Request_id new version

wargio · Jun 27, 2024 · 05ef2cf · 05ef2cf
1 parent 2ff7f12
commit 05ef2cf
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 41 deletions.
diff --git a/naxsi_src/naxsi.h b/naxsi_src/naxsi.h
@@ -411,6 +411,9 @@ typedef struct
   /* did libinjection sql/xss matched ? */
   ngx_flag_t libinjection_sql : 1;
   ngx_flag_t libinjection_xss : 1;
+  /* string representation of request_id
+     computed (inherit from NGINX) on demand only */
+  u_char request_id[NAXSI_REQUEST_ID_STRLEN + 1];
 } ngx_http_request_ctx_t;
 
 /*
@@ -480,6 +483,10 @@ typedef struct ngx_http_nx_json_s
 #define RT_POST_ACTION      "naxsi_flag_post_action"
 #define RT_LIBINJECTION_SQL "naxsi_flag_libinjection_sql"
 #define RT_LIBINJECTION_XSS "naxsi_flag_libinjection_xss"
+/*
+** name of other hardcoded variables
+*/
+#define RT_REQUEST_ID "request_id"
 
 /*
 ** To avoid getting DoS'ed, define max depth
@@ -619,7 +626,7 @@ ngx_http_apply_rulematch_v_n(ngx_http_rule_t*        r,
 int
 naxsi_is_illegal_host_name(const ngx_str_t* server_name);
 
-char*
+u_char*
 naxsi_request_id(ngx_http_request_t* req);
 
 /*libinjection_xss wrapper not exported by libinject_xss.h.*/

diff --git a/naxsi_src/naxsi_const.h b/naxsi_src/naxsi_const.h
@@ -6,6 +6,9 @@
 
 #define NAXSI_VERSION "1.7"
 
+#define NAXSI_REQUEST_ID_SIZE   16
+#define NAXSI_REQUEST_ID_STRLEN (NAXSI_REQUEST_ID_SIZE << 1)
+
 #define NAXSI_LOG_JSON_STRLEN (NGX_MAX_ERROR_STR - 100)
 
 /**

diff --git a/naxsi_src/naxsi_runtime.c b/naxsi_src/naxsi_runtime.c
@@ -1133,10 +1133,11 @@ naxsi_create_log_array(ngx_http_request_ctx_t* ctx,
   sz_left -= sub;
   offset += sub;
 
-  char* req_id = naxsi_request_id(r);
-  sub          = 32;
+  const u_char* req_id = naxsi_request_id(r);
+
+  sub = strlen((const char*)req_id);
   if (sz_left > (100 + sub)) {
-    memcpy(fragment->data + offset, req_id, sub);
+    strcpy((char*)(fragment->data + offset), (const char*)req_id);
     if (sub >= sz_left) {
       sub = sz_left - 1;
     }

diff --git a/naxsi_src/naxsi_skeleton.c b/naxsi_src/naxsi_skeleton.c
@@ -598,6 +598,9 @@ ngx_http_naxsi_merge_loc_conf(ngx_conf_t* cf, void* parent, void* child)
 extern ngx_http_rule_t nx_int__libinject_sql;
 extern ngx_http_rule_t nx_int__libinject_xss;
 
+/* static hash for RT_REQUEST_ID string */
+static ngx_uint_t request_id_h;
+
 static ngx_int_t
 ngx_http_naxsi_init(ngx_conf_t* cf)
 {
@@ -649,6 +652,8 @@ ngx_http_naxsi_init(ngx_conf_t* cf)
     }
   }
 
+  request_id_h = ngx_hash_key_lc((u_char*)RT_REQUEST_ID, strlen(RT_REQUEST_ID));
+
   /* initialize prng (used for fragmented logs) */
 #ifndef _WIN32
   srandom(time(0) * getpid());
@@ -1290,13 +1295,13 @@ ngx_http_naxsi_access_handler(ngx_http_request_t* r)
   clock_t                    start, end;
   ngx_http_variable_value_t* lookup;
 
