Avoid extra processing of subsequent interventions if one was already triggered

defanator · defanator · commit 4f26b48998db · 2021-02-03T18:13:38.000+03:00
diff --git a/src/ngx_http_modsecurity_body_filter.c b/src/ngx_http_modsecurity_body_filter.c
@@ -56,6 +56,10 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
         return ngx_http_next_body_filter(r, in);
     }
 
+    if (ctx->intervention_triggered) {
+        return ngx_http_next_body_filter(r, in);
+    }
+
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
     mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
     if (mcf != NULL && mcf->sanity_checks_enabled != NGX_CONF_UNSET)
diff --git a/src/ngx_http_modsecurity_common.h b/src/ngx_http_modsecurity_common.h
@@ -97,6 +97,7 @@ typedef struct {
     unsigned waiting_more_body:1;
     unsigned body_requested:1;
     unsigned processed:1;
+    unsigned intervention_triggered:1;
 } ngx_http_modsecurity_ctx_t;
 
 
diff --git a/src/ngx_http_modsecurity_header_filter.c b/src/ngx_http_modsecurity_header_filter.c
@@ -430,6 +430,10 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
         return ngx_http_next_header_filter(r);
     }
 
+    if (ctx->intervention_triggered) {
+        return ngx_http_next_header_filter(r);
+    }
+
 /* XXX: can it happen ?  already processed i mean */
 /* XXX: check behaviour on 'ModSecurity off' */
 
diff --git a/src/ngx_http_modsecurity_pre_access.c b/src/ngx_http_modsecurity_pre_access.c
@@ -78,6 +78,10 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
         return NGX_HTTP_INTERNAL_SERVER_ERROR;
     }
 
+    if (ctx->intervention_triggered) {
+        return NGX_DECLINED;
+    }
+
     if (ctx->waiting_more_body == 1)
     {
         dd("waiting for more data before proceed. / count: %d",
diff --git a/src/ngx_http_modsecurity_rewrite.c b/src/ngx_http_modsecurity_rewrite.c
@@ -117,6 +117,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
         dd("Processing intervention with the connection information filled in");
         ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);
         if (ret > 0) {
+            ctx->intervention_triggered = 1;
             return ret;
         }
 
@@ -157,6 +158,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
         dd("Processing intervention with the transaction information filled in (uri, method and version)");
         ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);
         if (ret > 0) {
+            ctx->intervention_triggered = 1;
             return ret;
         }
 
@@ -208,6 +210,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
             return NGX_DECLINED;
             }
         if (ret > 0) {
+            ctx->intervention_triggered = 1;
             return ret;
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -430,6 +430,10 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)`
`430`	`430`	`return ngx_http_next_header_filter(r);`
`431`	`431`	`}`
`432`	`432`
	`433`	`+ if (ctx->intervention_triggered) {`
	`434`	`+ return ngx_http_next_header_filter(r);`
	`435`	`+ }`
	`436`	`+`
`433`	`437`	`/* XXX: can it happen ? already processed i mean */`
`434`	`438`	`/* XXX: check behaviour on 'ModSecurity off' */`
`435`	`439`
Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,10 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)`
`78`	`78`	`return NGX_HTTP_INTERNAL_SERVER_ERROR;`
`79`	`79`	`}`
`80`	`80`
	`81`	`+ if (ctx->intervention_triggered) {`
	`82`	`+ return NGX_DECLINED;`
	`83`	`+ }`
	`84`	`+`
`81`	`85`	`if (ctx->waiting_more_body == 1)`
`82`	`86`	`{`
`83`	`87`	`dd("waiting for more data before proceed. / count: %d",`
Original file line number	Diff line number	Diff line change
`@@ -117,6 +117,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)`
`117`	`117`	`dd("Processing intervention with the connection information filled in");`
`118`	`118`	`ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);`
`119`	`119`	`if (ret > 0) {`
	`120`	`+ ctx->intervention_triggered = 1;`
`120`	`121`	`return ret;`
`121`	`122`	`}`
`122`	`123`
`@@ -157,6 +158,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)`
`157`	`158`	`dd("Processing intervention with the transaction information filled in (uri, method and version)");`
`158`	`159`	`ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);`
`159`	`160`	`if (ret > 0) {`
	`161`	`+ ctx->intervention_triggered = 1;`
`160`	`162`	`return ret;`
`161`	`163`	`}`
`162`	`164`
`@@ -208,6 +210,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)`
`208`	`210`	`return NGX_DECLINED;`
`209`	`211`	`}`
`210`	`212`	`if (ret > 0) {`
	`213`	`+ ctx->intervention_triggered = 1;`
`211`	`214`	`return ret;`
`212`	`215`	`}`
`213`	`216`	`}`