After 3.0.9 is it impossible to include configs by wildcard mask.

[wiseelf]

Describe the bug

After 3.0.9 is it impossible to include configs by wildcard mask. Works well on 3.0.8.

Logs and dumps

2023/05/18 15:12:16 [emerg] 1#1: "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/main.conf. Line: 3. Column: 55. "/usr/local/owasp-modsecurity-crs/rules/*.conf": Not able to open file. Looking at: '"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '/etc/nginx/modsec/"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '/etc/nginx/modsec/"/usr/local/owasp-modsecurity-crs/rules/*.conf"'. in /etc/nginx/nginx.conf:21
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/main.conf. Line: 3. Column: 55. "/usr/local/owasp-modsecurity-crs/rules/*.conf": Not able to open file. Looking at: '"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '/etc/nginx/modsec/"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '/etc/nginx/modsec/"/usr/local/owasp-modsecurity-crs/rules/*.conf"'. in /etc/nginx/nginx.conf:21

To Reproduce

Just type set this in config
Include "/usr/local/owasp-modsecurity-crs/rules/*.conf"

Expected behavior

All configs are included.

Server (please complete the following information):

• ModSecurity version ModSecurity v3.0.9
• WebServer: nginx-1.24.0
• OS (and distro): nginx docker image

Rule Set (please complete the following information):

• Running any public or commercial rule set? Public ruleset https://github.com/coreruleset/coreruleset.git
• What is the version number? v3.3.4

[airween]

2023/05/18 15:12:16 [emerg] 1#1: "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/main.conf. Line: 3. Column: 55. "/usr/local/owasp-modsecurity-crs/rules/*.conf": Not able to open file. Looking at: '"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '/etc/nginx/modsec/"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '/etc/nginx/modsec/"/usr/local/owasp-modsecurity-crs/rules/*.conf"'. in /etc/nginx/nginx.conf:21
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/main.conf. Line: 3. Column: 55. "/usr/local/owasp-modsecurity-crs/rules/*.conf": Not able to open file. Looking at: '"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '/etc/nginx/modsec/"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '/etc/nginx/modsec/"/usr/local/owasp-modsecurity-crs/rules/*.conf"'. in /etc/nginx/nginx.conf:21

To Reproduce

Just type set this in config Include "/usr/local/owasp-modsecurity-crs/rules/*.conf"

Hmm...

# cat /usr/share/modsecurity-crs/owasp-crs.load 
##
## This file loads OWASP CRS's rules when the package is installed
## It is Included by libapache2-mod-security2
##
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/share/modsecurity-crs/rules/*.conf
Include /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

2023/05/18 20:22:27 [notice] 45949#45949: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/919/0)
2023/05/18 20:22:28 [notice] 45956#45956: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/919/0)

Used with libmodsecurity3 (3.0.9), from here.

Are you sure there is no any apparmor/selinux/unix permission issue?

[wiseelf]

I'm building from source. Can provide docker file.

var/www/html $ cat /etc/nginx/modsec/main.conf
Include "/etc/nginx/modsec/modsecurity.conf"
Include "/usr/local/owasp-modsecurity-crs/crs-setup.conf"
Include "/usr/local/owasp-modsecurity-crs/rules/*.conf"

/var/www/html $ nginx -t
2023/05/18 19:23:21 [emerg] 9#9: "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/main.conf. Line: 3. Column: 55. "/usr/local/owasp-modsecurity-crs/rules/*.conf": Not able to open file. Looking at: '"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '/etc/nginx/modsec/"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '/etc/nginx/modsec/"/usr/local/owasp-modsecurity-crs/rules/*.conf"'. in /etc/nginx/nginx.conf:23
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/main.conf. Line: 3. Column: 55. "/usr/local/owasp-modsecurity-crs/rules/*.conf": Not able to open file. Looking at: '"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '/etc/nginx/modsec/"/usr/local/owasp-modsecurity-crs/rules/*.conf"', '/etc/nginx/modsec/"/usr/local/owasp-modsecurity-crs/rules/*.conf"'. in /etc/nginx/nginx.conf:23
nginx: configuration file /etc/nginx/nginx.conf test failed

/var/www/html $ cat /dev//null > /etc/nginx/modsec/main.conf
/var/www/html $ nginx -t
2023/05/18 19:09:18 [notice] 14#14: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/0/0)
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Same image with 3.0.8:

/var/www/html $ nginx -t
2023/05/18 19:21:49 [notice] 12#12: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/918/0)
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

[wiseelf]

Here is the POC repo: https://github.com/wiseelf/modsecurity-docker-poc

docker build . -t nginx-modsec:v3.0.8 --build-arg MODSEC_TAG=v3.0.8
docker build . -t nginx-modsec:v3.0.9 --build-arg MODSEC_TAG=v3.0.9

First image works, second fails.

[airween]

What happens if you remove the " marks?

 Include "/usr/local/owasp-modsecurity-crs/rules/*.conf"

to

 Include /usr/local/owasp-modsecurity-crs/rules/*.conf

[wiseelf]

Yes, it works without "

/var/www/html $ nginx -t
2023/05/19 07:28:45 [notice] 7#7: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/918/0)
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

[airween]

Yes, it works without "

Thanks. Seems like commit 53cf6eb is broken.

[wiseelf]

@airween will it be fixed? :)

[airween]

@airween will it be fixed? :)

I'm sure that will be... once 😃

If I will have some time, I can take a look.

[martinhsv]

@wiseelf , thanks for the report.

@airween, agreed about the commit that broke this use case. I'll create a PR.

[martinhsv]

This is a an interesting issue because it's not clear that a quoted filepath ought to be treated the same as an unquoted one with respect to special characters. Perhaps the presence of quotes should indicate a more literal interpretation of the filepath, comparable to if one executes ```ls "my*special2.conf" in linux.

I have nevertheless restored the handling to be comparable to pre-v3.0.9. (The change in v3.0.9 was unannounced and presumably unintentional.)