feat: improved XMLArgs processing

[airween]

what

This PR adds a new feature within XML processing. It's same as the #3358 but for v3.

why

See v2 patch.

references

See #3178 and #3358.

[fzipi]

I don't see this being the same patch as v2. Here you implemented the extra ctl:parseXMLintoArgs: it is not in v2. My bad, this is indeed implemented.

[fzipi]

17? 🤦 It looks like the lenght of the SecParseXMLIntoArgs, but alone is so arbitrary.

[airween]

You're definitely right, but I just wanted to follow the conventions (see other files) (even if it's not the prettiest solution). If we want to clean up the code, then we should do that as a sub project.

[fzipi]

Does the project want this? It is worth tracking then (e.g. creating a new issue with the subproject?)

[airween]

Does the project want this?

Not necessarily. But we can live together with this.

Just a few example:

• audit_engine.cc
• audit_log_parts.cc
• request_body_access.cc
• rule_egine.cc
• ...

It is worth tracking then (e.g. creating a new issue with the subproject?)

Sure, it's been like this for almost ten years. Nobody reported, you are the first, so I can't say this has a priority.

[fzipi]

Sounds perfect. But (simple) tickets like this might get additional people into the dev side ;)

[airween]

But (simple) tickets like this might get additional people into the dev side ;)

Amen! :)

[fzipi]

Same here on this declaration. Is this the new standard?

[airween]

Sorry, could you show a "reference"? What is the "standard"? What is the "old" standard?

[fzipi]

The signature of the function is just in the same line, normally.

[theseion]

As I had pointed out in the other PR, there are already several different ways of formatting long function signatures in the code base. This is one of them.

[fzipi]

Same here.

[airween]

Same as above.

[airween]

I don't see this being the same patch as v2. Here you implemented the extra ctl:parseXMLintoArgs: it is not in v2.

It's there.

[airween]

A few tests were failed after some commit - I have to check the reason.

[airween]

I added a few new commits here as at #3358:

• bf707de - changed the directive SecXMLintoArgs to SecXmlIntoArgs
• e8dc60e - there is a small change in the node value's parsing: if the node value contains a multi-byte character the SAX calls the function multiple times, so we need to concatenate those sub-strings, not creating a new string every time
• 89442ed - changed the directives in tests and add a new test with a multibyte character

[fzipi]

Just out of curiosity, have you tried enabling this and sending a big xml file?

[airween]

Just out of curiosity, have you tried enabling this and sending a big xml file?

What do you mean "a big xml file"?

Btw the size of the file is just one thing... There are couple of limits in the engine when you're sending an XML payload and want to process it as ARGS, like:

• SecRequestBodyNoFilesLimit - the default value is 128kB
• SecArgumentsLimit - default value is 1000

I sent an XML with size > 400kB (I increased the SecRequestBodyNoFilesLimit), then I get:

ModSecurity: XML parsing error: More than 1000 ARGS (GET + XML) [hostname "localhost"] [uri "/post"] [
ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "78"] [id "200002"] [msg "Failed to parse request body."] [data "XML parsing error: More than 1000 ARGS (GET + XML)"] [severity "CRITICAL"] [hostname "localhost"] [uri "/post"]

Actually, the behavior of this function is exactly the same as that used for JSON. There is no difference. You could ask "have you tried enabling this and sending a big JSON file?". But the JSON works as is, and this feature is optional.

If you tell me what you're curious about, I'll try it - with an XML and a JSON too.

[fzipi]

Just out of curiosity, have you tried enabling this and sending a big xml file?

The sentence starts with Just out of curiosity. So yes, just curious.

[theseion]

Suggested change

	m_secXMLExternalEntity(PropertyNotSetConfigBoolean),
	m_secXMLParseXmlIntoArgs(PropertyNotSetConfigXMLParseXmlIntoArgs),
	m_secXmlExternalEntity(PropertyNotSetConfigBoolean),
	m_secXmlParseXmlIntoArgs(PropertyNotSetConfigXMLParseXmlIntoArgs),

[airween]

m_secXMLExternalEntity property is already a member of RulesSetProperties class. If we change here the format, then we must change that every place, eg. in seclang-parser.yy (and other line in the same file), and in few other files.

