v3/master: ruleRemoveTargetById doesn't work with range id #2110

@theMiddleBlue


Hi,

It seems that a "range id" can't be used on ctl:ruleRemoveTargetById=<range>;ARGS:foo; it works only by using a specific rule id.

regression test

[
  {
    "enabled":1,
    "version_min":300000,
    "title":"Testing ctl:ruleRemoveTargetById - issue 1444",
    "expected":{
      "http_code":200
    },
    "client":{
      "ip":"127.0.0.1",
      "port":123
    },
    "request":{
      "headers":{
        "Host":"localhost",
        "User-Agent":"curl/7.38.0",
        "Accept":"*/*"
      },
      "uri":"index.php?foo=bar&z=xxx",
      "method":"GET",
      "body": ""
    },
    "server":{
      "ip":"127.0.0.1",
      "port":80
    },
    "rules":[
        "SecRuleEngine On",
        "SecRule ARGS:foo \"@rx ^bar$\" \"id:100,phase:1,ctl:ruleRemoveTargetById=1000-1999;ARGS:z\"",
        "SecRule ARGS:z \"@rx ^xxx$\" \"id:1010,phase:1,deny,status:403\""
    ]
  }
]

executing test

ModSecurity 3.0.3 - tests
(options are not available -- missing GetOpt)

  # File Name                                         Test Name                                                             Passed?   
--- ---------                                         ---------                                                             -------   
  1 issue-1444.json                                   Testing ctl:ruleRemoveTargetById - issue 1444                         failed!

Test failed. From: test/test-cases/regression/issue-1444.json.
Test name: Testing ctl:ruleRemoveTargetById - issue 1444.
Reason: 
HTTP code mismatch. expecting: 200 got: 403

Debug log:
[15596415139.550631] [] [4] Initializing transaction
[15596415139.550631] [] [4] Transaction context created.
[15596415139.550631] [] [4] Starting phase CONNECTION. (SecRules 0)
[15596415139.550631] [] [9] This phase consists of 0 rule(s).
[15596415139.550631] [] [4] Starting phase URI. (SecRules 0 + 1/2)
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] Adding request argument (GET): name "foo", value "bar"
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] Adding request argument (GET): name "z", value "xxx"
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] Starting phase REQUEST_HEADERS.  (SecRules 1)
[15596415139.550631] [index.php?foo=bar&z=xxx] [9] This phase consists of 2 rule(s).
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] (Rule: 100) Executing operator "Rx" with param "^bar$" against ARGS:foo.
[15596415139.550631] [index.php?foo=bar&z=xxx] [9] Target value: "bar" (Variable: ARGS:foo)
[15596415139.550631] [index.php?foo=bar&z=xxx] [9] Matched vars updated.
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] Rule returned 1.
[15596415139.550631] [index.php?foo=bar&z=xxx] [9] Running action: ctl
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] (Rule: 1010) Executing operator "Rx" with param "^xxx$" against ARGS:z.
[15596415139.550631] [index.php?foo=bar&z=xxx] [9] Target value: "xxx" (Variable: ARGS:z)
[15596415139.550631] [index.php?foo=bar&z=xxx] [9] Matched vars updated.
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] Rule returned 1.
[15596415139.550631] [index.php?foo=bar&z=xxx] [9] Running action: status
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] Running (disruptive)     action: deny.
[15596415139.550631] [index.php?foo=bar&z=xxx] [8] Running action deny
[15596415139.550631] [index.php?foo=bar&z=xxx] [8] Skipping this phase as this request was already intercepted.
[15596415139.550631] [index.php?foo=bar&z=xxx] [9] Appending request body: 0 bytes. Limit set to: 0.000000
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] Starting phase REQUEST_BODY. (SecRules 2)
[15596415139.550631] [index.php?foo=bar&z=xxx] [9] This phase consists of 0 rule(s).
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] Starting phase RESPONSE_HEADERS. (SecRules 3)
[15596415139.550631] [index.php?foo=bar&z=xxx] [9] This phase consists of 0 rule(s).
[15596415139.550631] [index.php?foo=bar&z=xxx] [9] Appending response body: 0 bytes. Limit set to: 0.000000
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] Starting phase RESPONSE_BODY. (SecRules 4)
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] Response body is disabled, returning... 2
[15596415139.550631] [index.php?foo=bar&z=xxx] [4] Starting phase LOGGING. (SecRules 5)
[15596415139.550631] [index.php?foo=bar&z=xxx] [9] This phase consists of 0 rule(s).
[15596415139.550631] [index.php?foo=bar&z=xxx] [8] Checking if this request is suitable to be saved as an audit log.
[15596415139.550631] [index.php?foo=bar&z=xxx] [8] Checking if this request is relevant to be part of the audit logs.
[15596415139.550631] [index.php?foo=bar&z=xxx] [5] Audit log engine was not set.
[15596415139.550631] [index.php?foo=bar&z=xxx] [8] Request was relevant to be saved. Parts: 4430

Error log:
[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Rx' with parameter `^xxx$' against variable `ARGS:z' (Value: `xxx' ) [file "issue-1444.json"] [line "3"] [id "1010"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "index.php"] [unique_id "15596415139.550631"] [ref "o0,3v24,3"]

Ran a total of: 1 regression tests - 1 failed. 0 skipped test(s). 0 disabled test(s).

I can't find the relevant documentation, but in v2 it works as expected.

Thanks!
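
One way to audit a rule set for the affected form, as an added example that is not part of the original report or of ModSecurity: the script flags ctl:ruleRemoveTargetById actions that use an id range and, for each rule id in the scanned text that the range covers, lists the single-id form that the report says works. The function name, the regexes and the simplified target grammar (a target ends at a comma, quote or whitespace) are assumptions; the sample input is the rule set from the regression test above.

```python
import re

# Sample input: the three directives from the regression test in the report,
# with the JSON string escaping removed.
SAMPLE_RULES = r'''
SecRuleEngine On
SecRule ARGS:foo "@rx ^bar$" "id:100,phase:1,ctl:ruleRemoveTargetById=1000-1999;ARGS:z"
SecRule ARGS:z "@rx ^xxx$" "id:1010,phase:1,deny,status:403"
'''

# Assumption: the target is a simple token such as ARGS:z (no commas or quotes).
CTL_RE = re.compile(r'ctl:ruleRemoveTargetById=(\d+)(?:-(\d+))?;([^,"\s]+)')
# Matches id:1010 and id:'1010' inside an action list.
ID_RE = re.compile(r"\bid:'?(\d+)")


def find_range_exclusions(rules_text):
    """Return one finding per ctl:ruleRemoveTargetById that uses an id range."""
    known_ids = sorted({int(i) for i in ID_RE.findall(rules_text)})
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        for lo, hi, target in CTL_RE.findall(line):
            if not hi:
                continue  # single id: the form the report says works
            lo, hi = int(lo), int(hi)
            # Only rules present in the scanned text can be enumerated.
            covered = [i for i in known_ids if lo <= i <= hi]
            findings.append({
                "line": lineno,
                "range": (lo, hi),
                "target": target,
                "covered_ids": covered,
                # Single-id actions covering the same rules of this rule set.
                "rewrite": ",".join(
                    f"ctl:ruleRemoveTargetById={i};{target}" for i in covered
                ),
            })
    return findings


if __name__ == "__main__":
    for f in find_range_exclusions(SAMPLE_RULES):
        print(f"line {f['line']}: range {f['range']} on {f['target']}")
        print(f"  rules covered in this file: {f['covered_ids']}")
        print(f"  single-id form: {f['rewrite']}")
```

The rewrite only covers rule ids defined in the text passed in, so run it over the concatenation of every rule file the engine loads.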

Labels

3.x: Related to ModSecurity version 3.x
