Tests for #118 (#120)

wargio · Dec 9, 2023 · c34e49f · c34e49f
1 parent 117a245
commit c34e49f
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 4 deletions.
diff --git a/naxsi_src/naxsi_runtime.c b/naxsi_src/naxsi_runtime.c
@@ -1705,7 +1705,7 @@ ngx_http_spliturl_ruleset(ngx_pool_t*             pool,
 
   orig     = str;
   full_len = strlen(orig);
-  if (*(orig + full_len - 1) == '&') {
+  if (full_len > 0 && *(orig + full_len - 1) == '&') {
     NX_DEBUG(_debug_spliturl_ruleset,
              NGX_LOG_DEBUG_HTTP,
              req->connection->log,

diff --git a/unit-tests/tests/06naxsi_weirds.t b/unit-tests/tests/06naxsi_weirds.t
@@ -22,7 +22,7 @@ location / {
 	 CheckRule "$RFI >= 8" BLOCK;
 	 CheckRule "$TRAVERSAL >= 4" BLOCK;
 	 CheckRule "$XSS >= 8" BLOCK;
-  	 root $TEST_NGINX_SERVROOT/html/;
+	 root $TEST_NGINX_SERVROOT/html/;
          index index.html index.htm;
 }
 location /RequestDenied {
@@ -32,7 +32,53 @@ location /RequestDenied {
 GET /?&&&&a&&&&&
 --- error_code: 412
 
-=== WL TEST 1.0a: weird request in URL
+=== WL TEST 1.0a: weird request in URL (?&...)
+--- main_config
+load_module $TEST_NGINX_NAXSI_MODULE_SO;
+--- http_config
+include $TEST_NGINX_NAXSI_RULES;
+--- config
+location / {
+	 SecRulesEnabled;
+	 DeniedUrl "/RequestDenied";
+	 CheckRule "$SQL >= 8" BLOCK;
+	 CheckRule "$RFI >= 8" BLOCK;
+	 CheckRule "$TRAVERSAL >= 4" BLOCK;
+	 CheckRule "$XSS >= 8" BLOCK;
+  	 root $TEST_NGINX_SERVROOT/html/;
+         index index.html index.htm;
+}
+location /RequestDenied {
+	 return 412;
+}
+--- request
+GET /?&a=2
+--- error_code: 412
+
+=== WL TEST 1.0b: weird request in URL (?...&&...)
+--- main_config
+load_module $TEST_NGINX_NAXSI_MODULE_SO;
+--- http_config
+include $TEST_NGINX_NAXSI_RULES;
+--- config
+location / {
+	 SecRulesEnabled;
+	 DeniedUrl "/RequestDenied";
+	 CheckRule "$SQL >= 8" BLOCK;
+	 CheckRule "$RFI >= 8" BLOCK;
+	 CheckRule "$TRAVERSAL >= 4" BLOCK;
+	 CheckRule "$XSS >= 8" BLOCK;
+  	 root $TEST_NGINX_SERVROOT/html/;
+         index index.html index.htm;
+}
+location /RequestDenied {
+	 return 412;
+}
+--- request
+GET /?a=2&&b=3
+--- error_code: 412
+
+=== WL TEST 1.0c: weird request in URL (?...&)
 --- main_config
 load_module $TEST_NGINX_NAXSI_MODULE_SO;
 --- http_config
@@ -52,7 +98,7 @@ location /RequestDenied {
 	 return 412;
 }
 --- request
-GET /?&&a=2
+GET /?a=2&
 --- error_code: 412
 
 === WL TEST 1.01: weird request in URL (wl on fullzone)