We could do this, but I'm afraid this wouldn't be a fair to those who use the project in some forked form.

(Consider a company uses libmodsecurity3 with their own modifications, and they follow the mainline source tree from our repository. Consider they uses these (modified) class members, functions that we changed their names. I think this is a modification at a level where at least a subversion number should be changed, I mean 3.0.XX to 3.1.XX - but I'm not sure we have any (other) strict reason to do that).

But because the old syntax is m_SecXML... therefore I followed that syntax in case of new members and functions, so I would keep this (unless we can change Xml to XML in case of second occurrence).

[theseion]

That's fine. I just marked all occurrences for consistency.

[theseion]

Suggested change

	* The ConfigXMLParseXmlIntoArgs enumerator defines the states for the configuration
	* XMLParseXmlIntoArgs values.
	* The default value is PropertyNotSetConfigXMLParseXmlIntoArgs.
	*/
	enum ConfigXMLParseXmlIntoArgs {
	TrueConfigXMLParseXmlIntoArgs,
	FalseConfigXMLParseXmlIntoArgs,
	OnlyArgsConfigXMLParseXmlIntoArgs,
	PropertyNotSetConfigXMLParseXmlIntoArgs
	* The ConfigXmlParseXmlIntoArgs enumerator defines the states for the configuration
	* XmlParseXmlIntoArgs values.
	* The default value is PropertyNotSetConfigXmlParseXmlIntoArgs.
	*/
	enum ConfigXmlParseXmlIntoArgs {
	TrueConfigXmlParseXmlIntoArgs,
	FalseConfigXmlParseXmlIntoArgs,
	OnlyArgsConfigXmlParseXmlIntoArgs,
	PropertyNotSetConfigXmlParseXmlIntoArgs

[airween]

I can change this, because this enum type is new, but in this case we will deviate from the above-mentioned syntax (m_SecXML...). What do you think?

[theseion]

Personally, I'd use the "new" spelling. I don't think it matters here.

[theseion]

Suggested change

	XMLNodes::XMLNodes(Transaction *transaction)
	XmlNodes::XmlNodes(Transaction *transaction)

[airween]

I can change this syntax too because it's new, but the existing code uses XML everywhere. I think my syntax matches with that better.

[theseion]

Suggested change

	XML::XML(Transaction *transaction)
	Xml::Xml(Transaction *transaction)

[airween]

Same as I wrote here. This is an existing code, the XML class and its constructor is already exists. It wouldn't be fair to change (and if we change we must align all places in the code).

[airween]

The sentence starts with Just out of curiosity. So yes, just curious.

I saw, but honestly: your question is absolutely legitimate. That's why I'm asking you: what should we expect with what size of XML, and/or how many nodes of XML?

I wrote a small script which helps to generate different payloads in XML and JSON - but with same content. I tried them, and the problem is not in the conversion (JSON to ARGS and XML to ARGS), but in the rules' processing. With the same structure in XML and JSON, I got the same ARGS list in the engine, but above 1000 of built ARGS performance deteriorates sharply, and rules which check ARGS and ARGS_NAMES will be very slow. Now I want to add some other features to that script, eg. generate x-www-form-urlencoded payload, and try that too.

Which is clearly visible: the critical value is not the size of the file, but number of nodes (both in XML and in JSON).

And of course: without any rules there is no any performance issue even with a huge number of node JSON/XML file - indeed the aim is not to forget the rules, but that's also a good question with which rules should we test?

[sonarqubecloud]

Quality Gate passed

Issues
74 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.3% Duplication on New Code

See analysis details on SonarQube Cloud

[theseion]

I saw, but honestly: your question is absolutely legitimate. That's why I'm asking you: what should we expect with what size of XML, and/or how many nodes of XML?

Unfortunately, this depends heavily on the installation. With SOAP, for example, you'll probably process 50-100 nodes per request, with some requests sending much larger XMLs. I don't know whether we can do much more than document the performance given different numbers of nodes and let users decide how to configure the engine.

And of course: without any rules there is no any performance issue even with a huge number of node JSON/XML file - indeed the aim is not to forget the rules, but that's also a good question with which rules should we test?

You could use rules with @unconditionalMatch and multiMatch, one each for ARGS, ARGS_NAMES, and XML. This should give you worst case performance for each target.