add support for respons headers and body processing

Dimss · Dimss · commit 5d8a4eb0dfd3 · 2026-01-19T15:37:33.000+02:00
diff --git a/dockerfiles/Makefile b/dockerfiles/Makefile
@@ -6,6 +6,7 @@ copy:
 	cp ../cmake-build-debug/libwafie.so /Users/dkartsev/.go/src/github.com/Dimss/wafie/cmd/modsecfilter
 	cp ../include/wafielib.h /Users/dkartsev/.go/src/github.com/Dimss/wafie/cmd/modsecfilter/include/wafie
 build-modsec-runtime:
+	podman build . -t  modsec
 	podman manifest rm modsec-runtime --ignore
 	podman build \
 		--manifest modsec-runtime \
diff --git a/dockerfiles/empty-config/rules/REQUEST-800-CUSTOM-RULES.conf b/dockerfiles/empty-config/rules/REQUEST-800-CUSTOM-RULES.conf
@@ -8,12 +8,13 @@
 
 # SecRule REQUEST_URI "@rx .*" "id:1000008,phase:1,pass,log,msg:'DEBUG: The current REQUEST_URI is: %{REQUEST_URI}'"
 
-SecAction \
-    "id:1000003, \
-    phase:1, \
-    log, \
-    deny, \
-    status:401, \
-    redirect:'add-header>FOO:BAR', \
-    msg:'hello message'"
+SecRule REQUEST_METHOD "@streq POST" \
+    "id:1000005,\
+    phase:2,\
+    pass,\
+    nolog,\
+    chain"
+    SecRule REQUEST_URI "@streq /v2/g-recaptcha-response" \
+        "t:none,\
+        exec:/tmp/empty-config/rules/recaptchav2.lua"
 
diff --git a/dockerfiles/empty-config/rules/recaptchav2.lua b/dockerfiles/empty-config/rules/recaptchav2.lua
@@ -0,0 +1,6 @@
+function main()
+    print("RUNNING RECAPTCHA v2 script")
+    local token = m.getvar("ARGS_POST:g-recaptcha-response")
+    print("token: " .. token)
+    return nil
+end
diff --git a/include/wafielib.h b/include/wafielib.h
@@ -23,12 +23,17 @@ typedef struct {
     char *uri;
     char *http_method;
     char *http_version;
-    char *body;
+    char *protocol;
+    char *request_body;
+    char *response_body;
     char *intervention_url;
-    size_t headers_count;
+    int response_code;
+    size_t request_headers_count;
+    size_t response_headers_count;
     int total_loaded_rules;
     uint32_t protection_id;
-    WafieEvaluationRequestHeader *headers;
+    WafieEvaluationRequestHeader *request_headers;
+    WafieEvaluationRequestHeader *response_headers;
     Transaction *transaction;
 } WafieEvaluationRequest;
 
@@ -44,4 +49,8 @@ int wafie_process_request_headers(WafieEvaluationRequest *request);
 
 int wafie_process_request_body(WafieEvaluationRequest *request);
 
+int wafie_process_response_headers(WafieEvaluationRequest *request);
+
+int wafie_process_response_body(WafieEvaluationRequest *request);
+
 #endif //WAFIELIB_LIBRARY_H
diff --git a/src/test.c b/src/test.c
@@ -67,36 +67,60 @@ int main() {
     // cfg[1].config_path = "/config2";
 
