feat: regex key support for ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByTag

Add regex pattern matching in the variable-key position of
ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByTag, enabling
exclusions like:

  ctl:ruleRemoveTargetById=932125;ARGS:/^json\.\d+\.JobDescription$/
  ctl:ruleRemoveTargetByTag=XSS;ARGS:/^json\.\d+\.JobDescription$/

JSON body processing generates argument names with dynamic array
indices (json.0.Field, json.1.Field, ...). Without regex keys,
operators cannot scope exclusions to specific keys without listing
every possible index or disabling rules entirely.

Design:
- Regex detected by /pattern/ delimiter in COLLECTION:/pattern/
- Compiled once at config load via Utils::Regex (PCRE2/PCRE1)
- Stored as shared_ptr - zero per-request compilation
- Literal targets continue to work unchanged (no breaking change)
- Shared RuleRemoveTargetSpec struct used by both ById and ByTag
- Lexer REMOVE_RULE_TARGET_VALUE class shared by both actions

Aligns ModSecurity v3 with Coraza (corazawaf/coraza#1561).

Fixes owasp-modsecurity#3505

Author: etiennemunnich

headers/modsecurity/rule_remove_target_entry.h

@@ -24,31 +24,23 @@
 namespace modsecurity {
 
 /**
- * Entry for ctl:ruleRemoveTargetById exclusion.
+ * Shared target-matching logic for ctl:ruleRemoveTarget{ById,ByTag}.
  * Supports literal target (e.g. ARGS:pwd) or regex (e.g. ARGS:/^json\.\d+\.JobDescription$/).
- * Regex is compiled at config load (maintainer's approach).
+ * Regex is compiled at config load time.
  */
-struct RuleRemoveTargetByIdEntry {
-    int id;
+struct RuleRemoveTargetSpec {
     std::string literal;
-    std::shared_ptr<Utils::Regex> regex;  // shared: same compiled regex reused per request
+    std::shared_ptr<Utils::Regex> regex;
 
-    /**
-     * Match VariableValue. For regex: match against key (dict element).
-     * For literal: match against keyWithCollection (e.g. ARGS:mixpanel).
-     */
-    bool matches(const std::string &key, const std::string &keyWithCollection) const {
+    bool matchesKeyWithCollection(const std::string &key,
+                                  const std::string &keyWithCollection) const {
         if (regex) {
             return regex->searchAll(key).size() > 0;
         }
         return literal == keyWithCollection;
     }
 
-    /**
-     * Match Variable (for getFinalVars). Uses case-insensitive literal match.
-     * Regex uses key from variable's fullName (extract part after colon).
-     */
-    bool matchesVariable(const std::string &fullName) const {
+    bool matchesFullName(const std::string &fullName) const {
         if (regex) {
             size_t colon = fullName.find(':');
             std::string keyPart = (colon != std::string::npos && colon + 1 < fullName.size())
@@ -66,6 +58,18 @@ struct RuleRemoveTargetByIdEntry {
     }
 };
 
+
+struct RuleRemoveTargetByIdEntry {
+    int id;
+    RuleRemoveTargetSpec target;
+};
+
+
+struct RuleRemoveTargetByTagEntry {
+    std::string tag;
+    RuleRemoveTargetSpec target;
+};
+
 }  // namespace modsecurity
 
 #endif  // HEADERS_MODSECURITY_RULE_REMOVE_TARGET_ENTRY_H_

headers/modsecurity/transaction.h

@@ -523,7 +523,7 @@ class Transaction : public TransactionAnchoredVariables, public TransactionSecMa
     /**
      *
      */
-    std::list< std::pair<std::string, std::string> > m_ruleRemoveTargetByTag;
+    std::list<RuleRemoveTargetByTagEntry> m_ruleRemoveTargetByTag;
 
     /**
      *

src/actions/ctl/rule_remove_target_by_id.cc

@@ -77,8 +77,8 @@ bool RuleRemoveTargetById::init(std::string *error) {
 bool RuleRemoveTargetById::evaluate(RuleWithActions *rule, Transaction *transaction) {
     RuleRemoveTargetByIdEntry entry;
     entry.id = m_id;
-    entry.literal = m_target;
-    entry.regex = m_regex;  // shared_ptr: reuse pre-compiled regex
+    entry.target.literal = m_target;
+    entry.target.regex = m_regex;
     transaction->m_ruleRemoveTargetById.push_back(std::move(entry));
     return true;
 }

src/actions/ctl/rule_remove_target_by_tag.cc

@@ -19,9 +19,12 @@
 #include <string>
 #include <vector>
 #include <utility>
+#include <memory>
 
 #include "modsecurity/transaction.h"
+#include "modsecurity/rule_remove_target_entry.h"
 #include "src/utils/string.h"
+#include "src/utils/regex.h"
 
 
 namespace modsecurity {
@@ -41,12 +44,34 @@ bool RuleRemoveTargetByTag::init(std::string *error) {
     m_tag = param[0];
     m_target = param[1];
 
+    if (m_target.size() >= 4) {
+        size_t colon = m_target.find(':');
+        if (colon != std::string::npos && colon + 2 < m_target.size() &&
+            m_target[colon + 1] == '/' && m_target[m_target.size() - 1] == '/') {
+            size_t pattern_start = colon + 2;
+            size_t pattern_end = m_target.size() - 1;
+            if (pattern_end > pattern_start) {
+                std::string pattern = m_target.substr(pattern_start,
+                    pattern_end - pattern_start);
+                m_regex = std::make_unique<Utils::Regex>(pattern, true);
+                if (m_regex->hasError()) {
+                    error->assign("Invalid regex in ctl:ruleRemoveTargetByTag: " +
+                        m_target);
+                    return false;
+                }
+            }
+        }
+    }
+
     return true;
 }
 
 bool RuleRemoveTargetByTag::evaluate(RuleWithActions *rule, Transaction *transaction) {
-    transaction->m_ruleRemoveTargetByTag.push_back(
-        std::make_pair(m_tag, m_target));
+    RuleRemoveTargetByTagEntry entry;
+    entry.tag = m_tag;
+    entry.target.literal = m_target;
+    entry.target.regex = m_regex;
+    transaction->m_ruleRemoveTargetByTag.push_back(std::move(entry));
     return true;
 }
 

src/actions/ctl/rule_remove_target_by_tag.h

@@ -13,10 +13,12 @@
  *
  */
 
+#include <memory>
 #include <string>
 
 #include "modsecurity/actions/action.h"
 #include "modsecurity/transaction.h"
+#include "src/utils/regex.h"
 
 
 #ifndef SRC_ACTIONS_CTL_RULE_REMOVE_TARGET_BY_TAG_H_
@@ -37,6 +39,7 @@ class RuleRemoveTargetByTag : public Action {
 
     std::string m_tag;
     std::string m_target;
+    std::shared_ptr<Utils::Regex> m_regex;
 };