rodsec 0.0.1

data/lib/rodsec/rack.rb

@@ -0,0 +1,152 @@
+require_relative '../rodsec.rb'
+
+module Rodsec
+  # Thanks to rack-contrib/deflect for the basic idea, and some of the docs.
+  class Rack
+    # === Required Options:
+    #
+    #   :config   Proc, or the directory containing the ModSecurity config files
+    #             modsecurity.conf and crs-setup.conf. If it's a Proc, which
+    #             must return a Rodsec::Ruleset instance containing all the
+    #             rules you want.
+    #
+    # === Optional Options:
+    #
+    #   :rules    the directory containing the ModSecurity rules files.
+    #             Defaults to ${config}/rules. Ignored if you pass a proc to config
+    #
+    #   :logger   must respond_to #puts which takes a string. Defaults to a StringIO at #logger
+    #
+    #   :log_blk  a callable that takes |tag,string| Defaults to sending
+    #             only the string to logger. The ModSecurity logs are highly
+    #             structured and you might want to parse them, so the tag
+    #             helps disambiguate the source of the logs.
+    #
+    #   ? :msi_blk  called with [status, headers, body] if there's an intervention from ModSecurity.
+    #
+    #
+    # === Examples:
+    #
+    #  use Rodsec::Rack, config: 'your_config_path', log: (mylogger = StringIO.new)
+    #  use Rodsec::Rack, config: 'your_config_path', log_blk: -> src_class, str { my_funky_parse_msi_to_hash str }
+    def initialize app, config:, rules: nil, logger: nil, log_blk: nil
+      @app = app
+
+      @log_blk = log_blk || -> _tag, str{self.logger.puts str}
+      @msc = Rodsec::Modsec.new{|tag,str| @log_blk.call tag, str}
+
+      @logger = logger || StringIO.new
+
+      @log_blk.call self.class, "#{self.class} starting with #{@msc.version_info}"
+
+      set_rules config, rules
+    end
+
+    attr_reader :log_blk, :logger
+
+    include ReadConfig
+
+    protected def set_rules config, rules
+      case config
+      when Proc
+        @rules = config.call
+      else
+        @rules = read_config config, rules, &log_blk
+      end
+    end
+
+    REQUEST_URI = 'REQUEST_URI'.freeze
+    REMOTE_HOST = 'REMOTE_HOST'.freeze
+    REMOTE_ADDR = 'REMOTE_ADDR'.freeze
+    SERVER_NAME = 'SERVER_NAME'.freeze
+    HTTP_HOST = 'HTTP_HOST'.freeze
+    SERVER_PORT = 'SERVER_PORT'.freeze
+    HTTP_VERSION = 'HTTP_VERSION'.freeze
+    REQUEST_METHOD = 'REQUEST_METHOD'.freeze
+    SLASH = '/'.freeze
+    HTTP_HEADER_RX = /HTTP_(.*)|(CONTENT_.*)/.freeze
+    DASH = '-'.freeze
+    UNDERSCORE = '_'.freeze
+    EMPTY = String.new.freeze
+
+    RACK_INPUT = 'rack.input'.freeze
+
+    def call env
+      txn = Rodsec::Transaction.new @msc, @rules, txn_log_tag: env[REQUEST_URI]
+
+      ################
+      # incoming
+
+      # uri! scope for variables
+      lambda do
+        remote_addr = env[REMOTE_HOST] || env[REMOTE_ADDR]
+        server_addr = env[HTTP_HOST] || env[SERVER_NAME]
+        txn.connection! remote_addr, 0, server_addr, (env[SERVER_PORT] || 0)
+
+        _, version = env[HTTP_VERSION]&.split(SLASH)
+
+        txn.uri! env[REQUEST_URI], env[REQUEST_METHOD], version
+      end.call
+
+      # request_headers! - another scope for variables
+      lambda do
+        http_headers = env.map do |key,val|
+          key =~ HTTP_HEADER_RX or next
+          header_name = $1 || $2
+          dashified = header_name.split(UNDERSCORE).map(&:capitalize).join(DASH)
+          [dashified, val]
+        end.compact.to_h
+
+        txn.request_headers! http_headers
+      end.call
+
+      # request_body! MUST be called (even with an empty body is fine),
+      # otherwise ModSecurity never triggers the rules, even though ModSecurity
+      # can detect something dodgy in the headers. That needs what they call
+      # self-contained mode.
+      env[RACK_INPUT].tap do |rack_input|
+        # ruby-2.3 syntax :-|
+        begin
+          # What about a DOS from a very large body?
+          #
+          # Rack spec says rack.input must be rewindable at the http-server
+          # level, so it's all in memory by now anyway, nothing we can do to
+          # affect that here.
+          txn.request_body! rack_input
+        ensure
+          # Have to rewind input, otherwise other rack apps can't get the content
+          rack_input.rewind
+        end
+      end
+
+      ################
+      # rack chain
+      status, headers, body = @app.call env
+
+      ################
+      # outgoing
+      txn.response_headers! status, env[HTTP_VERSION], headers
+
+      # TODO handle hijacking? Not sure.
+      # body is an Enumerable, which response_body! will handle
+      txn.response_body! body
+
+      # Logging. From ModSecurity's point of view this could be in a separate
+      # thread. Dunno how rack will handle that though. Also, there's no way to
+      # wait for a thread doing that logging. So it would have to be spawned and
+      # then left to die. Alone. In the rain.
+      txn.logging
+
+      # all ok
+      return status, headers, body
+
+    rescue Rodsec::Intervention => iex
+      log_blk.call :intervention, iex.msi.log
+      # rack interface specification says we have to call close on the body, if
+      # it responds to close
+      body.respond_to?(:close) && body.close
+      # Intervention!
+      return iex.msi.status, {'Content-Type' => 'text/plain'}, [ ::Rack::Utils::HTTP_STATUS_CODES[iex.msi.status] ].compact
+    end
+  end
+end

