code_public/mod_reqin_log
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
32 Commits 1 Branch 0 Tags
17d76713803b7b08f46f66c52b2ffba947f7a7dd
Commit Graph

10 Commits

Author SHA1 Message Date
Jacquin Antoine
c61774f8ec conf: change socket path to /var/run/logcorrelator/http.socket 
- Update all documentation and configuration files
- Update test cases

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-03-01 02:14:31 +01:00
Jacquin Antoine
3e9ff25033 conf: change default socket path to /var/run/logcorrelator/http.sock 
- Update mod_reqin_log.conf example configuration
- Update README.md documentation and examples
- Update architecture.yml specification
- Update test_config_parsing.c test case

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-03-01 01:49:39 +01:00
Jacquin Antoine
2ac75364c2 refactor: remove unused scripts and integration tests 
- Remove scripts/build.sh and scripts/test.sh (not referenced in CI/CD)
- Remove tests/integration/test_integration.py (never automated)
- Keep only unit tests (C/cmocka) executed in GitLab CI

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-03-01 00:35:15 +01:00
Jacquin Antoine
c2e1221e5a release: version 1.0.2 - Audit security fixes and RPM packaging 
Security hardening:
- Add input sanitization for method (32), path (2048), host (256), http_version (16)
- Prevent log injection via oversized HTTP values
- Add LOG_THROTTLED macro for consistent error reporting
- Improve socket state double-check pattern to avoid unnecessary reconnects

Code quality:
- Fix const qualifier warnings in get_header()
- Add flags field to module definition
- Add -Wno-error=format-security for compatibility

Documentation:
- Clarify timestamp precision (microseconds expressed as nanoseconds)
- Update README and architecture.yml

Testing:
- Add 4 unit tests for input sanitization
- All 78 tests passing

Packaging:
- Remove DEB package support (RPM only: el8, el9, el10)
- Add CHANGELOG file included in RPM packages
- Bump version to 1.0.2

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-02-28 21:45:06 +01:00
Jacquin Antoine
d0ca0a7e4c fix: correction bugs + tests + migration el7 vers el10 
Correctifs de bugs critiques:
- Overflow entier dans le calcul du timestamp (nanoseconds)
- Validation des composantes temporelles dans format_iso8601
- Race condition mutex: échec dur pour MPM threadés (worker/event)
- Rejet des espaces en tête dans parse_int_strict

Nouveaux tests unitaires (38 ajoutés):
- Overflow timestamp, limites ISO8601, format fixe 20 chars
- Limite de taille JSON 64KB
- Détection headers sensibles (blacklist)
- Validation parse_int_strict
- dynbuf NULL handling et strlen mode

Migration packaging:
- Suppression CentOS 7 (EOL)
- Ajout AlmaLinux 10 (el10)
- RPMs supportés: el8, el9, el10

Mise à jour CI/CD et documentation:
- .gitlab-ci.yml: jobs verify pour el8/el9/el10
- architecture.yml: OS supportés à jour
- 70/70 tests pass

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-02-28 21:02:05 +01:00
Jacquin Antoine
175a0cccda fix: Sécuriser l’écriture socket et initialiser APR dans les tests 
Co-authored-by: aider (openrouter/openai/gpt-5.3-codex) <aider@aider.chat>
 2026-02-28 20:38:58 +01:00
Jacquin Antoine
46291898e1 fix: renforcer la robustesse du module et étendre les tests/CI 
Co-authored-by: aider (openrouter/openai/gpt-5.3-codex) <aider@aider.chat>
 2026-02-28 20:28:40 +01:00
Jacquin Antoine
e44059865b Security: fix critical vulnerabilities and harden module 
Security fixes:
#1 Buffer overflow: Validate socket path length against sun_path limit
    - Add MAX_SOCKET_PATH_LEN constant
    - Reject paths >= 108 bytes before snprintf

#2,#3 NULL pointer dereference: Add NULL checks
    - r->connection->local_ip: use conditional append
    - r->protocol: fallback to "UNKNOWN" if NULL

#4 Sensitive headers blacklist: Prevent credential leakage
    - Add DEFAULT_SENSITIVE_HEADERS[] blacklist
    - Block: Authorization, Cookie, Set-Cookie, X-Api-Key, etc.
    - Log skipped headers at DEBUG level only

#5 Memory exhaustion DoS: Add MAX_JSON_SIZE limit (64KB)
    - Check buffer size before adding headers
    - Truncate header list if limit reached

#6 Socket permissions: Change 0o666 → 0o660
    - Owner and group only (not world-writable)
    - Apache user must be in socket's group

#7 Race condition: Add mutex for FD access in worker/event MPMs
    - apr_thread_mutex_t protects socket_fd
    - FD_MUTEX_LOCK/UNLOCK macros
    - Created in reqin_log_create_server_conf()

#8 Timestamp overflow: Document 2262 limitation
    - Add comment explaining apr_time_t limits
    - Safe until ~2262 (uint64 nanoseconds)

#9 Error logging verbosity: Reduce information disclosure
    - APLOG_ERR: Generic messages only
    - APLOG_DEBUG: Detailed error information

#10 Socket path security: Move from /tmp to /var/run
    - Update socket_consumer.py, test scripts
    - Use environment variable MOD_REQIN_LOG_SOCKET
    - More secure default location

Files modified:
- src/mod_reqin_log.c: All security fixes
- scripts/socket_consumer.py: Permissions, path
- scripts/run_integration_tests.sh: Path security
- scripts/test_unix_socket.sh: Path security
- tests/integration/test_integration.py: Path security

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-02-26 23:37:30 +01:00
Jacquin Antoine
070c2a7bd2 Refactor: thread-safe per-process state and add tests 
Major changes:
- Move child state from global variable to server config (reqin_log_server_conf_t)
- Add reqin_log_create_server_conf() for proper per-server initialization
- Fix thread safety for worker/event MPMs
- Add cmocka unit tests (test_module_real.c)
- Add Python integration tests (test_integration.py)
- Update CI workflow and Dockerfiles for test execution
- Fix: Remove child_exit hook (not in architecture.yml)

Tests:
- Unit tests: JSON escaping, ISO8601 formatting, header truncation
- Integration tests: basic_logging, header_limits, socket_unavailable, socket_loss

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-02-26 23:28:45 +01:00
Jacquin Antoine
66549acf5c Initial commit: mod_reqin_log Apache module 
Features:
- JSON logging of HTTP requests to Unix domain socket
- Configurable HTTP headers logging (flat JSON structure)
- Header value truncation and count limits
- Automatic reconnect on socket disconnection
- Error reporting with throttling

Configuration directives:
- JsonSockLogEnabled: Enable/disable logging
- JsonSockLogSocket: Unix socket path
- JsonSockLogHeaders: List of headers to log
- JsonSockLogMaxHeaders: Maximum headers to log
- JsonSockLogMaxHeaderValueLen: Max header value length
- JsonSockLogReconnectInterval: Reconnect delay
- JsonSockLogErrorReportInterval: Error log throttle

Includes:
- Module source code (src/)
- Unit and integration tests (tests/, scripts/)
- Documentation (README.md, architecture.yml)
- Build configuration (CMakeLists.txt, Makefile)
- Packaging (deb/rpm)

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-02-26 13:55:07 +01:00