Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature request] Expose Modsecurity variables to ngx/LUA #234

Open
cbornet opened this issue Dec 23, 2020 · 3 comments
Open

[Feature request] Expose Modsecurity variables to ngx/LUA #234

cbornet opened this issue Dec 23, 2020 · 3 comments

Comments

@cbornet
Copy link

cbornet commented Dec 23, 2020

It would be nice to have the variables of Modsecurity exposed to ngx/LUA (ngx.var).
So we can do some treatment on the transaction (eg. increment a Prometheus counter, set headers, ...)
Something like having the variables $modsecurity_tx, $modsecurity_env, $modsecurity_geo available.
Also having the possibility to get all the rules that matched and their metadata (I'm not sure in which var they are stored).
Do you think that's feasible ?
@zimmerle
Copy link
Contributor

That sounds like a great idea.

We already exchange variables within Lua -
https://github.com/SpiderLabs/ModSecurity/blob/f18595f42830f2f0ac27362a8b31120e3dfb850c/src/engine/lua.cc#L258-L281

We also exchange transformations -
https://github.com/SpiderLabs/ModSecurity/blob/f18595f42830f2f0ac27362a8b31120e3dfb850c/src/engine/lua.cc#L412-L478

Alternatively, libModSecurity could be ported to Lua (bindings) and all the inspection could be held on a Lua script.

@fl0ppy-d1sk
Copy link

Hello @zimmerle, any news on that feature ?

@pr4u4t
Copy link

pr4u4t commented Oct 19, 2021
edited
Loading

Hi, @zimmerle, @fl0ppy-d1sk, @cbornet.
I've been investigating this topic for a while.

  1. Nginx variables are defined 'statically', every variable must be defined by filling ngx_http_variable_t and then calling ngx_http_add_variable. Handler to add variables must be placed in ngx_http_module_t ngx_http_modsecurity_ctx in preconfiguration. So using modsecurity variables in ngx configuration is highly ineffective.
  2. Situation looks better with Lua, libModsecurity must be patched with: pull style API and following code must be added to ngx_http_modsecurity_module.c of ModSecurity-nginx
const char *ngx_modsecurity_lua_ffi_transaction_variable(ngx_http_request_t *r,const char *v){
    ngx_http_modsecurity_ctx_t *ctx = NULL;
    Transaction *t = NULL;
    
    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
    if (ctx == NULL){
        dd("no ctx found");
        return NULL;
    }
    
    t = ctx->modsec_transaction;
    
    if (t == NULL){
        dd("no transaction found")
        return NULL;
    }
    
    return msc_get_transaction_variable(t,v);
}

Having this, variable value can be obtained from Lua code using FFI function call:

local base = require "resty.core.base"
local get_request = base.get_request
local ffi = require "ffi"
local C = ffi.C
local msc = {}

ffi.cdef[[
        typedef void ngx_http_request_t;
        const char *ngx_modsecurity_lua_ffi_transaction_variable(ngx_http_request_t *r, const char *var_name);
]]

msc.transaction_variable  = C.ngx_modsecurity_lua_ffi_transaction_variable

local anoscore = msc.transaction_variable(get_request(),'tx:anomaly_score')

I could provide patch and pull request for existing ModSecurity-nginx connector with Lua code to obtain variable in such way.

  1. libModSecurity functions can be called from Lua, I'm finishing a binding that could be used with nginx/openresty to perform security evaluation. Which can be viewed pr4u4t/ModSecurity-Lua

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@zimmerle @cbornet @fl0ppy-d1sk @pr4u4t