
feat(libinjection): add libinjection 4 final to v2 #3535

Merged
airween merged 13 commits into owasp-modsecurity:v2/master from airween:v2/libinjection4final
Apr 5, 2026

airween (Member) commented Apr 5, 2026

what

This PR introduces the new version of libinjection (v4.0.0).

Details:

  • removed old libinjection files from apache2/libinjection directory
  • added the new version as a submodule and pinned the version to v4.0.0
  • added submodule initialization in all GH workflow files
  • set the new path in build control files (Makefile.*, CMakeLists)
  • added a safe version of set_match_to_tx() function (pass variable's length to handle strings which contain \0 chars)
  • aligned the libinjection related operator's behavior to the new API
  • added new tests to check captured variables added to TX.0

why

The libinjection code in v2 was a bit old. There are several improvements there, and we plan to use other submodules too (e.g. to use a new JSON parser library); this PR starts to use it as a submodule.

Note that there is a similar pending PR for v3, #3528.

references

#3528

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates ModSecurity v2’s embedded libinjection integration to libinjection v4.0.0 by switching from vendored sources to a Git submodule, updating build/CI wiring accordingly, and adapting the SQLi/XSS detection operators to the new API (including safe capture handling for values containing NUL bytes).

Changes:

  • Replaced vendored libinjection sources under apache2/libinjection with a git submodule at apache2/others/libinjection.
  • Updated build systems (Autotools, CMake, Windows makefiles) and GitHub Actions to initialize and compile against the new submodule path.
  • Updated libinjection-backed operators to handle injection_result_t and added set_match_to_tx_safe() plus regression tests validating TX:0 capture behavior.

Reviewed changes

Copilot reviewed 21 out of 22 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| tests/regression/misc/25-libinjection.t | Adds regression coverage verifying capture populates TX.0 for SQLi/XSS operators. |
| tests/Makefile.am | Switches unit-test build sources to libinjection submodule paths. |
| standalone/Makefile.am | Switches standalone build sources to libinjection submodule paths. |
| iis/CMakeLists.txt | Updates IIS build sources and include directories for the new libinjection location. |
| apache2/re_operators.c | Adapts detectSQLi/detectXSS operator logic to libinjection v4 result codes and safe capture. |
| apache2/msc_util.h | Declares new set_match_to_tx_safe() API. |
| apache2/msc_util.c | Implements set_match_to_tx_safe() using length-aware duplication to preserve embedded NULs. |
| apache2/Makefile.win | Updates Windows object list to compile libinjection sources from the submodule. |
| apache2/Makefile.am | Updates Apache module build sources to compile libinjection from the submodule. |
| apache2/libinjection/libinjection.h | Removes vendored libinjection header (now provided by submodule). |
| apache2/libinjection/libinjection_xss.h | Removes vendored libinjection header (now provided by submodule). |
| apache2/libinjection/libinjection_xss.c | Removes vendored libinjection implementation (now provided by submodule). |
| apache2/libinjection/libinjection_sqli.h | Removes vendored libinjection header (now provided by submodule). |
| apache2/libinjection/libinjection_sqli.c | Removes vendored libinjection implementation (now provided by submodule). |
| apache2/libinjection/libinjection_html5.h | Removes vendored libinjection header (now provided by submodule). |
| apache2/libinjection/libinjection_html5.c | Removes vendored libinjection implementation (now provided by submodule). |
| apache2/libinjection/COPYING.txt | Removes vendored libinjection license file (license now tracked via submodule). |
| .gitmodules | Adds libinjection as a git submodule under apache2/others/libinjection. |
| .github/workflows/test-ci-windows.yml | Ensures checkout initializes submodules for Windows CI jobs. |
| .github/workflows/ci.yml | Ensures checkout initializes submodules for Linux CI jobs and adds git where needed. |

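The capture point raised in the PR description and the review overview (pass the variable's length so that a value containing \0 is captured whole), shown as an added example in plain C. This is not ModSecurity's code: `capture_t`, `capture_len`, `capture_cstr`, `render` and the sample value are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a matched value with a NUL byte in the middle. */
static const char SAMPLE[] = "1 OR 1=1\0-- tail";
typedef struct { char *data; size_t len; } capture_t; /* hypothetical capture record */

/* Length-aware duplication: copies exactly n bytes, NULs included. */
static capture_t capture_len(const char *value, size_t n)
{
    capture_t c = { malloc(n + 1), 0 };
    if (c.data == NULL) return c;
    memcpy(c.data, value, n);
    c.data[n] = '\0';
    c.len = n;
    return c;
}

/* C-string duplication: length comes from strlen(), so the copy stops at the first NUL. */
static capture_t capture_cstr(const char *value)
{
    return capture_len(value, strlen(value));
}

/* Render a capture for a log line, escaping non-printable bytes as \xHH. */
static char *render(capture_t c)
{
    char *out = malloc(c.len * 4 + 1), *p = out;
    if (out == NULL) return NULL;
    for (size_t i = 0; i < c.len; i++) {
        unsigned char b = (unsigned char)c.data[i];
        if (b >= 0x20 && b < 0x7f && b != '\\') *p++ = (char)b;
        else p += sprintf(p, "\\x%02x", (unsigned)b);
    }
    *p = '\0';
    return out;
}

int main(void)
{
    capture_t a = capture_cstr(SAMPLE), b = capture_len(SAMPLE, sizeof(SAMPLE) - 1);
    char *la = render(a), *lb = render(b);
    if (la == NULL || lb == NULL) return 1;
    printf("C-string capture (%zu bytes):     %s\n", a.len, la);
    printf("length-aware capture (%zu bytes): %s\n", b.len, lb);
    free(la); free(lb); free(a.data); free(b.data);
    return 0;
}
```

The C-string capture keeps only the bytes before the NUL, so anything logged or matched from it later is missing the tail of the value that triggered the rule.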

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 21 out of 22 changed files in this pull request and generated 3 comments.



Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 21 out of 22 changed files in this pull request and generated 2 comments.



airween requested a review from Copilot April 5, 2026 18:10

sonarqubecloud bot commented Apr 5, 2026

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 21 out of 22 changed files in this pull request and generated 3 comments.



airween requested a review from fzipi April 5, 2026 18:20
fzipi changed the title from "V2/libinjection4final" to "feat(libinjection): add libinjection 4 final to v2" Apr 5, 2026
airween merged commit 7f37ad4 into owasp-modsecurity:v2/master Apr 5, 2026
96 checks passed

airween (Member, Author) commented Apr 5, 2026