 
-    WafieEvaluationRequestHeader *headers1 = malloc(sizeof(WafieEvaluationRequestHeader) * 2);
+    WafieEvaluationRequestHeader *headers1 = malloc(sizeof(WafieEvaluationRequestHeader) * 3);
     headers1[0].key = (const unsigned char *) "Host";
     headers1[0].value = (const unsigned char *) "example.com";
     headers1[1].key = (const unsigned char *) "User-Agent";
     headers1[1].value = (const unsigned char *) "KubeGuard/1.0";
-    //
-    //
+    headers1[2].key = (const unsigned char *) "Content-Type";
+    headers1[2].value = (const unsigned char *) "application/x-www-form-urlencoded";
+
+    WafieEvaluationRequestHeader *headers2 = malloc(sizeof(WafieEvaluationRequestHeader) * 3);
+    headers2[0].key = (const unsigned char *) "Host";
+    headers2[0].value = (const unsigned char *) "example.com";
+    headers2[1].key = (const unsigned char *) "User-Agent";
+    headers2[1].value = (const unsigned char *) "KubeGuard/1.0";
+    headers2[2].key = (const unsigned char *) "Content-Type";
+    headers2[2].value = (const unsigned char *) "application/x-www-form-urlencoded";
+    // headers1[3].key = (const unsigned char *) "Content-Length";
+    // headers1[3].value = (const unsigned char *) "7"; // strlen("foo=bar")
+
     WafieEvaluationRequest request1 = {
         .client_ip = "192.168.127.1",
-        .uri = "/wp-login.php",
-        .http_method = "GET",
+        .uri = "/v2/g-recaptcha-response",
+        .http_method = "POST",
         .http_version = "1.1",
-        .headers_count = 2,
-        .headers = headers1,
-        // .body = "",
+        .request_headers_count = 3,
+        .request_headers = headers1,
+        .response_headers_count = 3,
+        .response_headers = headers2,
+        .response_code = 200,
+        .protocol = "HTTP/1.1",
+        // .body = "foo=bar",
         .protection_id = 1,
     };
+    //
+    //
 
 
     wafie_init();
     wafie_load_rule_sets(cfg, 1);
     wafie_init_transaction(&request1);
+    //request
     wafie_process_request_headers(&request1);
-    // wafie_process_request_body(&request1);
+    request1.request_body = "foo=bar";
+    wafie_process_request_body(&request1);
+    // response
+    wafie_process_response_headers(&request1);
+    // request1.response_body = "{foo:bar}";
+    wafie_process_response_body(&request1);
+    //cleanup
     wafie_cleanup(&request1);
 
-    fprintf(stdout, "************** intervention url -> %s\n", request1.intervention_url);
 
     free(headers1);
 
+
     char *audit_content = read_file("/tmp/modsec_audit.log");
     if (audit_content) {
         printf("Config loaded: %zu bytes\n", strlen(audit_content));
diff --git a/src/wafielib.c b/src/wafielib.c
@@ -202,7 +202,7 @@ int wafie_process_intervention(WafieEvaluationRequest *request) {
         fprintf(stdout, "[libwafie.wafie_process_intervention.protection.id: %d] intervention triggered \n",
                 request->protection_id);
         if (intervention.log != NULL) {
-            fprintf(stdout, "%s\n", intervention.log);
+            fprintf(stdout, "[intervention.log] %s\n", intervention.log);
             free(intervention.log);
             intervention.log = NULL;
         }
@@ -225,7 +225,7 @@ int wafie_process_intervention(WafieEvaluationRequest *request) {
     return 0;
 }
 
-// process headers
+// process request headers
 int wafie_process_request_headers(WafieEvaluationRequest *request) {
     if (request->transaction == NULL) {
         fprintf(stdout, "[libwafie.wafie_process_request_headers.protection.id: %d] transaction is NULL, skipping \n",
@@ -261,12 +261,13 @@ int wafie_process_request_headers(WafieEvaluationRequest *request) {
     if (intervention_status != 0) {
         goto finish_processing;
     }
-    for (size_t i = 0; i < request->headers_count; i++) {
-        msc_add_request_header(request->transaction, request->headers[i].key, request->headers[i].value);
+    for (size_t i = 0; i < request->request_headers_count; i++) {
+        msc_add_request_header(request->transaction, request->request_headers[i].key,
+                               request->request_headers[i].value);
         fprintf(stdout, "[libwafie.wafie_process_request_headers.protection.id: %d] header -> %s: %s\n",
                 request->protection_id,
-                (const char *) request->headers[i].key,
-                (const char *) request->headers[i].value);
+                (const char *) request->request_headers[i].key,
+                (const char *) request->request_headers[i].value);
     }
     fprintf(stdout, "[libwafie.wafie_process_request_headers.protection.id: %d] processing headers\n",
             request->protection_id);
@@ -294,7 +295,7 @@ int wafie_process_request_headers(WafieEvaluationRequest *request) {
     return intervention_status;
 }
 
