[dev/Wasm] Removing unsupported try catch

SECURITY.md

@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported Versions
+
+The latest versions of both v2.9.x and v3.0.x are supported.
+
+## Reporting a Vulnerability
+
+For information on how to report a security issue, please see https://github.com/SpiderLabs/ModSecurity#security-issue

src/actions/accuracy.cc

@@ -17,6 +17,7 @@
 
 #include <iostream>
 #include <string>
+#include <charconv>
 
 #include "modsecurity/actions/action.h"
 #include "modsecurity/transaction.h"
@@ -28,9 +29,8 @@ namespace actions {
 
 
 bool Accuracy::init(std::string *error) {
-    try {
-        m_accuracy = std::stoi(m_parser_payload);
-    }  catch (...) {
+    const auto conv_res = std::from_chars(m_parser_payload.data(), m_parser_payload.data() + m_parser_payload.size(), m_accuracy);
+    if (conv_res.ec == std::errc::invalid_argument) {
         error->assign("Accuracy: The input \"" + m_parser_payload + "\" is " \
             "not a number.");
         return false;

src/actions/ctl/rule_remove_by_id.cc

@@ -17,6 +17,8 @@
 
 #include <iostream>
 #include <string>
+#include <charconv>
+
 
 #include "modsecurity/transaction.h"
 #include "src/utils/string.h"
@@ -42,19 +44,21 @@ bool RuleRemoveById::init(std::string *error) {
             std::string n2s = std::string(b, dash + 1, b.size() - (dash + 1));
             int n1n = 0;
             int n2n = 0;
-            try {
-                n1n = std::stoi(n1s);
-                added = true;
-            } catch (...) {
+
+            const auto conv_res = std::from_chars(n1s.data(), n1s.data() + n1s.size(), n1n);
+            if (conv_res.ec == std::errc::invalid_argument) {
                 error->assign("Not a number: " + n1s);
                 return false;
-            }
-            try {
-                n2n = std::stoi(n2s);
+            } else {
                 added = true;
-            } catch (...) {
+            }
+
+            const auto conv_res2 = std::from_chars(n2s.data(), n2s.data() + n2s.size(), n2n);
+            if (conv_res2.ec == std::errc::invalid_argument) {
                 error->assign("Not a number: " + n2s);
                 return false;
+            } else {
+                added = true;
             }
 
             if (n1n > n2n) {
@@ -64,13 +68,16 @@ bool RuleRemoveById::init(std::string *error) {
             m_ranges.push_back(std::make_pair(n1n, n2n));
             added = true;
         } else {
-            try {
-                int num = std::stoi(b);
-                m_ids.push_back(num);
-                added = true;
-            } catch (...) {
+            int num;
+            const auto conv_res3 = std::from_chars(b.data(), b.data() + b.size(), num);
+            if (conv_res3.ec == std::errc::invalid_argument) {
+                // Conversion Fail
                 error->assign("Not a number or range: " + b);
                 return false;
+            } else {
+                // Conversion Done
+                m_ids.push_back(num);
+                added = true;
             }
         }
     }

src/actions/ctl/rule_remove_target_by_id.cc

@@ -19,6 +19,7 @@
 #include <string>
 #include <vector>
 #include <utility>
+#include <charconv>
 
 #include "modsecurity/transaction.h"
 #include "src/utils/string.h"
@@ -38,9 +39,8 @@ bool RuleRemoveTargetById::init(std::string *error) {
         return false;
     }
 
-    try {
-        m_id = std::stoi(param[0]);
-    } catch(...) {
+    const auto conv_res = std::from_chars(param[0].data(), param[0].data() + param[0].size(), m_id);
+    if (conv_res.ec == std::errc::invalid_argument) {
         error->assign("Not able to convert '" + param[0] +
             "' into a number");
         return false;

src/actions/data/status.cc

@@ -18,6 +18,7 @@
 #include <iostream>
 #include <string>
 #include <memory>
+#include <charconv>
 
 #include "modsecurity/transaction.h"
 
