fix: add msc_fullinfo() to check JIT compilation

[airween]

what

I usually use mod_security2 Apache module with these build options:

./configure --enable-pcre-study=yes --enable-pcre-jit=yes --with-pcre2

During an issue investigation I ran into an interesting message. Consider this rule:

SecRule ARGS "@verifyCC \d{13,16}" "id:1,phase:2,log,capture,pass"

and this payload:

$ cat jsonpayload.json
[1234567890123456,1234567890123456,1234567890123456]

When I send this request:

curl -H "Content-Type: application/json" -X POST -d @jsonpayload.json http://localhost

I see these messages in debug.log:

Rule 7fbd7d71a6d0 [id "1"][file "test.conf"][line "476"] - Execution error - Does not support JIT (0).

Which is not true.

why

The problem is that the regex engine (in case of using PCRE2) does not handle the jit variable correctly (in case of verifyCC operator this variable is here, as you can see it's initialized with 0).

Let's see what happens when the engine runs any of the relevant codes (and user used the same build options).

The engine has its own regex structure which has a member with name jit_compile_rc. This stores the information about the engine is able to use JIT or not.

When a rule use the PCRE engine, it fills the regex object and set jit_compile_rc member here.

#ifdef WITH_PCRE_JIT
    regex->jit_compile_rc = pcre2_jit_compile(regex->re, PCRE2_JIT_COMPLETE);
#endif

As I wrote above, at the operator the jit variable is initialized with 0, and in case of PCRE2 it does not change during the execution.

The condition is here:

        if ((rc != 0) || (jit != 1)) {
            *error_msg = apr_psprintf(msr->mp,
                    "Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
                    "Execution error - "
                    ... other part of error message...
        }

The variable rc is set here:

            #ifdef WITH_PCRE2
        rc = regex->jit_compile_rc;
            #else

so the rc will hold the value of pcre2_jit_compile()'s return value. Let's see what is the return value of this function:

"Such a call returns zero if JIT is available and has a working allocator"

So the variable rc will be 0 (if JIT is available). But what about the variable jit? It's still 0. As you can see in case of old PCRE code, it calls msc_fullinfo(), which in case of PCRE2 decides JIT is usable or not with calling the function pcre2_pattern_info(). See how does it work:

"A non-zero result means that JIT compilation was successful. A result of 0 means that JIT support is not available, or the pattern was not processed by pcre2_jit_compile()"

This is necessary to get a full description of JIT status in current call, and sets the correct value of jit.

[theseion]

Looks good to me

[sonarqubecloud]

Quality Gate failed

Failed conditions
25.0% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud