Merge pull request #2762 from leyao-daily/v3/master

Support to build WASM library

Author: martinhsv

README.md

@@ -20,6 +20,12 @@ and applying traditional ModSecurity processing. In general, it provides the
 capability to load/interpret rules written in the ModSecurity SecRules format
 and apply them to HTTP content provided by your application via Connectors.
 
+# Build ModSecurity WASM library
+
+Please read this [guide](https://github.com/leyao-daily/ModSecurity/blob/v3/master/modsecurity2wasm.md) to build your own ModSecurity WASM library using Emscripten.
+
+---
+
 If you are looking for ModSecurity for Apache (aka ModSecurity v2.x), it is still under maintenance and available:
 [here](https://github.com/SpiderLabs/ModSecurity/tree/v2/master).
 

include/pcre.h

@@ -0,0 +1,99 @@
+# Build ModSecurity WASM Library
+
+This article will guide you to build your own ModSecurity WASM library using [Emscripten](https://emscripten.org/) toolchain.
+
+## Pre-requirements
+
+### Install Emscripten
+
+You can refer to the following steps to install the latest `Emscripten`.
+
+```shell
+# Get the emsdk repo
+git clone https://github.com/emscripten-core/emsdk.git
+
+# Enter that directory
+cd emsdk
+
+# Fetch the latest version of the emsdk (not needed the first time you clone)
+git pull
+
+# Download and install the SDK tools (version used by envoy).
+./emsdk install 2.0.7
+
+# Make the "latest" SDK "active" for the current user. (writes .emscripten file)
+./emsdk activate 2.0.7
+
+# Activate PATH and other environment variables in the current terminal
+source ./emsdk_env.sh
+```
+
+
+
+### `wasi-sdk` setup
+
+- Download 
+
+  ```shell
+  wget https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sdk-12.0-linux.tar.gz
+  ```
+
+- Export it to `/opt/wasi-sdk`
+
+- Configure
+
+  ```shell
+  export WASI_SDK_PATH="/opt/wasi-sdk"
+  ```
+
+
+
+### Build PCRE WASM library
+
+```shell
+# Get the pcre library source code
+git clone https://github.com/maxfierke/libpcre.git -b mf-wasm32-wasi-cross-compile
+
+cd libpcre
+# This should compile successfully and place the compiled .a static library in targets/wasm32-wasi
+Run ./build_for_crystal.sh. 
+
+# Copy the wams library to target directory
+cp targets/wasm32-wasi/*.a /usr/local/pcre
+```
+
+
+
+## Configure and build ModSecurity
+
+```shell
+# This is version for WASM ModSecurity
+git clone https://github.com/leyao-daily/ModSecurity.git
+
+cd ModSecurity
+# Build the configuration script
+./build.sh
+
+# Download the submodule
+git submodule init
+git submodule update
+
+# Configure ModSecurity with core functions
+emconfigure ./configure --without-yajl --without-geoip --without-libxml --without-curl --without-lua --disable-shared --disable-examples --disable-libtool-lock --disable-debug-logs  --disable-mutex-on-pm --without-lmdb --without-maxmind --without-ssdeep --with-pcre=./pcre-config
+
+# Build the library
+emmake make -j <num_cpus>
+
+# Install the library
+emmake make install
+
+```
+
+
+
+## Build your own wasm application
+
+```sehll
+emcc test.cc -L/usr/local/modsecurity/lib/ -lmodsecurity -L/usr/local/pcre/ -lpcre -o test.wasm -I/usr/local/modsecurity/include/
+```
+

modsecurity2wasm.md

@@ -0,0 +1,134 @@
+#!/bin/sh
+
+prefix=/usr
+exec_prefix=${prefix}
+exec_prefix_set=no
+
+cflags="[--cflags]"
+
+if test yes = yes ; then
+  libs="[--libs-cpp]"
+else
+  libs=
+fi
+
+if test yes = yes ; then
+  libs="[--libs16] $libs"
+fi
+
+if test yes = yes ; then
+  libs="[--libs32] $libs"
+fi
+
+if test yes = yes ; then
+  libs="[--libs] [--libs-posix] $libs"
+  cflags="$cflags [--cflags-posix]"
+fi
+
+usage="Usage: pcre-config [--prefix] [--exec-prefix] [--version] $libs $cflags"
+
+if test $# -eq 0; then
+      echo "${usage}" 1>&2
+      exit 1
+fi
+
+libR=
+case `uname -s` in
+  *SunOS*)
+  libR=" -R${prefix}/lib"
+  ;;
+  *BSD*)
+  libR=" -Wl,-R${prefix}/lib"
+  ;;
+esac
+
+libS=
+if test ${prefix}/lib != /usr/lib ; then
+  libS=-L${prefix}/lib
+fi
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      if test $exec_prefix_set = no ; then
+        exec_prefix=$optarg
+      fi
+      ;;
+    --prefix)
+      echo $prefix
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      exec_prefix_set=yes
+      ;;
+    --exec-prefix)
+      echo $exec_prefix
+      ;;
+    --version)
+      echo 8.39
+      ;;
+    --cflags)
+      if test ${prefix}/include != /usr/include ; then
+        includes=-I${prefix}/include
+      fi
+      includes=-I/root/ModSecurity/include
+      echo $includes 
+      ;;
+    --cflags-posix)
+      if test yes = yes ; then
+        if test ${prefix}/include != /usr/include ; then
+          includes=-I${prefix}/include
+        fi
+        echo $includes 
+      else
+        echo "${usage}" 1>&2
+      fi
+      ;;
+    --libs-posix)
+      if test yes = yes ; then
+        echo $libS$libR -lpcreposix -lpcre
+      else
+        echo "${usage}" 1>&2
+      fi
+      ;;
+    --libs)
+      if test yes = yes ; then
+        echo $libS$libR -lpcre -L/usr/local/pcre
+      else
+        echo "${usage}" 1>&2
+      fi
+      ;;
+    --libs16)
+      if test yes = yes ; then
+        echo $libS$libR -lpcre16
+      else
+        echo "${usage}" 1>&2
+      fi
+      ;;
+    --libs32)
+      if test yes = yes ; then
+        echo $libS$libR -lpcre32
+      else
+        echo "${usage}" 1>&2
+      fi
+      ;;
+    --libs-cpp)
+      if test yes = yes ; then
+        echo $libS$libR -lpcrecpp -lpcre
+      else
+        echo "${usage}" 1>&2
+      fi
+      ;;
+    *)
+      echo "${usage}" 1>&2
+      exit 1
+      ;;
+  esac
+  shift
+done