@@ -27,9 +28,8 @@ namespace actions {
 namespace data {
 
 bool Status::init(std::string *error) {
-    try {
-        m_status = std::stoi(m_parser_payload);
-    } catch (...) {
+    const auto conv_res = std::from_chars(m_parser_payload.data(), m_parser_payload.data() + m_parser_payload.size(), m_status);
+    if (conv_res.ec == std::errc::invalid_argument) {
         error->assign("Not a valid number: " + m_parser_payload);
         return false;
     }

src/actions/maturity.cc

@@ -17,6 +17,7 @@
 
 #include <iostream>
 #include <string>
+#include <charconv>
 
 #include "modsecurity/actions/action.h"
 #include "modsecurity/transaction.h"
@@ -28,9 +29,10 @@ namespace actions {
 
 
 bool Maturity::init(std::string *error) {
-    try {
-        m_maturity = std::stoi(m_parser_payload);
-    }  catch (...) {
+
+    const auto conv_res = std::from_chars(m_parser_payload.data(), m_parser_payload.data() + m_parser_payload.size(), m_maturity);
+    if (conv_res.ec == std::errc::invalid_argument) {
+        // Conversion error
         error->assign("Maturity: The input \"" + m_parser_payload + "\" is " \
             "not a number.");
         return false;

src/actions/phase.cc

@@ -17,6 +17,7 @@
 
 #include <iostream>
 #include <string>
+#include <charconv>
 
 #include "modsecurity/transaction.h"
 #include "modsecurity/rule.h"
@@ -31,8 +32,22 @@ bool Phase::init(std::string *error) {
     std::string a = utils::string::tolower(m_parser_payload);
     m_phase = -1;
 
-    try {
-        m_phase = std::stoi(m_parser_payload);
+
+    const auto conv_res = std::from_chars(m_parser_payload.data(), m_parser_payload.data() + m_parser_payload.size(), m_phase);
+    if (conv_res.ec == std::errc::invalid_argument) {
+        // Conversion Fail
+        if (a == "request") {
+            m_phase = modsecurity::Phases::RequestBodyPhase;
+            m_secRulesPhase = 2;
+        } else if (a == "response") {
+            m_phase = modsecurity::Phases::ResponseBodyPhase;
+            m_secRulesPhase = 4;
+        } else if (a == "logging") {
+            m_phase = modsecurity::Phases::LoggingPhase;
+            m_secRulesPhase = 5;
+        }
+    } else {
+        // Conversion Done
         if (m_phase == 0) {
             m_phase = modsecurity::Phases::ConnectionPhase;
             m_secRulesPhase = 0;
@@ -55,19 +70,7 @@ bool Phase::init(std::string *error) {
             error->assign("Unknown phase: " + m_parser_payload);
             return false;
         }
-    } catch (...) {
-        if (a == "request") {
-            m_phase = modsecurity::Phases::RequestBodyPhase;
-            m_secRulesPhase = 2;
-        } else if (a == "response") {
-            m_phase = modsecurity::Phases::ResponseBodyPhase;
-            m_secRulesPhase = 4;
-        } else if (a == "logging") {
-            m_phase = modsecurity::Phases::LoggingPhase;
-            m_secRulesPhase = 5;
-        }
     }
-
     return true;
 }
 

src/actions/rule_id.cc

@@ -17,6 +17,7 @@
 
 #include <iostream>
 #include <string>
+#include <sstream>
 
 #include "modsecurity/transaction.h"
 #include "modsecurity/rule.h"
@@ -27,10 +28,12 @@ namespace actions {
 
 bool RuleId::init(std::string *error) {
     std::string a = m_parser_payload;
-
-    try {
-        m_ruleId = std::stod(a);
-    } catch (...) {
+
+    std::stringstream ss;
+    ss<<a;
+    ss>>m_ruleId;
+    if (ss.fail()) {
+        ss.clear();
         m_ruleId = 0;
         error->assign("The input \"" + a + "\" does not " \
             "seems to be a valid rule id.");

src/actions/set_var.cc

@@ -18,6 +18,7 @@
 #include <iostream>
 #include <string>
 #include <memory>
+#include <charconv>
 
 #include "modsecurity/rules_set.h"
 #include "modsecurity/transaction.h"
@@ -104,28 +105,29 @@ bool SetVar::evaluate(RuleWithActions *rule, Transaction *t) {
         int pre = 0;
         int value = 0;
 
-        try {
-            pre = stoi(resolvedPre);
-        } catch (...) {
+
+        const auto conv_res = std::from_chars(resolvedPre.data(), resolvedPre.data() + resolvedPre.size(), pre);
+        if (conv_res.ec == std::errc::invalid_argument) {
+            // Conversion error
             pre = 0;
         }
 
