/**
 * Store @a value in this field without copying the byte string.
 *
 * Internal::check_type() is called with BYTE_STRING and this field's type()
 * before the value is handed to Internal::set_value_no_copy().
 *
 * NOTE(review): "no copy" suggests the field keeps referring to the storage
 * behind @a value -- presumably the caller must keep that storage alive and
 * unchanged for as long as the field is read; confirm against
 * Internal::set_value_no_copy().
 *
 * @param[in] value Byte string whose underlying ib handle is stored.
 */
void Field::set_no_copy_byte_string(ByteString value) const
{
    Internal::check_type(BYTE_STRING, type());

    Internal::set_value_no_copy(
        ib(),
        ib_ftype_bytestr_mutable_in(value.ib())
    );
}
/**
 * Create a BYTE_STRING field that takes @a value without copying it.
 *
 * Thin wrapper: forwards everything to Internal::create_no_copy() with the
 * type fixed to Field::BYTE_STRING.
 *
 * NOTE(review): as with any no-copy constructor, the new field presumably
 * shares storage with @a value; the lifetime of that storage relative to
 * @a pool is not visible here -- confirm against Internal::create_no_copy().
 *
 * @param[in] pool        Memory pool passed through to the creator.
 * @param[in] name        Field name (need not be NUL terminated, since the
 *                        length is passed separately).
 * @param[in] name_length Length of @a name.
 * @param[in] value       Byte string whose underlying ib handle is stored.
 * @return The field produced by Internal::create_no_copy().
 */
Field Field::create_no_copy_byte_string(
    MemoryPool  pool,
    const char* name,
    size_t      name_length,
    ByteString  value
)
{
    return Internal::create_no_copy(
        pool,
        name,
        name_length,
        Field::BYTE_STRING,
        ib_ftype_bytestr_mutable_in(value.ib())
    );
}
/**
 * Create a bytestring field over caller-provided memory.
 *
 * A bytestring is built with ib_bytestr_alias_mem() and then attached to a
 * new field with ib_field_create_no_copy(), so @a val is not duplicated by
 * this function.
 *
 * NOTE(review): because the field aliases @a val, the caller presumably has
 * to keep that memory valid (and not reuse it for other data) for the life
 * of the field -- confirm against ib_bytestr_alias_mem().
 *
 * @param[out] pf   Receives the new field; set to NULL on failure.
 * @param[in]  mp   Memory pool used for the bytestring and the field.
 * @param[in]  name Field name.
 * @param[in]  nlen Length of @a name.
 * @param[in]  val  Memory to alias.
 * @param[in]  vlen Length of @a val.
 *
 * @returns IB_OK, or the status of the first call that failed.
 */
ib_status_t ib_field_create_bytestr_alias(
    ib_field_t **pf,
    ib_mpool_t  *mp,
    const char  *name,
    size_t       nlen,
    uint8_t     *val,
    size_t       vlen
)
{
    ib_bytestr_t *alias;
    ib_status_t status = ib_bytestr_alias_mem(&alias, mp, val, vlen);

    /* Only try to build the field once the alias exists. */
    if (status == IB_OK) {
        status = ib_field_create_no_copy(
            pf, mp, name, nlen,
            IB_FTYPE_BYTESTR,
            ib_ftype_bytestr_mutable_in(alias)
        );
    }

    if (status != IB_OK) {
        /* Never leave a stale or partially built field with the caller. */
        *pf = NULL;
        return status;
    }

    ib_field_util_log_debug("FIELD_CREATE_BYTESTR_ALIAS", (*pf));
    return IB_OK;
}
/**
 * Transformation: normalize a bytestring field with sqltfn_normalize_pg_ex().
 *
 * Fields that are not bytestrings are passed through untouched. For a
 * bytestring, everything up to and including the first quote character
 * (single quote preferred, then double quote) is copied verbatim and only
 * the remainder is normalized.
 *
 * NOTE(review): the output buffer is allocated with exactly the input length
 * and no capacity is passed to sqltfn_normalize_pg_ex(); this is only safe
 * if normalization never produces more bytes than it consumes -- confirm
 * against the normalizer.
 *
 * @param[in]  ib        Engine (only asserted non-NULL here).
 * @param[in]  mp        Memory pool for the output buffer and field.
 * @param[in]  tfn_data  Unused.
 * @param[in]  field_in  Field to normalize.
 * @param[out] field_out Normalized field, or @a field_in on pass-through.
 * @param[out] pflags    Set to IB_TFN_FMODIFIED when the normalizer reports
 *                       a change; otherwise left as the caller set it.
 *
 * @returns IB_OK, IB_EALLOC (allocation failure or negative normalizer
 *          result), or the status of a failing field/bytestring call.
 */
static ib_status_t sqltfn_normalize_pg_tfn(ib_engine_t *ib,
                                           ib_mpool_t *mp,
                                           void *tfn_data,
                                           const ib_field_t *field_in,
                                           const ib_field_t **field_out,
                                           ib_flags_t *pflags)
{
    assert(ib != NULL);
    assert(mp != NULL);
    assert(field_in != NULL);
    assert(field_out != NULL);
    assert(pflags != NULL);

    ib_bytestr_t *src_bs;
    ib_bytestr_t *dst_bs;
    ib_field_t *result;
    const char *src;
    const char *quote;
    const char *scan;
    size_t src_len;
    size_t scan_len;
    size_t lead_len = 0;
    char *dst;
    char *dst_end;
    size_t dst_len;
    ib_status_t rc;
    int changed;

    /* Only bytestrings are normalized; anything else is handed back as is. */
    if (field_in->type != IB_FTYPE_BYTESTR) {
        *field_out = field_in;
        return IB_OK;
    }

    /* Pull the bytestring out of the incoming field. */
    rc = ib_field_value(field_in, ib_ftype_bytestr_mutable_out(&src_bs));
    if (rc != IB_OK) {
        return rc;
    }
    src_len = ib_bytestr_length(src_bs);

    /* Working buffer for the normalized text, same size as the input. */
    dst = (char *)ib_mpool_alloc(mp, src_len);
    if (dst == NULL) {
        return IB_EALLOC;
    }
    dst_end = dst;

    /* SQL may be injected inside a string literal, so normalization starts
     * just after the first quote if there is one: single quote first, then
     * double quote, otherwise the start of the value.
     *
     * TODO: Handle returning multiple transformations:
     *   1) Straight normalization
     *   2) Normalization as if with single quotes (starting point
     *      should be based on straight normalization)
     *   3) Normalization as if with double quotes (starting point
     *      should be based on straight normalization)
     */
    src = (const char *)ib_bytestr_const_ptr(src_bs);
    quote = (const char *)memchr(src, '\'', src_len);
    if (quote == NULL) {
        quote = (const char *)memchr(src, '"', src_len);
    }

    if (quote == NULL) {
        scan = src;
        scan_len = src_len;
    }
    else {
        /* Keep the text up to and including the quote unchanged. */
        scan = quote + 1;
        lead_len = scan - src;
        scan_len = src_len - lead_len;
        memcpy(dst, src, lead_len);
        dst_end += lead_len;
    }

    /* Normalize the remainder behind the copied lead. */
    changed = sqltfn_normalize_pg_ex(scan, scan_len, &dst_end, &dst_len);
    if (changed < 0) {
        return IB_EALLOC;
    }
    if (changed > 0) {
        *pflags = IB_TFN_FMODIFIED;
    }

    /* Wrap the buffer (lead plus normalized text) in a new field. */
    dst_len += lead_len;
    rc = ib_bytestr_alias_mem(&dst_bs, mp, (uint8_t *)dst, dst_len);
    if (rc != IB_OK) {
        return rc;
    }

    rc = ib_field_create(&result, mp,
                         field_in->name, field_in->nlen,
                         IB_FTYPE_BYTESTR,
                         ib_ftype_bytestr_mutable_in(dst_bs));
    if (rc != IB_OK) {
        return rc;
    }

    *field_out = result;
    return IB_OK;
}
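/**
 * Transformation: rewrite a bytestring field as the space separated list of
 * SQL tokens that libinjection extracts from it.
 *
 * Non-bytestring fields, and inputs for which libinjection produces an empty
 * fingerprint, are passed through unchanged (*field_out = field_in).
 *
 * The output buffer is twice the input length. Every write into it is
 * checked against that capacity, so the function does not depend on the
 * tokenizer's output never exceeding the space reserved for it.
 *
 * @param[in]  mp        Memory pool for the output buffer and field.
 * @param[in]  field_in  Field to normalize.
 * @param[out] field_out Normalized field, or @a field_in on pass-through.
 * @param[in]  tfn_data  Pattern set handed to sqli_lookup_word.
 *
 * @returns IB_OK on success, IB_EALLOC if the output buffer cannot be
 *          allocated, IB_EINVAL if the tokens would not fit in the output
 *          buffer, or the status of a failing field/bytestring call.
 */
static ib_status_t sqli_normalize_tfn(ib_mpool_t *mp,
                                      const ib_field_t *field_in,
                                      const ib_field_t **field_out,
                                      void *tfn_data)
{
    assert(mp != NULL);
    assert(field_in != NULL);
    assert(field_out != NULL);

    const sqli_pattern_set_t *ps = (const sqli_pattern_set_t *)tfn_data;
    sfilter sf;
    ib_bytestr_t *bs_in;
    ib_bytestr_t *bs_out;
    const char *buf_in;
    char *buf_in_start;
    size_t buf_in_len;
    size_t in_len;
    char *buf_out;
    char *buf_out_end;
    size_t buf_out_len;
    size_t buf_out_cap;
    size_t lead_len = 0;
    char prev_token_type;
    ib_field_t *field_new;
    ib_status_t rc;
    size_t fingerprint_len;

    /* Currently only bytestring types are supported.
     * Other types will just get passed through. */
    if (field_in->type != IB_FTYPE_BYTESTR) {
        *field_out = field_in;
        return IB_OK;
    }

    /* Extract the underlying incoming value. */
    rc = ib_field_value(field_in, ib_ftype_bytestr_mutable_out(&bs_in));
    if (rc != IB_OK) {
        return rc;
    }

    buf_in = (const char *)ib_bytestr_const_ptr(bs_in);
    in_len = ib_bytestr_length(bs_in);

    /* The capacity below is 2 * in_len; refuse lengths where that wraps. */
    if (in_len > SIZE_MAX / 2) {
        return IB_EALLOC;
    }
    buf_out_cap = 2 * in_len;

    /* Create a buffer big enough (double) to allow for normalization. */
    buf_out = buf_out_end = (char *)ib_mpool_calloc(mp, 2, in_len);
    if (buf_out == NULL) {
        return IB_EALLOC;
    }

    /* TODO: With the latest libinjection, we will need to do something like the
     * following, but more robust, instead of just calling is_sqli. This seems
     * to be because folding is now called, which removes some tokens. */
#if 0
    /* As SQL can be injected into a string, the normalization
     * needs to start after the first quote character if one
     * exists.
     *
     * First try single quote, then double, then none.
     *
     * TODO: Handle returning multiple transformations:
     *       1) Straight normalization
     *       2) Normalization as if with single quotes (starting point
     *          should be based on straight normalization)
     *       3) Normalization as if with double quotes (starting point
     *          should be based on straight normalization)
     */
    buf_in_start = memchr(buf_in, CHAR_SINGLE, ib_bytestr_length(bs_in));
    if (buf_in_start == NULL) {
        buf_in_start = memchr(buf_in, CHAR_DOUBLE, ib_bytestr_length(bs_in));
    }
    if (buf_in_start == NULL) {
        buf_in_start = (char *)buf_in;
        buf_in_len = ib_bytestr_length(bs_in);
    }
    else {
        ++buf_in_start; /* After the quote. */
        buf_in_len = ib_bytestr_length(bs_in) - (buf_in_start - buf_in);
    }

    /* Copy the leading string if one exists. */
    if (buf_in_start != buf_in) {
        lead_len = buf_in_start - buf_in;
        memcpy(buf_out, buf_in, lead_len);
        buf_out_end += lead_len;
    }
#endif
    buf_in_start = (char *)buf_in;
    buf_in_len = in_len;

    /* Tokenize the input. The tokens are copied below, as a space
     * separated list, into buf_out (not back into the input). */
    libinjection_sqli_init(&sf, buf_in_start, buf_in_len, FLAG_NONE);
    libinjection_sqli_callback(&sf, sqli_lookup_word, (void *)ps);

    /* NOTE: We do not care if it is sqli, but just want the tokens. */
    libinjection_is_sqli(&sf);

    fingerprint_len = strlen(sf.fingerprint);
    if (fingerprint_len == 0) {
        *field_out = field_in;
        return IB_OK;
    }

    buf_out_len = 0;
    prev_token_type = 0;
    for (size_t i = 0; i < fingerprint_len; ++i) {
        const stoken_t *current = &sf.tokenvec[i];
        const size_t token_len = strlen(current->val);
        const size_t used = (size_t)(buf_out_end - buf_out);

        /* A separating space is written unless we are at the start, next to
         * an operator token, or next to a comma. */
        const int need_space =
            (buf_out_end != buf_out) &&
            (current->type != 'o') &&
            (prev_token_type != 'o') &&
            (current->type != ',') &&
            (*(buf_out_end - 1) != ',');
        const size_t needed = token_len + (need_space ? 1 : 0);

        /* Token text is derived from request data: never write past the
         * allocation, whatever the tokenizer hands back. */
        if (needed > buf_out_cap - used) {
            return IB_EINVAL;
        }

        if (need_space) {
            *buf_out_end = ' ';
            buf_out_end += 1;
            ++buf_out_len;
        }

        /* Copy the token value. */
        memcpy(buf_out_end, current->val, token_len);
        buf_out_end += token_len;
        buf_out_len += token_len;

        prev_token_type = current->type;
    }

    /* Create the output field wrapping bs_out. */
    buf_out_len += lead_len;
    rc = ib_bytestr_alias_mem(&bs_out, mp, (uint8_t *)buf_out, buf_out_len);
    if (rc != IB_OK) {
        return rc;
    }
    rc = ib_field_create(&field_new, mp,
                         field_in->name, field_in->nlen,
                         IB_FTYPE_BYTESTR,
                         ib_ftype_bytestr_mutable_in(bs_out));
    if (rc == IB_OK) {
        *field_out = field_new;
    }

    return rc;
}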
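/**
 * Set the matches into the given field name as .0, .1, .2 ... .9.
 *
 * The name buffer is sized for any non-negative int index, so a @a matches
 * value above 10 cannot overrun it, and it is released on every return path.
 * Offset pairs that do not describe a forward range inside the subject
 * (negative start, or end before start) are stored as an empty value instead
 * of being turned into a pointer and length.
 *
 * @param[in] ib The IronBee engine to log to.
 * @param[in] tx The transaction to store the values into (tx->dpi).
 * @param[in] field_name The field to populate with Regex matches.
 * @param[in] ovector The vector of integer pairs of matches from PCRE.
 * @param[in] matches The number of matches.
 * @param[in] subject The matched-against string data.
 *
 * @returns IB_OK, IB_EALLOC if the name buffer cannot be allocated,
 *          IB_EINVAL if @a field_name cannot be ensured to be a list or a
 *          sub-field name cannot be built, or the status of the first
 *          failing call that stores a match.
 */
static ib_status_t pcre_set_matches(ib_engine_t *ib,
                                    ib_tx_t *tx,
                                    const char* field_name,
                                    int *ovector,
                                    int matches,
                                    const char *subject)
{
    IB_FTRACE_INIT();

    /* IronBee status. */
    ib_status_t rc;

    /* Iterator. */
    int i;

    /* Length of field_name. */
    const size_t field_name_sz = strlen(field_name);

    /* Room for '.', any non-negative int in decimal (at most three digits
     * per byte of int), and \0. */
    const size_t full_field_name_sz =
        field_name_sz + 1 + (3 * sizeof(int)) + 1;

    /* The length of the match. */
    size_t match_len;

    /* The first character in the match. */
    const char* match_start;

    char *full_field_name = (char *)malloc(full_field_name_sz);

    /* Holder to build an optional debug message in. */
    char *debug_msg;

    /* Holder for a copy of the field value when creating a new field. */
    ib_bytestr_t *field_value;

    /* Field holder. */
    ib_field_t *ib_field;

    /* Ensure the above allocations happened. */
    if (full_field_name == NULL) {
        IB_FTRACE_RET_STATUS(IB_EALLOC);
    }

    rc = ensure_field_exists(ib, tx, field_name);
    if (rc != IB_OK) {
        ib_log_alert_tx(tx, "Could not ensure that field %s was a list.",
                        field_name);
        free(full_field_name);
        IB_FTRACE_RET_STATUS(IB_EINVAL);
    }

    /* We have a match! Now populate TX.0-9 in tx->dpi. */
    for (i = 0; i < matches; i++) {
        const int start = ovector[i * 2];
        const int end = ovector[i * 2 + 1];
        int written;

        /* Build the field name. Typically TX.0, TX.1 ... TX.9 */
        written = snprintf(full_field_name, full_field_name_sz,
                           "%s.%d", field_name, i);
        if (written < 0 || (size_t)written >= full_field_name_sz) {
            rc = IB_EINVAL;
            break;
        }

        /* Mark the start and length of the string. PCRE reports a group
         * that did not take part in the match as -1/-1; treat that, and any
         * pair whose end precedes its start, as an empty value rather than
         * computing an out-of-range pointer or a wrapped length. */
        if (start < 0 || end < start) {
            match_start = subject;
            match_len = 0;
        }
        else {
            match_start = subject + start;
            match_len = (size_t)(end - start);
        }

        /* If debugging this, copy the string value out and print it to the
         * log. This could be dangerous as there could be non-character
         * values in the match. */
        if (ib_log_get_level(ib) >= 7) {
            debug_msg = (char *)malloc(match_len + 1);

            /* Notice: Don't provoke a crash if malloc fails. */
            if (debug_msg != NULL) {
                memcpy(debug_msg, match_start, match_len);
                debug_msg[match_len] = '\0';

                ib_log_debug2_tx(tx, "REGEX Setting %s=%s",
                                 full_field_name,
                                 debug_msg);

                free(debug_msg);
            }
        }

        /* Start from NULL so a lookup that leaves its output untouched is
         * read as "not found" rather than as an indeterminate pointer. */
        ib_field = NULL;
        ib_data_get(tx->dpi, full_field_name, &ib_field);

        if (ib_field == NULL) {
            rc = ib_data_add_bytestr(tx->dpi,
                                     full_field_name,
                                     (uint8_t *)match_start,
                                     match_len,
                                     NULL);
        }
        else {
            field_value = NULL;
            rc = ib_bytestr_dup_mem(&field_value,
                                    tx->mp,
                                    (const uint8_t *)match_start,
                                    match_len);
            /* Only install the copy if it was actually made. */
            if (rc == IB_OK) {
                rc = ib_field_setv_no_copy(
                    ib_field,
                    ib_ftype_bytestr_mutable_in(field_value)
                );
            }
        }

        if (rc != IB_OK) {
            break;
        }
    }

    /* The name buffer is only needed while building names. */
    free(full_field_name);

    IB_FTRACE_RET_STATUS(rc);
}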
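/**
 * Transformation: rewrite a bytestring field as the space separated list of
 * SQL tokens that libinjection extracts from it.
 *
 * Non-bytestring fields are passed through unchanged. For a bytestring,
 * everything up to and including the first quote character (single quote
 * preferred, then double quote) is copied verbatim and only the remainder is
 * tokenized.
 *
 * The output buffer is twice the input length. Every token write into it is
 * checked against that capacity, so the function does not depend on the
 * tokenizer's output never exceeding the space reserved for it.
 *
 * @param[in]  ib        Engine, used for debug logging of the tokens.
 * @param[in]  mp        Memory pool for the output buffer and field.
 * @param[in]  tfn_data  Unused.
 * @param[in]  field_in  Field to normalize.
 * @param[out] field_out Normalized field, or @a field_in on pass-through.
 * @param[out] pflags    Set to IB_TFN_FMODIFIED whenever a bytestring was
 *                       tokenized.
 *
 * @returns IB_OK on success, IB_EALLOC if the output buffer cannot be
 *          allocated, IB_EINVAL if the tokens would not fit in the output
 *          buffer, or the status of a failing field/bytestring call.
 */
static ib_status_t sqli_normalize_tfn(ib_engine_t *ib,
                                      ib_mpool_t *mp,
                                      void *tfn_data,
                                      const ib_field_t *field_in,
                                      const ib_field_t **field_out,
                                      ib_flags_t *pflags)
{
    assert(ib != NULL);
    assert(mp != NULL);
    assert(field_in != NULL);
    assert(field_out != NULL);
    assert(pflags != NULL);

    sfilter sf;
    ib_bytestr_t *bs_in;
    ib_bytestr_t *bs_out;
    const char *buf_in;
    char *buf_in_start;
    size_t buf_in_len;
    size_t in_len;
    char *buf_out;
    char *buf_out_end;
    size_t buf_out_len;
    size_t buf_out_cap;
    size_t lead_len = 0;
    char prev_token_type;
    ib_field_t *field_new;
    ib_status_t rc;
    size_t pat_len;

    /* Currently only bytestring types are supported.
     * Other types will just get passed through. */
    if (field_in->type != IB_FTYPE_BYTESTR) {
        *field_out = field_in;
        return IB_OK;
    }

    /* Extract the underlying incoming value. */
    rc = ib_field_value(field_in, ib_ftype_bytestr_mutable_out(&bs_in));
    if (rc != IB_OK) {
        return rc;
    }

    buf_in = (const char *)ib_bytestr_const_ptr(bs_in);
    in_len = ib_bytestr_length(bs_in);

    /* The capacity below is 2 * in_len; refuse lengths where that wraps. */
    if (in_len > SIZE_MAX / 2) {
        return IB_EALLOC;
    }
    buf_out_cap = 2 * in_len;

    /* Create a buffer big enough (double) to allow for normalization. */
    buf_out = buf_out_end = (char *)ib_mpool_calloc(mp, 2, in_len);
    if (buf_out == NULL) {
        return IB_EALLOC;
    }

    /* As SQL can be injected into a string, the normalization
     * needs to start after the first quote character if one
     * exists.
     *
     * First try single quote, then double, then none.
     *
     * TODO: Handle returning multiple transformations:
     *       1) Straight normalization
     *       2) Normalization as if with single quotes (starting point
     *          should be based on straight normalization)
     *       3) Normalization as if with double quotes (starting point
     *          should be based on straight normalization)
     */
    buf_in_start = (char *)memchr(buf_in, CHAR_SINGLE, in_len);
    if (buf_in_start == NULL) {
        buf_in_start = (char *)memchr(buf_in, CHAR_DOUBLE, in_len);
    }
    if (buf_in_start == NULL) {
        buf_in_start = (char *)buf_in;
        buf_in_len = in_len;
    }
    else {
        ++buf_in_start; /* After the quote. */
        buf_in_len = in_len - (buf_in_start - buf_in);
    }

    /* Copy the leading string if one exists. It is at most in_len bytes,
     * so it always fits in the doubled buffer. */
    if (buf_in_start != buf_in) {
        lead_len = buf_in_start - buf_in;
        memcpy(buf_out, buf_in, lead_len);
        buf_out_end += lead_len;
    }

    /* Tokenize the remainder. The tokens are copied below, as a space
     * separated list, into buf_out behind the leading string (not back into
     * the input). */
    libinjection_is_sqli(&sf, buf_in_start, buf_in_len, NULL, NULL);

    buf_out_len = 0;
    prev_token_type = 0;
    pat_len = strlen(sf.pat);
    for (size_t i = 0; i < pat_len; ++i) {
        const stoken_t *current = &sf.tokenvec[i];
        const size_t token_len = strlen(current->val);
        const size_t used = (size_t)(buf_out_end - buf_out);

        ib_log_debug2(ib, "SQLi TOKEN: %c \"%s\"",
                      current->type, current->val);

        /* A separating space is written unless we are at the start, next to
         * an operator token, or next to a comma. */
        const int need_space =
            (buf_out_end != buf_out) &&
            (current->type != 'o') &&
            (prev_token_type != 'o') &&
            (current->type != ',') &&
            (*(buf_out_end - 1) != ',');
        const size_t needed = token_len + (need_space ? 1 : 0);

        /* Token text is derived from request data: never write past the
         * allocation, whatever the tokenizer hands back. */
        if (needed > buf_out_cap - used) {
            return IB_EINVAL;
        }

        if (need_space) {
            *buf_out_end = ' ';
            buf_out_end += 1;
            ++buf_out_len;
        }

        /* Copy the token value. */
        memcpy(buf_out_end, current->val, token_len);
        buf_out_end += token_len;
        buf_out_len += token_len;

        prev_token_type = current->type;
    }

    /* Mark as modified. */
    *pflags = IB_TFN_FMODIFIED;

    /* Create the output field wrapping bs_out. */
    buf_out_len += lead_len;
    rc = ib_bytestr_alias_mem(&bs_out, mp, (uint8_t *)buf_out, buf_out_len);
    if (rc != IB_OK) {
        return rc;
    }
    rc = ib_field_create(&field_new, mp,
                         field_in->name, field_in->nlen,
                         IB_FTYPE_BYTESTR,
                         ib_ftype_bytestr_mutable_in(bs_out));
    if (rc == IB_OK) {
        *field_out = field_new;
    }

    return rc;
}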