From abc84bc37fbe5ade725dea978ada143600d817fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ervin=20Heged=C3=BCs?= Date: Mon, 22 May 2023 11:42:16 +0200 Subject: [PATCH] Add 'Host' header value to 'hostname' in rule message field, if exists --- headers/modsecurity/rule_message.h | 5 +++ headers/modsecurity/transaction.h | 5 +++ src/rule_message.cc | 4 +- src/transaction.cc | 4 ++ .../regression/rulemessage_host.json | 42 +++++++++++++++++++ 5 files changed, 58 insertions(+), 2 deletions(-) create mode 100644 test/test-cases/regression/rulemessage_host.json diff --git a/headers/modsecurity/rule_message.h b/headers/modsecurity/rule_message.h index 51eca0e8ef..9e1ef556a6 100644 --- a/headers/modsecurity/rule_message.h +++ b/headers/modsecurity/rule_message.h @@ -67,6 +67,7 @@ class RuleMessage { m_ruleLine(rule->getLineNumber()), m_saveMessage(true), m_serverIpAddress(trans->m_serverIpAddress), + m_requestHostName(trans->m_requestHostName), m_severity(0), m_uriNoQueryStringDecoded(trans->m_uri_no_query_string_decoded), m_ver(rule->m_ver), @@ -92,6 +93,7 @@ class RuleMessage { m_ruleLine(rule->m_ruleLine), m_saveMessage(rule->m_saveMessage), m_serverIpAddress(rule->m_serverIpAddress), + m_requestHostName(rule->m_requestHostName), m_severity(rule->m_severity), m_uriNoQueryStringDecoded(rule->m_uriNoQueryStringDecoded), m_ver(rule->m_ver), @@ -117,6 +119,7 @@ class RuleMessage { m_ruleLine(ruleMessage.m_ruleLine), m_saveMessage(ruleMessage.m_saveMessage), m_serverIpAddress(ruleMessage.m_serverIpAddress), + m_requestHostName(ruleMessage.m_requestHostName), m_severity(ruleMessage.m_severity), m_uriNoQueryStringDecoded(ruleMessage.m_uriNoQueryStringDecoded), m_ver(ruleMessage.m_ver), 
@@ -142,6 +145,7 @@ class RuleMessage { m_ruleLine = ruleMessage.m_ruleLine; m_saveMessage = ruleMessage.m_saveMessage; m_serverIpAddress = ruleMessage.m_serverIpAddress; + m_requestHostName = ruleMessage.m_requestHostName; m_severity = ruleMessage.m_severity; m_uriNoQueryStringDecoded = ruleMessage.m_uriNoQueryStringDecoded; m_ver = ruleMessage.m_ver; @@ -201,6 +205,7 @@ class RuleMessage { int m_ruleLine; bool m_saveMessage; std::shared_ptr m_serverIpAddress; + std::shared_ptr m_requestHostName; int m_severity; std::shared_ptr m_uriNoQueryStringDecoded; std::string m_ver; diff --git a/headers/modsecurity/transaction.h b/headers/modsecurity/transaction.h index b0dc4b7145..1099741f72 100644 --- a/headers/modsecurity/transaction.h +++ b/headers/modsecurity/transaction.h @@ -443,6 +443,11 @@ class Transaction : public TransactionAnchoredVariables, public TransactionSecMa */ std::shared_ptr m_serverIpAddress; + /** + * Holds the request's hostname + */ + std::shared_ptr m_requestHostName; + /** * Holds the raw URI that was requested. */ diff --git a/src/rule_message.cc b/src/rule_message.cc index 496fe7caab..80731a7bb9 100644 --- a/src/rule_message.cc +++ b/src/rule_message.cc @@ -42,8 +42,8 @@ std::string RuleMessage::_details(const RuleMessage *rm) { msg.append(" [tag \"" + utils::string::toHexIfNeeded(a, true) + "\"]"); } - msg.append(" [hostname \"" + *rm->m_serverIpAddress.get() \ - + "\"]"); + msg.append(" [hostname \"" + *rm->m_requestHostName.get() + "\"]"); + msg.append(" [uri \"" + utils::string::limitTo(200, *rm->m_uriNoQueryStringDecoded.get()) + "\"]"); msg.append(" [unique_id \"" + *rm->m_id + "\"]"); msg.append(" [ref \"" + utils::string::limitTo(200, rm->m_reference) + "\"]"); diff --git a/src/transaction.cc b/src/transaction.cc index c294d7f33c..718a20d081 100644 --- a/src/transaction.cc +++ b/src/transaction.cc 
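Review bot: The new comment on `m_requestHostName` in transaction.h, `Holds the request's hostname`, does not say where the value comes from, and the two sources have different trust levels. Per the transaction.cc hunks of this patch, the member is first set to the `server` argument of processConnection() and later replaced by the part of the client-supplied Host header before the first `:`. I would document that, e.g. `Holds the Host request header without the port (client-controlled); falls back to the server address given to processConnection() when no Host header is seen.`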
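Review bot: The `hostname` field built in `RuleMessage::_details` now carries a client-controlled string, yet it is appended raw, while the neighbouring `tag` goes through `utils::string::toHexIfNeeded(a, true)` and `uri` and `ref` go through `utils::string::limitTo(200, ...)`. A Host value containing `"`, `]` or control characters can break the bracketed field layout or fake extra fields for whatever parses the log line, and its length is not bounded. Suggest `msg.append(" [hostname \"" + utils::string::toHexIfNeeded(utils::string::limitTo(200, *rm->m_requestHostName), true) + "\"]");`, assuming the second argument of toHexIfNeeded also escapes quotes, as its use on tags suggests. `_details` starts and ends outside the hunk.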
@@ -104,6 +104,7 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData) m_clientIpAddress(std::make_shared("")), m_httpVersion(""), m_serverIpAddress(std::make_shared("")), + m_requestHostName(std::make_shared("")), m_uri(""), m_uri_no_query_string_decoded(std::make_shared("")), m_ARGScombinedSizeDouble(0), @@ -180,6 +181,7 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, char *id, void *logCb m_clientIpAddress(std::make_shared("")), m_httpVersion(""), m_serverIpAddress(std::make_shared("")), + m_requestHostName(std::make_shared("")), m_uri(""), m_uri_no_query_string_decoded(std::make_shared("")), m_ARGScombinedSizeDouble(0), @@ -316,6 +318,7 @@ int Transaction::processConnection(const char *client, int cPort, const char *server, int sPort) { m_clientIpAddress = std::unique_ptr(new std::string(client)); m_serverIpAddress = std::unique_ptr(new std::string(server)); + m_requestHostName = std::unique_ptr(new std::string(server)); this->m_clientPort = cPort; this->m_serverPort = sPort; ms_dbg(4, "Transaction context created."); @@ -706,6 +709,7 @@ int Transaction::addRequestHeader(const std::string& key, if (keyl == "host") { std::vector host = utils::string::split(value, ':'); m_variableServerName.set(host[0], m_variableOffset); + m_requestHostName = std::unique_ptr(new std::string(host[0])); } m_variableOffset = m_variableOffset + value.size() + 1; diff --git a/test/test-cases/regression/rulemessage_host.json b/test/test-cases/regression/rulemessage_host.json new file mode 100644 index 0000000000..0298d172c1 --- /dev/null +++ b/test/test-cases/regression/rulemessage_host.json 
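Review bot: In processConnection() the added assignment wraps `new std::string(server)` in a `std::unique_ptr` only to convert it into the `shared_ptr` member, whereas both constructors in this same patch use `std::make_shared`. `m_requestHostName = std::make_shared<std::string>(server);` expresses the same thing with one allocation and no naked `new`, and the added line in addRequestHeader() can be written the same way. The template arguments are spelled out on the assumption that the page dropped them (it shows `std::shared_ptr m_requestHostName`). Both functions extend beyond their hunks.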
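Review bot: The added line in addRequestHeader() is a second unchecked `host[0]` on the result of `utils::string::split(value, ':')`. If split can return an empty vector for an empty Host value (its definition is not part of this patch), that is an out-of-bounds read, and guarding the branch with `if (!host.empty())` would cover both uses. Splitting on every `:` also reduces a bracketed IPv6 literal such as `[::1]:8080` to `[`, so the logged hostname would be misleading for those requests. Stripping only a trailing `:port` after the closing bracket would avoid that. The function body continues outside the hunk.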
@@ -0,0 +1,42 @@
+[
+ {
+ "enabled":1,
+ "version_min":300000,
+ "version_max":0,
+ "title":"Testing 'hostname' field in rule message",
+ "client":{
+ "ip":"200.249.12.31",
+ "port":2313
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "request":{
+ "headers":{
+ "Host":"host.modsecurity.org"
+ },
+ "uri":"\/?q=/bin/bash",
+ "method":"GET",
+ "http_version":1.1,
+ "body":""
+ },
+ "response":{
+ "headers":{
+ "Content-Type":"text\/html; charset=utf-8\n\r",
+ "Content-Length":"10\n\r"
+ },
+ "body":[
+ "No answer."
+ ]
+ },
+ "expected":{
+ "http_code":403,
+ "error_log":"hostname \"host.modsecurity.org\""
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecRule ARGS \"@rx bash\" \"id:1,t:none,deny\""
+ ]
+ }
+]
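Review bot: This regression case pins only the well-formed path, `"Host":"host.modsecurity.org"`. Since `hostname` is now taken from a request header, I would add sibling cases: a request with no Host header (expecting the server IP `200.249.12.31` in `error_log`), a Host with a port suffix, and a Host containing a double quote, so that the encoding of the field in the log line is fixed by a test.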