nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

naxsi build fails with pcre*2*-enabled nginx-1.21.5: incorrect PCRE_MULTILINE usage #580

Closed pgnd closed 2 years ago

pgnd commented 2 years ago

Building/packaging latest nginx-1.21.5

On 12/28/21 10:33, Maxim Dounin wrote:
> details:   https://hg.nginx.org/nginx/rev/d986378168fd
> branches:
> changeset: 7989:d986378168fd
> user:      Maxim Dounin <mdounin@mdounin.ru>
> date:      Tue Dec 28 18:28:37 2021 +0300
> description:
> nginx-1.21.5-RELEASE

on Fedora 35, with PCRE2,

rpm -qa | grep pcre2 | sort
    pcre2-10.37-4.fc35.x86_64
    pcre2-devel-10.37-4.fc35.x86_64
    pcre2-syntax-10.37-4.fc35.noarch
    pcre2-utf16-10.37-4.fc35.x86_64
    pcre2-utf32-10.37-4.fc35.x86_64

and only PCRE2 enabled,

https://download.copr.fedorainfracloud.org/results/pgfed/nginx-mainline/fedora-35-x86_64/03084864-nginx/nginx.spec

fails,

https://download.copr.fedorainfracloud.org/results/pgfed/nginx-mainline/fedora-35-x86_64/03084864-nginx/builder-live.log.gz

at,

...
/usr/bin/gcc -c -fPIC -I/usr/local/lua-resty-luajit2/include/luajit-2.1 -O3 -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -march=x86-64 -mtune=generic -O3 -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -march=x86-64 -mtune=generic -DNDK_SET_VAR -Wno-deprecated-declarations -I src/core -I src/event -I src/event/modules -I src/os/unix -I src/http/modules/perl -I ../ngx_devel_kit-master/objs -I objs/addon/ndk -I ../ngx_devel_kit-master/src -I ../ngx_devel_kit-master/objs -I objs/addon/ndk -I /usr/local/lua-resty-luajit2/include/luajit-2.1 -I ../lua-nginx-module-master/src/api -I /usr/include -I ../njs-master/nginx/../src -I ../njs-master/nginx/../build -I ../njs-master/nginx/../src -I ../njs-master/nginx/../build -I /usr/include/libxml2 -I objs -I src/http -I src/http/modules -I src/http/v2 -I ../ngx_devel_kit-master/src -I src/mail -I src/stream \
    -o objs/addon/naxsi_src/naxsi_config.o \
    ../naxsi-master/naxsi_src/naxsi_config.c
../naxsi-master/naxsi_src/naxsi_runtime.c: In function 'ngx_http_process_basic_rule_buffer':
../naxsi-master/naxsi_src/naxsi_runtime.c:205:61: error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
  205 |       (tmp_idx < len && (match = pcre_exec(rl->br->rx->regex->code,
      |                                                             ^~
../naxsi-master/naxsi_src/naxsi_runtime.c: In function 'ngx_http_naxsi_pcre_wrapper':
../naxsi-master/naxsi_src/naxsi_runtime.c:500:30: error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
  500 |   match = pcre_exec(rx->regex->code, 0, (const char*)str, len, 0, 0, captures, 1);
      |                              ^~
make[1]: *** [objs/Makefile:1715: objs/addon/naxsi_src/naxsi_runtime.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/builddir/build/BUILD/nginx-release-1.21.5'
make: *** [Makefile:10: build] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.hYoU7Y (%build)

petecooper commented 2 years ago

Possibly connected commits:

pgnd commented 2 years ago

@petecooper

from nginx-devel ML,

https://forum.nginx.org/read.php?29,293178,293179#msg-293179

the second issue, above, seems to be the relevant one here.

and,

"The NAXSI bug mentioned in the second commit needs to be fixed before it will be possible to build NAXSI with PCRE2."

"The" bug refers to incorrect usage of PCRE_MULTILINE.

but, afaict, is not yet filed/open as an existing issue here @ naxsi

icebluey commented 2 years ago

same issue. nginx: 1.21.5 pcre2: 10.39

    ../modules/ngx_http_naxsi_module/naxsi_src/naxsi_runtime.c
../modules/ngx_http_naxsi_module/naxsi_src/naxsi_runtime.c: In function 'ngx_http_process_basic_rule_buffer':
../modules/ngx_http_naxsi_module/naxsi_src/naxsi_runtime.c:205:61: error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
  205 |       (tmp_idx < len && (match = pcre_exec(rl->br->rx->regex->code,
      |                                                             ^~
../modules/ngx_http_naxsi_module/naxsi_src/naxsi_runtime.c: In function 'ngx_http_naxsi_pcre_wrapper':
../modules/ngx_http_naxsi_module/naxsi_src/naxsi_runtime.c:500:30: error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
  500 |   match = pcre_exec(rx->regex->code, 0, (const char*)str, len, 0, 0, captures, 1);
      |                              ^~
make[1]: *** [objs/Makefile:2297: objs/addon/naxsi_src/naxsi_runtime.o] Error 1
make: *** [Makefile:10: build] Error 2

vndroid commented 2 years ago

same issue. nginx: 1.22.0 pcre2: 10.39

    -o objs/addon/naxsi_src/naxsi_runtime.o \
    /src/naxsi/naxsi_src/naxsi_runtime.c
/src/naxsi/naxsi_src/naxsi_runtime.c: In function 'ngx_http_process_basic_rule_buffer':
/src/naxsi/naxsi_src/naxsi_runtime.c:205:61: error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
  205 |       (tmp_idx < len && (match = pcre_exec(rl->br->rx->regex->code,
      |                                                             ^~
/src/naxsi/naxsi_src/naxsi_runtime.c: In function 'ngx_http_naxsi_pcre_wrapper':
/src/naxsi/naxsi_src/naxsi_runtime.c:500:30: error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
  500 |   match = pcre_exec(rx->regex->code, 0, (const char*)str, len, 0, 0, captures, 1);
      |                              ^~
make[1]: *** [objs/Makefile:3170: objs/addon/naxsi_src/naxsi_runtime.o] Error 1
make: *** [Makefile:16: modules] Error 2

rickygm commented 2 years ago

same here:

make[1]: [objs/Makefile:2244: objs/addon/naxsi_src/naxsi_runtime.o] Error 1
make[1]: Waiting for unfinished jobs....
make[1]: Leaving directory '/rpm/nginx-1.22.0'
make: *** [Makefile:10: build] Error 2

grazzolini commented 2 years ago

For what it's worth, we are using this patch on Arch to build this module: https://github.com/archlinux/svntogit-community/blob/packages/nginx-mod-naxsi/trunk/587-pcre2.patch

wargio commented 2 years ago

I do not know why this is still open but it was fixed: https://github.com/wargio/naxsi/commit/9e06c5f53b2e393e40e9df7746a7b8bc4c2abfa4

saez0pub commented 2 years ago

Hello,

Could you please release this fix 👍 ?

wargio commented 2 years ago

> Hello,
>
> Could you please release this fix +1 ?

It is fixed: https://github.com/wargio/naxsi

saez0pub commented 2 years ago

Sorry, it wasn't clear enough. Thank you for fixing this 🙏 . My question is more about making a new release, version 1.4, including this fix. 🚀

wargio commented 2 years ago

Not going to happen in this repository. This repository is considered abandoned thus you should use mine.
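
Added example, not part of the thread and not code from naxsi or nginx: a preflight check that flags the incompatibility reported above before the build is attempted. It assumes nginx's configure step records the PCRE2 selection as `#define NGX_PCRE2 1` in `objs/ngx_auto_config.h`; the function names and the sample trees are constructed for illustration.

```shell
#!/bin/sh
# Assumption: a configured nginx >= 1.21.5 tree that selected PCRE2 has
# "#define NGX_PCRE2  1" in objs/ngx_auto_config.h.

# Print file:line for every PCRE1-only construct in a module source tree:
# direct pcre_exec() calls and dereferences of ngx_regex_t (->regex->code),
# the two constructs named in the compiler errors in this thread.
pcre1_uses() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -nE -e 'pcre_exec[[:space:]]*\(|->regex->code' /dev/null {} + 2>/dev/null
}

# Return 0 if the configured nginx tree uses PCRE2.
nginx_uses_pcre2() {
    grep -qE '^#define[[:space:]]+NGX_PCRE2[[:space:]]+1' \
        "$1/objs/ngx_auto_config.h" 2>/dev/null
}

# Return 1 when the module cannot compile against this nginx tree.
preflight() {
    nginx_tree=$1; module_src=$2
    nginx_uses_pcre2 "$nginx_tree" || { echo "ok: nginx not configured with PCRE2"; return 0; }
    hits=$(pcre1_uses "$module_src" || true)
    [ -z "$hits" ] && { echo "ok: no PCRE1-only calls found"; return 0; }
    echo "incompatible: nginx uses PCRE2, module still uses the PCRE1 API:"
    echo "$hits"
    return 1
}

# Constructed sample trees (not real nginx/naxsi sources) so this runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/nginx/objs" "$d/old/naxsi_src" "$d/new/naxsi_src"
    echo '#define NGX_PCRE2  1' > "$d/nginx/objs/ngx_auto_config.h"
    # Statement quoted by the compiler at naxsi_runtime.c:500 in this thread.
    echo 'match = pcre_exec(rx->regex->code, 0, (const char*)str, len, 0, 0, captures, 1);' \
        > "$d/old/naxsi_src/naxsi_runtime.c"
    # Constructed "fixed" line using nginx's regex wrapper; not taken from the fix commit.
    echo 'match = ngx_regex_exec(rx->regex, &s, captures, 1);' \
        > "$d/new/naxsi_src/naxsi_runtime.c"
    echo "$d"
}

sample=$(make_sample)
preflight "$sample/nginx" "$sample/old" || true   # reports the incompatible line
preflight "$sample/nginx" "$sample/new"           # passes
rm -rf "$sample"
```
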