Merged PR 2671382: MatchVariable Selectors should be applied case-insensitively

Alex Yang · Alex Yang · commit 45ea1f519ac8 · 2020-03-12T20:13:13.000Z
To keep behavioral parity between AzWAF and ModSecurity, we should apply the `Selector` field in `MatchVariable` case-insensitively. This applies to all 3 `MatchVariables` This is achieved by constructing a new key into the `conditionGroup` map, which converts the `Selector` in the `MatchVariable` struct to lower-case. PR URL: https://msazure.visualstudio.com/DefaultCollection/One/_git/Networking-Azwaf/pullrequest/2671382 Related work items: #6427995, #6428248
diff --git a/customrule/engine.go b/customrule/engine.go
@@ -56,13 +56,14 @@ func (f *customRuleEngineFactoryImpl) NewEngine(customRuleConfig waf.CustomRuleC
 				}
 
 				mv := matchVariable{m.VariableName(), m.Selector()}
+				cgKey := matchVariableWithLowerCaseSelector(mv)
 
 				// Use existing struct for this MatchVariable or create new one if not yet created
 				var cwsmv *conditionsWithSameMatchVar
 				var ok bool
-				if cwsmv, ok = engine.conditionGroups[mv]; !ok {
+				if cwsmv, ok = engine.conditionGroups[cgKey]; !ok {
 					cwsmv = &conditionsWithSameMatchVar{}
-					engine.conditionGroups[mv] = cwsmv
+					engine.conditionGroups[cgKey] = cwsmv
 				}
 
 				// Use existing struct for this transformation-pipeline or create new one if not yet created
@@ -387,7 +388,8 @@ type scanResults struct {
 }
 
 func (e *customRuleEvaluationImpl) scanTarget(m matchVariable, content string, results *scanResults) (err error) {
-	cg, ok := e.engine.conditionGroups[m]
+	cgKey := matchVariableWithLowerCaseSelector(m)
+	cg, ok := e.engine.conditionGroups[cgKey]
 	if !ok {
 		// There were no conditions that needed this target
 		return
@@ -549,6 +551,10 @@ func (e *customRuleEvaluationImpl) scanCookies(c string, results *scanResults) (
 	return
 }
 
+func matchVariableWithLowerCaseSelector(m matchVariable) matchVariable {
+	return matchVariable{variableName: m.variableName, selector: strings.ToLower(m.selector)}
+}
+
 func applyTransformations(s string, transformations []string) string {
 	// TODO implement a trie for caching already done transformations
 	for _, t := range transformations {
diff --git a/customrule/eval_postargs_test.go b/customrule/eval_postargs_test.go
@@ -63,6 +63,39 @@ func TestPostArgsEqualsBlockPositive(t *testing.T) {
 	assert.Equal(waf.Block, decision)
 }
 
+func TestPostArgsWithDifferentCasingEqualsBlockPositive(t *testing.T) {
+	assert := assert.New(t)
+	logger := testutils.NewTestLogger(t)
+
+	// Arrange
+	content := "firstName=john&lastName=travolta"
+	req := &mockWafHTTPRequest{
+		uri:    "/",
+		method: "POST",
+		headers: []waf.HeaderPair{
+			&mockHeaderPair{k: "Content-Type", v: "application/x-www-form-urlencoded"},
+			&mockHeaderPair{k: "Content-Length", v: fmt.Sprint(len(content))},
+		},
+		body: content,
+	}
+	engine, resLog, err := newEngineWithCustomRules(postArgsEqualsBlockRule)
+	if err != nil {
+		t.Fatalf("Got unexpected error: %s", err)
+	}
+
+	// Act
+	eval := engine.NewEvaluation(logger, resLog, req, waf.URLEncodedBody)
+	defer eval.Close()
+	err = eval.ScanHeaders()
+	err = eval.ScanBodyField(waf.URLEncodedContent, "FIRSTNAME", "john")
+	err = eval.ScanBodyField(waf.URLEncodedContent, "LASTNAME", "travolta")
+	decision := eval.EvalRules()
+
+	// Assert
+	assert.Nil(err)
+	assert.Equal(waf.Block, decision)
+}
+
 func TestPostArgsEqualsBlockNegative(t *testing.T) {
 	assert := assert.New(t)
 	logger := testutils.NewTestLogger(t)
diff --git a/customrule/eval_requestcookies_test.go b/customrule/eval_requestcookies_test.go
@@ -57,6 +57,34 @@ func TestRequestCookiesContainsBlockPositive(t *testing.T) {
 	assert.Equal(waf.Block, decision)
 }
 
+func TestRequestCookiesWithDifferentCasingContainsBlockPositive(t *testing.T) {
+	assert := assert.New(t)
+	logger := testutils.NewTestLogger(t)
+
+	// Arrange
+	req := &mockWafHTTPRequest{
+		uri:    "/",
+		method: "GET",
+		headers: []waf.HeaderPair{
+			&mockHeaderPair{k: "Cookie", v: "The_Oracles_Special_Recipe=neo+is+the+one; the_matrix_cookie_house=agent+smith"},
+		},
+	}
+	engine, resLog, err := newEngineWithCustomRules(requestCookiesContainsBlockRule)
+	if err != nil {
+		t.Fatalf("Got unexpected error: %s", err)
+	}
+
+	// Act
+	eval := engine.NewEvaluation(logger, resLog, req, waf.OtherBody)
+	defer eval.Close()
+	err = eval.ScanHeaders()
+	decision := eval.EvalRules()
+
+	// Assert
+	assert.Nil(err)
+	assert.Equal(waf.Block, decision)
+}
+
 func TestRequestCookiesContainsBlockNegative(t *testing.T) {
 	assert := assert.New(t)
 	logger := testutils.NewTestLogger(t)
diff --git a/customrule/eval_requestheaders_test.go b/customrule/eval_requestheaders_test.go
@@ -58,6 +58,34 @@ func TestRequestHeadersContainsBlockPositive(t *testing.T) {
 	assert.Equal(waf.Block, decision)
 }
 
+func TestRequestHeadersWithDifferentCasingContainsBlockPositive(t *testing.T) {
+	assert := assert.New(t)
+	logger := testutils.NewTestLogger(t)
+
+	// Arrange
+	req := &mockWafHTTPRequest{
+		uri:    "/",
+		method: "GET",
+		headers: []waf.HeaderPair{
+			&mockHeaderPair{k: "x-first-name", v: "John"},
+			&mockHeaderPair{k: "x-last-name", v: "Travolta"},
+		},
+	}
+	engine, resLog, err := newEngineWithCustomRules(requestHeadersContainsBlockRule)
+	if err != nil {
+		t.Fatalf("Got unexpected error: %s", err)
+	}
+
+	// Act
+	eval := engine.NewEvaluation(logger, resLog, req, waf.OtherBody)
+	err = eval.ScanHeaders()
+	decision := eval.EvalRules()
+
+	// Assert
+	assert.Nil(err)
+	assert.Equal(waf.Block, decision)
+}
+
 func TestRequestHeadersContainsBlockNegative(t *testing.T) {
 	assert := assert.New(t)
 	logger := testutils.NewTestLogger(t)
