Appears that tx.allowed_request_content_type is not parsed correctly.

[JaiHarpalani]

Using ModSec v3.0.1 with CRS v3.0.2, I define tx.allowed_request_content_type as follows:

SecAction
"id:900220,
phase:1,
nolog,
pass,
t:none,
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"

When I send a text/plain request, it is rejected.

I modified my assignment to re-order so that text/plain is no longer last and application/json is last.

SecAction
"id:900220,
phase:1,
nolog,
pass,
t:none,
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/octet-stream|text/plain|text/plain|application/json'"

Now, text/plain requests are accepted, but application/json requests are rejected.

Seems like the last value is not properly parsed.

[defanator]

Spent some time digging in similar one. So far my assumption is that parser is failing somewhere in the SETVAR_ACTION_QUOTED path.

Minimal configuration to show the differences in various quoting syntaxes:

root@vagrant:/home/test/ModSecurity# cat /etc/nginx/modsec/main.conf  | grep -v "^#" | strings
include /etc/nginx/modsec/modsecurity.conf
SecRule &TX:allowed_http_versions1 "@eq 0" \
    "id:1,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.allowed_http_versions1=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
SecRule &TX:allowed_http_versions2 "@eq 0" \
    "id:2,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.allowed_http_versions2=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0"
SecRule &TX:allowed_http_versions3 "@eq 0" \
    "id:3,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.allowed_http_versions3='HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"

Debug log excerpts:

[4] Running [independent] (non-disruptive) action: setvar
[8] Saving variable: TX:allowed_http_versions1 with value: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'
[4] Running [independent] (non-disruptive) action: setvar
[8] Saving variable: TX:allowed_http_versions2 with value: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
[4] Running [independent] (non-disruptive) action: setvar
[8] Saving variable: TX:allowed_http_versions3 with value: 'HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'

@zimmerle @victorhora appreciate your input here, especially any insights about parser debugging. I constructed a chain of "tokens" or "actions" like the following:

1. ACTION_SETVAR
2. BEGIN(SETVAR_ACTION_QUOTED)
3. BEGINX_
4. EXPECTING_VAR_PARAMETER_OR_MACRO_QUOTED
5. BEGIN_ACTION_WAITING_CONTENT
6. SETVAR_ACTION_QUOTED_WAITING_CONTENT

and stuck after (6) here.

I also noticed some changes were made in this area in the following commits, but haven't had enough time to check all the diffs:
6fe8655
a299997

[defanator]

@JaiHarpalani for the sake of clarity, last part of a list includes closing single quote char:

root@vagrant:/etc/nginx/modsec# curl -vi -X POST --data-binary "param1=value1&param2=value2" -H "Content-Type: text/plain" http://localhost/modsec-full/
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /modsec-full/ HTTP/1.1
> Host: localhost
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Type: text/plain
> Content-Length: 27
> 
* upload completely sent off: 27 out of 27 bytes
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Server: nginx/1.13.10
Server: nginx/1.13.10
< Date: Tue, 17 Apr 2018 15:22:30 GMT
Date: Tue, 17 Apr 2018 15:22:30 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 170
Content-Length: 170
< Connection: keep-alive
Connection: keep-alive

< 
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.13.10</center>
</body>
</html>
* Connection #0 to host localhost left intact

root@vagrant:/etc/nginx/modsec# curl -vi -X POST --data-binary "param1=value1&param2=value2" -H "Content-Type: text/plain'" http://localhost/modsec-full/
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /modsec-full/ HTTP/1.1
> Host: localhost
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Type: text/plain'
> Content-Length: 27
> 
* upload completely sent off: 27 out of 27 bytes
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.13.10
Server: nginx/1.13.10
< Date: Tue, 17 Apr 2018 15:22:49 GMT
Date: Tue, 17 Apr 2018 15:22:49 GMT
< Content-Type: text/plain
Content-Type: text/plain
< Content-Length: 39
Content-Length: 39
< Connection: keep-alive
Connection: keep-alive

< 
Thank you for requesting /modsec-full/
* Connection #0 to host localhost left intact

(note the Content-Type header in the 2nd case)

[victorhora]

Thanks for the helpful input @defanator.

So there's definitely a different behaviour for parsing setvar between v2 and v3. Let me see if I can come up with a fix here. @zimmerle I might need your help :)

@JaiHarpalani as a temporary workaround, you may wish to remove the single quotes around tx.allowed_request_content_type. That will be processed correctly by the parser and allows all the specified content-types.

[victorhora]

Just noticed an interesting warning from Flex when rebuilding the Parser:

/home/vhora/modsecurity-v3.0.2/src/parser/seclang-scanner.ll:713: warning, rule cannot be matched

Which, in my codebase (3.0.2) points to SETVAR_ACTION_QUOTED_WAITING_CONTENT (\')

[victorhora]

It seemed like the issue was really on that part of the code. I've changed the order on which SETVAR_ACTION_QUOTED_WAITING_CONTENT (') was waiting for the input and it looks like it's all good now.

I've tested with the CRS (tx.allowed_request_content_type) and now it should accept all those Content-Types as it is. And hopefully it might fix some other related issue.

It's being tested by the buildbots (#1759) but @JaiHarpalani @defanator, it would be nice if you could check if you get the same results as I did to be on the safe side.

Thanks.