owasp-modsecurity · Easton97-Jens · Mar 29, 2026 · Mar 29, 2026 · Mar 29, 2026 · Mar 30, 2026
diff --git a/build/win32/CMakeLists.txt b/build/win32/CMakeLists.txt
@@ -164,7 +164,7 @@ project(libModSecurityTests)
 
 function(setTestTargetProperties executable)
   target_compile_definitions(${executable} PRIVATE WITH_PCRE2)
-  target_include_directories(${executable} PRIVATE ${BASE_DIR} ${BASE_DIR}/headers)
+  target_include_directories(${executable} PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others)
   target_link_libraries(${executable} PRIVATE libModSecurity pcre2::pcre2 dirent::dirent)
   add_package_dependency(${executable} WITH_YAJL yajl::yajl HAVE_YAJL)
 endfunction()
@@ -239,7 +239,7 @@ setTestTargetProperties(rules_optimization)
 project(libModSecurityExamples)
 
 function(setExampleTargetProperties executable)
-  target_include_directories(${executable} PRIVATE ${BASE_DIR} ${BASE_DIR}/headers)
+  target_include_directories(${executable} PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others)
   target_link_libraries(${executable} PRIVATE libModSecurity)
 endfunction()
 

diff --git a/others/Makefile.am b/others/Makefile.am
@@ -15,6 +15,7 @@ noinst_HEADERS = \
 	libinjection/src/libinjection_sqli.h \
 	libinjection/src/libinjection_sqli_data.h \
 	libinjection/src/libinjection_xss.h \
+	libinjection/src/libinjection_error.h \
 	mbedtls/include/mbedtls/base64.h \
 	mbedtls/include/mbedtls/check_config.h \
 	mbedtls/include/mbedtls/mbedtls_config.h \

diff --git a/others/libinjection b/others/libinjection
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -187,6 +187,7 @@ OPERATORS = \
 	operators/contains_word.cc \
 	operators/detect_sqli.cc \
 	operators/detect_xss.cc \
+	operators/libinjection_adapter.cc \
 	operators/ends_with.cc \
 	operators/eq.cc \
 	operators/fuzzy_hash.cc \

diff --git a/src/operators/detect_sqli.cc b/src/operators/detect_sqli.cc
@@ -17,45 +17,84 @@
 
 #include <string>
 #include <list>
+#include <array>
 
 #include "src/operators/operator.h"
-#include "libinjection/src/libinjection.h"
-
-namespace modsecurity {
-namespace operators {
+#include "src/operators/libinjection_utils.h"
+#include "src/operators/libinjection_adapter.h"
+#include "src/utils/string.h"
+#include "libinjection/src/libinjection_error.h"
 
+namespace modsecurity::operators {
 
 bool DetectSQLi::evaluate(Transaction *t, RuleWithActions *rule,
     const std::string& input, RuleMessage &ruleMessage) {
-    char fingerprint[8];
-    int issqli;
+#ifndef NO_LOGS
+    const std::string loggable_input =
+        utils::string::limitTo(80, utils::string::toHexIfNeeded(input));
+#endif
+
+    std::array<char, 8> fingerprint{};
 
-    issqli = libinjection_sqli(input.c_str(), input.length(), fingerprint);
+    const injection_result_t sqli_result =
+        runLibinjectionSQLi(input.c_str(), input.length(), fingerprint.data());
 
-    if (!t) {
-        goto tisempty;
+    if (t == nullptr) {
+        return isMaliciousLibinjectionResult(sqli_result);
     }
 
-    if (issqli) {
-        t->m_matched.push_back(fingerprint);
-        ms_dbg_a(t, 4, "detected SQLi using libinjection with " \
-            "fingerprint '" + std::string(fingerprint) + "' at: '" +
-            input + "'");
-        if (rule && rule->hasCaptureAction()) {
-            t->m_collections.m_tx_collection->storeOrUpdateFirst(
-                "0", std::string(fingerprint));
-            ms_dbg_a(t, 7, "Added DetectSQLi match TX.0: " + \
-                std::string(fingerprint));
-        }
-    } else {
-        ms_dbg_a(t, 9, "detected SQLi: not able to find an " \
-            "inject on '" + input + "'");
+    switch (sqli_result) {
+        case LIBINJECTION_RESULT_TRUE:
+            t->m_matched.emplace_back(fingerprint.data());
+
+#ifndef NO_LOGS
+            ms_dbg_a(t, 4,
+                std::string("detected SQLi using libinjection with fingerprint '")
+                + fingerprint.data() + "' at: '" + loggable_input + "'");
+#endif
+
+            if (rule != nullptr && rule->hasCaptureAction()) {
+                t->m_collections.m_tx_collection->storeOrUpdateFirst(
+                    "0", std::string(fingerprint.data()));
+
+                ms_dbg_a(t, 7,
+                    std::string("Added DetectSQLi match TX.0: ")
+                    + fingerprint.data());
+            }
+            break;
+
+        case LIBINJECTION_RESULT_ERROR:
+#ifndef NO_LOGS
+            ms_dbg_a(t, 4,
+                std::string("libinjection parser error during SQLi analysis (")
+                + libinjectionResultToString(sqli_result)
+                + "); treating as match (fail-safe). Input: '"
+                + loggable_input + "'");
+#endif
+
+            if (rule != nullptr && rule->hasCaptureAction()) {
+                t->m_collections.m_tx_collection->storeOrUpdateFirst(
+                    "0", input);
+
+                ms_dbg_a(t, 7,
+                    std::string("Added DetectSQLi error input TX.0: ")
+                    + input);
+            }
+
+            // Keep m_matched untouched for parser-error paths to avoid
+            // introducing synthetic fingerprints for non-TRUE results.
+            break;
+
+        case LIBINJECTION_RESULT_FALSE:
+#ifndef NO_LOGS
+            ms_dbg_a(t, 9,
+                std::string("libinjection was not able to find any SQLi in: ")
+                + loggable_input);
+#endif
+            break;
     }
 
