[thirdparty/squid.git] / src / acl / RegexData.cc

/*
 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 * Portions of this code are copyrighted and released under GPLv2+ by:
 * Copyright (c) 2011, Marcus Kool
 * Please add new claims to the CONTRIBUTORS file instead.
 */

/* DEBUG: section 28    Access Control */

#include "squid.h"
#include "acl/Acl.h"
#include "acl/Checklist.h"
#include "acl/RegexData.h"
#include "base/RegexPattern.h"
#include "ConfigParser.h"
#include "Debug.h"
#include "sbuf/Algorithms.h"
#include "sbuf/List.h"

ACLRegexData::~ACLRegexData()
{
}

bool
ACLRegexData::match(char const *word)
{
    if (!word)
        return 0;

    debugs(28, 3, "checking '" << word << "'");

    // walk the list of patterns to see if one matches
    for (auto &i : data) {
        if (i.match(word)) {
            debugs(28, 2, '\'' << i.c_str() << "' found in '" << word << '\'');
            // TODO: old code also popped the pattern to second place of the list
            // in order to reduce patterns search times.
            return 1;
        }
    }

    return 0;
}

SBufList
ACLRegexData::dump() const
{
    SBufList sl;
    int flags = REG_EXTENDED | REG_NOSUB;

    // walk and dump the list
    // keeping the flags values consistent
    for (auto &i : data) {
        if (i.flags != flags) {
            if ((i.flags&REG_ICASE) != 0) {
                sl.emplace_back("-i");
            } else {
                sl.emplace_back("+i");
            }
            flags = i.flags;
        }

        sl.emplace_back(i.c_str());
    }

    return sl;
}

static const char *
removeUnnecessaryWildcards(char * t)
{
    char * orig = t;

    if (strncmp(t, "^.*", 3) == 0)
        t += 3;

    /* NOTE: an initial '.' might seem unnessary but is not;
     * it can be a valid requirement that cannot be optimised
     */
    while (*t == '.'  &&  *(t+1) == '*') {
        t += 2;
    }

    if (*t == '\0') {
        debugs(28, DBG_IMPORTANT, cfg_filename << " line " << config_lineno << ": " << config_input_line);
        debugs(28, DBG_IMPORTANT, "WARNING: regular expression '" << orig << "' has only wildcards and matches all strings. Using '.*' instead.");
        return ".*";
    }
    if (t != orig) {
        debugs(28, DBG_IMPORTANT, cfg_filename << " line " << config_lineno << ": " << config_input_line);
        debugs(28, DBG_IMPORTANT, "WARNING: regular expression '" << orig << "' has unnecessary wildcard(s). Using '" << t << "' instead.");
    }

    return t;
}

static bool
compileRE(std::list<RegexPattern> &curlist, const char * RE, int flags)
{
    if (RE == NULL || *RE == '\0')
        return curlist.empty(); // XXX: old code did this. It looks wrong.

    regex_t comp;
    if (int errcode = regcomp(&comp, RE, flags)) {
        char errbuf[256];
        regerror(errcode, &comp, errbuf, sizeof errbuf);
        debugs(28, DBG_CRITICAL, cfg_filename << " line " << config_lineno << ": " << config_input_line);
        debugs(28, DBG_CRITICAL, "ERROR: invalid regular expression: '" << RE << "': " << errbuf);
        return false;
    }
    debugs(28, 2, "compiled '" << RE << "' with flags " << flags);

    curlist.emplace_back(flags, RE);
    curlist.back().regex = comp;

    return true;
}

static bool
compileRE(std::list<RegexPattern> &curlist, const SBufList &RE, int flags)
{
    if (RE.empty())
        return curlist.empty(); // XXX: old code did this. It looks wrong.
    SBuf regexp;
    static const SBuf openparen("("), closeparen(")"), separator(")|(");
    JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen,
                          closeparen);
    return compileRE(curlist, regexp.c_str(), flags);
}

