Merge pull request #2854 from airween/v3/logescape

martinhsv · web-flow · commit 860b1183ac1d · 2023-01-18T14:36:01.000-08:00
Escape log field 'data' value
diff --git a/src/rule_message.cc b/src/rule_message.cc
@@ -29,17 +29,17 @@ std::string RuleMessage::_details(const RuleMessage *rm) {
     msg.append(" [file \"" + std::string(*rm->m_ruleFile.get()) + "\"]");
     msg.append(" [line \"" + std::to_string(rm->m_ruleLine) + "\"]");
     msg.append(" [id \"" + std::to_string(rm->m_ruleId) + "\"]");
-    msg.append(" [rev \"" + rm->m_rev + "\"]");
+    msg.append(" [rev \"" + utils::string::toHexIfNeeded(rm->m_rev, true) + "\"]");
     msg.append(" [msg \"" + rm->m_message + "\"]");
-    msg.append(" [data \"" + utils::string::limitTo(200, rm->m_data) + "\"]");
+    msg.append(" [data \"" + utils::string::toHexIfNeeded(utils::string::limitTo(200, rm->m_data), true) + "\"]");
     msg.append(" [severity \"" +
         std::to_string(rm->m_severity) + "\"]");
-    msg.append(" [ver \"" + rm->m_ver + "\"]");
+    msg.append(" [ver \"" + utils::string::toHexIfNeeded(rm->m_ver, true) + "\"]");
     msg.append(" [maturity \"" + std::to_string(rm->m_maturity) + "\"]");
     msg.append(" [accuracy \"" + std::to_string(rm->m_accuracy) + "\"]");
 
     for (auto &a : rm->m_tags) {
-        msg.append(" [tag \"" + a + "\"]");
+        msg.append(" [tag \"" + utils::string::toHexIfNeeded(a, true) + "\"]");
     }
 
     msg.append(" [hostname \"" + *rm->m_serverIpAddress.get() \
diff --git a/src/utils/string.cc b/src/utils/string.cc
@@ -135,13 +135,14 @@ std::string string_to_hex(const std::string& input) {
     return output;
 }
 
-
-std::string toHexIfNeeded(const std::string &str) {
+std::string toHexIfNeeded(const std::string &str, bool escape_spec) {
+    // escape_spec: escape special chars or not
+    // spec chars: '"' (quotation mark, ascii 34), '\' (backslash, ascii 92)
     std::stringstream res;
 
     for (int i = 0; i < str.size(); i++) {
         int c = (unsigned char)str.at(i);
-        if (c < 32 || c > 126) {
+        if (c < 32 || c > 126 || (escape_spec == true && (c == 34 || c == 92))) {
             res << "\\x" << std::setw(2) << std::setfill('0') << std::hex << c;
         } else {
             res << str.at(i);
@@ -267,7 +268,6 @@ void replaceAll(std::string *str, const std::string& from,
     }
 }
 
-
 }  // namespace string
 }  // namespace utils
 }  // namespace modsecurity
diff --git a/src/utils/string.h b/src/utils/string.h
@@ -61,7 +61,7 @@ std::string dash_if_empty(const std::string *str);
 std::string limitTo(int amount, const std::string &str);
 std::string removeBracketsIfNeeded(std::string a);
 std::string string_to_hex(const std::string& input);
-std::string toHexIfNeeded(const std::string &str);
+std::string toHexIfNeeded(const std::string &str, bool escape_spec = false);
 std::string tolower(std::string str);
 std::string toupper(std::string str);
 std::vector<std::string> ssplit(std::string str, char delimiter);