-tisempty:
-    return issqli != 0;
+    return isMaliciousLibinjectionResult(sqli_result);
 }
 
-
-}  // namespace operators
-}  // namespace modsecurity
+}  // namespace modsecurity::operators
diff --git a/src/operators/detect_xss.cc b/src/operators/detect_xss.cc
@@ -18,36 +18,60 @@
 #include <string>
 
 #include "src/operators/operator.h"
-#include "libinjection/src/libinjection.h"
-
-
-namespace modsecurity {
-namespace operators {
+#include "src/operators/libinjection_utils.h"
+#include "src/operators/libinjection_adapter.h"
+#include "src/utils/string.h"
+#include "libinjection/src/libinjection_error.h"
 
+namespace modsecurity::operators {
 
 bool DetectXSS::evaluate(Transaction *t, RuleWithActions *rule,
     const std::string& input, RuleMessage &ruleMessage) {
-    int is_xss;
-
-    is_xss = libinjection_xss(input.c_str(), input.length());
-
-    if (t) {
-        if (is_xss) {
-            ms_dbg_a(t, 5, "detected XSS using libinjection.");
-            if (rule && rule->hasCaptureAction()) {
-                t->m_collections.m_tx_collection->storeOrUpdateFirst(
-                    "0", std::string(input));
-                ms_dbg_a(t, 7, "Added DetectXSS match TX.0: " + \
-                    std::string(input));
+#ifndef NO_LOGS
+    const std::string loggable_input =
+        utils::string::limitTo(80, utils::string::toHexIfNeeded(input));
+#endif
+
+    const injection_result_t xss_result =
+        runLibinjectionXSS(input.c_str(), input.length());
+
+    if (t == nullptr) {
+        return isMaliciousLibinjectionResult(xss_result);
+    }
+
+    switch (xss_result) {
+        case LIBINJECTION_RESULT_TRUE:
+            ms_dbg_a(t, 5, std::string("detected XSS using libinjection."));
+            if (rule != nullptr && rule->hasCaptureAction()) {
+                t->m_collections.m_tx_collection->storeOrUpdateFirst("0", input);
+                ms_dbg_a(t, 7, std::string("Added DetectXSS match TX.0: ") + input);
             }
-        } else {
-            ms_dbg_a(t, 9, "libinjection was not able to " \
-                "find any XSS in: " + input);
+            break;
+
+        case LIBINJECTION_RESULT_ERROR:
+#ifndef NO_LOGS
+            ms_dbg_a(t, 4,
+                std::string("libinjection parser error during XSS analysis (")
+                + libinjectionResultToString(xss_result)
+                + "); treating as match (fail-safe). Input: "
+                + loggable_input);
+#endif
+            if (rule != nullptr && rule->hasCaptureAction()) {
+                t->m_collections.m_tx_collection->storeOrUpdateFirst("0", input);
+                ms_dbg_a(t, 7, std::string("Added DetectXSS error input TX.0: ") + input);
             }
+            break;
+
+        case LIBINJECTION_RESULT_FALSE:
+#ifndef NO_LOGS
+            ms_dbg_a(t, 9,
+                std::string("libinjection was not able to find any XSS in: ")
+                + loggable_input);
+#endif
+            break;
     }
-    return is_xss != 0;
-}
 
