ModSecurity/src/operators/detect_sqli.cc at 84cdfddd86c2766bef02d27ef140254c2495128a · Easton97-Jens/ModSecurity · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
/*
 * ModSecurity, http://www.modsecurity.org/
 * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * If any of the files related to licensing are missing or if you have any
 * other questions related to licensing please contact Trustwave Holdings, Inc.
 * directly using the email address security@modsecurity.org.
 *
 */

#include "src/operators/detect_sqli.h"

#include <string>
#include <list>
#include <array>

#include "src/operators/operator.h"
#include "src/operators/libinjection_utils.h"
#include "libinjection/src/libinjection.h"
#include "libinjection/src/libinjection_error.h"

namespace modsecurity::operators {

bool DetectSQLi::evaluate(Transaction *t, RuleWithActions *rule,
    const std::string& input, RuleMessage &ruleMessage) {

    std::array<char, 8> fingerprint{};

    const injection_result_t sqli_result =
        libinjection_sqli(input.c_str(), input.length(), fingerprint.data());

    if (t == nullptr) {
        return isMaliciousLibinjectionResult(sqli_result);
    }

    switch (sqli_result) {
        case LIBINJECTION_RESULT_TRUE:
            t->m_matched.emplace_back(fingerprint.data());

            ms_dbg_a(t, 4,
                std::string("detected SQLi using libinjection with fingerprint '")
                + fingerprint.data() + "' at: '" + input + "'")

            if (rule != nullptr && rule->hasCaptureAction()) {
                t->m_collections.m_tx_collection->storeOrUpdateFirst(
                    "0", std::string(fingerprint.data()));

                ms_dbg_a(t, 7,
                    std::string("Added DetectSQLi match TX.0: ")
                    + fingerprint.data())
            }
            break;

        case LIBINJECTION_RESULT_ERROR:
            ms_dbg_a(t, 4,
                std::string("libinjection parser error during SQLi analysis (")
                + libinjectionResultToString(sqli_result)
                + "); treating as match (fail-safe). Input: '"
                + input + "'")

            if (rule != nullptr && rule->hasCaptureAction()) {
                t->m_collections.m_tx_collection->storeOrUpdateFirst(
                    "0", input);

                ms_dbg_a(t, 7,
                    std::string("Added DetectSQLi error input TX.0: ")
                    + input)
            }
            break;

        case LIBINJECTION_RESULT_FALSE:
            ms_dbg_a(t, 9,
                std::string("libinjection was not able to find any SQLi in: ")
                + input)
            break;
    }

    return isMaliciousLibinjectionResult(sqli_result);
}

}  // namespace modsecurity::operators