feat: ctl:ruleRemoveTargetById regex support (maintainer's approach)

- Compile regex at config load, not per-request
- RuleRemoveTargetByIdEntry struct: literal or shared_ptr<Regex>
- Test 2 (ARGS:/mixpanel$/) passes; Test 1 blocked by parser owasp-modsecurity#2927

Made-with: Cursor

Author: etiennemunnich

headers/modsecurity/rule_remove_target_entry.h

@@ -0,0 +1,71 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#ifndef HEADERS_MODSECURITY_RULE_REMOVE_TARGET_ENTRY_H_
+#define HEADERS_MODSECURITY_RULE_REMOVE_TARGET_ENTRY_H_
+
+#include <memory>
+#include <string>
+
+#include "src/utils/regex.h"
+
+namespace modsecurity {
+
+/**
+ * Entry for ctl:ruleRemoveTargetById exclusion.
+ * Supports literal target (e.g. ARGS:pwd) or regex (e.g. ARGS:/^json\.\d+\.JobDescription$/).
+ * Regex is compiled at config load (maintainer's approach).
+ */
+struct RuleRemoveTargetByIdEntry {
+    int id;
+    std::string literal;
+    std::shared_ptr<Utils::Regex> regex;  // shared: same compiled regex reused per request
+
+    /**
+     * Match VariableValue. For regex: match against key (dict element).
+     * For literal: match against keyWithCollection (e.g. ARGS:mixpanel).
+     */
+    bool matches(const std::string &key, const std::string &keyWithCollection) const {
+        if (regex) {
+            return regex->searchAll(key).size() > 0;
+        }
+        return literal == keyWithCollection;
+    }
+
+    /**
+     * Match Variable (for getFinalVars). Uses case-insensitive literal match.
+     * Regex uses key from variable's fullName (extract part after colon).
+     */
+    bool matchesVariable(const std::string &fullName) const {
+        if (regex) {
+            size_t colon = fullName.find(':');
+            std::string keyPart = (colon != std::string::npos && colon + 1 < fullName.size())
+                ? fullName.substr(colon + 1) : fullName;
+            return regex->searchAll(keyPart).size() > 0;
+        }
+        if (literal.size() != fullName.size()) {
+            return false;
+        }
+        return std::equal(literal.begin(), literal.end(), fullName.begin(),
+            [](char a, char b) {
+                return std::tolower(static_cast<unsigned char>(a)) ==
+                       std::tolower(static_cast<unsigned char>(b));
+            });
+    }
+};
+
+}  // namespace modsecurity
+
+#endif  // HEADERS_MODSECURITY_RULE_REMOVE_TARGET_ENTRY_H_

headers/modsecurity/transaction.h

@@ -51,6 +51,9 @@ typedef struct Rules_t RulesSet;
 #include "modsecurity/variable_origin.h"
 #include "modsecurity/anchored_set_variable_translation_proxy.h"
 #include "modsecurity/audit_log.h"
+#ifdef __cplusplus
+#include "modsecurity/rule_remove_target_entry.h"
+#endif
 
 
 #ifndef NO_LOGS
@@ -525,7 +528,7 @@ class Transaction : public TransactionAnchoredVariables, public TransactionSecMa
     /**
      *
      */
-    std::list< std::pair<int, std::string> > m_ruleRemoveTargetById;
+    std::list<RuleRemoveTargetByIdEntry> m_ruleRemoveTargetById;
 
     /**
      *

src/actions/ctl/rule_remove_target_by_id.cc

@@ -19,9 +19,12 @@
 #include <string>
 #include <vector>
 #include <utility>
+#include <memory>
 
 #include "modsecurity/transaction.h"
+#include "modsecurity/rule_remove_target_entry.h"
 #include "src/utils/string.h"
+#include "src/utils/regex.h"
 
 
 namespace modsecurity {
@@ -48,12 +51,35 @@ bool RuleRemoveTargetById::init(std::string *error) {
 
     m_target = param[1];
 