+    return isMaliciousLibinjectionResult(xss_result);
+}
 
-}  // namespace operators
-}  // namespace modsecurity
+}  // namespace modsecurity::operators
diff --git a/src/operators/libinjection_adapter.cc b/src/operators/libinjection_adapter.cc
@@ -0,0 +1,68 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "src/operators/libinjection_adapter.h"
+
+#include "libinjection/src/libinjection.h"
+
+namespace modsecurity::operators {
+namespace {
+
+// Per-thread overrides avoid cross-thread interference during mtstress tests.
+// Intentional design:
+// - thread_local to isolate tests across threads
+// - function pointers to keep zero-overhead call path
+// - mutable for test injection hooks
+// NOSONAR: required for testing override mechanism (see set*OverrideForTesting)
+thread_local DetectSQLiFn g_sqli_override = nullptr;  // NOSONAR
+thread_local DetectXSSFn g_xss_override = nullptr;    // NOSONAR
+
+}
+
+injection_result_t runLibinjectionSQLi(const char *input, size_t len,
+    char *fingerprint) {
+    if (DetectSQLiFn fn = g_sqli_override) {
+        return fn(input, len, fingerprint);
+    }
+
+    return libinjection_sqli(input, len, fingerprint);
+}
+
+injection_result_t runLibinjectionXSS(const char *input, size_t len) {
+    if (DetectXSSFn fn = g_xss_override) {
+        return fn(input, len);
+    }
+
+    return libinjection_xss(input, len);
+}
+
+// Test-only hook: allows injecting alternative detection functions
+// NOSONAR: function pointer is intentional (no std::function overhead)
+void setLibinjectionSQLiOverrideForTesting(DetectSQLiFn fn) {  // NOSONAR
+    g_sqli_override = fn;
+}
+
+// Test-only hook: allows injecting alternative detection functions
+// NOSONAR: function pointer is intentional (no std::function overhead)
+void setLibinjectionXSSOverrideForTesting(DetectXSSFn fn) {  // NOSONAR
+    g_xss_override = fn;
+}
+
+void clearLibinjectionOverridesForTesting() {
+    g_sqli_override = nullptr;
+    g_xss_override = nullptr;
+}
+
+}  // namespace modsecurity::operators
diff --git a/src/operators/libinjection_adapter.h b/src/operators/libinjection_adapter.h
@@ -0,0 +1,38 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#ifndef SRC_OPERATORS_LIBINJECTION_ADAPTER_H_
+#define SRC_OPERATORS_LIBINJECTION_ADAPTER_H_
+
+#include <cstddef>
+
+#include "libinjection/src/libinjection_error.h"  // matches detect_xss.cc, detect_sqli.cc, and libinjection_utils.h
+
+namespace modsecurity::operators {
+
+using DetectSQLiFn = injection_result_t (*)(const char *, size_t, char *);
+using DetectXSSFn = injection_result_t (*)(const char *, size_t);
+
+injection_result_t runLibinjectionSQLi(const char *input, size_t len,
+    char *fingerprint);
+injection_result_t runLibinjectionXSS(const char *input, size_t len);
+
+void setLibinjectionSQLiOverrideForTesting(DetectSQLiFn fn);
+void setLibinjectionXSSOverrideForTesting(DetectXSSFn fn);
+void clearLibinjectionOverridesForTesting();
+
+}  // namespace modsecurity::operators
+
+#endif  // SRC_OPERATORS_LIBINJECTION_ADAPTER_H_
diff --git a/src/operators/libinjection_utils.h b/src/operators/libinjection_utils.h
@@ -0,0 +1,48 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#ifndef SRC_OPERATORS_LIBINJECTION_UTILS_H_
+#define SRC_OPERATORS_LIBINJECTION_UTILS_H_
+
+#include "libinjection/src/libinjection_error.h"
+
+namespace modsecurity::operators {
+
+/*
+ * libinjection parser errors are handled in fail-safe mode as suspicious
+ * results, so callers can block on both confirmed detections and parser
+ * failures.
+ */
+static inline bool isMaliciousLibinjectionResult(injection_result_t result) {
+    return result == LIBINJECTION_RESULT_TRUE
+        || result == LIBINJECTION_RESULT_ERROR;
+}
+
+static inline const char *libinjectionResultToString(injection_result_t result) {
+    switch (result) {
+        case LIBINJECTION_RESULT_TRUE:
+            return "attack-detected";
+        case LIBINJECTION_RESULT_FALSE:
+            return "no-attack";
+        case LIBINJECTION_RESULT_ERROR:
+            return "parser-error";
+    }
+
+    return "unexpected-result";
+}
+
+}  // namespace modsecurity::operators
+
+#endif  // SRC_OPERATORS_LIBINJECTION_UTILS_H_
diff --git a/test/Makefile.am b/test/Makefile.am
@@ -73,6 +73,7 @@ unit_tests_LDFLAGS = \
 unit_tests_CPPFLAGS = \
 	-Icommon \
 	-I$(top_srcdir)/ \
+	-I$(top_srcdir)/others \
 	-g \
 	-I$(top_builddir)/headers \
 	$(CURL_CFLAGS) \