-// process body
+// process request body
 int wafie_process_request_body(WafieEvaluationRequest *request) {
     if (request->transaction == NULL) {
         fprintf(stdout, "[libwafie.wafie_process_request_body.protection.id: %d] transaction is NULL, skipping \n",
@@ -304,28 +305,144 @@ int wafie_process_request_body(WafieEvaluationRequest *request) {
     struct timespec start, end;
     int intervention_status = 0;
     // process request body
-    if (request->body != NULL) {
+    if (request->request_body != NULL) {
         fprintf(stdout, "[libwafie.wafie_process_request_body.protection.id: %d] processing request\n",
                 request->protection_id);
         clock_gettime(CLOCK_MONOTONIC, &start);
         // append request body
-        msc_append_request_body(request->transaction,
-                                (const unsigned char *) request->body,
-                                strlen(request->body));
+        int const res = msc_append_request_body(request->transaction,
+                                                (const unsigned char *) request->request_body,
+                                                strlen(request->request_body));
+        if (res == 0) {
+            fprintf(
+                stdout,
+                "[libwafie.wafie_process_request_body.protection.id: %d] append request body failed return: %d\n",
+                request->protection_id, res);
+        }
         // process request body
         msc_process_request_body(request->transaction);
         // check for intervention
         intervention_status = wafie_process_intervention(request);
         clock_gettime(CLOCK_MONOTONIC, &end);
 
-        long long elapsed_ns = (end.tv_sec - start.tv_sec) * 1000000000LL + (end.tv_nsec - start.tv_nsec);
-        double elapsed_ms = elapsed_ns / 1000000.0;
+        long long const elapsed_ns = (end.tv_sec - start.tv_sec) * 1000000000LL + (end.tv_nsec - start.tv_nsec);
+        double const elapsed_ms = elapsed_ns / 1000000.0;
         fprintf(stdout, "[libwafie.wafie_process_request_body.protection.id: %d] processing request took  %.3f ms\n",
                 request->protection_id, elapsed_ms);
 
