Update Regex util to support match limits

If the rx or rxGlobal operator encounters a regex error,
the RX_ERROR and RX_ERROR_RULE_ID variables are set.
RX_ERROR contains a simple error code which can be either
OTHER or MATCH_LIMIT. RX_ERROR_RULE_ID unsurprisingly
contains the ID of the rule associated with the error.
More than one rule may encounter regex errors,
but only the first error is reflected in these variables.

Author: brandonpayton

Diff for: headers/modsecurity/rules_set_properties.h

@@ -379,6 +379,7 @@ class RulesSetProperties {
                                     from->m_responseBodyLimitAction,
                                     PropertyNotSetBodyLimitAction);
 
+        to->m_pcreMatchLimit.merge(&from->m_pcreMatchLimit);
         to->m_uploadFileLimit.merge(&from->m_uploadFileLimit);
         to->m_uploadFileMode.merge(&from->m_uploadFileMode);
         to->m_uploadDirectory.merge(&from->m_uploadDirectory);
@@ -470,6 +471,7 @@ class RulesSetProperties {
     ConfigDouble m_requestBodyLimit;
     ConfigDouble m_requestBodyNoFilesLimit;
     ConfigDouble m_responseBodyLimit;
+    ConfigInt m_pcreMatchLimit;
     ConfigInt m_uploadFileLimit;
     ConfigInt m_uploadFileMode;
     DebugLog *m_debugLog;

Diff for: headers/modsecurity/transaction.h

@@ -184,6 +184,8 @@ class TransactionAnchoredVariables {
         m_variableUniqueID(t, "UNIQUE_ID"),
         m_variableUrlEncodedError(t, "URLENCODED_ERROR"),
         m_variableUserID(t, "USERID"),
+        m_variableRxError(t, "RX_ERROR"),
+        m_variableRxErrorRuleID(t, "RX_ERROR_RULE_ID"),
         m_variableArgs(t, "ARGS"),
         m_variableArgsGet(t, "ARGS_GET"),
         m_variableArgsPost(t, "ARGS_POST"),
@@ -264,6 +266,8 @@ class TransactionAnchoredVariables {
     AnchoredVariable m_variableUniqueID;
     AnchoredVariable m_variableUrlEncodedError;
     AnchoredVariable m_variableUserID;
+    AnchoredVariable m_variableRxError;
+    AnchoredVariable m_variableRxErrorRuleID;
 
     AnchoredSetVariable m_variableArgs;
     AnchoredSetVariable m_variableArgsGet;

Diff for: src/operators/rx.cc

@@ -51,12 +51,41 @@ bool Rx::evaluate(Transaction *transaction, RuleWithActions *rule,
         re = m_re;
     }
 
-    std::vector<Utils::SMatchCapture> captures;
     if (re->hasError()) {
         ms_dbg_a(transaction, 3, "Error with regular expression: \"" + re->pattern + "\"");
         return false;
     }
-    re->searchOneMatch(input, captures);
+
+    Utils::RegexResult regex_result;
+    std::vector<Utils::SMatchCapture> captures;
+
+    if (transaction && transaction->m_rules->m_pcreMatchLimit.m_set) {
+        unsigned long match_limit = transaction->m_rules->m_pcreMatchLimit.m_value;
+        regex_result = re->searchOneMatch(input, captures, match_limit);
+    } else {
+        regex_result = re->searchOneMatch(input, captures);
+    }
+
+    // FIXME: DRY regex error reporting. This logic is currently duplicated in other operators.
+    if (regex_result != Utils::RegexResult::Ok) {
+        std::string regex_error_str = "OTHER";
+        if (regex_result == Utils::RegexResult::ErrorMatchLimit) {
+            regex_error_str = "MATCH_LIMIT";
+        }
+
+        ms_dbg_a(transaction, 1, "rx: regex error '" + regex_error_str + "' for pattern '" + re->pattern + "'");
+
+        // Only expose the first regex error to indicate there is an issue
+        if (rule && transaction && transaction->m_variableRxError.m_value.empty()) {
+            transaction->m_variableRxError.set(regex_error_str, transaction->m_variableOffset);
+            transaction->m_variableRxErrorRuleID.set(
+                std::to_string(rule->m_ruleId),
+                transaction->m_variableOffset
+            );
+        }
+
+        return false;
+    }
 
     if (rule && rule->hasCaptureAction() && transaction) {
         for (const Utils::SMatchCapture& capture : captures) {

Diff for: src/operators/rx_global.cc

@@ -51,8 +51,36 @@ bool RxGlobal::evaluate(Transaction *transaction, RuleWithActions *rule,
         re = m_re;
     }
 
+    Utils::RegexResult regex_result;
     std::vector<Utils::SMatchCapture> captures;
-    re->searchGlobal(input, captures);
+    if (transaction && transaction->m_rules->m_pcreMatchLimit.m_set) {
+        unsigned long match_limit = transaction->m_rules->m_pcreMatchLimit.m_value;
+        regex_result = re->searchGlobal(input, captures, match_limit);
+    } else {
+        regex_result = re->searchGlobal(input, captures);
+    }
+
+    // FIXME: DRY regex error reporting. This logic is currently duplicated in other operators.
+    if (regex_result != Utils::RegexResult::Ok) {
+        std::string regex_error_str = "OTHER";
+        if (regex_result == Utils::RegexResult::ErrorMatchLimit) {
+            regex_error_str = "MATCH_LIMIT";
+        }
+
+        ms_dbg_a(transaction, 1, "rxGlobal: regex error '" + regex_error_str + "' for pattern '" + re->pattern + "'");
+
+        // Only expose the first regex error to indicate there is an issue
+        if (rule && transaction && transaction->m_variableRxError.m_value.empty()) {
+            transaction->m_variableRxError.set(regex_error_str, transaction->m_variableOffset);
+            transaction->m_variableRxErrorRuleID.set(
+                std::to_string(rule->m_ruleId),
+                transaction->m_variableOffset
+            );
+        }
+
+        return false;
+    }
+
 
     if (rule && rule->hasCaptureAction() && transaction) {
         for (const Utils::SMatchCapture& capture : captures) {

Diff for: src/parser/location.hh

@@ -1,8 +1,8 @@
-// A Bison parser, made by GNU Bison 3.7.2.
+// A Bison parser, made by GNU Bison 3.7.5.
 
 // Locations for Bison parsers in C++
 
-// Copyright (C) 2002-2015, 2018-2020 Free Software Foundation, Inc.
+// Copyright (C) 2002-2015, 2018-2021 Free Software Foundation, Inc.
 
 // This program is free software: you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by

Diff for: src/parser/position.hh

@@ -1,4 +1,4 @@
-// A Bison parser, made by GNU Bison 3.7.2.
+// A Bison parser, made by GNU Bison 3.7.5.
 
 // Starting with Bison 3.2, this file is useless: the structure it
 // used to define is now defined in "location.hh".