/** Compose and compile one large RE from a set of (small) REs.
 * The ultimate goal is to have only one RE per ACL so that match() is
 * called only once per ACL.
 */
static int
compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
{
    std::list<RegexPattern> newlist;
    SBufList accumulatedRE;
    int numREs = 0, reSize = 0;
    int flags = REG_EXTENDED | REG_NOSUB;

    for (const SBuf & configurationLineWord : sl) {
        static const SBuf minus_i("-i");
        static const SBuf plus_i("+i");
        if (configurationLineWord == minus_i) {
            if (flags & REG_ICASE) {
                /* optimisation of  -i ... -i */
                debugs(28, 2, "optimisation of -i ... -i" );
            } else {
                debugs(28, 2, "-i" );
                if (!compileRE(newlist, accumulatedRE, flags))
                    return 0;
                flags |= REG_ICASE;
                accumulatedRE.clear();
                reSize = 0;
            }
            continue;
        } else if (configurationLineWord == plus_i) {
            if ((flags & REG_ICASE) == 0) {
                /* optimisation of  +i ... +i */
                debugs(28, 2, "optimisation of +i ... +i");
            } else {
                debugs(28, 2, "+i");
                if (!compileRE(newlist, accumulatedRE, flags))
                    return 0;
                flags &= ~REG_ICASE;
                accumulatedRE.clear();
                reSize = 0;
            }
            continue;
        }

        debugs(28, 2, "adding RE '" << configurationLineWord << "'");
        accumulatedRE.push_back(configurationLineWord);
        ++numREs;
        reSize += configurationLineWord.length();

        if (reSize > 1024) { // must be < BUFSIZ everything included
            debugs(28, 2, "buffer full, generating new optimised RE..." );
            if (!compileRE(newlist, accumulatedRE, flags))
                return 0;
            accumulatedRE.clear();
            reSize = 0;
            continue;    /* do the loop again to add the RE to largeRE */
        }
    }

    if (!compileRE(newlist, accumulatedRE, flags))
        return 0;

    accumulatedRE.clear();
    reSize = 0;

    /* all was successful, so put the new list at the tail */
    curlist.splice(curlist.end(), newlist);

    debugs(28, 2, numREs << " REs are optimised into one RE.");
    if (numREs > 100) {
        debugs(28, (opt_parse_cfg_only?DBG_IMPORTANT:2), cfg_filename << " line " << config_lineno << ": " << config_input_line);
        debugs(28, (opt_parse_cfg_only?DBG_IMPORTANT:2), "WARNING: there are more than 100 regular expressions. " <<
               "Consider using less REs or use rules without expressions like 'dstdomain'.");
    }

    return 1;
}

static void
compileUnoptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
{
    int flags = REG_EXTENDED | REG_NOSUB;

    static const SBuf minus_i("-i"), plus_i("+i");
    for (auto configurationLineWord : sl) {
        if (configurationLineWord == minus_i) {
            flags |= REG_ICASE;
        } else if (configurationLineWord == plus_i) {
            flags &= ~REG_ICASE;
        } else {
            if (!compileRE(curlist, configurationLineWord.c_str() , flags))
                debugs(28, DBG_CRITICAL, "ERROR: Skipping regular expression. "
                       "Compile failed: '" << configurationLineWord << "'");
        }
    }
}

void
ACLRegexData::parse()
{
    debugs(28, 2, "new Regex line or file");

    SBufList sl;
    while (char *t = ConfigParser::RegexStrtokFile()) {
        const char *clean = removeUnnecessaryWildcards(t);
        if (strlen(clean) > BUFSIZ-1) {
            debugs(28, DBG_CRITICAL, cfg_filename << " line " << config_lineno << ": " << config_input_line);
            debugs(28, DBG_CRITICAL, "ERROR: Skipping regular expression. Larger than " << BUFSIZ-1 << " characters: '" << clean << "'");
        } else {
            debugs(28, 3, "buffering RE '" << clean << "'");
            sl.emplace_back(clean);
        }
    }

    if (!compileOptimisedREs(data, sl)) {
        debugs(28, DBG_IMPORTANT, "WARNING: optimisation of regular expressions failed; using fallback method without optimisation");
        compileUnoptimisedREs(data, sl);
    }
}