data/lib/rodsec/read_config.rb

@@ -0,0 +1,80 @@
+module Rodsec
+  module ReadConfig
+    # log_blk takes a tag and a string
+    module_function def read_config config, rules, &log_blk
+      config_dir = Pathname config
+      rules_dir = Pathname(rules || config_dir + 'rules')
+
+      # NOTE the first two config files MUST be loaded before the rules files
+      config_rules = RuleSet.new
+      config_rules.add_file config_dir + 'modsecurity.conf'
+      config_rules.add_file config_dir + 'crs-setup.conf'
+
+      # Now load the rules files
+      rules_files = rules_dir.children.select{|p| p.to_s =~ /.*conf$/}.sort
+
+      # merge rules files.
+      rules_files.reduce config_rules do |ax, fn|
+        # ruby 2.3.x syntax :-|
+        begin
+          log_blk&.call self.class, "loading rules file: #{fn}"
+          rules = RuleSet.new tag: fn
+          rules.add_file fn
+          ax.merge rules
+        rescue
+          log_blk&.call $!.class, "error loading rules file: #{$!}"
+          ax
+        end
+      end
+    end
+
+    # Hacky Workaround for the bug that's tickled by merging Rules.
+    #
+    # What we do is read all the files separately. Check each one to see that it
+    # has no syntax errors. If that works, append the file contents to one giant
+    # string containing all the rule files. When we've read all the rule files,
+    # create one RuleSet from the combined string. That way we don't need to
+    # merge rulesets.
+    module_function def read_combined_config config, rules, &log_blk
+      # part of the hacky workaround, so it's self-contained when we remove it.
+      require 'stringio'
+      config_dir = Pathname config
+      rules_dir = Pathname(rules || config_dir + 'rules')
+
+      # NOTE the first two config files MUST be loaded before the rules files
+      files = [(config_dir + 'modsecurity.conf'), (config_dir + 'crs-setup.conf')]
+
+      # Now add the rules files
+      files.concat rules_dir.children.select{|p| p.to_s =~ /.*conf$/}.sort
+
+      # merge rules files.
+      combined_rules = files.each_with_object StringIO.new do |fn, sio|
+        begin
+          log_blk&.call self.class, "loading rules file: #{fn}"
+
+          # syntax check rule set
+          RuleSet.new.add_file fn.to_s
+
+          File.open fn do |io| IO.copy_stream io, sio end
+        rescue
+          log_blk&.call $!.class, "error loading rules file: #{$!}"
+        end
+      end
+
+      # make sure the rules can access their *.data files - we lose the file
+      # location information when we use this approach.
+      save_dir = Dir.pwd
+      Dir.chdir rules_dir
+
+      # add the combined rules
+      log_blk&.call self.class, 'loading combined rules'
+      p size: combined_rules.string.length
+      rules = RuleSet.new
+      rules.add combined_rules.string
+      rules
+    ensure
+      # restore original directory
+      save_dir and Dir.chdir save_dir
+    end
+  end
+end

