Implement RE2 fallback to libpcre

WGH- · WGH- · commit bf1699d39a79 · 2020-09-05T17:23:32.000+03:00
RE2 doesn't support certain features, like negative lookaround,
so when a regular expression cannot be compiled with RE2, it's
compiled with libpcre instead.

This has some runtime cost, as this fallback is implemented
with an extra heap object and virtual function calls.

When RE2 is not enabled, however, everything works as it did before.
diff --git a/src/regex/backend/backend.h b/src/regex/backend/backend.h
@@ -0,0 +1,46 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2019
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+#ifndef SRC_REGEX_BACKEND_BACKEND_H_
+#define SRC_REGEX_BACKEND_BACKEND_H_
+
+#include <list>
+#include <vector>
+#include <string>
+
+#include "src/regex/regex_match.h"
+
+namespace modsecurity {
+namespace regex {
+namespace backend {
+
+class Backend {
+public:
+    virtual ~Backend() {}
+
+    virtual bool ok() const = 0;
+
+    virtual std::list<RegexMatch> searchAll(const std::string& s) const = 0;
+    virtual bool searchOneMatch(const std::string& s, std::vector<RegexMatchCapture>& captures) const = 0;
+    virtual int search(const std::string &s, RegexMatch *m) const = 0;
+    virtual int search(const std::string &s) const = 0;
+
+    virtual const std::string& getPattern() const = 0;
+};
+
+}  // namespace backend
+}  // namespace regex
+}  // namespace modsecurity
+
+#endif  // SRC_REGEX_BACKEND_BACKEND_H_
diff --git a/src/regex/backend/pcre.h b/src/regex/backend/pcre.h
@@ -23,6 +23,7 @@
 #include <list>
 #include <vector>
 
+#include "src/regex/backend/backend.h"
 #include "src/regex/regex_match.h"
 
 #ifndef SRC_REGEX_BACKEND_PCRE_H_
@@ -37,7 +38,7 @@ namespace backend {
 #define OVECCOUNT 900
 
 
-class Pcre {
+class Pcre : public Backend {
  public:
     explicit Pcre(const std::string& pattern_);
     ~Pcre();
@@ -46,13 +47,21 @@ class Pcre {
     Pcre(const Pcre&) = delete;
     Pcre& operator=(const Pcre&) = delete;
 
-    std::list<RegexMatch> searchAll(const std::string& s) const;
-    bool searchOneMatch(const std::string& s, std::vector<RegexMatchCapture>& captures) const;
-    int search(const std::string &s, RegexMatch *m) const;
-    int search(const std::string &s) const;
+    std::list<RegexMatch> searchAll(const std::string& s) const override;
+    bool searchOneMatch(const std::string& s, std::vector<RegexMatchCapture>& captures) const override;
+    int search(const std::string &s, RegexMatch *m) const override;
+    int search(const std::string &s) const override;
 
-    const std::string pattern;
+    virtual bool ok() const override {
+        return m_pc != NULL;
+    }
+
+    virtual const std::string& getPattern() const override {
+        return pattern;
+    };
  private:
+    const std::string pattern;
+
     pcre *m_pc = NULL;
     pcre_extra *m_pce = NULL;
 };
diff --git a/src/regex/backend/re2.cc b/src/regex/backend/re2.cc
@@ -29,15 +29,18 @@ namespace backend {
 static RE2::Options get_re2_options() {
     RE2::Options res;
 
+    // Re2 is usually used with fallback to libpcre,
+    // so disable unnecessary stderr noise
+    res.set_log_errors(false);
+
     res.set_dot_nl(true);
 
     return res;
 }
 
 
-Re2::Re2(const std::string& pattern_)
-    : pattern(pattern_.empty() ? ".*" : pattern_),
-      re(pattern, get_re2_options())
+Re2::Re2(const std::string& pattern)
+    : re(pattern.empty() ? ".*" : pattern, get_re2_options())
 {
 }
 
diff --git a/src/regex/backend/re2.h b/src/regex/backend/re2.h
@@ -21,6 +21,7 @@
 #include <vector>
 #include <list>
 
+#include "src/regex/backend/backend.h"
 #include "src/regex/regex_match.h"
 
 #ifndef SRC_REGEX_BACKEND_RE2_H_
@@ -32,20 +33,25 @@ namespace backend {
 
 #ifdef WITH_RE2
 
-class Re2 {
+class Re2 : public Backend {
  public:
     explicit Re2(const std::string& pattern_);
 
     // RE2 class is not copyable, so neither is this
     Re2(const Re2&) = delete;
     Re2& operator=(const Re2&) = delete;
 
-    std::list<RegexMatch> searchAll(const std::string& s) const;
-    bool searchOneMatch(const std::string& s, std::vector<RegexMatchCapture>& captures) const;
-    int search(const std::string &s, RegexMatch *m) const;
-    int search(const std::string &s) const;
+    std::list<RegexMatch> searchAll(const std::string& s) const override;
+    bool searchOneMatch(const std::string& s, std::vector<RegexMatchCapture>& captures) const override;
+    int search(const std::string &s, RegexMatch *m) const override;
+    int search(const std::string &s) const override;
+    virtual bool ok() const override {
+        return re.ok();
+    }
 
