forked from owasp-modsecurity/ModSecurity
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathvalidate_url_encoding.cc
122 lines (105 loc) · 3.56 KB
/
validate_url_encoding.cc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Trustwave Holdings, Inc.
* directly using the email address [email protected].
*
*/
#include "src/operators/validate_url_encoding.h"
#include <string>
#include "src/operators/operator.h"
namespace modsecurity {
namespace operators {
int ValidateUrlEncoding::validate_url_encoding(const char *input,
uint64_t input_length, size_t *offset) {
int i;
*offset = 0;
if ((input == NULL) || (input_length == 0)) {
return -1;
}
i = 0;
while (i < input_length) {
if (input[i] == '%') {
if (i + 2 >= input_length) {
*offset = i;
/* Not enough bytes. */
return -3;
} else {
/* Here we only decode a %xx combination if it is valid,
* leaving it as is otherwise.
*/
char c1 = input[i + 1];
char c2 = input[i + 2];
if ( (((c1 >= '0') && (c1 <= '9'))
|| ((c1 >= 'a') && (c1 <= 'f'))
|| ((c1 >= 'A') && (c1 <= 'F')))
&& (((c2 >= '0') && (c2 <= '9'))
|| ((c2 >= 'a') && (c2 <= 'f'))
|| ((c2 >= 'A') && (c2 <= 'F'))) ) {
i += 3;
} else {
/* Non-hexadecimal characters used in encoding. */
*offset = i;
return -2;
}
}
} else {
i++;
}
}
return 1;
}
bool ValidateUrlEncoding::evaluate(Transaction *transaction, RuleWithActions *rule,
const std::string &input, std::shared_ptr<RuleMessage> ruleMessage) {
size_t offset = 0;
bool res = false;
if (input.empty() == true) {
return res;
}
int rc = validate_url_encoding(input.c_str(), input.size(), &offset);
switch (rc) {
case 1 :
/* Encoding is valid */
if (transaction) {
ms_dbg_a(transaction, 7, "Valid URL Encoding at '" +input + "'");
}
res = false;
break;
case -2 :
if (transaction) {
ms_dbg_a(transaction, 7, "Invalid URL Encoding: Non-hexadecimal "
"digits used at '" + input + "'");
logOffset(ruleMessage, offset, input.size());
}
res = true; /* Invalid match. */
break;
case -3 :
if (transaction) {
ms_dbg_a(transaction, 7, "Invalid URL Encoding: Not enough " \
"characters at the end of input at '" + input + "'");
logOffset(ruleMessage, offset, input.size());
}
res = true; /* Invalid match. */
break;
case -1 :
default :
if (transaction) {
ms_dbg_a(transaction, 7, "Invalid URL Encoding: Internal " \
"Error (rc = " + std::to_string(rc) + ") at '" +
input + "'");
logOffset(ruleMessage, offset, input.size());
}
res = true;
break;
}
return res;
}
} // namespace operators
} // namespace modsecurity