Fix Windows test include path and case-insensitive override matching

Author: Easton97-Jens

build/win32/CMakeLists.txt

@@ -164,7 +164,7 @@ project(libModSecurityTests)
 
 function(setTestTargetProperties executable)
   target_compile_definitions(${executable} PRIVATE WITH_PCRE2)
-  target_include_directories(${executable} PRIVATE ${BASE_DIR} ${BASE_DIR}/headers)
+  target_include_directories(${executable} PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others)
   target_link_libraries(${executable} PRIVATE libModSecurity pcre2::pcre2 dirent::dirent)
   add_package_dependency(${executable} WITH_YAJL yajl::yajl HAVE_YAJL)
 endfunction()
@@ -239,7 +239,7 @@ setTestTargetProperties(rules_optimization)
 project(libModSecurityExamples)
 
 function(setExampleTargetProperties executable)
-  target_include_directories(${executable} PRIVATE ${BASE_DIR} ${BASE_DIR}/headers)
+  target_include_directories(${executable} PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others)
   target_link_libraries(${executable} PRIVATE libModSecurity)
 endfunction()
 

src/Makefile.am

@@ -187,6 +187,7 @@ OPERATORS = \
 	operators/contains_word.cc \
 	operators/detect_sqli.cc \
 	operators/detect_xss.cc \
+	operators/libinjection_adapter.cc \
 	operators/ends_with.cc \
 	operators/eq.cc \
 	operators/fuzzy_hash.cc \

src/operators/detect_sqli.cc

@@ -21,7 +21,7 @@
 
 #include "src/operators/operator.h"
 #include "src/operators/libinjection_utils.h"
-#include "libinjection/src/libinjection.h"
+#include "src/operators/libinjection_adapter.h"
 #include "libinjection/src/libinjection_error.h"
 
 namespace modsecurity::operators {
@@ -32,7 +32,7 @@ bool DetectSQLi::evaluate(Transaction *t, RuleWithActions *rule,
     std::array<char, 8> fingerprint{};
 
     const injection_result_t sqli_result =
-        libinjection_sqli(input.c_str(), input.length(), fingerprint.data());
+        runLibinjectionSQLi(input.c_str(), input.length(), fingerprint.data());
 
     if (t == nullptr) {
         return isMaliciousLibinjectionResult(sqli_result);
@@ -71,6 +71,9 @@ bool DetectSQLi::evaluate(Transaction *t, RuleWithActions *rule,
                     std::string("Added DetectSQLi error input TX.0: ")
                     + input);
             }
+
+            // Keep m_matched untouched for parser-error paths to avoid
+            // introducing synthetic fingerprints for non-TRUE results.
             break;
 
         case LIBINJECTION_RESULT_FALSE:

src/operators/detect_xss.cc

@@ -19,7 +19,7 @@
 
 #include "src/operators/operator.h"
 #include "src/operators/libinjection_utils.h"
-#include "libinjection/src/libinjection.h"
+#include "src/operators/libinjection_adapter.h"
 #include "libinjection/src/libinjection_error.h"
 
 namespace modsecurity::operators {
@@ -28,7 +28,7 @@ bool DetectXSS::evaluate(Transaction *t, RuleWithActions *rule,
     const std::string& input, RuleMessage &ruleMessage) {
 
     const injection_result_t xss_result =
-        libinjection_xss(input.c_str(), input.length());
+        runLibinjectionXSS(input.c_str(), input.length());
 
     if (t == nullptr) {
         return isMaliciousLibinjectionResult(xss_result);

src/operators/libinjection_adapter.cc

@@ -0,0 +1,46 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ */
+
+#include "src/operators/libinjection_adapter.h"
+
+#include "libinjection/src/libinjection.h"
+
+namespace modsecurity::operators {
+namespace {
+// Per-thread overrides avoid cross-thread interference during mtstress tests.
+thread_local DetectSQLiFn g_sqli_override = nullptr;
+thread_local DetectXSSFn g_xss_override = nullptr;
+}
+
+injection_result_t runLibinjectionSQLi(const char *input, size_t len,
+    char *fingerprint) {
+    if (DetectSQLiFn fn = g_sqli_override) {
+        return fn(input, len, fingerprint);
+    }
+
+    return libinjection_sqli(input, len, fingerprint);
+}
+
+injection_result_t runLibinjectionXSS(const char *input, size_t len) {
+    if (DetectXSSFn fn = g_xss_override) {
+        return fn(input, len);
+    }
+
+    return libinjection_xss(input, len);
+}
+
+void setLibinjectionSQLiOverrideForTesting(DetectSQLiFn fn) {
+    g_sqli_override = fn;
+}
+
+void setLibinjectionXSSOverrideForTesting(DetectXSSFn fn) {
+    g_xss_override = fn;
+}
+
+void clearLibinjectionOverridesForTesting() {
+    g_sqli_override = nullptr;
+    g_xss_override = nullptr;
+}
+
+}  // namespace modsecurity::operators

src/operators/libinjection_adapter.h

@@ -0,0 +1,27 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ */
+
+#ifndef SRC_OPERATORS_LIBINJECTION_ADAPTER_H_
+#define SRC_OPERATORS_LIBINJECTION_ADAPTER_H_
+
+#include <cstddef>
+
+#include "libinjection/src/libinjection_error.h"  // matches detect_xss.cc, detect_sqli.cc, and libinjection_utils.h
+
+namespace modsecurity::operators {
+
+using DetectSQLiFn = injection_result_t (*)(const char *, size_t, char *);
+using DetectXSSFn = injection_result_t (*)(const char *, size_t);
+
+injection_result_t runLibinjectionSQLi(const char *input, size_t len,
+    char *fingerprint);
+injection_result_t runLibinjectionXSS(const char *input, size_t len);
+
+void setLibinjectionSQLiOverrideForTesting(DetectSQLiFn fn);
+void setLibinjectionXSSOverrideForTesting(DetectXSSFn fn);
+void clearLibinjectionOverridesForTesting();
+
+}  // namespace modsecurity::operators
+
+#endif  // SRC_OPERATORS_LIBINJECTION_ADAPTER_H_