-        try {
-            std::vector<const VariableValue *> l;
-            RuleWithOperator *rr = dynamic_cast<RuleWithOperator *>(rule);
-            m_variable->evaluate(t, rr, &l);
-            if (l.size() == 0) {
+        std::vector<const VariableValue *> l;
+        RuleWithOperator *rr = dynamic_cast<RuleWithOperator *>(rule);
+        m_variable->evaluate(t, rr, &l);
+        if (l.size() == 0) {
+            value = 0;
+        } else {
+            const auto conv_res2 = std::from_chars(l[0]->getValue().data(), l[0]->getValue().data() + l[0]->getValue().size(), value);
+            if (conv_res2.ec == std::errc::invalid_argument) {
                 value = 0;
-            } else {
-                value = stoi(l[0]->getValue());
-                for (auto &i : l) {
-                    delete i;
-                }
             }
-        } catch (...) {
-            value = 0;
+            for (auto &i : l) {
+                delete i;
+            }
         }
 
+
         if (m_operation == sumAndSetOperation) {
             targetValue = std::to_string(value + pre);
         } else if (m_operation == substractAndSetOperation) {

src/actions/severity.cc

@@ -18,6 +18,7 @@
 #include <iostream>
 #include <string>
 #include <memory>
+#include <charconv>
 
 #include "modsecurity/rules_set.h"
 #include "modsecurity/actions/action.h"
@@ -58,15 +59,14 @@ bool Severity::init(std::string *error) {
         m_severity = 7;
         return true;
     } else {
-        try {
-            m_severity = std::stoi(a);
-            return true;
-        }  catch (...) {
+        const auto conv_res = std::from_chars(a.data(), a.data() + a.size(), m_severity);
+        if (conv_res.ec == std::errc::invalid_argument) {
             error->assign("Severity: The input \"" + a + "\" is " \
                 "not a number.");
+        } else {
+            return true;
         }
     }
-
     return false;
 }
 

src/actions/skip.cc

@@ -17,6 +17,7 @@
 
 #include <iostream>
 #include <string>
+#include <charconv>
 
 #include "modsecurity/rules_set.h"
 #include "modsecurity/actions/action.h"
@@ -27,9 +28,8 @@ namespace actions {
 
 
 bool Skip::init(std::string *error) {
-    try {
-        m_skip_next = std::stoi(m_parser_payload);
-    }  catch (...) {
+    const auto conv_res = std::from_chars(m_parser_payload.data(), m_parser_payload.data() + m_parser_payload.size(), m_skip_next);
+    if (conv_res.ec == std::errc::invalid_argument) {
         error->assign("Skip: The input \"" + m_parser_payload + "\" is " \
             "not a number.");
         return false;

src/operators/eq.cc

@@ -16,6 +16,7 @@
 #include "src/operators/eq.h"
 
 #include <string>
+#include <charconv>
 
 #include "src/operators/operator.h"
 
@@ -29,14 +30,12 @@ bool Eq::evaluate(Transaction *transaction, const std::string &input) {
     int i = 0;
     std::string pt(m_string->evaluate(transaction));
 
-    try {
-        p = std::stoi(pt);
-    } catch (...) {
+    const auto conv_res = std::from_chars(pt.data(), pt.data() + pt.size(), p);
+    if (conv_res.ec == std::errc::invalid_argument) {
         p = 0;
     }
-    try {
-        i = std::stoi(input);
-    } catch (...) {
+    const auto conv_res2 = std::from_chars(input.data(), input.data() + input.size(), i);
+    if (conv_res2.ec == std::errc::invalid_argument) {
         i = 0;
     }
 

src/operators/fuzzy_hash.cc

@@ -38,9 +38,8 @@ bool FuzzyHash::init(const std::string &param2, std::string *error) {
     }
     digit.append(std::string(m_param, pos+1));
     file.append(std::string(m_param, 0, pos));
-    try {
-        m_threshold = std::stoi(digit);
-    } catch (...) {
+    const auto conv_res = std::from_chars(digit.data(), digit.data() + digit.size(), m_threshold);
+    if (conv_res.ec == std::errc::invalid_argument) {
         error->assign("Expecting a digit, got: " + digit);
         return false;
     }