fix: clean matched vars after chained and non-chained rule #3418

Open
wants to merge 2 commits into
base: v3/master

Member

@airween airween commented Jul 14, 2025

what

This PR changes the code behavior: now the engine cleans the MATCHED_VAR* variables after chained and non-chained rules too.

why

Until now, if there was a single (non-chained) rule, and if any of the MATCHED_VAR* variables were filled, then the next rule which used them accessed the filled value, even if the rule does not use the chain action.

references

See issue #3382.

This PR fixes #3382.

other notes

Please see commit 5572ac0; I added this change because the first test on Windows failed. It seems like the argument processing order is non-deterministic, at least it's different on Windows (see the log: the first argument is the last from the QUERY_STRING, and the tests succeeded on all other platforms).

Member Author

airween commented Jul 14, 2025

@mirkodziadzka-avi could you take a review on this?

Contributor

@MirkoDziadzka MirkoDziadzka left a comment

Looks good to me, thanks.

Can we also update the documentation? I think this is at least as important as this change.

Member Author

airween commented Jul 23, 2025

> Looks good to me, thanks.

Great, thanks!

> Can we also update the documentation? I think this is at least as important as this change.

Indeed, after the merge I'm going to update it. Thank you!

@airween airween requested review from theseion and fzipi July 23, 2025 15:43
Contributor

@fzipi fzipi left a comment

Thanks for adding so many tests.

@@ -355,6 +355,9 @@ bool RuleWithOperator::evaluate(Transaction *trans,

/* last rule in the chain. */
performLogging(trans, ruleMessage, true, true);
if (m_ruleId > 0) {
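
Review bot: the `if (m_ruleId > 0)` guard placed right after `performLogging(trans, ruleMessage, true, true);` has no comment saying what an id of 0 means at this point, so the condition reads as redundant. Suggest a one-line comment above it recording the invariant it relies on, as given in the reply in this thread: in a chain only the last rule carries the id, so `m_ruleId > 0` marks the end of a rule whether it is chained or not. That keeps a later cleanup from dropping the check.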
Collaborator

Why this check? If I understand correctly, m_ruleId == 0 would be an invalid rule (caught exception). Would we even get here then? As far as I can tell, nothing bad would happen if m_ruleId == 0, since cleanMatchedVars() operates on the transaction only.

Member Author

> If I understand correctly, m_ruleId == 0 would be an invalid rule

Yes, except if it's a chained rule. Generally, every chained rule (rules?) has (have?) only one unique id. In libmodsecurity3, even though you set up the id action at the first rule (in a chained rule), the last rule will own that id. Therefore this condition (m_ruleId > 0) tells us this is the end of a rule; no matter whether it's chained or not, we should clean the MATCHED_* variables.
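
The behaviour discussed in this thread, as a simplified model added here for illustration (not libmodsecurity3 code and not part of the PR): MATCHED_VAR is kept between the links of a chain and cleared once a rule or chain ends, with `id > 0` marking that end. The `Rule`, `Tx`, `matchRule` and `run` names, the rule ids and the sample argument are hypothetical, and clearing after a chain whose link did not match is this model's assumption.

```cpp
// Simplified model, not libmodsecurity3 code. All names here are hypothetical.
#include <iostream>
#include <string>
#include <vector>

struct Rule {
    int id;              // 0 on non-final chain links; the last link owns the id
    std::string target;  // "ARGS" or "MATCHED_VAR"
    std::string needle;  // substring the rule's operator looks for
    bool chained;        // true when the next rule continues this chain
};
struct Tx {
    std::vector<std::string> args;  // constructed request arguments
    std::string matchedVar;         // models MATCHED_VAR; empty means unset
};

// Evaluate one rule; a match stores the matching value in MATCHED_VAR.
static bool matchRule(const Rule &r, Tx &tx) {
    std::vector<std::string> values;
    if (r.target == "ARGS") values = tx.args;
    else if (!tx.matchedVar.empty()) values.push_back(tx.matchedVar);
    for (const auto &v : values)
        if (v.find(r.needle) != std::string::npos) { tx.matchedVar = v; return true; }
    return false;
}

// Returns the ids of the rules or chains that fired.
std::vector<int> run(const std::vector<Rule> &rules, Tx tx, bool cleanAtRuleEnd) {
    std::vector<int> fired;
    for (std::size_t i = 0; i < rules.size(); ++i) {
        bool ok = matchRule(rules[i], tx);
        if (ok && rules[i].chained) continue;  // next link still needs MATCHED_VAR
        while (!ok && rules[i].chained && i + 1 < rules.size()) ++i;  // skip rest of chain
        if (ok) fired.push_back(rules[i].id);
        // End of a rule or chain: only the final link carries an id > 0.
        if (cleanAtRuleEnd && rules[i].id > 0) tx.matchedVar.clear();
    }
    return fired;
}

int main() {
    Tx tx{{"evil-payload"}, ""};  // constructed sample input
    std::vector<Rule> rules = {{0, "ARGS", "evil", true},  // chain: id on last link
                               {2001, "MATCHED_VAR", "payload", false},
                               {2002, "MATCHED_VAR", "evil", false}};
    for (bool clean : {false, true}) {
        for (int id : run(rules, tx, clean)) std::cout << id << ' ';
        std::cout << (clean ? "(cleaned)\n" : "(stale)\n");
    }
}
```

Without the cleanup, rule 2002 fires on a value that only the preceding chain matched; with it, the chain still works internally but nothing leaks into the next rule.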

Successfully merging this pull request may close these issues.

Semantic of MATCHED_VARS / MATCHED_VARS_NAMES
4 participants