_t *p) +{ + if (str) { + free(str); + str = NULL; + } + + if (a.len == 0) + { + return NGX_OK; + } + + str = ngx_pnalloc(p, a.len + 1); + if (str == NULL) + { + dd("failed to allocate memory to convert space ngx_string to C string"); + /* We already returned NULL for an empty string, so return -1 here to indicate allocation error */ + return NGX_ERROR; + } + ngx_memcpy(str, a.data, a.len); + str[a.len] = '\0'; + + return NGX_OK; +} diff --git a/tests/README.md b/t/README.md similarity index 100% rename from tests/README.md rename to t/README.md 
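Review bot: In the new `ngx_str_to_char`, the opening `if (str) { free(str); str = NULL; }` releases the argument with libc `free`, while the strings this helper produces come from `ngx_pnalloc`; pool memory must not be handed to `free`, so a caller passing a previously converted pointer would corrupt the heap. Every visible caller passes `NULL`, so the block can simply be removed. The `a.len == 0` branch returns `NGX_OK` without producing a string, and the comment `We already returned NULL for an empty string` describes the old return convention. Either allocate a one-byte terminated string for the empty case or state in the header comment that the output is left unset.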
diff --git a/tests/modsecurity-config-auditlog.t b/t/coraza-config-auditlog.t
similarity index 100%
rename from tests/modsecurity-config-auditlog.t
rename to t/coraza-config-auditlog.t
diff --git a/tests/modsecurity-config-custom-error-page.t b/t/coraza-config-custom-error-page.t
similarity index 100%
rename from tests/modsecurity-config-custom-error-page.t
rename to t/coraza-config-custom-error-page.t
diff --git a/tests/modsecurity-config-debuglog.t b/t/coraza-config-debuglog.t
similarity index 100%
rename from tests/modsecurity-config-debuglog.t
rename to t/coraza-config-debuglog.t
diff --git a/tests/modsecurity-config-merge.t b/t/coraza-config-merge.t
similarity index 100%
rename from tests/modsecurity-config-merge.t
rename to t/coraza-config-merge.t
diff --git a/tests/modsecurity-config.t b/t/coraza-config.t
similarity index 100%
rename from tests/modsecurity-config.t
rename to t/coraza-config.t
diff --git a/tests/modsecurity-h2.t b/t/coraza-h2.t
similarity index 100%
rename from tests/modsecurity-h2.t
rename to t/coraza-h2.t
diff --git a/tests/modsecurity-proxy-h2.t b/t/coraza-proxy-h2.t
similarity index 100%
rename from tests/modsecurity-proxy-h2.t
rename to t/coraza-proxy-h2.t
diff --git a/tests/modsecurity-proxy.t b/t/coraza-proxy.t
similarity index 100%
rename from tests/modsecurity-proxy.t
rename to t/coraza-proxy.t
diff --git a/tests/modsecurity-request-body-h2.t b/t/coraza-request-body-h2.t
similarity index 100%
rename from tests/modsecurity-request-body-h2.t
rename to t/coraza-request-body-h2.t
diff --git a/tests/modsecurity-request-body.t b/t/coraza-request-body.t
similarity index 100%
rename from tests/modsecurity-request-body.t
rename to t/coraza-request-body.t
diff --git a/tests/modsecurity-response-body.t b/t/coraza-response-body.t
similarity index 100%
rename from tests/modsecurity-response-body.t
rename to t/coraza-response-body.t
diff --git a/tests/modsecurity-scoring.t b/t/coraza-scoring.t
similarity index 100%
rename from tests/modsecurity-scoring.t
rename to t/coraza-scoring.t
diff --git a/tests/modsecurity-transaction-id.t b/t/coraza-transaction-id.t
similarity index 100%
rename from tests/modsecurity-transaction-id.t
rename to t/coraza-transaction-id.t
diff --git a/tests/modsecurity.t b/t/coraza.t
similarity index 100%
rename from tests/modsecurity.t
rename to t/coraza.t
diff --git a/tests/nginx-tests-cvt.pl b/t/nginx-tests-cvt.pl
similarity index 100%
rename from tests/nginx-tests-cvt.pl
rename to t/nginx-tests-cvt.pl