bool
ACLRegexData::empty() const
{
    return data.empty();
}

ACLData<char const *> *
ACLRegexData::clone() const
{
    /* Regex's don't clone yet. */
    assert(data.empty());
    return new ACLRegexData;
}
Commit	Line	Data
225b7b10	1	/*
4ac4a490	2	* Copyright (C) 1996-2017 The Squid Software Foundation and contributors
225b7b10	3	*
bbc27441 AJ	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	/*
	10	* Portions of this code are copyrighted and released under GPLv2+ by:
6564daea	11	* Copyright (c) 2011, Marcus Kool
bbc27441	12	* Please add new claims to the CONTRIBUTORS file instead.
225b7b10	13	*/
225b7b10	14
bbc27441 AJ	15	/* DEBUG: section 28 Access Control */
bbc27441 AJ	16
582c2af2	17	#include "squid.h"
3ad63615	18	#include "acl/Acl.h"
602d9612 A	19	#include "acl/Checklist.h"
602d9612 A	20	#include "acl/RegexData.h"
8fcefb30	21	#include "base/RegexPattern.h"
d295d770	22	#include "ConfigParser.h"
582c2af2	23	#include "Debug.h"
d80c8446	24	#include "sbuf/Algorithms.h"
85fd48c8	25	#include "sbuf/List.h"
225b7b10	26
225b7b10	27	ACLRegexData::~ACLRegexData()
225b7b10	28	{
62e76326	29	}
225b7b10	30
225b7b10	31	bool
48071869	32	ACLRegexData::match(char const *word)
225b7b10	33	{
e2b74520	34	if (!word)
48071869	35	return 0;
48071869	36
e2b74520	37	debugs(28, 3, "checking '" << word << "'");
48071869	38
e2b74520 AJ	39	// walk the list of patterns to see if one matches
e2b74520 AJ	40	for (auto &i : data) {
95b8eae2	41	if (i.match(word)) {
e56933d3	42	debugs(28, 2, '\'' << i.c_str() << "' found in '" << word << '\'');
e2b74520 AJ	43	// TODO: old code also popped the pattern to second place of the list
e2b74520 AJ	44	// in order to reduce patterns search times.
48071869	45	return 1;
48071869	46	}
48071869	47	}
	48
	49	return 0;
225b7b10	50	}
225b7b10	51
8966008b	52	SBufList
4f8ca96e	53	ACLRegexData::dump() const
225b7b10	54	{
8966008b	55	SBufList sl;
ae315d9c	56	int flags = REG_EXTENDED \| REG_NOSUB;
48071869	57
e2b74520 AJ	58	// walk and dump the list
	59	// keeping the flags values consistent
	60	for (auto &i : data) {
	61	if (i.flags != flags) {
	62	if ((i.flags&REG_ICASE) != 0) {
e56933d3	63	sl.emplace_back("-i");
ae315d9c	64	} else {
e56933d3	65	sl.emplace_back("+i");
ae315d9c	66	}
e2b74520	67	flags = i.flags;
ae315d9c AJ	68	}
ae315d9c AJ	69
e56933d3	70	sl.emplace_back(i.c_str());
48071869	71	}
48071869	72
8966008b	73	return sl;
48071869	74	}
48071869	75
e022e8c6	76	static const char *
6564daea MK	77	removeUnnecessaryWildcards(char * t)
	78	{
	79	char * orig = t;
	80
	81	if (strncmp(t, "^.*", 3) == 0)
	82	t += 3;
	83
	84	/* NOTE: an initial '.' might seem unnessary but is not;
	85	* it can be a valid requirement that cannot be optimised
	86	*/
	87	while (t == '.' && (t+1) == '*') {
	88	t += 2;
	89	}
	90
	91	if (*t == '\0') {
e56933d3	92	debugs(28, DBG_IMPORTANT, cfg_filename << " line " << config_lineno << ": " << config_input_line);
6564daea MK	93	debugs(28, DBG_IMPORTANT, "WARNING: regular expression '" << orig << "' has only wildcards and matches all strings. Using '.*' instead.");
	94	return ".*";
	95	}
	96	if (t != orig) {
e56933d3	97	debugs(28, DBG_IMPORTANT, cfg_filename << " line " << config_lineno << ": " << config_input_line);
6564daea MK	98	debugs(28, DBG_IMPORTANT, "WARNING: regular expression '" << orig << "' has unnecessary wildcard(s). Using '" << t << "' instead.");
