Task50Start - Multiple http_methods on the same path
See TasksExplained for more information about tasks. This task is based on the template at TaskTemplateStart
Status : closed
Category : rule-generator
Date opened : 2007-04-05
Description : The same path should be configurable with multiple http methods and each method with its own set of parameters.
Referenced in stories/tasks :
WebStatistics
Testsuite : test/functional/rules_generator_test.rb
Committed revision : 200
Remarks :
Rick and Helwin proposed rule chaining to solve the problem in
http://article.gmane.org/gmane.comp.apache.mod-security.user/2883
<LocationMatch "/some/url">
SecRule REQUEST_METHOD "!^(GET|SUBSCRIBE)$"
SecRule REQUEST_METHOD "^GET$" "t:none,chain"
SecRule1
SecRule2
...
SecRule REQUEST_METHOD "^SUBSCRIBE$" "t:none,chain"
SecRule3
SecRule4
...
SecAction "allow,t:none,msg:'Request method passed all checks and it is thus allowed'"
</LocationMatch>
Ryan Barnett had earlier proposed skipping:
<LocationMatch "/some/url">
SecRuleA
SecRuleB
SecRule REQUEST_METHOD "!^GET$" "t:none,skip:3"
SecRule1
SecRule2
SecRule3
SecRule REQUEST_METHOD "!^SUBSCRIBE$" "t:none,skip:4"
SecRule4
SecRule5
SecRule6
SecRule7
SecAction "allow,t:none,msg:'Request method passed all checks and is thus allowed'"
</LocationMatch>
Chaining has the disadvantage that every subsequent rule has to be chained to the method rule,
so options specific to an individual rule are no longer possible. The simple skipping
outlined above comes closer to a workable solution.
This is mine (proposed in
http://article.gmane.org/gmane.comp.apache.mod-security.user/2890):
<LocationMatch "/some/url">
SecRule REQUEST_METHOD "!^(GET|SUBSCRIBE)$" "t:none,deny,..."
SecRule REQUEST_METHOD "^GET$" "t:none,skip:1"
SecRule REQUEST_METHOD "^SUBSCRIBE$" "t:none,skip:n" -> n is the distance to the SUBSCRIBE rule group
# http_method GET skip target point
SecRule-1
SecRule-2
SecRule-3
...
SecRule-n-2
SecAction "skip:k" -> jump to the final allow rule
# http_method SUBSCRIBE skip target point
SecRule-1
SecRule-2
SecRule-3
...
SecRule-k-1
# final allow rule skip target point
SecAction "allow,t:none,msg:'Request method passed all checks and is thus allowed'"
</LocationMatch>
Changelog
2007-04-08 - calculating the relative distance between the http_method blocks (skip distance)
Based on the pattern above, the skip distance for the SUBSCRIBE method is calculated as follows:
0 (number of methods after the SUBSCRIBE)
+ 1 strict header test
+ 1 strict cookie test
+ 1 strict query string and post parameter test (2 in 1)
+ # headers of GET method
+ # cookies of GET method
+ # query string parameters of GET method
+ # post parameters of GET method
+ # mandatory parameters of GET method (headers + cookies + query string p. + post p.)
+ # crosschecks (query strings without a post parameter of the same name and post p. without a query string p. of the same name)
+ 1 for the skip rule that skips all the other http_method blocks to reach final allow rule. This is not present in the last http_method block.
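The skip-based layout proposed above and the distance breakdown in this changelog entry, as an added worked example in Ruby (the language of the rule generator's test suite); this is not remo's own code. It builds the flat rule list for an ordered set of methods, computes each dispatch skip as "dispatch rules still to come + sizes of the blocks in between" and each trailing skip as "sizes of the blocks that follow", then walks the list the way the engine evaluates it (one rule after the next, skip:n jumping over the next n rules) to confirm every method reaches only its own block. The method specs, their rule counts and the hash field names are constructed for this example.

```ruby
# Added example, not code from remo or ModSecurity. Field names in the
# specs (:headers, :cookies, ...) are hypothetical; the counts are constructed.

STRICT_TESTS = 3 # strict header test, strict cookie test, strict qs+post test (2 in 1)

# Number of rules one http_method block contributes, per the breakdown above.
def block_size(spec, last_block)
  size = STRICT_TESTS + spec[:headers] + spec[:cookies] +
         spec[:query_params] + spec[:post_params] +
         spec[:mandatory] + spec[:crosschecks]
  size += 1 unless last_block # the skip rule that jumps to the final allow rule
  size
end

# Flat rule list in evaluation order; :skip carries the computed distance.
def layout(specs)
  sizes = specs.each_with_index.map { |s, i| block_size(s, i == specs.size - 1) }
  rules = [{ kind: :deny_unknown, methods: specs.map { |s| s[:method] } }]
  specs.each_with_index do |spec, i|
    # dispatch rules after this one + every block lying before this method's block
    rules << { kind: :dispatch, method: spec[:method],
               skip: (specs.size - 1 - i) + sizes[0...i].sum }
  end
  specs.each_with_index do |spec, i|
    checks = block_size(spec, true) # all rules of the block except the trailing skip
    checks.times { |n| rules << { kind: :check, method: spec[:method], n: n + 1 } }
    unless i == specs.size - 1
      rules << { kind: :skip_to_allow, method: spec[:method],
                 skip: sizes[(i + 1)..-1].sum }
    end
  end
  rules << { kind: :allow }
end

# Evaluate the list for one request method: :denied, or the check rules visited
# before the allow rule is reached. skip:n means "do not evaluate the next n rules".
def walk(rules, method)
  visited = []
  i = 0
  while i < rules.size
    r = rules[i]
    case r[:kind]
    when :deny_unknown then return :denied unless r[:methods].include?(method)
    when :dispatch     then i += r[:skip] if r[:method] == method
    when :check        then visited << r
    when :skip_to_allow then i += r[:skip]
    when :allow        then return visited
    end
    i += 1
  end
  raise "fell off the end of the rule list"
end

# Render the skeleton as directives; the check rules are emitted as comments
# because their content depends on the generator's input, not on the layout.
def render(rules, path = "/some/url")
  lines = ["<LocationMatch \"#{path}\">"]
  rules.each do |r|
    lines << case r[:kind]
             when :deny_unknown
               "SecRule REQUEST_METHOD \"!^(#{r[:methods].join('|')})$\" \"t:none,deny\""
             when :dispatch
               "SecRule REQUEST_METHOD \"^#{r[:method]}$\" \"t:none,skip:#{r[:skip]}\""
             when :check
               "# #{r[:method]} check rule #{r[:n]} goes here"
             when :skip_to_allow
               "SecAction \"t:none,skip:#{r[:skip]}\""
             when :allow
               "SecAction \"allow,t:none,msg:'Request method passed all checks and is thus allowed'\""
             end
  end
  lines << "</LocationMatch>"
  lines.join("\n")
end

# Constructed sample: two methods on the same path with different parameter sets.
EXAMPLE_SPECS = [
  { method: "GET", headers: 2, cookies: 1, query_params: 3, post_params: 0,
    mandatory: 2, crosschecks: 3 },
  { method: "SUBSCRIBE", headers: 1, cookies: 0, query_params: 1, post_params: 1,
    mandatory: 1, crosschecks: 2 }
].freeze

puts render(layout(EXAMPLE_SPECS)) if __FILE__ == $PROGRAM_NAME
```

With the sample specs the GET block holds 14 check rules plus its trailing skip, so the SUBSCRIBE dispatch rule gets skip:15 and the GET block's trailing SecAction gets skip:9 (the size of the SUBSCRIBE block). Walking the list for GET visits exactly the 14 GET rules, for SUBSCRIBE exactly the 9 SUBSCRIBE rules, and any other method is stopped by the first rule; an off-by-one in either distance shows up immediately as a foreign rule in the visited list or as falling off the end.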
2007-04-10 - done
I have implemented the feature in the rule generator. It has been quite straightforward, once the number of rules
had been broken down as outlined above.