data/lib/rodsec/rule_set.rb

@@ -0,0 +1,69 @@
+require 'pathname'
+
+require_relative 'wrapper'
+require_relative 'string_pointers'
+
+module Rodsec
+  class RuleSet
+    def initialize tag: nil
+      @tag = tag
+
+      @rules_ptr = Wrapper.msc_create_rules_set
+      @rules_ptr.free = Wrapper['msc_rules_cleanup']
+
+      # just mirroring the c-api, not sure if it's actually useful
+      @rule_count = 0
+    end
+
+    # srsly, don't mess with this
+    attr_reader :rules_ptr
+
+    attr_reader :tag, :rule_count
+
+    include StringPointers
+
+    # add rules from the given file
+    # return number of rules added? I think?
+    def add_file conf_pathname
+      conf_pathname = Pathname conf_pathname
+      err = Fiddle::Pointer[0]
+      rv = Wrapper.msc_rules_add_file rules_ptr, (strptr conf_pathname.realpath.to_s), err.ref
+
+      raise Error, [conf_pathname, err.to_s] if rv < 0
+      @rule_count += rv
+      self
+    end
+
+    # dump rules to stdout. No way to redirect that, from what I can see.
+    def dump
+      Wrapper.msc_rules_dump rules_ptr
+      self
+    end
+
+    def add rules_text
+      err = Fiddle::Pointer[0]
+      rv = Wrapper.msc_rules_add rules_ptr, (strptr rules_text.to_s), err.ref
+      raise Error, err.to_s if rv < 0
+      @rule_count += rv
+      self
+    end
+
+    def add_url key, url
+      err = Fiddle::Pointer[0]
+      rv = Wrapper.msc_rules_add_remote rules_ptr, (strptr key), (strptr uri), err.ref
+      raise Error, err.to_s if rv < 0
+      @rule_count += rv
+      self
+    end
+
+    # merge other rules with self
+    def merge other
+      raise "must be a #{self.class.name}" unless self.class === other
+      err = Fiddle::Pointer[0]
+      rv = Wrapper.msc_rules_merge rules_ptr, other.rules_ptr, err.ref
+      @rule_count += rv
+      raise Error, err.to_s if rv < 0
+      self
+    end
+  end
+end

data/lib/rodsec/string_pointers.rb

@@ -0,0 +1,10 @@
+module Rodsec
+  module StringPointers
+    EMPTY_STRING = String.new.freeze
+
+    def strptr str
+      # nil often causes ModSecurity to segfault
+      str || EMPTY_STRING
+    end
+  end
+end

