Meta-actions are not applied if multiMatch is enabled in the chain starter rule · Issue #2867 · owasp-modsecurity/ModSecurity

Describe the bug

If the chain starter rule in a rule chain has multiMatch enabled, meta-actions (severity, data, msg, tag) are not applied and their respective fields are not populated in the audit log.

This issue is related to issues #2573 and #2754. PR #2673 fixed the former (and PR #2866 fixes the latter); however, it explicitly excluded rule chains:

if (m_containsMultiMatchAction && !m_isChained) {

Logs and dumps

See regression test below:

---GrOr1Hxd---A--
[20/Jan/2023:13:58:23 +0000] 167422310350.316461 200.249.12.31 2313 200.249.12.31 80
---GrOr1Hxd---B--
GET /test.pl?param1=test&param2=tEst2 HTTP/1.1

---GrOr1Hxd---F--
HTTP/1.1 403

---GrOr1Hxd---H--
ModSecurity: Warning. Matched "Operator `Contains' with parameter `test2' against variable `ARGS:param2' (Value: `tEst2' ) [file "auditlog.json"] [line "3"] [id "1557"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "200.249.12.31"] [uri "/test.pl"] [unique_id "167422310350.316461"] [ref "o0,5v32,5t:lowercase"]

---GrOr1Hxd---Z--

To Reproduce

The following regression test reproduces the problem (adapted from the regression tests in the aforementioned PR):

  {
    "enabled": 1,
    "version_min": 300000,
    "version_max": 0,
    "title": "auditlog : rule chain, multiMatch data",
    "client": {
      "ip": "200.249.12.31",
      "port": 2313
    },
    "server": {
      "ip": "200.249.12.31",
      "port": 80
    },
    "request": {
      "headers": {
      },
      "uri": "\/test.pl?param1=test&param2=tEst2",
      "method": "GET",
      "http_version": 1.1,
      "body": ""
    },
    "expected": {
      "audit_log": "\\[msg \"testmsg\"\\]",
      "error_log": "",
      "http_code": 403
    },
    "rules": [
      "SecRuleEngine On",
      "SecDefaultAction \"phase:1,nolog,auditlog,deny,status:403\"",
      "SecRule ARGS \"@contains test2\" \"id:1557,phase:1,multiMatch,block,log,t:none,t:urlDecode,t:lowercase,msg:'testmsg',chain\" SecRule REQUEST_METHOD \"@streq GET\" \"t:none\"",
      "SecAuditEngine RelevantOnly",
      "SecAuditLogParts ABCFHZ",
      "SecAuditLog /tmp/test/modsec_audit_multimatch_5.log",
      "SecAuditLogDirMode 0766",
      "SecAuditLogFileMode 0666",
      "SecAuditLogType Serial",
      "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
    ]
  }

Expected behavior

Meta-actions, which can only be used in the chain starter rule of a rule chain, should be applied when multiMatch is enabled in that rule.

Additional context

None.
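
A way to spot this symptom in existing audit logs, as an added example (not part of the original issue or of ModSecurity's code): it parses the part H message shown under "Logs and dumps" and reports meta-actions that the rule declares but the log left empty. The `EXPECTED` map and the function names are assumptions made for this illustration, and `FIXED_LINE` is a constructed variant of the logged message.

```python
import re

# Part H message copied from the issue's "Logs and dumps" section.
ISSUE_LINE = r'''ModSecurity: Warning. Matched "Operator `Contains' with parameter `test2' against variable `ARGS:param2' (Value: `tEst2' ) [file "auditlog.json"] [line "3"] [id "1557"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "200.249.12.31"] [uri "/test.pl"] [unique_id "167422310350.316461"] [ref "o0,5v32,5t:lowercase"]'''

# Constructed: the same message as it would look with msg populated.
FIXED_LINE = ISSUE_LINE.replace('[msg ""]', '[msg "testmsg"]')

# Assumption: meta-actions declared per rule id, here taken from the
# chain starter rule in the regression test (id:1557, msg:'testmsg').
EXPECTED = {"1557": {"msg": "testmsg"}}

# One [key "value"] pair; the value may contain backslash-escaped characters.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_fields(line):
    """Collect the [key "value"] pairs of a part H message (keys may repeat)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, []).append(value)
    return fields


def missing_meta(line, expected=EXPECTED):
    """Return {field: (declared, logged)} for meta-actions the log lost."""
    fields = parse_fields(line)
    rule_id = fields.get("id", [""])[0]
    problems = {}
    for name, want in expected.get(rule_id, {}).items():
        got = fields.get(name, [])
        if want not in got:
            problems[name] = (want, got)
    return problems


def scan(lines, expected=EXPECTED):
    """Return (rule_id, problems) for each message with dropped metadata."""
    hits = []
    for line in lines:
        problems = missing_meta(line, expected)
        if problems:
            hits.append((parse_fields(line)["id"][0], problems))
    return hits


if __name__ == "__main__":
    for rule_id, problems in scan([ISSUE_LINE, FIXED_LINE]):
        print(f"rule {rule_id}: declared meta-actions missing from log: {problems}")
```

Alerting that filters on `msg`, `severity` or `tag` will not see matches from an affected rule, so a check like this is best keyed on the rule id.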