         if (intervention_status != 0) {
             return intervention_status;
         }
+    } else {
+        fprintf(stdout, "[libwafie.wafie_process_request_body.protection.id: %d] request body NULL, skipping \n",
+                request->protection_id);
+    }
+    return intervention_status;
+}
+
+// process response headers
+int wafie_process_response_headers(WafieEvaluationRequest *request) {
+    if (request->transaction == NULL) {
+        fprintf(stdout, "[libwafie.wafie_process_response_headers.protection.id: %d] transaction is NULL, skipping \n",
+                request->protection_id);
+        return 0;
+    }
+    if (request->response_headers_count == 0) {
+        fprintf(stdout, "[libwafie.wafie_process_response_headers.protection.id: %d] no response headers, skipping \n",
+                request->protection_id);
+        return 0;
+    }
+    if (request->response_code == 0) {
+        fprintf(stdout, "[libwafie.wafie_process_response_headers.protection.id: %d] no response code, skipping \n",
+                request->protection_id);
+        return 0;
+    }
+    if (request->protocol == NULL) {
+        fprintf(stdout, "[libwafie.wafie_process_response_headers.protection.id: %d] no response protocol, skipping \n",
+                request->protection_id);
+        return 0;
+    }
+    struct timespec start, end;
+    clock_gettime(CLOCK_MONOTONIC, &start);
+    fprintf(stdout, "[libwafie.wafie_process_response_headers.protection.id: %d] processing request \n",
+            request->protection_id);
+    int intervention_status = 0;
+    // add response headers to transaction
+    for (size_t i = 0; i < request->response_headers_count; i++) {
+        msc_add_response_header(request->transaction, request->response_headers[i].key,
+                                request->response_headers[i].value);
+        fprintf(stdout, "[libwafie.wafie_process_response_headers.protection.id: %d] header -> %s: %s\n",
+                request->protection_id,
+                (const char *) request->response_headers[i].key,
+                (const char *) request->response_headers[i].value);
+    }
+    fprintf(stdout, "[libwafie.wafie_process_response_headers.protection.id: %d] processing headers\n",
+            request->protection_id);
+    // process response headers phase
+    msc_process_response_headers(request->transaction, request->response_code, request->protocol);
+    intervention_status = wafie_process_intervention(request);
+    if (intervention_status != 0) {
+        goto finish_processing;
+    }
+    // process response body phase
+    fprintf(stdout, "[libwafie.wafie_process_response_headers.protection.id: %d] processing body\n",
+            request->protection_id);
+    msc_process_response_body(request->transaction);
+    intervention_status = wafie_process_intervention(request);
+    // unconditionally finish processing once intervention detected
+finish_processing:
+    clock_gettime(CLOCK_MONOTONIC, &end);
+    long long elapsed_ns = (end.tv_sec - start.tv_sec) * 1000000000LL + (end.tv_nsec - start.tv_nsec);
+    double elapsed_ms = elapsed_ns / 1000000.0;
+    fprintf(
+        stdout, "[libwafie.wafie_process_response_headers.protection.id: %d] processing request took  %.3f ms\n",
+        request->protection_id, elapsed_ms);
+    fprintf(stdout, "[libwafie.wafie_process_response_headers.protection.id: %d] intervention status: %d\n",
+            request->protection_id, intervention_status);
+    return intervention_status;
+}
+
+// process request body
+int wafie_process_response_body(WafieEvaluationRequest *request) {
+    if (request->transaction == NULL) {
+        fprintf(stdout, "[libwafie.wafie_process_response_body.protection.id: %d] transaction is NULL, skipping \n",
+                request->protection_id);
+        return 0;
+    }
+    struct timespec start, end;
+    int intervention_status = 0;
+    // process request body
+    if (request->response_body != NULL) {
+        fprintf(stdout, "[libwafie.wafie_process_response_body.protection.id: %d] processing request\n",
+                request->protection_id);
+        clock_gettime(CLOCK_MONOTONIC, &start);
+        // append request body
+        int const res = msc_append_response_body(request->transaction,
+                                                (const unsigned char *) request->response_body,
+                                                strlen(request->response_body));
+        if (res == 0) {
+            fprintf(
+                stdout,
+                "[libwafie.wafie_process_response_body.protection.id: %d] append response body failed return: %d\n",
+                request->protection_id, res);
+        }
+        // process request body
+        msc_process_response_body(request->transaction);
+        // check for intervention
+        intervention_status = wafie_process_intervention(request);
+        clock_gettime(CLOCK_MONOTONIC, &end);
+
+        long long const elapsed_ns = (end.tv_sec - start.tv_sec) * 1000000000LL + (end.tv_nsec - start.tv_nsec);
+        double const elapsed_ms = elapsed_ns / 1000000.0;
+        fprintf(stdout, "[libwafie.wafie_process_response_body.protection.id: %d] processing request took  %.3f ms\n",
+                request->protection_id, elapsed_ms);
+
+        if (intervention_status != 0) {
+            return intervention_status;
+        }
+    } else {
+        fprintf(stdout, "[libwafie.wafie_process_response_body.protection.id: %d] response body NULL, skipping \n",
+                request->protection_id);
     }
     return intervention_status;
 }