	99	}
	100
	101	return t;
	102	}
	103
e2b74520	104	static bool
c98b6afe	105	compileRE(std::list<RegexPattern> &curlist, const char * RE, int flags)
48071869	106	{
e2b74520 AJ	107	if (RE == NULL \|\| *RE == '\0')
e2b74520 AJ	108	return curlist.empty(); // XXX: old code did this. It looks wrong.
6564daea	109
e2b74520 AJ	110	regex_t comp;
e2b74520 AJ	111	if (int errcode = regcomp(&comp, RE, flags)) {
6564daea MK	112	char errbuf[256];
6564daea MK	113	regerror(errcode, &comp, errbuf, sizeof errbuf);
e56933d3	114	debugs(28, DBG_CRITICAL, cfg_filename << " line " << config_lineno << ": " << config_input_line);
6564daea	115	debugs(28, DBG_CRITICAL, "ERROR: invalid regular expression: '" << RE << "': " << errbuf);
e2b74520	116	return false;
6564daea	117	}
e2b74520	118	debugs(28, 2, "compiled '" << RE << "' with flags " << flags);
6564daea	119
e2b74520 AJ	120	curlist.emplace_back(flags, RE);
e2b74520 AJ	121	curlist.back().regex = comp;
6564daea	122
e2b74520	123	return true;
6564daea MK	124	}
6564daea MK	125
d80c8446 FC	126	static bool
	127	compileRE(std::list<RegexPattern> &curlist, const SBufList &RE, int flags)
	128	{
85fd48c8 SM	129	if (RE.empty())
	130	return curlist.empty(); // XXX: old code did this. It looks wrong.
	131	SBuf regexp;
	132	static const SBuf openparen("("), closeparen(")"), separator(")\|(");
	133	JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen,
	134	closeparen);
	135	return compileRE(curlist, regexp.c_str(), flags);
d80c8446 FC	136	}
d80c8446 FC	137
6564daea	138	/** Compose and compile one large RE from a set of (small) REs.
95b8eae2	139	* The ultimate goal is to have only one RE per ACL so that match() is
6564daea MK	140	* called only once per ACL.
	141	*/
	142	static int
c98b6afe	143	compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
6564daea	144	{
e2b74520	145	std::list<RegexPattern> newlist;
d80c8446 FC	146	SBufList accumulatedRE;
d80c8446 FC	147	int numREs = 0, reSize = 0;
48071869	148	int flags = REG_EXTENDED \| REG_NOSUB;
d740b987	149
1284c24c	150	for (const SBuf & configurationLineWord : sl) {
c98b6afe FC	151	static const SBuf minus_i("-i");
c98b6afe FC	152	static const SBuf plus_i("+i");
1284c24c	153	if (configurationLineWord == minus_i) {
6564daea MK	154	if (flags & REG_ICASE) {
6564daea MK	155	/* optimisation of -i ... -i */
e56933d3	156	debugs(28, 2, "optimisation of -i ... -i" );
6564daea	157	} else {
e56933d3	158	debugs(28, 2, "-i" );
d80c8446	159	if (!compileRE(newlist, accumulatedRE, flags))
6564daea	160	return 0;
6564daea	161	flags \|= REG_ICASE;
d80c8446 FC	162	accumulatedRE.clear();
d80c8446 FC	163	reSize = 0;
6564daea	164	}
38d17033	165	continue;
1284c24c	166	} else if (configurationLineWord == plus_i) {
6564daea MK	167	if ((flags & REG_ICASE) == 0) {
6564daea MK	168	/* optimisation of +i ... +i */
e56933d3	169	debugs(28, 2, "optimisation of +i ... +i");
6564daea	170	} else {
e56933d3	171	debugs(28, 2, "+i");
d80c8446	172	if (!compileRE(newlist, accumulatedRE, flags))
6564daea	173	return 0;
6564daea	174	flags &= ~REG_ICASE;
d80c8446 FC	175	accumulatedRE.clear();
d80c8446 FC	176	reSize = 0;
6564daea	177	}
38d17033 FC	178	continue;
	179	}
	180
	181	debugs(28, 2, "adding RE '" << configurationLineWord << "'");
	182	accumulatedRE.push_back(configurationLineWord);
	183	++numREs;
	184	reSize += configurationLineWord.length();
	185
	186	if (reSize > 1024) { // must be < BUFSIZ everything included
e56933d3	187	debugs(28, 2, "buffer full, generating new optimised RE..." );
d80c8446	188	if (!compileRE(newlist, accumulatedRE, flags))
6564daea	189	return 0;
d80c8446 FC	190	accumulatedRE.clear();
d80c8446 FC	191	reSize = 0;
6564daea	192	continue; /* do the loop again to add the RE to largeRE */
48071869	193	}
6564daea MK	194	}
6564daea MK	195
d80c8446	196	if (!compileRE(newlist, accumulatedRE, flags))
6564daea	197	return 0;
6564daea	198
d80c8446 FC	199	accumulatedRE.clear();
	200	reSize = 0;
	201
6564daea	202	/* all was successful, so put the new list at the tail */
e2b74520	203	curlist.splice(curlist.end(), newlist);
6564daea	204
e56933d3	205	debugs(28, 2, numREs << " REs are optimised into one RE.");
6564daea	206	if (numREs > 100) {
e56933d3	207	debugs(28, (opt_parse_cfg_only?DBG_IMPORTANT:2), cfg_filename << " line " << config_lineno << ": " << config_input_line);
6564daea MK	208	debugs(28, (opt_parse_cfg_only?DBG_IMPORTANT:2), "WARNING: there are more than 100 regular expressions. " <<
	209	"Consider using less REs or use rules without expressions like 'dstdomain'.");
	210	}
	211
	212	return 1;
	213	}
48071869	214
6564daea	215	static void
c98b6afe	216	compileUnoptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
6564daea	217	{
6564daea MK	218	int flags = REG_EXTENDED \| REG_NOSUB;
6564daea MK	219
c98b6afe	220	static const SBuf minus_i("-i"), plus_i("+i");
1284c24c FC	221	for (auto configurationLineWord : sl) {
1284c24c FC	222	if (configurationLineWord == minus_i) {
6564daea	223	flags \|= REG_ICASE;
1284c24c	224	} else if (configurationLineWord == plus_i) {
48071869	225	flags &= ~REG_ICASE;
6564daea	226	} else {
1284c24c FC	227	if (!compileRE(curlist, configurationLineWord.c_str() , flags))
1284c24c FC	228	debugs(28, DBG_CRITICAL, "ERROR: Skipping regular expression. "
236b4c67	229	"Compile failed: '" << configurationLineWord << "'");
48071869	230	}
6564daea MK	231	}
	232	}
	233
e2b74520 AJ	234	void
e2b74520 AJ	235	ACLRegexData::parse()
6564daea	236	{
e2b74520	237	debugs(28, 2, "new Regex line or file");
6564daea	238
c98b6afe	239	SBufList sl;
e2b74520	240	while (char *t = ConfigParser::RegexStrtokFile()) {
e022e8c6 AJ	241	const char *clean = removeUnnecessaryWildcards(t);
e022e8c6 AJ	242	if (strlen(clean) > BUFSIZ-1) {
e56933d3	243	debugs(28, DBG_CRITICAL, cfg_filename << " line " << config_lineno << ": " << config_input_line);
e022e8c6	244	debugs(28, DBG_CRITICAL, "ERROR: Skipping regular expression. Larger than " << BUFSIZ-1 << " characters: '" << clean << "'");
6564daea	245	} else {
e2b74520	246	debugs(28, 3, "buffering RE '" << clean << "'");
e56933d3	247	sl.emplace_back(clean);
48071869	248	}
6564daea	249	}
48071869	250
c98b6afe	251	if (!compileOptimisedREs(data, sl)) {
6564daea	252	debugs(28, DBG_IMPORTANT, "WARNING: optimisation of regular expressions failed; using fallback method without optimisation");
c98b6afe	253	compileUnoptimisedREs(data, sl);
48071869	254	}
225b7b10	255	}
225b7b10	256
65092baf	257	bool
	258	ACLRegexData::empty() const
	259	{
e2b74520	260	return data.empty();
65092baf	261	}
225b7b10	262
5dee515e	263	ACLData<char const >
225b7b10	264	ACLRegexData::clone() const
	265	{
	266	/* Regex's don't clone yet. */
e2b74520	267	assert(data.empty());
225b7b10	268	return new ACLRegexData;
225b7b10	269	}
f53969cc	270