test/Makefile.am

@@ -73,6 +73,7 @@ unit_tests_LDFLAGS = \
 unit_tests_CPPFLAGS = \
 	-Icommon \
 	-I$(top_srcdir)/ \
+	-I$(top_srcdir)/others \
 	-g \
 	-I$(top_builddir)/headers \
 	$(CURL_CFLAGS) \

test/test-cases/unit/operator-libinjection-error.json

@@ -0,0 +1,40 @@
+[
+  {
+    "type": "op",
+    "name": "detectXSS",
+    "param": "",
+    "input": "<div<div>",
+    "ret": 1,
+    "capture": 1,
+    "libinjection_override": "error",
+    "output": "<div<div>"
+  },
+  {
+    "type": "op",
+    "name": "detectSQLi",
+    "param": "",
+    "input": "''''''",
+    "ret": 1,
+    "capture": 1,
+    "libinjection_override": "error",
+    "output": "''''''"
+  },
+  {
+    "type": "op",
+    "name": "detectXSS",
+    "param": "",
+    "input": "<script>alert(1)</script>",
+    "ret": 1,
+    "capture": 1,
+    "output": "<script>alert(1)</script>"
+  },
+  {
+    "type": "op",
+    "name": "detectSQLi",
+    "param": "",
+    "input": "ascii(substring(version() from 1 for 1))",
+    "ret": 1,
+    "capture": 1,
+    "output": "f(f(f"
+  }
+]

test/test-suite.in

@@ -198,6 +198,7 @@ TESTS+=test/test-cases/secrules-language-tests/operators/contains.json
 TESTS+=test/test-cases/secrules-language-tests/operators/containsWord.json
 TESTS+=test/test-cases/secrules-language-tests/operators/detectSQLi.json
 TESTS+=test/test-cases/secrules-language-tests/operators/detectXSS.json
+TESTS+=test/test-cases/unit/operator-libinjection-error.json
 TESTS+=test/test-cases/secrules-language-tests/operators/endsWith.json
 TESTS+=test/test-cases/secrules-language-tests/operators/eq.json
 TESTS+=test/test-cases/secrules-language-tests/operators/ge.json

test/unit/unit.cc

@@ -28,6 +28,8 @@
 #include "src/actions/transformations/transformation.h"
 #include "modsecurity/transaction.h"
 #include "modsecurity/actions/action.h"
+#include "src/actions/capture.h"
+#include "src/operators/libinjection_adapter.h"
 
 
 #include "test/common/modsecurity_test.h"
@@ -57,6 +59,34 @@ void print_help() {
 }
 
 
+namespace {
+injection_result_t sqli_force_error(const char *, size_t, char *) {
+    return LIBINJECTION_RESULT_ERROR;
+}
+
+injection_result_t xss_force_error(const char *, size_t) {
+    return LIBINJECTION_RESULT_ERROR;
+}
+
+void configure_libinjection_override(const UnitTest &t) {
+    modsecurity::operators::clearLibinjectionOverridesForTesting();
+
+    if (t.libinjection_override != "error") {
+        return;
+    }
+
+    const std::string operator_name = modsecurity::utils::string::tolower(t.name);
+
+    if (operator_name == "detectsqli") {
+        modsecurity::operators::setLibinjectionSQLiOverrideForTesting(
+            sqli_force_error);
+    } else if (operator_name == "detectxss") {
+        modsecurity::operators::setLibinjectionXSSOverrideForTesting(
+            xss_force_error);
+    }
+}
+}  // namespace
+
 struct OperatorTest {
     using ItemType = Operator;
 
@@ -71,13 +101,42 @@ struct OperatorTest {
     }
 
     static UnitTestResult eval(ItemType &op, const UnitTest &t, modsecurity::Transaction &transaction) {
-        modsecurity::RuleWithActions rule{nullptr, nullptr, "dummy.conf", -1};
+        configure_libinjection_override(t);
+
+        std::unique_ptr<modsecurity::Actions> actions;
+        if (t.capture) {
+            actions = std::make_unique<modsecurity::Actions>();
+            actions->push_back(new modsecurity::actions::Capture("capture"));
+        }
+
+        modsecurity::RuleWithActions rule{actions.release(), nullptr, "dummy.conf", -1};
         modsecurity::RuleMessage ruleMessage{rule, transaction};
-        return {op.evaluate(&transaction, &rule, t.input, ruleMessage), {}};
+
+        const bool matched = op.evaluate(&transaction, &rule, t.input, ruleMessage);
+
+        UnitTestResult result;
+        result.ret = matched;
+        if (t.capture) {
+            auto tx0 = transaction.m_collections.m_tx_collection->resolveFirst("0");
+            if (tx0 != nullptr) {
+                result.output = *tx0;
+            }
+        }
+
+        modsecurity::operators::clearLibinjectionOverridesForTesting();
+        return result;
     }
 
     static bool check(const UnitTestResult &result, const UnitTest &t) {
-        return result.ret != t.ret;
+        if (result.ret != t.ret) {
+            return true;
+        }
+
+        if (t.capture || t.output.empty() == false) {
+            return result.output != t.output;
+        }
+
+        return false;
     }
 };