Fix lexer rejection of '@' in ctl:ruleRemoveTarget actions (#3565)

src/actions/ctl/rule_remove_by_id.cc

@@ -27,7 +27,12 @@ namespace ctl {
 
 
 bool RuleRemoveById::init(std::string *error) {
-    std::string what(m_parser_payload, 15, m_parser_payload.size() - 15);
+    size_t pos = m_parser_payload.find("=");
+    if (pos == std::string::npos) {
+        error->assign(m_parser_payload + " is not a valid ID or range");
+        return false;
+    }
+    std::string what = m_parser_payload.substr(pos + 1);
     bool added = false;
     std::vector<std::string> toRemove = utils::string::ssplit(what, ' ');
     for (const std::string &a : toRemove) {

src/actions/ctl/rule_remove_by_tag.cc

@@ -26,7 +26,12 @@ namespace ctl {
 
 
 bool RuleRemoveByTag::init(std::string *error) {
-    std::string what(m_parser_payload, 16, m_parser_payload.size() - 16);
+    size_t pos = m_parser_payload.find("=");
+    if (pos == std::string::npos) {
+        error->assign(m_parser_payload + " is not a valid tag");
+        return false;
+    }
+    std::string what = m_parser_payload.substr(pos + 1);
     m_tag = what;
 
     return true;

src/actions/ctl/rule_remove_target_by_id.cc

@@ -30,7 +30,12 @@ namespace ctl {
 
 
 bool RuleRemoveTargetById::init(std::string *error) {
-    std::string what(m_parser_payload, 21, m_parser_payload.size() - 21);
+    size_t pos = m_parser_payload.find("=");
+    if (pos == std::string::npos) {
+        error->assign(m_parser_payload + " is not a valid `ID;VARIABLE'");
+        return false;
+    }
+    std::string what = m_parser_payload.substr(pos + 1);
     std::vector<std::string> param = utils::string::split(what, ';');
 
     if (param.size() < 2) {

src/actions/ctl/rule_remove_target_by_tag.cc

@@ -30,7 +30,12 @@ namespace ctl {
 
 
 bool RuleRemoveTargetByTag::init(std::string *error) {
-    std::string what(m_parser_payload, 22, m_parser_payload.size() - 22);
+    size_t pos = m_parser_payload.find("=");
+    if (pos == std::string::npos) {
+        error->assign(m_parser_payload + " is not a valid `TAG;VARIABLE'");
+        return false;
+    }
+    std::string what = m_parser_payload.substr(pos + 1);
     std::vector<std::string> param = utils::string::split(what, ';');
 
     if (param.size() < 2) {

src/parser/seclang-scanner.ll

@@ -457,7 +457,7 @@ FREE_TEXT_COMMA_QUOTE                   [^,\"\\n\\r]+
 NEW_LINE_FREE_TEXT                      [^, \t\"\n\r]+
 NOT !
 FREE_TEXT                               ([^\"]|([^\\]\\\"))+
-REMOVE_RULE_BY                          [0-9A-Za-z_\/\.\-\*\:\;\]\[\$]+
+REMOVE_RULE_BY                          [a-zA-Z0-9_\-\.\*\/\:\;\$@\=\(\)\[\]\']+
 
