feat: improved XMLArgs processing

[airween]

what

This PR adds a new feature within XML processing. It's same as the #3358 but for v3.

why

See v2 patch.

references

See #3178 and #3358.

[fzipi]

I don't see this being the same patch as v2. Here you implemented the extra ctl:parseXMLintoArgs: it is not in v2. My bad, this is indeed implemented.

[fzipi]

17? 🤦 It looks like the lenght of the SecParseXMLIntoArgs, but alone is so arbitrary.

[airween]

You're definitely right, but I just wanted to follow the conventions (see other files) (even if it's not the prettiest solution). If we want to clean up the code, then we should do that as a sub project.

[fzipi]

Does the project want this? It is worth tracking then (e.g. creating a new issue with the subproject?)

[airween]

Does the project want this?

Not necessarily. But we can live together with this.

Just a few example:

• audit_engine.cc
• audit_log_parts.cc
• request_body_access.cc
• rule_egine.cc
• ...

It is worth tracking then (e.g. creating a new issue with the subproject?)

Sure, it's been like this for almost ten years. Nobody reported, you are the first, so I can't say this has a priority.

[fzipi]

Sounds perfect. But (simple) tickets like this might get additional people into the dev side ;)

[airween]

But (simple) tickets like this might get additional people into the dev side ;)

Amen! :)

[fzipi]

Same here on this declaration. Is this the new standard?

[airween]

Sorry, could you show a "reference"? What is the "standard"? What is the "old" standard?

[fzipi]

The signature of the function is just in the same line, normally.

[theseion]

As I had pointed out in the other PR, there are already several different ways of formatting long function signatures in the code base. This is one of them.

[fzipi]

Same here.

[airween]

Same as above.

[airween]

I don't see this being the same patch as v2. Here you implemented the extra ctl:parseXMLintoArgs: it is not in v2.

It's there.

[airween]

A few tests were failed after some commit - I have to check the reason.

[sonarqubecloud]

Quality Gate passed

Issues
74 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.3% Duplication on New Code

See analysis details on SonarQube Cloud

[airween]

I added a few new commits here as at #3358:

• bf707de - changed the directive SecXMLintoArgs to SecXmlIntoArgs
• e8dc60e - there is a small change in the node value's parsing: if the node value contains a multi-byte character the SAX calls the function multiple times, so we need to concatenate those sub-strings, not creating a new string every time
• 89442ed - changed the directives in tests and add a new test with a multibyte character

[fzipi]

Just out of curiosity, have you tried enabling this and sending a big xml file?

[airween]

Just out of curiosity, have you tried enabling this and sending a big xml file?

What do you mean "a big xml file"?

Btw the size of the file is just one thing... There are couple of limits in the engine when you're sending an XML payload and want to process it as ARGS, like:

• SecRequestBodyNoFilesLimit - the default value is 128kB
• SecArgumentsLimit - default value is 1000

I sent an XML with size > 400kB (I increased the SecRequestBodyNoFilesLimit), then I get:

ModSecurity: XML parsing error: More than 1000 ARGS (GET + XML) [hostname "localhost"] [uri "/post"] [
ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "78"] [id "200002"] [msg "Failed to parse request body."] [data "XML parsing error: More than 1000 ARGS (GET + XML)"] [severity "CRITICAL"] [hostname "localhost"] [uri "/post"]

Actually, the behavior of this function is exactly the same as that used for JSON. There is no difference. You could ask "have you tried enabling this and sending a big JSON file?". But the JSON works as is, and this feature is optional.

If you tell me what you're curious about, I'll try it - with an XML and a JSON too.

[fzipi]

Just out of curiosity, have you tried enabling this and sending a big xml file?

The sentence starts with Just out of curiosity. So yes, just curious.

[theseion]

Suggested change

	* The ConfigBoolean enumerator the states for configuration boolean values.
	* The ConfigBoolean enumerator defines the states for configuration boolean values.

[theseion]

Suggested change

	m_secXMLExternalEntity(PropertyNotSetConfigBoolean),
	m_secXMLParseXmlIntoArgs(PropertyNotSetConfigXMLParseXmlIntoArgs),
	m_secXmlExternalEntity(PropertyNotSetConfigBoolean),
	m_secXmlParseXmlIntoArgs(PropertyNotSetConfigXMLParseXmlIntoArgs),

[theseion]

Suggested change

	* The ConfigXMLParseXmlIntoArgs enumerator defines the states for the configuration
	* XMLParseXmlIntoArgs values.
	* The default value is PropertyNotSetConfigXMLParseXmlIntoArgs.
	*/
	enum ConfigXMLParseXmlIntoArgs {
	TrueConfigXMLParseXmlIntoArgs,
	FalseConfigXMLParseXmlIntoArgs,
	OnlyArgsConfigXMLParseXmlIntoArgs,
	PropertyNotSetConfigXMLParseXmlIntoArgs
	* The ConfigXmlParseXmlIntoArgs enumerator defines the states for the configuration
	* XmlParseXmlIntoArgs values.
	* The default value is PropertyNotSetConfigXmlParseXmlIntoArgs.
	*/
	enum ConfigXmlParseXmlIntoArgs {
	TrueConfigXmlParseXmlIntoArgs,
	FalseConfigXmlParseXmlIntoArgs,
	OnlyArgsConfigXmlParseXmlIntoArgs,
	PropertyNotSetConfigXmlParseXmlIntoArgs

[theseion]

Suggested change

	XMLNodes::XMLNodes(Transaction *transaction)
	XmlNodes::XmlNodes(Transaction *transaction)

[theseion]

Suggested change

	XML::XML(Transaction *transaction)
	Xml::Xml(Transaction *transaction)