
Commit 37a630e

authored
Merge pull request #2762 from leyao-daily/v3/master
Support to build WASM library
2 parents d2a1080 + 9b8a536 commit 37a630e


11 files changed

+932
-299
lines changed


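--- a/README.md
+++ b/README.md
@@ -20,6 +20,12 @@ and applying traditional ModSecurity processing. In general, it provides the
 capability to load/interpret rules written in the ModSecurity SecRules format
 and apply them to HTTP content provided by your application via Connectors.
 
+# Build ModSecurity WASM library
+
+Please read this [guide](https://github.com/leyao-daily/ModSecurity/blob/v3/master/modsecurity2wasm.md) to build your own ModSecurity WASM library using Emscripten.
+
+---
+
 If you are looking for ModSecurity for Apache (aka ModSecurity v2.x), it is still under maintenance and available:
 [here](https://github.com/SpiderLabs/ModSecurity/tree/v2/master).
 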

include/pcre.h

Lines changed: 677 additions & 0 deletions

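--- /dev/null
+++ b/modsecurity2wasm.md
@@ -0,0 +1,99 @@
+# Build ModSecurity WASM Library
+
+This article will guide you to build your own ModSecurity WASM library using [Emscripten](https://emscripten.org/) toolchain.
+
+## Pre-requirements
+
+### Install Emscripten
+
+You can refer to the following steps to install the latest `Emscripten`.
+
+```shell
+# Get the emsdk repo
+git clone https://github.com/emscripten-core/emsdk.git
+
+# Enter that directory
+cd emsdk
+
+# Fetch the latest version of the emsdk (not needed the first time you clone)
+git pull
+
+# Download and install the SDK tools (version used by envoy).
+./emsdk install 2.0.7
+
+# Make the "latest" SDK "active" for the current user. (writes .emscripten file)
+./emsdk activate 2.0.7
+
+# Activate PATH and other environment variables in the current terminal
+source ./emsdk_env.sh
+```
+
+
+
+### `wasi-sdk` setup
+
+- Download
+
+```shell
+wget https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sdk-12.0-linux.tar.gz
+```
+
+- Export it to `/opt/wasi-sdk`
+
+- Configure
+
+```shell
+export WASI_SDK_PATH="/opt/wasi-sdk"
+```
+
+
+
+### Build PCRE WASM library
+
+```shell
+# Get the pcre library source code
+git clone https://github.com/maxfierke/libpcre.git -b mf-wasm32-wasi-cross-compile
+
+cd libpcre
+# This should compile successfully and place the compiled .a static library in targets/wasm32-wasi
+Run ./build_for_crystal.sh.
+
+# Copy the wams library to target directory
+cp targets/wasm32-wasi/*.a /usr/local/pcre
+```
+
+
+
+## Configure and build ModSecurity
+
+```shell
+# This is version for WASM ModSecurity
+git clone https://github.com/leyao-daily/ModSecurity.git
+
+cd ModSecurity
+# Build the configuration script
+./build.sh
+
+# Download the submodule
+git submodule init
+git submodule update
+
+# Configure ModSecurity with core functions
+emconfigure ./configure --without-yajl --without-geoip --without-libxml --without-curl --without-lua --disable-shared --disable-examples --disable-libtool-lock --disable-debug-logs --disable-mutex-on-pm --without-lmdb --without-maxmind --without-ssdeep --with-pcre=./pcre-config
+
+# Build the library
+emmake make -j <num_cpus>
+
+# Install the library
+emmake make install
+
+```
+
+
+
+## Build your own wasm application
+
+```sehll
+emcc test.cc -L/usr/local/modsecurity/lib/ -lmodsecurity -L/usr/local/pcre/ -lpcre -o test.wasm -I/usr/local/modsecurity/include/
+```
+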

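--- /dev/null
+++ b/pcre-config
@@ -0,0 +1,134 @@
+#!/bin/sh
+
+prefix=/usr
+exec_prefix=${prefix}
+exec_prefix_set=no
+
+cflags="[--cflags]"
+
+if test yes = yes ; then
+libs="[--libs-cpp]"
+else
+libs=
+fi
+
+if test yes = yes ; then
+libs="[--libs16] $libs"
+fi
+
+if test yes = yes ; then
+libs="[--libs32] $libs"
+fi
+
+if test yes = yes ; then
+libs="[--libs] [--libs-posix] $libs"
+cflags="$cflags [--cflags-posix]"
+fi
+
+usage="Usage: pcre-config [--prefix] [--exec-prefix] [--version] $libs $cflags"
+
+if test $# -eq 0; then
+echo "${usage}" 1>&2
+exit 1
+fi
+
+libR=
+case `uname -s` in
+*SunOS*)
+libR=" -R${prefix}/lib"
+;;
+*BSD*)
+libR=" -Wl,-R${prefix}/lib"
+;;
+esac
+
+libS=
+if test ${prefix}/lib != /usr/lib ; then
+libS=-L${prefix}/lib
+fi
+
+while test $# -gt 0; do
+case "$1" in
+-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+*) optarg= ;;
+esac
+
+case $1 in
+--prefix=*)
+prefix=$optarg
+if test $exec_prefix_set = no ; then
+exec_prefix=$optarg
+fi
+;;
+--prefix)
+echo $prefix
+;;
+--exec-prefix=*)
+exec_prefix=$optarg
+exec_prefix_set=yes
+;;
+--exec-prefix)
+echo $exec_prefix
+;;
+--version)
+echo 8.39
+;;
+--cflags)
+if test ${prefix}/include != /usr/include ; then
+includes=-I${prefix}/include
+fi
+includes=-I/root/ModSecurity/include
+echo $includes
+;;
+--cflags-posix)
+if test yes = yes ; then
+if test ${prefix}/include != /usr/include ; then
+includes=-I${prefix}/include
+fi
+echo $includes
+else
+echo "${usage}" 1>&2
+fi
+;;
+--libs-posix)
+if test yes = yes ; then
+echo $libS$libR -lpcreposix -lpcre
+else
+echo "${usage}" 1>&2
+fi
+;;
+--libs)
+if test yes = yes ; then
+echo $libS$libR -lpcre -L/usr/local/pcre
+else
+echo "${usage}" 1>&2
+fi
+;;
+--libs16)
+if test yes = yes ; then
+echo $libS$libR -lpcre16
+else
+echo "${usage}" 1>&2
+fi
+;;
+--libs32)
+if test yes = yes ; then
+echo $libS$libR -lpcre32
+else
+echo "${usage}" 1>&2
+fi
+;;
+--libs-cpp)
+if test yes = yes ; then
+echo $libS$libR -lpcrecpp -lpcre
+else
+echo "${usage}" 1>&2
+fi
+;;
+*)
+echo "${usage}" 1>&2
+exit 1
+;;
+esac
+shift
+done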
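Review bot: The `--cflags` branch (line 80 of the new script) unconditionally overwrites the include path computed from `${prefix}` with `-I/root/ModSecurity/include`, a path from the author's workstation, so on any other host `configure --with-pcre=./pcre-config` is handed a directory that does not exist and the vendored `include/pcre.h` this commit adds is only found by accident of checkout location; replace it with something derived from the script's own location or an override, e.g. `includes="-I${MODSECURITY_PCRE_INCLUDE:-$(dirname "$0")/include}"`. The script is also an unexpanded copy of pcre-config.in: `if test yes = yes` and the `[--libs-cpp]`/`[--cflags]` placeholders are template markers, so `--version` always answers `8.39` regardless of which PCRE the fork actually built, and the usage line prints literal bracketed tokens. Since this file is what tells the build which PCRE headers and archive it is linking, its version answer should be tied to the library really used (or the hard-coded value documented as such), otherwise vulnerability tracking for the bundled PCRE has nothing reliable to go on.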

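--- a/src/operators/inspect_file.cc
+++ b/src/operators/inspect_file.cc
@@ -62,15 +62,12 @@ bool InspectFile::evaluate(Transaction *transaction, const std::string &str) {
 openstr.append(m_param);
 openstr.append(" ");
 openstr.append(str);
-if (!(in = popen(openstr.c_str(), "r"))) {
-return false;
-}
 
 while (fgets(buff, sizeof(buff), in) != NULL) {
 s << buff;
 }
 
-pclose(in);
+//pclose(in);
 
 res.append(s.str());
 if (res.size() > 1 && res.at(0) != '1') {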
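Review bot: With the `popen()` call deleted, `in` is never assigned before `fgets(buff, sizeof(buff), in)` in the loop that follows, so wherever this function is still compiled the read goes through a FILE* that no code in the hunk initialised (the declaration of `in` is above the hunk, so I cannot see whether it at least starts as NULL); commenting out `pclose(in)` only hides the matching close. If the point is that @inspectFile cannot spawn a process on the WebAssembly target, make that a compile-time decision and keep the native path intact rather than leaving a half-removed body behind. Returning `false` on that target mirrors what the removed popen-failure path already did, and a debug line makes the disabled operator observable instead of silently evaluating every @inspectFile rule as "no match". InspectFile::evaluate begins and ends outside the hunk, so the sketch below shows only the replaced stretch.
```cpp
    openstr.append(str);
#ifdef __EMSCRIPTEN__
    /* no process spawning on this target: report the operator as unavailable */
    ms_dbg_a(transaction, 2, "InspectFile: external program execution is not supported in this build");
    return false;
#else
    if (!(in = popen(openstr.c_str(), "r"))) {
        return false;
    }
    // … unchanged: fgets read loop into s …
    pclose(in);
#endif
```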

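--- a/src/operators/rbl.cc
+++ b/src/operators/rbl.cc
@@ -211,7 +211,7 @@ bool Rbl::evaluate(Transaction *t, RuleWithActions *rule,
 return false;
 }
 
-rc = getaddrinfo(host.c_str(), NULL, NULL, &info);
+rc = 0;
 
 if (rc != 0) {
 if (info != NULL) {
</update>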
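Review bot: Forcing `rc = 0;` makes the `if (rc != 0)` branch directly below dead and leaves `info` untouched by any lookup, so the code after the hunk that consumes the getaddrinfo result (outside my view) now runs on whatever `info` was initialised to — at best the RBL check reports success without ever asking the blocklist, at worst it dereferences a null result. For a reputation-list operator that is the wrong default: the lookup is silently skipped rather than reported as unavailable. If name resolution does not exist on the WebAssembly target, branch on the target and return without matching, e.g. `#ifdef __EMSCRIPTEN__` / `return false;` / `#else`, keeping `rc = getaddrinfo(host.c_str(), NULL, NULL, &info);` for native builds and closing with `#endif`. Rbl::evaluate begins and ends outside the hunk.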

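--- a/src/request_body_processor/multipart.cc
+++ b/src/request_body_processor/multipart.cc
@@ -45,7 +45,7 @@ MultipartPartTmpFile::~MultipartPartTmpFile() {
 Close();
 }
 
-const int unlink_rc = unlink(m_tmp_file_name.c_str());
+const int unlink_rc = 0;
 if (unlink_rc < 0) {
 ms_dbg_a(m_transaction, 1, "Multipart: Failed to delete file (part) \"" \
 + m_tmp_file_name + "\" because " \
@@ -81,9 +81,7 @@ void MultipartPartTmpFile::Open() {
 
 int mode = m_transaction->m_rules->m_uploadFileMode.m_value;
 if ((m_tmp_file_fd != -1) && (mode != 0)) {
-if (fchmod(m_tmp_file_fd, mode) == -1) {
 m_tmp_file_fd = -1;
-}
 }
 }
 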
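Review bot: In the second hunk, deleting the `fchmod` test but keeping `m_tmp_file_fd = -1;` inside the `(mode != 0)` branch means that whenever a non-zero upload file mode is configured (presumably SecUploadFileMode) the descriptor just opened is thrown away without being closed, and the part file is left with its creation-time permissions instead of the configured mode. The first hunk compounds it: `unlink()` is replaced by a constant, so every multipart part written to disk now outlives the transaction, and the `if (unlink_rc < 0)` branch that follows is dead code. Request bodies accumulating on disk with default permissions is a data-retention and disk-exhaustion problem on native builds as much as on the WASM target. Guard the calls instead of deleting them, e.g. `#ifndef __EMSCRIPTEN__` around `if (fchmod(m_tmp_file_fd, mode) == -1) { m_tmp_file_fd = -1; }` closed with `#endif`, and the same guard around the `unlink()` in the destructor; both enclosing functions extend beyond the hunks.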

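--- a/src/rule_with_actions.cc
+++ b/src/rule_with_actions.cc
@@ -120,7 +120,6 @@ RuleWithActions::RuleWithActions(
 delete a;
 std::cout << "General failure, action: " << a->m_name;
 std::cout << " has an unknown type." << std::endl;
-throw;
 }
 }
 delete actions;
@@ -513,27 +512,36 @@ void RuleWithActions::performLogging(Transaction *trans,
 trans->m_rulesMessages.push_back(*ruleMessage);
 
 /* error */
+trans->serverLog(ruleMessage);
+/*
 if (!ruleMessage->m_isDisruptive) {
 trans->serverLog(ruleMessage);
 }
+*/
 }
 } else if (hasBlockAction() && !hasMultimatch()) {
 /* warn */
 trans->m_rulesMessages.push_back(*ruleMessage);
 /* error */
+trans->serverLog(ruleMessage);
+/*
 if (!ruleMessage->m_isDisruptive) {
 trans->serverLog(ruleMessage);
 }
+*/
 } else {
 if (isItToBeLogged && !hasMultimatch()
 && !ruleMessage->m_message.empty()) {
 /* warn */
 trans->m_rulesMessages.push_back(*ruleMessage);
 
 /* error */
+trans->serverLog(ruleMessage);
+/*
 if (!ruleMessage->m_isDisruptive) {
 trans->serverLog(ruleMessage);
 }
+*/
 }
 }
 } else {
@@ -542,10 +550,12 @@ void RuleWithActions::performLogging(Transaction *trans,
 trans->m_rulesMessages.push_back(*ruleMessage.get());
 
 /* error */
+trans->serverLog(ruleMessage);
+/*
 if (!ruleMessage->m_isDisruptive) {
 trans->serverLog(ruleMessage);
 }
-
+*/
 RuleMessage *rm = new RuleMessage(this, trans);
 rm->m_saveMessage = ruleMessage->m_saveMessage;
 ruleMessage.reset(rm);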
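Review bot: Dropping the bare `throw;` at old line 123 of the constructor changes an unknown action type from a hard stop (a rethrow with no active exception terminates the process) into a rule that loads with that action silently discarded after a message on stdout, so a mistyped action in a blocking rule now degrades the rule instead of refusing the configuration. The message itself still reads `a->m_name` after `delete a;`, a use-after-free the commit keeps. Replace both with a real error that the caller can handle: `const std::string name = a->m_name;` before `delete a;`, then `throw std::runtime_error("General failure, action: " + name + " has an unknown type.");` — or, if this constructor must not throw in the WASM build, propagate a failure status so the rule is not installed. The three performLogging hunks additionally call `trans->serverLog(ruleMessage)` for disruptive messages the old guard excluded; if those are also logged by the code that handles the disruptive action (outside my view) this will double-log, which is worth a comment stating why the guard was lifted. Both functions begin and end outside the hunks.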

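--- a/src/unique_id.cc
+++ b/src/unique_id.cc
@@ -90,10 +90,6 @@ std::string UniqueId::machineName() {
 #ifdef HAVE_SYS_UTSNAME_H
 static struct utsname u;
 
-if (uname(&u) < 0) {
-goto failed;
-}
-
 snprintf(machine_name, len-1, "%s", u.nodename);
 #endif
 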
