From d2b14de26860916bcd80864b5e985cada9c638f5 Mon Sep 17 00:00:00 2001
From: Felipe Zimmerle
Date: Thu, 29 Nov 2018 10:37:23 -0300
Subject: [PATCH] Allow 0 length JSON requests

As discussed at: #1822
---
 CHANGES | 2 +
 src/transaction.cc | 2 +-
 .../regression/request-body-parser-json.json | 75 ++++++++++++++++++-
 3 files changed, 76 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 1164ca34c7..b261a645c1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 v3.0.4 - YYYY-MMM-DD (to be released)
 -------------------------------------
+ - Allow 0 length JSON requests.
+ [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
  - Fix "make dist" target to include default configuration
  [Issue #1966 - @defanator]
  - Replaced log locking using mutex with fcntl lock
diff --git a/src/transaction.cc b/src/transaction.cc
index 5795a8ff06..693bed6b90 100644
--- a/src/transaction.cc
+++ b/src/transaction.cc
@@ -734,7 +734,7 @@ int Transaction::processRequestBody() {
 &error);
 m_json->complete(&error);
 }
- if (error.empty() == false) {
+ if (error.empty() == false && m_requestBody.str().size() > 0) {
 m_variableReqbodyError.set("1", m_variableOffset);
 m_variableReqbodyProcessorError.set("1", m_variableOffset);
 m_variableReqbodyErrorMsg.set("JSON parsing error: " + error,
diff --git a/test/test-cases/regression/request-body-parser-json.json b/test/test-cases/regression/request-body-parser-json.json
index fc5749d779..c13a432969 100644
--- a/test/test-cases/regression/request-body-parser-json.json
+++ b/test/test-cases/regression/request-body-parser-json.json
@@ -2,7 +2,7 @@
 {
 "enabled":1,
 "version_min":300000,
- "title":"Testing JSON request body parser 1/1",
+ "title":"Testing JSON request body parser 1/2",
 "expected":{
 "debug_log": "Target value: \"bar\" \\(Variable: ARGS:json.foo\\)"
 },
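Review bot: The new condition in the transaction.cc hunk masks the parser's error after the fact rather than not driving the parser at all for a zero-length body, so `m_json->complete(&error)` on the context line above still runs and its error string is then discarded without any trace in the debug log; it would be clearer to test the body length before the parser is fed and to emit a debug-level line in the suppressed case, e.g. `// Empty body with a JSON content type is accepted (#1822): no REQBODY_ERROR is raised`. `m_requestBody.str().size() > 0` also materializes a full copy of the request body just to test for emptiness — if `m_requestBody` is an ostringstream, as the `.str()` call suggests, `m_requestBody.tellp() > 0` avoids that copy, and `!error.empty()` reads better than `error.empty() == false`. Note that a body made only of whitespace still has a non-zero size and so keeps setting REQBODY_ERROR=1; if that is intended, a one-line comment saying so would stop the check from being widened later. `processRequestBody()` begins and ends outside the hunk.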
@@ -41,7 +41,7 @@
 {
 "enabled":1,
 "version_min":300000,
- "title":"Testing JSON request body parser 1/1",
+ "title":"Testing JSON request body parser 2/2",
 "expected":{
 "debug_log": "Target value: \"bar\" \\(Variable: ARGS:json.first_level.first_key\\)"
 },
@@ -79,6 +79,77 @@
 "SecRule REQUEST_HEADERS:Content-Type \"application/json\" \"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"",
 "SecRule ARGS \"bar\" \"id:'200441',phase:3,log\""
 ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Testing JSON request body parser - issue #1822 (1/2)",
+ "expected":{
+ "debug_log": "Target value: \"0\" .Variable: REQBODY_ERROR."
+ },
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "request":{
+ "headers":{
+ "Host":"localhost",
+ "User-Agent":"curl/7.38.0",
+ "Accept":"*/*",
+ "Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
+ "Content-Type": "application/json"
+ },
+ "uri":"/?key=value&key=other_value",
+ "method":"POST",
+ "body": [
+ ]
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecRequestBodyAccess On",
+ "SecRule REQUEST_HEADERS:Content-Type \"application/json\" \"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"",
+ "SecRule REQBODY_ERROR \"0\" \"id:'200441',phase:3,log\""
+ ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Testing JSON request body parser - issue #1822 (2/2)",
+ "expected":{
+ "debug_log": "Target value: \"1\" .Variable: REQBODY_ERROR."
+ },
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "request":{
+ "headers":{
+ "Host":"localhost",
+ "User-Agent":"curl/7.38.0",
+ "Accept":"*/*",
+ "Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
+ "Content-Type": "application/json"
+ },
+ "uri":"/?key=value&key=other_value",
+ "method":"POST",
+ "body": [
+ "a"
+ ]
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecRequestBodyAccess On",
+ "SecRule REQUEST_HEADERS:Content-Type \"application/json\" \"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"",
+ "SecRule REQBODY_ERROR \"0\" \"id:'200441',phase:3,log\""
+ ]
 }
 ]
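Review bot: The two new cases pin only a zero-byte body and a one-byte invalid body, so the boundary the transaction.cc change draws — a non-empty body that is still not JSON, such as a lone newline or spaces — is not covered; a third case with `"body": [ "\n" ]` and the same `Target value: \"1\" .Variable: REQBODY_ERROR.` expectation would lock in that whitespace-only bodies keep being reported, as the size check in transaction.cc implies. The new `debug_log` patterns use `.` where the earlier cases in this file escape the parentheses as `\\(Variable: ARGS:json.foo\\)`; if these patterns are regexes, matching the existing style keeps them from also matching unrelated text. In the second case the rule `SecRule REQBODY_ERROR \"0\"` cannot match when the flag is 1, so the assertion rests solely on the debug trace of the target value; a short remark in the title, e.g. `(2/2, expects no match)`, would make that intent visible.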