Allow partial processing of multipart, JSON, and XML request body

Author: hnakamur

apache2/apache2_io.c

@@ -299,15 +299,16 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
 #endif
             }
 
+            if (msr->reqbody_length + buflen > (apr_size_t)msr->txcfg->reqbody_limit && msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL) {
+                buflen = (apr_size_t)msr->txcfg->reqbody_limit - msr->reqbody_length;
+                finished_reading = 1;
+                modsecurity_request_body_enable_partial_processing(msr);
+            }
+
             msr->reqbody_length += buflen;
 
             if (buflen != 0) {
                 int rcbs = modsecurity_request_body_store(msr, buf, buflen, error_msg);
-
-                if (msr->reqbody_length > (apr_size_t)msr->txcfg->reqbody_limit && msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL) {
-                    finished_reading = 1;
-                }
-
                 if (rcbs < 0) {
                     if (rcbs == -5) {
                         if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
@@ -351,11 +352,13 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
 
     msr->if_status = IF_STATUS_WANTS_TO_RUN;
 
-    if (rcbe == -5) {
-        return HTTP_REQUEST_ENTITY_TOO_LARGE;
-    }
-    if (rcbe < 0) {
-        return HTTP_INTERNAL_SERVER_ERROR;
+    if (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT) {
+        if (rcbe == -5) {
+            return HTTP_REQUEST_ENTITY_TOO_LARGE;
+        }
+        if (rcbe < 0) {
+            return HTTP_INTERNAL_SERVER_ERROR;
+        }
     }
     return APR_SUCCESS;
 }

apache2/modsecurity.h

@@ -736,6 +736,8 @@ apr_status_t DSOLOCAL modsecurity_request_body_start(modsec_rec *msr, char **err
 apr_status_t DSOLOCAL modsecurity_request_body_store(modsec_rec *msr,
     const char *data, apr_size_t length, char **error_msg);
 
+void DSOLOCAL modsecurity_request_body_enable_partial_processing(modsec_rec *msr);
+
 apr_status_t DSOLOCAL modsecurity_request_body_end(modsec_rec *msr, char **error_msg);
 
 apr_status_t DSOLOCAL modsecurity_request_body_to_stream(modsec_rec *msr, const char *buffer, int buflen, char **error_msg);

apache2/msc_json.c

@@ -367,6 +367,10 @@ int json_init(modsec_rec *msr, char **error_msg) {
     return 1;
 }
 
+void json_allow_partial_values(modsec_rec *msr) {
+    (void)yajl_config(msr->json->handle, yajl_allow_partial_values, 1);
+}
+
 /**
  * Feed one chunk of data to the JSON parser.
  */

apache2/msc_json.h

@@ -48,6 +48,8 @@ struct json_data {
 
 int DSOLOCAL json_init(modsec_rec *msr, char **error_msg);
 
+void DSOLOCAL json_allow_partial_values(modsec_rec *msr);
+
 int DSOLOCAL json_process(modsec_rec *msr, const char *buf,
     unsigned int size, char **error_msg);
 

apache2/msc_multipart.c

@@ -1054,7 +1054,7 @@ int multipart_complete(modsec_rec *msr, char **error_msg) {
                 }
             }
 
-            if (msr->mpd->is_complete == 0) {
+            if (msr->mpd->is_complete == 0 && msr->mpd->allow_process_partial == 0) {
                 *error_msg = apr_psprintf(msr->mp, "Multipart: Final boundary missing.");
                 return -1;
             }

apache2/msc_multipart.h

@@ -124,6 +124,7 @@ struct multipart_data {
 
     int                      seen_data;
     int                      is_complete;
+    int                      allow_process_partial;
 
     int                      flag_error;
     int                      flag_data_before;

apache2/msc_reqbody.c

@@ -413,12 +413,13 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr,
             msr_log(msr, 1, "%s", *error_msg);
         }
 
-        msr->msc_reqbody_error = 1;
+        if (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)
+            msr->msc_reqbody_error = 1;
 
-        if ((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT))   {
+        if ((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
             return -5;
-        } else if (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)  {
-            if(msr->txcfg->is_enabled == MODSEC_ENABLED)
+        } else if (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL) {
+            if (msr->txcfg->is_enabled == MODSEC_ENABLED)
                 return -5;
         }
     }
@@ -438,6 +439,24 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr,
     return -1;
 }
 
