Try to address the response headers in the right place

zimmerle · zimmerle · commit 1ff22591cae4 · 2016-03-15T17:58:52.000-03:00
This is the very first attempt to address the response headers in
the right place.
diff --git a/config b/config
@@ -92,6 +92,8 @@ if test -n "$ngx_module_link"; then
         ngx_module_libs="$ngx_feature_libs"
         ngx_module_incs="$ngx_feature_path"
 
+    ngx_module_order="$ngx_module_name ngx_http_chunked_filter_module"
+
 	. auto/module
 else
 	CFLAGS="$ngx_modsecurity_opt_I $CFLAGS"
diff --git a/src/ddebug.h b/src/ddebug.h
@@ -17,6 +17,16 @@
 
 
 #define DDEBUG 0
+/*
+ * Setting MODSECURITY_SANITY_CHECKS will help you in the debug process. By
+ * defining MODSECURITY_SANITY_CHECKS a set of functions will be executed in
+ * order to make sure the well behavior of ModSecurity, letting you know (via
+ * debug_logs) if something unexpected happens.
+ *
+ * If performance is not a concern, it is safe to keep it set.
+ *
+ */
+#define MODSECURITY_SANITY_CHECKS 1
 
 #if defined(DDEBUG) && (DDEBUG)
 
diff --git a/src/ngx_http_modsecurity_body_filter.c b/src/ngx_http_modsecurity_body_filter.c
@@ -41,6 +41,9 @@ ngx_int_t ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *i
     int buffer_fully_loadead = 0;
     ngx_chain_t *chain = in;
     ngx_http_modsecurity_ctx_t *ctx = NULL;
+    ngx_list_part_t *part = &r->headers_out.headers.part;
+    ngx_table_elt_t *data = part->elts;
+    ngx_uint_t i = 0;
 
     if (in == NULL) {
         return ngx_http_next_body_filter(r, in);
@@ -54,6 +57,63 @@ ngx_int_t ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *i
         return ngx_http_next_body_filter(r, in);
     }
 
+#ifdef MODSECURITY_SANITY_CHECKS
+    /*
+     * Identify if there is a header that was not inspected by ModSecurity.
+     *
+     */
+    for (i = 0; ; i++) {
+        int found = 0;
+        ngx_uint_t j = 0;
+        ngx_table_elt_t *s1;
+        ngx_http_modsecurity_header_t *vals;
+
+        if (i >= part->nelts)
+        {
+            if (part->next == NULL)
+            {
+                break;
+            }
+
+            part = part->next;
+            data = part->elts;
+            i = 0;
+        }
+
+        vals = ctx->headers_out->elts;
+        s1 = &data[i];
+        /*
+         * Headers that were inspected by ModSecurity.
+         *
+         */
+        while (j < ctx->headers_out->nelts)
+        {
+            ngx_str_t *s2 = &vals[j].name;
+            ngx_str_t *s3 = &vals[j].value;
+
+            if (s1->key.len == s2->len && ngx_strncmp(s1->key.data, s2->data, s1->key.len) == 0)
+            {
+                if (s1->value.len == s3->len && ngx_strncmp(s1->value.data, s3->data, s1->value.len) == 0)
+                {
+                    found = 1;
+                    break;
+                }
+            }
+            j++;
+        }
+        if (!found) {
+            dd("header: `%.*s' with value: `%.*s' was not inpected by ModSecurity",
+                (int) s1->key.len,
+                (const char *) s1->key.data,
+                (int) s1->value.len,
+                (const char *) s1->value.data);
+
+            return ngx_http_filter_finalize_request(r,
+                &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR);
+        }
+    }
+#endif
+
     for (; chain != NULL; chain = chain->next)
     {
         if (chain->buf->last_buf)
diff --git a/src/ngx_http_modsecurity_common.h b/src/ngx_http_modsecurity_common.h
@@ -25,11 +25,29 @@
 #include <modsecurity/transaction.h>
 #include <modsecurity/rules.h>
 
+typedef struct {
+    ngx_str_t name;
+    ngx_str_t value;
+} ngx_http_modsecurity_header_t;
+
+
 typedef struct {
     ngx_http_request_t *r;
     Transaction *modsec_transaction;
     ModSecurityIntervention *delayed_intervention;
 
+#ifdef MODSECURITY_SANITY_CHECKS
+    /*
+     * Should be filled with the headers that were sent to ModSecurity.
+     *
+     * The idea is to compare this set of headers with the headers that were
+     * sent to the client. This check was placed because we don't have control
+     * over other modules, thus, we may partially inspect the headers.
+     *
+     */
+    ngx_array_t *headers_out;
+#endif
+
     unsigned waiting_more_body:1;
     unsigned body_requested:1;
     unsigned processed:1;
@@ -55,6 +73,16 @@ typedef struct {
 } ngx_http_modsecurity_main_conf_t;
 
 
+typedef ngx_int_t (*ngx_http_modsecurity_resolv_header_pt)(ngx_http_request_t *r, ngx_str_t name, off_t offset);
+
+
+typedef struct {
+    ngx_str_t name;
+    ngx_uint_t offset;
+    ngx_http_modsecurity_resolv_header_pt resolver;
+} ngx_http_modsecurity_header_out_t;
+
+
 extern ngx_module_t ngx_http_modsecurity;
 extern ngx_http_output_header_filter_pt ngx_http_modsecurity_next_header_filter;
 extern ngx_http_output_body_filter_pt ngx_http_modsecurity_next_body_filter;
@@ -64,5 +92,7 @@ extern int ngx_http_modsecurity_process_intervention (Transaction *transaction,
 extern ngx_http_modsecurity_ctx_t *ngx_http_modsecurity_create_ctx(ngx_http_request_t *r);
 extern char *ngx_str_to_char(ngx_str_t a, ngx_pool_t *p);
 
+typedef ngx_str_t (*ngx_http_modsecurity_get_header_pt)(ngx_http_request_t *r, void *value);
+
 
 #endif
diff --git a/src/ngx_http_modsecurity_header_filter.c b/src/ngx_http_modsecurity_header_filter.c
diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
