nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0
4.8k stars 606 forks source link

PCRE2 constants and check errors from regexp compile #625

Closed lubomudr closed 1 year ago

lubomudr commented 1 year ago

Good day

nginx uses its own constants for compiling regular expressions (NGX_REGEX_CASELESS | NGX_REGEX_MULTILINE), including for PCRE since version 1.21.5, rather than PCRE-library-specific ones When compiling, there was an error "regex \"%V\" compilation failed: invalid options" (regex.с:295), but it (like everyone else) was lost when parsing the configuration

diff here

``` diff --git a/naxsi_src/naxsi_config.c b/naxsi_src/naxsi_config.c index 6d2f0e2..e92b100 100644 --- a/naxsi_src/naxsi_config.c +++ b/naxsi_src/naxsi_config.c @@ -156,10 +156,10 @@ naxsi_score(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) } } #if defined(_debug_score) && _debug_score != 0 - unsigned int z; - ngx_http_special_score_t* scr; - scr = rule->sscores->elts; if (rule->sscores) { + unsigned int z; + ngx_http_special_score_t* scr; + scr = rule->sscores->elts; for (z = 0; z < rule->sscores->nelts; z++) { ngx_conf_log_error(NGX_LOG_EMERG, r, @@ -181,6 +181,7 @@ naxsi_zone(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) int tmp_len, has_zone = 0; ngx_http_custom_rule_location_t* custom_rule; char * tmp_ptr, *tmp_end; + u_char errstr[128]; return_value_if(!rule->br, NGX_CONF_ERROR); @@ -322,20 +323,27 @@ naxsi_zone(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) custom_rule->target_rx = ngx_pcalloc(r->pool, sizeof(ngx_regex_compile_t)); return_value_if(!custom_rule->target_rx, NGX_CONF_ERROR); -#if (NGX_PCRE2) - custom_rule->target_rx->options = PCRE2_CASELESS | PCRE2_MULTILINE; + +#if defined nginx_version && (nginx_version >= 1021005) + custom_rule->target_rx->options = NGX_REGEX_CASELESS | NGX_REGEX_MULTILINE; #else custom_rule->target_rx->options = PCRE_CASELESS | PCRE_MULTILINE; #endif custom_rule->target_rx->pattern = custom_rule->target; custom_rule->target_rx->pool = r->pool; - custom_rule->target_rx->err.len = 0; - custom_rule->target_rx->err.data = NULL; + ngx_memzero(errstr, 128); + custom_rule->target_rx->err.len = 128; + custom_rule->target_rx->err.data = errstr; if (ngx_regex_compile(custom_rule->target_rx) != NGX_OK) { - NX_LOG_DEBUG(_debug_rx, NGX_LOG_EMERG, r, 0, "XX-FAILED RX:%V", custom_rule->target); + ngx_conf_log_error(NGX_LOG_EMERG, r, 0, "XX-FAILED RX(naxsi_zone):%V (\"%V\")", + custom_rule->target, &(custom_rule->target_rx->err)); + custom_rule->target_rx->err.len = 0; + custom_rule->target_rx->err.data = NULL; return (NGX_CONF_ERROR); } + custom_rule->target_rx->err.len = 0; + custom_rule->target_rx->err.data = NULL; } custom_rule->hash = ngx_hash_key_lc(custom_rule->target.data, custom_rule->target.len); @@ -436,6 +444,7 @@ naxsi_rx(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) { ngx_regex_compile_t* rgc; ngx_str_t ha; + u_char errstr[128]; return_value_if(!rule->br, NGX_CONF_ERROR); @@ -445,20 +454,26 @@ naxsi_rx(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) ha.len = tmp->len - strlen(RX_T); rgc = ngx_pcalloc(r->pool, sizeof(ngx_regex_compile_t)); return_value_if(!rgc, NGX_CONF_ERROR); -#if (NGX_PCRE2) - rgc->options = PCRE2_CASELESS | PCRE2_MULTILINE; + +#if defined nginx_version && (nginx_version >= 1021005) + rgc->options = NGX_REGEX_CASELESS | NGX_REGEX_MULTILINE; #else rgc->options = PCRE_CASELESS | PCRE_MULTILINE; #endif rgc->pattern = ha; rgc->pool = r->pool; - rgc->err.len = 0; - rgc->err.data = NULL; + ngx_memzero(errstr, 128); + rgc->err.len = 128; + rgc->err.data = errstr; if (ngx_regex_compile(rgc) != NGX_OK) { - NX_LOG_DEBUG(_debug_rx, NGX_LOG_EMERG, r, 0, "XX-FAILED RX:%V", tmp); + ngx_conf_log_error(NGX_LOG_EMERG, r, 0, "XX-FAILED RX:%V (\"%V\")", tmp, &(rgc->err)); + rgc->err.len = 0; + rgc->err.data = NULL; return (NGX_CONF_ERROR); } + rgc->err.len = 0; + rgc->err.data = NULL; rule->br->rx = rgc; NX_LOG_DEBUG(_debug_rx, NGX_LOG_EMERG, r, 0, "XX- RX:[%V]", &(rule->br->rx->pattern)); return (NGX_CONF_OK); @@ -497,12 +512,11 @@ ngx_http_naxsi_cfg_parse_one_rule(ngx_conf_t* cf, current_rule->br = ngx_pcalloc(cf->pool, sizeof(ngx_http_basic_rule_t)); return_value_if(!current_rule->br, NGX_CONF_ERROR); } else { - NX_LOG_DEBUG(_debug_cfg_parse_one_rule, - NGX_LOG_EMERG, + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "Unknown start keyword in rule %V", - &(value[1])); + &(value[0])); return (NGX_CONF_ERROR); } @@ -515,8 +529,7 @@ ngx_http_naxsi_cfg_parse_one_rule(ngx_conf_t* cf, ret = np->pars(cf, &value[i], current_rule); if (ret != NGX_CONF_OK) { - NX_LOG_DEBUG(_debug_cfg_parse_one_rule, - NGX_LOG_EMERG, + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "XX-FAILED PARSING '%s'", diff --git a/naxsi_src/naxsi_runtime.c b/naxsi_src/naxsi_runtime.c index 6b55d2b..40524b5 100644 --- a/naxsi_src/naxsi_runtime.c +++ b/naxsi_src/naxsi_runtime.c @@ -181,7 +181,7 @@ ngx_http_naxsi_rawbody_parse(ngx_http_request_ctx_t* ctx, unsigned char* ngx_utf8_check(ngx_str_t* str); -#if defined nginx_version && (nginx_version >= 1021005) +#if (NGX_PCRE2) /* * variables to use pcre2 */ diff --git a/naxsi_src/naxsi_utils.c b/naxsi_src/naxsi_utils.c index d2ecede..cc11a8f 100644 --- a/naxsi_src/naxsi_utils.c +++ b/naxsi_src/naxsi_utils.c @@ -800,8 +800,8 @@ ngx_http_naxsi_create_hashtables_n(ngx_http_naxsi_loc_conf_t* dlc, ngx_conf_t* c ngx_pcalloc(cf->pool, sizeof(ngx_regex_compile_t)); rgc = custloc_array(curr_r->br->custom_locations->elts)[name_idx].target_rx; if (rgc) { -#if (NGX_PCRE2) - rgc->options = PCRE2_CASELESS | PCRE2_MULTILINE; +#if defined nginx_version && (nginx_version >= 1021005) + rgc->options = NGX_REGEX_CASELESS | NGX_REGEX_MULTILINE; #else rgc->options = PCRE_CASELESS | PCRE_MULTILINE; #endif @@ -820,8 +820,8 @@ ngx_http_naxsi_create_hashtables_n(ngx_http_naxsi_loc_conf_t* dlc, ngx_conf_t* c ngx_pcalloc(cf->pool, sizeof(ngx_regex_compile_t)); rgc = custloc_array(curr_r->br->custom_locations->elts)[uri_idx].target_rx; if (rgc) { -#if (NGX_PCRE2) - rgc->options = PCRE2_CASELESS | PCRE2_MULTILINE; +#if defined nginx_version && (nginx_version >= 1021005) + rgc->options = NGX_REGEX_CASELESS | NGX_REGEX_MULTILINE; #else rgc->options = PCRE_CASELESS | PCRE_MULTILINE; #endif ```

wargio commented 1 year ago

don't use this repository since it is abandoned, use mine directly (linke below). this has been fixed, along with other bugs. https://github.com/wargio/naxsi