ModSec on IIS: Block on bad config (#111)

* ModSec on IIS: Block on bad config
2019-04-16 14:19:57 -07:00 · 2019-04-16 14:19:57 -07:00 · 7f0eced5bc
--- a/iis/moduleconfig.h
+++ b/iis/moduleconfig.h
@ -71,6 +71,8 @@ class MODSECURITY_STORED_CONTEXT : public IHttpStoredContext

    directory_config* config = nullptr;

+    bool configLoadingFailed = false;
+
 private:
    HRESULT 
    GetBooleanPropertyValue( 
--- a/iis/mymodule.cpp
+++ b/iis/mymodule.cpp
@ -798,7 +798,9 @@ CMyHttpModule::OnBeginRequest(IHttpContext* httpContext, IHttpEventProvider* pro
    HRESULT hr = MODSECURITY_STORED_CONTEXT::GetConfig(httpContext, &config);
    if (FAILED(hr))
    {
-        return RQ_NOTIFICATION_CONTINUE;
+        httpContext->GetResponse()->SetStatus(500, "WAF internal error. Unable to get config.");
+        httpContext->SetRequestHandled();
+        return RQ_NOTIFICATION_FINISH_REQUEST;
    }

    // If module is disabled, don't go any further
@ -808,6 +810,19 @@ CMyHttpModule::OnBeginRequest(IHttpContext* httpContext, IHttpEventProvider* pro
        return RQ_NOTIFICATION_CONTINUE;
    }

+    auto reportConfigurationError = [config, httpContext] {
+        config->configLoadingFailed = true;
+        httpContext->GetResponse()->SetStatus(500, "WAF internal error. Invalid configuration.");
+        httpContext->SetRequestHandled();
+        return RQ_NOTIFICATION_FINISH_REQUEST;
+    };
+
+    // If we previously failed to load the config, don't spam the event log by trying and failing again
+    if (config->configLoadingFailed)
+    {
+        return reportConfigurationError();
+    }
+
    if (config->config == nullptr)
    {
        char *path;
@ -816,7 +831,7 @@ CMyHttpModule::OnBeginRequest(IHttpContext* httpContext, IHttpEventProvider* pro
        hr = config->GlobalWideCharToMultiByte(config->GetPath(), wcslen(config->GetPath()), &path, &pathlen);
        if (FAILED(hr))
        {
-            return RQ_NOTIFICATION_FINISH_REQUEST;
+            return reportConfigurationError();
        }

        config->config = modsecGetDefaultConfig();
@ -829,7 +844,7 @@ CMyHttpModule::OnBeginRequest(IHttpContext* httpContext, IHttpEventProvider* pro
        if (FAILED(hr))
        {
            delete path;
-            return RQ_NOTIFICATION_FINISH_REQUEST;
+            return reportConfigurationError();
        }

        if (path[0] != 0)
@ -841,7 +856,7 @@ CMyHttpModule::OnBeginRequest(IHttpContext* httpContext, IHttpEventProvider* pro
                WriteEventViewerLog(err, EVENTLOG_ERROR_TYPE);
                delete apppath;
                delete path;
-                return RQ_NOTIFICATION_CONTINUE;
+                return reportConfigurationError();
            }

            modsecReportRemoteLoadedRules();