data/lib/rodsec/transaction.rb

@@ -0,0 +1,168 @@
+require_relative 'wrapper'
+require_relative 'string_pointers'
+
+module Rodsec
+  class Transaction
+    # txn_log_tag must be convertible to a string. Defaults to self.object_id.to_s
+    # it shows up in as the first argument passed to Modsec's log_blk.
+    def initialize msc, ruleset, txn_log_tag: nil
+      raise Error, "msc must be a #{Modsec}" unless Modsec === msc
+      raise Error, "ruleset must be a #{RuleSet}" unless RuleSet === ruleset
+
+      @msc, @ruleset = msc, ruleset
+      @txn_log_tag = Fiddle::Pointer[(txn_log_tag || object_id).to_s]
+      @txn_ptr = Wrapper.msc_new_transaction msc.msc_ptr, ruleset.rules_ptr, @txn_log_tag
+      @txn_ptr.free = Wrapper['msc_transaction_cleanup']
+    end
+
+    attr_reader :txn_ptr
+
+    attr_reader :msc, :ruleset
+
+    include StringPointers
+
+    # Raise an Intervention(ModSecurityIntervention) if necessary, or return self.
+    #
+    # ModSecurity will only populate the intervention structure if it detects
+    # something 'disruptive' in the SecRules.
+    protected def intervention!
+      # Check for Intervention
+      msi = Wrapper::ModSecurityIntervention.new Wrapper.msc_new_intervention
+      rv = Wrapper.msc_intervention txn_ptr, msi
+      raise Intervention, msi if rv > 0
+      self
+    end
+
+    ##################################
+    # Phase CONNECTION / SecRules  0
+    # check for intervention afterwards
+    def connection! client_host, client_port, server_host, server_port
+      rv = Wrapper.msc_process_connection \
+        txn_ptr,
+        (strptr client_host), (Integer client_port),
+        (strptr server_host), (Integer server_port)
+
+      rv == 1 or raise Error, "msc_process_connection failed for #{[client_host, client_port, server_host, server_port].inspect}"
+
+      intervention!
+    end
+
+    ##################################
+    # Phase URI / 1.5
+    # check for intervention afterwards
+    # verb is GET POST etc
+    # http_version is '1.1', '1.2' etc
+    def uri! uri, verb, http_version
+      rv = Wrapper.msc_process_uri txn_ptr, (strptr uri), (strptr verb), (strptr http_version)
+      rv == 1 or raise Error "msc_process_uri failed for #{[uri, verb, http_version].inspect}"
+
+      intervention!
+    end
+
+    ##################################
+    # Phase REQUEST_HEADERS.  SecRules 1
+    def request_headers! header_hash
+      errors = header_hash.each_with_object [] do |(key, val), errors|
+        key = key.to_s; val = val.to_s
+        rv = Wrapper.msc_add_n_request_header txn_ptr, (strptr key), key.bytesize, (strptr val), val.bytesize
+        rv == 1 or errors << "msc_add_n_request_header failed adding #{[key,val].inspect}"
+      end
+
+      raise Error errors if errors.any?
+
+      rv = Wrapper.msc_process_request_headers txn_ptr
+      rv == 1 or raise "msc_process_request_headers failed"
+
+      intervention!
+    end
+
+    protected def enum_of_body body
+      case
+      when NilClass === body
+        ['']
+      when String === body
+        [body]
+      when body.respond_to?(:each)
+        body
+      else
+        raise "dunno about #{body}"
+      end
+    end
+
+    ##################################
+    # Phase REQUEST_BODY.  SecRules 2
+    #
+    # body can be a String, or an Enumerable of strings
+    def request_body! body
+      enum_of_body(body).each do |body_part|
+        body_part = body_part.to_s
+        rv = Wrapper.msc_append_request_body txn_ptr, (strptr body_part), body_part.bytesize
+        rv == 1 or raise Error, "msc_append_request_body failed"
+      end
+
+      # This MUST be called, otherwise rules aren't triggered.
+      rv = Wrapper.msc_process_request_body txn_ptr
+      rv == 1 or raise Error, "msc_process_request_body failed"
+
+      intervention!
+    end
+
+    # This is probably only used when appending a body in chunks. We don't use it.
+    # extern 'size_t msc_get_request_body_length(Transaction *transaction)'
+
+    ##################################
+    # Phase RESPONSE_HEADERS. SecRules 3
+    # http_status_code is one of the 200, 401, 404 etc codes
+    # http_with_version seems to be things like 'HTTP 1.2', not entirely sure.
+    def response_headers! http_status_code = 200, http_with_version = 'HTTP 1.1', header_hash
+      errors = header_hash.each_with_object [] do |(key, val), errors|
+        key = key.to_s; val = val.to_s
+        rv = Wrapper.msc_add_n_response_header txn_ptr, (strptr key), key.bytesize, (strptr val), val.bytesize
+        rv == 1 or errors << "msc_add_n_response_header failed adding #{[key,val].inspect}"
+      end
+
+      raise Error, errors if errors.any?
+
+      rv = Wrapper.msc_process_response_headers txn_ptr, (Integer http_status_code), (strptr http_with_version)
+      rv == 1 or raise "msc_process_response_headers failed"
+
+      intervention!
+    end
+
+    # Called after msc_process_response_headers "to inform a new response code"
+    # Not mandatory. Not sure what it means really. Maybe it affects the intervention values?
+    # extern 'int msc_update_status_code(Transaction *transaction, int status)'
+
+    ##################################
+    # Phase RESPONSE_BODY. SecRules 4
+    #
+    # body can be a String, or an Enumerable of strings
+    def response_body! body
+      enum_of_body(body).each do |body_part|
+        body_part = body_part.to_s
+        rv = Wrapper.msc_append_response_body txn_ptr, (strptr body_part), body_part.bytesize
+        rv == 1 or raise Error, 'msc_append_response_body failed'
+      end
+
+      # This MUST be called, otherwise rules aren't triggered
+      rv = Wrapper.msc_process_response_body txn_ptr
+      rv == 1 or raise Error, "msc_process_response_body failed"
+
+      intervention!
+    end
+
+    # Needed if ModSecurity modifies the outgoing body. We don't make use of that.
+    # extern 'const char *msc_get_response_body(Transaction *transaction)'
+    # extern 'size_t msc_get_response_body_length(Transaction *transaction)'
+
+    ##################################
+    # Phase LOGGING. SecRules 5.
+    # just logs all information. Response can be sent prior to this, or concurrently.
+    def logging
+      rv = Wrapper.msc_process_logging txn_ptr
+      rv == 1 or raise 'msc_process_logging failed'
+
+      self
+    end
+  end
+end