Unable to parse absolute Windows path as value of modsecurity.conf directive

[skvoboo-gh]

Describe the bug

Unable to parse absolute Windows path as value of modsecurity.conf directive.
RulesSet::loadFromUri() failed with error message:

Rules error. File: C:\Program Files (x86)\ModSecurity\modsecurity.conf. Line: 3. Column: 59. Invalid input:  SecAuditLog "D:\Data Directory\ModSecurity\logs\audit.log"

To Reproduce

Load modsecurity.conf with content:

SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog "D:\Data Directory\ModSecurity\logs\audit.log"

Expected behavior

There are no errors.

Server (please complete the following information):

• ModSecurity version: ModSecurity v3.0.14
• OS: Windows

[airween]

@skvoboo-gh,

thanks for the report. It seems like the parser does not have any rule to parse this directive with ", see the source:
#https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/src/parser/seclang-scanner.ll#L760

Only one syntax is there without quote marks.

Could you try without " to confirm this?

[skvoboo-gh]

Relative Linux path with " can be parsed successfully:

SecAuditLog "logs/audit.log"

[airween]

Relative Linux path with " can be parsed successfully:

SecAuditLog "logs/audit.log"

Sorry, there is a rule with ":
https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/src/parser/seclang-scanner.ll#L764

I'll check this out what could be the problem.

[skvoboo-gh]

Could you try without " to confirm this?

RulesSet::loadFromUri() failed with error message:

Rules error. File: C:\Program Files (x86)\ModSecurity\modsecurity.conf. Line: 3. Column: 57. Invalid input:  \Data Directory\ModSecurity\logs\audit.log

[airween]

Thanks, I think I found the problem.

Now the CONFIG_VALUE_PATH syntax is this:

CONFIG_VALUE_PATH                       [0-9A-Za-z_\/\.\-\*\:]+

but this does not contains space and backslash. I think the expected value would be:

CONFIG_VALUE_PATH                       [0-9A-Za-z_\\\/\.\-\*\: ]+

See regex101 examples:

• original
• fixed

The first one splits the path components into several pieces.

[skvoboo-gh]

Please also allow the characters ( and )

SecAuditLog "C:\Program Files (x86)\ModSecurity\2DB8C4A3-B83E-4450-BB04-08830CADDD56\logs\audit.log"

[airween]

@skvoboo-gh could you try PR #3430?

[skvoboo-gh]

could you try PR #3430?

LGTM

[airween]

LGTM

Sorry, does this mean you tried on Windows and it worked?

[skvoboo-gh]

The changes in the src/parser/seclang-scanner.ll looks good to me.
I didn't build libModSecurity from your branch.

[skvoboo-gh]

@airween
I built libModSecurity from your branch.

SecAuditLog directive parsed correctly.
However, the issue persists for the IncludeOptional directive.

modsecurity.conf

SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog "C:\Program Files (x86)\ModSecurity\2DB8C4A3-B83E-4450-BB04-08830CADDD56\logs\audit.log"
IncludeOptional "C:\Program Files (x86)\ModSecurity\rules\modsecurity_10_*.conf"

Error message

Rules error. File: C:\Program Files (x86)\ModSecurity\modsecurity.conf. Line: 4. Column: 81. Invalid input: IncludeOptional "C:\Program Files (x86)\ModSecurity\rules\modsecurity_10_*.conf"

The issue with IncludeOptional is probably related to owasp-modsecurity/ModSecurity-nginx#338

[airween]

@skvoboo-gh,

thanks for the test and confirmation, we're going to merge the PR soon.

However, the issue persists for the IncludeOptional directive.

Yes, that's a know issue, but that's not trivial to fix - it's not enough to change a token pattern, we should introduce a new keyword and logic behind to. But I try to fix that soon too.

The only workaround is you change IncludeOptional to Include.

[airween]

I built libModSecurity from your branch.

We changed the token's syntax, could you build and try it again?

Thanks!