Skip to content

Refactoring the cleaning of MATCHED_VAR* variables #3422

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 27, 2025
Merged

Refactoring the cleaning of MATCHED_VAR* variables #3422

merged 1 commit into from
Jul 27, 2025

Conversation

@airween
Copy link
Member

@airween airween commented Jul 25, 2025

what

This PR changes the code behavior: now the engine cleans the MATCHED_VAR* variables after chained and non-chained rules too.

With current behavior if a rule is not chained then MATCHED_VAR* variables kept their values.

Changes:

  • moved cleanMatchedVars() method from RuleWithOperator class to RuleSet
    • the reason is: RuleWithOperator represents a SecRule object, which can be a chained or non-chained rule; it's important that SecRule (in this context) has a variable and an operator at least (SecAction does not have these)
    • RuleSet is a container which holds SecRule and SecAction objects
    • when the evaluate() method is called from the transaction's phase, then RuleSet evaluates all rules and actions in a loop
    • because the cleanMatchedVars() was a part of RuleWithOperator (which is a SecRule), then it was possible to call that only from that class
    • it was difficult to decide when a rule ended (see discussion)
    • otherwise, I think this method is better suited here, because we must clean these variables after each rule, whether it's chained or non-chained - but in case of chained rule, only after the last part of it
  • the location of this method call has also been moved after the point where RulesSet object evaluates the rules of phases, now we can call it after all evaluate() call - and the condition fits that it cleans the MATCHED_VAR* variables after all single rule and after all last part of chained rule
  • I also added the new test cases from previous PR

why

The issue #3382 describes the problem: if a non-chained rule evaluated, and the rule filled the MATCHED_VAR* variables, then those values remained after the ending of evaluation. Then if a next rule used any of MATCHED_VAR*, it found those values and led a false match.

other notes

There was a try before this, see #3418. There - as I wrote above - wasn't clean how the solution solves the issue exactly and was a suggestion we should clean these variables before the rule's evaluation. It was not possible, because the cleanMatchedVars() was a part of the one rule's method.

references

Closes #3382.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Jul 25, 2025

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@airween
Copy link
Member Author

airween commented Jul 25, 2025

@MirkoDziadzka, @theseion what do you think about this PR?

theseion
theseion approved these changes Jul 27, 2025
View reviewed changes
Copy link
Collaborator

@theseion theseion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Much better!

@airween airween merged commit 08b70e0 into owasp-modsecurity:v3/master Jul 27, 2025
50 checks passed
@airween airween mentioned this pull request Jul 27, 2025
Closed
@airween airween added the 3.x Related to ModSecurity version 3.x label Oct 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@theseion theseion theseion approved these changes

+1 more reviewer

@MirkoDziadzka MirkoDziadzka MirkoDziadzka approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

3.x Related to ModSecurity version 3.x

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Semantic of MATCHED_VARS / MATCHED_VARS_NAMES

3 participants

@airween @theseion @MirkoDziadzka