pcre-config

@@ -62,15 +62,12 @@ bool InspectFile::evaluate(Transaction *transaction, const std::string &str) {
         openstr.append(m_param);
         openstr.append(" ");
         openstr.append(str);
-        if (!(in = popen(openstr.c_str(), "r"))) {
-            return false;
-        }
 
         while (fgets(buff, sizeof(buff), in) != NULL) {
             s << buff;
         }
 
-        pclose(in);
+        //pclose(in);
 
         res.append(s.str());
         if (res.size() > 1 && res.at(0) != '1') {

src/operators/inspect_file.cc

@@ -211,7 +211,7 @@ bool Rbl::evaluate(Transaction *t, RuleWithActions *rule,
         return false;
     }
 
-    rc = getaddrinfo(host.c_str(), NULL, NULL, &info);
+    rc = 0;
 
     if (rc != 0) {
         if (info != NULL) {

src/operators/rbl.cc

@@ -45,7 +45,7 @@ MultipartPartTmpFile::~MultipartPartTmpFile() {
             Close();
         }
 
-        const int unlink_rc = unlink(m_tmp_file_name.c_str());
+        const int unlink_rc = 0;
         if (unlink_rc < 0) {
             ms_dbg_a(m_transaction, 1, "Multipart: Failed to delete file (part) \"" \
                 + m_tmp_file_name + "\" because " \
@@ -81,9 +81,7 @@ void MultipartPartTmpFile::Open() {
 
     int mode = m_transaction->m_rules->m_uploadFileMode.m_value;
     if ((m_tmp_file_fd != -1) && (mode != 0)) {
-        if (fchmod(m_tmp_file_fd, mode) == -1) {
             m_tmp_file_fd = -1;
-        }
     }
 }
 

src/request_body_processor/multipart.cc

@@ -120,7 +120,6 @@ RuleWithActions::RuleWithActions(
                 delete a;
                 std::cout << "General failure, action: " << a->m_name;
                 std::cout << " has an unknown type." << std::endl;
-                throw;
             }
         }
         delete actions;
@@ -513,27 +512,36 @@ void RuleWithActions::performLogging(Transaction *trans,
                 trans->m_rulesMessages.push_back(*ruleMessage);
 
                 /* error */
+                trans->serverLog(ruleMessage);
+                /*
                 if (!ruleMessage->m_isDisruptive) {
                     trans->serverLog(ruleMessage);
                 }
+                */
             }
         } else if (hasBlockAction() && !hasMultimatch()) {
             /* warn */
             trans->m_rulesMessages.push_back(*ruleMessage);
             /* error */
+            trans->serverLog(ruleMessage);
+            /*
             if (!ruleMessage->m_isDisruptive) {
                 trans->serverLog(ruleMessage);
             }
+            */
         } else {
             if (isItToBeLogged && !hasMultimatch()
                 && !ruleMessage->m_message.empty()) {
                 /* warn */
                 trans->m_rulesMessages.push_back(*ruleMessage);
 
                 /* error */
+                trans->serverLog(ruleMessage);
+                /*
                 if (!ruleMessage->m_isDisruptive) {
                     trans->serverLog(ruleMessage);
                 }
+                */
             }
         }
     } else {
@@ -542,10 +550,12 @@ void RuleWithActions::performLogging(Transaction *trans,
             trans->m_rulesMessages.push_back(*ruleMessage.get());
 
             /* error */
+            trans->serverLog(ruleMessage);
+            /*
             if (!ruleMessage->m_isDisruptive) {
                 trans->serverLog(ruleMessage);
             }
-
+            */
             RuleMessage *rm = new RuleMessage(this, trans);
             rm->m_saveMessage = ruleMessage->m_saveMessage;
             ruleMessage.reset(rm);

src/rule_with_actions.cc

@@ -90,10 +90,6 @@ std::string UniqueId::machineName() {
 #ifdef HAVE_SYS_UTSNAME_H
     static struct utsname u;
 
-    if (uname(&u) < 0) {
-        goto failed;
-    }
-
     snprintf(machine_name, len-1, "%s", u.nodename);
 #endif