fix error

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
corazawaf · Mar 13, 2022 · 76d2f61 · 76d2f61
1 parent 1758ec8
commit 76d2f61
Show file tree

Hide file tree

Showing 25 changed files with 240 additions and 91 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -57,9 +57,9 @@ jobs:
       - name: Install dependencies with apt
         run: |
           sudo add-apt-repository universe
-          sudo apt-get update
-          sudo apt-get -y \
-          --fix-missing install \
+          sudo apt-get -qq update
+          sudo apt-get -y -qq \
+          --fix-missing --no-install-recommends install \
           gcc make \
           libxml2-dev \
           libxslt-dev \
@@ -89,26 +89,28 @@ jobs:
 
       - name: Configure compilation of dynamic module
         run: |
-          ls -l
           cd ${{ github.workspace }}/nginx-${{ matrix.nginx_version }}
           ./configure \
           --with-compat \
           --add-dynamic-module=${{ github.workspace }}/ \
           --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \
           --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' \
-          --prefix=/usr/share/nginx \
+          --prefix=/etc/nginx \
+          --sbin-path=/usr/sbin/nginx \
           --conf-path=/etc/nginx/nginx.conf \
           --http-log-path=/var/log/nginx/access.log \
           --error-log-path=/var/log/nginx/error.log \
           --lock-path=/var/lock/nginx.lock \
           --pid-path=/run/nginx.pid \
           --modules-path=/usr/lib/nginx/modules \
-          --http-client-body-temp-path=/var/lib/nginx/body \
-          --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
-          --http-proxy-temp-path=/var/lib/nginx/proxy \
-          --http-scgi-temp-path=/var/lib/nginx/scgi \
-          --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
+          --http-client-body-temp-path=/var/cache/nginx/client_temp \
+          --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+          --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+          --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
+          --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
           --with-debug \
+          --with-file-aio \
+          --with-threads \
           --with-http_ssl_module \
           --with-http_stub_status_module \
           --with-http_realip_module \
@@ -126,10 +128,21 @@ jobs:
           --with-http_xslt_module=dynamic \
           --with-stream=dynamic
 
-      - name: Compile dynamic module  
-        run: |  
+      - name: Compile dynamic module and install nginx
+        run: |
           cd ${{ github.workspace }}/nginx-${{ matrix.nginx_version }}
           make modules
+          make
+          sudo make install
+
+      - name: Run tests
+        run: |
+          wget http://hg.nginx.org/nginx-tests/archive/tip.tar.gz
+          tar xzf tip.tar.gz
+          cd nginx-tests-*
+          cp ../tests/* .
+          export TEST_NGINX_BINARY=/usr/sbin/nginx
+          prove .
 