 VAR_FREE_TEXT_QUOTE                     ([^\']|([^\\]\\\'))+
 VAR_FREE_TEXT_SPACE                     [^ \t\"]+

test/test-cases/regression/action-ctl_rule_remove_target_by_id.json

@@ -219,5 +219,131 @@
       "SecRule REQUEST_FILENAME \"@unconditionalMatch\" \"id:1,phase:1,pass,t:none,ctl:ruleRemoveTargetById=2;REQUEST_HEADERS:referer\"",
       "SecRule REQUEST_HEADERS:Referer \"@contains attack\" \"id:2,phase:1,deny,t:none,log\""
     ]
+  },
+  {
+    "enabled": 1,
+    "version_min": 300000,
+    "title": "Testing CtlRuleRemoveTargetById with @ character (Issue 3565)",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 123
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "localhost",
+        "Accept": "*/*",
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      "uri": "/index.html?@foo=attack",
+      "method": "GET",
+      "body": [
+        ""
+      ]
+    },
+    "response": {
+      "headers": {},
+      "body": [
+        ""
+      ]
+    },
+    "expected": {
+      "http_code": 200
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecRule REQUEST_FILENAME \"@endsWith /index.html\" \"id:9002100,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=1;ARGS:@foo\"",
+      "SecRule ARGS \"@contains attack\" \"id:1,phase:3,t:none,status:403,block,deny\""
+    ]
+  },
+  {
+    "enabled": 1,
+    "version_min": 300000,
+    "title": "Testing CtlRuleRemoveTargetById with = character",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 123
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "localhost",
+        "Accept": "*/*"
+      },
+      "uri": "/index.html?foo=bar=attack",
+      "method": "GET"
+    },
+    "expected": {
+      "http_code": 200
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecRule REQUEST_FILENAME \"@unconditionalMatch\" \"id:9002100,phase:2,pass,ctl:ruleRemoveTargetById=1;ARGS:foo=bar\"",
+      "SecRule ARGS \"@contains attack\" \"id:1,phase:3,status:403,block,deny\""
+    ]
+  },
+  {
+    "enabled": 1,
+    "version_min": 300000,
+    "title": "Testing CtlRuleRemoveTargetById with ( and ) characters",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 123
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "localhost",
+        "Accept": "*/*"
+      },
+      "uri": "/index.html?foo(bar)=attack",
+      "method": "GET"
+    },
+    "expected": {
+      "http_code": 200
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecRule REQUEST_FILENAME \"@unconditionalMatch\" \"id:9002100,phase:2,pass,ctl:ruleRemoveTargetById=1;ARGS:foo(bar)\"",
+      "SecRule ARGS \"@contains attack\" \"id:1,phase:3,status:403,block,deny\""
+    ]
+  },
+  {
+    "enabled": 1,
+    "version_min": 300000,
+    "title": "Testing CtlRuleRemoveTargetById with ' character",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 123
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "localhost",
+        "Accept": "*/*"
+      },
+      "uri": "/index.html?foo'bar=attack",
+      "method": "GET"
+    },
+    "expected": {
+      "http_code": 200
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecRule REQUEST_FILENAME \"@unconditionalMatch\" \"id:9002100,phase:2,pass,ctl:ruleRemoveTargetById=1;ARGS:foo'bar\"",
+      "SecRule ARGS \"@contains attack\" \"id:1,phase:3,status:403,block,deny\""
+    ]
   }
-]
+]

test/test-cases/regression/action-ctl_rule_remove_target_by_tag.json

@@ -130,5 +130,131 @@
       "SecRule REQUEST_FILENAME \"@endsWith /wp-login.php\" \"id:9002100,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=CRS;ARGS\"",
       "SecRule ARGS_NAMES \"@contains whee\" \"id:1,phase:3,t:none,nolog,pass,tag:'CRS2'\""
     ]
+  },
+  {
+    "enabled": 1,
+    "version_min": 300000,
+    "title": "Testing CtlRuleRemoveTargetByTag with @ character (Issue 3565)",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 123
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "localhost",
+        "Accept": "*/*",
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      "uri": "/index.html?@foo=attack",
+      "method": "GET",
+      "body": [
+        ""
+      ]
+    },
+    "response": {
+      "headers": {},
+      "body": [
+        ""
+      ]
+    },
+    "expected": {
+      "http_code": 200
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecRule REQUEST_FILENAME \"@endsWith /index.html\" \"id:9002100,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=CRS;ARGS:@foo\"",
+      "SecRule ARGS \"@contains attack\" \"id:1,phase:3,t:none,status:403,block,deny,tag:'CRS'\""
+    ]
+  },
+  {
+    "enabled": 1,
+    "version_min": 300000,
+    "title": "Testing CtlRuleRemoveTargetByTag with = character",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 123
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "localhost",
+        "Accept": "*/*"
+      },
+      "uri": "/index.html?foo=bar=attack",
+      "method": "GET"
+    },
+    "expected": {
+      "http_code": 200
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecRule REQUEST_FILENAME \"@unconditionalMatch\" \"id:9002100,phase:2,pass,ctl:ruleRemoveTargetByTag=CRS;ARGS:foo=bar\"",
+      "SecRule ARGS \"@contains attack\" \"id:1,phase:3,status:403,block,deny,tag:'CRS'\""
+    ]
+  },
+  {
+    "enabled": 1,
+    "version_min": 300000,
+    "title": "Testing CtlRuleRemoveTargetByTag with ( and ) characters",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 123
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "localhost",
+        "Accept": "*/*"
+      },
+      "uri": "/index.html?foo(bar)=attack",
+      "method": "GET"
+    },
+    "expected": {
+      "http_code": 200
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecRule REQUEST_FILENAME \"@unconditionalMatch\" \"id:9002100,phase:2,pass,ctl:ruleRemoveTargetByTag=CRS;ARGS:foo(bar)\"",
+      "SecRule ARGS \"@contains attack\" \"id:1,phase:3,status:403,block,deny,tag:'CRS'\""
+    ]
+  },
+  {
+    "enabled": 1,
+    "version_min": 300000,
+    "title": "Testing CtlRuleRemoveTargetByTag with ' character",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 123
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "localhost",
+        "Accept": "*/*"
+      },
+      "uri": "/index.html?foo'bar=attack",
+      "method": "GET"
+    },
+    "expected": {
+      "http_code": 200
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecRule REQUEST_FILENAME \"@unconditionalMatch\" \"id:9002100,phase:2,pass,ctl:ruleRemoveTargetByTag=CRS;ARGS:foo'bar\"",
+      "SecRule ARGS \"@contains attack\" \"id:1,phase:3,status:403,block,deny,tag:'CRS'\""
+    ]
   }
-]
+]