From c4835ca1524e876873c4180caca851242124278a Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 11:55:10 +0100 Subject: [PATCH 001/106] Add Dependabot configuration for updates --- .github/dependabot.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/dependabot.yaml diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 0000000000..647560dd85 --- /dev/null +++ b/.github/dependabot.yaml @@ -0,0 +1,15 @@ +version: 2 +updates: + - package-ecosystem: "gitsubmodule" + directory: "/" + schedule: + interval: "daily" + commit-message: + prefix: "Submodule Update" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + commit-message: + prefix: "GitHub Actions Updates" From 4317e6cf627b9f6bb930bbcdd7821129c7a90e49 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:59:37 +0000 Subject: [PATCH 002/106] GitHub Actions Updates: Bump actions/checkout from 4 to 6 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d6895b825d..42fc403531 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -56,7 +56,7 @@ jobs: run: | sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ libfuzzy-dev:${{ matrix.platform.arch }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 @@ -106,7 +106,7 @@ jobs: pcre \ bison \ flex - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 @@ -147,7 +147,7 @@ jobs: - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 @@ -195,7 +195,7 @@ jobs: automake \ libtool \ cppcheck - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 From 95ef56cfb85a414eeca3020929ca30ff46e44898 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:59:38 +0000 Subject: [PATCH 003/106] Submodule Update: Bump others/libinjection from `b9fcaaf` to `b2d46ec` Bumps [others/libinjection](https://github.com/libinjection/libinjection) from `b9fcaaf` to `b2d46ec`. - [Commits](https://github.com/libinjection/libinjection/compare/b9fcaaf9e50e9492807b23ffcc6af46ee1f203b9...b2d46ec124d947d2f82560074e4a348cb15148fc) --- updated-dependencies: - dependency-name: others/libinjection dependency-version: b2d46ec124d947d2f82560074e4a348cb15148fc dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- others/libinjection | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/libinjection b/others/libinjection index b9fcaaf9e5..b2d46ec124 160000 --- a/others/libinjection +++ b/others/libinjection @@ -1 +1 @@ -Subproject commit b9fcaaf9e50e9492807b23ffcc6af46ee1f203b9 +Subproject commit b2d46ec124d947d2f82560074e4a348cb15148fc From 912d2da69b9a66f50860b028a2b6bb1e9967bdc2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:59:40 +0000 Subject: [PATCH 004/106] Submodule Update: Bump others/mbedtls from `2ca6c28` to `e5ba96c` Bumps [others/mbedtls](https://github.com/Mbed-TLS/mbedtls) from `2ca6c28` to `e5ba96c`. - [Release notes](https://github.com/Mbed-TLS/mbedtls/releases) - [Commits](https://github.com/Mbed-TLS/mbedtls/compare/2ca6c285a0dd3f33982dd57299012dacab1ff206...e5ba96c5c6c408cee7a05f3ab77417a94fe534fe) --- updated-dependencies: - dependency-name: others/mbedtls dependency-version: e5ba96c5c6c408cee7a05f3ab77417a94fe534fe dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- others/mbedtls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/mbedtls b/others/mbedtls index 2ca6c285a0..e5ba96c5c6 160000 --- a/others/mbedtls +++ b/others/mbedtls @@ -1 +1 @@ -Subproject commit 2ca6c285a0dd3f33982dd57299012dacab1ff206 +Subproject commit e5ba96c5c6c408cee7a05f3ab77417a94fe534fe From 9054c6dd696abb0f69ef5f3ec448aa0e307fafbe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:59:41 +0000 Subject: [PATCH 005/106] Submodule Update: Bump bindings/python from `bc625d5` to `47a6925` Bumps [bindings/python](https://github.com/owasp-modsecurity/ModSecurity-Python-bindings) from `bc625d5` to `47a6925`. - [Commits](https://github.com/owasp-modsecurity/ModSecurity-Python-bindings/compare/bc625d5bb0bac6a64bcce8dc9902208612399348...47a6925df187f96e4593afab18dc92d5f22bd4d5) --- updated-dependencies: - dependency-name: bindings/python dependency-version: 47a6925df187f96e4593afab18dc92d5f22bd4d5 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- bindings/python | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bindings/python b/bindings/python index bc625d5bb0..47a6925df1 160000 --- a/bindings/python +++ b/bindings/python 
@@ -1 +1 @@ -Subproject commit bc625d5bb0bac6a64bcce8dc9902208612399348 +Subproject commit 47a6925df187f96e4593afab18dc92d5f22bd4d5 From bf9c82d22f2da3f66c69dc6a4dad361ceb4fdc52 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:59:42 +0000 Subject: [PATCH 006/106] Submodule Update: Bump test/test-cases/secrules-language-tests Bumps [test/test-cases/secrules-language-tests](https://github.com/owasp-modsecurity/secrules-language-tests) from `a3d4405` to `c6e8802`. - [Commits](https://github.com/owasp-modsecurity/secrules-language-tests/compare/a3d4405e5a2c90488c387e589c5534974575e35b...c6e8802366ec3182b8c2612e23d14e19e3545b47) --- updated-dependencies: - dependency-name: test/test-cases/secrules-language-tests dependency-version: c6e8802366ec3182b8c2612e23d14e19e3545b47 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- test/test-cases/secrules-language-tests | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/test-cases/secrules-language-tests b/test/test-cases/secrules-language-tests index a3d4405e5a..c6e8802366 160000 --- a/test/test-cases/secrules-language-tests +++ b/test/test-cases/secrules-language-tests @@ -1 +1 @@ -Subproject commit a3d4405e5a2c90488c387e589c5534974575e35b +Subproject commit c6e8802366ec3182b8c2612e23d14e19e3545b47 From b83dfb3276039fccdb9bf200ba6bcf2a453e34e0 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 11:59:56 +0100 Subject: [PATCH 007/106] Add Dependabot auto-approve workflow --- .../workflows/dependabot-auto-approve.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/workflows/dependabot-auto-approve.yaml diff --git a/.github/workflows/dependabot-auto-approve.yaml b/.github/workflows/dependabot-auto-approve.yaml new file mode 100644 index 0000000000..ae8bc032d5 --- /dev/null 
+++ b/.github/workflows/dependabot-auto-approve.yaml @@ -0,0 +1,27 @@ +name: Dependabot Auto-Approve +on: pull_request + +permissions: + pull-requests: write + contents: write + +jobs: + auto-approve: + runs-on: ubuntu-latest + if: ${{ github.actor == 'dependabot[bot]' }} + steps: + - name: Fetch Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + - name: Approve Pull Request + run: gh pr review --approve "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + - name: Enable Auto-Merge + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} From 30d1c591e5b40f93d0da4add80b8ee54c8f6c941 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 13:44:32 +0100 Subject: [PATCH 008/106] Update configure.ac --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 7a78bb6c76..d7a47a43b5 100644 --- a/configure.ac +++ b/configure.ac @@ -78,7 +78,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de AC_SUBST([LIBINJECTION_VERSION]) # Check for Mbed TLS -if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then +if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/src/base64.c"; then AC_MSG_ERROR([\ From a7e8deb2f5771a487ea6389a3783bf791128ec99 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 13:45:23 +0100 Subject: [PATCH 009/106] Update base64 header include path --- src/utils/base64.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/utils/base64.cc b/src/utils/base64.cc index e27cace943..7eb5c0edd2 100644 --- a/src/utils/base64.cc +++ b/src/utils/base64.cc 
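Review bot: The `Approve Pull Request` and `Enable Auto-Merge` steps run for every Dependabot PR whatever its update type, because the outputs of the `dependabot/fetch-metadata` step (`id: metadata`) are never read; together with the `gitsubmodule` ecosystem configured in the first commit of this series, that approves and queues for merge major bumps of actions and new commits of `others/mbedtls` and `others/libinjection` with no human review. Gate both steps on the metadata, e.g. `if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' }}`, and leave submodule updates (`steps.metadata.outputs.package-ecosystem == 'gitsubmodule'`) to a maintainer, since those are the crypto and injection-detection code the WAF links in. Note that `gh pr merge --auto` only waits for the status checks that branch protection marks as required, so this workflow is only as safe as the protection rules on the target branch, which cannot be verified from the file itself.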
@@ -10,7 +10,7 @@ * If any of the files related to licensing are missing or if you have any * other questions related to licensing please contact Trustwave Holdings, Inc. * directly using the email address security@modsecurity.org. - * + *#include "mbedtls/base64.h" */ #include "src/utils/base64.h" @@ -21,7 +21,8 @@ #include #include -#include "mbedtls/base64.h" +#include "mbedtls/include/mbedtls/tf-psa-crypto/include/mbedtls/base64.h" + template inline std::string base64Helper(const char *data, const unsigned int len, Operation op) { // cppcheck-suppress syntaxError ; false positive From 8ea7ec4b3d73a69cf6e764f20c347e812e41de90 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:12:21 +0100 Subject: [PATCH 010/106] Rename ci.yml to ci.yml.alt. --- .github/workflows/{ci.yml => ci.yml.alt.} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{ci.yml => ci.yml.alt.} (100%) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml.alt. similarity index 100% rename from .github/workflows/ci.yml rename to .github/workflows/ci.yml.alt. From d65909c4085c8ca768a5e156cce5c5f412c86f2a Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:12:50 +0100 Subject: [PATCH 011/106] Add CI workflow for quality assurance across platforms This workflow file sets up a CI pipeline for quality assurance on Linux, macOS, and Windows platforms. It includes jobs for building, checking dependencies, and running cppcheck for static analysis. --- .github/workflows/ci.yml | 229 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000000..46f5fcdd85 --- /dev/null +++ b/.github/workflows/ci.yml 
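Review bot: The first hunk turns the blank ` *` line of the license comment into ` *#include "mbedtls/base64.h"`, which is dead text inside the comment that reads as if an include were still active; restore ` *` there. In the second hunk the new path `mbedtls/include/mbedtls/tf-psa-crypto/include/mbedtls/base64.h` concatenates two include roots and does not look like a location that exists in the submodule; since the later `others/Makefile.am` commits in this series add `-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include`, the original `#include "mbedtls/base64.h"` should resolve unchanged and the include line can be left as it was. The extra blank line added after it is whitespace only. The `base64Helper` template that follows continues outside the hunk.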
@@ -0,0 +1,229 @@ +name: Quality Assurance + +on: + push: + pull_request: + +jobs: + build-linux: + name: Linux (${{ matrix.platform.label }}, ${{ matrix.compiler.label }}, ${{ matrix.configure.label }}) + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [ubuntu-22.04] + platform: + - {label: "x64", arch: "amd64", configure: ""} + - {label: "x32", arch: "i386", configure: "PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32"} + compiler: + - {label: "gcc", cc: "gcc", cxx: "g++"} + - {label: "clang", cc: "clang", cxx: "clang++"} + configure: + - {label: "with parser generation", opt: "--enable-parser-generation" } + - {label: "wo curl", opt: "--without-curl" } + - {label: "wo lua", opt: "--without-lua" } + - {label: "wo maxmind", opt: "--without-maxmind" } + - {label: "wo libxml", opt: "--without-libxml" } + - {label: "wo geoip", opt: "--without-geoip" } + - {label: "wo ssdeep", opt: "--without-ssdeep" } + - {label: "with lmdb", opt: "--with-lmdb" } + - {label: "with pcre", opt: "--with-pcre" } + exclude: + - platform: {label: "x32"} + configure: {label: "wo geoip"} + - platform: {label: "x32"} + configure: {label: "wo ssdeep"} + steps: + - name: Setup Dependencies (common) + run: | + sudo dpkg --add-architecture ${{ matrix.platform.arch }} + sudo apt-get update -y -qq + sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ + libcurl4-openssl-dev:${{ matrix.platform.arch }} \ + liblmdb-dev:${{ matrix.platform.arch }} \ + liblua5.2-dev:${{ matrix.platform.arch }} \ + libmaxminddb-dev:${{ matrix.platform.arch }} \ + libpcre2-dev:${{ matrix.platform.arch }} \ + pcre2-utils:${{ matrix.platform.arch }} \ + bison flex + - name: Setup Dependencies (x32) + if: ${{ matrix.platform.label == 'x32' }} + run: | + sudo apt-get install g++-multilib + sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ + libpcre3-dev:${{ matrix.platform.arch }} + - name: Setup Dependencies (x64) + if: ${{ matrix.platform.label == 
'x64' }} + run: | + sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ + libfuzzy-dev:${{ matrix.platform.arch }} + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: build.sh + run: ./build.sh + - name: configure + env: + CC: ${{ matrix.compiler.cc }} + CXX: ${{ matrix.compiler.cxx }} + run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes + - uses: ammaraskar/gcc-problem-matcher@master + - name: make + run: make -j `nproc` + - name: check + run: make check + + build-macos: + name: macOS (${{ matrix.configure.label }}) + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [macos-14] + configure: + - {label: "with parser generation", opt: "--enable-parser-generation" } + - {label: "wo curl", opt: "--without-curl" } + - {label: "wo lua", opt: "--without-lua" } + - {label: "wo maxmind", opt: "--without-maxmind" } + - {label: "wo libxml", opt: "--without-libxml" } + - {label: "wo geoip", opt: "--without-geoip" } + - {label: "wo ssdeep", opt: "--without-ssdeep" } + - {label: "with lmdb", opt: "--with-lmdb" } + - {label: "with pcre", opt: "--with-pcre" } + steps: + - name: Setup Homebrew + run: | + echo "PATH=/opt/homebrew/bin:$PATH" >> $GITHUB_ENV + echo "PKG_CONFIG_PATH=/opt/homebrew/lib/pkgconfig:/opt/homebrew/opt/openssl/lib/pkgconfig:/opt/homebrew/opt/pcre/lib/pkgconfig:/opt/homebrew/opt/pcre2/lib/pkgconfig:/opt/homebrew/opt/libxml2/lib/pkgconfig:/opt/homebrew/opt/curl/lib/pkgconfig:/opt/homebrew/opt/icu4c/lib/pkgconfig:/opt/homebrew/opt/openssl@3/lib/pkgconfig" >> $GITHUB_ENV + - name: Install Dependencies + run: | + brew update + brew install \ + yajl \ + lmdb \ + lua@5.3 \ + libmaxminddb \ + pcre2 \ + geoip \ + ssdeep \ + pcre \ + bison \ + flex + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules 
+ run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: Build GeoIP + run: | + git clone --depth 1 --no-checkout https://github.com/maxmind/geoip-api-c.git + cd geoip-api-c + git fetch --tags + # Check out the last release, v1.6.12 + git checkout 4b526e7331ca1d692b74a0509ddcc725622ed31a + autoreconf --install + ./configure --disable-dependency-tracking --disable-silent-rules --prefix=/opt/homebrew + make install + - name: build.sh + run: ./build.sh + - name: configure + run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes + - uses: ammaraskar/gcc-problem-matcher@master + - name: make + run: make -j `sysctl -n hw.logicalcpu` + - name: check + run: make check + + build-windows: + name: Windows (${{ matrix.configure.label }}) + runs-on: windows-latest + strategy: + matrix: + configure: + - {label: "default", opt: "" } + - {label: "wo curl", opt: "-DWITH_CURL=OFF" } + - {label: "wo lua", opt: "-DWITH_LUA=OFF" } + - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" } + - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } + - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } + steps: + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: Install Conan + run: | + pip3 install conan + - name: Configure Conan + run: | + conan profile detect + - name: Configure CMake + run: | + cmake -S . 
-B build ${{ matrix.configure.opt }} + - name: Build + run: | + cmake --build build --config Release + + cppcheck-linux: + name: cppcheck (Linux) + runs-on: ubuntu-22.04 + steps: + - name: Setup Dependencies + run: | + sudo apt-get update -y -qq + sudo apt-get install -y \ + cppcheck \ + autoconf \ + automake \ + libtool + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: configure + run: | + ./build.sh + ./configure + - name: cppcheck + run: make check-static + + cppcheck-macos: + name: cppcheck (macOS) + runs-on: macos-14 + steps: + - name: Setup Dependencies + # curl, pcre2 not installed because they're from Apple + run: | + brew update + brew install autoconf \ + automake \ + libtool \ + cppcheck + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: configure + run: | + ./build.sh + ./configure + - name: cppcheck + run: make check-static From 7fe7f95821dfd8e9135b88a250a141a5de7e4e3a Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:14:32 +0100 Subject: [PATCH 012/106] Rename .github/workflows/ci.yml.alt. to backup/ci.yml.alt --- .github/workflows/ci.yml.alt. => backup/ci.yml.alt | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/ci.yml.alt. => backup/ci.yml.alt (100%) diff --git a/.github/workflows/ci.yml.alt. b/backup/ci.yml.alt similarity index 100% rename from .github/workflows/ci.yml.alt. rename to backup/ci.yml.alt From d8d8d080e80aba48132d9eb5316cd1f36d30fcb7 Mon Sep 17 00:00:00 2001 
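Review bot: `uses: ammaraskar/gcc-problem-matcher@master` in the `build-linux` and `build-macos` jobs pulls a third-party action from a mutable branch, so whatever is pushed to that branch next runs inside this workflow with the job's token; pin it to a full commit SHA (`ammaraskar/gcc-problem-matcher@<commit-sha>  # vX.Y`, placeholder) so the `github-actions` Dependabot updater added earlier in this series can track it. The workflow also declares no top-level `permissions:`, so every job receives the repository's default token scope; `permissions: contents: read` at the top of the file is all that checkout, build and `make check` need. `pip3 install conan` in `build-windows` is likewise unpinned. Triggering on both `push` and `pull_request` without filters runs the whole matrix twice for branches of this repository.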
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:20:45 +0100 Subject: [PATCH 013/106] Fix Mbed TLS file path in configure.ac --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index d7a47a43b5..bf2d2270e7 100644 --- a/configure.ac +++ b/configure.ac @@ -77,8 +77,8 @@ fi AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git describe && cd ../..)) AC_SUBST([LIBINJECTION_VERSION]) -# Check for Mbed TLS -if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/src/base64.c"; then +# Check for Mbed TLS +if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/mbedtls/src/base64.c"; then AC_MSG_ERROR([\ From b395579773a461471014288ddd71b4fe61bfca4d Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:22:43 +0100 Subject: [PATCH 014/106] Change Lua version from 5.3 to 5.2 in CI --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 46f5fcdd85..0442fc378d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -104,7 +104,7 @@ jobs: brew install \ yajl \ lmdb \ - lua@5.3 \ + lua@5.2 \ libmaxminddb \ pcre2 \ geoip \ From cab7d513b32d306342e60b4433bb64fad1aa39c1 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:30:47 +0100 Subject: [PATCH 015/106] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0442fc378d..910ffdaddf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -104,7 +104,7 @@ jobs: brew install \ yajl \ lmdb \ - lua@5.2 \ + lua \ libmaxminddb \ pcre2 \ geoip \ 
From 890d3730870d0ec2692f42f9392e03adec960f52 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:48:53 +0100 Subject: [PATCH 016/106] Update ci.yml --- .github/workflows/ci.yml | 60 ++++++++++++++++++++++++++++++++++++---- 1 file changed, 54 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 910ffdaddf..62c13d256d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -66,11 +66,23 @@ jobs: git submodule update --init --recursive --force - name: build.sh run: ./build.sh + + - name: Debug mbedtls layout + run: | + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + - name: configure env: CC: ${{ matrix.compiler.cc }} CXX: ${{ matrix.compiler.cxx }} run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes + - uses: ammaraskar/gcc-problem-matcher@master - name: make run: make -j `nproc` @@ -132,8 +144,20 @@ jobs: make install - name: build.sh run: ./build.sh + + - name: Debug mbedtls layout + run: | + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + - name: configure run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes + - uses: ammaraskar/gcc-problem-matcher@master - name: make run: make -j `sysctl -n hw.logicalcpu` 
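Review bot: The `Debug mbedtls layout` step added before `configure` in the first hunk, and repeated in the `build-macos` hunk below and in both `cppcheck-*` hunks of this commit, is throwaway diagnostics (`ls -R … | head -n 200`, German `fehlt`/`keine … gefunden` messages) that will keep running on every push once the include-path question is settled; drop it, or keep a single copy behind `if: ${{ runner.debug == '1' }}` so it only appears on re-runs with debug logging. `find others/mbedtls -name 'base64.c' -maxdepth 8` puts the global `-maxdepth` option after a test, which GNU find accepts only with a warning; write `find others/mbedtls -maxdepth 8 -name 'base64.c'`. Without `pipefail`, the exit status of `ls -R others/mbedtls | head -n 200` is that of `head`, so the `|| echo` fallback never fires for a missing directory.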
@@ -194,10 +218,22 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force - - name: configure + - name: build.sh + run: ./build.sh + + - name: Debug mbedtls layout run: | - ./build.sh - ./configure + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + + - name: configure + run: ./configure + - name: cppcheck run: make check-static @@ -221,9 +257,21 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force - - name: configure + - name: build.sh + run: ./build.sh + + - name: Debug mbedtls layout run: | - ./build.sh - ./configure + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + + - name: configure + run: ./configure + - name: cppcheck run: make check-static From 3cc1ee1287a24905dbe4899f20bffb157bb47e8e Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:51:49 +0100 Subject: [PATCH 017/106] Fix Mbed TLS base64 file path in configure.ac Update Mbed TLS base64 source file path check. --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index bf2d2270e7..7763786e0a 100644 --- a/configure.ac +++ b/configure.ac 
@@ -78,7 +78,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de AC_SUBST([LIBINJECTION_VERSION]) # Check for Mbed TLS -if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/mbedtls/src/base64.c"; then +if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c"; then AC_MSG_ERROR([\ From 2fc73fc4a860a863e003e07bc4f059b28920fe71 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 15:04:04 +0100 Subject: [PATCH 018/106] Update Makefile.am --- others/Makefile.am | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/others/Makefile.am b/others/Makefile.am index b102a0330c..16d1eb9a4a 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -23,10 +23,10 @@ noinst_HEADERS = \ mbedtls/include/mbedtls/sha1.h libmbedtls_la_SOURCES = \ - mbedtls/library/base64.c \ - mbedtls/library/md5.c \ - mbedtls/library/sha1.c \ - mbedtls/library/platform_util.c + mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include libmbedtls_la_CPPFLAGS = From 67413c6c263488daddc23bdb73a0de4aee0e0f76 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 15:06:01 +0100 Subject: [PATCH 019/106] Update mbedtls include paths in Makefile.am --- others/Makefile.am | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/others/Makefile.am b/others/Makefile.am index 16d1eb9a4a..49d70d990f 100644 --- a/others/Makefile.am +++ b/others/Makefile.am 
@@ -15,12 +15,12 @@ noinst_HEADERS = \ libinjection/src/libinjection_sqli.h \ libinjection/src/libinjection_sqli_data.h \ libinjection/src/libinjection_xss.h \ - mbedtls/include/mbedtls/base64.h \ - mbedtls/include/mbedtls/check_config.h \ - mbedtls/include/mbedtls/mbedtls_config.h \ - mbedtls/include/mbedtls/md5.h \ - mbedtls/include/mbedtls/platform.h \ - mbedtls/include/mbedtls/sha1.h + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/base64.h \ + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/check_config.h \ + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/mbedtls_config.h \ + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \ + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/platform.h \ + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ @@ -28,6 +28,6 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include +libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = From 4a480eb454042a7cbd455cceeb75faf1015a3f85 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 16:35:48 +0100 Subject: [PATCH 020/106] Update Makefile.am --- others/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/others/Makefile.am b/others/Makefile.am index 49d70d990f..ad57935053 100644 --- a/others/Makefile.am +++ b/others/Makefile.am 
@@ -15,11 +15,11 @@ noinst_HEADERS = \ libinjection/src/libinjection_sqli.h \ libinjection/src/libinjection_sqli_data.h \ libinjection/src/libinjection_xss.h \ - mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/base64.h \ + mbedtls/tf-psa-crypto/include/mbedtls/base64.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/check_config.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/mbedtls_config.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \ - mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/platform.h \ + mbedtls/tf-psa-crypto/include/mbedtls/platform.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h libmbedtls_la_SOURCES = \ From e0b919de1a092e9fb6da2152b43a28ab32683e7c Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 16:41:41 +0100 Subject: [PATCH 021/106] Update mbedtls_config.h include path --- others/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index ad57935053..dc4485ca30 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -17,7 +17,7 @@ noinst_HEADERS = \ libinjection/src/libinjection_xss.h \ mbedtls/tf-psa-crypto/include/mbedtls/base64.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/check_config.h \ - mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/mbedtls_config.h \ + mbedtls/include/mbedtls/mbedtls_config.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \ mbedtls/tf-psa-crypto/include/mbedtls/platform.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h From ba80aa4c2c9b7e20763d1c725579e4436747c52b Mon Sep 17 00:00:00 2001 
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 16:49:52 +0100 Subject: [PATCH 022/106] Update include path for mbedtls in Makefile.am --- others/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index dc4485ca30..8151d10630 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -28,6 +28,6 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls +libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = From 26ffe965fdb5f0da5a25b92ea2978c9b2ceb3908 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:06:47 +0100 Subject: [PATCH 023/106] Update Makefile to reference check_crypto_config.h --- others/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index 8151d10630..0488de8afc 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -16,7 +16,7 @@ noinst_HEADERS = \ libinjection/src/libinjection_sqli_data.h \ libinjection/src/libinjection_xss.h \ mbedtls/tf-psa-crypto/include/mbedtls/base64.h \ - mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/check_config.h \ + mbedtls/tf-psa-crypto/drivers/builtin/src/check_crypto_config.h \ mbedtls/include/mbedtls/mbedtls_config.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \ mbedtls/tf-psa-crypto/include/mbedtls/platform.h \ From ed32c438e9b0735f8e71145963523dc2dfa8e1a0 Mon Sep 17 00:00:00 2001 
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:12:39 +0100 Subject: [PATCH 024/106] Update Makefile.am --- others/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index 0488de8afc..dbfc5a48b8 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -28,6 +28,6 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include +libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = From 9728a108b490a0d6e2b90d47978c94e0c6bf8613 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:13:37 +0100 Subject: [PATCH 025/106] Add include path for builtin drivers in Makefile --- others/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index dbfc5a48b8..eec9d03fe0 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -28,6 +28,6 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include +libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = From 3199b2951974d40bf30c31cfb8360ecbeadb538a Mon Sep 17 00:00:00 2001 
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:14:16 +0100 Subject: [PATCH 026/106] Update Makefile.am --- others/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index eec9d03fe0..30d9c08729 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -28,6 +28,7 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include +libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = From ce21b15f9041bf1cb416884f0e2dbe1f824255e9 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:18:10 +0100 Subject: [PATCH 027/106] Update ci.yml --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 62c13d256d..5357b8037b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -119,7 +119,6 @@ jobs: lua \ libmaxminddb \ pcre2 \ - geoip \ ssdeep \ pcre \ bison \ From 3b767ac73ff441c4011987a0684a77dff638089a Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 19:06:47 +0100 Subject: [PATCH 028/106] Update Makefile.am --- others/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index 30d9c08729..b8be3af6eb 100644 --- a/others/Makefile.am 
+++ b/others/Makefile.am @@ -29,6 +29,7 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = From daff882469b2647b90f11e2e75b91febe9923e93 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 7 Dec 2025 19:48:29 +0100 Subject: [PATCH 029/106] update --- backup/md5.h | 32 +++++++++++++++++++ backup/sha1.h | 75 +++++++++++++++++++++++++++++++++++++++++++++ src/utils/base64.cc | 2 +- src/utils/md5.h | 57 ++++++++++++++++++++++++---------- src/utils/sha1.h | 72 +++++++++++++++++++++++++++++-------------- 5 files changed, 198 insertions(+), 40 deletions(-) create mode 100644 backup/md5.h create mode 100644 backup/sha1.h diff --git a/backup/md5.h b/backup/md5.h new file mode 100644 index 0000000000..68f5d748e4 --- /dev/null +++ b/backup/md5.h 
@@ -0,0 +1,32 @@ +/* + * ModSecurity, http://www.modsecurity.org/ + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Trustwave Holdings, Inc. + * directly using the email address security@modsecurity.org. + * + */ + +#ifndef SRC_UTILS_MD5_H_ +#define SRC_UTILS_MD5_H_ + +#include "src/utils/sha1.h" +#include "mbedtls/md5.h" +#include + +namespace modsecurity::Utils { + + +class Md5 : public DigestImpl<&mbedtls_md5, 16> { +}; + + +} // namespace modsecurity::Utils + +#endif // SRC_UTILS_MD5_H_ \ No newline at end of file diff --git a/backup/sha1.h b/backup/sha1.h new file mode 100644 index 0000000000..a40d7fa1c8 --- /dev/null +++ b/backup/sha1.h 
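Review bot: backup/md5.h and backup/sha1.h (this hunk and the next one at L22) are verbatim copies of the pre-change headers committed under a `backup/` directory; the version history already preserves them, so they should be dropped from the commit rather than shipped with the tree. Both copies keep the include guards `SRC_UTILS_MD5_H_` and `SRC_UTILS_SHA1_H_` of the live headers, so if that directory ever lands on an include path whichever file is included second is silently skipped. They also still reference `mbedtls/md5.h` and `mbedtls/sha1.h`, the very includes this commit removes from src/utils, so they cannot build against the new layout anyway.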
@@ -0,0 +1,75 @@ +/* + * ModSecurity, http://www.modsecurity.org/ + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Trustwave Holdings, Inc. + * directly using the email address security@modsecurity.org. + * + */ + +#ifndef SRC_UTILS_SHA1_H_ +#define SRC_UTILS_SHA1_H_ + +#include +#include + +#include "src/utils/string.h" +#include "mbedtls/sha1.h" + +namespace modsecurity::Utils { + + +using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); + + +template +class DigestImpl { + public: + + static std::string digest(const std::string& input) { + return digestHelper(input, [](const auto digest) { + return std::string(digest); + }); + } + + static void digestReplace(std::string& value) { + digestHelper(value, [&value](const auto digest) mutable { + value = digest; + }); + } + + static std::string hexdigest(const std::string &input) { + return digestHelper(input, [](const auto digest) { + return utils::string::string_to_hex(digest); + }); + } + +private: + + template + static auto digestHelper(const std::string &input, + ConvertOp convertOp) -> auto { + char digest[DigestSize]; + + const auto ret = (*digestOp)(reinterpret_cast(input.c_str()), + input.size(), reinterpret_cast(digest)); + assert(ret == 0); + + return convertOp(std::string_view(digest, DigestSize)); + } +}; + + +class Sha1 : public DigestImpl<&mbedtls_sha1, 20> { +}; + + +} // namespace modsecurity::Utils + +#endif // SRC_UTILS_SHA1_H_ diff --git a/src/utils/base64.cc b/src/utils/base64.cc index 7eb5c0edd2..6fc1ec360b 100644 --- a/src/utils/base64.cc +++ b/src/utils/base64.cc 
@@ -21,7 +21,7 @@ #include #include -#include "mbedtls/include/mbedtls/tf-psa-crypto/include/mbedtls/base64.h" +#include "mbedtls/base64.h" template diff --git a/src/utils/md5.h b/src/utils/md5.h index 68f5d748e4..d77bde4fbf 100644 --- a/src/utils/md5.h +++ b/src/utils/md5.h 
@@ -1,32 +1,57 @@ /* * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * You may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. * + * Licensed under the Apache License, Version 2.0 */ #ifndef SRC_UTILS_MD5_H_ #define SRC_UTILS_MD5_H_ -#include "src/utils/sha1.h" -#include "mbedtls/md5.h" +#include "src/utils/sha1.h" // bringt DigestImpl und psa/crypto.h rein #include namespace modsecurity::Utils { - -class Md5 : public DigestImpl<&mbedtls_md5, 16> { +// Wrapper mit gleicher Signatur wie mbedtls_md5, +// intern aber PSA-API. +inline int modsec_psa_md5(const unsigned char *input, + size_t ilen, + unsigned char output[16]) +{ + // sha1.h macht bereits ein lazy psa_crypto_init() in modsec_psa_sha1, + // aber falls MD5 vor SHA1 benutzt wird, sorgen wir hier auch nochmal vor. + static bool psa_initialized = false; + + if (!psa_initialized) { + psa_status_t init_status = psa_crypto_init(); + if (init_status != PSA_SUCCESS) { + return -1; + } + psa_initialized = true; + } + + size_t out_len = 0; + psa_status_t status = psa_hash_compute( + PSA_ALG_MD5, + input, + ilen, + output, + 16, + &out_len + ); + + if (status != PSA_SUCCESS || out_len != 16) { + return -1; + } + + return 0; +} + +// Statt &mbedtls_md5 benutzen wir jetzt &modsec_psa_md5. +class Md5 : public DigestImpl<&modsec_psa_md5, 16> { }; - } // namespace modsecurity::Utils -#endif // SRC_UTILS_MD5_H_ \ No newline at end of file +#endif // SRC_UTILS_MD5_H_ diff --git a/src/utils/sha1.h b/src/utils/sha1.h index a40d7fa1c8..74cbad408f 100644 
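Review bot: The `static bool psa_initialized` guard in `modsec_psa_md5` (and the identical one in `modsec_psa_sha1`, L26) is a plain non-atomic flag, so two threads hashing concurrently can both read `false` and race on the write; this library is consumed from multithreaded hosts (the series itself touches examples/multithread). A function-local static initialised from the call is thread-safe since C++11 and removes the flag: `static const psa_status_t init_status = psa_crypto_init();` followed by `if (init_status != PSA_SUCCESS) return -1;` — or, if a failed init should be retried, call `psa_crypto_init()` unconditionally, which the PSA API documents as safe to repeat. Either way one shared helper in sha1.h is enough; the md5.h comment already acknowledges that the init block is duplicated. The new comments are in German (`// Wrapper mit gleicher Signatur wie mbedtls_md5, ...` here, `// NEU: ...` in sha1.h at L25 and L26) while the rest of these files is English; please translate them.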
--- a/src/utils/sha1.h +++ b/src/utils/sha1.h @@ -1,29 +1,23 @@ /* * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * You may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. * + * Licensed under the Apache License, Version 2.0 */ #ifndef SRC_UTILS_SHA1_H_ #define SRC_UTILS_SHA1_H_ #include +#include #include #include "src/utils/string.h" -#include "mbedtls/sha1.h" -namespace modsecurity::Utils { +// NEU: PSA statt mbedtls/sha1.h +#include +namespace modsecurity::Utils { using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); 
@@ -31,44 +25,76 @@ using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); template class DigestImpl { public: - static std::string digest(const std::string& input) { - return digestHelper(input, [](const auto digest) { + return digestHelper(input, [](const auto digest) { return std::string(digest); }); } static void digestReplace(std::string& value) { - digestHelper(value, [&value](const auto digest) mutable { + digestHelper(value, [&value](const auto digest) mutable { value = digest; }); } static std::string hexdigest(const std::string &input) { - return digestHelper(input, [](const auto digest) { + return digestHelper(input, [](const auto digest) { return utils::string::string_to_hex(digest); }); } -private: - + private: template static auto digestHelper(const std::string &input, - ConvertOp convertOp) -> auto { + ConvertOp convertOp) -> auto { char digest[DigestSize]; - const auto ret = (*digestOp)(reinterpret_cast(input.c_str()), - input.size(), reinterpret_cast(digest)); + const auto ret = (*digestOp)( + reinterpret_cast(input.c_str()), + input.size(), + reinterpret_cast(digest) + ); assert(ret == 0); return convertOp(std::string_view(digest, DigestSize)); } }; +// NEU: Wrapper, der die PSA-API in die alte Signatur presst. +inline int modsec_psa_sha1(const unsigned char *input, + size_t ilen, + unsigned char output[20]) +{ + static bool psa_initialized = false; + + if (!psa_initialized) { + psa_status_t init_status = psa_crypto_init(); + if (init_status != PSA_SUCCESS) { + return -1; + } + psa_initialized = true; + } -class Sha1 : public DigestImpl<&mbedtls_sha1, 20> { -}; + size_t out_len = 0; + psa_status_t status = psa_hash_compute( + PSA_ALG_SHA_1, + input, + ilen, + output, + 20, + &out_len + ); + + if (status != PSA_SUCCESS || out_len != 20) { + return -1; + } + + return 0; +} +// Statt &mbedtls_sha1 nehmen wir jetzt unseren PSA-Wrapper +class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> { +}; } // namespace modsecurity::Utils 
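Review bot: `modsec_psa_sha1` reports PSA failures by returning -1, but its only consumer, `digestHelper`, checks that return solely with `assert(ret == 0)`; in a build with NDEBUG defined the value is ignored and `std::string_view(digest, DigestSize)` hands the uninitialized `char digest[DigestSize]` buffer to the caller as if it were the hash. The PSA wrapper adds an initialization failure case on top of the hash call itself, so the error should be handled explicitly rather than asserted away, e.g. `if (ret != 0) throw std::runtime_error("digest computation failed");` (with the matching include), or an empty result the callers can detect. The same applies to `modsec_psa_md5` in md5.h (L24), which feeds the same helper.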
From 8385394dcf9673ef8f2983b1a62351fdb7afb822 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 19:53:55 +0100 Subject: [PATCH 030/106] Update Makefile.am --- src/Makefile.am | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/Makefile.am b/src/Makefile.am index 14c26697b5..c2b146d38f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -296,6 +296,9 @@ libmodsecurity_la_CPPFLAGS = \ -g \ -I$(top_srcdir)/others \ -I$(top_srcdir)/others/mbedtls/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \ -fPIC \ -O3 \ -I$(top_srcdir)/headers \ From 06ebdafcbc07096dda9fa6e967e4077c4fb73e0f Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:09:21 +0100 Subject: [PATCH 031/106] Add mbedcrypto to Makefile dependencies --- src/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index c2b146d38f..413cfbd712 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -345,5 +345,5 @@ libmodsecurity_la_LIBADD = \ $(PCRE2_LDADD) \ $(MAXMIND_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) - + $(YAJL_LDADD) \ + -lmbedcrypto From 9e1d5133ab3ac0fab3774c1dcd4bf9f4b81c16b3 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:19:01 +0100 Subject: [PATCH 032/106] Update ci.yml --- .github/workflows/ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5357b8037b..c51f8a8e7e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
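Review bot: `-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include` and `-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core` put Mbed TLS internal headers on the include path of every libmodsecurity translation unit, although the new src/utils code only needs `psa/crypto.h` (per the md5.h comment in PATCH 029), which presumably resolves from `tf-psa-crypto/include`; PATCH 023 earlier in this series already names the builtin-driver headers `mbedtls/private/...`. If the public headers cannot be resolved without those paths, a comment naming the header that pulls them in would help; otherwise keep only the two public include roots here and leave the internal paths to `libmbedtls_la_CFLAGS` in others/Makefile.am, which compiles the library sources and legitimately needs them.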
@@ -45,6 +45,7 @@ jobs: libpcre2-dev:${{ matrix.platform.arch }} \ pcre2-utils:${{ matrix.platform.arch }} \ bison flex + libmbedtls-dev:${{ matrix.platform.arch }} - name: Setup Dependencies (x32) if: ${{ matrix.platform.label == 'x32' }} run: | @@ -81,6 +82,7 @@ jobs: env: CC: ${{ matrix.compiler.cc }} CXX: ${{ matrix.compiler.cxx }} + LDFLAGS: "-lmbedcrypto" run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes - uses: ammaraskar/gcc-problem-matcher@master @@ -122,7 +124,8 @@ jobs: ssdeep \ pcre \ bison \ - flex + flex \ + mbedtls - uses: actions/checkout@v6 with: submodules: true From 96217bdaee6e93eb8db679d708ae52479ca8ab85 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:19:50 +0100 Subject: [PATCH 033/106] Add mbedcrypto library to rules-check Makefile --- tools/rules-check/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/rules-check/Makefile.am b/tools/rules-check/Makefile.am index 8080411716..ecf82cabf5 100644 --- a/tools/rules-check/Makefile.am +++ b/tools/rules-check/Makefile.am @@ -17,7 +17,8 @@ modsec_rules_check_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + -lmbedcrypto modsec_rules_check_LDFLAGS = \ $(GEOIP_LDFLAGS) \ From 7108fff4e8083cc2404570b05a7ed688aa1256e4 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:24:23 +0100 Subject: [PATCH 034/106] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c51f8a8e7e..8e1f523125 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,7 +44,7 @@ jobs: libmaxminddb-dev:${{ matrix.platform.arch }} \ libpcre2-dev:${{ matrix.platform.arch }} \ pcre2-utils:${{ matrix.platform.arch }} \ - bison flex + bison flex \ libmbedtls-dev:${{ matrix.platform.arch }} - name: Setup Dependencies (x32) if: ${{ matrix.platform.label == 'x32' }} From a7570b42f883c759eb96e6ed06968af6e760e6a4 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:29:22 +0100 Subject: [PATCH 035/106] Update ci.yml --- .github/workflows/ci.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8e1f523125..7b3321760d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,19 +44,20 @@ jobs: libmaxminddb-dev:${{ matrix.platform.arch }} \ libpcre2-dev:${{ matrix.platform.arch }} \ pcre2-utils:${{ matrix.platform.arch }} \ - bison flex \ - libmbedtls-dev:${{ matrix.platform.arch }} + bison flex - name: Setup Dependencies (x32) if: ${{ matrix.platform.label == 'x32' }} run: | sudo apt-get install g++-multilib sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ - libpcre3-dev:${{ matrix.platform.arch }} + libpcre3-dev:${{ matrix.platform.arch }} \ + libmbedtls-dev:${{ matrix.platform.arch }} - name: Setup Dependencies (x64) if: ${{ matrix.platform.label == 'x64' }} run: | sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ - libfuzzy-dev:${{ matrix.platform.arch }} + libfuzzy-dev:${{ matrix.platform.arch }} \ + libmbedtls-dev:${{ matrix.platform.arch }} - uses: actions/checkout@v6 with: submodules: true From 84a4eee7623d6365031e5f329d190149f3e343ad Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:33:27 +0100 Subject: [PATCH 036/106] Update ci.yml --- .github/workflows/ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7b3321760d..9d2f17d0c6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -50,8 +50,7 @@ jobs: run: | sudo apt-get install g++-multilib sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ - libpcre3-dev:${{ matrix.platform.arch }} \ - libmbedtls-dev:${{ matrix.platform.arch }} + libpcre3-dev:${{ matrix.platform.arch }} - name: Setup Dependencies (x64) if: ${{ matrix.platform.label == 'x64' }} run: | From 1e92fe9503454faa28d0d9e3590f0d97b19853a6 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:44:35 +0100 Subject: [PATCH 037/106] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9d2f17d0c6..85485d48fe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,7 +40,7 @@ jobs: sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ libcurl4-openssl-dev:${{ matrix.platform.arch }} \ liblmdb-dev:${{ matrix.platform.arch }} \ - liblua5.2-dev:${{ matrix.platform.arch }} \ + liblua5.3-dev:${{ matrix.platform.arch }} \ libmaxminddb-dev:${{ matrix.platform.arch }} \ libpcre2-dev:${{ matrix.platform.arch }} \ pcre2-utils:${{ matrix.platform.arch }} \ From 42b38a569cda6dd22b50e778084f53f87e294283 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:51:21 +0100 Subject: [PATCH 038/106] Update CI workflow to remove libmbedtls-dev Removed installation of libmbedtls-dev from CI workflow. --- .github/workflows/ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 85485d48fe..2d9d5d66ff 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -55,8 +55,7 @@ jobs: if: ${{ matrix.platform.label == 'x64' }} run: | sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ - libfuzzy-dev:${{ matrix.platform.arch }} \ - libmbedtls-dev:${{ matrix.platform.arch }} + libfuzzy-dev:${{ matrix.platform.arch }} - uses: actions/checkout@v6 with: submodules: true From d8ad34b92e39a93e3b7564f4fa32ed51bbc37c40 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:51:42 +0100 Subject: [PATCH 039/106] Remove -lmbedcrypto from Makefile.am --- src/Makefile.am | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index 413cfbd712..b224d3f773 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -345,5 +345,4 @@ libmodsecurity_la_LIBADD = \ $(PCRE2_LDADD) \ $(MAXMIND_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) \ - -lmbedcrypto + $(YAJL_LDADD) From e0986ac235def651a5c9377c3c0fbdcbf20533f7 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:51:59 +0100 Subject: [PATCH 040/106] Fix Makefile.am by adjusting YAJL_LDADD line --- tools/rules-check/Makefile.am | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/rules-check/Makefile.am b/tools/rules-check/Makefile.am index ecf82cabf5..8080411716 100644 --- a/tools/rules-check/Makefile.am +++ b/tools/rules-check/Makefile.am @@ -17,8 +17,7 @@ modsec_rules_check_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) \ - -lmbedcrypto + $(YAJL_LDADD) modsec_rules_check_LDFLAGS = \ $(GEOIP_LDFLAGS) \ From c3556c890b1af1579e674cd6b2bf13c1a42bd9ae Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 21:14:28 +0100 Subject: [PATCH 041/106] Update build.sh --- build.sh | 46 +++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 41 insertions(+), 5 deletions(-) 
diff --git a/build.sh b/build.sh index 7f47f03c04..78c73fc5d6 100755 --- a/build.sh +++ b/build.sh @@ -1,8 +1,13 @@ #!/bin/sh +set -e # bei Fehler abbrechen + rm -rf autom4te.cache rm -f aclocal.m4 +## +## 1. headers.mk erzeugen (wie bisher) +## cd src rm -f headers.mk echo "noinst_HEADERS = \\" > headers.mk @@ -22,14 +27,45 @@ ls -1 \ variables/*.h \ engine/*.h \ *.h | tr "\012" " " >> headers.mk -cd ../ +cd .. + +## +## 2. Vendored Mbed TLS bauen – MIT PROGRAMMEN UND TESTS +## +if [ -d "others/mbedtls" ]; then + echo "==> Building vendored Mbed TLS (mit Programmen und Tests)..." + ( + cd others/mbedtls + + mkdir -p build + + # Laut offizieller CMake-Options: + # - ENABLE_PROGRAMS=ON -> Tools/Beispiele bauen + # - ENABLE_TESTING=ON -> Test-Binaries + CTest + cmake -S . -B build \ + -DENABLE_PROGRAMS=ON \ + -DENABLE_TESTING=ON + + cmake --build build --config Release + + echo "==> Running Mbed TLS tests..." + cd build + ctest --output-on-failure + ) +else + echo "WARNUNG: others/mbedtls nicht gefunden – Mbed TLS wird NICHT gebaut/getestet!" +fi + +## +## 3. Autotools für ModSecurity initialisieren +## +case `uname` in + Darwin*) glibtoolize --force --copy ;; + *) libtoolize --force --copy ;; +esac -case `uname` in Darwin*) glibtoolize --force --copy ;; - *) libtoolize --force --copy ;; esac autoreconf --install autoheader automake --add-missing --foreign --copy --force-missing autoconf --force rm -rf autom4te.cache - - From 72d62fa5f98bab0fae13acddf64281fbba2edd7d Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 21:16:12 +0100 Subject: [PATCH 042/106] Update Makefile.am --- src/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/Makefile.am b/src/Makefile.am index b224d3f773..f77b9f3dc5 100644 --- a/src/Makefile.am +++ b/src/Makefile.am 
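Review bot: `cmake -S . -B build` configures the vendored Mbed TLS without `-DCMAKE_BUILD_TYPE`, and the later `cmake --build build --config Release` only applies to multi-config generators, so with a single-config generator such as Unix Makefiles (CMake's default on Linux and macOS) the crypto library is compiled with no build type at all. Pass the type at configure time, `cmake -S . -B build -DCMAKE_BUILD_TYPE=Release -DENABLE_PROGRAMS=ON -DENABLE_TESTING=ON`, and drop the now-redundant `mkdir -p build`. Building the sample programs and running the whole `ctest` suite on every `build.sh` run also makes a plain checkout considerably slower; if the goal is only `libmbedcrypto.a`, `ENABLE_PROGRAMS=OFF`/`ENABLE_TESTING=OFF` is the cheaper default and the tests belong in a dedicated CI step. The new comments and messages are German (`# bei Fehler abbrechen`, `WARNUNG: ...`) while the rest of the script is English.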
@@ -13,6 +13,8 @@ libmodsecurity_ladir = $(prefix)/include libmodsecurity_includesub_collectiondir = $(pkgincludedir)/collection/ libmodsecurity_includesub_actionsdir = $(pkgincludedir)/actions/ +MBEDTLS_CRYPTO_LIB = ../others/mbedtls/build/library/libmbedcrypto.a + # pregenerated parser + parser sources EXTRA_DIST = \ From fe8a464b284b61398c30897593d04c05bd7a6283 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 21:18:09 +0100 Subject: [PATCH 043/106] Add cmake to CI dependencies Added cmake to the list of dependencies in the CI workflow. --- .github/workflows/ci.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2d9d5d66ff..90808a0de4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,7 +44,7 @@ jobs: libmaxminddb-dev:${{ matrix.platform.arch }} \ libpcre2-dev:${{ matrix.platform.arch }} \ pcre2-utils:${{ matrix.platform.arch }} \ - bison flex + bison flex cmake - name: Setup Dependencies (x32) if: ${{ matrix.platform.label == 'x32' }} run: | @@ -124,7 +124,8 @@ jobs: pcre \ bison \ flex \ - mbedtls + mbedtls\ + cmake - uses: actions/checkout@v6 with: submodules: true From 0db7cddc1894dde33147614352a570a712f3160e Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 21:36:13 +0100 Subject: [PATCH 044/106] Update ci.yml --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 90808a0de4..c8b0040426 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -81,7 +81,6 @@ jobs: env: CC: ${{ matrix.compiler.cc }} CXX: ${{ matrix.compiler.cxx }} - LDFLAGS: "-lmbedcrypto" run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes - uses: ammaraskar/gcc-problem-matcher@master 
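Review bot: `MBEDTLS_CRYPTO_LIB = ../others/mbedtls/build/library/libmbedcrypto.a` uses a path relative to src/, whereas the same variable in the later Makefile.am changes of this series (tools/rules-check, examples/*) is spelled `$(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a`. Both forms only work for in-tree builds, because build.sh (PATCH 041) creates `others/mbedtls/build` inside the source tree, so the root that matches the artifact is `$(top_srcdir)`; use one spelling everywhere. Nothing in this hunk references the variable — if `libmodsecurity_la_LIBADD` is meant to consume it (PATCH 039 just removed `-lmbedcrypto` from that list), that line is still missing.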
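Review bot: In the macOS `brew install` list the new line `mbedtls\` has no space before the backslash; the shell's backslash-newline continuation removes both characters, so unless the following line carries leading whitespace of its own the two entries are joined into the single package name `mbedtlscmake` and the install fails. Write it as `mbedtls \` like the surrounding entries. The enclosing `run:` block starts before this hunk.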
From 267507af0e92ccfc537322449ca6a489b6b18973 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 21:52:18 +0100 Subject: [PATCH 045/106] Update Makefile.am --- tools/rules-check/Makefile.am | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/rules-check/Makefile.am b/tools/rules-check/Makefile.am index 8080411716..0dc4002910 100644 --- a/tools/rules-check/Makefile.am +++ b/tools/rules-check/Makefile.am @@ -5,6 +5,8 @@ bin_PROGRAMS = modsec-rules-check modsec_rules_check_SOURCES = \ rules-check.cc +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a + modsec_rules_check_LDADD = \ $(top_builddir)/src/.libs/libmodsecurity.la \ $(CURL_LDADD) \ @@ -17,7 +19,8 @@ modsec_rules_check_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) modsec_rules_check_LDFLAGS = \ $(GEOIP_LDFLAGS) \ From 71baa33e7b0f6b111d787d0c16239905e58fd714 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 22:05:38 +0100 Subject: [PATCH 046/106] Update Makefile.am --- examples/multithread/Makefile.am | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/examples/multithread/Makefile.am b/examples/multithread/Makefile.am index 0871efa1e1..33e3e20029 100644 --- a/examples/multithread/Makefile.am +++ b/examples/multithread/Makefile.am @@ -5,6 +5,8 @@ noinst_PROGRAMS = multithread multithread_SOURCES = \ multithread.cc +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a + multithread_LDADD = \ $(CURL_LDADD) \ $(GEOIP_LDADD) \ @@ -16,7 +18,8 @@ multithread_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB multithread_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From c91936c57fe96bde0d036f129c19022931cfc763 Mon Sep 17 00:00:00 2001 
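Review bot: The same `MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a` definition is pasted into tools/rules-check and each examples/*/Makefile.am (this hunk and L35–L37), and every consumer of libmodsecurity now has to link the archive itself, which leaks the library's private crypto dependency into application link lines and breaks any consumer built outside this tree. Define it once (an AC_SUBST in configure.ac, or better add the archive to `libmodsecurity_la_LIBADD` so libmodsecurity.la carries its own dependency) and drop the per-directory copies. In the multithread hunk the reference `$(MBEDTLS_CRYPTO_LIB` is missing its closing parenthesis; PATCH 054 later in this series corrects it, but the two commits would be better squashed.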
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 22:06:31 +0100 Subject: [PATCH 047/106] Update Makefile.am --- examples/multiprocess_c/Makefile.am | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/multiprocess_c/Makefile.am b/examples/multiprocess_c/Makefile.am index 726d1d9057..59f675b601 100644 --- a/examples/multiprocess_c/Makefile.am +++ b/examples/multiprocess_c/Makefile.am @@ -1,4 +1,4 @@ - +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a noinst_PROGRAMS = multi @@ -9,7 +9,8 @@ multi_LDADD = \ $(SSDEEP_LDADD) \ $(LUA_LDADD) \ $(MAXMIND_LDADD) \ - $(GLOBAL_LDADD) + $(GLOBAL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) multi_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From d7a202736ee3e9a0c2f55aeceb10ae8f37bad40a Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 22:07:36 +0100 Subject: [PATCH 048/106] Update Makefile.am --- examples/reading_logs_via_rule_message/Makefile.am | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/reading_logs_via_rule_message/Makefile.am b/examples/reading_logs_via_rule_message/Makefile.am index 5a6ba74b2a..4db723bf14 100644 --- a/examples/reading_logs_via_rule_message/Makefile.am +++ b/examples/reading_logs_via_rule_message/Makefile.am @@ -1,4 +1,4 @@ - +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a noinst_PROGRAMS = simple_request @@ -16,7 +16,8 @@ simple_request_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) simple_request_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From 054408a90803f1738ebf942eef84785fbad88af0 Mon Sep 17 00:00:00 2001 
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 22:08:47 +0100 Subject: [PATCH 049/106] Update Makefile.am --- examples/reading_logs_with_offset/Makefile.am | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/reading_logs_with_offset/Makefile.am b/examples/reading_logs_with_offset/Makefile.am index a98ed48d0e..e28d4219fe 100644 --- a/examples/reading_logs_with_offset/Makefile.am +++ b/examples/reading_logs_with_offset/Makefile.am @@ -1,4 +1,4 @@ - +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a noinst_PROGRAMS = read @@ -16,7 +16,8 @@ read_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) read_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From 711eae7918a7132174294421632924b38e6be864 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 22:09:37 +0100 Subject: [PATCH 050/106] Update Makefile.am --- examples/using_bodies_in_chunks/Makefile.am | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/using_bodies_in_chunks/Makefile.am b/examples/using_bodies_in_chunks/Makefile.am index 9eb438f368..1024ccb588 100644 --- a/examples/using_bodies_in_chunks/Makefile.am +++ b/examples/using_bodies_in_chunks/Makefile.am @@ -1,4 +1,4 @@ - +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a noinst_PROGRAMS = simple_request @@ -16,7 +16,8 @@ simple_request_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) simple_request_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From 18051fe17c643cf57a75a5de17adc070342c636e Mon Sep 17 00:00:00 2001 
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 22:11:06 +0100 Subject: [PATCH 051/106] Update Makefile.am --- examples/simple_example_using_c/Makefile.am | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/simple_example_using_c/Makefile.am b/examples/simple_example_using_c/Makefile.am index b03ab96d48..cbb1145a26 100644 --- a/examples/simple_example_using_c/Makefile.am +++ b/examples/simple_example_using_c/Makefile.am @@ -1,4 +1,4 @@ - +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a noinst_PROGRAMS = test @@ -8,7 +8,8 @@ test_SOURCES = \ test_LDADD = \ $(GLOBAL_LDADD) \ $(LUA_LDADD) \ - $(SSDEEP_LDADD) + $(SSDEEP_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) test_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From bba944a126a6d5436a2d1f696025bf9b8ee73252 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 17:43:33 +0100 Subject: [PATCH 052/106] Update ci.yml --- .github/workflows/ci.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c8b0040426..2ea1911dbd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -81,7 +81,7 @@ jobs: env: CC: ${{ matrix.compiler.cc }} CXX: ${{ matrix.compiler.cxx }} - run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes + run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - uses: ammaraskar/gcc-problem-matcher@master - name: make 
@@ -96,15 +96,15 @@ jobs: matrix: os: [macos-14] configure: - - {label: "with parser generation", opt: "--enable-parser-generation" } - - {label: "wo curl", opt: "--without-curl" } - - {label: "wo lua", opt: "--without-lua" } - - {label: "wo maxmind", opt: "--without-maxmind" } - - {label: "wo libxml", opt: "--without-libxml" } + - {label: "with parser generation", opt: "--enable-parser-generation --without-geoip" } + - {label: "wo curl", opt: "--without-curl --without-geoip" } + - {label: "wo lua", opt: "--without-lua --without-geoip" } + - {label: "wo maxmind", opt: "--without-maxmind --without-geoip" } + - {label: "wo libxml", opt: "--without-libxml --without-geoip" } - {label: "wo geoip", opt: "--without-geoip" } - - {label: "wo ssdeep", opt: "--without-ssdeep" } - - {label: "with lmdb", opt: "--with-lmdb" } - - {label: "with pcre", opt: "--with-pcre" } + - {label: "wo ssdeep", opt: "--without-ssdeep --without-geoip" } + - {label: "with lmdb", opt: "--with-lmdb --without-geoip" } + - {label: "with pcre", opt: "--with-pcre --without-geoip" } steps: - name: Setup Homebrew run: | @@ -157,7 +157,7 @@ jobs: find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - name: configure - run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes + run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - uses: ammaraskar/gcc-problem-matcher@master - name: make @@ -233,7 +233,7 @@ jobs: find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - name: configure - run: ./configure + run: ./configure --disable-dependency-tracking - name: cppcheck run: make check-static @@ -272,7 +272,7 @@ jobs: find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - name: configure - run: ./configure + run: ./configure --disable-dependency-tracking - name: cppcheck run: make check-static From 8471748dbc265d2f74ec6c636372a1364c30559b Mon Sep 17 00:00:00 2001 
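Review bot: After the `@@ -96` hunk every macOS matrix entry carries `--without-geoip`, so the `- {label: "wo geoip", opt: "--without-geoip" }` entry no longer exercises anything the other eight do not, and the labels (`wo curl`, `with lmdb`, …) no longer describe the full option set. Either drop that entry, or keep the matrix as it was and add the flag once in the configure step: `run: ./configure ${{ matrix.configure.opt }} --without-geoip --enable-assertions=yes --disable-dependency-tracking`. A short comment on why GeoIP is unavailable on the macOS runners would save the next person from re-adding it.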
From: Easton97-Jens Date: Mon, 8 Dec 2025 17:47:45 +0100 Subject: [PATCH 053/106] Update ci.yml --- .github/workflows/ci.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2ea1911dbd..e6b7874ecb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -133,16 +133,6 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force - - name: Build GeoIP - run: | - git clone --depth 1 --no-checkout https://github.com/maxmind/geoip-api-c.git - cd geoip-api-c - git fetch --tags - # Check out the last release, v1.6.12 - git checkout 4b526e7331ca1d692b74a0509ddcc725622ed31a - autoreconf --install - ./configure --disable-dependency-tracking --disable-silent-rules --prefix=/opt/homebrew - make install - name: build.sh run: ./build.sh From 5dc7b1ba3d163eb3372f57c23372741ae83545c0 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 18:04:46 +0100 Subject: [PATCH 054/106] Update Makefile.am --- examples/multithread/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/multithread/Makefile.am b/examples/multithread/Makefile.am index 33e3e20029..795b15047b 100644 --- a/examples/multithread/Makefile.am +++ b/examples/multithread/Makefile.am @@ -19,7 +19,7 @@ multithread_LDADD = \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ $(YAJL_LDADD) \ - $(MBEDTLS_CRYPTO_LIB + $(MBEDTLS_CRYPTO_LIB) multithread_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From 44261aabf6317aea9ccb611156d52538abcdb23f Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 18:20:34 +0100 Subject: [PATCH 055/106] a --- .github/workflows/ci.yml | 36 +++++++++++++++++++++++++----------- test/benchmark/Makefile.am | 5 +++-- 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e6b7874ecb..f3d636880b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -110,29 +110,41 @@ jobs: run: | echo "PATH=/opt/homebrew/bin:$PATH" >> $GITHUB_ENV echo "PKG_CONFIG_PATH=/opt/homebrew/lib/pkgconfig:/opt/homebrew/opt/openssl/lib/pkgconfig:/opt/homebrew/opt/pcre/lib/pkgconfig:/opt/homebrew/opt/pcre2/lib/pkgconfig:/opt/homebrew/opt/libxml2/lib/pkgconfig:/opt/homebrew/opt/curl/lib/pkgconfig:/opt/homebrew/opt/icu4c/lib/pkgconfig:/opt/homebrew/opt/openssl@3/lib/pkgconfig" >> $GITHUB_ENV + - name: Install Dependencies run: | brew update brew install \ - yajl \ - lmdb \ - lua \ - libmaxminddb \ - pcre2 \ - ssdeep \ - pcre \ - bison \ - flex \ - mbedtls\ - cmake + yajl \ + lmdb \ + lua \ + libmaxminddb \ + pcre2 \ + ssdeep \ + pcre \ + bison \ + flex \ + mbedtls \ + cmake + + # 🔧 NEU: Python-Dependency für mbedtls-Skripte + - name: Install Python dependencies (jinja2) + run: | + python3 -m pip install --upgrade pip + python3 -m pip install jinja2 + # falls das Skript "python" statt "python3" nutzt: + python -m pip install jinja2 || true + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 + - name: Init git submodules run: | git submodule sync --recursive git submodule update --init --recursive --force + - name: build.sh run: ./build.sh @@ -150,8 +162,10 @@ jobs: run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - uses: ammaraskar/gcc-problem-matcher@master + - name: make run: make -j `sysctl -n hw.logicalcpu` + - name: check run: make check diff --git a/test/benchmark/Makefile.am b/test/benchmark/Makefile.am index 2ac9d92111..d2bcb57f44 100644 --- a/test/benchmark/Makefile.am +++ b/test/benchmark/Makefile.am @@ -1,4 +1,4 @@ - +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a noinst_PROGRAMS = benchmark @@ -16,7 +16,8 @@ benchmark_LDADD = \ $(SSDEEP_LDADD) \ $(LUA_LDADD) \ $(LIBXML2_LDADD) \ - $(GLOBAL_LDADD) + $(GLOBAL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) benchmark_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ 
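Review bot: In the new `Install Python dependencies (jinja2)` step, `python -m pip install jinja2 || true` swallows any failure, and both installs pull an unpinned package from PyPI, so the step can pass with jinja2 unusable and the build's inputs change whenever PyPI does. Pin the version (constructed example: `python3 -m pip install 'jinja2==<pinned version>'`) and drop the `|| true`; if the mbedtls generator scripts really invoke `python`, install once under the interpreter they actually use instead of twice. The same unpinned install is carried into the next two commits (`--user` and then the venv variant). The `@@ -110` hunk also re-indents the whole `brew install` list and adds blank lines, which hides the one functional change (`mbedtls \` with a space before the backslash) in the diff.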
From ab564fa83af32ca68997bc57936d502c0e4c166a Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 18:32:53 +0100 Subject: [PATCH 056/106] update --- .github/workflows/ci.yml | 14 ++++++++++---- test/Makefile.am | 10 +++++++--- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f3d636880b..6ee42da0d0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -130,10 +130,16 @@ jobs: # 🔧 NEU: Python-Dependency für mbedtls-Skripte - name: Install Python dependencies (jinja2) run: | - python3 -m pip install --upgrade pip - python3 -m pip install jinja2 - # falls das Skript "python" statt "python3" nutzt: - python -m pip install jinja2 || true + # Nur im User-Space installieren, das ist mit PEP 668 erlaubt + python3 -m pip install --user jinja2 + + # Debug-Ausgabe, um sicher zu sein, dass es klappt + python3 - << 'EOF' + import jinja2, sys + print("Python:", sys.executable) + print("jinja2:", jinja2.__version__, "from", jinja2.__file__) + EOF + - uses: actions/checkout@v6 with: diff --git a/test/Makefile.am b/test/Makefile.am index 2e7e05d614..467386a3de 100644 --- a/test/Makefile.am +++ b/test/Makefile.am @@ -41,6 +41,7 @@ noinst_HEADERS = \ unit/*.h \ regression/*.h +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a unit_tests_LDADD = \ $(CURL_LDADD) \ @@ -53,7 +54,8 @@ unit_tests_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) unit_tests_LDFLAGS = \ @@ -108,7 +110,8 @@ regression_tests_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) regression_tests_LDFLAGS = \ @@ -162,7 +165,8 @@ rules_optimization_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) rules_optimization_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ 
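Review bot: The comment `# Nur im User-Space installieren, das ist mit PEP 668 erlaubt` is, as far as I know, not what PEP 668 says: an interpreter that ships the `EXTERNALLY-MANAGED` marker, as Homebrew's Python does, makes pip refuse `--user` installs too, so `python3 -m pip install --user jinja2` is likely to fail the same way the previous variant did. A virtual environment is the supported route; if this step stays, pin the version and write the comment in English like the rest of the workflow. The heredoc debug print is fine for diagnosing the runner but should not outlive the investigation.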
From 6de1f14b46e11ba3091cabd373aa740a31f5144f Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 18:56:45 +0100 Subject: [PATCH 057/106] update --- .github/workflows/ci.yml | 56 ++++---- backup/ci.yml | 289 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 318 insertions(+), 27 deletions(-) create mode 100644 backup/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6ee42da0d0..de73a1dd60 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,10 +10,9 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - os: [ubuntu-22.04] + os: [ubuntu-24.04] platform: - - {label: "x64", arch: "amd64", configure: ""} - - {label: "x32", arch: "i386", configure: "PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32"} + - {label: "x64", arch: "amd64", configure: ""} # nur noch x64 compiler: - {label: "gcc", cc: "gcc", cxx: "g++"} - {label: "clang", cc: "clang", cxx: "clang++"} 
@@ -27,43 +26,42 @@ jobs: - {label: "wo ssdeep", opt: "--without-ssdeep" } - {label: "with lmdb", opt: "--with-lmdb" } - {label: "with pcre", opt: "--with-pcre" } - exclude: - - platform: {label: "x32"} - configure: {label: "wo geoip"} - - platform: {label: "x32"} - configure: {label: "wo ssdeep"} + # keine excludes mehr nötig – es gibt kein x32 + steps: - name: Setup Dependencies (common) + # kein dpkg --add-architecture mehr, nur native amd64-Pakete run: | - sudo dpkg --add-architecture ${{ matrix.platform.arch }} sudo apt-get update -y -qq - sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ - libcurl4-openssl-dev:${{ matrix.platform.arch }} \ - liblmdb-dev:${{ matrix.platform.arch }} \ - liblua5.3-dev:${{ matrix.platform.arch }} \ - libmaxminddb-dev:${{ matrix.platform.arch }} \ - libpcre2-dev:${{ matrix.platform.arch }} \ - pcre2-utils:${{ matrix.platform.arch }} \ - bison flex cmake - - name: Setup Dependencies (x32) - if: ${{ matrix.platform.label == 'x32' }} - run: | - sudo apt-get install g++-multilib - sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ - libpcre3-dev:${{ matrix.platform.arch }} + sudo apt-get install -y \ + libyajl-dev \ + libcurl4-openssl-dev \ + liblmdb-dev \ + liblua5.3-dev \ + libmaxminddb-dev \ + libpcre2-dev \ + pcre2-utils \ + bison flex cmake + + # x32-Setup fällt komplett weg + - name: Setup Dependencies (x64) if: ${{ matrix.platform.label == 'x64' }} run: | - sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ - libfuzzy-dev:${{ matrix.platform.arch }} + sudo apt-get install -y \ + libgeoip-dev \ + libfuzzy-dev + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 + - name: Init git submodules run: | git submodule sync --recursive git submodule update --init --recursive --force + - name: build.sh run: ./build.sh 
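Review bot: With the `x32` entry removed from `platform`, the condition `if: ${{ matrix.platform.label == 'x64' }}` on `Setup Dependencies (x64)` is always true and the step is dead weight next to the common one; either append `libgeoip-dev libfuzzy-dev` to the common `apt-get install` and delete the step, or drop the `if:` together with the now single-valued `platform` dimension. The comments `# keine excludes mehr nötig – es gibt kein x32` and `# x32-Setup fällt komplett weg` describe this diff rather than the resulting workflow and will confuse readers once the matrix no longer mentions x32 at all. Removing the i386 leg also removes the project's only 32-bit build; if that is deliberate, the commit message should say so.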
@@ -81,14 +79,17 @@ jobs: env: CC: ${{ matrix.compiler.cc }} CXX: ${{ matrix.compiler.cxx }} - run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking + run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - uses: ammaraskar/gcc-problem-matcher@master + - name: make run: make -j `nproc` + - name: check run: make check + build-macos: name: macOS (${{ matrix.configure.label }}) runs-on: ${{ matrix.os }} @@ -125,7 +126,8 @@ jobs: bison \ flex \ mbedtls \ - cmake + cmake \ + pipx # 🔧 NEU: Python-Dependency für mbedtls-Skripte - name: Install Python dependencies (jinja2) diff --git a/backup/ci.yml b/backup/ci.yml new file mode 100644 index 0000000000..b99ceb047c --- /dev/null +++ b/backup/ci.yml 
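Review bot: `pipx` is added to the Homebrew list in the `@@ -125` hunk, but nothing in the workflow invokes it — the following step still runs `python3 -m pip install --user jinja2` — so the extra formula only lengthens the install; drop the `+ pipx` line (keeping `cmake` as the last entry without a trailing backslash) or switch the next step to use it. Note that pipx is for installing applications, not libraries, so it would not help with jinja2 anyway.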
@@ -0,0 +1,289 @@ +name: Quality Assurance + +on: + push: + pull_request: + +jobs: + build-linux: + name: Linux (${{ matrix.platform.label }}, ${{ matrix.compiler.label }}, ${{ matrix.configure.label }}) + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [ubuntu-22.04] + platform: + - {label: "x64", arch: "amd64", configure: ""} + - {label: "x32", arch: "i386", configure: "PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32"} + compiler: + - {label: "gcc", cc: "gcc", cxx: "g++"} + - {label: "clang", cc: "clang", cxx: "clang++"} + configure: + - {label: "with parser generation", opt: "--enable-parser-generation" } + - {label: "wo curl", opt: "--without-curl" } + - {label: "wo lua", opt: "--without-lua" } + - {label: "wo maxmind", opt: "--without-maxmind" } + - {label: "wo libxml", opt: "--without-libxml" } + - {label: "wo geoip", opt: "--without-geoip" } + - {label: "wo ssdeep", opt: "--without-ssdeep" } + - {label: "with lmdb", opt: "--with-lmdb" } + - {label: "with pcre", opt: "--with-pcre" } + exclude: + - platform: {label: "x32"} + configure: {label: "wo geoip"} + - platform: {label: "x32"} + configure: {label: "wo ssdeep"} + steps: + - name: Setup Dependencies (common) + run: | + sudo dpkg --add-architecture ${{ matrix.platform.arch }} + sudo apt-get update -y -qq + sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ + libcurl4-openssl-dev:${{ matrix.platform.arch }} \ + liblmdb-dev:${{ matrix.platform.arch }} \ + liblua5.3-dev:${{ matrix.platform.arch }} \ + libmaxminddb-dev:${{ matrix.platform.arch }} \ + libpcre2-dev:${{ matrix.platform.arch }} \ + pcre2-utils:${{ matrix.platform.arch }} \ + bison flex cmake + - name: Setup Dependencies (x32) + if: ${{ matrix.platform.label == 'x32' }} + run: | + sudo apt-get install g++-multilib + sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ + libpcre3-dev:${{ matrix.platform.arch }} + - name: Setup Dependencies (x64) + if: ${{ 
matrix.platform.label == 'x64' }} + run: | + sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ + libfuzzy-dev:${{ matrix.platform.arch }} + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: build.sh + run: ./build.sh + + - name: Debug mbedtls layout + run: | + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + + - name: configure + env: + CC: ${{ matrix.compiler.cc }} + CXX: ${{ matrix.compiler.cxx }} + run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking + + - uses: ammaraskar/gcc-problem-matcher@master + - name: make + run: make -j `nproc` + - name: check + run: make check + + build-macos: + name: macOS (${{ matrix.configure.label }}) + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [macos-14] + configure: + - {label: "with parser generation", opt: "--enable-parser-generation --without-geoip" } + - {label: "wo curl", opt: "--without-curl --without-geoip" } + - {label: "wo lua", opt: "--without-lua --without-geoip" } + - {label: "wo maxmind", opt: "--without-maxmind --without-geoip" } + - {label: "wo libxml", opt: "--without-libxml --without-geoip" } + - {label: "wo geoip", opt: "--without-geoip" } + - {label: "wo ssdeep", opt: "--without-ssdeep --without-geoip" } + - {label: "with lmdb", opt: "--with-lmdb --without-geoip" } + - {label: "with pcre", opt: "--with-pcre --without-geoip" } + steps: + - name: Setup Homebrew + run: | + echo "PATH=/opt/homebrew/bin:$PATH" >> $GITHUB_ENV + echo 
"PKG_CONFIG_PATH=/opt/homebrew/lib/pkgconfig:/opt/homebrew/opt/openssl/lib/pkgconfig:/opt/homebrew/opt/pcre/lib/pkgconfig:/opt/homebrew/opt/pcre2/lib/pkgconfig:/opt/homebrew/opt/libxml2/lib/pkgconfig:/opt/homebrew/opt/curl/lib/pkgconfig:/opt/homebrew/opt/icu4c/lib/pkgconfig:/opt/homebrew/opt/openssl@3/lib/pkgconfig" >> $GITHUB_ENV + + - name: Install Dependencies + run: | + brew update + brew install \ + yajl \ + lmdb \ + lua \ + libmaxminddb \ + pcre2 \ + ssdeep \ + pcre \ + bison \ + flex \ + mbedtls \ + cmake \ + pipx + + # 🔧 NEU: Python-Dependency für mbedtls-Skripte + - name: Install Python dependencies (jinja2) + run: | + # Nur im User-Space installieren, das ist mit PEP 668 erlaubt + python3 -m pip install --user jinja2 + + # Debug-Ausgabe, um sicher zu sein, dass es klappt + python3 - << 'EOF' + import jinja2, sys + print("Python:", sys.executable) + print("jinja2:", jinja2.__version__, "from", jinja2.__file__) + EOF + + + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + + - name: build.sh + run: ./build.sh + + - name: Debug mbedtls layout + run: | + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + + - name: configure + run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking + + - uses: ammaraskar/gcc-problem-matcher@master + + - name: make + run: make -j `sysctl -n hw.logicalcpu` + + - name: check + run: make check + + build-windows: + name: Windows (${{ matrix.configure.label }}) + runs-on: windows-latest + strategy: + matrix: + configure: + - {label: "default", opt: "" } + - {label: "wo curl", opt: "-DWITH_CURL=OFF" } + - {label: 
"wo lua", opt: "-DWITH_LUA=OFF" } + - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" } + - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } + - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } + steps: + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: Install Conan + run: | + pip3 install conan + - name: Configure Conan + run: | + conan profile detect + - name: Configure CMake + run: | + cmake -S . -B build ${{ matrix.configure.opt }} + - name: Build + run: | + cmake --build build --config Release + + cppcheck-linux: + name: cppcheck (Linux) + runs-on: ubuntu-22.04 + steps: + - name: Setup Dependencies + run: | + sudo apt-get update -y -qq + sudo apt-get install -y \ + cppcheck \ + autoconf \ + automake \ + libtool + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: build.sh + run: ./build.sh + + - name: Debug mbedtls layout + run: | + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + + - name: configure + run: ./configure --disable-dependency-tracking + + - name: cppcheck + run: make check-static + + cppcheck-macos: + name: cppcheck (macOS) + runs-on: macos-14 + steps: + - name: Setup Dependencies + # curl, pcre2 not installed because they're from Apple + run: | + brew update + brew install autoconf \ + automake \ + libtool \ + cppcheck + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive 
--force + - name: build.sh + run: ./build.sh + + - name: Debug mbedtls layout + run: | + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + + - name: configure + run: ./configure --disable-dependency-tracking + + - name: cppcheck + run: make check-static From 1c40ec0d6f3f49171984f36d5afd3d22ffdfa2e5 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 19:08:56 +0100 Subject: [PATCH 058/106] Update ci.yml --- .github/workflows/ci.yml | 49 +++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 26 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index de73a1dd60..7d67d852e1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
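Review bot: `backup/ci.yml` is a verbatim copy of the workflow as it stood before this commit, committed next to the live one; git history already preserves that state, the copy will drift silently from `.github/workflows/ci.yml`, and because it lives outside `.github/workflows/` Actions never runs it, so it provides no fallback. Drop it from the commit (the parent commit hash or a tag serves the same purpose). While the full file is in front of the reviewer: `- uses: ammaraskar/gcc-problem-matcher@master` references a third-party action by a mutable branch, which means whatever that branch points to tomorrow runs inside the build; pinning it to a full commit SHA in the live workflow (`ammaraskar/gcc-problem-matcher@<commit sha>`) removes that dependency on the upstream owner's future changes.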
@@ -30,27 +30,25 @@ jobs: steps: - name: Setup Dependencies (common) - # kein dpkg --add-architecture mehr, nur native amd64-Pakete run: | + sudo dpkg --add-architecture ${{ matrix.platform.arch }} sudo apt-get update -y -qq - sudo apt-get install -y \ - libyajl-dev \ - libcurl4-openssl-dev \ - liblmdb-dev \ - liblua5.3-dev \ - libmaxminddb-dev \ - libpcre2-dev \ - pcre2-utils \ - bison flex cmake - + sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ + libcurl4-openssl-dev:${{ matrix.platform.arch }} \ + liblmdb-dev:${{ matrix.platform.arch }} \ + liblua5.3-dev:${{ matrix.platform.arch }} \ + libmaxminddb-dev:${{ matrix.platform.arch }} \ + libpcre2-dev:${{ matrix.platform.arch }} \ + pcre2-utils:${{ matrix.platform.arch }} \ + libpcre3-dev:${{ matrix.platform.arch }} \ + bison flex cmake # x32-Setup fällt komplett weg - name: Setup Dependencies (x64) if: ${{ matrix.platform.label == 'x64' }} run: | - sudo apt-get install -y \ - libgeoip-dev \ - libfuzzy-dev + sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ + libfuzzy-dev:${{ matrix.platform.arch }} - uses: actions/checkout@v6 with: @@ -89,7 +87,6 @@ jobs: - name: check run: make check - build-macos: name: macOS (${{ matrix.configure.label }}) runs-on: ${{ matrix.os }} @@ -106,6 +103,7 @@ jobs: - {label: "wo ssdeep", opt: "--without-ssdeep --without-geoip" } - {label: "with lmdb", opt: "--with-lmdb --without-geoip" } - {label: "with pcre", opt: "--with-pcre --without-geoip" } + steps: - name: Setup Homebrew run: | 
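Review bot: The `@@ -30` hunk reintroduces `sudo dpkg --add-architecture ${{ matrix.platform.arch }}` and the `:${{ matrix.platform.arch }}` suffix on every package while the `platform` matrix now contains only `amd64`, so the add-architecture call is a no-op and the suffixes are noise; the retained comment `# x32-Setup fällt komplett weg` now sits directly above the multi-arch machinery it says was removed. If a second architecture is meant to return, the commit message should say so; otherwise the previous commit's plain list was the right shape and only `libpcre3-dev \` needed appending. The `@@ -89` and `@@ -106` hunks only move blank lines around and could be left out of a functional change.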
@@ -126,23 +124,21 @@ jobs: bison \ flex \ mbedtls \ - cmake \ - pipx + cmake - # 🔧 NEU: Python-Dependency für mbedtls-Skripte - - name: Install Python dependencies (jinja2) + - name: Setup Python venv with jinja2 run: | - # Nur im User-Space installieren, das ist mit PEP 668 erlaubt - python3 -m pip install --user jinja2 - - # Debug-Ausgabe, um sicher zu sein, dass es klappt - python3 - << 'EOF' - import jinja2, sys + python3 -m venv .venv + . .venv/bin/activate + pip install jinja2 + echo "VIRTUAL_ENV=$PWD/.venv" >> $GITHUB_ENV + echo "PATH=$PWD/.venv/bin:$PATH" >> $GITHUB_ENV + python - << 'EOF' + import sys, jinja2 print("Python:", sys.executable) print("jinja2:", jinja2.__version__, "from", jinja2.__file__) EOF - - uses: actions/checkout@v6 with: submodules: true @@ -177,6 +173,7 @@ jobs: - name: check run: make check + build-windows: name: Windows (${{ matrix.configure.label }}) runs-on: windows-latest From ea0658f9f293ced609a3eb13f874611de86a1706 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 19:44:03 +0100 Subject: [PATCH 059/106] update make und ci --- .github/workflows/ci.yml | 6 ++-- configure.ac | 28 +++++++++++++++++++ examples/multiprocess_c/Makefile.am | 2 +- examples/multithread/Makefile.am | 2 +- .../reading_logs_via_rule_message/Makefile.am | 2 +- examples/reading_logs_with_offset/Makefile.am | 2 +- examples/simple_example_using_c/Makefile.am | 2 +- examples/using_bodies_in_chunks/Makefile.am | 2 +- test/Makefile.am | 2 +- test/benchmark/Makefile.am | 2 +- tools/rules-check/Makefile.am | 2 +- 11 files changed, 41 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7d67d852e1..480ed2f7e5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
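Review bot: `Setup Python venv with jinja2` creates `.venv` inside the workspace but runs before `- uses: actions/checkout@v6`, and checkout clears the workspace before fetching (it cleans untracked content with its default `clean: true`, and empties the directory when it is not yet a repository), so the venv and the `PATH` entry pointing at it are most likely gone by the time the mbedtls scripts need jinja2. Move the step after the checkout, or create the venv outside the workspace: `python3 -m venv "$RUNNER_TEMP/venv"` and `echo "$RUNNER_TEMP/venv/bin" >> $GITHUB_PATH`. `GITHUB_PATH` is also the intended mechanism for prepending to `PATH`, rather than rewriting the whole variable through `GITHUB_ENV`, and `pip install jinja2` is still unpinned.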
@@ -41,7 +41,8 @@ jobs: libpcre2-dev:${{ matrix.platform.arch }} \ pcre2-utils:${{ matrix.platform.arch }} \ libpcre3-dev:${{ matrix.platform.arch }} \ - bison flex cmake + bison flex cmake \ + libmbedtls-dev:${{ matrix.platform.arch }} # x32-Setup fällt komplett weg - name: Setup Dependencies (x64) @@ -124,7 +125,8 @@ jobs: bison \ flex \ mbedtls \ - cmake + cmake \ + mbedtls - name: Setup Python venv with jinja2 run: | diff --git a/configure.ac b/configure.ac index 7763786e0a..723a8608a8 100644 --- a/configure.ac +++ b/configure.ac @@ -77,6 +77,34 @@ fi AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git describe && cd ../..)) AC_SUBST([LIBINJECTION_VERSION]) +# ============================================================ +# Check for Mbed TLS / mbedcrypto (PSA) +# ============================================================ + +AC_MSG_CHECKING([for mbedcrypto (PSA crypto library)]) + +MBEDTLS_CRYPTO_LIB="" + +# 1. Erst versuchen wir die System-Lib: -lmbedcrypto +AC_CHECK_LIB([mbedcrypto], [psa_crypto_init], + [MBEDTLS_CRYPTO_LIB="-lmbedcrypto" + AC_MSG_RESULT([using system libmbedcrypto (-lmbedcrypto)])], + [ + # 2. Fallback: vendored libmbedcrypto.a aus others/mbedtls + AC_MSG_RESULT([system libmbedcrypto not found, trying vendored mbedtls]) + + AC_CHECK_FILE([others/mbedtls/build/library/libmbedcrypto.a], + [MBEDTLS_CRYPTO_LIB='$(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a' + AC_MSG_RESULT([using vendored libmbedcrypto.a])], + [AC_MSG_ERROR([Could not find mbedcrypto: + - install libmbedtls-dev / Homebrew mbedtls (libmbedcrypto), + or + - build others/mbedtls before running configure])]) + ]) + +AC_SUBST([MBEDTLS_CRYPTO_LIB]) + + # Check for Mbed TLS if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c"; then AC_MSG_ERROR([\ diff --git a/examples/multiprocess_c/Makefile.am b/examples/multiprocess_c/Makefile.am index 59f675b601..59aa448545 100644 --- a/examples/multiprocess_c/Makefile.am 
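Review bot: The `@@ -125` hunk appends `mbedtls` to a Homebrew list that already contains `mbedtls \` three lines above, so the formula is now listed twice; drop the added `+ mbedtls` line and leave `cmake` as the last entry without a trailing backslash. The Linux counterpart `libmbedtls-dev:${{ matrix.platform.arch }}` in the `@@ -41` hunk is the right idea, but please check which Mbed TLS major version the runner's distribution ships against what the new configure check and the vendored headers expect — I cannot tell from the hunk.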
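Review bot: `AC_MSG_CHECKING([for mbedcrypto (PSA crypto library)])` is immediately followed by `AC_CHECK_LIB`, which prints its own `checking for psa_crypto_init in -lmbedcrypto...` line, so the outer message never receives its result on the same line and the configure log shows two interleaved checks; drop the outer `AC_MSG_CHECKING` and the two `AC_MSG_RESULT` calls inside the actions, or turn them into `AC_MSG_NOTICE`. `AC_CHECK_FILE` aborts with an error when cross-compiling, so the vendored fallback should be a plain `AS_IF([test -f "others/mbedtls/build/library/libmbedcrypto.a"], …)`; while touching it, decide whether the submodule build is expected under the source or the build tree, because the check runs relative to the build directory and the substituted value uses `$(top_builddir)`, which both miss an archive built inside the source tree's submodule in an out-of-tree build. The `base64.c` check kept below the hunk suggests the vendored headers are still compiled against, so when the system `-lmbedcrypto` is picked headers and library may come from different releases — worth confirming which include path wins before merging. The comments (`Erst versuchen wir die System-Lib`, `Fallback: … aus others/mbedtls`) should be in English like the rest of configure.ac.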
+++ b/examples/multiprocess_c/Makefile.am @@ -1,4 +1,4 @@ -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ noinst_PROGRAMS = multi diff --git a/examples/multithread/Makefile.am b/examples/multithread/Makefile.am index 795b15047b..1465749193 100644 --- a/examples/multithread/Makefile.am +++ b/examples/multithread/Makefile.am @@ -5,7 +5,7 @@ noinst_PROGRAMS = multithread multithread_SOURCES = \ multithread.cc -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ multithread_LDADD = \ $(CURL_LDADD) \ diff --git a/examples/reading_logs_via_rule_message/Makefile.am b/examples/reading_logs_via_rule_message/Makefile.am index 4db723bf14..7e1723e920 100644 --- a/examples/reading_logs_via_rule_message/Makefile.am +++ b/examples/reading_logs_via_rule_message/Makefile.am @@ -1,4 +1,4 @@ -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ noinst_PROGRAMS = simple_request diff --git a/examples/reading_logs_with_offset/Makefile.am b/examples/reading_logs_with_offset/Makefile.am index e28d4219fe..ba021a5203 100644 --- a/examples/reading_logs_with_offset/Makefile.am +++ b/examples/reading_logs_with_offset/Makefile.am @@ -1,4 +1,4 @@ -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ noinst_PROGRAMS = read diff --git a/examples/simple_example_using_c/Makefile.am b/examples/simple_example_using_c/Makefile.am index cbb1145a26..a1ddb38692 100644 --- a/examples/simple_example_using_c/Makefile.am +++ b/examples/simple_example_using_c/Makefile.am @@ -1,4 +1,4 @@ -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ noinst_PROGRAMS = test 
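Review bot: `MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@` is redundant once configure.ac does `AC_SUBST([MBEDTLS_CRYPTO_LIB])`: automake writes exactly that assignment into every generated Makefile.in for each substituted variable, so the `$(MBEDTLS_CRYPTO_LIB)` references in the `*_LDADD` lists work without a local definition and the line can be deleted in this hunk and in the multithread, reading_logs_via_rule_message, reading_logs_with_offset, simple_example_using_c, using_bodies_in_chunks, test, test/benchmark and tools/rules-check hunks that follow. Keeping it is harmless but leaves nine copies for someone to edit one of and wonder why the others did not change.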
diff --git a/examples/using_bodies_in_chunks/Makefile.am b/examples/using_bodies_in_chunks/Makefile.am index 1024ccb588..bb5376ebbf 100644 --- a/examples/using_bodies_in_chunks/Makefile.am +++ b/examples/using_bodies_in_chunks/Makefile.am @@ -1,4 +1,4 @@ -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ noinst_PROGRAMS = simple_request diff --git a/test/Makefile.am b/test/Makefile.am index 467386a3de..f670c754f6 100644 --- a/test/Makefile.am +++ b/test/Makefile.am @@ -41,7 +41,7 @@ noinst_HEADERS = \ unit/*.h \ regression/*.h -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ unit_tests_LDADD = \ $(CURL_LDADD) \ diff --git a/test/benchmark/Makefile.am b/test/benchmark/Makefile.am index d2bcb57f44..c89e42234e 100644 --- a/test/benchmark/Makefile.am +++ b/test/benchmark/Makefile.am @@ -1,4 +1,4 @@ -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ noinst_PROGRAMS = benchmark diff --git a/tools/rules-check/Makefile.am b/tools/rules-check/Makefile.am index 0dc4002910..95da5773d2 100644 --- a/tools/rules-check/Makefile.am +++ b/tools/rules-check/Makefile.am @@ -5,7 +5,7 @@ bin_PROGRAMS = modsec-rules-check modsec_rules_check_SOURCES = \ rules-check.cc -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ modsec_rules_check_LDADD = \ $(top_builddir)/src/.libs/libmodsecurity.la \ From 37a9885ab24d896a6e32632172d5c160fc5f9c13 Mon Sep 17 00:00:00 2001 
From: Easton97-Jens Date: Mon, 8 Dec 2025 20:02:10 +0100 Subject: [PATCH 060/106] update build.sh --- .github/workflows/ci.yml | 16 ++++++++-------- build.sh => build_on_linux.sh | 0 build_on_macos.sh | 33 +++++++++++++++++++++++++++++++++ 3 files changed, 41 insertions(+), 8 deletions(-) rename build.sh => build_on_linux.sh (100%) mode change 100755 => 100644 create mode 100644 build_on_macos.sh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 480ed2f7e5..0369a4a647 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -61,8 +61,8 @@ jobs: git submodule sync --recursive git submodule update --init --recursive --force - - name: build.sh - run: ./build.sh + - name: build_on_linux.sh + run: ./build_on_linux.sh - name: Debug mbedtls layout run: | @@ -151,8 +151,8 @@ jobs: git submodule sync --recursive git submodule update --init --recursive --force - - name: build.sh - run: ./build.sh + - name: build_on_macos.sh + run: ./build_on_macos.sh - name: Debug mbedtls layout run: | @@ -230,8 +230,8 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force - - name: build.sh - run: ./build.sh + - name: build_on_linux.sh + run: ./build_on_linux.sh - name: Debug mbedtls layout run: | @@ -269,8 +269,8 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force - - name: build.sh - run: ./build.sh + - name: build_on_macos.sh + run: ./build_on_macos.sh - name: Debug mbedtls layout run: | diff --git a/build.sh b/build_on_linux.sh old mode 100755 new mode 100644 similarity index 100% rename from build.sh rename to build_on_linux.sh diff --git a/build_on_macos.sh b/build_on_macos.sh new file mode 100644 index 0000000000..24ab1d90a9 --- /dev/null +++ b/build_on_macos.sh 
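Review bot: The rename of `build.sh` to `build_on_linux.sh` is recorded as `mode change 100755 => 100644`, and `build_on_macos.sh` is created as `100644`, so the `run: ./build_on_linux.sh` and `run: ./build_on_macos.sh` steps introduced in these four hunks will fail with a permission error on the runner; the next commit papers over this with `chmod +x` steps (`Build-Script ausführbar machen`) in four places. Restore the bit in the tree instead — `git update-index --chmod=+x build_on_linux.sh build_on_macos.sh` — and leave the workflow without the chmod steps. The rename is 100% similarity, so the Linux script is the old `build.sh` unchanged; if the macOS script differs only in small ways, one script would be easier to keep in sync, since `build_on_macos.sh` already selects `glibtoolize` versus `libtoolize` by `uname` itself.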
@@ -0,0 +1,33 @@ +#!/bin/sh + +rm -rf autom4te.cache +rm -f aclocal.m4 + +cd src +rm -f headers.mk +echo "noinst_HEADERS = \\" > headers.mk +ls -1 \ + actions/*.h \ + actions/ctl/*.h \ + actions/data/*.h \ + actions/disruptive/*.h \ + actions/transformations/*.h \ + debug_log/*.h \ + audit_log/writer/*.h \ + collection/backend/*.h \ + operators/*.h \ + parser/*.h \ + request_body_processor/*.h \ + utils/*.h \ + variables/*.h \ + engine/*.h \ + *.h | tr "\012" " " >> headers.mk +cd ../ + +case `uname` in Darwin*) glibtoolize --force --copy ;; + *) libtoolize --force --copy ;; esac +autoreconf --install +autoheader +automake --add-missing --foreign --copy --force-missing +autoconf --force +rm -rf autom4te.cache \ No newline at end of file From dccbb4e39f77dd9603f257b7bb57dbb8d96c2d87 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 20:08:15 +0100 Subject: [PATCH 061/106] Update ci.yml --- .github/workflows/ci.yml | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0369a4a647..58920c0faf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -61,6 +61,9 @@ jobs: git submodule sync --recursive git submodule update --init --recursive --force + - name: Build-Script ausführbar machen + run: chmod +x build_on_linux.sh + - name: build_on_linux.sh run: ./build_on_linux.sh @@ -128,19 +131,6 @@ jobs: cmake \ mbedtls - - name: Setup Python venv with jinja2 - run: | - python3 -m venv .venv - . .venv/bin/activate - pip install jinja2 - echo "VIRTUAL_ENV=$PWD/.venv" >> $GITHUB_ENV - echo "PATH=$PWD/.venv/bin:$PATH" >> $GITHUB_ENV - python - << 'EOF' - import sys, jinja2 - print("Python:", sys.executable) - print("jinja2:", jinja2.__version__, "from", jinja2.__file__) - EOF - - uses: actions/checkout@v6 with: submodules: true 
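Review bot: `build_on_macos.sh` has no `set -e`, so if `cd src` fails the script keeps going: it writes `headers.mk` into the repository root, then `cd ../` leaves the repository and `autoreconf`, `automake` and `autoconf` run in the parent directory. Add `set -eu` directly after `#!/bin/sh` (or at least `cd src || exit 1`), and end the file with a newline — the hunk closes with `\ No newline at end of file`. The file is also committed without the executable bit (`new file mode 100644`), which is what breaks the `./build_on_macos.sh` step in ci.yml.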
@@ -151,6 +141,8 @@ jobs: git submodule sync --recursive git submodule update --init --recursive --force + - name: Build-Script ausführbar machen + run: chmod +x build_on_macos.sh - name: build_on_macos.sh run: ./build_on_macos.sh @@ -212,7 +204,7 @@ jobs: cppcheck-linux: name: cppcheck (Linux) - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Setup Dependencies run: | @@ -230,6 +222,9 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force + - name: Build-Script ausführbar machen + run: chmod +x build_on_linux.sh + - name: build_on_linux.sh run: ./build_on_linux.sh @@ -269,6 +264,8 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force + - name: Build-Script ausführbar machen + run: chmod +x build_on_macos.sh - name: build_on_macos.sh run: ./build_on_macos.sh From 163c23d57fbb7101d2555ae37f33f17a612d66b4 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 20:21:33 +0100 Subject: [PATCH 062/106] Update ci.yml --- .github/workflows/ci.yml | 39 --------------------------------------- 1 file changed, 39 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58920c0faf..b297c46355 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -67,16 +67,6 @@ jobs: - name: build_on_linux.sh run: ./build_on_linux.sh - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - name: configure env: CC: ${{ matrix.compiler.cc }} 
@@ -146,16 +136,6 @@ jobs: - name: build_on_macos.sh run: ./build_on_macos.sh - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - name: configure run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking @@ -228,15 +208,6 @@ jobs: - name: build_on_linux.sh run: ./build_on_linux.sh - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - name: configure run: ./configure --disable-dependency-tracking @@ -269,16 +240,6 @@ jobs: - name: build_on_macos.sh run: ./build_on_macos.sh - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - name: configure run: ./configure --disable-dependency-tracking From b58ebf982252b47067ca581af98000b1079a01bc Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 20:26:31 +0100 Subject: [PATCH 063/106] Update ci.yml --- .github/workflows/ci.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b297c46355..afa2deabec 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -107,19 +107,19 @@ jobs: - name: Install Dependencies run: | brew update - brew install \ - yajl \ - lmdb \ - lua \ - libmaxminddb \ - pcre2 \ - ssdeep \ - pcre \ - bison \ - flex \ - mbedtls \ - cmake \ - mbedtls + brew install autoconf \ + automake \ + libtool \ + yajl \ + lmdb \ + lua \ + libmaxminddb \ + libxml2 \ + ssdeep \ + pcre \ + bison \ + flex \ + mbedtls - uses: actions/checkout@v6 with: From 41fa370a503f3c1492893cf7b38837b00b4b4ba4 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 21:01:08 +0100 Subject: [PATCH 064/106] Update configure.ac --- configure.ac | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/configure.ac b/configure.ac index 723a8608a8..48b5e0bd7e 100644 --- a/configure.ac +++ b/configure.ac 
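Review bot: The rewritten `brew install` list drops `cmake` and `pcre2` and adds `autoconf`, `automake`, `libtool` and `libxml2`, but neither the step nor the commit message (`Update ci.yml`) says why; the cppcheck-macos dependency step in the older copies of this workflow further down this page carries `# curl, pcre2 not installed because they're from Apple`, and a comment of that form here would record why `pcre2` is omitted while `pcre` stays. Dropping `cmake` is only safe if the runner image ships it or nothing on the macOS path builds the vendored Mbed TLS; a one-line comment stating which assumption holds would help the next reader. The job's matrix and remaining steps are outside the hunk.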
@@ -78,33 +78,40 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de AC_SUBST([LIBINJECTION_VERSION]) # ============================================================ -# Check for Mbed TLS / mbedcrypto (PSA) +# Check for PSA crypto lib (Mbed TLS / TF-PSA-Crypto) # ============================================================ -AC_MSG_CHECKING([for mbedcrypto (PSA crypto library)]) +AC_MSG_CHECKING([for PSA crypto library (Mbed TLS / TF-PSA-Crypto)]) MBEDTLS_CRYPTO_LIB="" -# 1. Erst versuchen wir die System-Lib: -lmbedcrypto -AC_CHECK_LIB([mbedcrypto], [psa_crypto_init], - [MBEDTLS_CRYPTO_LIB="-lmbedcrypto" - AC_MSG_RESULT([using system libmbedcrypto (-lmbedcrypto)])], +# 1. Mbed TLS 4 / TF-PSA-Crypto: libtfpsacrypto +AC_CHECK_LIB([tfpsacrypto], [psa_crypto_init], + [MBEDTLS_CRYPTO_LIB="-ltfpsacrypto" + AC_MSG_RESULT([using system libtfpsacrypto (-ltfpsacrypto)])], [ - # 2. Fallback: vendored libmbedcrypto.a aus others/mbedtls - AC_MSG_RESULT([system libmbedcrypto not found, trying vendored mbedtls]) - - AC_CHECK_FILE([others/mbedtls/build/library/libmbedcrypto.a], - [MBEDTLS_CRYPTO_LIB='$(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a' - AC_MSG_RESULT([using vendored libmbedcrypto.a])], - [AC_MSG_ERROR([Could not find mbedcrypto: - - install libmbedtls-dev / Homebrew mbedtls (libmbedcrypto), + # 2. Legacy-Name: libmbedcrypto (Mbed TLS <= 3 oder Distros, die das so bereitstellen) + AC_CHECK_LIB([mbedcrypto], [psa_crypto_init], + [MBEDTLS_CRYPTO_LIB="-lmbedcrypto" + AC_MSG_RESULT([using system libmbedcrypto (-lmbedcrypto)])], + [ + # 3. 
Fallback: vendored libmbedcrypto.a aus others/mbedtls + AC_MSG_RESULT([no system PSA crypto lib found, trying vendored mbedtls]) + + AC_CHECK_FILE([others/mbedtls/build/library/libmbedcrypto.a], + [MBEDTLS_CRYPTO_LIB='$(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a' + AC_MSG_RESULT([using vendored libmbedcrypto.a])], + [AC_MSG_ERROR([Could not find PSA crypto library: + - install Mbed TLS / TF-PSA-Crypto (providing libtfpsacrypto or libmbedcrypto), or - build others/mbedtls before running configure])]) + ]) ]) AC_SUBST([MBEDTLS_CRYPTO_LIB]) + # Check for Mbed TLS if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c"; then AC_MSG_ERROR([\ From b9cb9b9ba6760d9f5966d5a78245e313b3e93905 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Tue, 9 Dec 2025 05:45:16 +0100 Subject: [PATCH 065/106] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index afa2deabec..6ec236a4f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -213,7 +213,7 @@ jobs: run: ./configure --disable-dependency-tracking - name: cppcheck - run: make check-static + run: make check-static -j$(nproc) cppcheck-macos: name: cppcheck (macOS) From 62b14567d0bb2459643b2cb2f9279bb7dc1ac3e3 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Tue, 9 Dec 2025 05:54:04 +0100 Subject: [PATCH 066/106] Add files via upload --- backup/build_on_linux.sh | 71 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 backup/build_on_linux.sh diff --git a/backup/build_on_linux.sh b/backup/build_on_linux.sh new file mode 100644 index 0000000000..78c73fc5d6 --- /dev/null +++ b/backup/build_on_linux.sh 
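Review bot: Only the library is probed here; nothing checks that the matching header `psa/crypto.h` is on the include path, so a system libtfpsacrypto or libmbedcrypto is accepted and the build still fails at compile time when the headers live in a non-default prefix, which is exactly what the later workflow commits work around with a hard-coded `CPPFLAGS=-I/opt/homebrew/opt/mbedtls/include`. Add `AC_CHECK_HEADER([psa/crypto.h], [], [AC_MSG_ERROR([psa/crypto.h not found; set CPPFLAGS])])` beside the library checks, and when the vendored fallback is selected point the include path at the vendored tree so library and headers come from the same source. The `# Check for Mbed TLS` test that follows still demands the vendored `base64.c` even when a system library was found; that conditional continues past the hunk, so whether the requirement is intended cannot be judged here. The new comments (`Legacy-Name`, `Fallback: vendored libmbedcrypto.a aus others/mbedtls`) are in German while the AC_MSG strings around them are English; translating them keeps configure.ac readable for upstream contributors.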
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+set -e # bei Fehler abbrechen
+
+rm -rf autom4te.cache
+rm -f aclocal.m4
+
+##
+## 1. headers.mk erzeugen (wie bisher)
+##
+cd src
+rm -f headers.mk
+echo "noinst_HEADERS = \\" > headers.mk
+ls -1 \
+ actions/*.h \
+ actions/ctl/*.h \
+ actions/data/*.h \
+ actions/disruptive/*.h \
+ actions/transformations/*.h \
+ debug_log/*.h \
+ audit_log/writer/*.h \
+ collection/backend/*.h \
+ operators/*.h \
+ parser/*.h \
+ request_body_processor/*.h \
+ utils/*.h \
+ variables/*.h \
+ engine/*.h \
+ *.h | tr "\012" " " >> headers.mk
+cd ..
+
+##
+## 2. Vendored Mbed TLS bauen – MIT PROGRAMMEN UND TESTS
+##
+if [ -d "others/mbedtls" ]; then
+ echo "==> Building vendored Mbed TLS (mit Programmen und Tests)..."
+ (
+ cd others/mbedtls
+
+ mkdir -p build
+
+ # Laut offizieller CMake-Options:
+ # - ENABLE_PROGRAMS=ON -> Tools/Beispiele bauen
+ # - ENABLE_TESTING=ON -> Test-Binaries + CTest
+ cmake -S . -B build \
+ -DENABLE_PROGRAMS=ON \
+ -DENABLE_TESTING=ON
+
+ cmake --build build --config Release
+
+ echo "==> Running Mbed TLS tests..."
+ cd build
+ ctest --output-on-failure
+ )
+else
+ echo "WARNUNG: others/mbedtls nicht gefunden – Mbed TLS wird NICHT gebaut/getestet!"
+fi
+
+##
+## 3. Autotools für ModSecurity initialisieren
+##
+case `uname` in
+ Darwin*) glibtoolize --force --copy ;;
+ *) libtoolize --force --copy ;;
+esac
+
+autoreconf --install
+autoheader
+automake --add-missing --foreign --copy --force-missing
+autoconf --force
+rm -rf autom4te.cache
From 8c2d60616b62bb6013c96885073becaae8f58e19 Mon Sep 17 00:00:00 2001
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com>
Date: Tue, 9 Dec 2025 05:55:36 +0100
Subject: [PATCH 067/106] Update build_on_linux.sh
---
 build_on_linux.sh | 27 +++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/build_on_linux.sh b/build_on_linux.sh
index 78c73fc5d6..dde78d0798 100644
--- a/build_on_linux.sh
+++ b/build_on_linux.sh
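Review bot: `cmake -S . -B build` configures without `-DCMAKE_BUILD_TYPE=Release`, and `--config Release` at build time only selects a configuration for multi-config generators, so with the default Makefile generator on Linux the vendored Mbed TLS is built with an empty build type and no optimisation flags; the build_on_linux.sh hunk that follows keeps the same pattern. Pass the type at configure time: `cmake -S . -B build -DCMAKE_BUILD_TYPE=Release -DENABLE_PROGRAMS=ON -DENABLE_TESTING=ON`. Building the sample programs and running the whole Mbed TLS test suite on every CI run is a lot of work for a consumer that only links libmbedcrypto; if the intent is to validate the vendored copy, a comment saying so would justify the cost. Committing this script under backup/ (removed again by the cleanup commit further down) leaves a second copy that will drift from the real one.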
@@ -2,11 +2,20 @@ set -e # bei Fehler abbrechen +## +## Parallel-Jobs bestimmen (nur Linux) +## Überschreibbar mit: JOBS=4 ./bootstrap.sh +## +if [ -z "$JOBS" ]; then + JOBS=$(nproc) +fi +echo "==> Using $JOBS parallel build jobs" + rm -rf autom4te.cache rm -f aclocal.m4 ## -## 1. headers.mk erzeugen (wie bisher) +## 1. headers.mk erzeugen ## cd src rm -f headers.mk @@ -39,31 +48,25 @@ if [ -d "others/mbedtls" ]; then mkdir -p build - # Laut offizieller CMake-Options: - # - ENABLE_PROGRAMS=ON -> Tools/Beispiele bauen - # - ENABLE_TESTING=ON -> Test-Binaries + CTest cmake -S . -B build \ -DENABLE_PROGRAMS=ON \ -DENABLE_TESTING=ON - cmake --build build --config Release + # Parallel bauen + cmake --build build --config Release --parallel "$JOBS" echo "==> Running Mbed TLS tests..." cd build - ctest --output-on-failure + ctest --output-on-failure -j"$JOBS" ) else echo "WARNUNG: others/mbedtls nicht gefunden – Mbed TLS wird NICHT gebaut/getestet!" fi ## -## 3. Autotools für ModSecurity initialisieren +## 3. Autotools für ModSecurity initialisieren (nur Linux) ## -case `uname` in - Darwin*) glibtoolize --force --copy ;; - *) libtoolize --force --copy ;; -esac - +libtoolize --force --copy autoreconf --install autoheader automake --add-missing --foreign --copy --force-missing From 181ede7443625a6ce2b4dbd58401673b914f4145 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Tue, 9 Dec 2025 17:40:13 +0100 Subject: [PATCH 068/106] Update ci.yml --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6ec236a4f8..8ae1bfc0b3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
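Review bot: The new comment says the job count is `Überschreibbar mit: JOBS=4 ./bootstrap.sh`, but this file is build_on_linux.sh, so the stale name points readers at a script that does not exist; make it `## Override with: JOBS=4 ./build_on_linux.sh`. The `if [ -z "$JOBS" ]` block can be the one-liner `: "${JOBS:=$(nproc)}"`, which handles unset and empty JOBS the same way. `nproc` is acceptable now that the second hunk drops the `uname` dispatch and makes the script Linux-only, but the `cmake -S . -B build` call kept as context still lacks `-DCMAKE_BUILD_TYPE=Release`, so `--parallel "$JOBS"` speeds up an unoptimised build. The `set -e` at the top of the file is outside the hunk.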
@@ -137,6 +137,8 @@ jobs: run: ./build_on_macos.sh - name: configure + export CPPFLAGS="-I/opt/homebrew/opt/mbedtls/include" + export LDFLAGS="-L/opt/homebrew/opt/mbedtls/lib" run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - uses: ammaraskar/gcc-problem-matcher@master From 37b2b773eaf566f6777620e68460f4ca0a53d6da Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Tue, 9 Dec 2025 17:46:29 +0100 Subject: [PATCH 069/106] Update ci.yml --- .github/workflows/ci.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8ae1bfc0b3..8b41f1706d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -137,8 +137,9 @@ jobs: run: ./build_on_macos.sh - name: configure - export CPPFLAGS="-I/opt/homebrew/opt/mbedtls/include" - export LDFLAGS="-L/opt/homebrew/opt/mbedtls/lib" + env: + CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include + LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - uses: ammaraskar/gcc-problem-matcher@master From 3d6c94c7b7b52df2c0cfaa57928aa448744eab9e Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Tue, 9 Dec 2025 17:58:14 +0100 Subject: [PATCH 070/106] update --- .github/workflows/ci.yml | 3 ++- Makefile.am | 8 ++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8b41f1706d..57dbeb8594 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -188,6 +188,7 @@ jobs: cppcheck-linux: name: cppcheck (Linux) runs-on: ubuntu-24.04 + timeout-minutes: 120 steps: - name: Setup Dependencies run: | @@ -216,7 +217,7 @@ jobs: run: ./configure --disable-dependency-tracking - name: cppcheck - run: make check-static -j$(nproc) + run: make check-static JOBS=$(nproc) cppcheck-macos: name: cppcheck (macOS) 
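Review bot: `CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include` and `LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib` hard-code the Apple-silicon Homebrew prefix, so the step breaks silently (configure falls through to its other search paths) should an Intel runner with the /usr/local prefix ever join the `os` matrix, and the cppcheck-macos hunk in the next commit on this page repeats the same two lines. Deriving the prefix once is more robust: a preceding step with `echo "CPPFLAGS=-I$(brew --prefix mbedtls)/include" >> "$GITHUB_ENV"` and the LDFLAGS equivalent, which both jobs can share. The job definition starts outside the hunk.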
diff --git a/Makefile.am b/Makefile.am index 7ac184b504..56ebdb0000 100644 --- a/Makefile.am +++ b/Makefile.am @@ -55,8 +55,13 @@ parser: +# Anzahl der cppcheck-Jobs, von außen überschreibbar: JOBS=8 make check-static +JOBS ?= 1 + cppcheck: - @cppcheck -U YYSTYPE -U MBEDTLS_MD5_ALT -U MBEDTLS_SHA1_ALT \ + @echo "Running cppcheck with $(JOBS) jobs..." + @cppcheck -j $(JOBS) \ + -U YYSTYPE -U MBEDTLS_MD5_ALT -U MBEDTLS_SHA1_ALT \ -D MS_CPPCHECK_DISABLED_FOR_PARSER -U YY_USER_INIT \ --suppressions-list=./test/cppcheck_suppressions.txt \ --inline-suppr \ @@ -70,7 +75,6 @@ cppcheck: --std=c++17 \ --force --verbose . - check-static: cppcheck check-style: check-coding-style From f1ec16e6d74553c304aa1cfc2b11a99326f8cb99 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Tue, 9 Dec 2025 18:11:42 +0100 Subject: [PATCH 071/106] Update ci.yml --- .github/workflows/ci.yml | 77 +++++++++++++++++++++------------------- 1 file changed, 40 insertions(+), 37 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 57dbeb8594..c1725f1395 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -86,7 +86,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - os: [macos-14] + os: [macos-14, macos-15, macos-26] configure: - {label: "with parser generation", opt: "--enable-parser-generation --without-geoip" } - {label: "wo curl", opt: "--without-curl --without-geoip" } 
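Review bot: `JOBS ?= 1` uses GNU make's conditional assignment, which automake reports as non-portable under `-Wportability`; whether that warning is active depends on the strictness options set outside the hunk, so check the automake output after this change. cppcheck has historically not run its `unusedFunction` check when `-j` is greater than one, so if the options continuing between the two hunks enable it, `JOBS=$(nproc)` silently drops that check; a comment on the target, `# NOTE: cppcheck skips unusedFunction when -j > 1`, would record the trade-off. The new comment `# Anzahl der cppcheck-Jobs, von außen überschreibbar: JOBS=8 make check-static` would read more consistently for upstream as `# Number of cppcheck jobs; override with: JOBS=8 make check-static`.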
@@ -151,39 +151,39 @@ jobs: run: make check - build-windows: - name: Windows (${{ matrix.configure.label }}) - runs-on: windows-latest - strategy: - matrix: - configure: - - {label: "default", opt: "" } - - {label: "wo curl", opt: "-DWITH_CURL=OFF" } - - {label: "wo lua", opt: "-DWITH_LUA=OFF" } - - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" } - - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } - - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } - steps: - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - name: Install Conan - run: | - pip3 install conan - - name: Configure Conan - run: | - conan profile detect - - name: Configure CMake - run: | - cmake -S . -B build ${{ matrix.configure.opt }} - - name: Build - run: | - cmake --build build --config Release + # build-windows: + # name: Windows (${{ matrix.configure.label }}) + # runs-on: windows-latest + # strategy: + # matrix: + # configure: + # - {label: "default", opt: "" } + # - {label: "wo curl", opt: "-DWITH_CURL=OFF" } + # - {label: "wo lua", opt: "-DWITH_LUA=OFF" } + # - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" } + # - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } + # - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } + # steps: + # - uses: actions/checkout@v6 + # with: + # submodules: true + # fetch-depth: 0 + # - name: Init git submodules + # run: | + # git submodule sync --recursive + # git submodule update --init --recursive --force + # - name: Install Conan + # run: | + # pip3 install conan + # - name: Configure Conan + # run: | + # conan profile detect + # - name: Configure CMake + # run: | + # cmake -S . -B build ${{ matrix.configure.opt }} + # - name: Build + # run: | + # cmake --build build --config Release cppcheck-linux: name: cppcheck (Linux) 
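Review bot: Commenting out the whole build-windows job leaves dead YAML in the workflow with no record of why Windows coverage was dropped; git history already preserves the job, so either delete it or keep it defined and disable it with `if: false` under `build-windows:` plus a comment naming the blocker (`# disabled: <reason placeholder>`). As written, future edits to the shared steps (checkout version, submodule init) will not reach this copy and it will silently rot. The commit message `Update ci.yml` does not explain the removal either.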
@@ -212,7 +212,6 @@ jobs: - name: build_on_linux.sh run: ./build_on_linux.sh - - name: configure run: ./configure --disable-dependency-tracking @@ -230,7 +229,8 @@ jobs: brew install autoconf \ automake \ libtool \ - cppcheck + cppcheck \ + mbedtls - uses: actions/checkout@v6 with: submodules: true @@ -245,7 +245,10 @@ jobs: run: ./build_on_macos.sh - name: configure + env: + CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include + LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib run: ./configure --disable-dependency-tracking - name: cppcheck - run: make check-static + run: make check-static JOBS=$(nproc) From 0702c36ed33f3bba892a246b5e278c9d88850b53 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Tue, 9 Dec 2025 18:25:43 +0100 Subject: [PATCH 072/106] =?UTF-8?q?aufr=C3=A4umen?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/dependabot.yaml | 15 - .github/workflows/ci.yml | 6 +- .../workflows/dependabot-auto-approve.yaml | 27 -- backup/build_on_linux.sh | 71 ----- backup/ci.yml | 289 ------------------ backup/ci.yml.alt | 207 ------------- backup/md5.h | 32 -- backup/sha1.h | 75 ----- 8 files changed, 3 insertions(+), 719 deletions(-) delete mode 100644 .github/dependabot.yaml delete mode 100644 .github/workflows/dependabot-auto-approve.yaml delete mode 100644 backup/build_on_linux.sh delete mode 100644 backup/ci.yml delete mode 100644 backup/ci.yml.alt delete mode 100644 backup/md5.h delete mode 100644 backup/sha1.h diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml deleted file mode 100644 index 647560dd85..0000000000 --- a/.github/dependabot.yaml +++ /dev/null @@ -1,15 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "gitsubmodule" - directory: "/" - schedule: - interval: "daily" - commit-message: - prefix: "Submodule Update" - - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - commit-message: - prefix: "GitHub Actions Updates" 
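Review bot: `run: make check-static JOBS=$(nproc)` in the cppcheck-macos hunk relies on `nproc`, a GNU coreutils command that macOS does not ship; unless the runner image provides it (it is not in this job's `brew install` list), the substitution is empty, make receives `JOBS=`, and cppcheck is invoked with `-j` and no count. The build-macos job in this workflow uses `sysctl -n hw.logicalcpu` for the same purpose, so `run: make check-static JOBS=$(sysctl -n hw.logicalcpu)` is the consistent form. The cleanup commit further down keeps `$(nproc)` in the same macOS step. The job definition starts outside the hunk.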
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c1725f1395..4fa38fe9f3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -216,8 +216,8 @@ jobs: run: ./configure --disable-dependency-tracking - name: cppcheck - run: make check-static JOBS=$(nproc) - + run: make check-static -j$(nproc) + cppcheck-macos: name: cppcheck (macOS) runs-on: macos-14 @@ -251,4 +251,4 @@ jobs: run: ./configure --disable-dependency-tracking - name: cppcheck - run: make check-static JOBS=$(nproc) + run: make check-static -j$(nproc) \ No newline at end of file diff --git a/.github/workflows/dependabot-auto-approve.yaml b/.github/workflows/dependabot-auto-approve.yaml deleted file mode 100644 index ae8bc032d5..0000000000 --- a/.github/workflows/dependabot-auto-approve.yaml +++ /dev/null @@ -1,27 +0,0 @@ -name: Dependabot Auto-Approve -on: pull_request - -permissions: - pull-requests: write - contents: write - -jobs: - auto-approve: - runs-on: ubuntu-latest - if: ${{ github.actor == 'dependabot[bot]' }} - steps: - - name: Fetch Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@v2 - with: - github-token: "${{ secrets.GITHUB_TOKEN }}" - - name: Approve Pull Request - run: gh pr review --approve "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - - name: Enable Auto-Merge - run: gh pr merge --auto --squash "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/backup/build_on_linux.sh b/backup/build_on_linux.sh deleted file mode 100644 index 78c73fc5d6..0000000000 --- a/backup/build_on_linux.sh +++ /dev/null 
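Review bot: Both hunks switch the cppcheck jobs from `make check-static JOBS=$(nproc)` back to `make check-static -j$(nproc)`, but Makefile.am, which this commit does not touch, still runs `cppcheck -j $(JOBS)` with `JOBS ?= 1`; make's `-j` does nothing for a target with a single recipe, so cppcheck is back to one thread and the 120-minute timeout added earlier becomes more likely to trip. Keep the variable form in both jobs, `run: make check-static JOBS=$(nproc)`, with the macOS-appropriate CPU count as raised earlier on this page. The second hunk also leaves the file without a trailing newline; the job definitions continue outside the hunks.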
@@ -1,71 +0,0 @@
-#!/bin/sh
-
-set -e # bei Fehler abbrechen
-
-rm -rf autom4te.cache
-rm -f aclocal.m4
-
-##
-## 1. headers.mk erzeugen (wie bisher)
-##
-cd src
-rm -f headers.mk
-echo "noinst_HEADERS = \\" > headers.mk
-ls -1 \
- actions/*.h \
- actions/ctl/*.h \
- actions/data/*.h \
- actions/disruptive/*.h \
- actions/transformations/*.h \
- debug_log/*.h \
- audit_log/writer/*.h \
- collection/backend/*.h \
- operators/*.h \
- parser/*.h \
- request_body_processor/*.h \
- utils/*.h \
- variables/*.h \
- engine/*.h \
- *.h | tr "\012" " " >> headers.mk
-cd ..
-
-##
-## 2. Vendored Mbed TLS bauen – MIT PROGRAMMEN UND TESTS
-##
-if [ -d "others/mbedtls" ]; then
- echo "==> Building vendored Mbed TLS (mit Programmen und Tests)..."
- (
- cd others/mbedtls
-
- mkdir -p build
-
- # Laut offizieller CMake-Options:
- # - ENABLE_PROGRAMS=ON -> Tools/Beispiele bauen
- # - ENABLE_TESTING=ON -> Test-Binaries + CTest
- cmake -S . -B build \
- -DENABLE_PROGRAMS=ON \
- -DENABLE_TESTING=ON
-
- cmake --build build --config Release
-
- echo "==> Running Mbed TLS tests..."
- cd build
- ctest --output-on-failure
- )
-else
- echo "WARNUNG: others/mbedtls nicht gefunden – Mbed TLS wird NICHT gebaut/getestet!"
-fi
-
-##
-## 3. Autotools für ModSecurity initialisieren
-##
-case `uname` in
- Darwin*) glibtoolize --force --copy ;;
- *) libtoolize --force --copy ;;
-esac
-
-autoreconf --install
-autoheader
-automake --add-missing --foreign --copy --force-missing
-autoconf --force
-rm -rf autom4te.cache
diff --git a/backup/ci.yml b/backup/ci.yml
deleted file mode 100644
index b99ceb047c..0000000000
--- a/backup/ci.yml
+++ /dev/null
@@ -1,289 +0,0 @@ -name: Quality Assurance - -on: - push: - pull_request: - -jobs: - build-linux: - name: Linux (${{ matrix.platform.label }}, ${{ matrix.compiler.label }}, ${{ matrix.configure.label }}) - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-22.04] - platform: - - {label: "x64", arch: "amd64", configure: ""} - - {label: "x32", arch: "i386", configure: "PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32"} - compiler: - - {label: "gcc", cc: "gcc", cxx: "g++"} - - {label: "clang", cc: "clang", cxx: "clang++"} - configure: - - {label: "with parser generation", opt: "--enable-parser-generation" } - - {label: "wo curl", opt: "--without-curl" } - - {label: "wo lua", opt: "--without-lua" } - - {label: "wo maxmind", opt: "--without-maxmind" } - - {label: "wo libxml", opt: "--without-libxml" } - - {label: "wo geoip", opt: "--without-geoip" } - - {label: "wo ssdeep", opt: "--without-ssdeep" } - - {label: "with lmdb", opt: "--with-lmdb" } - - {label: "with pcre", opt: "--with-pcre" } - exclude: - - platform: {label: "x32"} - configure: {label: "wo geoip"} - - platform: {label: "x32"} - configure: {label: "wo ssdeep"} - steps: - - name: Setup Dependencies (common) - run: | - sudo dpkg --add-architecture ${{ matrix.platform.arch }} - sudo apt-get update -y -qq - sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ - libcurl4-openssl-dev:${{ matrix.platform.arch }} \ - liblmdb-dev:${{ matrix.platform.arch }} \ - liblua5.3-dev:${{ matrix.platform.arch }} \ - libmaxminddb-dev:${{ matrix.platform.arch }} \ - libpcre2-dev:${{ matrix.platform.arch }} \ - pcre2-utils:${{ matrix.platform.arch }} \ - bison flex cmake - - name: Setup Dependencies (x32) - if: ${{ matrix.platform.label == 'x32' }} - run: | - sudo apt-get install g++-multilib - sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ - libpcre3-dev:${{ matrix.platform.arch }} - - name: Setup Dependencies (x64) - if: ${{ 
matrix.platform.label == 'x64' }} - run: | - sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ - libfuzzy-dev:${{ matrix.platform.arch }} - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - name: build.sh - run: ./build.sh - - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - - name: configure - env: - CC: ${{ matrix.compiler.cc }} - CXX: ${{ matrix.compiler.cxx }} - run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - - - uses: ammaraskar/gcc-problem-matcher@master - - name: make - run: make -j `nproc` - - name: check - run: make check - - build-macos: - name: macOS (${{ matrix.configure.label }}) - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [macos-14] - configure: - - {label: "with parser generation", opt: "--enable-parser-generation --without-geoip" } - - {label: "wo curl", opt: "--without-curl --without-geoip" } - - {label: "wo lua", opt: "--without-lua --without-geoip" } - - {label: "wo maxmind", opt: "--without-maxmind --without-geoip" } - - {label: "wo libxml", opt: "--without-libxml --without-geoip" } - - {label: "wo geoip", opt: "--without-geoip" } - - {label: "wo ssdeep", opt: "--without-ssdeep --without-geoip" } - - {label: "with lmdb", opt: "--with-lmdb --without-geoip" } - - {label: "with pcre", opt: "--with-pcre --without-geoip" } - steps: - - name: Setup Homebrew - run: | - echo "PATH=/opt/homebrew/bin:$PATH" >> $GITHUB_ENV - echo 
"PKG_CONFIG_PATH=/opt/homebrew/lib/pkgconfig:/opt/homebrew/opt/openssl/lib/pkgconfig:/opt/homebrew/opt/pcre/lib/pkgconfig:/opt/homebrew/opt/pcre2/lib/pkgconfig:/opt/homebrew/opt/libxml2/lib/pkgconfig:/opt/homebrew/opt/curl/lib/pkgconfig:/opt/homebrew/opt/icu4c/lib/pkgconfig:/opt/homebrew/opt/openssl@3/lib/pkgconfig" >> $GITHUB_ENV - - - name: Install Dependencies - run: | - brew update - brew install \ - yajl \ - lmdb \ - lua \ - libmaxminddb \ - pcre2 \ - ssdeep \ - pcre \ - bison \ - flex \ - mbedtls \ - cmake \ - pipx - - # 🔧 NEU: Python-Dependency für mbedtls-Skripte - - name: Install Python dependencies (jinja2) - run: | - # Nur im User-Space installieren, das ist mit PEP 668 erlaubt - python3 -m pip install --user jinja2 - - # Debug-Ausgabe, um sicher zu sein, dass es klappt - python3 - << 'EOF' - import jinja2, sys - print("Python:", sys.executable) - print("jinja2:", jinja2.__version__, "from", jinja2.__file__) - EOF - - - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - - name: build.sh - run: ./build.sh - - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - - name: configure - run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - - - uses: ammaraskar/gcc-problem-matcher@master - - - name: make - run: make -j `sysctl -n hw.logicalcpu` - - - name: check - run: make check - - build-windows: - name: Windows (${{ matrix.configure.label }}) - runs-on: windows-latest - strategy: - matrix: - configure: - - {label: "default", opt: "" } - - {label: "wo curl", opt: "-DWITH_CURL=OFF" } - - {label: 
"wo lua", opt: "-DWITH_LUA=OFF" } - - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" } - - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } - - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } - steps: - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - name: Install Conan - run: | - pip3 install conan - - name: Configure Conan - run: | - conan profile detect - - name: Configure CMake - run: | - cmake -S . -B build ${{ matrix.configure.opt }} - - name: Build - run: | - cmake --build build --config Release - - cppcheck-linux: - name: cppcheck (Linux) - runs-on: ubuntu-22.04 - steps: - - name: Setup Dependencies - run: | - sudo apt-get update -y -qq - sudo apt-get install -y \ - cppcheck \ - autoconf \ - automake \ - libtool - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - name: build.sh - run: ./build.sh - - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - - name: configure - run: ./configure --disable-dependency-tracking - - - name: cppcheck - run: make check-static - - cppcheck-macos: - name: cppcheck (macOS) - runs-on: macos-14 - steps: - - name: Setup Dependencies - # curl, pcre2 not installed because they're from Apple - run: | - brew update - brew install autoconf \ - automake \ - libtool \ - cppcheck - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive 
--force - - name: build.sh - run: ./build.sh - - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - - name: configure - run: ./configure --disable-dependency-tracking - - - name: cppcheck - run: make check-static diff --git a/backup/ci.yml.alt b/backup/ci.yml.alt deleted file mode 100644 index 42fc403531..0000000000 --- a/backup/ci.yml.alt +++ /dev/null 
@@ -1,207 +0,0 @@ -name: Quality Assurance - -on: - push: - pull_request: - -jobs: - build-linux: - name: Linux (${{ matrix.platform.label }}, ${{ matrix.compiler.label }}, ${{ matrix.configure.label }}) - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-22.04] - platform: - - {label: "x64", arch: "amd64", configure: ""} - - {label: "x32", arch: "i386", configure: "PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32"} - compiler: - - {label: "gcc", cc: "gcc", cxx: "g++"} - - {label: "clang", cc: "clang", cxx: "clang++"} - configure: - - {label: "with parser generation", opt: "--enable-parser-generation" } - - {label: "wo curl", opt: "--without-curl" } - - {label: "wo lua", opt: "--without-lua" } - - {label: "wo maxmind", opt: "--without-maxmind" } - - {label: "wo libxml", opt: "--without-libxml" } - - {label: "wo geoip", opt: "--without-geoip" } - - {label: "wo ssdeep", opt: "--without-ssdeep" } - - {label: "with lmdb", opt: "--with-lmdb" } - - {label: "with pcre", opt: "--with-pcre" } - exclude: - - platform: {label: "x32"} - configure: {label: "wo geoip"} - - platform: {label: "x32"} - configure: {label: "wo ssdeep"} - steps: - - name: Setup Dependencies (common) - run: | - sudo dpkg --add-architecture ${{ matrix.platform.arch }} - sudo apt-get update -y -qq - sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ - libcurl4-openssl-dev:${{ matrix.platform.arch }} \ - liblmdb-dev:${{ matrix.platform.arch }} \ - liblua5.2-dev:${{ matrix.platform.arch }} \ - libmaxminddb-dev:${{ matrix.platform.arch }} \ - libpcre2-dev:${{ matrix.platform.arch }} \ - pcre2-utils:${{ matrix.platform.arch }} \ - bison flex - - name: Setup Dependencies (x32) - if: ${{ matrix.platform.label == 'x32' }} - run: | - sudo apt-get install g++-multilib - sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ - libpcre3-dev:${{ matrix.platform.arch }} - - name: Setup Dependencies (x64) - if: ${{ matrix.platform.label == 
'x64' }} - run: | - sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ - libfuzzy-dev:${{ matrix.platform.arch }} - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: build.sh - run: ./build.sh - - name: configure - env: - CC: ${{ matrix.compiler.cc }} - CXX: ${{ matrix.compiler.cxx }} - run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes - - uses: ammaraskar/gcc-problem-matcher@master - - name: make - run: make -j `nproc` - - name: check - run: make check - - build-macos: - name: macOS (${{ matrix.configure.label }}) - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [macos-14] - configure: - - {label: "with parser generation", opt: "--enable-parser-generation" } - - {label: "wo curl", opt: "--without-curl" } - - {label: "wo lua", opt: "--without-lua" } - - {label: "wo maxmind", opt: "--without-maxmind" } - - {label: "wo libxml", opt: "--without-libxml" } - - {label: "wo geoip", opt: "--without-geoip" } - - {label: "wo ssdeep", opt: "--without-ssdeep" } - - {label: "with lmdb", opt: "--with-lmdb" } - - {label: "with pcre", opt: "--with-pcre" } - steps: - - name: Setup Dependencies - # curl, pcre2 not installed because they're already - # included in the image - run: | - brew install autoconf \ - automake \ - libtool \ - yajl \ - lmdb \ - lua \ - libmaxminddb \ - libxml2 \ - ssdeep \ - pcre \ - bison \ - flex - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Build GeoIP - run: | - git clone --depth 1 --no-checkout https://github.com/maxmind/geoip-api-c.git - cd geoip-api-c - git fetch --tags - # Check out the last release, v1.6.12 - git checkout 4b526e7331ca1d692b74a0509ddcc725622ed31a - autoreconf --install - ./configure --disable-dependency-tracking --disable-silent-rules --prefix=/opt/homebrew - make install - - name: build.sh - run: ./build.sh - - name: configure - run: ./configure ${{ matrix.configure.opt }} 
--enable-assertions=yes - - uses: ammaraskar/gcc-problem-matcher@master - - name: make - run: make -j `sysctl -n hw.logicalcpu` - - name: check - run: make check - - build-windows: - name: Windows (${{ matrix.platform.label }}, ${{ matrix.configure.label }}) - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [windows-2022] - platform: - - {label: "x64", arch: "x86_64"} - configuration: [Release] - configure: - - {label: "full", opt: "" } - - {label: "wo curl", opt: "-DWITH_CURL=OFF" } - - {label: "wo lua", opt: "-DWITH_LUA=OFF" } - - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" } - - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } - - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } - steps: - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Install Conan - run: | - pip3 install conan --upgrade - conan profile detect - - uses: ammaraskar/msvc-problem-matcher@master - - name: Build ${{ matrix.configuration }} ${{ matrix.platform.arch }} ${{ matrix.configure.label }} - shell: cmd - run: vcbuild.bat ${{ matrix.configuration }} ${{ matrix.platform.arch }} NO_ASAN "${{ matrix.configure.opt }}" - - name: Set up test environment - working-directory: build\win32\build\${{ matrix.configuration }} - env: - BASE_DIR: ..\..\..\.. - shell: cmd - run: | - copy unit_tests.exe %BASE_DIR%\test - copy regression_tests.exe %BASE_DIR%\test - copy libModSecurity.dll %BASE_DIR%\test - copy %BASE_DIR%\unicode.mapping %BASE_DIR%\test - md \tmp - md \bin - copy "C:\Program Files\Git\usr\bin\echo.exe" \bin - copy "C:\Program Files\Git\usr\bin\echo.exe" \bin\echo - - name: Disable tests that don't work on Windows - working-directory: test\test-cases\regression - shell: cmd - run: | - jq "map(if .title == \"Test match variable (1/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json - jq "map(if .title == \"Test match variable (2/n)\" then .enabled = 0 else . 
end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json - jq "map(if .title == \"Test match variable (3/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json - jq "map(if .title == \"Variable offset - FILES_NAMES\" then .enabled = 0 else . end)" offset-variable.json > tmp.json && move /Y tmp.json offset-variable.json - - name: Run tests - working-directory: build\win32\build - run: | - ctest -C ${{ matrix.configuration }} --output-on-failure - - cppcheck: - runs-on: [macos-14] - steps: - - name: Setup Dependencies - run: | - brew install autoconf \ - automake \ - libtool \ - cppcheck - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: configure - run: | - ./build.sh - ./configure - - name: cppcheck - run: make check-static diff --git a/backup/md5.h b/backup/md5.h deleted file mode 100644 index 68f5d748e4..0000000000 --- a/backup/md5.h +++ /dev/null @@ -1,32 +0,0 @@ -/* - * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * You may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. - * - */ - -#ifndef SRC_UTILS_MD5_H_ -#define SRC_UTILS_MD5_H_ - -#include "src/utils/sha1.h" -#include "mbedtls/md5.h" -#include - -namespace modsecurity::Utils { - - -class Md5 : public DigestImpl<&mbedtls_md5, 16> { -}; - - -} // namespace modsecurity::Utils - -#endif // SRC_UTILS_MD5_H_ \ No newline at end of file diff --git a/backup/sha1.h b/backup/sha1.h deleted file mode 100644 index a40d7fa1c8..0000000000 --- a/backup/sha1.h +++ /dev/null 
@@ -1,75 +0,0 @@ -/* - * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * You may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. - * - */ - -#ifndef SRC_UTILS_SHA1_H_ -#define SRC_UTILS_SHA1_H_ - -#include -#include - -#include "src/utils/string.h" -#include "mbedtls/sha1.h" - -namespace modsecurity::Utils { - - -using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); - - -template -class DigestImpl { - public: - - static std::string digest(const std::string& input) { - return digestHelper(input, [](const auto digest) { - return std::string(digest); - }); - } - - static void digestReplace(std::string& value) { - digestHelper(value, [&value](const auto digest) mutable { - value = digest; - }); - } - - static std::string hexdigest(const std::string &input) { - return digestHelper(input, [](const auto digest) { - return utils::string::string_to_hex(digest); - }); - } - -private: - - template - static auto digestHelper(const std::string &input, - ConvertOp convertOp) -> auto { - char digest[DigestSize]; - - const auto ret = (*digestOp)(reinterpret_cast(input.c_str()), - input.size(), reinterpret_cast(digest)); - assert(ret == 0); - - return convertOp(std::string_view(digest, DigestSize)); - } -}; - - -class Sha1 : public DigestImpl<&mbedtls_sha1, 20> { -}; - - -} // namespace modsecurity::Utils - -#endif // SRC_UTILS_SHA1_H_ From 9f5ace3054779694210bb2e225cf38cf8ea2966b Mon Sep 17 00:00:00 2001 
From: Easton97-Jens Date: Tue, 9 Dec 2025 18:31:05 +0100 Subject: [PATCH 073/106] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4fa38fe9f3..c435c9e3ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -216,7 +216,7 @@ jobs: run: ./configure --disable-dependency-tracking - name: cppcheck - run: make check-static -j$(nproc) + run: make check-static JOBS=$(nproc) cppcheck-macos: name: cppcheck (macOS) From b96a0a520ca2043b418991c8b0e36ea335537eab Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 16:32:28 +0100 Subject: [PATCH 074/106] update --- .github/dependabot.yaml | 15 ++ .github/workflows/ci.yml | 70 +--------- .github/workflows/codeql.yml | 56 ++++++++ .github/workflows/cppcheck.yml | 132 ++++++++++++++++++ .../workflows/dependabot-auto-approve.yaml | 27 ++++ 5 files changed, 231 insertions(+), 69 deletions(-) create mode 100644 .github/dependabot.yaml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/cppcheck.yml create mode 100644 .github/workflows/dependabot-auto-approve.yaml diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 0000000000..16d9dd8134 --- /dev/null +++ b/.github/dependabot.yaml @@ -0,0 +1,15 @@ +version: 2 +updates: + - package-ecosystem: "gitsubmodule" + directory: "/" + schedule: + interval: "daily" + commit-message: + prefix: "Submodule Update" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + commit-message: + prefix: "GitHub Actions Updates" \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c435c9e3ac..1dbe104a29 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -183,72 +183,4 @@ jobs: # cmake -S . -B build ${{ matrix.configure.opt }} # - name: Build # run: | - # cmake --build build --config Release - - cppcheck-linux: - name: cppcheck (Linux) - runs-on: ubuntu-24.04 - timeout-minutes: 120 - steps: - - name: Setup Dependencies - run: | - sudo apt-get update -y -qq - sudo apt-get install -y \ - cppcheck \ - autoconf \ - automake \ - libtool - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - name: Build-Script ausführbar machen - run: chmod +x build_on_linux.sh - - - name: build_on_linux.sh - run: ./build_on_linux.sh - - - name: configure - run: ./configure --disable-dependency-tracking - - - name: cppcheck - run: make check-static JOBS=$(nproc) - - cppcheck-macos: - name: cppcheck (macOS) - runs-on: macos-14 - steps: - - name: Setup Dependencies - # curl, pcre2 not installed because they're from Apple - run: | - brew update - brew install autoconf \ - automake \ - libtool \ - cppcheck \ - mbedtls - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - name: Build-Script ausführbar machen - run: chmod +x build_on_macos.sh - - name: build_on_macos.sh - run: ./build_on_macos.sh - - - name: configure - env: - CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include - LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib - run: ./configure --disable-dependency-tracking - - - name: cppcheck - run: make check-static -j$(nproc) \ No newline at end of file + # cmake --build build --config Release \ No newline at end of file diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..3a3712eeda --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,56 @@ +name: CodeQL + +on: + push: + branches: ["master", "main"] + pull_request: + branches: ["master", "main"] + schedule: + - cron: "19 3 * * 1" # montags + +permissions: + actions: read + contents: read + security-events: write + +jobs: + analyze: + name: CodeQL (C/C++) + runs-on: ubuntu-24.04 + + steps: + - name: Checkout (with submodules) + uses: actions/checkout@v6 + with: + submodules: recursive + fetch-depth: 0 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: c-cpp + build-mode: manual + query-suite: security-extended + + - name: Install build dependencies + run: | + sudo apt-get update + sudo apt-get install -y \ + build-essential pkg-config \ + autoconf automake libtool \ + flex bison \ + libyajl-dev \ + libxml2-dev \ + libpcre2-dev \ + libcurl4-openssl-dev \ + zlib1g-dev \ + ca-certificates + + - name: Build (required for CodeQL C/C++) + run: | + ./build.sh + ./configure --disable-dependency-tracking + make -j"$(nproc)" + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 \ No newline at end of file diff --git a/.github/workflows/cppcheck.yml b/.github/workflows/cppcheck.yml new file mode 100644 index 0000000000..660264c242 --- /dev/null +++ b/.github/workflows/cppcheck.yml 
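Review bot: Every action in this new workflow is referenced by a mutable tag (`actions/checkout@v6`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`), so a job holding `security-events: write` runs whatever those tags resolve to on a given day. Pinning each `uses:` to a full commit SHA with the release in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, keeps the reference auditable while the `github-actions` Dependabot entry from this series still proposes bumps. The same applies to the other workflows added later in this series; `dependabot/fetch-metadata` is the only one that ends up SHA-pinned.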
@@ -0,0 +1,132 @@ +name: Quality Assurance - cppcheck + +on: + push: + branches: ["master", "main"] + pull_request: + branches: ["master", "main"] + schedule: + # z.B. täglich nachts (kannst du auch wöchentlich machen) + #- cron: "15 2 * * *" + - cron: "15 2 * * 1" # montags + +jobs: + cppcheck-linux: + name: cppcheck (Linux) + runs-on: ubuntu-24.04 + timeout-minutes: 120 + + steps: + - name: Setup Dependencies + run: | + sudo apt-get update -y -qq + sudo apt-get install -y \ + cppcheck \ + autoconf \ + automake \ + libtool + + - name: Checkout (with submodules) + uses: actions/checkout@v6 + with: + submodules: recursive + fetch-depth: 0 + + - name: Ensure submodules are up to date + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + + - name: Build-Script ausführbar machen + run: chmod +x build_on_linux.sh + + - name: build_on_linux.sh + run: ./build_on_linux.sh + + - name: configure + run: ./configure --disable-dependency-tracking + + # Full scan nur im scheduled run + - name: cppcheck (full - scheduled) + if: github.event_name == 'schedule' + run: make check-static JOBS=$(nproc) + + # PR/Push: schneller Scan nur für geänderte Dateien + - name: cppcheck (changed files - PR/Push) + if: github.event_name != 'schedule' + run: | + BASE_REF="${{ github.base_ref }}" + if [ -z "$BASE_REF" ]; then + BASE_REF="master" + fi + + git fetch origin "$BASE_REF" --depth=1 || true + CHANGED="$(git diff --name-only "origin/$BASE_REF"...HEAD -- \ + '*.c' '*.cc' '*.cpp' '*.cxx' '*.h' '*.hh' '*.hpp' '*.hxx' | tr '\n' ' ')" + + if [ -z "$CHANGED" ]; then + echo "No changed C/C++ files detected." 
+ exit 0 + fi + + cppcheck --enable=warning,style,performance,portability \ + --inline-suppr --error-exitcode=1 \ + $CHANGED + + cppcheck-macos: + name: cppcheck (macOS) + runs-on: macos-14 + + steps: + - name: Setup Dependencies + run: | + brew update + brew install autoconf automake libtool cppcheck mbedtls + + - name: Checkout (with submodules) + uses: actions/checkout@v6 + with: + submodules: recursive + fetch-depth: 0 + + - name: Ensure submodules are up to date + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + + - name: Build-Script ausführbar machen + run: chmod +x build_on_macos.sh + + - name: build_on_macos.sh + run: ./build_on_macos.sh + + - name: configure + env: + CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include + LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib + run: ./configure --disable-dependency-tracking + + - name: cppcheck (full - scheduled) + if: github.event_name == 'schedule' + run: make check-static JOBS=$(sysctl -n hw.ncpu) + + - name: cppcheck (changed files - PR/Push) + if: github.event_name != 'schedule' + run: | + BASE_REF="${{ github.base_ref }}" + if [ -z "$BASE_REF" ]; then + BASE_REF="master" + fi + + git fetch origin "$BASE_REF" --depth=1 || true + CHANGED="$(git diff --name-only "origin/$BASE_REF"...HEAD -- \ + '*.c' '*.cc' '*.cpp' '*.cxx' '*.h' '*.hh' '*.hpp' '*.hxx' | tr '\n' ' ')" + + if [ -z "$CHANGED" ]; then + echo "No changed C/C++ files detected." + exit 0 + fi + + cppcheck --enable=warning,style,performance,portability \ + --inline-suppr --error-exitcode=1 \ + $CHANGED \ No newline at end of file diff --git a/.github/workflows/dependabot-auto-approve.yaml b/.github/workflows/dependabot-auto-approve.yaml new file mode 100644 index 0000000000..c1ba6975f1 --- /dev/null +++ b/.github/workflows/dependabot-auto-approve.yaml 
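Review bot: In the `cppcheck (changed files - PR/Push)` step, `github.base_ref` is only populated for pull requests, so on a push the script falls back to `master` and `git diff origin/master...HEAD` on the `master` branch itself compares the tip with itself, finds nothing and exits 0 — pushes to the very branch this workflow targets are never scanned. For push events the previous tip is available as `github.event.before` (all zeros on a branch's first push, which needs a guard), as sketched below. The `|| true` after the fetch turns a failed fetch into a confusing `git diff` error one line later, and `$CHANGED` is expanded unquoted after `tr '\n' ' '`, so a path containing a space is split into two bogus arguments. The identical block is repeated verbatim in the `cppcheck-macos` job, which would be easier to keep correct as one script under version control. The workflow also declares no `permissions:` block, so the job runs with the repository's default token grant although `permissions: contents: read` is all these steps need.
```yaml
      - name: cppcheck (changed files - PR/Push)
        if: github.event_name != 'schedule'
        run: |
          if [ "${{ github.event_name }}" = "pull_request" ]; then
            git fetch origin "${{ github.base_ref }}" --depth=1
            BASE="origin/${{ github.base_ref }}"
          else
            BASE="${{ github.event.before }}"
            # first push to a branch reports an all-zero SHA; fall back to the parent commit
            case "$BASE" in 0000000000000000000000000000000000000000) BASE="HEAD~1" ;; esac
          fi
          CHANGED="$(git diff --name-only "$BASE"...HEAD -- \
            '*.c' '*.cc' '*.cpp' '*.cxx' '*.h' '*.hh' '*.hpp' '*.hxx' | tr '\n' ' ')"
          # … unchanged: empty-list check and cppcheck invocation …
```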
@@ -0,0 +1,27 @@ +name: Dependabot Auto-Approve +on: pull_request + +permissions: + pull-requests: write + contents: write + +jobs: + auto-approve: + runs-on: ubuntu-latest + if: ${{ github.actor == 'dependabot[bot]' }} + steps: + - name: Fetch Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + - name: Approve Pull Request + run: gh pr review --approve "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + - name: Enable Auto-Merge + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} \ No newline at end of file From 07807345d0b12dff32c361397027ebb0e77ed7f9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Dec 2025 15:33:39 +0000 Subject: [PATCH 075/106] Submodule Update: Bump others/mbedtls from `e5ba96c` to `abb0b22` Bumps [others/mbedtls](https://github.com/Mbed-TLS/mbedtls) from `e5ba96c` to `abb0b22`. - [Release notes](https://github.com/Mbed-TLS/mbedtls/releases) - [Commits](https://github.com/Mbed-TLS/mbedtls/compare/e5ba96c5c6c408cee7a05f3ab77417a94fe534fe...abb0b22954922cc0a28fda4ccf541273c882e171) --- updated-dependencies: - dependency-name: others/mbedtls dependency-version: abb0b22954922cc0a28fda4ccf541273c882e171 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- others/mbedtls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/mbedtls b/others/mbedtls index e5ba96c5c6..abb0b22954 160000 --- a/others/mbedtls +++ b/others/mbedtls @@ -1 +1 @@ -Subproject commit e5ba96c5c6c408cee7a05f3ab77417a94fe534fe +Subproject commit abb0b22954922cc0a28fda4ccf541273c882e171 From 555ad387eb06e27ae74192b0bb58815043a344d9 Mon Sep 17 00:00:00 2001 
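Review bot: The `Approve Pull Request` and `Enable Auto-Merge` steps run for every pull request whose actor is `dependabot[bot]`, and the metadata fetched in the `metadata` step is never consulted, so with `contents: write` a semver-major action bump or a submodule bump to an arbitrary upstream commit is approved and merged unattended once checks pass. Gating both steps on the fetched update type, `if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'`, limits unattended merges to the cases the project has decided to trust; the `gitsubmodule` bumps in this series, which carry a `dependency-version` but no `update-type`, then stay with a human reviewer. It is also worth a comment above `permissions:` recording why `contents: write` is needed (`gh pr merge --auto` requires it), since it is one of the broadest grants in the repository's workflows.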
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 14 Dec 2025 17:17:49 +0100 Subject: [PATCH 076/106] Update codeql.yml --- .github/workflows/codeql.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3a3712eeda..3cf5786880 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,13 +1,14 @@ name: CodeQL on: + workflow_dispatch: push: branches: ["master", "main"] pull_request: branches: ["master", "main"] schedule: - - cron: "19 3 * * 1" # montags - + - cron: "19 3 * * 1" + permissions: actions: read contents: read @@ -53,4 +54,4 @@ jobs: make -j"$(nproc)" - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 \ No newline at end of file + uses: github/codeql-action/analyze@v4 From fc2a3349714dda872949ab2cc616a14579824e93 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 17:53:33 +0100 Subject: [PATCH 077/106] Update codeql.yml --- .github/workflows/codeql.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3cf5786880..a40b38ff42 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,4 +1,4 @@ -name: CodeQL +name: CodeQL_on_linux on: workflow_dispatch: @@ -45,11 +45,12 @@ jobs: libpcre2-dev \ libcurl4-openssl-dev \ zlib1g-dev \ + libmbedtls-dev \ ca-certificates - name: Build (required for CodeQL C/C++) run: | - ./build.sh + ./build_on_linux.sh ./configure --disable-dependency-tracking make -j"$(nproc)" From c522618fe4ae50c6cab402a167ead1235ea2220e Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 18:00:26 +0100 Subject: [PATCH 078/106] Update codeql.yml --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a40b38ff42..5ca80195c9 100644 
--- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -31,7 +31,7 @@ jobs: with: languages: c-cpp build-mode: manual - query-suite: security-extended + queries: security-extended - name: Install build dependencies run: | From 187e1ee4afbb1dd5bdbf355d6cdbc8bc21cbca48 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 18:01:11 +0100 Subject: [PATCH 079/106] Update cppcheck.yml --- .github/workflows/cppcheck.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cppcheck.yml b/.github/workflows/cppcheck.yml index 660264c242..8c377aee14 100644 --- a/.github/workflows/cppcheck.yml +++ b/.github/workflows/cppcheck.yml @@ -1,6 +1,7 @@ name: Quality Assurance - cppcheck on: + workflow_dispatch: push: branches: ["master", "main"] pull_request: From f86a33d04fbe91d681421320acb7c2a23ccf1c06 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 18:15:55 +0100 Subject: [PATCH 080/106] Update cppcheck.yml --- .github/workflows/cppcheck.yml | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/.github/workflows/cppcheck.yml b/.github/workflows/cppcheck.yml index 8c377aee14..1fa8642ba1 100644 --- a/.github/workflows/cppcheck.yml +++ b/.github/workflows/cppcheck.yml @@ -2,14 +2,18 @@ name: Quality Assurance - cppcheck on: workflow_dispatch: + inputs: + full: + description: "Run FULL cppcheck (make check-static). If false: only changed files." + required: true + default: "false" push: branches: ["master", "main"] pull_request: branches: ["master", "main"] schedule: - # z.B. täglich nachts (kannst du auch wöchentlich machen) - #- cron: "15 2 * * *" - - cron: "15 2 * * 1" # montags + #- cron: "15 2 * * 1" # montags 02:15 UTC (anpassen wenn du willst) + - cron: "15 2 * * 1" # montags jobs: cppcheck-linux: 
@@ -47,14 +51,14 @@ jobs: - name: configure run: ./configure --disable-dependency-tracking - # Full scan nur im scheduled run - - name: cppcheck (full - scheduled) - if: github.event_name == 'schedule' + # FULL scan: scheduled ODER workflow_dispatch(full=true) + - name: cppcheck (full) + if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.full == 'true') run: make check-static JOBS=$(nproc) - # PR/Push: schneller Scan nur für geänderte Dateien - - name: cppcheck (changed files - PR/Push) - if: github.event_name != 'schedule' + # FAST scan: Push/PR oder workflow_dispatch(full=false) + - name: cppcheck (changed files) + if: github.event_name != 'schedule' && !(github.event_name == 'workflow_dispatch' && inputs.full == 'true') run: | BASE_REF="${{ github.base_ref }}" if [ -z "$BASE_REF" ]; then @@ -107,12 +111,14 @@ jobs: LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib run: ./configure --disable-dependency-tracking - - name: cppcheck (full - scheduled) - if: github.event_name == 'schedule' + # FULL scan: scheduled ODER workflow_dispatch(full=true) + - name: cppcheck (full) + if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.full == 'true') run: make check-static JOBS=$(sysctl -n hw.ncpu) - - name: cppcheck (changed files - PR/Push) - if: github.event_name != 'schedule' + # FAST scan: Push/PR oder workflow_dispatch(full=false) + - name: cppcheck (changed files) + if: github.event_name != 'schedule' && !(github.event_name == 'workflow_dispatch' && inputs.full == 'true') run: | BASE_REF="${{ github.base_ref }}" if [ -z "$BASE_REF" ]; then @@ -130,4 +136,4 @@ jobs: cppcheck --enable=warning,style,performance,portability \ --inline-suppr --error-exitcode=1 \ - $CHANGED \ No newline at end of file + $CHANGED From 46006bfb6e2300e537a4e47bc7c8070391cb965d Mon Sep 17 00:00:00 2001 
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 14 Dec 2025 18:18:17 +0100 Subject: [PATCH 081/106] Update build_on_linux.sh --- build_on_linux.sh | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/build_on_linux.sh b/build_on_linux.sh index dde78d0798..1b8576bee5 100644 --- a/build_on_linux.sh +++ b/build_on_linux.sh @@ -41,27 +41,27 @@ cd .. ## ## 2. Vendored Mbed TLS bauen – MIT PROGRAMMEN UND TESTS ## -if [ -d "others/mbedtls" ]; then - echo "==> Building vendored Mbed TLS (mit Programmen und Tests)..." - ( - cd others/mbedtls - - mkdir -p build - - cmake -S . -B build \ - -DENABLE_PROGRAMS=ON \ - -DENABLE_TESTING=ON - - # Parallel bauen - cmake --build build --config Release --parallel "$JOBS" - - echo "==> Running Mbed TLS tests..." - cd build - ctest --output-on-failure -j"$JOBS" - ) -else - echo "WARNUNG: others/mbedtls nicht gefunden – Mbed TLS wird NICHT gebaut/getestet!" -fi +##if [ -d "others/mbedtls" ]; then +## echo "==> Building vendored Mbed TLS (mit Programmen und Tests)..." +## ( +## cd others/mbedtls +## +## mkdir -p build +## +## cmake -S . -B build \ +## -DENABLE_PROGRAMS=ON \ +## -DENABLE_TESTING=ON +## +## # Parallel bauen +## cmake --build build --config Release --parallel "$JOBS" +## +## echo "==> Running Mbed TLS tests..." +## cd build +## ctest --output-on-failure -j"$JOBS" +## ) +##else +## echo "WARNUNG: others/mbedtls nicht gefunden – Mbed TLS wird NICHT gebaut/getestet!" +##fi ## ## 3. Autotools für ModSecurity initialisieren (nur Linux) From 3a3f74d60c341a7fbda66de1782ec9e83c15db8f Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 18:37:12 +0100 Subject: [PATCH 082/106] update --- .github/codeql/codeql-config.yml | 20 ++++++++++++++++++++ .github/workflows/codeql.yml | 4 +++- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 .github/codeql/codeql-config.yml 
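Review bot: The vendored Mbed TLS build and its `ctest` run are commented out with `##` instead of being removed, so the script now carries a 25-line block of dead code and says nothing about where the library's Mbed TLS is supposed to come from, while the `others/mbedtls` submodule is still bumped daily by Dependabot (the preceding commit) and the CodeQL workflow installs `libmbedtls-dev` from the distribution. If the intent is to build against the system package, replace the block with a single line, `## Mbed TLS: linked from the system package (libmbedtls-dev / brew mbedtls); others/mbedtls is no longer built here.`, and consider dropping the submodule from `dependabot.yaml` so a crypto dependency is not tracked from two sources. Note that the removed block was also the only step exercising Mbed TLS's own test suite; the rest of the script, including the `JOBS` variable it used, lies outside this hunk.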
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 0000000000..4010ab26ab --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,20 @@ +name: "CodeQL config" + +queries: + - uses: security-extended + +paths-ignore: + - tests/** + - test/** + - **/*test* + + # Third-party / submodules + - others/** + - bindings/** + - examples/** + - doc/** + + # Build & generated files + - build/** + - **/*.png + - **/*.md diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5ca80195c9..7023b792eb 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,5 +1,6 @@ name: CodeQL_on_linux + on: workflow_dispatch: push: @@ -9,6 +10,7 @@ on: schedule: - cron: "19 3 * * 1" + permissions: actions: read contents: read @@ -31,7 +33,7 @@ jobs: with: languages: c-cpp build-mode: manual - queries: security-extended + config-file: ./.github/codeql/codeql-config.yml - name: Install build dependencies run: | From 624fc8fbde830433e70cec7f2bf327b957239bcf Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 18:46:15 +0100 Subject: [PATCH 083/106] Update ci.yml --- .github/workflows/ci.yml | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1dbe104a29..0c8722d39c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
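Review bot: The `paths-ignore` entry `**/*test*` matches every path with `test` anywhere in a file or directory name, not just the test trees already covered by `tests/**` and `test/**`, so any production source whose name happens to contain that substring would silently drop out of the analysis (I cannot see the tree to confirm whether that happens here). Narrowing it to directories, `"**/test/**"` and `"**/tests/**"`, or dropping it keeps the intent without the collateral exclusion. The unquoted entries beginning with `*` are also not valid YAML plain scalars (a later commit in this series quotes them), and a one-line comment on `others/**` such as `# vendored third-party code (incl. Mbed TLS) — findings belong upstream` would record why the crypto submodule is deliberately outside the scan.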
@@ -183,4 +183,25 @@ jobs: # cmake -S . -B build ${{ matrix.configure.opt }} # - name: Build # run: | - # cmake --build build --config Release \ No newline at end of file + # cmake --build build --config Release + + + cppcheck: + runs-on: [macos-14] + steps: + - name: Setup Dependencies + run: | + brew install autoconf \ + automake \ + libtool \ + cppcheck + - uses: actions/checkout@v4 + with: + submodules: true + fetch-depth: 0 + - name: configure + run: | + ./build.sh + ./configure + - name: cppcheck + run: make check-static \ No newline at end of file From c17aa793e34f56d54510837dd2a132bd347db0bf Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 14 Dec 2025 19:07:11 +0100 Subject: [PATCH 084/106] Update codeql-config.yml --- .github/codeql/codeql-config.yml | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index 4010ab26ab..a10be7a00e 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -1,20 +1,21 @@ -name: "CodeQL config" +name: "CodeQL config for ModSecurity" queries: - uses: security-extended paths-ignore: - - tests/** - - test/** - - **/*test* + # Tests + - "tests/**" + - "test/**" + - "**/*test*" # Third-party / submodules - - others/** - - bindings/** - - examples/** - - doc/** + - "others/**" + - "bindings/**" + - "examples/**" + - "doc/**" # Build & generated files - - build/** - - **/*.png - - **/*.md + - "build/**" + - "**/*.png" + - "**/*.md" From 1cdf8e065939b55f5b5646b775ea4b7dfef4ea9c Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 14 Dec 2025 19:19:17 +0100 Subject: [PATCH 085/106] Update dependabot-auto-approve.yaml --- .github/workflows/dependabot-auto-approve.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
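Review bot: The re-added `cppcheck` job duplicates the `cppcheck-macos` job already created in `.github/workflows/cppcheck.yml` earlier in this series, and it regresses two things that series had settled: it uses `actions/checkout@v4` after Dependabot bumped this file to `@v6`, and it calls `./build.sh` where the other macOS jobs now call `./build_on_macos.sh` with Homebrew `mbedtls` installed. Either drop the job or align those lines, `- uses: actions/checkout@v6` and `./build_on_macos.sh`, so the two cppcheck runs cannot diverge; the file is also left without a trailing newline again.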
diff --git a/.github/workflows/dependabot-auto-approve.yaml b/.github/workflows/dependabot-auto-approve.yaml index c1ba6975f1..2b467fa367 100644 --- a/.github/workflows/dependabot-auto-approve.yaml +++ b/.github/workflows/dependabot-auto-approve.yaml @@ -12,7 +12,7 @@ jobs: steps: - name: Fetch Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b with: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Approve Pull Request @@ -24,4 +24,4 @@ jobs: run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} \ No newline at end of file + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} From 69c2344a6fd99808fd4d3bd51b7c43e533329156 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 20:11:27 +0100 Subject: [PATCH 086/106] Code scanning --- .github/security-scan-excludes.txt | 28 +++++++++++++ .github/workflows/flawfinder.yml | 44 ++++++++++++++++++++ .github/workflows/ossar.yml | 32 ++++++++++++++ .github/workflows/osv-scanner-pr.yml | 15 +++++++ .github/workflows/osv-scanner-scheduled.yml | 17 ++++++++ .github/workflows/scorecard.yml | 43 +++++++++++++++++++ .github/workflows/semgrep.yml | 46 +++++++++++++++++++++ 7 files changed, 225 insertions(+) create mode 100644 .github/security-scan-excludes.txt create mode 100644 .github/workflows/flawfinder.yml create mode 100644 .github/workflows/ossar.yml create mode 100644 .github/workflows/osv-scanner-pr.yml create mode 100644 .github/workflows/osv-scanner-scheduled.yml create mode 100644 .github/workflows/scorecard.yml create mode 100644 .github/workflows/semgrep.yml diff --git a/.github/security-scan-excludes.txt b/.github/security-scan-excludes.txt new file mode 100644 index 0000000000..0296389830 --- /dev/null +++ b/.github/security-scan-excludes.txt 
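Review bot: Pinning `dependabot/fetch-metadata` to a commit SHA is the right direction, but without a trailing version comment nobody reading the file can tell which release the hash corresponds to, and the usual version-comment convention for SHA pins is not followed; `uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # <release tag this SHA was taken from>`. The same treatment is still missing for every other `uses:` in the workflows of this series, which all stay on mutable tags such as `actions/checkout@v6`.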
@@ -0,0 +1,28 @@ +# Build & Output +build +build/* +out +out/* +dist +dist/* + +# Dependencies / Vendored +vendor +vendor/* +third_party +third_party/* +deps +deps/* +external +external/* + +# VCS / CI +.git +.github + +# Docs & misc +docs +examples +tests +test +benchmarks diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml new file mode 100644 index 0000000000..b799a11812 --- /dev/null +++ b/.github/workflows/flawfinder.yml @@ -0,0 +1,44 @@ +name: Flawfinder (C/C++) + +on: + workflow_dispatch: + pull_request: + push: + branches: [ "main", "master" ] + schedule: + - cron: "20 2 * * 1" # Weekly (reduziert PR-Noise) + +permissions: + contents: read + security-events: write + +jobs: + flawfinder: + runs-on: ubuntu-latest + + steps: + - name: Checkout (inkl. Submodules) + uses: actions/checkout@v6 + with: + submodules: recursive + + - name: Install Flawfinder + run: | + sudo apt-get update + sudo apt-get install -y flawfinder + + - name: Run Flawfinder (SARIF) + run: | + EXCLUDES=$(sed 's/^/--exclude /' .github/security-scan-excludes.txt | tr '\n' ' ') + flawfinder \ + --sarif \ + --output flawfinder.sarif \ + $EXCLUDES \ + . + + - name: Upload SARIF + if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: flawfinder.sarif + category: flawfinder diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml new file mode 100644 index 0000000000..18f47bc6da --- /dev/null +++ b/.github/workflows/ossar.yml 
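Review bot: `EXCLUDES=$(sed 's/^/--exclude /' .github/security-scan-excludes.txt | tr '\n' ' ')` prefixes every line of the exclude file, including the `# Build & Output` comment lines and the blank separator lines added in the same commit, so flawfinder is handed arguments such as `--exclude #`, `--exclude Build`, `--exclude &` and a bare `--exclude`. Filter first: `EXCLUDES=$(grep -vE '^\s*(#|$)' .github/security-scan-excludes.txt | sed 's/^/--exclude /' | tr '\n' ' ')`. It is also worth checking the installed flawfinder's option list before relying on `--exclude`; it is not an option I can confirm from this page, and an unknown option aborts the scan rather than narrowing it. The same `sed` construct appears in semgrep.yml in this commit.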
@@ -0,0 +1,32 @@ +name: OSSAR + +on: + workflow_dispatch: + pull_request: + push: + branches: [ "main", "master" ] + +permissions: + contents: read + security-events: write + +jobs: + ossar: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v6 + with: + submodules: recursive + fetch-depth: 2 + + - name: Run OSSAR + id: ossar + uses: github/ossar-action@v1 + + - name: Upload SARIF + if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.ossar.outputs.sarifFile }} + category: ossar diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml new file mode 100644 index 0000000000..7332e27e5a --- /dev/null +++ b/.github/workflows/osv-scanner-pr.yml @@ -0,0 +1,15 @@ +name: OSV Scanner (PR) + +on: + workflow_dispatch: + pull_request: + merge_group: + +permissions: + contents: read + security-events: write + actions: read + +jobs: + scan-pr: + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.1 diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml new file mode 100644 index 0000000000..a3162c712f --- /dev/null +++ b/.github/workflows/osv-scanner-scheduled.yml @@ -0,0 +1,17 @@ +name: OSV Scanner (Scheduled) + +on: + workflow_dispatch: + schedule: + - cron: "30 3 * * 1" + push: + branches: [ "main", "master" ] + +permissions: + contents: read + security-events: write + actions: read + +jobs: + scan: + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.1 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000000..5abc550c1c --- /dev/null +++ b/.github/workflows/scorecard.yml 
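Review bot: `uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.1` pins a mutable tag, while the other third-party reference added earlier in this series (`dependabot/fetch-metadata`) is pinned to a commit SHA; a reusable workflow runs with this repository's `security-events: write` token, so it deserves the same `@<sha> # v2.3.1` treatment. The scheduled variant in this commit carries the same tag reference.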
@@ -0,0 +1,43 @@ +name: OSSF Scorecard + +on: + workflow_dispatch: + branch_protection_rule: + push: + branches: [ "main", "master" ] + schedule: + - cron: "10 1 * * 0" + +permissions: + contents: read + +jobs: + analysis: + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + contents: read + issues: read + pull-requests: read + checks: read + + steps: + - name: Checkout + uses: actions/checkout@v6 + with: + submodules: recursive + persist-credentials: false + + - name: Run Scorecard + uses: ossf/scorecard-action@v2 + with: + results_file: scorecard.sarif + results_format: sarif + publish_results: false + + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: scorecard.sarif + category: scorecard diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 0000000000..e2ff49b860 --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,46 @@ +name: Semgrep (C/C++ SAST) + +on: + workflow_dispatch: + pull_request: + push: + branches: [ "main", "master" ] + +permissions: + contents: read + security-events: write + +jobs: + semgrep: + runs-on: ubuntu-latest + + steps: + - name: Checkout (inkl. Submodules) + uses: actions/checkout@v6 + with: + submodules: recursive + + - name: Install Semgrep + run: | + python3 -m pip install --upgrade pip + pip install semgrep + + - name: Fetch OSS C/C++ rules + run: | + git clone --depth 1 https://github.com/0xdea/semgrep-rules .semgrep-rules + + - name: Run Semgrep (SARIF) + run: | + EXCLUDES=$(sed 's/^/--exclude /' .github/security-scan-excludes.txt | tr '\n' ' ') + semgrep scan \ + --config .semgrep-rules \ + $EXCLUDES \ + --sarif -o semgrep.sarif \ + . + + - name: Upload SARIF + if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: semgrep.sarif + category: semgrep 
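Review bot: `id-token: write` in the job permissions is the OIDC grant scorecard-action uses to sign and publish results, and this job sets `publish_results: false`, so it is unused privilege; drop it until publishing is enabled, or annotate it with `# only needed once publish_results is true`. The remaining grants are read scopes plus `security-events: write` for the upload, which is the minimum the job as written needs.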
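Review bot: `git clone --depth 1 https://github.com/0xdea/semgrep-rules .semgrep-rules` and `pip install semgrep` both fetch whatever is current at run time, so the rule set and the scanner change underneath every run with no record in this repository; pin both (`pip install semgrep==<version>` and `git -C .semgrep-rules checkout <commit>` after the clone, or a registry pack via `--config p/c` if that is acceptable). The `EXCLUDES` line has the same comment/blank-line problem as flawfinder.yml in this commit, since the exclude file starts with `# Build & Output`.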
From db7bf55a3a1323c069e69cae3936892430fc4c0d Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 14 Dec 2025 20:13:46 +0100 Subject: [PATCH 087/106] Update ci.yml --- .github/workflows/ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0c8722d39c..f20a3e8f10 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -199,9 +199,11 @@ jobs: with: submodules: true fetch-depth: 0 + - name: Build-Script ausführbar machen + run: chmod +x build_on_macos.sh - name: configure run: | - ./build.sh + ./build_on_macos.sh ./configure - name: cppcheck - run: make check-static \ No newline at end of file + run: make check-static From e2e5a9a408756868fa1d083507f48ee9eca53896 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 14 Dec 2025 20:17:36 +0100 Subject: [PATCH 088/106] Update scorecard.yml --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 5abc550c1c..fb0a30ae61 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: Run Scorecard - uses: ossf/scorecard-action@v2 + uses: ossf/scorecard-action@vf49aabe0b5af0936a0987cfb85d86b75731b0186 with: results_file: scorecard.sarif results_format: sarif From d4e2702ef3b9cc456e052bd6ecfdfc2dd61da90a Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 20:23:34 +0100 Subject: [PATCH 089/106] Code scanning update --- .github/workflows/flawfinder.yml | 21 ++++++++++++++++----- .github/workflows/ossar.yml | 18 +++++++++--------- .github/workflows/scorecard.yml | 2 +- 3 files changed, 26 insertions(+), 15 deletions(-) 
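Review bot: `run: chmod +x build_on_macos.sh` papers over the file mode in git; committing the script with `git update-index --chmod=+x build_on_macos.sh` removes the extra step and makes the script runnable for anyone who clones, not just this job. The step name `Build-Script ausführbar machen` is German while the other step names in the file are English.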
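Review bot: `uses: ossf/scorecard-action@vf49aabe0b5af0936a0987cfb85d86b75731b0186` is neither a tag nor a commit — the `v` prefix on a 40-hex SHA does not resolve — so the action cannot be fetched and the job fails before it runs. Use the bare SHA with the release it was taken from as a comment: `uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # <release>`.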
diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index b799a11812..5deac8fb2a 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml @@ -6,7 +6,7 @@ on: push: branches: [ "main", "master" ] schedule: - - cron: "20 2 * * 1" # Weekly (reduziert PR-Noise) + - cron: "20 2 * * 1" # Weekly permissions: contents: read @@ -27,14 +27,25 @@ jobs: sudo apt-get update sudo apt-get install -y flawfinder + - name: Build source file list (with excludes) + run: | + grep -v '^\s*#' .github/security-scan-excludes.txt \ + | sed 's|^|./|' > /tmp/excludes.txt + + find . \ + \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' -o -name '*.h' -o -name '*.hpp' \) \ + -type f \ + | grep -v -F -f /tmp/excludes.txt \ + > /tmp/flawfinder-files.txt + - name: Run Flawfinder (SARIF) run: | - EXCLUDES=$(sed 's/^/--exclude /' .github/security-scan-excludes.txt | tr '\n' ' ') flawfinder \ --sarif \ - --output flawfinder.sarif \ - $EXCLUDES \ - . + --quiet \ + --minlevel=1 \ + $(cat /tmp/flawfinder-files.txt) \ + > flawfinder.sarif - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml index 18f47bc6da..f9ce555304 100644 --- a/.github/workflows/ossar.yml +++ b/.github/workflows/ossar.yml @@ -1,10 +1,9 @@ -name: OSSAR +name: OSSAR (best-effort) on: + schedule: + - cron: "15 4 * * 1" # Weekly, nicht auf PRs workflow_dispatch: - pull_request: - push: - branches: [ "main", "master" ] permissions: contents: read 
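Review bot: `grep -v -F -f /tmp/excludes.txt` matches each exclude entry as a fixed substring anywhere in the path, so after `sed 's|^|./|'` the entry `test` becomes `./test` and also drops `./test_foo.c`-style files, while glob entries such as `build/*` become the literal `./build/*` and never match anything. Anchoring the entries as regexes — `sed -E 's#/\*$##; s#^#^\./#; s#$#(/|$)#'` when building the list and `grep -v -E -f` when applying it — makes the file behave as the directory list it is written as. Blank lines in the exclude file should be filtered alongside the `^\s*#` lines, otherwise they become an empty pattern that matches every path.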
@@ -13,20 +12,21 @@ permissions: jobs: ossar: runs-on: ubuntu-latest + continue-on-error: true steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 with: submodules: recursive - fetch-depth: 2 - name: Run OSSAR id: ossar + continue-on-error: true uses: github/ossar-action@v1 - - name: Upload SARIF - if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false + - name: Upload SARIF (if present) + if: always() uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: ${{ steps.ossar.outputs.sarifFile }} + sarif_file: .gdn/msdo.sarif category: ossar diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index fb0a30ae61..b3b3b5f533 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: Run Scorecard - uses: ossf/scorecard-action@vf49aabe0b5af0936a0987cfb85d86b75731b0186 + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 with: results_file: scorecard.sarif results_format: sarif From 338ab1549ceb1c5bf642815f828ad38e7fa836b1 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 20:30:09 +0100 Subject: [PATCH 090/106] Code scanning update 2 --- .github/workflows/flawfinder.yml | 52 ++++++++++++++++++++++++-------- .github/workflows/semgrep.yml | 19 ++++++++++-- 2 files changed, 57 insertions(+), 14 deletions(-) diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index 5deac8fb2a..5564ab7469 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml 
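Review bot: `continue-on-error: true` on the job plus `if: always()` on the upload means a broken or crashing OSSAR run still ends green and still tries to upload `.gdn/msdo.sarif`, so a scanner that stopped working would not be noticed; keep the job's real status and upload only on success (`if: steps.ossar.outcome == 'success'`, keeping `${{ steps.ossar.outputs.sarifFile }}` rather than the hard-coded path). The checkout is also moved back from `@v6` to `@v4` here while every other workflow in this series goes to `@v6`, which reintroduces the drift Dependabot just removed.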
@@ -27,25 +27,53 @@ jobs: sudo apt-get update sudo apt-get install -y flawfinder - - name: Build source file list (with excludes) + - name: Build source file list (robust excludes) + shell: bash run: | - grep -v '^\s*#' .github/security-scan-excludes.txt \ - | sed 's|^|./|' > /tmp/excludes.txt + set -euo pipefail + EXCLUDE_FILE=".github/security-scan-excludes.txt" + EXCLUDE_TMP="/tmp/excludes.txt" + + # 1) Excludes vorbereiten (falls Datei fehlt/leer ist -> leere exclude list) + if [[ -f "$EXCLUDE_FILE" ]]; then + # Kommentare/Leerzeilen entfernen, "./" davor setzen + grep -vE '^\s*#|^\s*$' "$EXCLUDE_FILE" | sed 's|^|./|' > "$EXCLUDE_TMP" || true + else + : > "$EXCLUDE_TMP" + fi + + # 2) Relevante Quellfiles finden find . \ - \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' -o -name '*.h' -o -name '*.hpp' \) \ -type f \ - | grep -v -F -f /tmp/excludes.txt \ - > /tmp/flawfinder-files.txt + \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' -o -name '*.cxx' -o -name '*.h' -o -name '*.hh' -o -name '*.hpp' -o -name '*.hxx' \) \ + > /tmp/all-src.txt + + # 3) Excludes anwenden (wenn exclude list leer -> einfach alles nehmen) + if [[ -s "$EXCLUDE_TMP" ]]; then + grep -v -F -f "$EXCLUDE_TMP" /tmp/all-src.txt > /tmp/flawfinder-files.txt || true + else + cp /tmp/all-src.txt /tmp/flawfinder-files.txt + fi + + # 4) Falls nix übrig bleibt, nicht failen – nur warnen + if [[ ! -s /tmp/flawfinder-files.txt ]]; then + echo "No source files to scan after excludes." + else + echo "Files to scan: $(wc -l < /tmp/flawfinder-files.txt)" + fi - name: Run Flawfinder (SARIF) + shell: bash run: | - flawfinder \ - --sarif \ - --quiet \ - --minlevel=1 \ - $(cat /tmp/flawfinder-files.txt) \ - > flawfinder.sarif + if [[ ! -s /tmp/flawfinder-files.txt ]]; then + echo "Skipping flawfinder: no files." 
+ echo '{"version":"2.1.0","runs":[]}' > flawfinder.sarif + exit 0 + fi + + flawfinder --sarif --quiet --minlevel=1 $(cat /tmp/flawfinder-files.txt) > flawfinder.sarif + - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index e2ff49b860..2691984328 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -29,9 +29,24 @@ jobs: run: | git clone --depth 1 https://github.com/0xdea/semgrep-rules .semgrep-rules - - name: Run Semgrep (SARIF) + - name: Run Semgrep (SARIF, robust excludes) + shell: bash run: | - EXCLUDES=$(sed 's/^/--exclude /' .github/security-scan-excludes.txt | tr '\n' ' ') + set -euo pipefail + + EXCLUDE_FILE=".github/security-scan-excludes.txt" + EXCLUDES="" + + if [[ -f "$EXCLUDE_FILE" ]]; then + while IFS= read -r line; do + # Skip comments and empty lines + [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue + EXCLUDES+=" --exclude $line" + done < "$EXCLUDE_FILE" + fi + + echo "Semgrep excludes: $EXCLUDES" + semgrep scan \ --config .semgrep-rules \ $EXCLUDES \ From acba59e02405134859ea2124ef4db7b4058e93b1 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 20:35:45 +0100 Subject: [PATCH 091/106] Code scanning update 3 --- .github/workflows/ci.yml | 5 +++-- .github/workflows/flawfinder.yml | 2 +- .github/workflows/ossar.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- .github/workflows/semgrep.yml | 2 +- 5 files changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f20a3e8f10..c235c690a6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -194,8 +194,9 @@ jobs: brew install autoconf \ automake \ libtool \ - cppcheck - - uses: actions/checkout@v4 + cppcheck \ + mbedtls + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 
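Review bot: The no-files branch writes `{"version":"2.1.0","runs":[]}` and exits 0, so an exclude list that accidentally swallows the whole tree produces a green job and an empty code-scanning upload instead of a visible failure; for a security scanner that is fail-open. Fail the step (`echo "::error::no source files left to scan after excludes"; exit 1`) or at least make the upload conditional on a step output so the gap is noticed. Whether `upload-sarif` accepts a document with zero `runs` cannot be confirmed from this page, so the empty-report path may also fail at upload time rather than quietly.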
diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index 5564ab7469..65656282dc 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml @@ -77,7 +77,7 @@ jobs: - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: flawfinder.sarif category: flawfinder diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml index f9ce555304..7d5ebbda7d 100644 --- a/.github/workflows/ossar.yml +++ b/.github/workflows/ossar.yml @@ -15,7 +15,7 @@ jobs: continue-on-error: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: submodules: recursive @@ -26,7 +26,7 @@ jobs: - name: Upload SARIF (if present) if: always() - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: .gdn/msdo.sarif category: ossar diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index b3b3b5f533..54052c1e11 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -37,7 +37,7 @@ jobs: publish_results: false - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: scorecard.sarif category: scorecard diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 2691984328..3120c189e4 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -55,7 +55,7 @@ jobs: - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: semgrep.sarif category: semgrep From 62215449c87a1d20cb30d40c9d7d54f681d78415 Mon Sep 17 00:00:00 2001 
From: Easton97-Jens Date: Sun, 14 Dec 2025 20:45:17 +0100 Subject: [PATCH 092/106] Code scanning update 4 --- .github/workflows/ci.yml | 8 +++++-- .github/workflows/ossar.yml | 21 +++++++++++------ .github/workflows/osv-scanner-pr.yml | 3 ++- .github/workflows/osv-scanner-scheduled.yml | 3 ++- .github/workflows/semgrep.yml | 26 +++++++++++++++------ 5 files changed, 43 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c235c690a6..f2ea2aa2a5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -202,9 +202,13 @@ jobs: fetch-depth: 0 - name: Build-Script ausführbar machen run: chmod +x build_on_macos.sh + - name: build_on_macos.sh + run: ./build_on_macos.sh - name: configure - run: | - ./build_on_macos.sh + env: + CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include + LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib + run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking ./configure - name: cppcheck run: make check-static diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml index 7d5ebbda7d..0c68e74550 100644 --- a/.github/workflows/ossar.yml +++ b/.github/workflows/ossar.yml @@ -19,14 +19,21 @@ jobs: with: submodules: recursive - - name: Run OSSAR - id: ossar - continue-on-error: true - uses: github/ossar-action@v1 + - name: Reduce SARIF to a single run (GitHub Code Scanning requirement) + shell: bash + run: | + set -euo pipefail + if [ -f ".gdn/msdo.sarif" ]; then + jq '.runs = [ .runs[0] ]' .gdn/msdo.sarif > msdo.single.sarif + else + echo "No .gdn/msdo.sarif found" + exit 1 + fi - - name: Upload SARIF (if present) - if: always() + + - name: Upload SARIF uses: github/codeql-action/upload-sarif@v4 with: - sarif_file: .gdn/msdo.sarif + sarif_file: msdo.single.sarif category: ossar + diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml index 7332e27e5a..fa360e8b3e 100644 --- a/.github/workflows/osv-scanner-pr.yml 
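Review bot: Changing `run: |` to a plain scalar while leaving the context line `./configure` underneath it turns the step into one folded YAML string, so the command becomes `./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking ./configure` with a stray `./configure` argument; either delete that trailing line or keep the block scalar. The `cppcheck` job's header is outside this hunk, and no `strategy.matrix` is visible for it, so `${{ matrix.configure.opt }}` expands to an empty string unless one is defined above.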
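Review bot: The `Run OSSAR` step (`uses: github/ossar-action@v1`) is deleted, but the new step still looks for `.gdn/msdo.sarif` and does `exit 1` when it is absent, so nothing produces the file any more and the job now always fails (hidden by the job-level `continue-on-error: true`) and never uploads anything. Either restore the action step ahead of the `jq '.runs = [ .runs[0] ]'` reduction or drop the workflow entirely.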
+++ b/.github/workflows/osv-scanner-pr.yml @@ -1,7 +1,6 @@ name: OSV Scanner (PR) on: - workflow_dispatch: pull_request: merge_group: @@ -13,3 +12,5 @@ permissions: jobs: scan-pr: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.1 + with: + allow-no-lockfiles: true diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml index a3162c712f..edfbe14faa 100644 --- a/.github/workflows/osv-scanner-scheduled.yml +++ b/.github/workflows/osv-scanner-scheduled.yml @@ -1,7 +1,6 @@ name: OSV Scanner (Scheduled) on: - workflow_dispatch: schedule: - cron: "30 3 * * 1" push: @@ -15,3 +14,5 @@ permissions: jobs: scan: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.1 + with: + allow-no-lockfiles: true diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 3120c189e4..9e744bed31 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml 
@@ -25,30 +25,42 @@ jobs: python3 -m pip install --upgrade pip pip install semgrep - - name: Fetch OSS C/C++ rules + - name: Fetch Semgrep Community rules run: | - git clone --depth 1 https://github.com/0xdea/semgrep-rules .semgrep-rules + git clone --depth 1 https://github.com/semgrep/semgrep-rules .semgrep-rules - - name: Run Semgrep (SARIF, robust excludes) + - name: Run Semgrep (SARIF, robust excludes + configs) shell: bash run: | set -euo pipefail + # 1) Excludes aus Datei robust einlesen (Kommentare/Leerzeilen ignorieren) EXCLUDE_FILE=".github/security-scan-excludes.txt" EXCLUDES="" - if [[ -f "$EXCLUDE_FILE" ]]; then while IFS= read -r line; do - # Skip comments and empty lines [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue EXCLUDES+=" --exclude $line" done < "$EXCLUDE_FILE" fi + echo "Semgrep excludes:$EXCLUDES" + + # 2) Configs nur hinzufügen, wenn sie existieren (Repo-Struktur kann sich ändern) + CONFIGS=() + [[ -d ".semgrep-rules/c" ]] && CONFIGS+=("--config" ".semgrep-rules/c") + [[ -d ".semgrep-rules/cpp" ]] && CONFIGS+=("--config" ".semgrep-rules/cpp") + # Optional: generische Security-Audit Rules (sprache-unabhängig/teilweise generisch) + [[ -d ".semgrep-rules/security/audit" ]] && CONFIGS+=("--config" ".semgrep-rules/security/audit") - echo "Semgrep excludes: $EXCLUDES" + if [[ ${#CONFIGS[@]} -eq 0 ]]; then + echo "No suitable Semgrep community rule directories found; skipping." + echo '{"version":"2.1.0","runs":[]}' > semgrep.sarif + exit 0 + fi + # 3) Scan semgrep scan \ - --config .semgrep-rules \ + "${CONFIGS[@]}" \ $EXCLUDES \ --sarif -o semgrep.sarif \ . From 90faa9500087cd6149a5fe9b885ebe489012bd7a Mon Sep 17 00:00:00 2001 
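Review bot: `git clone --depth 1 https://github.com/semgrep/semgrep-rules .semgrep-rules` still takes the default branch at run time, so the rule set is unpinned, and the `CONFIGS` directory probes (`.semgrep-rules/c`, `.semgrep-rules/cpp`, `.semgrep-rules/security/audit`) react to a layout change by silently scanning less; a missing directory should fail the job rather than shrink coverage, and the clone should be pinned (`git -C .semgrep-rules checkout <commit>`) or replaced by registry packs (`--config p/c --config p/cpp`). The inline comments in this step are German (`Excludes aus Datei robust einlesen`, `sprache-unabhängig/teilweise generisch`); English matches the rest of the workflow files.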
From: Easton97-Jens Date: Sun, 14 Dec 2025 21:13:07 +0100 Subject: [PATCH 093/106] Code scanning update 5 --- .github/security-scan-excludes.txt | 1 + .github/workflows/ci.yml | 32 +++++++++++++++++++----------- .github/workflows/flawfinder.yml | 27 ++++++++++++++++++------- 3 files changed, 41 insertions(+), 19 deletions(-) diff --git a/.github/security-scan-excludes.txt b/.github/security-scan-excludes.txt index 0296389830..5a06e1c0bc 100644 --- a/.github/security-scan-excludes.txt +++ b/.github/security-scan-excludes.txt @@ -15,6 +15,7 @@ deps deps/* external external/* +others/* # VCS / CI .git diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f2ea2aa2a5..95a2255ab0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -185,30 +185,38 @@ jobs: # run: | # cmake --build build --config Release - - cppcheck: - runs-on: [macos-14] + cppcheck-macos: + name: cppcheck (macOS) + runs-on: macos-14 + steps: - name: Setup Dependencies run: | - brew install autoconf \ - automake \ - libtool \ - cppcheck \ - mbedtls - - uses: actions/checkout@v6 + brew update + brew install autoconf automake libtool cppcheck mbedtls + + - name: Checkout (with submodules) + uses: actions/checkout@v6 with: - submodules: true + submodules: recursive fetch-depth: 0 + + - name: Ensure submodules are up to date + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: Build-Script ausführbar machen run: chmod +x build_on_macos.sh + - name: build_on_macos.sh run: ./build_on_macos.sh + - name: configure env: CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib - run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - ./configure + run: ./configure --disable-dependency-tracking + - name: cppcheck run: make check-static diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index 65656282dc..6b7e2ef35e 100644 
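Review bot: `git submodule sync --recursive` / `git submodule update --init --recursive --force` repeats what `actions/checkout@v6` with `submodules: recursive` did two steps earlier, and `--force` discards working-tree state in the submodules, so the step looks like it fixes a problem the checkout did not have; drop it, or if a specific submodule failure motivated it, say so in a comment. The `/opt/homebrew/opt/mbedtls` paths in `CPPFLAGS`/`LDFLAGS` are the Apple-silicon Homebrew prefix; `run: ./configure CPPFLAGS="-I$(brew --prefix mbedtls)/include" LDFLAGS="-L$(brew --prefix mbedtls)/lib" --disable-dependency-tracking` works on either runner architecture.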
--- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml @@ -63,21 +63,34 @@ jobs: echo "Files to scan: $(wc -l < /tmp/flawfinder-files.txt)" fi - - name: Run Flawfinder (SARIF) + - name: Build Flawfinder file list (headers only) shell: bash run: | - if [[ ! -s /tmp/flawfinder-files.txt ]]; then - echo "Skipping flawfinder: no files." - echo '{"version":"2.1.0","runs":[]}' > flawfinder.sarif + git ls-files headers '*.h' > /tmp/flawfinder-headers-files.txt + + - name: Run Flawfinder (SARIF, headers strict) + shell: bash + run: | + if [[ ! -s /tmp/flawfinder-headers-files.txt ]]; then + echo "Skipping flawfinder headers: no files." + echo '{"version":"2.1.0","runs":[]}' > flawfinder-headers.sarif exit 0 fi - flawfinder --sarif --quiet --minlevel=1 $(cat /tmp/flawfinder-files.txt) > flawfinder.sarif + flawfinder \ + --sarif \ + --quiet \ + --minlevel=1 \ + --exclude-dir=vendor,third_party,deps,external,mbedtls \ + $(cat /tmp/flawfinder-headers-files.txt) \ + > flawfinder-headers.sarif + + - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false uses: github/codeql-action/upload-sarif@v4 with: - sarif_file: flawfinder.sarif - category: flawfinder + sarif_file: flawfinder-headers.sarif + category: flawfinder-headers-strict \ No newline at end of file From d08a7b0c979bd83319ba1dc73ff4210f24c40d8d Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 21:23:03 +0100 Subject: [PATCH 094/106] Fix memory leak #3470 --- headers/modsecurity/transaction.h | 18 ++++++++++++------ src/transaction.cc | 6 ++++++ 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/headers/modsecurity/transaction.h b/headers/modsecurity/transaction.h index 3e70caa38e..d9d670d9c2 100644 --- a/headers/modsecurity/transaction.h +++ b/headers/modsecurity/transaction.h 
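Review bot: Replacing the full file list with `git ls-files headers '*.h'` narrows the scan to headers, so every `.c`/`.cc` under `src/` — where the buffer and string handling flawfinder exists to catch actually lives — is no longer scanned, and switching the SARIF category to `flawfinder-headers-strict` replaces the old `flawfinder` category rather than adding to it, which will close previously reported alerts as fixed. `git ls-files` also ORs its pathspecs, so `headers '*.h'` lists every tracked `.h` anywhere, not only `headers/`, and the `Build source file list` step above now produces a file nothing reads. Keep the source scan as a second invocation (or a second category) if the headers-only run is meant as a stricter subset.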
@@ -205,9 +205,12 @@ class TransactionAnchoredVariables { m_variableFilesTmpNames(t, "FILES_TMPNAMES"), m_variableMultipartPartHeaders(t, "MULTIPART_PART_HEADERS"), m_variableOffset(0), - m_variableArgsNames("ARGS_NAMES", &m_variableArgs), - m_variableArgsGetNames("ARGS_GET_NAMES", &m_variableArgsGet), - m_variableArgsPostNames("ARGS_POST_NAMES", &m_variableArgsPost) + m_pVariableArgsNames(std::make_unique("ARGS_NAMES", &m_variableArgs)), + m_variableArgsNames(*m_pVariableArgsNames), + m_pVariableArgsGetNames(std::make_unique("ARGS_GET_NAMES", &m_variableArgsGet)), + m_variableArgsGetNames(*m_pVariableArgsGetNames), + m_pVariableArgsPostNames(std::make_unique("ARGS_POST_NAMES", &m_variableArgsPost)), + m_variableArgsPostNames(*m_pVariableArgsPostNames) { } AnchoredSetVariable m_variableRequestHeadersNames; @@ -291,9 +294,12 @@ class TransactionAnchoredVariables { int m_variableOffset; - AnchoredSetVariableTranslationProxy m_variableArgsNames; - AnchoredSetVariableTranslationProxy m_variableArgsGetNames; - AnchoredSetVariableTranslationProxy m_variableArgsPostNames; + std::unique_ptr m_pVariableArgsNames; + AnchoredSetVariableTranslationProxy &m_variableArgsNames; + std::unique_ptr m_pVariableArgsGetNames; + AnchoredSetVariableTranslationProxy &m_variableArgsGetNames; + std::unique_ptr m_pVariableArgsPostNames; + AnchoredSetVariableTranslationProxy &m_variableArgsPostNames; }; class TransactionSecMarkerManagement { diff --git a/src/transaction.cc b/src/transaction.cc index 6c8ae9744c..a977464dbb 100644 --- a/src/transaction.cc +++ b/src/transaction.cc @@ -170,6 +170,12 @@ Transaction::~Transaction() { m_rulesMessages.clear(); + m_ruleRemoveById.clear(); + m_ruleRemoveByIdRange.clear(); + m_ruleRemoveByTag.clear(); + m_ruleRemoveTargetById.clear(); + m_ruleRemoveTargetByTag.clear(); + intervention::free(&m_it); intervention::clean(&m_it); From 6d8821329425ceffa13db01d137b8a17302ad084 Mon Sep 17 00:00:00 2001 
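Review bot: Moving the three `AnchoredSetVariableTranslationProxy` members behind `std::unique_ptr` and re-exposing them as reference members (`m_variableArgsNames(*m_pVariableArgsNames)`) does not release anything the by-value members did not already release — a value member is destroyed with its object — so this hunk adds a heap allocation per `TransactionAnchoredVariables`, and, because reference members make the implicit copy-assignment deleted, narrows what the class can do, without addressing a leak; if the leak in #3470 is inside the proxy's own allocations it has to be fixed there. As rendered, `std::make_unique("ARGS_NAMES", &m_variableArgs)` has no template argument, which is probably a rendering loss but should be checked in the committed file, and `<memory>` must be included by this header. If the pointer-plus-reference layout is kept, a one-line comment stating why it is needed belongs next to the members; the class body continues outside the hunk.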
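Review bot: The five `.clear()` calls added to `Transaction::~Transaction()` do not free anything the destructor was not already freeing: standard containers destroy their elements when the member itself is destroyed moments later, and if these containers hold raw owning pointers (their element types are not visible in this hunk) `clear()` drops the pointers without `delete`, so a leak of the pointees survives this change intact. If these members are the source of #3470, the fix is to own the elements with `std::unique_ptr` or delete them explicitly before clearing; if they are not, this hunk is noise that makes the destructor look as though it handles ownership. The `m_rulesMessages.clear()` context line above has the same character.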
From: Easton97-Jens Date: Sun, 14 Dec 2025 21:30:02 +0100 Subject: [PATCH 095/106] Code scanning update 6 --- .github/workflows/ossar.yml | 39 --------------------- .github/workflows/osv-scanner-pr.yml | 3 +- .github/workflows/osv-scanner-scheduled.yml | 1 + 3 files changed, 3 insertions(+), 40 deletions(-) delete mode 100644 .github/workflows/ossar.yml diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml deleted file mode 100644 index 0c68e74550..0000000000 --- a/.github/workflows/ossar.yml +++ /dev/null @@ -1,39 +0,0 @@ -name: OSSAR (best-effort) - -on: - schedule: - - cron: "15 4 * * 1" # Weekly, nicht auf PRs - workflow_dispatch: - -permissions: - contents: read - security-events: write - -jobs: - ossar: - runs-on: ubuntu-latest - continue-on-error: true - - steps: - - uses: actions/checkout@v6 - with: - submodules: recursive - - - name: Reduce SARIF to a single run (GitHub Code Scanning requirement) - shell: bash - run: | - set -euo pipefail - if [ -f ".gdn/msdo.sarif" ]; then - jq '.runs = [ .runs[0] ]' .gdn/msdo.sarif > msdo.single.sarif - else - echo "No .gdn/msdo.sarif found" - exit 1 - fi - - - - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: msdo.single.sarif - category: ossar - diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml index fa360e8b3e..1ebb5d7397 100644 --- a/.github/workflows/osv-scanner-pr.yml +++ b/.github/workflows/osv-scanner-pr.yml @@ -3,7 +3,8 @@ name: OSV Scanner (PR) on: pull_request: merge_group: - + workflow_dispatch: + permissions: contents: read security-events: write diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml index edfbe14faa..10aaafacd2 100644 --- a/.github/workflows/osv-scanner-scheduled.yml +++ b/.github/workflows/osv-scanner-scheduled.yml @@ -1,6 +1,7 @@ name: OSV Scanner (Scheduled) on: + workflow_dispatch: schedule: - cron: "30 3 * * 1" push: 
From 3e3a6aa8a1b8e8cb408344d1c61d5b65fef239b3 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 21:40:39 +0100 Subject: [PATCH 096/106] Code scanning update 7 --- .github/workflows/flawfinder.yml | 10 ++++++++-- .github/workflows/osv-scanner-pr.yml | 5 ++--- .github/workflows/osv-scanner-scheduled.yml | 3 +-- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index 6b7e2ef35e..f35da11a63 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml @@ -77,6 +77,7 @@ jobs: exit 0 fi + set +e flawfinder \ --sarif \ --quiet \ @@ -84,9 +85,14 @@ jobs: --exclude-dir=vendor,third_party,deps,external,mbedtls \ $(cat /tmp/flawfinder-headers-files.txt) \ > flawfinder-headers.sarif + rc=$? + set -e - - + # 16 = findings found (nicht als Workflow-Fehler behandeln) + if [[ $rc -ne 0 && $rc -ne 16 ]]; then + echo "flawfinder failed with exit code $rc" + exit $rc + fi - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml index 1ebb5d7397..8abdc4a44d 100644 --- a/.github/workflows/osv-scanner-pr.yml +++ b/.github/workflows/osv-scanner-pr.yml @@ -4,7 +4,7 @@ on: pull_request: merge_group: workflow_dispatch: - + permissions: contents: read security-events: write @@ -13,5 +13,4 @@ permissions: jobs: scan-pr: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.1 - with: - allow-no-lockfiles: true + diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml index 10aaafacd2..0a8f5f3930 100644 --- a/.github/workflows/osv-scanner-scheduled.yml +++ b/.github/workflows/osv-scanner-scheduled.yml 
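Review bot: The `rc -ne 16` special case assumes flawfinder reports hits with exit status 16, which I cannot confirm from this page; flawfinder's documented knob for this is `--error-level` (non-zero exit when a hit reaches that level), so either pass an explicit `--error-level` and treat any non-zero exit as a real error, or verify the status value against the installed version and cite it in the comment. `# 16 = findings found (nicht als Workflow-Fehler behandeln)` should also be English, e.g. `# flawfinder exits non-zero when it reports hits; findings must not fail the job`.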
@@ -15,5 +15,4 @@ permissions: jobs: scan: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.1 - with: - allow-no-lockfiles: true + From 8993f9443b6b8310830f5817fe7fa03c936947b2 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 21:47:11 +0100 Subject: [PATCH 097/106] Update flawfinder.yml --- .github/workflows/flawfinder.yml | 38 +++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index f35da11a63..78d5eaedcb 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml @@ -77,6 +77,9 @@ jobs: exit 0 fi + # Defensive: remove empty lines + sed -i '/^\s*$/d' /tmp/flawfinder-headers-files.txt + set +e flawfinder \ --sarif \ 
@@ -84,16 +87,41 @@ jobs: --minlevel=1 \ --exclude-dir=vendor,third_party,deps,external,mbedtls \ $(cat /tmp/flawfinder-headers-files.txt) \ - > flawfinder-headers.sarif + > flawfinder-headers.sarif \ + 2> flawfinder-headers.stderr rc=$? set -e - # 16 = findings found (nicht als Workflow-Fehler behandeln) - if [[ $rc -ne 0 && $rc -ne 16 ]]; then - echo "flawfinder failed with exit code $rc" - exit $rc + echo "flawfinder exit code: $rc" + if [[ -s flawfinder-headers.stderr ]]; then + echo "---- flawfinder stderr ----" + cat flawfinder-headers.stderr + echo "---------------------------" fi + # If output isn't valid JSON (SARIF), fall back to empty SARIF so upload doesn't fail + if ! python3 - <<'PY' + import json, sys + p="flawfinder-headers.sarif" + try: + with open(p,"r",encoding="utf-8") as f: + json.load(f) + except Exception as e: + print("SARIF parse failed:", e) + sys.exit(1) + sys.exit(0) + PY + then + echo "Writing empty SARIF because flawfinder output was not valid SARIF JSON." + echo '{"version":"2.1.0","runs":[]}' > flawfinder-headers.sarif + fi + + # Treat "findings found" as success + if [[ $rc -ne 0 && $rc -ne 16 ]]; then + exit $rc + fi + + - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false uses: github/codeql-action/upload-sarif@v4 From d147040b59380053fe5bc45a4d92862abe7bfe76 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 21:56:50 +0100 Subject: [PATCH 098/106] Update flawfinder.yml --- .github/workflows/flawfinder.yml | 62 ++++++++++++++++---------------- 1 file changed, 30 insertions(+), 32 deletions(-) diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index 78d5eaedcb..13a12daa0a 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml 
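Review bot: The `if ! python3 - <<'PY'` heredoc is closed by `PY`, but as written inside the `run: |` block the terminator is indented under the `if`, and a plain `<<` heredoc only ends on a line that is exactly `PY` at column 0; bash reads to the end of the script looking for it and fails with a syntax error, so this step cannot run as committed. Use `<<-'PY'` with tab indentation, or a one-liner: `python3 -c 'import json; json.load(open("flawfinder-headers.sarif", encoding="utf-8"))'`. Note also that the fallback writes an empty SARIF and still exits 0 when `rc` is 0 or 16, so a flawfinder run that emitted garbage is reported as a clean scan.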
@@ -66,27 +66,33 @@ jobs: - name: Build Flawfinder file list (headers only) shell: bash run: | - git ls-files headers '*.h' > /tmp/flawfinder-headers-files.txt + set -euo pipefail + git ls-files 'headers/**' \ + | grep -E '\.(h|hh|hpp|hxx)$' \ + > /tmp/flawfinder-headers-files.txt || true + + echo "Header files to scan: $(wc -l < /tmp/flawfinder-headers-files.txt || echo 0)" + - name: Run Flawfinder (SARIF, headers strict) shell: bash run: | + set -euo pipefail + if [[ ! -s /tmp/flawfinder-headers-files.txt ]]; then echo "Skipping flawfinder headers: no files." - echo '{"version":"2.1.0","runs":[]}' > flawfinder-headers.sarif + echo '{"$schema":"https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"flawfinder","informationUri":"https://dwheeler.com/flawfinder/"}},"results":[]}]}' > flawfinder-headers.sarif exit 0 fi - # Defensive: remove empty lines - sed -i '/^\s*$/d' /tmp/flawfinder-headers-files.txt + echo "Flawfinder version:" + flawfinder --version || true + # Run flawfinder. IMPORTANT: no --quiet here. set +e - flawfinder \ - --sarif \ - --quiet \ - --minlevel=1 \ - --exclude-dir=vendor,third_party,deps,external,mbedtls \ - $(cat /tmp/flawfinder-headers-files.txt) \ + xargs -a /tmp/flawfinder-headers-files.txt \ + flawfinder --sarif --minlevel=1 \ + --exclude-dir=vendor --exclude-dir=third_party --exclude-dir=deps --exclude-dir=external --exclude-dir=mbedtls \ > flawfinder-headers.sarif \ 2> flawfinder-headers.stderr rc=$? 
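Review bot: `xargs -a /tmp/flawfinder-headers-files.txt flawfinder --sarif …` can invoke flawfinder more than once if the list exceeds xargs's argument-size limit, and every invocation writes a complete SARIF document to the same redirected stdout, so the result is no longer valid JSON; the validation later in this commit then swaps it for an empty run and all findings are dropped without failing the job. A header-only list is unlikely to hit the limit, but the failure mode is silent, so it is worth making it loud: `xargs -d '\n' -x -a /tmp/flawfinder-headers-files.txt \` aborts instead of splitting (and `-d '\n'` stops xargs from interpreting quotes or spaces in paths). The step body continues past the end of this hunk.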
@@ -99,27 +105,19 @@ jobs: echo "---------------------------" fi - # If output isn't valid JSON (SARIF), fall back to empty SARIF so upload doesn't fail - if ! python3 - <<'PY' - import json, sys - p="flawfinder-headers.sarif" - try: - with open(p,"r",encoding="utf-8") as f: - json.load(f) - except Exception as e: - print("SARIF parse failed:", e) - sys.exit(1) - sys.exit(0) - PY - then - echo "Writing empty SARIF because flawfinder output was not valid SARIF JSON." - echo '{"version":"2.1.0","runs":[]}' > flawfinder-headers.sarif - fi - - # Treat "findings found" as success - if [[ $rc -ne 0 && $rc -ne 16 ]]; then - exit $rc - fi + echo "SARIF size: $(wc -c < flawfinder-headers.sarif) bytes" + head -c 200 flawfinder-headers.sarif | cat -v || true + + # Validate JSON. If invalid => write minimal valid SARIF with a run. + if ! python3 -c 'import json; json.load(open("flawfinder-headers.sarif","r",encoding="utf-8"))' 2>/dev/null; then + echo "Writing minimal SARIF because flawfinder output was not valid SARIF JSON." + echo '{"$schema":"https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"flawfinder","informationUri":"https://dwheeler.com/flawfinder/"}},"results":[]}]}' > flawfinder-headers.sarif + fi + + # 16 = findings found => don't fail job + if [[ $rc -ne 0 && $rc -ne 16 ]]; then + exit $rc + fi - name: Upload SARIF @@ -127,4 +125,4 @@ jobs: uses: github/codeql-action/upload-sarif@v4 with: sarif_file: flawfinder-headers.sarif - category: flawfinder-headers-strict \ No newline at end of file + category: flawfinder-headers-strict From 1e445f79e7571a844e02476541e299addaa70df5 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 21:59:39 +0100 Subject: [PATCH 099/106] Update flawfinder.yml --- .github/workflows/flawfinder.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
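Review bot: The invalid-JSON fallback in this hunk only ever masks a scanner problem: the `exit $rc` check that follows already fails the step for any exit code other than 0/16, so the fallback takes effect precisely when flawfinder reported success yet produced unparsable output, and it then uploads a `"results":[]` run that reads as a clean scan. For a security gate a loud failure is safer, e.g. replacing the fallback `echo … > flawfinder-headers.sarif` with `echo "::error::flawfinder output is not valid SARIF JSON"; exit 1`. The minimal-SARIF literal is also duplicated verbatim from the no-files branch earlier in the step (outside this hunk); a single shell variable would keep the two copies in sync. The enclosing `run:` script starts before this hunk.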
diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index 13a12daa0a..f0ac0c2105 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml @@ -86,13 +86,11 @@ jobs: fi echo "Flawfinder version:" - flawfinder --version || true + flawfinder --version - # Run flawfinder. IMPORTANT: no --quiet here. set +e xargs -a /tmp/flawfinder-headers-files.txt \ flawfinder --sarif --minlevel=1 \ - --exclude-dir=vendor --exclude-dir=third_party --exclude-dir=deps --exclude-dir=external --exclude-dir=mbedtls \ > flawfinder-headers.sarif \ 2> flawfinder-headers.stderr rc=$? @@ -106,15 +104,14 @@ jobs: fi echo "SARIF size: $(wc -c < flawfinder-headers.sarif) bytes" - head -c 200 flawfinder-headers.sarif | cat -v || true - # Validate JSON. If invalid => write minimal valid SARIF with a run. + # Validate SARIF JSON if ! python3 -c 'import json; json.load(open("flawfinder-headers.sarif","r",encoding="utf-8"))' 2>/dev/null; then echo "Writing minimal SARIF because flawfinder output was not valid SARIF JSON." echo '{"$schema":"https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"flawfinder","informationUri":"https://dwheeler.com/flawfinder/"}},"results":[]}]}' > flawfinder-headers.sarif fi - # 16 = findings found => don't fail job + # 16 = findings found → OK if [[ $rc -ne 0 && $rc -ne 16 ]]; then exit $rc fi From 047896330db1a8722ead0cb3aa444a943ae60b2e Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 22:06:47 +0100 Subject: [PATCH 100/106] OSV Scanner update --- .github/workflows/osv-scanner-pr.yml | 2 +- .github/workflows/osv-scanner-scheduled.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml index 8abdc4a44d..b47b2114df 100644 --- a/.github/workflows/osv-scanner-pr.yml +++ b/.github/workflows/osv-scanner-pr.yml 
@@ -12,5 +12,5 @@ permissions: jobs: scan-pr: - uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.1 + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml index 0a8f5f3930..1a1b0fb6d9 100644 --- a/.github/workflows/osv-scanner-scheduled.yml +++ b/.github/workflows/osv-scanner-scheduled.yml @@ -14,5 +14,5 @@ permissions: jobs: scan: - uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.1 + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 From 9f9cfed39b12747687a16300b5266665bb73aba5 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 22:20:36 +0100 Subject: [PATCH 101/106] OSV Scanner --- .github/workflows/osv-scanner-pr.yml | 5 ++++- .github/workflows/osv-scanner-scheduled.yml | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml index b47b2114df..971bf65ee6 100644 --- a/.github/workflows/osv-scanner-pr.yml +++ b/.github/workflows/osv-scanner-pr.yml @@ -13,4 +13,7 @@ permissions: jobs: scan-pr: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 - + with: + scan-args: | + --allow-no-lockfiles + --recursive \ No newline at end of file diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml index 1a1b0fb6d9..d862cd31d4 100644 --- a/.github/workflows/osv-scanner-scheduled.yml +++ b/.github/workflows/osv-scanner-scheduled.yml @@ -15,4 +15,7 @@ permissions: jobs: scan: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 - + with: + scan-args: | + --allow-no-lockfiles + --recursive 
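Review bot: Pinning the reusable workflow to a full commit SHA in both files is the right move, but a bare SHA gives reviewers no way to see which release it corresponds to; the usual convention is a trailing comment with the resolved tag, e.g. `uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 # <tag this SHA resolves to>`, and the same in `osv-scanner-scheduled.yml`. Dependabot's github-actions updater (configured earlier in this series) is expected to keep such a comment in step with the SHA when it bumps it.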
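Review bot: `--recursive` will, assuming the reusable workflow checks out submodules, make osv-scanner descend into the vendored submodules under `others/` (e.g. `others/libinjection`, bumped earlier in this series), so advisories for third-party code will be reported against this repository; if that is intended a comment on the `scan-args:` block should say so, and if not the vendored directories should be kept out of the scan. `osv-scanner-pr.yml` is also left without a trailing newline (`\ No newline at end of file`) while the scheduled workflow in the same commit has one; adding it keeps the two files consistent.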
From cb27650943a63d363b29585993b95bfbaba734b4 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 15 Dec 2025 10:00:20 +0100 Subject: [PATCH 102/106] Cleanup: remove code unrelated to the adjustment --- .github/codeql/codeql-config.yml | 21 - .github/dependabot.yaml | 15 - .github/security-scan-excludes.txt | 29 - .github/workflows/codeql.yml | 60 -- .../workflows/dependabot-auto-approve.yaml | 27 - .github/workflows/flawfinder.yml | 125 --- .github/workflows/osv-scanner-pr.yml | 19 - .github/workflows/osv-scanner-scheduled.yml | 21 - .github/workflows/scorecard.yml | 43 - .github/workflows/semgrep.yml | 73 -- headers/modsecurity/intervention.h | 747 +++++++++++++++++- src/transaction.cc | 7 - 12 files changed, 712 insertions(+), 475 deletions(-) delete mode 100644 .github/codeql/codeql-config.yml delete mode 100644 .github/dependabot.yaml delete mode 100644 .github/security-scan-excludes.txt delete mode 100644 .github/workflows/codeql.yml delete mode 100644 .github/workflows/dependabot-auto-approve.yaml delete mode 100644 .github/workflows/flawfinder.yml delete mode 100644 .github/workflows/osv-scanner-pr.yml delete mode 100644 .github/workflows/osv-scanner-scheduled.yml delete mode 100644 .github/workflows/scorecard.yml delete mode 100644 .github/workflows/semgrep.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml deleted file mode 100644 index a10be7a00e..0000000000 --- a/.github/codeql/codeql-config.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: "CodeQL config for ModSecurity" - -queries: - - uses: security-extended - -paths-ignore: - # Tests - - "tests/**" - - "test/**" - - "**/*test*" - - # Third-party / submodules - - "others/**" - - "bindings/**" - - "examples/**" - - "doc/**" - - # Build & generated files - - "build/**" - - "**/*.png" - - "**/*.md" diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml deleted file mode 100644 index 16d9dd8134..0000000000 --- a/.github/dependabot.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "gitsubmodule" - directory: "/" - schedule: - interval: "daily" - commit-message: - prefix: "Submodule Update" - - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - commit-message: - prefix: "GitHub Actions Updates" \ No newline at end of file diff --git a/.github/security-scan-excludes.txt b/.github/security-scan-excludes.txt deleted file mode 100644 index 5a06e1c0bc..0000000000 --- a/.github/security-scan-excludes.txt +++ /dev/null @@ -1,29 +0,0 @@ -# Build & Output -build -build/* -out -out/* -dist -dist/* - -# Dependencies / Vendored -vendor -vendor/* -third_party -third_party/* -deps -deps/* -external -external/* -others/* - -# VCS / CI -.git -.github - -# Docs & misc -docs -examples -tests -test -benchmarks diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 7023b792eb..0000000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -name: CodeQL_on_linux - - -on: - workflow_dispatch: - push: - branches: ["master", "main"] - pull_request: - branches: ["master", "main"] - schedule: - - cron: "19 3 * * 1" - - -permissions: - actions: read - contents: read - security-events: write - -jobs: - analyze: - name: CodeQL (C/C++) - runs-on: ubuntu-24.04 - - steps: - - name: Checkout (with submodules) - uses: actions/checkout@v6 - with: - submodules: recursive - fetch-depth: 0 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: c-cpp - build-mode: manual - config-file: ./.github/codeql/codeql-config.yml - - - name: Install build dependencies - run: | - sudo apt-get update - sudo apt-get install -y \ - build-essential pkg-config \ - autoconf automake libtool \ - flex bison \ - libyajl-dev \ - libxml2-dev \ - libpcre2-dev \ - libcurl4-openssl-dev \ - zlib1g-dev \ - libmbedtls-dev \ - ca-certificates - - - name: Build (required for CodeQL C/C++) - run: | - ./build_on_linux.sh - ./configure --disable-dependency-tracking - make -j"$(nproc)" - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 diff --git a/.github/workflows/dependabot-auto-approve.yaml b/.github/workflows/dependabot-auto-approve.yaml deleted file mode 100644 index 2b467fa367..0000000000 --- a/.github/workflows/dependabot-auto-approve.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -name: Dependabot Auto-Approve -on: pull_request - -permissions: - pull-requests: write - contents: write - -jobs: - auto-approve: - runs-on: ubuntu-latest - if: ${{ github.actor == 'dependabot[bot]' }} - steps: - - name: Fetch Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b - with: - github-token: "${{ secrets.GITHUB_TOKEN }}" - - name: Approve Pull Request - run: gh pr review --approve "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - - name: Enable Auto-Merge - run: gh pr merge --auto --squash "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml deleted file mode 100644 index f0ac0c2105..0000000000 --- a/.github/workflows/flawfinder.yml +++ /dev/null 
@@ -1,125 +0,0 @@ -name: Flawfinder (C/C++) - -on: - workflow_dispatch: - pull_request: - push: - branches: [ "main", "master" ] - schedule: - - cron: "20 2 * * 1" # Weekly - -permissions: - contents: read - security-events: write - -jobs: - flawfinder: - runs-on: ubuntu-latest - - steps: - - name: Checkout (inkl. Submodules) - uses: actions/checkout@v6 - with: - submodules: recursive - - - name: Install Flawfinder - run: | - sudo apt-get update - sudo apt-get install -y flawfinder - - - name: Build source file list (robust excludes) - shell: bash - run: | - set -euo pipefail - - EXCLUDE_FILE=".github/security-scan-excludes.txt" - EXCLUDE_TMP="/tmp/excludes.txt" - - # 1) Excludes vorbereiten (falls Datei fehlt/leer ist -> leere exclude list) - if [[ -f "$EXCLUDE_FILE" ]]; then - # Kommentare/Leerzeilen entfernen, "./" davor setzen - grep -vE '^\s*#|^\s*$' "$EXCLUDE_FILE" | sed 's|^|./|' > "$EXCLUDE_TMP" || true - else - : > "$EXCLUDE_TMP" - fi - - # 2) Relevante Quellfiles finden - find . \ - -type f \ - \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' -o -name '*.cxx' -o -name '*.h' -o -name '*.hh' -o -name '*.hpp' -o -name '*.hxx' \) \ - > /tmp/all-src.txt - - # 3) Excludes anwenden (wenn exclude list leer -> einfach alles nehmen) - if [[ -s "$EXCLUDE_TMP" ]]; then - grep -v -F -f "$EXCLUDE_TMP" /tmp/all-src.txt > /tmp/flawfinder-files.txt || true - else - cp /tmp/all-src.txt /tmp/flawfinder-files.txt - fi - - # 4) Falls nix übrig bleibt, nicht failen – nur warnen - if [[ ! -s /tmp/flawfinder-files.txt ]]; then - echo "No source files to scan after excludes." 
- else - echo "Files to scan: $(wc -l < /tmp/flawfinder-files.txt)" - fi - - - name: Build Flawfinder file list (headers only) - shell: bash - run: | - set -euo pipefail - git ls-files 'headers/**' \ - | grep -E '\.(h|hh|hpp|hxx)$' \ - > /tmp/flawfinder-headers-files.txt || true - - echo "Header files to scan: $(wc -l < /tmp/flawfinder-headers-files.txt || echo 0)" - - - - name: Run Flawfinder (SARIF, headers strict) - shell: bash - run: | - set -euo pipefail - - if [[ ! -s /tmp/flawfinder-headers-files.txt ]]; then - echo "Skipping flawfinder headers: no files." - echo '{"$schema":"https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"flawfinder","informationUri":"https://dwheeler.com/flawfinder/"}},"results":[]}]}' > flawfinder-headers.sarif - exit 0 - fi - - echo "Flawfinder version:" - flawfinder --version - - set +e - xargs -a /tmp/flawfinder-headers-files.txt \ - flawfinder --sarif --minlevel=1 \ - > flawfinder-headers.sarif \ - 2> flawfinder-headers.stderr - rc=$? - set -e - - echo "flawfinder exit code: $rc" - if [[ -s flawfinder-headers.stderr ]]; then - echo "---- flawfinder stderr ----" - cat flawfinder-headers.stderr - echo "---------------------------" - fi - - echo "SARIF size: $(wc -c < flawfinder-headers.sarif) bytes" - - # Validate SARIF JSON - if ! python3 -c 'import json; json.load(open("flawfinder-headers.sarif","r",encoding="utf-8"))' 2>/dev/null; then - echo "Writing minimal SARIF because flawfinder output was not valid SARIF JSON." 
- echo '{"$schema":"https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"flawfinder","informationUri":"https://dwheeler.com/flawfinder/"}},"results":[]}]}' > flawfinder-headers.sarif - fi - - # 16 = findings found → OK - if [[ $rc -ne 0 && $rc -ne 16 ]]; then - exit $rc - fi - - - - name: Upload SARIF - if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: flawfinder-headers.sarif - category: flawfinder-headers-strict diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml deleted file mode 100644 index 971bf65ee6..0000000000 --- a/.github/workflows/osv-scanner-pr.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: OSV Scanner (PR) - -on: - pull_request: - merge_group: - workflow_dispatch: - -permissions: - contents: read - security-events: write - actions: read - -jobs: - scan-pr: - uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 - with: - scan-args: | - --allow-no-lockfiles - --recursive \ No newline at end of file diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml deleted file mode 100644 index d862cd31d4..0000000000 --- a/.github/workflows/osv-scanner-scheduled.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: OSV Scanner (Scheduled) - -on: - workflow_dispatch: - schedule: - - cron: "30 3 * * 1" - push: - branches: [ "main", "master" ] - -permissions: - contents: read - security-events: write - actions: read - -jobs: - scan: - uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 - with: - scan-args: | - --allow-no-lockfiles - --recursive diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml deleted file mode 100644 index 54052c1e11..0000000000 
--- a/.github/workflows/scorecard.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: OSSF Scorecard - -on: - workflow_dispatch: - branch_protection_rule: - push: - branches: [ "main", "master" ] - schedule: - - cron: "10 1 * * 0" - -permissions: - contents: read - -jobs: - analysis: - runs-on: ubuntu-latest - permissions: - security-events: write - id-token: write - contents: read - issues: read - pull-requests: read - checks: read - - steps: - - name: Checkout - uses: actions/checkout@v6 - with: - submodules: recursive - persist-credentials: false - - - name: Run Scorecard - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 - with: - results_file: scorecard.sarif - results_format: sarif - publish_results: false - - - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: scorecard.sarif - category: scorecard diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml deleted file mode 100644 index 9e744bed31..0000000000 --- a/.github/workflows/semgrep.yml +++ /dev/null 
@@ -1,73 +0,0 @@ -name: Semgrep (C/C++ SAST) - -on: - workflow_dispatch: - pull_request: - push: - branches: [ "main", "master" ] - -permissions: - contents: read - security-events: write - -jobs: - semgrep: - runs-on: ubuntu-latest - - steps: - - name: Checkout (inkl. Submodules) - uses: actions/checkout@v6 - with: - submodules: recursive - - - name: Install Semgrep - run: | - python3 -m pip install --upgrade pip - pip install semgrep - - - name: Fetch Semgrep Community rules - run: | - git clone --depth 1 https://github.com/semgrep/semgrep-rules .semgrep-rules - - - name: Run Semgrep (SARIF, robust excludes + configs) - shell: bash - run: | - set -euo pipefail - - # 1) Excludes aus Datei robust einlesen (Kommentare/Leerzeilen ignorieren) - EXCLUDE_FILE=".github/security-scan-excludes.txt" - EXCLUDES="" - if [[ -f "$EXCLUDE_FILE" ]]; then - while IFS= read -r line; do - [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue - EXCLUDES+=" --exclude $line" - done < "$EXCLUDE_FILE" - fi - echo "Semgrep excludes:$EXCLUDES" - - # 2) Configs nur hinzufügen, wenn sie existieren (Repo-Struktur kann sich ändern) - CONFIGS=() - [[ -d ".semgrep-rules/c" ]] && CONFIGS+=("--config" ".semgrep-rules/c") - [[ -d ".semgrep-rules/cpp" ]] && CONFIGS+=("--config" ".semgrep-rules/cpp") - # Optional: generische Security-Audit Rules (sprache-unabhängig/teilweise generisch) - [[ -d ".semgrep-rules/security/audit" ]] && CONFIGS+=("--config" ".semgrep-rules/security/audit") - - if [[ ${#CONFIGS[@]} -eq 0 ]]; then - echo "No suitable Semgrep community rule directories found; skipping." - echo '{"version":"2.1.0","runs":[]}' > semgrep.sarif - exit 0 - fi - - # 3) Scan - semgrep scan \ - "${CONFIGS[@]}" \ - $EXCLUDES \ - --sarif -o semgrep.sarif \ - . - - - name: Upload SARIF - if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: semgrep.sarif - category: semgrep 
diff --git a/headers/modsecurity/intervention.h b/headers/modsecurity/intervention.h index af88e85813..83108d0e35 100644 --- a/headers/modsecurity/intervention.h +++ b/headers/modsecurity/intervention.h 
@@ -13,59 +13,736 @@ * */ -#ifndef HEADERS_MODSECURITY_INTERVENTION_H_ -#define HEADERS_MODSECURITY_INTERVENTION_H_ +#ifndef HEADERS_MODSECURITY_TRANSACTION_H_ +#define HEADERS_MODSECURITY_TRANSACTION_H_ #ifdef __cplusplus -namespace modsecurity { +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include #endif -typedef struct ModSecurityIntervention_t { - int status; - int pause; - char *url; - char *log; - int disruptive; -} ModSecurityIntervention; +#include +#include -#ifdef __cplusplus -namespace intervention { - static void reset(ModSecurityIntervention_t *i) { - i->status = 200; - i->pause = 0; - i->disruptive = 0; - } +#ifndef __cplusplus +typedef struct ModSecurity_t ModSecurity; +typedef struct Transaction_t Transaction; +typedef struct Rules_t RulesSet; +#endif + +#include "modsecurity/anchored_set_variable.h" +#include "modsecurity/anchored_variable.h" +#include "modsecurity/intervention.h" +#include "modsecurity/collection/collections.h" +#include "modsecurity/variable_value.h" +#include "modsecurity/collection/collection.h" +#include "modsecurity/variable_origin.h" +#include "modsecurity/anchored_set_variable_translation_proxy.h" +#include "modsecurity/audit_log.h" + + +#ifndef NO_LOGS +#define ms_dbg(b, c) \ + do { \ + if (m_rules && m_rules->m_debugLog && m_rules->m_debugLog->m_debugLevel >= b) { \ + m_rules->debug(b, m_id, m_uri, c); \ + } \ + } while (0); +#else +#define ms_dbg(b, c) \ + do { } while (0); +#endif - static void clean(ModSecurityIntervention_t *i) { - i->url = NULL; - i->log = NULL; - reset(i); +#ifndef NO_LOGS +#define ms_dbg_a(t, b, c) \ + do { \ + if (t && t->m_rules && t->m_rules->m_debugLog && t->m_rules->m_debugLog->m_debugLevel >= b) { \ + t->debug(b, c); \ + } \ + } while (0); +#else +#define ms_dbg_a(t, b, c) \ + do { } while (0); +#endif + + +#define LOGFY_ADD(a, b) \ + yajl_gen_string(g, reinterpret_cast(a), strlen(a)); \ + if (b.data() == 
NULL) { \ + yajl_gen_string(g, reinterpret_cast(""), \ + strlen("")); \ + } else { \ + yajl_gen_string(g, reinterpret_cast(b.data()), \ + b.length()); \ } - static void freeUrl(ModSecurityIntervention_t *i) { - if (i->url) { - free(i->url); - i->url = NULL; +#define LOGFY_ADD_INT(a, b) \ + yajl_gen_string(g, reinterpret_cast(a), strlen(a)); \ + yajl_gen_number(g, reinterpret_cast(b), strlen(b)); + +#define LOGFY_ADD_NUM(a, b) \ + yajl_gen_string(g, reinterpret_cast(a), strlen(a)); \ + yajl_gen_integer(g, b); + +#ifdef __cplusplus + +namespace modsecurity { + +class ModSecurity; +class Transaction; +class RulesSet; +class RuleMessage; +namespace actions { +class Action; +namespace disruptive { +enum AllowType : int; +} +} +namespace RequestBodyProcessor { +class XML; +class JSON; +class MultipartPartTmpFile; +} +namespace operators { +class Operator; +} + + +class TransactionAnchoredVariables { + public: + explicit TransactionAnchoredVariables(Transaction *t) + : m_variableRequestHeadersNames(t, "REQUEST_HEADERS_NAMES"), + m_variableResponseContentType(t, "RESPONSE_CONTENT_TYPE"), + m_variableResponseHeadersNames(t, "RESPONSE_HEADERS_NAMES"), + m_variableARGScombinedSize(t, "ARGS_COMBINED_SIZE"), + m_variableAuthType(t, "AUTH_TYPE"), + m_variableFilesCombinedSize(t, "FILES_COMBINED_SIZE"), + m_variableFullRequest(t, "FULL_REQUEST"), + m_variableFullRequestLength(t, "FULL_REQUEST_LENGTH"), + m_variableInboundDataError(t, "INBOUND_DATA_ERROR"), + m_variableMatchedVar(t, "MATCHED_VAR"), + m_variableMatchedVarName(t, "MATCHED_VAR_NAME"), + m_variableMscPcreError(t, "MSC_PCRE_ERROR"), + m_variableMscPcreLimitsExceeded(t, "MSC_PCRE_LIMITS_EXCEEDED"), + m_variableMultipartBoundaryQuoted(t, "MULTIPART_BOUNDARY_QUOTED"), + m_variableMultipartBoundaryWhiteSpace(t, + "MULTIPART_BOUNDARY_WHITESPACE"), + m_variableMultipartCrlfLFLines(t, "MULTIPART_CRLF_LF_LINES"), + m_variableMultipartDataAfter(t, "MULTIPART_DATA_AFTER"), + m_variableMultipartDataBefore(t, 
"MULTIPART_DATA_BEFORE"), + m_variableMultipartFileLimitExceeded(t, + "MULTIPART_FILE_LIMIT_EXCEEDED"), + m_variableMultipartHeaderFolding(t, "MULTIPART_HEADER_FOLDING"), + m_variableMultipartInvalidHeaderFolding(t, + "MULTIPART_INVALID_HEADER_FOLDING"), + m_variableMultipartInvalidPart(t, "MULTIPART_INVALID_PART"), + m_variableMultipartInvalidQuoting(t, "MULTIPART_INVALID_QUOTING"), + m_variableMultipartLFLine(t, "MULTIPART_LF_LINE"), + m_variableMultipartMissingSemicolon(t, "MULTIPART_MISSING_SEMICOLON"), + m_variableMultipartStrictError(t, "MULTIPART_STRICT_ERROR"), + m_variableMultipartUnmatchedBoundary(t, + "MULTIPART_UNMATCHED_BOUNDARY"), + m_variableOutboundDataError(t, "OUTBOUND_DATA_ERROR"), + m_variablePathInfo(t, "PATH_INFO"), + m_variableQueryString(t, "QUERY_STRING"), + m_variableRemoteAddr(t, "REMOTE_ADDR"), + m_variableRemoteHost(t, "REMOTE_HOST"), + m_variableRemotePort(t, "REMOTE_PORT"), + m_variableReqbodyError(t, "REQBODY_ERROR"), + m_variableReqbodyErrorMsg(t, "REQBODY_ERROR_MSG"), + m_variableReqbodyProcessorError(t, "REQBODY_PROCESSOR_ERROR"), + m_variableReqbodyProcessorErrorMsg(t, "REQBODY_PROCESSOR_ERROR_MSG"), + m_variableReqbodyProcessor(t, "REQBODY_PROCESSOR"), + m_variableRequestBasename(t, "REQUEST_BASENAME"), + m_variableRequestBody(t, "REQUEST_BODY"), + m_variableRequestBodyLength(t, "REQUEST_BODY_LENGTH"), + m_variableRequestFilename(t, "REQUEST_FILENAME"), + m_variableRequestLine(t, "REQUEST_LINE"), + m_variableRequestMethod(t, "REQUEST_METHOD"), + m_variableRequestProtocol(t, "REQUEST_PROTOCOL"), + m_variableRequestURI(t, "REQUEST_URI"), + m_variableRequestURIRaw(t, "REQUEST_URI_RAW"), + m_variableResource(t, "RESOURCE"), + m_variableResponseBody(t, "RESPONSE_BODY"), + m_variableResponseContentLength(t, "RESPONSE_CONTENT_LENGTH"), + m_variableResponseProtocol(t, "RESPONSE_PROTOCOL"), + m_variableResponseStatus(t, "RESPONSE_STATUS"), + m_variableServerAddr(t, "SERVER_ADDR"), + m_variableServerName(t, "SERVER_NAME"), + 
m_variableServerPort(t, "SERVER_PORT"), + m_variableSessionID(t, "SESSIONID"), + m_variableUniqueID(t, "UNIQUE_ID"), + m_variableUrlEncodedError(t, "URLENCODED_ERROR"), + m_variableUserID(t, "USERID"), + m_variableArgs(t, "ARGS"), + m_variableArgsGet(t, "ARGS_GET"), + m_variableArgsPost(t, "ARGS_POST"), + m_variableFilesSizes(t, "FILES_SIZES"), + m_variableFilesNames(t, "FILES_NAMES"), + m_variableFilesTmpContent(t, "FILES_TMP_CONTENT"), + m_variableMultipartFileName(t, "MULTIPART_FILENAME"), + m_variableMultipartName(t, "MULTIPART_NAME"), + m_variableMatchedVarsNames(t, "MATCHED_VARS_NAMES"), + m_variableMatchedVars(t, "MATCHED_VARS"), + m_variableFiles(t, "FILES"), + m_variableRequestCookies(t, "REQUEST_COOKIES"), + m_variableRequestHeaders(t, "REQUEST_HEADERS"), + m_variableResponseHeaders(t, "RESPONSE_HEADERS"), + m_variableGeo(t, "GEO"), + m_variableRequestCookiesNames(t, "REQUEST_COOKIES_NAMES"), + m_variableFilesTmpNames(t, "FILES_TMPNAMES"), + m_variableMultipartPartHeaders(t, "MULTIPART_PART_HEADERS"), + m_variableOffset(0), + m_variableArgsNames("ARGS_NAMES", &m_variableArgs), + m_variableArgsGetNames("ARGS_GET_NAMES", &m_variableArgsGet), + m_variableArgsPostNames("ARGS_POST_NAMES", &m_variableArgsPost) + { } + + AnchoredSetVariable m_variableRequestHeadersNames; + AnchoredVariable m_variableResponseContentType; + AnchoredSetVariable m_variableResponseHeadersNames; + AnchoredVariable m_variableARGScombinedSize; + AnchoredVariable m_variableAuthType; + AnchoredVariable m_variableFilesCombinedSize; + AnchoredVariable m_variableFullRequest; + AnchoredVariable m_variableFullRequestLength; + AnchoredVariable m_variableInboundDataError; + AnchoredVariable m_variableMatchedVar; + AnchoredVariable m_variableMatchedVarName; + AnchoredVariable m_variableMscPcreError; + AnchoredVariable m_variableMscPcreLimitsExceeded; + AnchoredVariable m_variableMultipartBoundaryQuoted; + AnchoredVariable m_variableMultipartBoundaryWhiteSpace; + AnchoredVariable 
m_variableMultipartCrlfLFLines; + AnchoredVariable m_variableMultipartDataAfter; + AnchoredVariable m_variableMultipartDataBefore; + AnchoredVariable m_variableMultipartFileLimitExceeded; + AnchoredVariable m_variableMultipartHeaderFolding; + AnchoredVariable m_variableMultipartInvalidHeaderFolding; + AnchoredVariable m_variableMultipartInvalidPart; + AnchoredVariable m_variableMultipartInvalidQuoting; + AnchoredVariable m_variableMultipartLFLine; + AnchoredVariable m_variableMultipartMissingSemicolon; + AnchoredVariable m_variableMultipartStrictError; + AnchoredVariable m_variableMultipartUnmatchedBoundary; + AnchoredVariable m_variableOutboundDataError; + AnchoredVariable m_variablePathInfo; + AnchoredVariable m_variableQueryString; + AnchoredVariable m_variableRemoteAddr; + AnchoredVariable m_variableRemoteHost; + AnchoredVariable m_variableRemotePort; + AnchoredVariable m_variableReqbodyError; + AnchoredVariable m_variableReqbodyErrorMsg; + AnchoredVariable m_variableReqbodyProcessorError; + AnchoredVariable m_variableReqbodyProcessorErrorMsg; + AnchoredVariable m_variableReqbodyProcessor; + AnchoredVariable m_variableRequestBasename; + AnchoredVariable m_variableRequestBody; + AnchoredVariable m_variableRequestBodyLength; + AnchoredVariable m_variableRequestFilename; + AnchoredVariable m_variableRequestLine; + AnchoredVariable m_variableRequestMethod; + AnchoredVariable m_variableRequestProtocol; + AnchoredVariable m_variableRequestURI; + AnchoredVariable m_variableRequestURIRaw; + AnchoredVariable m_variableResource; + AnchoredVariable m_variableResponseBody; + AnchoredVariable m_variableResponseContentLength; + AnchoredVariable m_variableResponseProtocol; + AnchoredVariable m_variableResponseStatus; + AnchoredVariable m_variableServerAddr; + AnchoredVariable m_variableServerName; + AnchoredVariable m_variableServerPort; + AnchoredVariable m_variableSessionID; + AnchoredVariable m_variableUniqueID; + AnchoredVariable m_variableUrlEncodedError; + 
AnchoredVariable m_variableUserID; + + AnchoredSetVariable m_variableArgs; + AnchoredSetVariable m_variableArgsGet; + AnchoredSetVariable m_variableArgsPost; + AnchoredSetVariable m_variableFilesSizes; + AnchoredSetVariable m_variableFilesNames; + AnchoredSetVariable m_variableFilesTmpContent; + AnchoredSetVariable m_variableMultipartFileName; + AnchoredSetVariable m_variableMultipartName; + AnchoredSetVariable m_variableMatchedVarsNames; + AnchoredSetVariable m_variableMatchedVars; + AnchoredSetVariable m_variableFiles; + AnchoredSetVariable m_variableRequestCookies; + AnchoredSetVariable m_variableRequestHeaders; + AnchoredSetVariable m_variableResponseHeaders; + AnchoredSetVariable m_variableGeo; + AnchoredSetVariable m_variableRequestCookiesNames; + AnchoredSetVariable m_variableFilesTmpNames; + AnchoredSetVariable m_variableMultipartPartHeaders; + + int m_variableOffset; + + AnchoredSetVariableTranslationProxy m_variableArgsNames; + AnchoredSetVariableTranslationProxy m_variableArgsGetNames; + AnchoredSetVariableTranslationProxy m_variableArgsPostNames; +}; + +class TransactionSecMarkerManagement { + public: + bool isInsideAMarker() const { + if (m_marker) { + return true; } + + return false; } - static void freeLog(ModSecurityIntervention_t *i) { - if (i->log) { - free(i->log); - i->log = NULL; - } + std::shared_ptr getCurrentMarker() const { + assert((m_marker != nullptr) && "You might have forgotten to call and evaluate isInsideAMarker() before calling getCurrentMarker()."); + return m_marker; } - static void free(ModSecurityIntervention_t *i) { - freeUrl(i); - freeLog(i); + void removeMarker() { + m_marker.reset(); } -} // namespace intervention + void addMarker(const std::shared_ptr &name) { + m_marker = name; + } + + private: + std::shared_ptr m_marker; +}; + +/** @ingroup ModSecurity_CPP_API */ +class Transaction : public TransactionAnchoredVariables, public TransactionSecMarkerManagement { + public: + Transaction(ModSecurity *ms, RulesSet *rules, void 
*logCbData); + Transaction(ModSecurity *ms, RulesSet *rules, const char *id, + void *logCbData); + ~Transaction(); + + Transaction ( const Transaction & ) = delete; + bool operator ==(const Transaction &b) const { return false; }; + Transaction &operator =(const Transaction &b) const = delete; + + /** TODO: Should be an structure that fits an IP address */ + int processConnection(const char *client, int cPort, + const char *server, int sPort); + int processURI(const char *uri, const char *protocol, + const char *http_version); + + /** + * Types of request body that ModSecurity may give a special treatment + * for the data. + */ + enum RequestBodyType { + /** + * + */ + UnknownFormat, + /** + * + */ + MultiPartRequestBody, + /** + * + */ + WWWFormUrlEncoded, + /** + * + */ + JSONRequestBody, + /** + * + */ + XMLRequestBody + }; + + int processRequestHeaders(); + int addRequestHeader(const std::string& key, const std::string& value); + int addRequestHeader(const unsigned char *key, const unsigned char *value); + int addRequestHeader(const unsigned char *key, size_t len_key, + const unsigned char *value, size_t len_value); + + int processRequestBody(); + int appendRequestBody(const unsigned char *body, size_t size); + int requestBodyFromFile(const char *path); + + int processResponseHeaders(int code, const std::string& proto); + int addResponseHeader(const std::string& key, const std::string& value); + int addResponseHeader(const unsigned char *key, const unsigned char *value); + int addResponseHeader(const unsigned char *key, size_t len_key, + const unsigned char *value, size_t len_value); + + int processResponseBody(); + int appendResponseBody(const unsigned char *body, size_t size); + + int processLogging(); + int updateStatusCode(int status); + + int setRequestHostName(const std::string& hostname); + + bool intervention(ModSecurityIntervention *it); + + bool addArgument(const std::string& orig, const std::string& key, + const std::string& value, size_t offset); + 
bool extractArguments(const std::string &orig, const std::string& buf, + size_t offset); + + const char *getResponseBody() const; + size_t getResponseBodyLength(); + size_t getRequestBodyLength(); + +#ifndef NO_LOGS + void debug(int, const std::string &) const; +#endif + void serverLog(const RuleMessage &rm); + + int getRuleEngineState() const; + + std::string toJSON(int parts); + std::string toOldAuditLogFormat(int parts, const std::string &trailer, const std::string &header); + std::string toOldAuditLogFormatIndex(const std::string &filename, + double size, const std::string &md5); + + /** + * Filled during the class instantiation, this variable can be later + * used to fill the SecRule variable `duration'. The variable `duration' + * is dynamic calculated, it is always relative to the value found in + * m_creationTimeStamp. + * + * @note There is space for performance improvement. This value don't + * need to be filled if there is no rule using the variable + * `duration'. + */ + const clock_t m_creationTimeStamp; + + /** + * Holds the client IP address. + */ + std::string m_clientIpAddress; + + /** + * Holds the HTTP version: 1.2, 2.0, 3.0 and so on.... + */ + std::string m_httpVersion; + + /** + * Holds the server IP Address + */ + std::string m_serverIpAddress; + + /** + * Holds the request's hostname + */ + std::string m_requestHostName; + + /** + * Holds the raw URI that was requested. + */ + std::string m_uri; + + /** + * Holds the URI that was requests (without the query string). + */ + std::string m_uri_no_query_string_decoded; + + /** + * Holds the combined size of all arguments, later used to fill the + * variable ARGS_COMBINED_SIZE. + */ + double m_ARGScombinedSizeDouble; + + /** + * Client tcp port. + */ + int m_clientPort; + + /** + * This variable is set by the action `severity' and later can be + * consulted via the SecLanguage variable HIGHEST_SEVERITY. + */ + int m_highestSeverityAction; + + /** + * Holds the HTTP return code when it is known. 
If 0 nothing was + * set. + */ + int m_httpCodeReturned; + + /** + * Holds the server port. + */ + int m_serverPort; + + /** + * ModSecurity instance used to start this transaction. Basically used + * to fill the server log whenever is needed. + */ + ModSecurity *m_ms; + + /** + * Holds the type of the request body, in case there is one. + */ + RequestBodyType m_requestBodyType; + + /** + * Holds the request body "processor" + */ + RequestBodyType m_requestBodyProcessor; + + /** + * Rules object utilized during this specific transaction. + */ + RulesSet * const m_rules; + + /** + * + */ + std::list m_ruleRemoveById; + std::list > m_ruleRemoveByIdRange; + + /** + * + */ + std::list m_ruleRemoveByTag; + + /** + * + */ + std::list< std::pair > m_ruleRemoveTargetByTag; + + /** + * + */ + std::list< std::pair > m_ruleRemoveTargetById; + + /** + * + */ + int m_requestBodyAccess; + + /** + * The list m_auditLogModifier contains modifications to the `auditlogs' + * for this specific request, those modifications can happens via the + * utilization of the action: `ctl:auditLogParts=' + * + */ + std::list< std::pair > m_auditLogModifier; + + /** + * This transaction's most recent action ctl:auditEngine + * + */ + audit_log::AuditLog::AuditLogStatus m_ctlAuditEngine; + + /** + * This variable holds all the messages asked to be save by the utilization + * of the actions: `log_data' and `msg'. These should be included on the + * auditlogs. + */ + std::list m_rulesMessages; + + /** + * Holds the request body, in case of any. + */ + std::ostringstream m_requestBody; + + /** + * Holds the response body, in case of any. + */ + std::ostringstream m_responseBody; + + /** + * Contains the unique ID of the transaction. Use by the variable + * `UNIQUE_ID'. This unique id is also saved as part of the AuditLog. + */ + const std::string m_id; + + /** + * Holds the amount of rules that should be skipped. 
If bigger than 0 the + * current rule should be skipped and the number needs to be decreased. + */ + int m_skip_next; + + /** + * If allow action was utilized, this variable holds the allow type. + */ + modsecurity::actions::disruptive::AllowType m_allowType; + + /** + * Holds the decode URI. Notice that m_uri holds the raw version + * of the URI. + */ + std::string m_uri_decoded; + + /** + * Actions (disruptive?) that should be taken by the connector related to + * that transaction. + */ + std::vector m_actions; + ModSecurityIntervention m_it; + + /** + * Holds the creation time stamp, using std::time. + * + * TODO: m_timeStamp and m_creationTimeStamp may be merged into a single + * variable. + */ + const time_t m_timeStamp; + + + /** + * Holds all the collections related to that transaction. + */ + collection::Collections m_collections; + + /** + * Holds the whatever matched in the operation utilization. + * That variable will be further used by the capture action. + * + */ + std::list m_matched; + + RequestBodyProcessor::XML *m_xml; + RequestBodyProcessor::JSON *m_json; + + int m_secRuleEngine; + int m_secXMLParseXmlIntoArgs; + + std::string m_variableDuration; + std::map m_variableEnvs; + std::string m_variableHighestSeverityAction; + std::string m_variableRemoteUser; + std::string m_variableTime; + std::string m_variableTimeDay; + std::string m_variableTimeEpoch; + std::string m_variableTimeHour; + std::string m_variableTimeMin; + std::string m_variableTimeSec; + std::string m_variableTimeWDay; + std::string m_variableTimeYear; + + std::vector> m_multipartPartTmpFiles; + + private: + + Transaction(ModSecurity *ms, RulesSet *rules, const char *id, + void *logCbData, const time_t timestamp); + + /** + * Pointer to the callback function that will be called to fill + * the web server (connector) log. 
+ */ + void *m_logCbData; +}; + + #endif #ifdef __cplusplus +extern "C" { +#endif + +/** @ingroup ModSecurity_C_API */ +Transaction *msc_new_transaction(ModSecurity *ms, + RulesSet *rules, void *logCbData); + +/** @ingroup ModSecurity_C_API */ +Transaction *msc_new_transaction_with_id(ModSecurity *ms, + RulesSet *rules, const char *id, void *logCbData); + +/** @ingroup ModSecurity_C_API */ +int msc_process_connection(Transaction *transaction, + const char *client, int cPort, const char *server, int sPort); + +/** @ingroup ModSecurity_C_API */ +int msc_process_request_headers(Transaction *transaction); + +/** @ingroup ModSecurity_C_API */ +int msc_add_request_header(Transaction *transaction, const unsigned char *key, + const unsigned char *value); + +/** @ingroup ModSecurity_C_API */ +int msc_add_n_request_header(Transaction *transaction, + const unsigned char *key, size_t len_key, const unsigned char *value, + size_t len_value); + +/** @ingroup ModSecurity_C_API */ +int msc_process_request_body(Transaction *transaction); + +/** @ingroup ModSecurity_C_API */ +int msc_append_request_body(Transaction *transaction, + const unsigned char *body, size_t size); + +/** @ingroup ModSecurity_C_API */ +int msc_request_body_from_file(Transaction *transaction, const char *path); + +/** @ingroup ModSecurity_C_API */ +int msc_process_response_headers(Transaction *transaction, int code, + const char* protocol); + +/** @ingroup ModSecurity_C_API */ +int msc_add_response_header(Transaction *transaction, + const unsigned char *key, const unsigned char *value); + +/** @ingroup ModSecurity_C_API */ +int msc_add_n_response_header(Transaction *transaction, + const unsigned char *key, size_t len_key, const unsigned char *value, + size_t len_value); + +/** @ingroup ModSecurity_C_API */ +int msc_process_response_body(Transaction *transaction); + +/** @ingroup ModSecurity_C_API */ +int msc_append_response_body(Transaction *transaction, + const unsigned char *body, size_t size); + +/** 
@ingroup ModSecurity_C_API */ +int msc_process_uri(Transaction *transaction, const char *uri, + const char *protocol, const char *http_version); + +/** @ingroup ModSecurity_C_API */ +const char *msc_get_response_body(const Transaction *transaction); + +/** @ingroup ModSecurity_C_API */ +size_t msc_get_response_body_length(Transaction *transaction); + +/** @ingroup ModSecurity_C_API */ +size_t msc_get_request_body_length(Transaction *transaction); + +/** @ingroup ModSecurity_C_API */ +void msc_transaction_cleanup(Transaction *transaction); + +/** @ingroup ModSecurity_C_API */ +int msc_intervention(Transaction *transaction, ModSecurityIntervention *it); + +/** @ingroup ModSecurity_C_API */ +void msc_intervention_cleanup(ModSecurityIntervention *it); + +/** @ingroup ModSecurity_C_API */ +int msc_process_logging(Transaction *transaction); + +/** @ingroup ModSecurity_C_API */ +int msc_update_status_code(Transaction *transaction, int status); + +/** @ingroup ModSecurity_C_API */ +int msc_set_request_hostname(Transaction *transaction, const unsigned char *hostname); + +#ifdef __cplusplus +} } // namespace modsecurity #endif -#endif // HEADERS_MODSECURITY_INTERVENTION_H_ + +#endif // HEADERS_MODSECURITY_TRANSACTION_H_ \ No newline at end of file diff --git a/src/transaction.cc b/src/transaction.cc index a977464dbb..36f5508d33 100644 --- a/src/transaction.cc +++ b/src/transaction.cc @@ -170,12 +170,6 @@ Transaction::~Transaction() { m_rulesMessages.clear(); - m_ruleRemoveById.clear(); - m_ruleRemoveByIdRange.clear(); - m_ruleRemoveByTag.clear(); - m_ruleRemoveTargetById.clear(); - m_ruleRemoveTargetByTag.clear(); - intervention::free(&m_it); intervention::clean(&m_it); @@ -2332,4 +2326,3 @@ extern "C" int msc_set_request_hostname(Transaction *transaction, } // namespace modsecurity - From be24c6e850f686d3fcb58743e274d85675ab1e90 Mon Sep 17 00:00:00 2001 
From: Easton97-Jens Date: Mon, 15 Dec 2025 10:09:42 +0100 Subject: [PATCH 103/106] Cleanup: remove code unrelated to the adjustment
---
 headers/modsecurity/transaction.h | 20 +++++++------------- src/transaction.cc | 2 +- 2 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/headers/modsecurity/transaction.h b/headers/modsecurity/transaction.h
index d9d670d9c2..83108d0e35 100644
--- a/headers/modsecurity/transaction.h
+++ b/headers/modsecurity/transaction.h
@@ -205,12 +205,9 @@ class TransactionAnchoredVariables {
 m_variableFilesTmpNames(t, "FILES_TMPNAMES"),
 m_variableMultipartPartHeaders(t, "MULTIPART_PART_HEADERS"),
 m_variableOffset(0),
- m_pVariableArgsNames(std::make_unique("ARGS_NAMES", &m_variableArgs)),
- m_variableArgsNames(*m_pVariableArgsNames),
- m_pVariableArgsGetNames(std::make_unique("ARGS_GET_NAMES", &m_variableArgsGet)),
- m_variableArgsGetNames(*m_pVariableArgsGetNames),
- m_pVariableArgsPostNames(std::make_unique("ARGS_POST_NAMES", &m_variableArgsPost)),
- m_variableArgsPostNames(*m_pVariableArgsPostNames)
+ m_variableArgsNames("ARGS_NAMES", &m_variableArgs),
+ m_variableArgsGetNames("ARGS_GET_NAMES", &m_variableArgsGet),
+ m_variableArgsPostNames("ARGS_POST_NAMES", &m_variableArgsPost)
 { }
 AnchoredSetVariable m_variableRequestHeadersNames;
@@ -294,12 +291,9 @@ class TransactionAnchoredVariables {
 int m_variableOffset;
- std::unique_ptr m_pVariableArgsNames;
- AnchoredSetVariableTranslationProxy &m_variableArgsNames;
- std::unique_ptr m_pVariableArgsGetNames;
- AnchoredSetVariableTranslationProxy &m_variableArgsGetNames;
- std::unique_ptr m_pVariableArgsPostNames;
- AnchoredSetVariableTranslationProxy &m_variableArgsPostNames;
+ AnchoredSetVariableTranslationProxy m_variableArgsNames;
+ AnchoredSetVariableTranslationProxy m_variableArgsGetNames;
+ AnchoredSetVariableTranslationProxy m_variableArgsPostNames;
 };
 class TransactionSecMarkerManagement {
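Review bot: The three proxy members introduced in the hunk at -294 (`m_variableArgsNames`, `m_variableArgsGetNames`, `m_variableArgsPostNames`) are still constructed from the address of a sibling member (`&m_variableArgs` and friends in the hunk at -205), so an implicitly generated copy of TransactionAnchoredVariables would leave the copied proxies pointing into the source object; the reference members that were removed at least made copy-assignment ill-formed, the value members do not. Transaction deletes its own copy constructor, but this base class does not, so the safe form is to add `TransactionAnchoredVariables(const TransactionAnchoredVariables &) = delete;` and `TransactionAnchoredVariables &operator=(const TransactionAnchoredVariables &) = delete;` next to the explicit constructor. Taking the address in the initializer list is well-defined regardless of declaration order, but if the proxy constructor dereferences that pointer (not visible from this hunk) the proxies must remain declared after `m_variableArgs`, `m_variableArgsGet` and `m_variableArgsPost`, as they are here; a one-line comment on the members stating that dependency would keep a later reordering from breaking it.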
@@ -751,4 +745,4 @@ int msc_set_request_hostname(Transaction *transaction, const unsigned char *host
 #endif
-#endif // HEADERS_MODSECURITY_TRANSACTION_H_
+#endif // HEADERS_MODSECURITY_TRANSACTION_H_
\ No newline at end of file
diff --git a/src/transaction.cc b/src/transaction.cc
index 36f5508d33..78ffcc2c3c 100644
--- a/src/transaction.cc
+++ b/src/transaction.cc
@@ -2325,4 +2325,4 @@ extern "C" int msc_set_request_hostname(Transaction *transaction,
 }
-} // namespace modsecurity
+} // namespace modsecurity
\ No newline at end of file
From d5a01ecdc90ef5603f2a17d0c41d2404c92690b5 Mon Sep 17 00:00:00 2001
From: Easton97-Jens Date: Mon, 15 Dec 2025 10:25:37 +0100 Subject: [PATCH 104/106] updade
---
 headers/modsecurity/transaction.h | 2 +- src/transaction.cc | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/headers/modsecurity/transaction.h b/headers/modsecurity/transaction.h
index 83108d0e35..3e70caa38e 100644
--- a/headers/modsecurity/transaction.h
+++ b/headers/modsecurity/transaction.h
@@ -745,4 +745,4 @@ int msc_set_request_hostname(Transaction *transaction, const unsigned char *host
 #endif
-#endif // HEADERS_MODSECURITY_TRANSACTION_H_
\ No newline at end of file
+#endif // HEADERS_MODSECURITY_TRANSACTION_H_
diff --git a/src/transaction.cc b/src/transaction.cc
index 78ffcc2c3c..6c8ae9744c 100644
--- a/src/transaction.cc
+++ b/src/transaction.cc
@@ -2325,4 +2325,5 @@ extern "C" int msc_set_request_hostname(Transaction *transaction,
 }
-} // namespace modsecurity
\ No newline at end of file
+} // namespace modsecurity
+
From 5dab5803c3084ff2f692b9d8590998658ec53229 Mon Sep 17 00:00:00 2001
From: Easton97-Jens Date: Mon, 15 Dec 2025 10:34:43 +0100 Subject: [PATCH 105/106] Cleanup: remove unrelated code
---
 headers/modsecurity/intervention.h | 747 ++--------------------------- 1 file changed, 35 insertions(+), 712 deletions(-)
diff --git a/headers/modsecurity/intervention.h b/headers/modsecurity/intervention.h
index 83108d0e35..af88e85813 100644
--- a/headers/modsecurity/intervention.h
+++ b/headers/modsecurity/intervention.h
@@ -13,736 +13,59 @@ * */ -#ifndef HEADERS_MODSECURITY_TRANSACTION_H_ -#define HEADERS_MODSECURITY_TRANSACTION_H_ +#ifndef HEADERS_MODSECURITY_INTERVENTION_H_ +#define HEADERS_MODSECURITY_INTERVENTION_H_ #ifdef __cplusplus -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#endif - -#include -#include - -#ifndef __cplusplus -typedef struct ModSecurity_t ModSecurity; -typedef struct Transaction_t Transaction; -typedef struct Rules_t RulesSet; -#endif - -#include "modsecurity/anchored_set_variable.h" -#include "modsecurity/anchored_variable.h" -#include "modsecurity/intervention.h" -#include "modsecurity/collection/collections.h" -#include "modsecurity/variable_value.h" -#include "modsecurity/collection/collection.h" -#include "modsecurity/variable_origin.h" -#include "modsecurity/anchored_set_variable_translation_proxy.h" -#include "modsecurity/audit_log.h" - - -#ifndef NO_LOGS -#define ms_dbg(b, c) \ - do { \ - if (m_rules && m_rules->m_debugLog && m_rules->m_debugLog->m_debugLevel >= b) { \ - m_rules->debug(b, m_id, m_uri, c); \ - } \ - } while (0); -#else -#define ms_dbg(b, c) \ - do { } while (0); -#endif - -#ifndef NO_LOGS -#define ms_dbg_a(t, b, c) \ - do { \ - if (t && t->m_rules && t->m_rules->m_debugLog && t->m_rules->m_debugLog->m_debugLevel >= b) { \ - t->debug(b, c); \ - } \ - } while (0); -#else -#define ms_dbg_a(t, b, c) \ - do { } while (0); +namespace modsecurity { #endif - -#define LOGFY_ADD(a, b) \ - yajl_gen_string(g, reinterpret_cast(a), strlen(a)); \ - if (b.data() == NULL) { \ - yajl_gen_string(g, reinterpret_cast(""), \ - strlen("")); \ - } else { \ - yajl_gen_string(g, reinterpret_cast(b.data()), \ - b.length()); \ - } - -#define LOGFY_ADD_INT(a, b) \ - yajl_gen_string(g, reinterpret_cast(a), strlen(a)); \ - yajl_gen_number(g, reinterpret_cast(b), strlen(b)); - -#define LOGFY_ADD_NUM(a, b) \ - yajl_gen_string(g, reinterpret_cast(a), strlen(a)); \ - 
yajl_gen_integer(g, b); +typedef struct ModSecurityIntervention_t { + int status; + int pause; + char *url; + char *log; + int disruptive; +} ModSecurityIntervention; #ifdef __cplusplus - -namespace modsecurity { - -class ModSecurity; -class Transaction; -class RulesSet; -class RuleMessage; -namespace actions { -class Action; -namespace disruptive { -enum AllowType : int; -} -} -namespace RequestBodyProcessor { -class XML; -class JSON; -class MultipartPartTmpFile; -} -namespace operators { -class Operator; -} - - -class TransactionAnchoredVariables { - public: - explicit TransactionAnchoredVariables(Transaction *t) - : m_variableRequestHeadersNames(t, "REQUEST_HEADERS_NAMES"), - m_variableResponseContentType(t, "RESPONSE_CONTENT_TYPE"), - m_variableResponseHeadersNames(t, "RESPONSE_HEADERS_NAMES"), - m_variableARGScombinedSize(t, "ARGS_COMBINED_SIZE"), - m_variableAuthType(t, "AUTH_TYPE"), - m_variableFilesCombinedSize(t, "FILES_COMBINED_SIZE"), - m_variableFullRequest(t, "FULL_REQUEST"), - m_variableFullRequestLength(t, "FULL_REQUEST_LENGTH"), - m_variableInboundDataError(t, "INBOUND_DATA_ERROR"), - m_variableMatchedVar(t, "MATCHED_VAR"), - m_variableMatchedVarName(t, "MATCHED_VAR_NAME"), - m_variableMscPcreError(t, "MSC_PCRE_ERROR"), - m_variableMscPcreLimitsExceeded(t, "MSC_PCRE_LIMITS_EXCEEDED"), - m_variableMultipartBoundaryQuoted(t, "MULTIPART_BOUNDARY_QUOTED"), - m_variableMultipartBoundaryWhiteSpace(t, - "MULTIPART_BOUNDARY_WHITESPACE"), - m_variableMultipartCrlfLFLines(t, "MULTIPART_CRLF_LF_LINES"), - m_variableMultipartDataAfter(t, "MULTIPART_DATA_AFTER"), - m_variableMultipartDataBefore(t, "MULTIPART_DATA_BEFORE"), - m_variableMultipartFileLimitExceeded(t, - "MULTIPART_FILE_LIMIT_EXCEEDED"), - m_variableMultipartHeaderFolding(t, "MULTIPART_HEADER_FOLDING"), - m_variableMultipartInvalidHeaderFolding(t, - "MULTIPART_INVALID_HEADER_FOLDING"), - m_variableMultipartInvalidPart(t, "MULTIPART_INVALID_PART"), - m_variableMultipartInvalidQuoting(t, 
"MULTIPART_INVALID_QUOTING"), - m_variableMultipartLFLine(t, "MULTIPART_LF_LINE"), - m_variableMultipartMissingSemicolon(t, "MULTIPART_MISSING_SEMICOLON"), - m_variableMultipartStrictError(t, "MULTIPART_STRICT_ERROR"), - m_variableMultipartUnmatchedBoundary(t, - "MULTIPART_UNMATCHED_BOUNDARY"), - m_variableOutboundDataError(t, "OUTBOUND_DATA_ERROR"), - m_variablePathInfo(t, "PATH_INFO"), - m_variableQueryString(t, "QUERY_STRING"), - m_variableRemoteAddr(t, "REMOTE_ADDR"), - m_variableRemoteHost(t, "REMOTE_HOST"), - m_variableRemotePort(t, "REMOTE_PORT"), - m_variableReqbodyError(t, "REQBODY_ERROR"), - m_variableReqbodyErrorMsg(t, "REQBODY_ERROR_MSG"), - m_variableReqbodyProcessorError(t, "REQBODY_PROCESSOR_ERROR"), - m_variableReqbodyProcessorErrorMsg(t, "REQBODY_PROCESSOR_ERROR_MSG"), - m_variableReqbodyProcessor(t, "REQBODY_PROCESSOR"), - m_variableRequestBasename(t, "REQUEST_BASENAME"), - m_variableRequestBody(t, "REQUEST_BODY"), - m_variableRequestBodyLength(t, "REQUEST_BODY_LENGTH"), - m_variableRequestFilename(t, "REQUEST_FILENAME"), - m_variableRequestLine(t, "REQUEST_LINE"), - m_variableRequestMethod(t, "REQUEST_METHOD"), - m_variableRequestProtocol(t, "REQUEST_PROTOCOL"), - m_variableRequestURI(t, "REQUEST_URI"), - m_variableRequestURIRaw(t, "REQUEST_URI_RAW"), - m_variableResource(t, "RESOURCE"), - m_variableResponseBody(t, "RESPONSE_BODY"), - m_variableResponseContentLength(t, "RESPONSE_CONTENT_LENGTH"), - m_variableResponseProtocol(t, "RESPONSE_PROTOCOL"), - m_variableResponseStatus(t, "RESPONSE_STATUS"), - m_variableServerAddr(t, "SERVER_ADDR"), - m_variableServerName(t, "SERVER_NAME"), - m_variableServerPort(t, "SERVER_PORT"), - m_variableSessionID(t, "SESSIONID"), - m_variableUniqueID(t, "UNIQUE_ID"), - m_variableUrlEncodedError(t, "URLENCODED_ERROR"), - m_variableUserID(t, "USERID"), - m_variableArgs(t, "ARGS"), - m_variableArgsGet(t, "ARGS_GET"), - m_variableArgsPost(t, "ARGS_POST"), - m_variableFilesSizes(t, "FILES_SIZES"), - 
m_variableFilesNames(t, "FILES_NAMES"), - m_variableFilesTmpContent(t, "FILES_TMP_CONTENT"), - m_variableMultipartFileName(t, "MULTIPART_FILENAME"), - m_variableMultipartName(t, "MULTIPART_NAME"), - m_variableMatchedVarsNames(t, "MATCHED_VARS_NAMES"), - m_variableMatchedVars(t, "MATCHED_VARS"), - m_variableFiles(t, "FILES"), - m_variableRequestCookies(t, "REQUEST_COOKIES"), - m_variableRequestHeaders(t, "REQUEST_HEADERS"), - m_variableResponseHeaders(t, "RESPONSE_HEADERS"), - m_variableGeo(t, "GEO"), - m_variableRequestCookiesNames(t, "REQUEST_COOKIES_NAMES"), - m_variableFilesTmpNames(t, "FILES_TMPNAMES"), - m_variableMultipartPartHeaders(t, "MULTIPART_PART_HEADERS"), - m_variableOffset(0), - m_variableArgsNames("ARGS_NAMES", &m_variableArgs), - m_variableArgsGetNames("ARGS_GET_NAMES", &m_variableArgsGet), - m_variableArgsPostNames("ARGS_POST_NAMES", &m_variableArgsPost) - { } - - AnchoredSetVariable m_variableRequestHeadersNames; - AnchoredVariable m_variableResponseContentType; - AnchoredSetVariable m_variableResponseHeadersNames; - AnchoredVariable m_variableARGScombinedSize; - AnchoredVariable m_variableAuthType; - AnchoredVariable m_variableFilesCombinedSize; - AnchoredVariable m_variableFullRequest; - AnchoredVariable m_variableFullRequestLength; - AnchoredVariable m_variableInboundDataError; - AnchoredVariable m_variableMatchedVar; - AnchoredVariable m_variableMatchedVarName; - AnchoredVariable m_variableMscPcreError; - AnchoredVariable m_variableMscPcreLimitsExceeded; - AnchoredVariable m_variableMultipartBoundaryQuoted; - AnchoredVariable m_variableMultipartBoundaryWhiteSpace; - AnchoredVariable m_variableMultipartCrlfLFLines; - AnchoredVariable m_variableMultipartDataAfter; - AnchoredVariable m_variableMultipartDataBefore; - AnchoredVariable m_variableMultipartFileLimitExceeded; - AnchoredVariable m_variableMultipartHeaderFolding; - AnchoredVariable m_variableMultipartInvalidHeaderFolding; - AnchoredVariable m_variableMultipartInvalidPart; - 
AnchoredVariable m_variableMultipartInvalidQuoting; - AnchoredVariable m_variableMultipartLFLine; - AnchoredVariable m_variableMultipartMissingSemicolon; - AnchoredVariable m_variableMultipartStrictError; - AnchoredVariable m_variableMultipartUnmatchedBoundary; - AnchoredVariable m_variableOutboundDataError; - AnchoredVariable m_variablePathInfo; - AnchoredVariable m_variableQueryString; - AnchoredVariable m_variableRemoteAddr; - AnchoredVariable m_variableRemoteHost; - AnchoredVariable m_variableRemotePort; - AnchoredVariable m_variableReqbodyError; - AnchoredVariable m_variableReqbodyErrorMsg; - AnchoredVariable m_variableReqbodyProcessorError; - AnchoredVariable m_variableReqbodyProcessorErrorMsg; - AnchoredVariable m_variableReqbodyProcessor; - AnchoredVariable m_variableRequestBasename; - AnchoredVariable m_variableRequestBody; - AnchoredVariable m_variableRequestBodyLength; - AnchoredVariable m_variableRequestFilename; - AnchoredVariable m_variableRequestLine; - AnchoredVariable m_variableRequestMethod; - AnchoredVariable m_variableRequestProtocol; - AnchoredVariable m_variableRequestURI; - AnchoredVariable m_variableRequestURIRaw; - AnchoredVariable m_variableResource; - AnchoredVariable m_variableResponseBody; - AnchoredVariable m_variableResponseContentLength; - AnchoredVariable m_variableResponseProtocol; - AnchoredVariable m_variableResponseStatus; - AnchoredVariable m_variableServerAddr; - AnchoredVariable m_variableServerName; - AnchoredVariable m_variableServerPort; - AnchoredVariable m_variableSessionID; - AnchoredVariable m_variableUniqueID; - AnchoredVariable m_variableUrlEncodedError; - AnchoredVariable m_variableUserID; - - AnchoredSetVariable m_variableArgs; - AnchoredSetVariable m_variableArgsGet; - AnchoredSetVariable m_variableArgsPost; - AnchoredSetVariable m_variableFilesSizes; - AnchoredSetVariable m_variableFilesNames; - AnchoredSetVariable m_variableFilesTmpContent; - AnchoredSetVariable m_variableMultipartFileName; - AnchoredSetVariable 
m_variableMultipartName; - AnchoredSetVariable m_variableMatchedVarsNames; - AnchoredSetVariable m_variableMatchedVars; - AnchoredSetVariable m_variableFiles; - AnchoredSetVariable m_variableRequestCookies; - AnchoredSetVariable m_variableRequestHeaders; - AnchoredSetVariable m_variableResponseHeaders; - AnchoredSetVariable m_variableGeo; - AnchoredSetVariable m_variableRequestCookiesNames; - AnchoredSetVariable m_variableFilesTmpNames; - AnchoredSetVariable m_variableMultipartPartHeaders; - - int m_variableOffset; - - AnchoredSetVariableTranslationProxy m_variableArgsNames; - AnchoredSetVariableTranslationProxy m_variableArgsGetNames; - AnchoredSetVariableTranslationProxy m_variableArgsPostNames; -}; - -class TransactionSecMarkerManagement { - public: - bool isInsideAMarker() const { - if (m_marker) { - return true; - } - - return false; +namespace intervention { + static void reset(ModSecurityIntervention_t *i) { + i->status = 200; + i->pause = 0; + i->disruptive = 0; } - std::shared_ptr getCurrentMarker() const { - assert((m_marker != nullptr) && "You might have forgotten to call and evaluate isInsideAMarker() before calling getCurrentMarker()."); - return m_marker; + static void clean(ModSecurityIntervention_t *i) { + i->url = NULL; + i->log = NULL; + reset(i); } - void removeMarker() { - m_marker.reset(); + static void freeUrl(ModSecurityIntervention_t *i) { + if (i->url) { + free(i->url); + i->url = NULL; + } } - void addMarker(const std::shared_ptr &name) { - m_marker = name; + static void freeLog(ModSecurityIntervention_t *i) { + if (i->log) { + free(i->log); + i->log = NULL; + } } - private: - std::shared_ptr m_marker; -}; - -/** @ingroup ModSecurity_CPP_API */ -class Transaction : public TransactionAnchoredVariables, public TransactionSecMarkerManagement { - public: - Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData); - Transaction(ModSecurity *ms, RulesSet *rules, const char *id, - void *logCbData); - ~Transaction(); - - Transaction ( const 
Transaction & ) = delete; - bool operator ==(const Transaction &b) const { return false; }; - Transaction &operator =(const Transaction &b) const = delete; - - /** TODO: Should be an structure that fits an IP address */ - int processConnection(const char *client, int cPort, - const char *server, int sPort); - int processURI(const char *uri, const char *protocol, - const char *http_version); - - /** - * Types of request body that ModSecurity may give a special treatment - * for the data. - */ - enum RequestBodyType { - /** - * - */ - UnknownFormat, - /** - * - */ - MultiPartRequestBody, - /** - * - */ - WWWFormUrlEncoded, - /** - * - */ - JSONRequestBody, - /** - * - */ - XMLRequestBody - }; - - int processRequestHeaders(); - int addRequestHeader(const std::string& key, const std::string& value); - int addRequestHeader(const unsigned char *key, const unsigned char *value); - int addRequestHeader(const unsigned char *key, size_t len_key, - const unsigned char *value, size_t len_value); - - int processRequestBody(); - int appendRequestBody(const unsigned char *body, size_t size); - int requestBodyFromFile(const char *path); - - int processResponseHeaders(int code, const std::string& proto); - int addResponseHeader(const std::string& key, const std::string& value); - int addResponseHeader(const unsigned char *key, const unsigned char *value); - int addResponseHeader(const unsigned char *key, size_t len_key, - const unsigned char *value, size_t len_value); - - int processResponseBody(); - int appendResponseBody(const unsigned char *body, size_t size); - - int processLogging(); - int updateStatusCode(int status); - - int setRequestHostName(const std::string& hostname); - - bool intervention(ModSecurityIntervention *it); - - bool addArgument(const std::string& orig, const std::string& key, - const std::string& value, size_t offset); - bool extractArguments(const std::string &orig, const std::string& buf, - size_t offset); - - const char *getResponseBody() const; - size_t 
getResponseBodyLength(); - size_t getRequestBodyLength(); - -#ifndef NO_LOGS - void debug(int, const std::string &) const; -#endif - void serverLog(const RuleMessage &rm); - - int getRuleEngineState() const; - - std::string toJSON(int parts); - std::string toOldAuditLogFormat(int parts, const std::string &trailer, const std::string &header); - std::string toOldAuditLogFormatIndex(const std::string &filename, - double size, const std::string &md5); - - /** - * Filled during the class instantiation, this variable can be later - * used to fill the SecRule variable `duration'. The variable `duration' - * is dynamic calculated, it is always relative to the value found in - * m_creationTimeStamp. - * - * @note There is space for performance improvement. This value don't - * need to be filled if there is no rule using the variable - * `duration'. - */ - const clock_t m_creationTimeStamp; - - /** - * Holds the client IP address. - */ - std::string m_clientIpAddress; - - /** - * Holds the HTTP version: 1.2, 2.0, 3.0 and so on.... - */ - std::string m_httpVersion; - - /** - * Holds the server IP Address - */ - std::string m_serverIpAddress; - - /** - * Holds the request's hostname - */ - std::string m_requestHostName; - - /** - * Holds the raw URI that was requested. - */ - std::string m_uri; - - /** - * Holds the URI that was requests (without the query string). - */ - std::string m_uri_no_query_string_decoded; - - /** - * Holds the combined size of all arguments, later used to fill the - * variable ARGS_COMBINED_SIZE. - */ - double m_ARGScombinedSizeDouble; - - /** - * Client tcp port. - */ - int m_clientPort; - - /** - * This variable is set by the action `severity' and later can be - * consulted via the SecLanguage variable HIGHEST_SEVERITY. - */ - int m_highestSeverityAction; - - /** - * Holds the HTTP return code when it is known. If 0 nothing was - * set. - */ - int m_httpCodeReturned; - - /** - * Holds the server port. 
- */ - int m_serverPort; - - /** - * ModSecurity instance used to start this transaction. Basically used - * to fill the server log whenever is needed. - */ - ModSecurity *m_ms; - - /** - * Holds the type of the request body, in case there is one. - */ - RequestBodyType m_requestBodyType; - - /** - * Holds the request body "processor" - */ - RequestBodyType m_requestBodyProcessor; - - /** - * Rules object utilized during this specific transaction. - */ - RulesSet * const m_rules; - - /** - * - */ - std::list m_ruleRemoveById; - std::list > m_ruleRemoveByIdRange; - - /** - * - */ - std::list m_ruleRemoveByTag; - - /** - * - */ - std::list< std::pair > m_ruleRemoveTargetByTag; - - /** - * - */ - std::list< std::pair > m_ruleRemoveTargetById; - - /** - * - */ - int m_requestBodyAccess; - - /** - * The list m_auditLogModifier contains modifications to the `auditlogs' - * for this specific request, those modifications can happens via the - * utilization of the action: `ctl:auditLogParts=' - * - */ - std::list< std::pair > m_auditLogModifier; - - /** - * This transaction's most recent action ctl:auditEngine - * - */ - audit_log::AuditLog::AuditLogStatus m_ctlAuditEngine; - - /** - * This variable holds all the messages asked to be save by the utilization - * of the actions: `log_data' and `msg'. These should be included on the - * auditlogs. - */ - std::list m_rulesMessages; - - /** - * Holds the request body, in case of any. - */ - std::ostringstream m_requestBody; - - /** - * Holds the response body, in case of any. - */ - std::ostringstream m_responseBody; - - /** - * Contains the unique ID of the transaction. Use by the variable - * `UNIQUE_ID'. This unique id is also saved as part of the AuditLog. - */ - const std::string m_id; - - /** - * Holds the amount of rules that should be skipped. If bigger than 0 the - * current rule should be skipped and the number needs to be decreased. 
- */ - int m_skip_next; - - /** - * If allow action was utilized, this variable holds the allow type. - */ - modsecurity::actions::disruptive::AllowType m_allowType; - - /** - * Holds the decode URI. Notice that m_uri holds the raw version - * of the URI. - */ - std::string m_uri_decoded; - - /** - * Actions (disruptive?) that should be taken by the connector related to - * that transaction. - */ - std::vector m_actions; - ModSecurityIntervention m_it; - - /** - * Holds the creation time stamp, using std::time. - * - * TODO: m_timeStamp and m_creationTimeStamp may be merged into a single - * variable. - */ - const time_t m_timeStamp; - - - /** - * Holds all the collections related to that transaction. - */ - collection::Collections m_collections; - - /** - * Holds the whatever matched in the operation utilization. - * That variable will be further used by the capture action. - * - */ - std::list m_matched; - - RequestBodyProcessor::XML *m_xml; - RequestBodyProcessor::JSON *m_json; - - int m_secRuleEngine; - int m_secXMLParseXmlIntoArgs; - - std::string m_variableDuration; - std::map m_variableEnvs; - std::string m_variableHighestSeverityAction; - std::string m_variableRemoteUser; - std::string m_variableTime; - std::string m_variableTimeDay; - std::string m_variableTimeEpoch; - std::string m_variableTimeHour; - std::string m_variableTimeMin; - std::string m_variableTimeSec; - std::string m_variableTimeWDay; - std::string m_variableTimeYear; - - std::vector> m_multipartPartTmpFiles; - - private: - - Transaction(ModSecurity *ms, RulesSet *rules, const char *id, - void *logCbData, const time_t timestamp); - - /** - * Pointer to the callback function that will be called to fill - * the web server (connector) log. 
- */ - void *m_logCbData; -}; - + static void free(ModSecurityIntervention_t *i) { + freeUrl(i); + freeLog(i); + } +} // namespace intervention #endif #ifdef __cplusplus -extern "C" { -#endif - -/** @ingroup ModSecurity_C_API */ -Transaction *msc_new_transaction(ModSecurity *ms, - RulesSet *rules, void *logCbData); - -/** @ingroup ModSecurity_C_API */ -Transaction *msc_new_transaction_with_id(ModSecurity *ms, - RulesSet *rules, const char *id, void *logCbData); - -/** @ingroup ModSecurity_C_API */ -int msc_process_connection(Transaction *transaction, - const char *client, int cPort, const char *server, int sPort); - -/** @ingroup ModSecurity_C_API */ -int msc_process_request_headers(Transaction *transaction); - -/** @ingroup ModSecurity_C_API */ -int msc_add_request_header(Transaction *transaction, const unsigned char *key, - const unsigned char *value); - -/** @ingroup ModSecurity_C_API */ -int msc_add_n_request_header(Transaction *transaction, - const unsigned char *key, size_t len_key, const unsigned char *value, - size_t len_value); - -/** @ingroup ModSecurity_C_API */ -int msc_process_request_body(Transaction *transaction); - -/** @ingroup ModSecurity_C_API */ -int msc_append_request_body(Transaction *transaction, - const unsigned char *body, size_t size); - -/** @ingroup ModSecurity_C_API */ -int msc_request_body_from_file(Transaction *transaction, const char *path); - -/** @ingroup ModSecurity_C_API */ -int msc_process_response_headers(Transaction *transaction, int code, - const char* protocol); - -/** @ingroup ModSecurity_C_API */ -int msc_add_response_header(Transaction *transaction, - const unsigned char *key, const unsigned char *value); - -/** @ingroup ModSecurity_C_API */ -int msc_add_n_response_header(Transaction *transaction, - const unsigned char *key, size_t len_key, const unsigned char *value, - size_t len_value); - -/** @ingroup ModSecurity_C_API */ -int msc_process_response_body(Transaction *transaction); - -/** @ingroup ModSecurity_C_API */ 
-int msc_append_response_body(Transaction *transaction, - const unsigned char *body, size_t size); - -/** @ingroup ModSecurity_C_API */ -int msc_process_uri(Transaction *transaction, const char *uri, - const char *protocol, const char *http_version); - -/** @ingroup ModSecurity_C_API */ -const char *msc_get_response_body(const Transaction *transaction); - -/** @ingroup ModSecurity_C_API */ -size_t msc_get_response_body_length(Transaction *transaction); - -/** @ingroup ModSecurity_C_API */ -size_t msc_get_request_body_length(Transaction *transaction); - -/** @ingroup ModSecurity_C_API */ -void msc_transaction_cleanup(Transaction *transaction); - -/** @ingroup ModSecurity_C_API */ -int msc_intervention(Transaction *transaction, ModSecurityIntervention *it); - -/** @ingroup ModSecurity_C_API */ -void msc_intervention_cleanup(ModSecurityIntervention *it); - -/** @ingroup ModSecurity_C_API */ -int msc_process_logging(Transaction *transaction); - -/** @ingroup ModSecurity_C_API */ -int msc_update_status_code(Transaction *transaction, int status); - -/** @ingroup ModSecurity_C_API */ -int msc_set_request_hostname(Transaction *transaction, const unsigned char *hostname); - -#ifdef __cplusplus -} } // namespace modsecurity #endif - -#endif // HEADERS_MODSECURITY_TRANSACTION_H_ \ No newline at end of file +#endif // HEADERS_MODSECURITY_INTERVENTION_H_ From 4e705e7213c667ec676d436cd340f6e7317444ea Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Tue, 16 Dec 2025 11:17:06 +0100 Subject: [PATCH 106/106] SHA-256 Implementierung on ModSecurity (mbed TLS 4.x) --- src/unique_id.cc | 10 +++++-- src/utils/md5.h | 31 ++++++------------- src/utils/sha1.h | 74 ++++++++++++++++++++++++++-------------------- src/utils/sha256.h | 34 +++++++++++++++++++++ 4 files changed, 92 insertions(+), 57 deletions(-) create mode 100644 src/utils/sha256.h diff --git a/src/unique_id.cc b/src/unique_id.cc index 01075cc549..b7c254f1b8 100644 --- a/src/unique_id.cc +++ b/src/unique_id.cc 
@@ -56,7 +56,9 @@ #endif #include -#include "src/utils/sha1.h" +/*#include "src/utils/sha1.h"*/ +#include "src/utils/sha256.h" + namespace modsecurity { @@ -72,7 +74,9 @@ void UniqueId::fillUniqueId() { data = macAddress + name; - this->uniqueId_str = Utils::Sha1::hexdigest(data); + /*this->uniqueId_str = Utils::Sha1::hexdigest(data);*/ + this->uniqueId_str = Utils::Sha256::hexdigest(data); + } // Based on: @@ -235,4 +239,4 @@ std::string UniqueId::ethernetMacAddress() { } -} // namespace modsecurity +} // namespace modsecurity \ No newline at end of file diff --git a/src/utils/md5.h b/src/utils/md5.h index d77bde4fbf..2b66bd8ea2 100644 --- a/src/utils/md5.h +++ b/src/utils/md5.h @@ -8,27 +8,20 @@ #ifndef SRC_UTILS_MD5_H_ #define SRC_UTILS_MD5_H_ -#include "src/utils/sha1.h" // bringt DigestImpl und psa/crypto.h rein +#include "src/utils/sha1.h" // nutzt DigestImpl + detail::ensure_psa_init() #include +#include // optional (weil sha1.h es schon inkludiert), aber ok + namespace modsecurity::Utils { -// Wrapper mit gleicher Signatur wie mbedtls_md5, -// intern aber PSA-API. +// PSA-Wrapper mit alter Signatur inline int modsec_psa_md5(const unsigned char *input, size_t ilen, unsigned char output[16]) { - // sha1.h macht bereits ein lazy psa_crypto_init() in modsec_psa_sha1, - // aber falls MD5 vor SHA1 benutzt wird, sorgen wir hier auch nochmal vor. - static bool psa_initialized = false; - - if (!psa_initialized) { - psa_status_t init_status = psa_crypto_init(); - if (init_status != PSA_SUCCESS) { - return -1; - } - psa_initialized = true; + if (!detail::ensure_psa_init()) { + return -1; } size_t out_len = 0; 
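Review bot: The first two hunks leave the replaced code behind as comments, `/*#include "src/utils/sha1.h"*/` and `/*this->uniqueId_str = Utils::Sha1::hexdigest(data);*/`, instead of deleting it; version control already keeps the SHA-1 variant, so both commented lines should be dropped. The switch also changes `uniqueId_str` from a 40- to a 64-character hex string, which deserves a sentence in the commit message and a comment at the assignment, e.g. `// SHA-256 hex digest: 64 chars (SHA-1 produced 40)`, so anyone who sized a buffer or a format around the old length can check. The third hunk removes the trailing newline at end of file, as do the md5.h, sha1.h and sha256.h hunks of this commit; that looks like an editor artifact and should be reverted. `UniqueId::fillUniqueId` begins before the second hunk.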
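Review bot: md5.h now obtains `detail::ensure_psa_init()` and `DigestImpl` by including sha1.h, so the MD5 digest depends on the SHA-1 header purely for shared plumbing, and the new sha256.h does the same; the shared template and the init helper belong in a header of their own (for example `src/utils/digest.h`) that all three hash headers include. The comments in this hunk (`// nutzt DigestImpl + detail::ensure_psa_init()`, `// optional (weil sha1.h es schon inkludiert), aber ok`, `// PSA-Wrapper mit alter Signatur`) are German while the surrounding code reads English; please translate them, e.g. `// PSA wrapper keeping the old mbedtls_md5 signature`. A one-line contract above `modsec_psa_md5` would also help callers: `// Returns 0 on success, -1 if PSA init or hashing fails.`. The body of `modsec_psa_md5` continues past this hunk.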
@@ -41,17 +34,11 @@ inline int modsec_psa_md5(const unsigned char *input, &out_len ); - if (status != PSA_SUCCESS || out_len != 16) { - return -1; - } - - return 0; + return (status == PSA_SUCCESS && out_len == 16) ? 0 : -1; } -// Statt &mbedtls_md5 benutzen wir jetzt &modsec_psa_md5. -class Md5 : public DigestImpl<&modsec_psa_md5, 16> { -}; +class Md5 : public DigestImpl<&modsec_psa_md5, 16> {}; } // namespace modsecurity::Utils -#endif // SRC_UTILS_MD5_H_ +#endif // SRC_UTILS_MD5_H_ \ No newline at end of file diff --git a/src/utils/sha1.h b/src/utils/sha1.h index 74cbad408f..4e772e39f4 100644 --- a/src/utils/sha1.h +++ b/src/utils/sha1.h 
@@ -10,69 +10,85 @@ #include #include -#include +#include // NEW: std::once_flag, std::call_once #include "src/utils/string.h" -// NEU: PSA statt mbedtls/sha1.h +// PSA statt mbedtls/sha1.h #include namespace modsecurity::Utils { using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); +// Gemeinsamer, thread-sicherer PSA-Init für alle Digests +namespace detail { +inline bool ensure_psa_init() { + static std::once_flag once; + static psa_status_t init_status = PSA_ERROR_GENERIC_ERROR; + + std::call_once(once, []() { + init_status = psa_crypto_init(); + }); + + return init_status == PSA_SUCCESS; +} +} // namespace detail + template class DigestImpl { public: static std::string digest(const std::string& input) { - return digestHelper(input, [](const auto digest) { + return digestHelper(input, [](std::string_view digest) { return std::string(digest); }); } static void digestReplace(std::string& value) { - digestHelper(value, [&value](const auto digest) mutable { - value = digest; + digestHelper(value, [&value](std::string_view digest) mutable { + value.assign(digest.data(), digest.size()); }); } static std::string hexdigest(const std::string &input) { - return digestHelper(input, [](const auto digest) { + return digestHelper(input, [](std::string_view digest) { return utils::string::string_to_hex(digest); }); } private: template - static auto digestHelper(const std::string &input, - ConvertOp convertOp) -> auto { - char digest[DigestSize]; + static auto digestHelper(const std::string &input, ConvertOp convertOp) + -> decltype(convertOp(std::string_view{})) { - const auto ret = (*digestOp)( - reinterpret_cast(input.c_str()), + unsigned char digest[DigestSize]; + + const int ret = (*digestOp)( + reinterpret_cast(input.data()), input.size(), - reinterpret_cast(digest) + digest ); - assert(ret == 0); - return convertOp(std::string_view(digest, DigestSize)); + // NEW: kein assert-only; in Release sonst potentiell UB. 
+ if (ret != 0) { + return convertOp(std::string_view{}); // leerer Digest signalisiert Fehler + } + + return convertOp(std::string_view( + reinterpret_cast(digest), DigestSize + )); } }; -// NEU: Wrapper, der die PSA-API in die alte Signatur presst. + +// PSA-Wrapper mit alter Signatur inline int modsec_psa_sha1(const unsigned char *input, size_t ilen, unsigned char output[20]) { - static bool psa_initialized = false; - - if (!psa_initialized) { - psa_status_t init_status = psa_crypto_init(); - if (init_status != PSA_SUCCESS) { - return -1; - } - psa_initialized = true; + if (!detail::ensure_psa_init()) { + return -1; } size_t out_len = 0; @@ -85,17 +101,11 @@ inline int modsec_psa_sha1(const unsigned char *input, &out_len ); - if (status != PSA_SUCCESS || out_len != 20) { - return -1; - } - - return 0; + return (status == PSA_SUCCESS && out_len == 20) ? 0 : -1; } -// Statt &mbedtls_sha1 nehmen wir jetzt unseren PSA-Wrapper -class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> { -}; +class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {}; } // namespace modsecurity::Utils -#endif // SRC_UTILS_SHA1_H_ +#endif // SRC_UTILS_SHA1_H_ \ No newline at end of file diff --git a/src/utils/sha256.h b/src/utils/sha256.h new file mode 100644 index 0000000000..7ecd379912 --- /dev/null +++ b/src/utils/sha256.h 
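Review bot: The new `if (ret != 0)` branch in `digestHelper` maps a PSA failure to an empty digest, so `digest()` and `hexdigest()` return "" and `digestReplace` overwrites the caller's value with "", while nothing is logged and no caller in this commit checks for it (`UniqueId::fillUniqueId` stores the result unconditionally). That is safer than the removed assert-only path, but an empty result feeding an identifier is a degraded state that deserves a loud signal: throw `std::runtime_error("psa_hash_compute failed")` if the project accepts exceptions here, otherwise document the empty-means-failure contract on all three public methods and make callers test for it. In `detail::ensure_psa_init` a failing `psa_crypto_init()` is cached forever by `std::call_once`; that is reasonable but should be stated, e.g. `// A failed init is sticky: every later digest reports failure.`. The comments added in this hunk (`// PSA statt mbedtls/sha1.h`, `// Gemeinsamer, thread-sicherer PSA-Init …`, `// leerer Digest signalisiert Fehler`) are German in an otherwise English file and the `// NEW:` tags are commit-era notes; both should be translated and the tags dropped before merge.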
@@ -0,0 +1,34 @@
+#ifndef SRC_UTILS_SHA256_H_
+#define SRC_UTILS_SHA256_H_
+
+#include "src/utils/sha1.h" // bringt DigestImpl + detail::ensure_psa_init()
+#include
+
+namespace modsecurity::Utils {
+
+inline int modsec_psa_sha256(const unsigned char *input,
+ size_t ilen,
+ unsigned char output[32])
+{
+ if (!detail::ensure_psa_init()) {
+ return -1;
+ }
+
+ size_t out_len = 0;
+ psa_status_t status = psa_hash_compute(
+ PSA_ALG_SHA_256,
+ input,
+ ilen,
+ output,
+ 32,
+ &out_len
+ );
+
+ return (status == PSA_SUCCESS && out_len == 32) ? 0 : -1;
+}
+
+class Sha256 : public DigestImpl<&modsec_psa_sha256, 32> {};
+
+} // namespace modsecurity::Utils
+
+#endif // SRC_UTILS_SHA256_H_
\ No newline at end of file
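Review bot: `modsec_psa_sha256` is a third verbatim copy of `modsec_psa_sha1` and `modsec_psa_md5`, differing only in the `PSA_ALG_*` constant and the digest length, and it pulls `DigestImpl` in by including sha1.h. A single template wrapper parameterised on the PSA algorithm and the digest size, living next to `DigestImpl` in a shared header, removes the duplication and lets each hash header shrink to one `class … : public DigestImpl<…> {}` line; the sketch below shows it for SHA-256, and `Sha1`/`Md5` would instantiate it with `PSA_ALG_SHA_1, 20` and `PSA_ALG_MD5, 16`. The new file also starts directly with the include guard, whereas md5.h and sha1.h have their guard at line 8 and 10, presumably below a licence header that sha256.h should carry too, and it is written without a trailing newline. The `// bringt DigestImpl + detail::ensure_psa_init()` comment should be English like the rest of the code.
```cpp
// … unchanged: include guard, includes, namespace modsecurity::Utils …

// One PSA wrapper for every fixed-size hash: Alg is the PSA algorithm id,
// DigestSize the byte length PSA reports for it (32 for SHA-256).
// Returns 0 on success, -1 if PSA init or psa_hash_compute() fails.
template <psa_algorithm_t Alg, size_t DigestSize>
inline int modsec_psa_hash(const unsigned char *input, size_t ilen,
                           unsigned char *output) {
    if (!detail::ensure_psa_init()) {
        return -1;
    }
    size_t out_len = 0;
    const psa_status_t status =
        psa_hash_compute(Alg, input, ilen, output, DigestSize, &out_len);
    return (status == PSA_SUCCESS && out_len == DigestSize) ? 0 : -1;
}

class Sha256 : public DigestImpl<&modsec_psa_hash<PSA_ALG_SHA_256, 32>, 32> {};
```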