+    // Detect regex format: COLLECTION:/pattern/ (e.g. ARGS:/mixpanel$/)
+    if (m_target.size() >= 4) {
+        size_t colon = m_target.find(':');
+        if (colon != std::string::npos && colon + 2 < m_target.size() &&
+            m_target[colon + 1] == '/' && m_target[m_target.size() - 1] == '/') {
+            size_t pattern_start = colon + 2;
+            size_t pattern_end = m_target.size() - 1;
+            if (pattern_end > pattern_start) {
+                std::string pattern = m_target.substr(pattern_start,
+                    pattern_end - pattern_start);
+                m_regex = std::make_unique<Utils::Regex>(pattern, true);
+                if (m_regex->hasError()) {
+                    error->assign("Invalid regex in ctl:ruleRemoveTargetById: " +
+                        m_target);
+                    return false;
+                }
+            }
+        }
+    }
+
     return true;
 }
 
 bool RuleRemoveTargetById::evaluate(RuleWithActions *rule, Transaction *transaction) {
-    transaction->m_ruleRemoveTargetById.push_back(
-        std::make_pair(m_id, m_target));
+    RuleRemoveTargetByIdEntry entry;
+    entry.id = m_id;
+    entry.literal = m_target;
+    entry.regex = m_regex;  // shared_ptr: reuse pre-compiled regex
+    transaction->m_ruleRemoveTargetById.push_back(std::move(entry));
     return true;
 }
 

src/actions/ctl/rule_remove_target_by_id.h

@@ -13,10 +13,12 @@
  *
  */
 
+#include <memory>
 #include <string>
 
 #include "modsecurity/actions/action.h"
 #include "modsecurity/transaction.h"
+#include "src/utils/regex.h"
 
 
 #ifndef SRC_ACTIONS_CTL_RULE_REMOVE_TARGET_BY_ID_H_
@@ -39,6 +41,7 @@ class RuleRemoveTargetById : public Action {
 
     int m_id;
     std::string m_target;
+    std::shared_ptr<Utils::Regex> m_regex;  // pre-compiled at config load
 };
 
 

src/rule_with_operator.cc

@@ -166,15 +166,8 @@ inline void RuleWithOperator::getFinalVars(variables::Variables *vars,
         if (std::find_if(trans->m_ruleRemoveTargetById.begin(),
                 trans->m_ruleRemoveTargetById.end(),
                 [&, variable, this](const auto &m) -> bool {
-                    const auto& str1 = m.second;
-                    const auto& str2 = *variable->m_fullName.get();
-                    return m.first == m_ruleId &&
-                           str1.size() == str2.size() &&
-                           std::equal(str1.begin(), str1.end(), str2.begin(),
-                                      [](char a, char b) {
-                                          return std::tolower(static_cast<unsigned char>(a)) ==
-                                                 std::tolower(static_cast<unsigned char>(b));
-                                      }); // end-of std::equal
+                    return m.id == m_ruleId &&
+                           m.matchesVariable(*variable->m_fullName.get());
                 }) != trans->m_ruleRemoveTargetById.end()) {
             continue;
         }
@@ -266,7 +259,8 @@ bool RuleWithOperator::evaluate(Transaction *trans,
                 std::find_if(trans->m_ruleRemoveTargetById.begin(),
                     trans->m_ruleRemoveTargetById.end(),
                     [&, v, this](const auto &m) -> bool {
-                        return m.first == m_ruleId && m.second == v->getKeyWithCollection();
+                        return m.id == m_ruleId &&
+                               m.matches(v->getKey(), v->getKeyWithCollection());
                     }) != trans->m_ruleRemoveTargetById.end()
             ) {
                 delete v;

test/benchmark/Makefile.am

@@ -33,6 +33,7 @@ benchmark_LDFLAGS = \
 	$(LUA_LDFLAGS)
 
 benchmark_CPPFLAGS = \
+	-I$(top_srcdir) \
 	-I$(top_builddir)/headers \
 	$(GLOBAL_CPPFLAGS) \
 	$(PCRE_CFLAGS) \

tools/rules-check/Makefile.am

@@ -30,6 +30,7 @@ modsec_rules_check_LDFLAGS = \
 	$(LIBXML2_LDFLAGS)
 
 modsec_rules_check_CPPFLAGS = \
+	-I$(top_srcdir) \
 	-I$(top_builddir)/headers \
 	$(GLOBAL_CPPFLAGS) \
 	$(PCRE_CFLAGS) \