
Errors compile with nginx 1.23.0 #597

Closed lubomudr closed 2 years ago

lubomudr commented 2 years ago

Hi, when I try to compile nginx 1.23.0 with naxsi (1.3) I get errors

[lubomudr@nginx-1 nginx-1.23.0]$ ./configure --add-dynamic-module=../naxsi/naxsi_src
...
[lubomudr@nginx-1 nginx-1.23.0]$ make
...
cc -c -fPIC -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g  -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs -I src/http -I src/http/modules \
        -o objs/addon/naxsi_src/naxsi_runtime.o \
        ../naxsi/naxsi_src/naxsi_runtime.c
In file included from src/event/ngx_event.h:526:0,
                 from ../naxsi/naxsi_src/naxsi.h:18,
                 from ../naxsi/naxsi_src/naxsi_runtime.c:8:
src/event/ngx_event_udp.h:38:27: error: field ‘pkt6’ has incomplete type
     struct in6_pktinfo    pkt6;
                           ^
../naxsi/naxsi_src/naxsi_runtime.c: In function ‘ngx_http_naxsi_data_parse’:
../naxsi/naxsi_src/naxsi_runtime.c:2924:36: error: request for member ‘nelts’ in something not a structure or union
   if (r->headers_in.x_forwarded_for.nelts >= 1) {
                                    ^
../naxsi/naxsi_src/naxsi_runtime.c:2925:7: error: incompatible types when assigning to type ‘ngx_array_t’ from type ‘struct ngx_table_elt_t *’
     a = r->headers_in.x_forwarded_for;
       ^
../naxsi/naxsi_src/naxsi_runtime.c: In function ‘ngx_http_naxsi_update_current_ctx_status’:
../naxsi/naxsi_src/naxsi_runtime.c:2963:38: error: request for member ‘nelts’ in something not a structure or union
     if (r->headers_in.x_forwarded_for.nelts >= 1) {
                                      ^
../naxsi/naxsi_src/naxsi_runtime.c:2964:9: error: incompatible types when assigning to type ‘ngx_array_t’ from type ‘struct ngx_table_elt_t *’
       a = r->headers_in.x_forwarded_for;
         ^
make[1]: *** [objs/addon/naxsi_src/naxsi_runtime.o] Error 1
make[1]: Leaving directory `/home/lubomudr/nginx-1.23.0'
make: *** [build] Error 2

CentOS 7.9

For two reasons:

  1. Development Guide requires "The following two #include statements must appear at the beginning of every nginx file"
  2. CHANGES says: "Change in internal API: now header lines are represented as linked lists.". Specifically, the structure ngx_http_headers_in_t has changed: x_forwarded_for is now of type ngx_table_elt_t*

Patches to fix:

--- naxsi.h.orig        2022-06-23 08:47:23.432976062 +1000
+++ naxsi.h     2022-06-23 09:01:38.000000000 +1000
@@ -9,12 +9,12 @@

 #define NAXSI_VERSION "1.3"

+#include <ngx_config.h>
+#include <ngx_core.h>
 #include "ext/libinjection/libinjection_sqli.h"
 #include "ext/libinjection/libinjection_xss.h"
 #include <ctype.h>
 #include <nginx.h>
-#include <ngx_config.h>
-#include <ngx_core.h>
 #include <ngx_event.h>
 #include <ngx_http.h>
 #include <ngx_http_core_module.h>
--- naxsi_runtime.c.orig        2022-06-23 09:07:51.137402137 +1000
+++ naxsi_runtime.c     2022-06-23 09:02:18.000000000 +1000
@@ -4,8 +4,8 @@
  * Licensed under GNU GPL v3.0 – See the LICENSE notice for details
  */

-#include "assert.h"
 #include "naxsi.h"
+#include "assert.h"
 #include "naxsi_macros.h"
 #include "naxsi_net.h"

@@ -2912,20 +2912,20 @@
       /* and the presence of data to parse */
       r->request_body && ((!ctx->block || ctx->learning) && !ctx->drop))
     ngx_http_naxsi_body_parse(ctx, r, cf, main_cf);
+#if (NGX_HTTP_X_FORWARDED_FOR)
   ngx_str_t tag;
   tag.len  = 15;
   tag.data = ngx_pcalloc(r->pool, tag.len + 1);
   if (tag.data)
     memcpy(tag.data, "x-forwarded-for", 15);
+#if (nginx_version < 1023000)
   unsigned int      n = 0;
   ngx_table_elt_t** h = NULL;
   ngx_array_t       a;
-#if (NGX_HTTP_X_FORWARDED_FOR)
   if (r->headers_in.x_forwarded_for.nelts >= 1) {
     a = r->headers_in.x_forwarded_for;
     n = a.nelts;
   }
-#endif
   if (n >= 1)
     h = a.elts;
   if (n >= 1) {
@@ -2933,6 +2933,16 @@

     ngx_http_naxsi_update_current_ctx_status(ctx, cf, r, &tag, (ngx_str_t*)h[0]->value.data);
   }
+#else
+  ngx_table_elt_t* xff = NULL;
+  if (r->headers_in.x_forwarded_for != NULL) {
+    xff = r->headers_in.x_forwarded_for;
+    ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "xfor %s", xff->value.data);
+
+    ngx_http_naxsi_update_current_ctx_status(ctx, cf, r, &tag, (ngx_str_t*)xff->value.data);
+  }
+#endif
+#endif
 }

 void
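Review bot: The new `#else` branch (the `xff` block) passes `&tag` to `ngx_http_naxsi_update_current_ctx_status` even when the `ngx_pcalloc` of `tag.data` a few lines earlier (previous hunk) failed, leaving `tag.data` NULL while `tag.len` is still 15; the pre-1.23 path has the same gap, but since this branch is new it is the place to close it, e.g. `if (tag.data != NULL && r->headers_in.x_forwarded_for != NULL) {`. Casting `xff->value.data` (a `u_char *`) to `ngx_str_t *` mirrors the existing `h[0]->value.data` call in the context lines and presumably matches what the callee expects, but the callee's parameter type is worth confirming rather than carrying the cast forward. With the 1.23 linked-list representation only the first `X-Forwarded-For` element is consulted, which matches the old `h[0]` behaviour; a comment such as `/* only the first X-Forwarded-For header is inspected, as before 1.23 */` would record that as intentional. The enclosing function ngx_http_naxsi_data_parse starts before this hunk.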
@@ -2947,19 +2957,19 @@
   ngx_http_check_rule_t* cr;

   ngx_http_special_score_t* sc;
-  unsigned int              n = 0;
-
   NX_DEBUG(_debug_custom_score, NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "XX-custom check rules");

   int               ignore = 0;
-  ngx_table_elt_t** h;
-  ngx_array_t       a;

   ctx->ignore = 0;

   /*cr, sc, cf, ctx*/
   if (cf->check_rules && ctx->special_scores) {
 #if (NGX_HTTP_X_FORWARDED_FOR)
+#if (nginx_version < 1023000)
+    unsigned int              n = 0;
+    ngx_table_elt_t** h;
+    ngx_array_t       a;
     if (r->headers_in.x_forwarded_for.nelts >= 1) {
       a = r->headers_in.x_forwarded_for;
       n = a.nelts;
@@ -2978,6 +2988,23 @@
         ignore = nx_can_ignore_ip(&ip, cf) || nx_can_ignore_cidr(&ip, cf);
       }
     } else
+#else
+    ngx_table_elt_t* xff;
+    if (r->headers_in.x_forwarded_for != NULL) {
+      xff = r->headers_in.x_forwarded_for;
+      NX_DEBUG(_debug_whitelist_ignore,
+                 NGX_LOG_DEBUG_HTTP,
+                 r->connection->log,
+                 0,
+                 "XX- lookup ignore X-Forwarded-For: %s",
+                 xff->value.data);
+      ngx_str_t ip;
+      ip.len  = strlen((char*)xff->value.data);
+      ip.data = ngx_pcalloc(r->pool, ip.len + 1);
+      memcpy(ip.data, xff->value.data, ip.len);
+      ignore = nx_can_ignore_ip(&ip, cf) || nx_can_ignore_cidr(&ip, cf);
+    } else
+#endif
 #endif
     {
       ngx_str_t* ip = &r->connection->addr_text;
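Review bot: In the new `#else` branch the `ngx_pcalloc` result assigned to `ip.data` is passed to `memcpy` without a NULL check, unlike the `tag.data` allocation earlier in this patch, so an allocation failure becomes a write through a null pointer. Taking the length with `strlen((char*)xff->value.data)` also depends on this client-supplied header value being NUL-terminated, whereas nginx already carries the parsed length, so `ip.len = xff->value.len;` is simpler and independent of the terminator. A guard such as `if (ip.data != NULL) { memcpy(ip.data, xff->value.data, ip.len); ignore = nx_can_ignore_ip(&ip, cf) || nx_can_ignore_cidr(&ip, cf); }` keeps the `ignore = 0` default from the context lines on failure. The enclosing function ngx_http_naxsi_update_current_ctx_status starts before this hunk and continues past it.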

Please excuse me if this is wrong; this is my first post.

dvershinin commented 2 years ago

@lubomudr IMHO it would be much preferred if those patches were submitted as a pull request.

wargio commented 2 years ago

can you submit them as a patch?