From 761e225f3e39c914187c0c0233e1fce5191f769b Mon Sep 17 00:00:00 2001 From: meirdev Date: Tue, 5 May 2026 16:22:17 +0300 Subject: [PATCH] Fix parsing of SecComponentSignature, SecServerSignature and SecWebAppId --- src/parser/seclang-scanner.cc | 6 ++-- src/parser/seclang-scanner.ll | 6 ++-- test/test-cases/regression/auditlog.json | 40 ++++++++++++++++++++++++ 3 files changed, 46 insertions(+), 6 deletions(-) diff --git a/src/parser/seclang-scanner.cc b/src/parser/seclang-scanner.cc index 26385c206..bd82f9e4f 100644 --- a/src/parser/seclang-scanner.cc +++ b/src/parser/seclang-scanner.cc @@ -6252,19 +6252,19 @@ case 150: /* rule 150 can match eol */ YY_RULE_SETUP #line 751 "seclang-scanner.ll" -{ return p::make_CONFIG_COMPONENT_SIG(strchr(yytext, ' ') + 2, *driver.loc.back()); } +{ return p::make_CONFIG_COMPONENT_SIG(parserSanitizer(find_separator(yytext)), *driver.loc.back()); } YY_BREAK case 151: /* rule 151 can match eol */ YY_RULE_SETUP #line 752 "seclang-scanner.ll" -{ return p::make_CONFIG_SEC_SERVER_SIG(strchr(yytext, ' ') + 2, *driver.loc.back()); } +{ return p::make_CONFIG_SEC_SERVER_SIG(parserSanitizer(find_separator(yytext)), *driver.loc.back()); } YY_BREAK case 152: /* rule 152 can match eol */ YY_RULE_SETUP #line 753 "seclang-scanner.ll" -{ return p::make_CONFIG_SEC_WEB_APP_ID(parserSanitizer(strchr(yytext, ' ') + 2), *driver.loc.back()); } +{ return p::make_CONFIG_SEC_WEB_APP_ID(parserSanitizer(find_separator(yytext)), *driver.loc.back()); } YY_BREAK case 153: YY_RULE_SETUP diff --git a/src/parser/seclang-scanner.ll b/src/parser/seclang-scanner.ll index f954be892..e2cf345d8 100755 --- a/src/parser/seclang-scanner.ll +++ b/src/parser/seclang-scanner.ll @@ -747,9 +747,9 @@ EQUALS_MINUS (?i:=\-) . { BEGIN(INITIAL); } } -{CONFIG_COMPONENT_SIG}[ \t]+["]{FREE_TEXT}["] { return p::make_CONFIG_COMPONENT_SIG(strchr(yytext, ' ') + 2, *driver.loc.back()); } -{CONFIG_SEC_SERVER_SIG}[ \t]+["]{FREE_TEXT}["] { return p::make_CONFIG_SEC_SERVER_SIG(strchr(yytext, ' ') + 2, *driver.loc.back()); } -{CONFIG_SEC_WEB_APP_ID}[ \t]+["]{FREE_TEXT}["] { return p::make_CONFIG_SEC_WEB_APP_ID(parserSanitizer(strchr(yytext, ' ') + 2), *driver.loc.back()); } +{CONFIG_COMPONENT_SIG}[ \t]+["]{FREE_TEXT}["] { return p::make_CONFIG_COMPONENT_SIG(parserSanitizer(find_separator(yytext)), *driver.loc.back()); } +{CONFIG_SEC_SERVER_SIG}[ \t]+["]{FREE_TEXT}["] { return p::make_CONFIG_SEC_SERVER_SIG(parserSanitizer(find_separator(yytext)), *driver.loc.back()); } +{CONFIG_SEC_WEB_APP_ID}[ \t]+["]{FREE_TEXT}["] { return p::make_CONFIG_SEC_WEB_APP_ID(parserSanitizer(find_separator(yytext)), *driver.loc.back()); } {CONFIG_SEC_WEB_APP_ID}[ \t]+{FREE_TEXT_NEW_LINE} { return p::make_CONFIG_SEC_WEB_APP_ID(parserSanitizer(find_separator(yytext)), *driver.loc.back()); } {CONFIG_CONTENT_INJECTION} { return p::make_CONFIG_CONTENT_INJECTION(*driver.loc.back()); } {CONFIG_DIR_AUDIT_DIR_MOD}[ \t]+{CONFIG_VALUE_NUMBER} { return p::make_CONFIG_DIR_AUDIT_DIR_MOD(parserSanitizer(find_separator(yytext)), *driver.loc.back()); } diff --git a/test/test-cases/regression/auditlog.json b/test/test-cases/regression/auditlog.json index f4d660987..7426177e0 100644 --- a/test/test-cases/regression/auditlog.json +++ b/test/test-cases/regression/auditlog.json @@ -883,5 +883,45 @@ "SecAuditLogFileMode 0600", "SecAuditLogType Serial" ] + }, + { + "enabled": 1, + "version_min": 300000, + "version_max": 0, + "title": "auditlog : validate the SecComponentSignature value", + "client": { + "ip": "200.249.12.31", + "port": 2313 + }, + "server": { + "ip": "200.249.12.31", + "port": 80 + }, + "request": { + "headers": { + "Host": "www.modsecurity.org", + "Content-Length": "0" + }, + "uri": "/index.php", + "method": "GET", + "http_version": 1.1, + "body": [ + "" + ] + }, + "expected": { + "audit_log": "[\"OWASP_CRS/4.25.0\"]", + "http_code": 200 + }, + "rules": [ + "SecAuditEngine On", + "SecAuditLogFormat JSON", + "SecAuditLogParts ABCFHZ", + "SecComponentSignature \"OWASP_CRS/4.25.0\"", + "SecAuditLogDirMode 0766", + "SecAuditLogFileMode 0600", + "SecAuditLog /tmp/audit_component_signature.log", + "SecAuditLogType Serial" + ] } ]