REQUEST_URI vs REQUEST_PATH bug and clean up

clean up request and response bodies, and stumble into a nasty bug where only the url path was being checked instead of the full url :-O
djellemah · Sep 25, 2018 · 4990b33 · 4990b33
1 parent 0e9c63d
commit 4990b33
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/lib/rodsec/rack.rb b/lib/rodsec/rack.rb
@@ -62,7 +62,6 @@ def initialize app, config:, rules: nil, logger: nil, log_blk: nil
     HTTP_HOST = 'HTTP_HOST'.freeze
     SERVER_PORT = 'SERVER_PORT'.freeze
     HTTP_VERSION = 'HTTP_VERSION'.freeze
-    REQUEST_PATH = 'REQUEST_PATH'.freeze
     REQUEST_METHOD = 'REQUEST_METHOD'.freeze
     SLASH = '/'.freeze
     HTTP_HEADER_RX = /HTTP_(.*)|(CONTENT_.*)/.freeze
@@ -86,7 +85,7 @@ def call env
 
         _, version = env[HTTP_VERSION]&.split(SLASH)
 
-        txn.uri! env[REQUEST_PATH], env[REQUEST_METHOD], version
+        txn.uri! env[REQUEST_URI], env[REQUEST_METHOD], version
       end.call
 
       # request_headers! - another scope for variables

diff --git a/lib/rodsec/transaction.rb b/lib/rodsec/transaction.rb
@@ -1,5 +1,3 @@
-require 'pathname'
-
 require_relative 'wrapper'
 require_relative 'string_pointers'
 
@@ -93,16 +91,16 @@ def request_headers! header_hash
 
     ##################################
     # Phase REQUEST_BODY.  SecRules 2
-    # optional if the client knows that body is empty
     #
-    # body
+    # body can be a String, or an Enumerable of strings
     def request_body! body
       enum_of_body(body).each do |body_part|
         body_part = body_part.to_s
         rv = Wrapper.msc_append_request_body txn_ptr, (strptr body_part), body_part.bytesize
         rv == 1 or raise Error, "msc_append_request_body failed"
       end
 
+      # This MUST be called, otherwise rules aren't triggered.
       rv = Wrapper.msc_process_request_body txn_ptr
       rv == 1 or raise Error, "msc_process_request_body failed"
 
@@ -137,13 +135,16 @@ def response_headers! http_status_code = 200, http_with_version = 'HTTP 1.1', he
 
     ##################################
     # Phase RESPONSE_BODY. SecRules 4
+    #
+    # body can be a String, or an Enumerable of strings
     def response_body! body
       enum_of_body(body).each do |body_part|
         body_part = body_part.to_s
         rv = Wrapper.msc_append_response_body txn_ptr, (strptr body_part), body_part.bytesize
-        rv == 1 or raise Error, "msc_append_request_body failed"
+        rv == 1 or raise Error, 'msc_append_response_body failed'
       end
 
+      # This MUST be called, otherwise rules aren't triggered
       rv = Wrapper.msc_process_response_body txn_ptr
       rv == 1 or raise Error, "msc_process_response_body failed"