-    const std::string pattern;
+    virtual const std::string& getPattern() const override {
+        return re.pattern();
+    };
  private:
     const RE2 re;
 };
diff --git a/src/regex/backend_fallback.h b/src/regex/backend_fallback.h
@@ -0,0 +1,75 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2019
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+#ifndef SRC_REGEX_BACKEND_FALLBACK_H_
+#define SRC_REGEX_BACKEND_FALLBACK_H_
+
+#include <memory>
+
+#include "src/regex/backend/backend.h"
+
+namespace modsecurity {
+namespace regex {
+
+template<typename T>
+static backend::Backend* compile_regex_fallback(const std::string& pattern) {
+    return new T(pattern);
+}
+
+template<typename T, typename T2, typename... Args>
+static backend::Backend* compile_regex_fallback(const std::string& pattern) {
+    T *regex = new T{pattern};
+    if (regex->ok()) {
+        return regex;
+    } else {
+        delete regex;
+        return compile_regex_fallback<T2, Args...>(pattern);
+    }
+}
+
+template<typename... Args>
+class BackendFallback : public backend::Backend {
+public:
+    BackendFallback(const std::string& pattern)
+        : backend(compile_regex_fallback<Args...>(pattern))
+    {}
+
+    virtual bool ok() const override {
+        return backend->ok();
+    }
+
+    std::list<RegexMatch> searchAll(const std::string& s) const override {
+        return backend->searchAll(s);
+    }
+    bool searchOneMatch(const std::string& s, std::vector<RegexMatchCapture>& captures) const override {
+        return backend->searchOneMatch(s, captures);
+    }
+    int search(const std::string &s, RegexMatch *m) const override {
+        return backend->search(s, m);
+    }
+    int search(const std::string &s) const override {
+        return backend->search(s);
+    }
+
+    const std::string& getPattern() const override {
+        return backend->getPattern();
+    }
+private:
+    std::unique_ptr<backend::Backend> backend;
+};
+
+}  // namespace regex
+}  // namespace modsecurity
+
+#endif // SRC_REGEX_BACKEND_FALLBACK_H_
diff --git a/src/regex/regex.h b/src/regex/regex.h
@@ -21,9 +21,11 @@
 #include <list>
 #include <vector>
 
+#include "src/regex/backend/backend.h"
 #include "src/regex/backend/pcre.h"
 #include "src/regex/backend/re2.h"
 #include "src/regex/regex_match.h"
+#include "src/regex/backend_fallback.h"
 
 #ifndef SRC_REGEX_REGEX_H_
 #define SRC_REGEX_REGEX_H_
@@ -33,11 +35,15 @@ namespace modsecurity {
 namespace regex {
 
 #ifdef WITH_PCRE
-using selectedBackend = backend::Pcre;
-#elif WITH_RE2
-using selectedBackend = backend::Re2;
+#   ifdef WITH_RE2
+        using selectedBackend = BackendFallback<
+            backend::Re2, backend::Pcre
+        >;
+#   else
+        using selectedBackend = backend::Pcre;
+#   endif
 #else
-#error "no regex backend selected"
+#   error "PCRE is not available"
 #endif
 
 class Regex : public selectedBackend {
diff --git a/src/variables/variable.h b/src/variables/variable.h
@@ -115,9 +115,9 @@ class KeyExclusion {
 // FIXME: use pre built regex.
 class KeyExclusionRegex : public KeyExclusion {
  public:
-    explicit KeyExclusionRegex(const regex::Regex &re)
-        : m_re(re.pattern) { }
-    explicit KeyExclusionRegex(const std::string &re)
+    explicit KeyExclusionRegex(regex::Regex re)
+        : m_re(re.getPattern()) { }
+    explicit KeyExclusionRegex(std::string re)
         : m_re(re) { }
 
     ~KeyExclusionRegex() override { }

Original file line number	Diff line number	Diff line change
`@@ -29,15 +29,18 @@ namespace backend {`
`29`	`29`	`static RE2::Options get_re2_options() {`
`30`	`30`	`RE2::Options res;`
`31`	`31`
	`32`	`+ // Re2 is usually used with fallback to libpcre,`
	`33`	`+ // so disable unnecessary stderr noise`
	`34`	`+ res.set_log_errors(false);`
	`35`	`+`
`32`	`36`	`res.set_dot_nl(true);`
`33`	`37`
`34`	`38`	`return res;`
`35`	`39`	`}`
`36`	`40`
`37`	`41`
`38`		`-Re2::Re2(const std::string& pattern_)`
`39`		`- : pattern(pattern_.empty() ? ".*" : pattern_),`
`40`		`- re(pattern, get_re2_options())`
	`42`	`+Re2::Re2(const std::string& pattern)`
	`43`	`+ : re(pattern.empty() ? ".*" : pattern, get_re2_options())`
`41`	`44`	`{`
`42`	`45`	`}`
`43`	`46`