       - name: Upload a Build Artifact
         uses: actions/upload-artifact@v2

diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.vscode/
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,80 @@
+FROM golang as go-builder
+
+ARG libcoraza_version=master
+
+# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile
+RUN set -eux; \
+  apt-get update -qq; \
+  apt-get install -qq --no-install-recommends \
+    autoconf \
+    automake \
+    libtool \
+    gcc \
+    bash \
+    make
+
+COPY ./libcoraza /tmp/master
+
+RUN set -eux; \
+    #wget https://github.com/corazawaf/libcoraza/tarball/master -O /tmp/master; \
+    #tar -xvf /tmp/master; \
+    #cd corazawaf-libcoraza-*; \
+    cd /tmp/master; \
+    ./build.sh; \
+    ./configure; \
+    make; \
+    make V=1 install
+
+FROM nginx:stable as ngx-coraza
+
+COPY --from=go-builder /usr/local/include/coraza /usr/local/include/coraza
+COPY --from=go-builder /usr/local/lib/libcorazacore.a /usr/local/lib
+COPY --from=go-builder /usr/local/lib/libcorazautils.a /usr/local/lib
+COPY --from=go-builder /usr/local/lib/libcorazacore.so /usr/local/lib
+COPY --from=go-builder /usr/local/lib/libcorazautils.so /usr/local/lib
+
+# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile
+RUN set -eux; \
+  apt-get update -qq; \
+  apt-get install -qq --no-install-recommends \
+  gcc \
+  gnupg1 \
+  ca-certificates  \
+  libc-dev \
+  make \
+  openssl \
+  curl \
+  gnupg \
+  wget \
+  libpcre3 libpcre3-dev \
+  zlib1g-dev
+
+COPY . /usr/src/coraza-nginx
+
+# Download sources
+RUN set -eux; \
+    curl "http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -o - | tar zxC /usr/src -f -;
+    # Reuse same cli arguments as the nginx:alpine image used to build
+
+RUN CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p');\
+    cd /usr/src/nginx-$NGINX_VERSION; \
+    ./configure --with-compat "$CONFARGS" --add-dynamic-module=/usr/src/coraza-nginx; \
+    make modules; \
+    mkdir -p /usr/lib/nginx/modules; \
+    find objs/*.so -print; \    
+    cp objs/ngx_*.so /usr/lib/nginx/modules
+
+FROM nginx:stable
+
+RUN sed -i -e "s|events {|load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";\n\nevents {|" /etc/nginx/nginx.conf;
+
+COPY ./coraza.conf /etc/nginx/conf.d/coraza.conf
+COPY --from=ngx-coraza /usr/lib/nginx/modules/ /usr/lib/nginx/modules/
+COPY --from=go-builder /usr/local/lib/libcorazacore.so /usr/local/lib
+COPY --from=go-builder /usr/local/lib/libcorazautils.so /usr/local/lib
+
+RUN ldconfig -v
+
+EXPOSE 80
+STOPSIGNAL SIGTERM
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/config b/config
@@ -10,40 +10,41 @@
 
 ngx_addon_name="ngx_http_coraza_module"
 coraza_dependency="ngx_http_postpone_filter_module \
-                        ngx_http_ssi_filter_module \
-                        ngx_http_charset_filter_module \
-                        ngx_http_xslt_filter_module \
-                        ngx_http_image_filter_module \
-                        ngx_http_sub_filter_module \
-                        ngx_http_addition_filter_module \
-                        ngx_http_gunzip_filter_module \
-                        ngx_http_userid_filter_module \
-                        ngx_http_headers_filter_module \
-                        ngx_http_copy_filter_module"
+                   ngx_http_ssi_filter_module \
+                   ngx_http_charset_filter_module \
+                   ngx_http_xslt_filter_module \
+                   ngx_http_image_filter_module \
+                   ngx_http_sub_filter_module \
+                   ngx_http_addition_filter_module \
+                   ngx_http_gunzip_filter_module \
+                   ngx_http_userid_filter_module \
+                   ngx_http_headers_filter_module \
+                   ngx_http_copy_filter_module"
 
 
 if test -n "$ngx_module_link"; then
 	ngx_module_type=HTTP_FILTER
 	ngx_module_name="$ngx_addon_name"
 	ngx_module_srcs="$ngx_addon_dir/src/ngx_http_coraza_module.c \
-            $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \
-            $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \
-            $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \
-            $ngx_addon_dir/src/ngx_http_coraza_log.c \
-            $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \
-            "
+                     $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \
+                     $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \
+                     $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \
+                     $ngx_addon_dir/src/ngx_http_coraza_log.c \
+                     $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \
+                     $ngx_addon_dir/src/ngx_http_coraza_utils.c \
+                     "
 	ngx_module_deps="$ngx_addon_dir/src/ddebug.h \
-            $ngx_addon_dir/src/ngx_http_coraza_common.h \
-            "
-        ngx_module_libs="-lcorazacore"
-        ngx_module_incs="-I /usr/local/coraza/include"
+                     $ngx_addon_dir/src/ngx_http_coraza_common.h \
+                     "
+    ngx_module_libs="-lcorazacore"
+    ngx_module_incs="-I /usr/local/coraza/include"
 
-        ngx_module_order="ngx_http_chunked_filter_module \
-                          ngx_http_v2_filter_module \
-                          ngx_http_range_header_filter_module \
-                          ngx_http_gzip_filter_module \
-                          $ngx_module_name \
-                          $coraza_dependency";
+    ngx_module_order="ngx_http_chunked_filter_module \
+                      ngx_http_v2_filter_module \
+                      ngx_http_range_header_filter_module \
+                      ngx_http_gzip_filter_module \
+                      $ngx_module_name \
+                      $coraza_dependency";
 
 	. auto/module
 else
@@ -54,19 +55,18 @@ else
 	CORE_LIBS="$CORE_LIBS $ngx_feature_libs"
 
 	HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES ngx_http_coraza_module"
-	NGX_ADDON_SRCS="\
-	    $NGX_ADDON_SRCS \
-	    $ngx_addon_dir/src/ngx_http_coraza_module.c \
-	    $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \
-	    $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \
-	    $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \
-	    $ngx_addon_dir/src/ngx_http_coraza_log.c \
-	    $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \
-	    "
+	NGX_ADDON_SRCS="$NGX_ADDON_SRCS \
+                    $ngx_addon_dir/src/ngx_http_coraza_module.c \
+                    $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \
+                    $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \
+                    $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \
+                    $ngx_addon_dir/src/ngx_http_coraza_log.c \
+                    $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \
+                    $ngx_addon_dir/src/ngx_http_coraza_utils.c \
+                    "
 
-	NGX_ADDON_DEPS="\
-	    $NGX_ADDON_DEPS \
-	    $ngx_addon_dir/src/ddebug.h \
-	    $ngx_addon_dir/src/ngx_http_coraza_common.h \
-	    "
+	NGX_ADDON_DEPS="$NGX_ADDON_DEPS \
+                    $ngx_addon_dir/src/ddebug.h \
+                    $ngx_addon_dir/src/ngx_http_coraza_common.h \
+                    "
 fi
diff --git a/coraza.conf b/coraza.conf
@@ -0,0 +1,5 @@
+coraza on;
+coraza_rules 'SecRuleEngine On
+              SecRule ARGS "@streq whee" "id:10,phase:2"
+              SecRule ARGS "@streq whee" "id:11,phase:2"
+              ';
diff --git a/ngx-modsec.stp → ngx-coraza.stp b/ngx-modsec.stp → ngx-coraza.stp
@@ -6,12 +6,12 @@ global rules_phase
 
 
 # Rules
-probe process("/usr/local/lib/libcoraza.so.3").function("evaluate@rule.cc*")
+probe process("/usr/local/lib/libcoraza.so").function("evaluate@rule.cc*")
 {
     begin_rule = gettimeofday_us();
 }
 
-probe process("/usr/local/lib/libcoraza.so.3").function("evaluate@rule.cc*").return
+probe process("/usr/local/lib/libcoraza.so").function("evaluate@rule.cc*").return
 {
     elapsed_rule = gettimeofday_us() - begin_rule
     rules[$this->m_ruleId] <<< elapsed_rule

diff --git a/src/ngx_http_coraza_common.h b/src/ngx_http_coraza_common.h
@@ -126,5 +126,7 @@ ngx_int_t ngx_http_coraza_pre_access_handler(ngx_http_request_t *r);
 /* ngx_http_coraza_rewrite.c */
 ngx_int_t ngx_http_coraza_rewrite_handler(ngx_http_request_t *r);
 
+/* ngx_http_coraza_utils.c */
+ngx_int_t ngx_str_to_char(ngx_str_t a, char *str, ngx_pool_t *p);
 
 #endif /* _ngx_http_coraza_COMMON_H_INCLUDED_ */
diff --git a/src/ngx_http_coraza_module.c b/src/ngx_http_coraza_module.c
@@ -142,7 +142,9 @@ void ngx_http_coraza_cleanup(void *data)
 
 	ctx = (ngx_http_coraza_ctx_t *)data;
 
