Merge pull request #149591 from Izorkin/update-modsecurity

update modsecurity packages
2022-02-14 19:56:50 +01:00 · 2022-02-14 19:56:50 +01:00 · 3ad52fcdd6
parent 4f3a4c40f1 8b37c4d5c4
commit 3ad52fcdd6
4 changed files with 79 additions and 13 deletions
--- a/pkgs/servers/http/nginx/modules.nix
+++ b/pkgs/servers/http/nginx/modules.nix
@ -252,8 +252,8 @@ in
      name = "modsecurity-nginx";
      owner = "SpiderLabs";
      repo = "ModSecurity-nginx";
-      rev = "v1.0.1";
-      sha256 = "0cbb3g3g4v6q5zc6an212ia5kjjad62bidnkm8b70i4qv1615pzf";
+      rev = "v1.0.2";
+      sha256 = "sha256-UXiitc3jZlgXlCsDPS+xEFLNRVgRbn8BCCXUEqAWlII=";
    };
    inputs = [ pkgs.curl pkgs.geoip pkgs.libmodsecurity pkgs.libxml2 pkgs.lmdb pkgs.yajl ];
  };
--- a/pkgs/tools/security/libmodsecurity/default.nix
+++ b/pkgs/tools/security/libmodsecurity/default.nix
@ -1,34 +1,57 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config
-, doxygen, perl, valgrind
-, curl, geoip, libxml2, lmdb, lua, pcre, yajl }:
+{ lib, stdenv, fetchFromGitHub
+, autoreconfHook, bison, flex, pkg-config
+, curl, geoip, libmaxminddb, libxml2, lmdb, lua, pcre
+, ssdeep, valgrind, yajl
+}:

 stdenv.mkDerivation rec {
  pname = "libmodsecurity";
-  version = "3.0.4";
+  version = "3.0.6";

  src = fetchFromGitHub {
    owner = "SpiderLabs";
    repo = "ModSecurity";
-    fetchSubmodules = true;
    rev = "v${version}";
-    sha256 = "07vry10cdll94sp652hwapn0ppjv3mb7n2s781yhy7hssap6f2vp";
+    sha256 = "sha256-V+NBT2YN8qO3Px8zEzSA2ZsjSf1pv8+VlLxYlrpqfGg=";
+    fetchSubmodules = true;
  };

-  nativeBuildInputs = [ autoreconfHook pkg-config doxygen ];
+  nativeBuildInputs = [ autoreconfHook bison flex pkg-config ];
+  buildInputs = [ curl geoip libmaxminddb libxml2 lmdb lua pcre ssdeep valgrind yajl ];

-  buildInputs = [ perl valgrind curl geoip libxml2 lmdb lua pcre yajl ];
+  outputs = [ "out" "dev" ];

  configureFlags = [
-    "--enable-static"
+    "--enable-parser-generation"
    "--with-curl=${curl.dev}"
    "--with-libxml=${libxml2.dev}"
+    "--with-lmdb=${lmdb.out}"
+    "--with-maxmind=${libmaxminddb}"
    "--with-pcre=${pcre.dev}"
-    "--with-yajl=${yajl}"
+    "--with-ssdeep=${ssdeep}"
  ];

+  postPatch = ''
+    substituteInPlace build/lmdb.m4 \
+      --replace "\''${path}/include/lmdb.h" "${lmdb.dev}/include/lmdb.h" \
+      --replace "lmdb_inc_path=\"\''${path}/include\"" "lmdb_inc_path=\"${lmdb.dev}/include\""
+    substituteInPlace build/ssdeep.m4 \
+      --replace "/usr/local/libfuzzy" "${ssdeep}/lib" \
+      --replace "\''${path}/include/fuzzy.h" "${ssdeep}/include/fuzzy.h" \
+      --replace "ssdeep_inc_path=\"\''${path}/include\"" "ssdeep_inc_path=\"${ssdeep}/include\""
+    substituteInPlace modsecurity.conf-recommended \
+      --replace "SecUnicodeMapFile unicode.mapping 20127" "SecUnicodeMapFile $out/share/modsecurity/unicode.mapping 20127"
+  '';
+
+  postInstall = ''
+    mkdir -p $out/share/modsecurity
+    cp ${src}/{AUTHORS,CHANGES,LICENSE,README.md,modsecurity.conf-recommended,unicode.mapping} $out/share/modsecurity
+  '';
+
  enableParallelBuilding = true;

  meta = with lib; {
+    homepage = "https://github.com/SpiderLabs/ModSecurity";
    description = ''
      ModSecurity v3 library component.
    '';
@ -40,7 +63,6 @@ stdenv.mkDerivation rec {
      the ModSecurity SecRules format and apply them to HTTP content provided
      by your application via Connectors.
    '';
-    homepage = "https://modsecurity.org/";
    license = licenses.asl20;
    platforms = platforms.all;
    maintainers = with maintainers; [ izorkin ];
--- a/pkgs/tools/security/modsecurity-crs/default.nix
+++ b/pkgs/tools/security/modsecurity-crs/default.nix
@ -0,0 +1,42 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  version = "3.3.2";
+  pname = "modsecurity-crs";
+
+  src = fetchFromGitHub {
+    owner = "coreruleset";
+    repo = "coreruleset";
+    rev = "v${version}";
+    sha256 = "sha256-m/iVLhk2y5BpYu8EwC2adrrDnbaVCQ0SE25ltvMokCw=";
+  };
+
+  installPhase = ''
+    install -D -m444 -t $out/rules ${src}/rules/*.conf
+    install -D -m444 -t $out/rules ${src}/rules/*.data
+    install -D -m444 -t $out/share/doc/modsecurity-crs ${src}/*.md
+    install -D -m444 -t $out/share/doc/modsecurity-crs ${src}/{CHANGES,INSTALL,LICENSE}
+    install -D -m444 -t $out/share/modsecurity-crs ${src}/rules/*.example
+    install -D -m444 -t $out/share/modsecurity-crs ${src}/crs-setup.conf.example
+    cat > $out/share/modsecurity-crs/modsecurity-crs.load.example <<EOF
+    ##
+    ## This is a sample file for loading OWASP CRS's rules.
+    ##
+    Include /etc/modsecurity/crs/crs-setup.conf
+    IncludeOptional /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
+    Include $out/rules/*.conf
+    IncludeOptional /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
+    EOF
+  '';
+
+  meta = with lib; {
+    homepage = "https://coreruleset.org";
+    description = ''
+      The OWASP ModSecurity Core Rule Set is a set of generic attack detection
+      rules for use with ModSecurity or compatible web application firewalls.
+    '';
+    license = licenses.asl20;
+    platforms = platforms.all;
+    maintainers = with maintainers; [ izorkin ];
+  };
+}
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -7883,6 +7883,8 @@ with pkgs;

  modsecurity_standalone = callPackage ../tools/security/modsecurity { };

+  modsecurity-crs = callPackage ../tools/security/modsecurity-crs { };
+
  molly-guard = callPackage ../os-specific/linux/molly-guard { };

  molotov = callPackage ../applications/video/molotov {};