Removed unnecessary memory allocaton, added test

wargio · Jun 29, 2024 · ae9b887 · ae9b887
1 parent 05ef2cf
commit ae9b887
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 20 deletions.
diff --git a/naxsi_src/naxsi_skeleton.c b/naxsi_src/naxsi_skeleton.c
@@ -1742,11 +1742,7 @@ ngx_http_naxsi_learning_variable(ngx_http_request_t*        r,
     return NGX_OK;
   }
 
-  v->data = ngx_palloc(r->pool, 1);
-  if (v->data == NULL) {
-    return NGX_ERROR;
-  }
-  v->data[0]      = ctx->learning ? '1' : '0';
+  v->data         = (u_char*)(ctx->learning ? "1" : "0");
   v->len          = 1;
   v->valid        = 1;
   v->no_cacheable = 0;
@@ -1764,11 +1760,7 @@ ngx_http_naxsi_block_variable(ngx_http_request_t* r, ngx_http_variable_value_t*
     return NGX_OK;
   }
 
-  v->data = ngx_palloc(r->pool, 1);
-  if (v->data == NULL) {
-    return NGX_ERROR;
-  }
-  v->data[0]      = ctx->block ? '1' : '0';
+  v->data         = (u_char*)(ctx->block ? "1" : "0");
   v->len          = 1;
   v->valid        = 1;
   v->no_cacheable = 0;
@@ -2102,25 +2094,17 @@ ngx_http_naxsi_request_id_variable(ngx_http_request_t*        r,
                                    uintptr_t                  data)
 {
   u_char* req_id = naxsi_request_id(r);
-  u_char* id     = NULL;
 
   if (req_id == NULL) {
     v->not_found = 1;
     return NGX_OK;
   }
 
-  id = ngx_pnalloc(r->pool, NAXSI_REQUEST_ID_STRLEN);
-  if (id == NULL) {
-    return NGX_ERROR;
-  }
-
-  memcpy(id, req_id, NAXSI_REQUEST_ID_STRLEN);
-
   v->valid        = 1;
   v->no_cacheable = 0;
   v->not_found    = 0;
   v->len          = NAXSI_REQUEST_ID_STRLEN;
-  v->data         = id;
+  v->data         = req_id;
   return NGX_OK;
 }
 
@@ -2143,7 +2127,7 @@ naxsi_request_id(ngx_http_request_t* req)
     return ctx->request_id;
   }
 
-  /* NAXSI request_id variable does not defined */
+  /* NGINX request_id variable does not defined */
   u_char bytes[NAXSI_REQUEST_ID_SIZE];
 #if (NGX_OPENSSL)
   if (RAND_bytes(bytes, NAXSI_REQUEST_ID_SIZE) != 1)

diff --git a/unit-tests/tests/37attack-var.t b/unit-tests/tests/37attack-var.t
@@ -498,3 +498,30 @@ use URI::Escape;
 --- error_code: 200
 --- response_body: 1000:URL:-,1007:URL:-,1200:ARGS:a,16:BODY:-
 
+
+=== TEST 16.1: Vars - naxsi_request_id
+--- main_config
+load_module $TEST_NGINX_NAXSI_MODULE_SO;
+--- http_config
+include $TEST_NGINX_NAXSI_RULES;
+map $naxsi_request_id $naxsi_req_format {
+    "~^[0-9a-f]{32}$" "Ok";
+    default           "BAD!";
+}
+--- config
+location / {
+    SecRulesEnabled;
+    DeniedUrl "/RequestDenied";
+    CheckRule "$SQL >= 8" BLOCK;
+    CheckRule "$RFI >= 8" BLOCK;
+    CheckRule "$TRAVERSAL >= 4" BLOCK;
+    CheckRule "$XSS >= 8" BLOCK;
+    return 200 "$naxsi_req_format";
+}
+location /RequestDenied {
+    return 412 "$naxsi_req_format";
+}
+--- request
+GET /?a=--select
+--- error_code: 412
+--- response_body: Ok