-	coraza_transaction_free(ctx->coraza_transaction);
+	if (coraza_free_transaction(ctx->coraza_transaction) != NGX_OK) {
+		dd("cleanup -- transaction free failed: %d", res);
+	};
 }
 
 ngx_inline ngx_http_coraza_ctx_t *
@@ -199,15 +201,20 @@ char *
 ngx_conf_set_rules(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 {
 	int res;
-	char *rules;
+	char *rules = NULL;
 	ngx_str_t *value;
-	char *error;
+	char *error = NULL;
 	ngx_http_coraza_conf_t *mcf = conf;
 	ngx_http_coraza_main_conf_t *mmcf;
 
 	value = cf->args->elts;
 
-	res = coraza_rules_add(mcf->waf, (char *)value[1].data, &error);
+	if (ngx_str_to_char(value[1], rules, cf->pool) != NGX_OK) {
+		dd("Failed to get the rules");
+		return NGX_CONF_ERROR;
+	}
+
+	res = coraza_rules_add(mcf->waf, rules, &error);
 
 	if (res < 0)
 	{
@@ -225,15 +232,20 @@ char *
 ngx_conf_set_rules_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 {
 	int res;
-	char *rules_set;
+	char *rules_set = NULL;
 	ngx_str_t *value;
-	char **error;
+	char **error = NULL;
 	ngx_http_coraza_conf_t *mcf = conf;
 	ngx_http_coraza_main_conf_t *mmcf;
 
 	value = cf->args->elts;
 
-	res = coraza_rules_add(mcf->waf, (char *)value[1].data, &error);
+	if (ngx_str_to_char(value[1], rules_set, cf->pool) != NGX_OK) {
+		dd("Failed to get the rules_file");
+		return NGX_CONF_ERROR;
+	}
+
+	res = coraza_rules_add(mcf->waf, rules_set, error);
 
 	if (res < 0)
 	{
@@ -555,11 +567,11 @@ ngx_http_coraza_merge_conf(ngx_conf_t *cf, void *parent, void *child)
 	dd("CHILD RULES");
 	coraza_rules_dump(c->rules_set);
 #endif
-	rules = coraza_rules_merge(c->waf, p->waf, &error);
+	rules = coraza_rules_merge(c->waf, p->waf, error);
 
 	if (rules < 0)
 	{
-		return error;
+		return *error;
 	}
 
 #if defined(CORAZA_DDEBUG) && (CORAZA_DDEBUG)

diff --git a/src/ngx_http_coraza_pre_access.c b/src/ngx_http_coraza_pre_access.c
@@ -138,6 +138,7 @@ ngx_http_coraza_pre_access_handler(ngx_http_request_t *r)
     {
         int ret = 0;
         int already_inspected = 0;
+        char *file_name = NULL;
 
         dd("request body is ready to be processed");
 
@@ -156,8 +157,7 @@ ngx_http_coraza_pre_access_handler(ngx_http_request_t *r)
 
         if (r->request_body->temp_file != NULL) {
             ngx_str_t file_path = r->request_body->temp_file->file.name;
-            const char *file_name = ngx_str_to_char(file_path, r->pool);
-            if (file_name == (char*)-1) {
+            if (ngx_str_to_char(file_path, file_name, r->pool) != NGX_OK) {
                 return NGX_HTTP_INTERNAL_SERVER_ERROR;
             }
             /*
@@ -166,7 +166,7 @@ ngx_http_coraza_pre_access_handler(ngx_http_request_t *r)
              */
             dd("request body inspection: file -- %s", file_name);
 
-            coraza_request_body_from_file(ctx->coraza_transaction, (char*)file_name);
+            coraza_request_body_from_file(ctx->coraza_transaction, file_name);
 
             already_inspected = 1;
         } else {