-  static ngx_str_t learning_flag         = ngx_string(RT_LEARNING);
-  static ngx_str_t enable_flag           = ngx_string(RT_ENABLE);
-  static ngx_str_t post_action_flag      = ngx_string(RT_POST_ACTION);
-  static ngx_str_t extensive_log_flag    = ngx_string(RT_EXTENSIVE_LOG);
-  static ngx_str_t json_log_flag         = ngx_string(RT_JSON_LOG);
-  static ngx_str_t libinjection_sql_flag = ngx_string(RT_LIBINJECTION_SQL);
-  static ngx_str_t libinjection_xss_flag = ngx_string(RT_LIBINJECTION_XSS);
+  static const ngx_str_t learning_flag         = ngx_string(RT_LEARNING);
+  static const ngx_str_t enable_flag           = ngx_string(RT_ENABLE);
+  static const ngx_str_t post_action_flag      = ngx_string(RT_POST_ACTION);
+  static const ngx_str_t extensive_log_flag    = ngx_string(RT_EXTENSIVE_LOG);
+  static const ngx_str_t json_log_flag         = ngx_string(RT_JSON_LOG);
+  static const ngx_str_t libinjection_sql_flag = ngx_string(RT_LIBINJECTION_SQL);
+  static const ngx_str_t libinjection_xss_flag = ngx_string(RT_LIBINJECTION_XSS);
 
   ctx = ngx_http_get_module_ctx(r, ngx_http_naxsi_module);
   cf  = ngx_http_get_module_loc_conf(r, ngx_http_naxsi_module);
@@ -1320,7 +1325,7 @@ ngx_http_naxsi_access_handler(ngx_http_request_t* r)
      trying to do something.  */
   if (cf->force_disabled) {
     /* Look if the user did not try to enable naxsi dynamically */
-    lookup = ngx_http_get_variable(r, &enable_flag, cf->flag_enable_h);
+    lookup = ngx_http_get_variable(r, (ngx_str_t*)&enable_flag, cf->flag_enable_h);
     if (lookup && !lookup->not_found && lookup->len > 0) {
       ngx_log_debug(NGX_LOG_DEBUG_HTTP,
                     r->connection->log,
@@ -1390,7 +1395,7 @@ ngx_http_naxsi_access_handler(ngx_http_request_t* r)
     so check len as well */
     ctx->learning = cf->learning;
 
-    lookup = ngx_http_get_variable(r, &learning_flag, cf->flag_learning_h);
+    lookup = ngx_http_get_variable(r, (ngx_str_t*)&learning_flag, cf->flag_learning_h);
     if (lookup && !lookup->not_found && lookup->len > 0) {
 
       ctx->learning = lookup->data[0] - '0';
@@ -1418,7 +1423,7 @@ ngx_http_naxsi_access_handler(ngx_http_request_t* r)
              "XX-dummy : orig enabled : %d",
              ctx->enabled ? 1 : 0);
 
-    lookup = ngx_http_get_variable(r, &enable_flag, cf->flag_enable_h);
+    lookup = ngx_http_get_variable(r, (ngx_str_t*)&enable_flag, cf->flag_enable_h);
     if (lookup && !lookup->not_found && lookup->len > 0) {
       ctx->enabled = lookup->data[0] - '0';
       NX_DEBUG(_debug_modifier,
@@ -1447,8 +1452,8 @@ ngx_http_naxsi_access_handler(ngx_http_request_t* r)
              "XX-dummy : orig libinjection_sql : %d",
              ctx->libinjection_sql ? 1 : 0);
 
