feat: allow selectors on *_NAMES collections

[blotus]

Hello,

This PR aims to allow the use of rules such as SecRule &REQUEST_COOKIES_NAMES:JSESSIONID "@eq 0" "id:45" (supported by ModSecurity and also present as an example in the documentation of Coraza), which currently causes Coraza to crash due to an explicit panic call.

There are 3 main changes:

• Check if a collection supports selectors during parsing time, instead of throwing an error at runtime.
• Make collections.NamedCollectionNames implements collection.Keyed: this allows the use of a selector for the collections created with .Names()
• Remove runtime panics calls: as Coraza is designed to be embedded in other software, calling panic is never a good idea.

Parser changes

I've embedded information about whether a collection can be selected or not in the internal/variables/variables.go file, as a comment for each collection that does support it (hopefully, I did not miss any), and added a CanBeSelected method that is called during parsing to check if the selector is allowed or not.

I don't know if I'm really happy with embedding information in comments, but it was the least intrusive way I found to handle this.

collections.NamedCollectionNames implements collection.Keyed

This one is straightforward, NamedCollectionNames now implements Get, FindString and FindRegex.
Because it's a named collection, the key and the value in the returned results will be the same: the name of the key.

Remove runtime panic

The first two were removed as part of making namedCollectionNames implements Keyed.

The other two (which are the ones that caused the crash mentioned at the beginning of this PR) have been replaced by an error log.
In theory, this log should never occur because selectability is now checked during parsing (in practice, it could happen if a collection is marked as selectable but does not implement Keyed).

[codecov]

Codecov Report

Attention: Patch coverage is 59.37500% with 39 lines in your changes missing coverage. Please review.

Project coverage is 83.32%. Comparing base (4ff1f76) to head (f8e778f).
Report is 116 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/variables/variablesmap.gen.go	50.00%	26 Missing ⚠️
internal/corazawaf/transaction.go	8.33%	11 Missing ⚠️
internal/collections/named.go	93.10%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1143      +/-   ##
==========================================
+ Coverage   82.72%   83.32%   +0.60%     
==========================================
  Files         162      166       +4     
  Lines        9080     9696     +616     
==========================================
+ Hits         7511     8079     +568     
- Misses       1319     1366      +47     
- Partials      250      251       +1     

Flag	Coverage Δ
default	83.32% <59.37%> (+5.48%)	⬆️
examples	83.32% <59.37%> (+56.89%)	⬆️
ftw	83.32% <59.37%> (+35.95%)	⬆️
ftw-multiphase	83.32% <59.37%> (+33.77%)	⬆️
tinygo	83.32% <59.37%> (+7.91%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jptosso]

Interesting, thank you very much for your contribution

Im a bit worried about how the complexity of variables is growing. Maybe not for this PR, but we need to improve generation of code, even for this "selectable" feature

[fzipi]

I don't think adding everything here makes sense. Just return true on those who can, and use the default otherwise.

[jptosso]

Although for performance it makes sense, I believe this is easier to maintain and more readable

[jcchavezs]

This is auto generated so I would not be concern about readability. @blotus could you do a quick benchmark on this matter i.e. adding everything or just true and all the rest on a default?

[blotus]

I agree that readability does not really matter here.
I've updated the code generation to only generate the cases where true is returned.

[fzipi]

Im a bit worried about how the complexity of variables is growing. Maybe not for this PR, but we need to improve generation of code, even for this "selectable" feature

Definitely not for this PR. We should create an issue to refactor generation then.

[jptosso]

LGTM in general, but I believe this lacks negative tests and its decreasing the general project coverage

[jcchavezs]

Is there any chance data is empty? if so I would handle the empty case before this allocation.

[blotus]

Yes, there are probably situations where data can be empty (I haven't tested, but I'd expect a collection like XML to have an empty data on a non-XML request )

AFAIK, declaring a slice like this does not perform any actual allocation (other than the header of the slice, which will be all zero), and the actual allocation will be performed the first time we append to it, but I can add a check on data if you are worried about it.

[blotus]

Also, from what I see, this check is not performed in the existing code (here for example)

[jcchavezs]

I wonder if MatchData is mutable, if so we probably want to reuse the pointer?

[jptosso]

We discussed time ago that panic is ok, as this is a low level issue and coraza should not run here

[blotus]

I'm not sure I agree with this: coraza is designed as a library, and in my point of view, this means that explicit panics must be avoided at all costs (with very little exceptions, if you can call panic, you can return an error), and not doing anything is almost always better than bringing down a production website.

If a function call can lead to a panic, it should be made very clear to the caller (either with an explicit function name (Must....) or, at the very least, with some documentation): I don't mind wrapping every call to coraza with a recover, but I need to be aware it's required.

For this specific case, it can only (AFAIK) be triggered by a configuration error, so this means it should be detected when parsing the configuration (and is now thanks to this PR), so the panic has become redundant.