+/**
+ * Enable partial processing of request body data.
+ */
+void modsecurity_request_body_enable_partial_processing(modsec_rec *msr) {
+    if (strcmp(msr->msc_reqbody_processor, "MULTIPART") == 0) {
+        msr->mpd->allow_process_partial = 1;
+        msr_log(msr, 4, "Multipart: Allow partial processing of request body");
+    }
+    else if (strcmp(msr->msc_reqbody_processor, "XML") == 0) {
+        msr->xml->allow_ill_formed = 1;
+        msr_log(msr, 4, "XML: Allow partial processing of request body");
+    }
+    else if (strcmp(msr->msc_reqbody_processor, "JSON") == 0) {
+        json_allow_partial_values(msr);
+        msr_log(msr, 4, "JSON: Allow partial processing of request body");
+    }
+}
+
 apr_status_t modsecurity_request_body_to_stream(modsec_rec *msr, const char *buffer, int buflen, char **error_msg) {
     assert(msr != NULL);
     assert(error_msg != NULL);

apache2/msc_xml.c

@@ -267,7 +267,7 @@ int xml_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char
         if (msr->xml->parsing_ctx != NULL &&
             msr->txcfg->parse_xml_into_args != MSC_XML_ARGS_ONLYARGS) {
             xmlParseChunk(msr->xml->parsing_ctx, buf, size, 0);
-            if (msr->xml->parsing_ctx->wellFormed != 1) {
+            if (!msr->xml->allow_ill_formed && msr->xml->parsing_ctx->wellFormed != 1) {
                 *error_msg = apr_psprintf(msr->mp, "XML: Failed to parse document.");
                 return -1;
             }
@@ -318,7 +318,7 @@ int xml_complete(modsec_rec *msr, char **error_msg) {
             msr->xml->parsing_ctx = NULL;
             msr_log(msr, 4, "XML: Parsing complete (well_formed %u).", msr->xml->well_formed);
 
-            if (msr->xml->well_formed != 1) {
+            if (!msr->xml->allow_ill_formed && msr->xml->well_formed != 1) {
                 *error_msg = apr_psprintf(msr->mp, "XML: Failed to parse document.");
                 return -1;
             }

apache2/msc_xml.h

@@ -43,6 +43,7 @@ struct xml_data {
     xmlDocPtr               doc;
 
     unsigned int            well_formed;
+    unsigned int            allow_ill_formed;
 
     /* error reporting and XML array flag */
     char                   *xml_error;

tests/regression/rule/10-xml.t

@@ -428,3 +428,96 @@
 		),
 	),
 },
+{
+	type => "rule",
+	comment => "xml ProcessPartial, bad value and whole body before limit",
+	conf => qq(
+		SecRuleEngine On
+		SecRequestBodyAccess On
+		SecRequestBodyLimitAction ProcessPartial
+		SecRequestBodyLimit 61
+		SecXmlExternalEntity Off
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" "id:500005, \\
+		        phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"
+		SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500006
+		SecRule XML:/* "bad_value" "id:'500007',phase:2,t:none,deny"
+	),
+	match_log => {
+        error => [ qr/Access denied with code 403 \(phase 2\). Pattern match "bad_value" at XML\./, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "text/xml",
+		],
+		normalize_raw_request_data(
+			q(<?xml version="1.0" encoding="utf-8"?><a><b>bad_value</b></a>),
+		),
+	),
+},
+{
+	type => "rule",
+	comment => "xml ProcessPartial, bad value before limit",
+	conf => qq(
+		SecRuleEngine On
+		SecRequestBodyAccess On
+		SecRequestBodyLimitAction ProcessPartial
+		SecRequestBodyLimit 61
+		SecXmlExternalEntity Off
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" "id:500005, \\
+		        phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"
+		SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500006
+		SecRule XML:/* "bad_value" "id:'500007',phase:2,t:none,deny"
+	),
+	match_log => {
+        error => [ qr/Access denied with code 403 \(phase 2\). Pattern match "bad_value" at XML\./, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "text/xml",
+		],
+		normalize_raw_request_data(
+			q(<?xml version="1.0" encoding="utf-8"?><a><b>bad_value</b><c>ok_value</c></a>),
+		),
+	),
+},
+{
+	type => "rule",
+	comment => "xml ProcessPartial, bad value after limit",
+	conf => qq(
+		SecRuleEngine On
+		SecRequestBodyAccess On
+		SecRequestBodyLimitAction ProcessPartial
+		SecRequestBodyLimit 61
+		SecXmlExternalEntity Off
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" "id:500005, \\
+		        phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"
+		SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500006
+		SecRule XML:/* "bad_value" "id:'500007',phase:2,t:none,deny"
+	),
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "text/xml",
+		],
+		normalize_raw_request_data(
+			q(<?xml version="1.0" encoding="utf-8"?><a><b>12</b><c>bad_value</c></a>),
+		),
+	),
+},