-    lookup = ngx_http_get_variable(r, &libinjection_sql_flag, cf->flag_libinjection_sql_h);
-
+    lookup =
+      ngx_http_get_variable(r, (ngx_str_t*)&libinjection_sql_flag, cf->flag_libinjection_sql_h);
     if (lookup && !lookup->not_found && lookup->len > 0) {
       ctx->libinjection_sql = lookup->data[0] - '0';
       NX_DEBUG(_debug_modifier,
@@ -1477,7 +1482,8 @@ ngx_http_naxsi_access_handler(ngx_http_request_t* r)
              "XX-dummy : orig libinjection_xss : %d",
              ctx->libinjection_xss ? 1 : 0);
 
-    lookup = ngx_http_get_variable(r, &libinjection_xss_flag, cf->flag_libinjection_xss_h);
+    lookup =
+      ngx_http_get_variable(r, (ngx_str_t*)&libinjection_xss_flag, cf->flag_libinjection_xss_h);
     if (lookup && !lookup->not_found && lookup->len > 0) {
       ctx->libinjection_xss = lookup->data[0] - '0';
       NX_DEBUG(_debug_modifier,
@@ -1503,7 +1509,7 @@ ngx_http_naxsi_access_handler(ngx_http_request_t* r)
              "XX-dummy : orig post_action : %d",
              ctx->post_action ? 1 : 0);
 
-    lookup = ngx_http_get_variable(r, &post_action_flag, cf->flag_post_action_h);
+    lookup = ngx_http_get_variable(r, (ngx_str_t*)&post_action_flag, cf->flag_post_action_h);
     if (lookup && !lookup->not_found && lookup->len > 0) {
       ctx->post_action = lookup->data[0] - '0';
       NX_DEBUG(_debug_modifier,
@@ -1527,7 +1533,7 @@ ngx_http_naxsi_access_handler(ngx_http_request_t* r)
              "XX-dummy : orig extensive_log : %d",
              ctx->extensive_log ? 1 : 0);
 
-    lookup = ngx_http_get_variable(r, &extensive_log_flag, cf->flag_extensive_log_h);
+    lookup = ngx_http_get_variable(r, (ngx_str_t*)&extensive_log_flag, cf->flag_extensive_log_h);
     if (lookup && !lookup->not_found && lookup->len > 0) {
       ctx->extensive_log = lookup->data[0] - '0';
       NX_DEBUG(_debug_modifier,
@@ -1551,7 +1557,7 @@ ngx_http_naxsi_access_handler(ngx_http_request_t* r)
              "XX-dummy : orig json_log : %d",
              ctx->json_log ? 1 : 0);
 
-    lookup = ngx_http_get_variable(r, &json_log_flag, cf->flag_json_log_h);
+    lookup = ngx_http_get_variable(r, (ngx_str_t*)&json_log_flag, cf->flag_json_log_h);
     if (lookup && !lookup->not_found && lookup->len > 0) {
       ctx->json_log = lookup->data[0] - '0';
       NX_DEBUG(_debug_modifier,
@@ -2095,44 +2101,61 @@ ngx_http_naxsi_request_id_variable(ngx_http_request_t*        r,
                                    ngx_http_variable_value_t* v,
                                    uintptr_t                  data)
 {
-  char*   req_id = naxsi_request_id(r);
+  u_char* req_id = naxsi_request_id(r);
   u_char* id     = NULL;
 
   if (req_id == NULL) {
-    return NGX_ERROR;
+    v->not_found = 1;
+    return NGX_OK;
   }
 
-  id = ngx_pnalloc(r->pool, 32);
+  id = ngx_pnalloc(r->pool, NAXSI_REQUEST_ID_STRLEN);
   if (id == NULL) {
     return NGX_ERROR;
   }
 
-  memcpy(id, req_id, 32);
+  memcpy(id, req_id, NAXSI_REQUEST_ID_STRLEN);
 
   v->valid        = 1;
   v->no_cacheable = 0;
   v->not_found    = 0;
-  v->len          = 32;
+  v->len          = NAXSI_REQUEST_ID_STRLEN;
   v->data         = id;
   return NGX_OK;
 }
 
