From 02da85b09ef620a614f8631f14a2d9545b147de2 Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Thu, 30 Oct 2025 15:37:13 +0100
Subject: [PATCH 01/11] Fix 17th test in 10-request-directives.t
---
 tests/regression/config/10-request-directives.t | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/regression/config/10-request-directives.t b/tests/regression/config/10-request-directives.t
index d5c6f143b..def9f63c6 100644
--- a/tests/regression/config/10-request-directives.t
+++ b/tests/regression/config/10-request-directives.t
@@ -501,7 +501,7 @@
 SecRequestBodyLimit 20
 ),
 match_log => {
- debug => [ qr/Request body is larger than the configured limit \(20\).. Deny with code \(413\)/, 1 ],
+ debug => [ qr/Request body is larger than the configured limit \(20\)./, 1 ],
 },
 match_response => {
 status => qr/^413$/,
From e0883f983af793295aebd4aad2f9e6feb176d184 Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Thu, 30 Oct 2025 16:06:30 +0100
Subject: [PATCH 02/11] Add regression test to GH workflof
---
 .github/workflows/ci.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8ba565f09..77ff36a5a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
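Review bot: The new pattern ends in an unescaped `.`, so `\(20\).` accepts any character after the closing parenthesis rather than the literal period the log message presumably ends with; `qr/Request body is larger than the configured limit \(20\)\./` would pin it. With "Deny with code (413)" dropped from the pattern, the debug-log check no longer ties the limit message to the blocking action, and only the `status => qr/^413$/` assertion below it still covers enforcement. A one-line comment above the entry saying why the log text changed would help the next reader. The test entry starts and ends outside the hunk.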
@@ -110,3 +110,31 @@ jobs:
 run: sudo make install
 - name: run tests
 run: make test
+
+ test-regression-linux:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-22.04]
+ platform: [x32, x64]
+ compiler: [gcc, clang]
+ configure:
+ - {label: "with pcre2, with study, with jit", opt: "--enable-pcre-study=yes --enable-pcre-jit" }
+ - {label: "with pcre, with study, with jit", opt: "--with-pcre --enable-pcre-study=yes --enable-pcre-jit" }
+ steps:
+ - name: Setup Dependencies
+ run: |
+ sudo apt-get update -y -qq
+ sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev pkg-config libyajl-dev apache2 apache2-bin apache2-data perl libwww-perl
+ - uses: actions/checkout@v2
+ - name: autogen.sh
+ run: ./autogen.sh
+ - name: configure ${{ matrix.configure.label }}
+ run: ./configure ${{ matrix.configure.opt }} 'CFLAGS=-Werror=format-security'
+ - uses: ammaraskar/gcc-problem-matcher@master
+ - name: make
+ run: make -j `nproc`
+ - name: install module
+ run: sudo make install
+ - name: run regression tests
+ run: make test-regression
From 432299c60614293ff6ed3a3b9ef90d38af914ada Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Thu, 30 Oct 2025 21:19:57 +0100
Subject: [PATCH 03/11] Add necessary packages
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 77ff36a5a..bfc558ff8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
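Review bot: The new job runs `ammaraskar/gcc-problem-matcher@master`, a third-party action referenced by a mutable branch, so whatever that branch points to at run time executes inside the workflow. Pin it to a reviewed full commit SHA, e.g. `- uses: ammaraskar/gcc-problem-matcher@<full-commit-sha>`, and do the same for `actions/checkout@v2`, which is a movable tag. Separately, no step in this job reads `matrix.platform` or `matrix.compiler`, so the eight matrix combinations appear to build and test each of the two configurations four times over; either pass those values to `./configure` or drop them from the matrix.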
@@ -125,7 +125,7 @@ jobs:
 - name: Setup Dependencies
 run: |
 sudo apt-get update -y -qq
- sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev pkg-config libyajl-dev apache2 apache2-bin apache2-data perl libwww-perl
+ sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev pkg-config libyajl-dev apache2 apache2-bin apache2-data perl libwww-perl ssdeep libfuzzy-dev libfuzzy2
 - uses: actions/checkout@v2
 - name: autogen.sh
 run: ./autogen.sh
From 87df298cfad913c82cdadf4ea9d93742d1f40dbe Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Thu, 30 Oct 2025 21:55:47 +0100
Subject: [PATCH 04/11] Reduce number of regression test matrix size
---
 .github/workflows/ci.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bfc558ff8..55445ee53 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -115,12 +115,14 @@ jobs:
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
- os: [ubuntu-22.04]
- platform: [x32, x64]
- compiler: [gcc, clang]
+ os: [ubuntu-latest]
+ #platform: [x32, x64]
+ platform: [x64]
+ #compiler: [gcc, clang]
+ compiler: [gcc]
 configure:
 - {label: "with pcre2, with study, with jit", opt: "--enable-pcre-study=yes --enable-pcre-jit" }
- - {label: "with pcre, with study, with jit", opt: "--with-pcre --enable-pcre-study=yes --enable-pcre-jit" }
+ #- {label: "with pcre, with study, with jit", opt: "--with-pcre --enable-pcre-study=yes --enable-pcre-jit" }
 steps:
 - name: Setup Dependencies
 run: |
From 53fba164760cd8fb3fdde207892d79b6d8bdc881 Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Thu, 30 Oct 2025 22:31:07 +0100
Subject: [PATCH 05/11] Bump OS version to ubuntu-release
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
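Review bot: Commenting out the `--with-pcre` entry in the `@@ -115,12 +115,14 @@` hunk means the regression suite now runs only against the pcre2 build, so a regression specific to the legacy PCRE code path would no longer be caught by this job. If the reduction is a temporary measure to cut runtime, say so in place, e.g. `# TODO: re-enable once the regression run is fast enough`, instead of leaving bare commented-out matrix values. If it is permanent, delete the lines. The job's steps continue outside the hunk.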
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 55445ee53..0a1eceaa6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
- os: [ubuntu-22.04]
+ os: [ubuntu-latest]
 platform: [x32, x64]
 compiler: [gcc, clang]
 configure:
@@ -79,7 +79,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
- os: [ubuntu-22.04]
+ os: [ubuntu-latest]
 platform: [x32, x64]
 compiler: [gcc, clang]
 configure:
From b9b4de14b612d7ce4cb37503af39f90ba1e1f3a2 Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Thu, 30 Oct 2025 22:37:53 +0100
Subject: [PATCH 06/11] Downgrade OS to ubuntu-24.04, install explicit old PCRE
---
 .github/workflows/ci.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0a1eceaa6..d0dbb4ffe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
- os: [ubuntu-latest]
+ os: [ubuntu-24.04]
 platform: [x32, x64]
 compiler: [gcc, clang]
 configure:
@@ -27,7 +27,7 @@ jobs:
 - name: Setup Dependencies
 run: |
 sudo apt-get update -y -qq
- sudo apt-get install -y apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev pkg-config libyajl-dev apache2 apache2-bin apache2-data
+ sudo apt-get install -y apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data
 - uses: actions/checkout@v2
 - name: autogen.sh
 run: ./autogen.sh
@@ -79,7 +79,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
- os: [ubuntu-latest]
+ os: [ubuntu-24.04]
 platform: [x32, x64]
 compiler: [gcc, clang]
 configure:
@@ -97,7 +97,7 @@ jobs:
 - name: Setup Dependencies
 run: |
 sudo apt-get update -y -qq
- sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev pkg-config libyajl-dev apache2 apache2-bin apache2-data
+ sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data
 - uses: actions/checkout@v2
 - name: autogen.sh
 run: ./autogen.sh
@@ -115,7 +115,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
- os: [ubuntu-latest]
+ os: [ubuntu-24.04]
 #platform: [x32, x64]
 platform: [x64]
 #compiler: [gcc, clang]
@@ -127,7 +127,7 @@ jobs:
 - name: Setup Dependencies
 run: |
 sudo apt-get update -y -qq
- sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev pkg-config libyajl-dev apache2 apache2-bin apache2-data perl libwww-perl ssdeep libfuzzy-dev libfuzzy2
+ sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data perl libwww-perl ssdeep libfuzzy-dev libfuzzy2
 - uses: actions/checkout@v2
 - name: autogen.sh
 run: ./autogen.sh
From bbe5239d4d691de0d31309155e159ba8c324c2e1 Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Fri, 7 Nov 2025 20:44:52 +0100
Subject: [PATCH 07/11] Try to improve script's performance; removed regression/misc/10-tfn-cache.t
---
 tests/regression/misc/10-tfn-cache.t | 187 ---------------------------
 tests/run-regression-tests.pl.in | 10 +-
 2 files changed, 8 insertions(+), 189 deletions(-)
 delete mode 100644 tests/regression/misc/10-tfn-cache.t
diff --git a/tests/regression/misc/10-tfn-cache.t b/tests/regression/misc/10-tfn-cache.t
deleted file mode 100644
index f0a663e49..000000000
--- a/tests/regression/misc/10-tfn-cache.t
+++ /dev/null
@@ -1,187 +0,0 @@ -### Transformation Caching - -{ - type => "misc", - comment => "tfncache (simple fully cached)", - conf => qq( - SecRuleEngine On - SecDebugLog $ENV{DEBUG_LOG} - SecDebugLogLevel 9 - - # We need to make this work no matter what the defaults may change to - SecCacheTransformations On "minlen:1,maxlen:0" - - # This should cache it - SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500037" - - # This should use the cached value - SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500038" - ), - match_log => { - debug => [ qr/removeWhiteSpace,lowercase: "foobar" .*cached/, 1 ], - -debug => [ qr/partially cached/, 1 ], - }, - match_response => { - status => qr/^403$/, - }, - request => new HTTP::Request( - GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html?test=Foo+Bar", - ), -}, -{ - type => "misc", - comment => "tfncache (simple partially cached)", - conf => qq( - SecRuleEngine On - SecDebugLog $ENV{DEBUG_LOG} - SecDebugLogLevel 9 - - # We need to make this work no matter what the defaults may change to - SecCacheTransformations On "minlen:1,maxlen:0,incremental:off,maxitems:0" - - # This should cache it - SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,pass,nolog,id:500039" - - # This should use the partially cached value - SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500040" - ), - match_log => { - debug => [ qr/removeWhiteSpace: "FooBar" .*partially cached/, 1 ], - }, - match_response => { - status => qr/^403$/, - }, - request => new HTTP::Request( - GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html?test=Foo+Bar", - ), -}, -{ - type => "misc", - comment => "tfncache (separate phases)", - conf => qq( - SecRuleEngine On - SecDebugLog $ENV{DEBUG_LOG} - SecDebugLogLevel 9 - - # We need to make this work no matter what the defaults may change to - SecCacheTransformations On 
"minlen:1,maxlen:0" - - # This should cache it - SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500041" - - # This should use the cached value - SecRule ARGS_GET:test "foobar" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500042" - ), - match_log => { - -debug => [ qr/removeWhiteSpace,lowercase: "foobar" .*cached/, 1 ], - }, - match_response => { - status => qr/^403$/, - }, - request => new HTTP::Request( - GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html?test=Foo+Bar", - ), -}, -{ - type => "misc", - comment => "tfncache (non-modifying tfns cached)", - conf => qq( - SecRuleEngine On - SecDebugLog $ENV{DEBUG_LOG} - SecDebugLogLevel 9 - - # We need to make this work no matter what the defaults may change to - SecCacheTransformations On "minlen:1,maxlen:0" - - # This should cache it - SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500043" - - # This should use the cached value - SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500044" - ), - match_log => { - debug => [ qr/removeWhiteSpace,lowercase: "foobar" .*cached/, 1 ], - }, - match_response => { - status => qr/^403$/, - }, - request => new HTTP::Request( - GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html?test=foo+bar", - ), -}, -{ - type => "misc", - comment => "tfncache (unique keys)", - conf => qq( - SecRuleEngine On - SecDebugLog $ENV{DEBUG_LOG} - SecDebugLogLevel 9 - SecRequestBodyAccess On - - # We need to make this work no matter what the defaults may change to - SecCacheTransformations On "minlen:1,maxlen:0" - - # This should cache it - SecRule ARGS "WillNotMatch" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,pass,id:500045" - - # This should see cached versions of *both* ARGS_GET - SecRule ARGS:test "queryval" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,deny,chain,id:500046" - SecRule ARGS:test "firstval" 
"t:none,t:removeWhiteSpace,t:lowercase,chain" - SecRule ARGS:test "secondval" "t:none,t:removeWhiteSpace,t:lowercase" - ), - match_log => { - debug => [ qr/removeWhiteSpace,lowercase: "queryval" .*removeWhiteSpace,lowercase: "firstval" .*cached.*removeWhiteSpace,lowercase: "secondval" .*cached/s, 1 ], - }, - match_response => { - status => qr/^403$/, - }, - request => new HTTP::Request( - POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html?test=Query+Val", - [ - "Content-Type" => "application/x-www-form-urlencoded", - ], - # Args - "test=First+Val&test=Second+Val", - ), -}, -{ - type => "misc", - comment => "tfncache (large cache)", - conf => qq( - SecRuleEngine On - SecDebugLog $ENV{DEBUG_LOG} - SecDebugLogLevel 9 - SecRequestBodyAccess On - - SecRequestBodyNoFilesLimit 1048576 - SecRequestBodyInMemoryLimit 131072 - SecResponseBodyLimit 1048576 - - # We need to make this work no matter what the defaults may change to - SecCacheTransformations On "minlen:1,maxlen:0,maxitems:0" - - # This should cache it in all phases - SecRule ARGS "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500048" - SecRule ARGS "WillNotMatch" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500049" - SecRule ARGS "WillNotMatch" "phase:3,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500050" - SecRule ARGS "WillNotMatch" "phase:4,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500051" - - # This should use the cached value - SecRule ARGS "foobar" "phase:4,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500052" - ), - match_log => { - debug => [ qr/Adding request argument \(BODY\): name "test", value "Foo Bar"/, 60, "Waiting for httpd to process request: "], - -error => [ qr/segmentation fault/i, 60 ], - }, - match_response => { - status => qr/^403$/, - }, - request => new HTTP::Request( - POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html", - [ - "Content-Type" => "application/x-www-form-urlencoded", - ], - # 1000 Args - 
join("&", map { sprintf "arg%08d=0123456789abcdef+0123456789ABCDEF+0123456789abcdef", $_ } (1 .. 999))."&test=Foo+Bar",
- ),
-},
diff --git a/tests/run-regression-tests.pl.in b/tests/run-regression-tests.pl.in
index d8db03304..74a4c038c 100755
--- a/tests/run-regression-tests.pl.in
+++ b/tests/run-regression-tests.pl.in
@@ -474,10 +474,16 @@ sub match_log {
 #dbg("Match \"$re\" in $name \"$$rbuf\" ($n)");
 if ($$rbuf =~ m/$re/m) {
 $rc = $&;
+ # clear buffer
+ $$rbuf =~ s/.*$re//sm;
 last;
 }
- # TODO: Use select()/poll()
- sleep 0.1 unless ($nbytes == $BUFSIZ);
+ unless ($nbytes == $BUFSIZ) {
+ # wait until we can read from the file but max 0.1 secs
+ my $rin = '';
+ vec($rin, fileno($fh), 1) = 1;
+ select($rin, undef, undef, 0.1);
+ }
 if ($graph and $opt{d}) {
 $i++;
 if ($i == 10) {
From eb33fc161176569bf961202c1032247f5aac2d54 Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Fri, 7 Nov 2025 20:53:01 +0100
Subject: [PATCH 08/11] Remove buffer cleaning
---
 tests/run-regression-tests.pl.in | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tests/run-regression-tests.pl.in b/tests/run-regression-tests.pl.in
index 74a4c038c..008767793 100755
--- a/tests/run-regression-tests.pl.in
+++ b/tests/run-regression-tests.pl.in
@@ -474,8 +474,6 @@ sub match_log {
 #dbg("Match \"$re\" in $name \"$$rbuf\" ($n)");
 if ($$rbuf =~ m/$re/m) {
 $rc = $&;
- # clear buffer
- $$rbuf =~ s/.*$re//sm;
 last;
 }
 unless ($nbytes == $BUFSIZ) {
From 4aec5bfd9a95acead53849aed4a16bcbba26ef82 Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Fri, 7 Nov 2025 21:01:46 +0100
Subject: [PATCH 09/11] Run tests by files
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d0dbb4ffe..300171fdb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
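Review bot: The `select($rin, undef, undef, 0.1)` added to `match_log` in the `@@ -474,10 +474,16 @@` hunk will not wait if `$fh` is a regular log file, because select() reports regular files as always readable. The loop would then spin without pausing instead of sleeping up to 0.1 s as the new comment says. If a bounded pause is what is wanted, `select(undef, undef, undef, 0.1);` sleeps for the interval regardless of handle type, and the `$rin` and `vec` lines can go. How `$fh` is opened is outside the hunk, so confirm it is not a pipe or socket before changing this.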
@@ -139,4 +139,4 @@ jobs: - name: install module run: sudo make install - name: run regression tests - run: make test-regression + run: cd tests; time for f in `find regression/ -maxdepth 2 -mindepth 2 -name "*.t" | tr "\012" " "`; do time ./run-regression-tests.pl -S . ${f}; done From ccec3a737a4270e02f365a084a03b78ef90d04ee Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Fri, 7 Nov 2025 21:09:53 +0100 Subject: [PATCH 10/11] Add timestamp to DBG output; Run tests in debug mode --- .github/workflows/ci.yml | 2 +- tests/run-regression-tests.pl.in | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 300171fdb..5940767da 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -139,4 +139,4 @@ jobs: - name: install module run: sudo make install - name: run regression tests - run: cd tests; time for f in `find regression/ -maxdepth 2 -mindepth 2 -name "*.t" | tr "\012" " "`; do time ./run-regression-tests.pl -S . ${f}; done + run: cd tests; time for f in `find regression/ -maxdepth 2 -mindepth 2 -name "*.t" | tr "\012" " "`; do time ./run-regression-tests.pl -S . -d ${f}; done diff --git a/tests/run-regression-tests.pl.in b/tests/run-regression-tests.pl.in index 008767793..ca4e90fa7 100755 --- a/tests/run-regression-tests.pl.in +++ b/tests/run-regression-tests.pl.in @@ -536,7 +536,8 @@ sub dbg { my $out = join "", map { (ref $_ ne "" ? Dumper($_) : $_) } @_; - $out =~ s/^/DBG: /mg; + my $t = gettimeofday; + $out =~ s/^/DBG\[$t\]: /mg; print STDOUT "$out\n"; } From f33e2ccabedc4b249d9cfff9295284d65057e9c6 Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Sat, 8 Nov 2025 13:28:51 +0100 Subject: [PATCH 11/11] Decrease number of printed dots during match_log execution --- tests/run-regression-tests.pl.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/run-regression-tests.pl.in b/tests/run-regression-tests.pl.in index ca4e90fa7..a2979e08e 100755 
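Review bot: Whether a failing test file fails this step is not visible in the new `run:` line of the first `@@ -139,4 +139,4 @@` hunk: the result depends on the exit status of `./run-regression-tests.pl` and on how the shell treats a failure inside `time for …; done`. Making it explicit, e.g. `./run-regression-tests.pl -S . ${f} || exit 1; done`, removes the doubt; if every file should run before reporting, set a flag in the loop and exit non-zero after it. `find` also returns files in directory order, so piping it through `sort` would make runs comparable, and the `tr "\012" " "` is redundant because the shell already splits the substitution on newlines. The next patch edits the same line to add `-d`, so the same applies there.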
--- a/tests/run-regression-tests.pl.in
+++ b/tests/run-regression-tests.pl.in
@@ -484,7 +484,7 @@ sub match_log {
 }
 if ($graph and $opt{d}) {
 $i++;
- if ($i == 10) {
+ if ($i == 1000) {
 $graphed++;
 $i=0;
 print STDERR $graph if ($graphed == 1);