From d17900f96cf6960266ec529ef73368c353bf5f80 Mon Sep 17 00:00:00 2001
From: Kit Chan
Date: Tue, 11 Aug 2020 17:21:00 -0700
Subject: [PATCH 1/2] Add modsecurity lua script to example
---
 example/plugins/lua-api/modsecurity/C.lua | 26 ++
 example/plugins/lua-api/modsecurity/README.md | 70 ++++++
 .../modsecurity/ats-luajit-modsecurity.lua | 222 ++++++++++++++++++
 .../plugins/lua-api/modsecurity/example.conf | 28 +++
 example/plugins/lua-api/modsecurity/msc.lua | 60 +++++
 .../lua-api/modsecurity/msc_config.lua | 25 ++
 .../plugins/lua-api/modsecurity/owasp.conf | 64 +++++
 7 files changed, 495 insertions(+)
 create mode 100644 example/plugins/lua-api/modsecurity/C.lua
 create mode 100644 example/plugins/lua-api/modsecurity/README.md
 create mode 100644 example/plugins/lua-api/modsecurity/ats-luajit-modsecurity.lua
 create mode 100644 example/plugins/lua-api/modsecurity/example.conf
 create mode 100644 example/plugins/lua-api/modsecurity/msc.lua
 create mode 100644 example/plugins/lua-api/modsecurity/msc_config.lua
 create mode 100644 example/plugins/lua-api/modsecurity/owasp.conf
diff --git a/example/plugins/lua-api/modsecurity/C.lua b/example/plugins/lua-api/modsecurity/C.lua
new file mode 100644
index 00000000000..7e0a27bb8ec
--- /dev/null
+++ b/example/plugins/lua-api/modsecurity/C.lua
@@ -0,0 +1,26 @@
+-- Licensed to the Apache Software Foundation (ASF) under one
+-- or more contributor license agreements. See the NOTICE file
+-- distributed with this work for additional information
+-- regarding copyright ownership. The ASF licenses this file
+-- to you under the Apache License, Version 2.0 (the
+-- "License"); you may not use this file except in compliance
+-- with the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+
+-- module containing common C functions to be used
+
+local ffi = require("ffi")
+
+ffi.cdef[[
+ void free(void *ptr);
+]]
+
+return ffi.C
diff --git a/example/plugins/lua-api/modsecurity/README.md b/example/plugins/lua-api/modsecurity/README.md
new file mode 100644
index 00000000000..b563d018c43
--- /dev/null
+++ b/example/plugins/lua-api/modsecurity/README.md
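Review bot: The cdef declares only `free`, but nothing in this file says why it exists, and the ownership contract it serves (the `url` and `log` strings that `msc_intervention` fills into `ModSecurityIntervention` are released by the caller) lives in ats-luajit-modsecurity.lua. A one-line comment would keep that contract next to the declaration: `-- free() releases the url/log strings libmodsecurity allocates into ModSecurityIntervention; the connector owns them after msc_intervention returns`. That also records the assumption that `ffi.C.free` and the library's allocator are the same C runtime, which is what makes the free in the connector safe.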
@@ -0,0 +1,70 @@
+Integrating ATS with ModSecurity V3 using LuaJIT and FFI
+====
+
+Opensource WAF for [Apache Traffic Server](http://trafficserver.apache.org/).
+
+Requirement
+====
+ - ModSecurity v3.0.4
+ - ATS 8.0.8
+
+How to Use
+====
+ - Copy all lua files to `/usr/local/var/lua`
+ - Put the example modsecurity rule file (`example.conf`) to `/usr/local/var/modsecurity` , readable by the ATS process
+ - Add a line in `/usr/local/etc/trafficserver/plugin.config` and restart ats
+
+```
+tslua.so --enable-reload /usr/local/var/lua/ats-luajit-modsecurity.lua /usr/local/var/modsecurity/example.conf
+```
+
+ - Changes can be made to example.conf and can be reloaded without restarting ATS. Just follow instructions [here](https://docs.trafficserver.apache.org/en/latest/appendices/command-line/traffic_ctl.en.html#cmdoption-traffic-ctl-config-arg-reload)
+
+Contents/Rules inside example.conf
+====
+ - deny any request with query parameter of `testparam=test2` with a 403 status response
+ - return any request with query parameter of `testparam=test1` with 301 redirect response to https://www.yahoo.com/
+ - override any response with header `test` equal to `1` with a 403 status response
+ - override any response with header `test` equal to `2` with a 301 redirect response to https://www.yahoo.com/
+ - write debug log out to `/tmp/debug.log`
+
+Working with CRS
+====
+ - Go to [here](https://github.com/SpiderLabs/owasp-modsecurity-crs) and get release v3.2.0
+ - Uncompress the contents and copy `crs-setup.conf.example` to `/usr/local/var/modsecurity` and rename it to `crs-setup.conf`
+ - Copy all files in `rules` directory to `/usr/local/var/modsecurity/rules`
+ - Copy `owasp.conf` in this repository to `/usr/local/var/modsecurity`
+ - Change `/usr/local/etc/trafficserver/plugin.config` to add the following line and restart ats
+
+```
+tslua.so --enable-reload /usr/local/var/lua/ats-luajit-modsecurity.lua /usr/local/var/modsecurity/owasp.conf
+```
+
+ - The following example curl command against your server should get a status 403 Forbidden response
+
+ ```
+ curl -v -H "User-Agent: Nikto" 'http:///'
+ ```
+
+Extra Notes with CRS
+====
+ - Please check out this [link](https://github.com/SpiderLabs/ModSecurity/issues/1734) for performance related information
+ - To turn on debugging, you can uncomment the following inside `owasp.conf`
+
+```
+SecDebugLog /tmp/debug.log
+SecDebugLogLevel 9
+```
+
+- Rule ID 910100 in REQUEST-910-IP-REPUTATION.conf in `rules` directory requires GeoIP and have to be commented out if you do not built the modsecurity library with it.
+- We use `SecRuleRemoveById` inside `owasp.conf` to remove rules checking for request and response body. This trick can be used to remove other rules that does not apply well in some situations.
+
+
+TODOs/Limitations
+====
+ - No support for `REQUEST_BODY` examination (We need to buffer the request body for examination first before we send to origin.)
+ - No support for `RESPONSE BODY` examination (We need to uncompress the contents first if they are gzipped. And that will be expensive operation for proxy)
+ - How does this work with the lua engine inside ModSecurity V3?
+ - Unit Test using busted framework
+ - More functional testing needed
+ - Performance testing - impact to latency and capacity
diff --git a/example/plugins/lua-api/modsecurity/ats-luajit-modsecurity.lua b/example/plugins/lua-api/modsecurity/ats-luajit-modsecurity.lua
new file mode 100644
index 00000000000..caa42eae083
--- /dev/null
+++ b/example/plugins/lua-api/modsecurity/ats-luajit-modsecurity.lua
@@ -0,0 +1,222 @@
+-- Licensed to the Apache Software Foundation (ASF) under one
+-- or more contributor license agreements. See the NOTICE file
+-- distributed with this work for additional information
+-- regarding copyright ownership. The ASF licenses this file
+-- to you under the Apache License, Version 2.0 (the
+-- "License"); you may not use this file except in compliance
+-- with the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+
+ts.add_package_path('/usr/local/var/lua/?.lua')
+
+local msc = require("msc")
+local msc_config = require("msc_config")
+local ffi = require("ffi")
+local C = require("C")
+
+local mst = msc.msc_init()
+msc.msc_set_connector_info(mst, "ModSecurity-ats")
+
+-- Initialization. Load the modsecurity configuration passed to this lua module
+function __init__(argtb)
+ if (#argtb) < 1 then
+ ts.error("No ModSecurity Conf is given")
+ return -1
+ end
+
+ msc_config.rulesfile = argtb[1]
+ ts.debug("ModSecurity Conf file is " .. msc_config.rulesfile)
+
+ msc_config.rules = msc.msc_create_rules_set()
+ local error = ffi.new("const char *[1]")
+ local result = msc.msc_rules_add_file(msc_config.rules, msc_config.rulesfile, error)
+ if(result < 0) then
+ ts.error("Problems loading the rules: ".. ffi.string(error[0]))
+ msc.msc_rules_cleanup(msc_config.rules)
+ msc_config.rules = nil
+ return -1
+ end
+
+end
+
+-- Reload modsecurity configuration. Trigger by "traffic_ctl config reload"
+function __reload__()
+ ts.debug("Reloading ModSecurity Conf: " .. msc_config.rulesfile)
+
+ newrules = msc.msc_create_rules_set()
+ local error = ffi.new("const char *[1]")
+ local result = msc.msc_rules_add_file(newrules, msc_config.rulesfile, error)
+ if(result < 0) then
+ ts.error("Problems loading the rules during reload: ".. ffi.string(error[0]))
+
+ msc.msc_rules_cleanup(newrules)
+ newrules = nil
+ else
+ -- TODO: we are not doing clean up on the old rules and thus leaking resources here
+ msc_config.rules = newrules
+ end
+
+end
+
+-- Entry point function run for each incoming request
+function do_global_read_request()
+ if(msc_config.rules == nil) then
+ ts.debug("No rules loaded. Thus there is no processing done")
+ return 0
+ end
+ local txn = msc.msc_new_transaction(mst, msc_config.rules ,nil)
+
+ -- processing for the connection information
+ local client_ip, client_port, client_ip_family = ts.client_request.client_addr.get_addr()
+ local incoming_port = ts.client_request.client_addr.get_incoming_port()
+ msc.msc_process_connection(txn, client_ip, client_port, "127.0.0.1", incoming_port)
+
+ -- processing for the uri information
+ local uri = ts.client_request.get_uri()
+ local query_params = ts.client_request.get_uri_args() or ''
+ if (query_params ~= '') then
+ uri = uri .. '?' .. query_params
+ end
+ msc.msc_process_uri(txn, uri, ts.client_request.get_method(), ts.client_request.get_version())
+
+ -- processing for the request headers
+ local hdrs = ts.client_request.get_headers()
+ for k, v in pairs(hdrs) do
+ msc.msc_add_request_header(txn, k, v)
+ end
+ msc.msc_process_request_headers(txn)
+ msc.msc_process_request_body(txn)
+ ts.debug("done with processing request")
+
+ -- detect if intervention is needed
+ local iv = ffi.new("ModSecurityIntervention")
+ iv.status = 200
+ iv.log = nil
+ iv.url = nil
+ iv.disruptive = 0
+ local iv_res = msc.msc_intervention(txn, iv)
+ ts.debug("done with intervention ".. iv_res .. ' with status ' .. iv.status )
+
+ if(iv.log ~= nil) then
+ ts.debug("Intervention log: " .. ffi.string(iv.log))
+ C.free(iv.log)
+ end
+
+ -- if found an intervention url, trigger handler when sending response to client
+ if(iv.url ~= nil) then
+ ts.ctx['url'] = ffi.string(iv.url)
+ ts.hook(TS_LUA_HOOK_SEND_RESPONSE_HDR, send_response)
+ C.free(iv.url)
+ end
+
+ -- intervention is needed if status is not 200
+ if (iv.status ~= 200) then
+ ts.http.set_resp(iv.status)
+ msc.msc_process_logging(txn)
+ msc.msc_transaction_cleanup(txn)
+ ts.debug("done with setting custom response")
+ return 0
+ end
+
+ -- storing modsecurity object in context
+ ts.ctx["mst"] = txn
+ ts.debug("done with setting context")
+
+ -- trigger handler to run when response is received
+ ts.hook(TS_LUA_HOOK_READ_RESPONSE_HDR, read_response)
+
+ return 0
+end
+
+-- function run when response is received from origin
+function read_response()
+ -- retriving modsecurity object
+ local txn = ts.ctx["mst"]
+
+ if(txn == nil) then
+ ts.error("no transaction object")
+ return 0
+ end
+
+ -- processing for the response headers
+ local hdrs = ts.server_response.get_headers()
+ for k, v in pairs(hdrs) do
+ msc.msc_add_response_header(txn, k, v)
+ end
+ msc.msc_process_response_headers(txn, ts.server_response.get_status(), "HTTP/"..ts.server_response.get_version())
+ msc.msc_process_response_body(txn)
+ ts.debug("done with processing response")
+
+ -- determine if intervention is needed
+ local iv = ffi.new("ModSecurityIntervention")
+ iv.status = 200
+ iv.log = nil
+ iv.url = nil
+ iv.disruptive = 0
+ local iv_res = msc.msc_intervention(txn, iv)
+ ts.debug("done with intervention ".. iv_res .. ' with status ' .. iv.status )
+
+ if(iv.log ~= nil) then
+ ts.debug("Intervention log: " .. ffi.string(iv.log))
+ C.free(iv.log)
+ end
+
+ -- if found an intervention url, trigger handler when sending response to client
+ ts.ctx['url'] = ''
+ if(iv.url ~= nil) then
+ ts.ctx['url'] = ffi.string(iv.url)
+ C.free(iv.url)
+ end
+
+ -- intervention needed when status is not 200
+ ts.ctx['status'] = nil
+ if (iv.status ~= 200) then
+ ts.ctx['status'] = iv.status
+ end
+
+ -- response needs to be modified?
+ if(ts.ctx['url'] ~= '' or ts.ctx['status'] ~= nil) then
+ ts.hook(TS_LUA_HOOK_SEND_RESPONSE_HDR, send_response)
+ end
+
+ -- we need to return -1 for lua to reset response body with an error body
+ if(ts.ctx['status'] ~= nil) then
+ ts.ctx["mst"] = nil
+ msc.msc_process_logging(txn)
+ msc.msc_transaction_cleanup(txn)
+ ts.debug("done with cleaning up context and return error response")
+ return -1
+ end
+
+ -- cleaning up
+ ts.ctx["mst"] = nil
+ msc.msc_process_logging(txn)
+ msc.msc_transaction_cleanup(txn)
+ ts.debug("done with cleaning up context")
+
+ return 0
+end
+
+-- function run when sending response to client
+function send_response()
+ -- retrieve intervention url and add it as "Location" header on response to client
+ local location = ts.ctx['url']
+ if (location ~= '') then
+ ts.debug('location: ' .. location)
+ ts.client_response.header['Location'] = location
+ end
+
+ -- retrieve status and reset the response with it
+ local status = ts.ctx['status']
+ if (status ~= nil) then
+ ts.client_response.set_error_resp(status, 'Contents Reset by ModSecurity\n')
+ end
+end
diff --git a/example/plugins/lua-api/modsecurity/example.conf b/example/plugins/lua-api/modsecurity/example.conf
new file mode 100644
index 00000000000..c7df943adf6
--- /dev/null
+++ b/example/plugins/lua-api/modsecurity/example.conf
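Review bot: `newrules = msc.msc_create_rules_set()` in `__reload__` is an accidental global (no `local`), so the rule set handle is published in `_G` for every other Lua state to see and the later `newrules = nil` only clears that global; it should read `local newrules = msc.msc_create_rules_set()`. Both `__init__` and `__reload__` also declare `local error = ffi.new(...)`, which shadows Lua's builtin `error` for the rest of each function; a name such as `errbuf` avoids the surprise. `do_global_read_request` fails open: when `__init__` could not load the rules it leaves `msc_config.rules` as `nil` and every request is then passed through with only a `ts.debug` line, so a mis-deployed rules file silently removes the WAF — that branch deserves `ts.error`, or a fail-closed option, so operators notice. `msc_process_connection` hard-codes `"127.0.0.1"` as the server address, so any rule keyed on the server address sees the loopback rather than the listening address; if the ts_lua API exposes the local address, pass that, otherwise the limitation should be commented. Finally, the `Transaction` stored in `ts.ctx["mst"]` is only released in `read_response`, which — inferring from the read-response hook it is registered on — may not run for cache hits or origin connection failures, so those paths would leak the transaction and skip `msc_process_logging`; a transaction-close hook that cleans up whenever `ts.ctx["mst"]` is still set seems the safe place.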
@@ -0,0 +1,28 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# Example Modsecurity Configuration file. See README.md for details
+
+SecRuleEngine On
+
+SecDebugLog /tmp/debug.log
+SecDebugLogLevel 9
+
+SecRule ARGS:testparam "@contains test2" "id:1234,deny,status:403"
+SecRule ARGS:testparam "@contains test1" "id:1235,redirect:https://www.yahoo.com/"
+SecRule RESPONSE_HEADERS:test "@contains 1" "id:1236,phase:3,deny,status:403"
+SecRule RESPONSE_HEADERS:test "@contains 2" "id:1237,phase:3,redirect:https://www.yahoo.com/"
diff --git a/example/plugins/lua-api/modsecurity/msc.lua b/example/plugins/lua-api/modsecurity/msc.lua
new file mode 100644
index 00000000000..a080bf9574e
--- /dev/null
+++ b/example/plugins/lua-api/modsecurity/msc.lua
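Review bot: `SecDebugLogLevel 9` combined with `SecDebugLog /tmp/debug.log` writes every inspected request and response (headers, query arguments, intervention details) into a shared, world-readable directory; that is acceptable for a demo, but it is precisely the setting that exposes session cookies and authorization headers to other local users if the example is copied into a real deployment. A comment above those two lines would make that explicit in the example itself, e.g. `# Level 9 logs full request/response data: point this at a directory only the ATS user can read and lower the level outside of testing`. It would also help to state the phase each rule runs in — rules 1234 and 1235 rely on the engine default while 1236 and 1237 say `phase:3` — since the Lua connector only ever feeds headers, never a body, and readers adapting these rules should know which hooks drive them.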
@@ -0,0 +1,60 @@
+-- Licensed to the Apache Software Foundation (ASF) under one
+-- or more contributor license agreements. See the NOTICE file
+-- distributed with this work for additional information
+-- regarding copyright ownership. The ASF licenses this file
+-- to you under the Apache License, Version 2.0 (the
+-- "License"); you may not use this file except in compliance
+-- with the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+
+-- module containing modsecurity to be used
+
+local ffi = require("ffi")
+
+ffi.cdef[[
+
+typedef struct ModSecurity ModSecurity;
+ModSecurity* msc_init();
+void msc_set_connector_info(ModSecurity *msc, const char *connector);
+void msc_cleanup(ModSecurity *msc);
+
+typedef struct Rules Rules;
+Rules* msc_create_rules_set();
+int msc_rules_add_file(Rules *rules, const char *file, const char **error);
+int msc_rules_cleanup(Rules *rules);
+
+typedef struct Transaction Transaction;
+Transaction *msc_new_transaction(ModSecurity *ms, Rules *rules, void *logCbData);
+int msc_process_connection(Transaction *transaction, const char *client, int cPort, const char *server, int sPort);
+int msc_process_uri(Transaction *transaction, const char *uri, const char *protocol, const char *http_version);
+int msc_add_request_header(Transaction *transaction, const unsigned char *key, const unsigned char *value);
+int msc_process_request_headers(Transaction *transaction);
+int msc_process_request_body(Transaction *transaction);
+int msc_add_response_header(Transaction *transaction, const unsigned char *key, const unsigned char *value);
+int msc_process_response_headers(Transaction *transaction, int code, const char* protocol);
+int msc_process_response_body(Transaction *transaction);
+int msc_process_logging(Transaction *transaction);
+void msc_transaction_cleanup(Transaction *transaction);
+
+typedef struct ModSecurityIntervention_t {
+ int status;
+ int pause;
+ char *url;
+ char *log;
+ int disruptive;
+} ModSecurityIntervention;
+int msc_intervention(Transaction *transaction, ModSecurityIntervention *it);
+
+]]
+
+local msc = ffi.load("/usr/local/modsecurity/lib/libmodsecurity.so")
+
+return msc
diff --git a/example/plugins/lua-api/modsecurity/msc_config.lua b/example/plugins/lua-api/modsecurity/msc_config.lua
new file mode 100644
index 00000000000..45dab9ec29e
--- /dev/null
+++ b/example/plugins/lua-api/modsecurity/msc_config.lua
@@ -0,0 +1,25 @@
+-- Licensed to the Apache Software Foundation (ASF) under one
+-- or more contributor license agreements. See the NOTICE file
+-- distributed with this work for additional information
+-- regarding copyright ownership. The ASF licenses this file
+-- to you under the Apache License, Version 2.0 (the
+-- "License"); you may not use this file except in compliance
+-- with the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+
+-- module containing values to be persisted across "traffic_ctl config reload"
+
+local msc_config = {}
+
+msc_config.rulesfile = "/usr/local/var/modsecurity/example.conf"
+msc_config.rules = nil
+
+return msc_config
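Review bot: The cdef is a hand-maintained copy of the libmodsecurity C API, and the `ModSecurityIntervention_t` layout in particular is trusted blindly by the FFI: if a later library version adds, removes or reorders a field, `ffi.new("ModSecurityIntervention")` in the connector allocates the wrong size and `msc_intervention` writes through a mismatched layout with no error at all. A header comment pinning the source of the declarations records that contract, e.g. `-- Declarations copied from the libmodsecurity v3.0.4 public headers; the struct layout must be re-checked on every library upgrade` — the README's v3.0.4 requirement belongs here because this is the file that breaks. `ffi.load("/usr/local/modsecurity/lib/libmodsecurity.so")` is an absolute path with no error handling, so a missing or differently installed library aborts plugin load with a bare FFI error; wrapping it in `pcall` and reporting the path would give operators an actionable message. `msc_cleanup` is declared but never called by the connector, which is worth a comment so readers do not assume the `ModSecurity` handle is ever released.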
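Review bot: `msc_config.rulesfile = "/usr/local/var/modsecurity/example.conf"` is a default that can never take effect, because `__init__` in ats-luajit-modsecurity.lua returns `-1` when no argument is given and otherwise overwrites this field from `argtb[1]`; an operator reading this file alone may believe the path is a fallback. Either initialise it to `nil` or say so in the comment: `-- rulesfile and rules are always set by __init__ from the plugin.config argument; the literal here is never used`. The module comment could also note that `rules` is an FFI pointer owned by libmodsecurity and is replaced, not freed, by `__reload__`, which is the resource leak the connector's TODO already mentions.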
diff --git a/example/plugins/lua-api/modsecurity/owasp.conf b/example/plugins/lua-api/modsecurity/owasp.conf
new file mode 100644
index 00000000000..8eeb9e2c417
--- /dev/null
+++ b/example/plugins/lua-api/modsecurity/owasp.conf
@@ -0,0 +1,64 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+## Modsecurity Configuration file for CRS. See README.md for details
+
+SecRuleEngine On
+
+## Uncomment the following 2 lines to enable auditing and put audit logs in /tmp/audit.log
+#SecAuditEngine On
+#SecAuditLog /tmp/audit.log
+
+# Uncomment the following 2 lines to enable debuging and put debug logs in /tmp/debug.log
+#SecDebugLog /tmp/debug.log
+#SecDebugLogLevel 9
+
+## include CRS setup configuration and rules
+Include "crs-setup.conf"
+Include "rules/*.conf"
+
+# Remove rules checking response body
+SecRuleRemoveById 950130
+SecRuleRemoveById 950140
+SecRuleRemoveById 951100
+SecRuleRemoveById 951110
+SecRuleRemoveById 951120
+SecRuleRemoveById 951130
+SecRuleRemoveById 951140
+SecRuleRemoveById 951150
+SecRuleRemoveById 951160
+SecRuleRemoveById 951170
+SecRuleRemoveById 951180
+SecRuleRemoveById 951190
+SecRuleRemoveById 951200
+SecRuleRemoveById 951210
+SecRuleRemoveById 951220
+SecRuleRemoveById 951230
+SecRuleRemoveById 951240
+SecRuleRemoveById 951250
+SecRuleRemoveById 951260
+SecRuleRemoveById 952110
+SecRuleRemoveById 953100
+SecRuleRemoveById 953110
+SecRuleRemoveById 953120
+SecRuleRemoveById 954100
+SecRuleRemoveById 954110
+SecRuleRemoveById 954120
+SecRuleRemoveById 954130
+
+# Remove rules checking request body
+SecRuleRemoveById 920240
From cc22c9bf4d56fe750adf687cdadaf1b1ec3c85e6 Mon Sep 17 00:00:00 2001
From: Kit Chan
Date: Wed, 12 Aug 2020 09:56:26 -0700
Subject: [PATCH 2/2] Remove trailing whitespaces and fix typos
---
 example/plugins/lua-api/modsecurity/README.md | 24 +++++-----
 .../modsecurity/ats-luajit-modsecurity.lua | 46 +++++++++----------
 .../plugins/lua-api/modsecurity/owasp.conf | 2 +-
 3 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/example/plugins/lua-api/modsecurity/README.md b/example/plugins/lua-api/modsecurity/README.md
index b563d018c43..2d8eb3ee473 100644
--- a/example/plugins/lua-api/modsecurity/README.md
+++ b/example/plugins/lua-api/modsecurity/README.md
@@ -3,10 +3,10 @@ Integrating ATS with ModSecurity V3 using LuaJIT and FFI Opensource WAF for [Apache Traffic Server](http://trafficserver.apache.org/). -Requirement +Requirement ==== - - ModSecurity v3.0.4 - - ATS 8.0.8 + - ModSecurity v3.0.4 + - ATS 8.0.8 How to Use ====
@@ -22,7 +22,7 @@ tslua.so --enable-reload /usr/local/var/lua/ats-luajit-modsecurity.lua /usr/loca Contents/Rules inside example.conf ==== - - deny any request with query parameter of `testparam=test2` with a 403 status response + - deny any request with query parameter of `testparam=test2` with a 403 status response - return any request with query parameter of `testparam=test1` with 301 redirect response to https://www.yahoo.com/ - override any response with header `test` equal to `1` with a 403 status response - override any response with header `test` equal to `2` with a 301 redirect response to https://www.yahoo.com/
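Review bot: The `SecRuleRemoveById` block is a list of CRS rule IDs captured from one specific release (the README names v3.2.0), and as far as I know the engine accepts a removal for an ID that no longer exists without complaint, so after a CRS upgrade the list can quietly stop disabling the rules it was written for. A comment stating the provenance makes that drift visible, e.g. `# Rule IDs taken from OWASP CRS v3.2.0 (response-body and request-body inspection rules); re-verify after upgrading the rule set`. Because the Lua connector never feeds a request or response body to the engine, `SecRequestBodyAccess Off` and `SecResponseBodyAccess Off` may express the intent more robustly than an ID list, though that should be verified against the engine's behaviour rather than assumed. The commented-out `SecAuditLog /tmp/audit.log` and `SecDebugLog /tmp/debug.log` lines also deserve the same caveat as example.conf: these logs carry full request data and belong in a directory only the ATS user can read, not a shared /tmp.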
@@ -38,17 +38,17 @@ Working with CRS ``` tslua.so --enable-reload /usr/local/var/lua/ats-luajit-modsecurity.lua /usr/local/var/modsecurity/owasp.conf -``` +``` - The following example curl command against your server should get a status 403 Forbidden response - - ``` - curl -v -H "User-Agent: Nikto" 'http:///' - ``` + +``` +curl -v -H "User-Agent: Nikto" 'http:///' +``` Extra Notes with CRS ==== - - Please check out this [link](https://github.com/SpiderLabs/ModSecurity/issues/1734) for performance related information + - Please check out this [link](https://github.com/SpiderLabs/ModSecurity/issues/1734) for performance related information - To turn on debugging, you can uncomment the following inside `owasp.conf` ```
@@ -57,7 +57,7 @@ SecDebugLogLevel 9 ``` - Rule ID 910100 in REQUEST-910-IP-REPUTATION.conf in `rules` directory requires GeoIP and have to be commented out if you do not built the modsecurity library with it. -- We use `SecRuleRemoveById` inside `owasp.conf` to remove rules checking for request and response body. This trick can be used to remove other rules that does not apply well in some situations. +- We use `SecRuleRemoveById` inside `owasp.conf` to remove rules checking for request and response body. This trick can be used to remove other rules that does not apply well in some situations TODOs/Limitations
@@ -67,4 +67,4 @@ TODOs/Limitations - How does this work with the lua engine inside ModSecurity V3? - Unit Test using busted framework - More functional testing needed - - Performance testing - impact to latency and capacity + - Performance testing - impact to latency and capacity
diff --git a/example/plugins/lua-api/modsecurity/ats-luajit-modsecurity.lua b/example/plugins/lua-api/modsecurity/ats-luajit-modsecurity.lua
index caa42eae083..92cfa75f1f4 100644
--- a/example/plugins/lua-api/modsecurity/ats-luajit-modsecurity.lua
+++ b/example/plugins/lua-api/modsecurity/ats-luajit-modsecurity.lua
@@ -29,8 +29,8 @@ msc.msc_set_connector_info(mst, "ModSecurity-ats") function __init__(argtb) if (#argtb) < 1 then ts.error("No ModSecurity Conf is given") - return -1 - end + return -1 + end msc_config.rulesfile = argtb[1] ts.debug("ModSecurity Conf file is " .. msc_config.rulesfile)
@@ -38,12 +38,12 @@ function __init__(argtb) msc_config.rules = msc.msc_create_rules_set() local error = ffi.new("const char *[1]") local result = msc.msc_rules_add_file(msc_config.rules, msc_config.rulesfile, error) - if(result < 0) then - ts.error("Problems loading the rules: ".. ffi.string(error[0])) + if(result < 0) then + ts.error("Problems loading the rules: ".. ffi.string(error[0])) msc.msc_rules_cleanup(msc_config.rules) msc_config.rules = nil return -1 - end + end end
@@ -59,9 +59,9 @@ function __reload__() msc.msc_rules_cleanup(newrules) newrules = nil - else + else -- TODO: we are not doing clean up on the old rules and thus leaking resources here - msc_config.rules = newrules + msc_config.rules = newrules end end
@@ -82,9 +82,9 @@ function do_global_read_request() -- processing for the uri information local uri = ts.client_request.get_uri() local query_params = ts.client_request.get_uri_args() or '' - if (query_params ~= '') then + if (query_params ~= '') then uri = uri .. '?' .. query_params - end + end msc.msc_process_uri(txn, uri, ts.client_request.get_method(), ts.client_request.get_version()) -- processing for the request headers
@@ -115,16 +115,16 @@ function do_global_read_request() ts.ctx['url'] = ffi.string(iv.url) ts.hook(TS_LUA_HOOK_SEND_RESPONSE_HDR, send_response) C.free(iv.url) - end + end -- intervention is needed if status is not 200 - if (iv.status ~= 200) then + if (iv.status ~= 200) then ts.http.set_resp(iv.status) msc.msc_process_logging(txn) msc.msc_transaction_cleanup(txn) ts.debug("done with setting custom response") return 0 - end + end -- storing modsecurity object in context ts.ctx["mst"] = txn
@@ -140,7 +140,7 @@ end function read_response() -- retriving modsecurity object local txn = ts.ctx["mst"] - + if(txn == nil) then ts.error("no transaction object") return 0
@@ -153,7 +153,7 @@ function read_response() end msc.msc_process_response_headers(txn, ts.server_response.get_status(), "HTTP/"..ts.server_response.get_version()) msc.msc_process_response_body(txn) - ts.debug("done with processing response") + ts.debug("done with processing response") -- determine if intervention is needed local iv = ffi.new("ModSecurityIntervention")
@@ -174,20 +174,20 @@ function read_response() if(iv.url ~= nil) then ts.ctx['url'] = ffi.string(iv.url) C.free(iv.url) - end + end -- intervention needed when status is not 200 ts.ctx['status'] = nil if (iv.status ~= 200) then ts.ctx['status'] = iv.status - end + end -- response needs to be modified? if(ts.ctx['url'] ~= '' or ts.ctx['status'] ~= nil) then ts.hook(TS_LUA_HOOK_SEND_RESPONSE_HDR, send_response) - end - - -- we need to return -1 for lua to reset response body with an error body + end + + -- we need to return -1 for lua to reset response body with an error body if(ts.ctx['status'] ~= nil) then ts.ctx["mst"] = nil msc.msc_process_logging(txn)
@@ -201,15 +201,15 @@ function read_response() msc.msc_process_logging(txn) msc.msc_transaction_cleanup(txn) ts.debug("done with cleaning up context") - + return 0 end --- function run when sending response to client +-- function run when sending response to client function send_response() -- retrieve intervention url and add it as "Location" header on response to client local location = ts.ctx['url'] - if (location ~= '') then + if (location ~= '') then ts.debug('location: ' .. location) ts.client_response.header['Location'] = location end
@@ -218,5 +218,5 @@ function send_response() local status = ts.ctx['status'] if (status ~= nil) then ts.client_response.set_error_resp(status, 'Contents Reset by ModSecurity\n') - end + end end
diff --git a/example/plugins/lua-api/modsecurity/owasp.conf b/example/plugins/lua-api/modsecurity/owasp.conf
index 8eeb9e2c417..24bbfc8fdc5 100644
--- a/example/plugins/lua-api/modsecurity/owasp.conf
+++ b/example/plugins/lua-api/modsecurity/owasp.conf
@@ -60,5 +60,5 @@ SecRuleRemoveById 954110 SecRuleRemoveById 954120 SecRuleRemoveById 954130 -# Remove rules checking request body +# Remove rules checking request body SecRuleRemoveById 920240