-char*
+u_char*
 naxsi_request_id(ngx_http_request_t* req)
 {
-  ngx_http_variable_value_t* lookup;
+  ngx_http_request_ctx_t* ctx = recover_request_ctx(req);
+  if (!ctx)
+    return NULL;
 
-  static ngx_str_t  request_id_varname  = ngx_string("request_id");
-  static ngx_uint_t request_id_h        = 0;
-  static char       request_id_dump[33] = { 0 };
+  if (ctx->request_id[0] != 0)
+    return ctx->request_id;
 
-  if (request_id_h == 0)
-    request_id_h = ngx_hash_key_lc(request_id_varname.data, request_id_varname.len);
+  static const ngx_str_t     request_id_varname = ngx_string(RT_REQUEST_ID);
+  ngx_http_variable_value_t* lookup;
 
-  lookup = ngx_http_get_variable(req, &request_id_varname, request_id_h);
+  lookup = ngx_http_get_variable(req, (ngx_str_t*)&request_id_varname, request_id_h);
   if (lookup && !lookup->not_found && lookup->len > 0) {
-    memcpy(request_id_dump, lookup->data, 32);
-    return request_id_dump;
+    memcpy(ctx->request_id, lookup->data, NAXSI_REQUEST_ID_STRLEN);
+    return ctx->request_id;
   }
-  return NULL;
+
+  /* NAXSI request_id variable does not defined */
+  u_char bytes[NAXSI_REQUEST_ID_SIZE];
+#if (NGX_OPENSSL)
+  if (RAND_bytes(bytes, NAXSI_REQUEST_ID_SIZE) != 1)
+    return NULL;
+#else
+  uint32_t*    bytes32 = (uint32_t*)bytes;
+  const size_t len     = (NAXSI_REQUEST_ID_SIZE / sizeof(uint32_t));
+
+  for (size_t i = 0; i < len; i++) {
+    bytes32[i] = (uint32_t)ngx_random();
+  }
+#endif
+  ngx_hex_dump(ctx->request_id, bytes, NAXSI_REQUEST_ID_SIZE);
+  return ctx->request_id;
 }
diff --git a/naxsi_src/naxsi_utils.c b/naxsi_src/naxsi_utils.c
@@ -947,9 +947,9 @@ naxsi_log_offending_as_json(ngx_http_request_ctx_t* ctx,
   ngx_str_t*                 str = NULL;
   ngx_http_naxsi_loc_conf_t* cf  = NULL;
 
-  char    json[NAXSI_LOG_JSON_STRLEN];
-  char *  out = json + 1, *end = (json + sizeof(json)) - 2;
-  u_char* req_id = (u_char*)naxsi_request_id(req);
+  char          json[NAXSI_LOG_JSON_STRLEN];
+  char *        out = json + 1, *end = (json + sizeof(json)) - 2;
+  const u_char* req_id = naxsi_request_id(req);
 
   // json object begin
   json[0] = '{';
@@ -971,7 +971,7 @@ naxsi_log_offending_as_json(ngx_http_request_ctx_t* ctx,
   }
 
   // request id
-  out    = naxsi_log_as_json_string(out, end, "rid", req_id, 32);
+  out    = naxsi_log_as_json_string(out, end, "rid", req_id, strlen((const char*)req_id));
   *out++ = ',';
   if (out >= end) {
     goto log_json;
@@ -1065,7 +1065,7 @@ naxsi_log_offending(ngx_http_request_ctx_t* ctx,
   ngx_http_naxsi_loc_conf_t* cf;
   ngx_str_t                  tmp_uri = { 0 }, tmp_val = { 0 }, tmp_name = { 0 };
   ngx_str_t                  empty  = ngx_string("");
-  char*                      req_id = naxsi_request_id(req);
+  const u_char*              req_id = naxsi_request_id(req);
 
   cf = ngx_http_get_module_loc_conf(req, ngx_http_naxsi_module);