Refine libinjection updates and test coverage

- update adapter and detection sources
- improve multithreaded unit tests
- add SQLi/XSS logging changes
- hide test override symbols
- fix linker visibility for test hooks

Author: Easton97-Jens

src/operators/detect_sqli.cc

@@ -22,12 +22,17 @@
 #include "src/operators/operator.h"
 #include "src/operators/libinjection_utils.h"
 #include "src/operators/libinjection_adapter.h"
+#include "src/utils/string.h"
 #include "libinjection/src/libinjection_error.h"
 
 namespace modsecurity::operators {
 
 bool DetectSQLi::evaluate(Transaction *t, RuleWithActions *rule,
     const std::string& input, RuleMessage &ruleMessage) {
+#ifndef NO_LOGS
+    const std::string loggable_input =
+        utils::string::limitTo(80, utils::string::toHexIfNeeded(input));
+#endif
 
     std::array<char, 8> fingerprint{};
 
@@ -42,9 +47,11 @@ bool DetectSQLi::evaluate(Transaction *t, RuleWithActions *rule,
         case LIBINJECTION_RESULT_TRUE:
             t->m_matched.emplace_back(fingerprint.data());
 
+#ifndef NO_LOGS
             ms_dbg_a(t, 4,
                 std::string("detected SQLi using libinjection with fingerprint '")
-                + fingerprint.data() + "' at: '" + input + "'");
+                + fingerprint.data() + "' at: '" + loggable_input + "'");
+#endif
 
             if (rule != nullptr && rule->hasCaptureAction()) {
                 t->m_collections.m_tx_collection->storeOrUpdateFirst(
@@ -57,11 +64,13 @@ bool DetectSQLi::evaluate(Transaction *t, RuleWithActions *rule,
             break;
 
         case LIBINJECTION_RESULT_ERROR:
+#ifndef NO_LOGS
             ms_dbg_a(t, 4,
                 std::string("libinjection parser error during SQLi analysis (")
                 + libinjectionResultToString(sqli_result)
                 + "); treating as match (fail-safe). Input: '"
-                + input + "'");
+                + loggable_input + "'");
+#endif
 
             if (rule != nullptr && rule->hasCaptureAction()) {
                 t->m_collections.m_tx_collection->storeOrUpdateFirst(
@@ -77,9 +86,11 @@ bool DetectSQLi::evaluate(Transaction *t, RuleWithActions *rule,
             break;
 
         case LIBINJECTION_RESULT_FALSE:
+#ifndef NO_LOGS
             ms_dbg_a(t, 9,
                 std::string("libinjection was not able to find any SQLi in: ")
-                + input);
+                + loggable_input);
+#endif
             break;
     }
 

src/operators/detect_xss.cc

@@ -20,12 +20,17 @@
 #include "src/operators/operator.h"
 #include "src/operators/libinjection_utils.h"
 #include "src/operators/libinjection_adapter.h"
+#include "src/utils/string.h"
 #include "libinjection/src/libinjection_error.h"
 
 namespace modsecurity::operators {
 
 bool DetectXSS::evaluate(Transaction *t, RuleWithActions *rule,
     const std::string& input, RuleMessage &ruleMessage) {
+#ifndef NO_LOGS
+    const std::string loggable_input =
+        utils::string::limitTo(80, utils::string::toHexIfNeeded(input));
+#endif
 
     const injection_result_t xss_result =
         runLibinjectionXSS(input.c_str(), input.length());
@@ -44,20 +49,25 @@ bool DetectXSS::evaluate(Transaction *t, RuleWithActions *rule,
             break;
 
         case LIBINJECTION_RESULT_ERROR:
+#ifndef NO_LOGS
             ms_dbg_a(t, 4,
                 std::string("libinjection parser error during XSS analysis (")
                 + libinjectionResultToString(xss_result)
                 + "); treating as match (fail-safe). Input: "
-                + input);
+                + loggable_input);
+#endif
             if (rule != nullptr && rule->hasCaptureAction()) {
                 t->m_collections.m_tx_collection->storeOrUpdateFirst("0", input);
                 ms_dbg_a(t, 7, std::string("Added DetectXSS error input TX.0: ") + input);
             }
             break;
 
         case LIBINJECTION_RESULT_FALSE:
+#ifndef NO_LOGS
             ms_dbg_a(t, 9,
-                std::string("libinjection was not able to find any XSS in: ") + input);
+                std::string("libinjection was not able to find any XSS in: ")
+                + loggable_input);
+#endif
             break;
     }
 

src/operators/libinjection_adapter.cc

@@ -1,5 +1,16 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
  */
 
 #include "src/operators/libinjection_adapter.h"

src/operators/libinjection_adapter.h

@@ -1,5 +1,16 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
  */
 
 #ifndef SRC_OPERATORS_LIBINJECTION_ADAPTER_H_

test/unit/unit.cc

@@ -175,6 +175,7 @@ UnitTestResult perform_unit_test_once(const UnitTest &t, modsecurity::Transactio
 template<typename TestType>
 UnitTestResult perform_unit_test_multithreaded(const UnitTest &t,
     modsecurity_test::ModSecurityTestContext &context) {
+    (void)context;
 
     constexpr auto NUM_THREADS = 50;
     constexpr auto ITERATIONS = 5'000;
@@ -189,9 +190,11 @@ UnitTestResult perform_unit_test_multithreaded(const UnitTest &t,
     {
         auto &result = results[i];
         threads[i] = std::thread(
-            [&item, &t, &result, &context]()
+            [&item, &t, &result]()
             {
-                auto transaction = context.create_transaction();
+                modsecurity_test::ModSecurityTestContext thread_context(
+                    "ModSecurity-unit mtstress-thread");
+                auto transaction = thread_context.create_transaction();
                 for (auto j = 0; j != ITERATIONS; ++j)
                     result = TestType::eval(*item.get(), t, transaction);
             });