Avoid extra processing of subsequent interventions if one was already triggered

defanator · defanator · commit 4f26b48998db · 2021-02-03T18:13:38.000+03:00
diff --git a/src/ngx_http_modsecurity_body_filter.c b/src/ngx_http_modsecurity_body_filter.c
@@ -56,6 +56,10 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
 return ngx_http_next_body_filter(r, in);
 }
 
+ if (ctx->intervention_triggered){
+ return ngx_http_next_body_filter(r, in);
+ }
+
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
 mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
 if (mcf != NULL && mcf->sanity_checks_enabled != NGX_CONF_UNSET)
diff --git a/src/ngx_http_modsecurity_common.h b/src/ngx_http_modsecurity_common.h
@@ -97,6 +97,7 @@ typedef struct{
 unsigned waiting_more_body:1;
 unsigned body_requested:1;
 unsigned processed:1;
+ unsigned intervention_triggered:1;
 } ngx_http_modsecurity_ctx_t;
 
 
diff --git a/src/ngx_http_modsecurity_header_filter.c b/src/ngx_http_modsecurity_header_filter.c
@@ -430,6 +430,10 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
 return ngx_http_next_header_filter(r);
 }
 
+ if (ctx->intervention_triggered){
+ return ngx_http_next_header_filter(r);
+ }
+
 /* XXX: can it happen ? already processed i mean */
 /* XXX: check behaviour on 'ModSecurity off' */
 
diff --git a/src/ngx_http_modsecurity_pre_access.c b/src/ngx_http_modsecurity_pre_access.c
@@ -78,6 +78,10 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
 return NGX_HTTP_INTERNAL_SERVER_ERROR;
 }
 
+ if (ctx->intervention_triggered){
+ return NGX_DECLINED;
+ }
+
 if (ctx->waiting_more_body == 1)
{
 dd("waiting for more data before proceed. / count: %d",
diff --git a/src/ngx_http_modsecurity_rewrite.c b/src/ngx_http_modsecurity_rewrite.c
@@ -117,6 +117,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
 dd("Processing intervention with the connection information filled in");
 ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);
 if (ret > 0){
+ ctx->intervention_triggered = 1;
 return ret;
 }
 
@@ -157,6 +158,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
 dd("Processing intervention with the transaction information filled in (uri, method and version)");
 ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);
 if (ret > 0){
+ ctx->intervention_triggered = 1;
 return ret;
 }
 
@@ -208,6 +210,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
 return NGX_DECLINED;
 }
 if (ret > 0){
+ ctx->intervention_triggered = 1;
 return ret;
 }
 }

-Original file line number
+Diff line change
 returnngx_http_next_body_filter(r, in);
+ }
 +if (ctx->intervention_triggered){
 +returnngx_http_next_body_filter(r, in);
 + }
++
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
 mcf=ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
 if (mcf!=NULL&&mcf->sanity_checks_enabled!=NGX_CONF_UNSET)
-Original file line number
+Diff line change
 unsignedwaiting_more_body:1;
 unsignedbody_requested:1;
 unsignedprocessed:1;
 +unsignedintervention_triggered:1;
 } ngx_http_modsecurity_ctx_t;
Original file line number	Diff line number	Diff line change
`@@ -430,6 +430,10 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)`
`430`	`430`	`returnngx_http_next_header_filter(r);`
`431`	`431`	`}`
`432`	`432`
	`433`	`+if (ctx->intervention_triggered){`
	`434`	`+returnngx_http_next_header_filter(r);`
	`435`	`+ }`
	`436`	`+`
`433`	`437`	`/* XXX: can it happen ? already processed i mean */`
`434`	`438`	`/* XXX: check behaviour on 'ModSecurity off' */`
`435`	`439`
Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,10 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)`
`78`	`78`	`returnNGX_HTTP_INTERNAL_SERVER_ERROR;`
`79`	`79`	`}`
`80`	`80`
	`81`	`+if (ctx->intervention_triggered){`
	`82`	`+returnNGX_DECLINED;`
	`83`	`+ }`
	`84`	`+`
`81`	`85`	`if (ctx->waiting_more_body==1)`
`82`	`86`	`{`
`83`	`87`	`dd("waiting for more data before proceed. / count: %d",`
Original file line number	Diff line number	Diff line change
`@@ -117,6 +117,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)`
`117`	`117`	`dd("Processing intervention with the connection information filled in");`
`118`	`118`	`ret=ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);`
`119`	`119`	`if (ret>0){`
	`120`	`+ctx->intervention_triggered=1;`
`120`	`121`	`returnret;`
`121`	`122`	`}`
`122`	`123`
`@@ -157,6 +158,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)`
`157`	`158`	`dd("Processing intervention with the transaction information filled in (uri, method and version)");`
`158`	`159`	`ret=ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);`
`159`	`160`	`if (ret>0){`
	`161`	`+ctx->intervention_triggered=1;`
`160`	`162`	`returnret;`
`161`	`163`	`}`
`162`	`164`
`@@ -208,6 +210,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)`
`208`	`210`	`returnNGX_DECLINED;`
`209`	`211`	`}`
`210`	`212`	`if (ret>0){`
	`213`	`+ctx->intervention_triggered=1;`
`211`	`214`	`returnret;`
`212`	`215`	`}`
`213`	`216`	`}`