feat: improved XMLArgs processing

headers/modsecurity/rules_set_properties.h

@@ -52,6 +52,11 @@
         to = (from == PropertyNotSetBodyLimitAction) ? default : from;       \
     }
 
+#define merge_xmlargparse_value(to, from, default)                               \
+    if (to == PropertyNotSetConfigXMLParseXmlIntoArgs) {                                 \
+        to = (from == PropertyNotSetConfigXMLParseXmlIntoArgs) ? default : from;         \
+    }
+
 #ifdef __cplusplus
 
 namespace modsecurity {
@@ -177,6 +182,7 @@ class RulesSetProperties {
         m_secRequestBodyAccess(PropertyNotSetConfigBoolean),
         m_secResponseBodyAccess(PropertyNotSetConfigBoolean),
         m_secXMLExternalEntity(PropertyNotSetConfigBoolean),
+        m_secXMLParseXmlIntoArgs(PropertyNotSetConfigXMLParseXmlIntoArgs),
         m_tmpSaveUploadedFiles(PropertyNotSetConfigBoolean),
         m_uploadKeepFiles(PropertyNotSetConfigBoolean),
         m_debugLog(new DebugLog()),
@@ -191,6 +197,7 @@ class RulesSetProperties {
         m_secRequestBodyAccess(PropertyNotSetConfigBoolean),
         m_secResponseBodyAccess(PropertyNotSetConfigBoolean),
         m_secXMLExternalEntity(PropertyNotSetConfigBoolean),
+        m_secXMLParseXmlIntoArgs(PropertyNotSetConfigXMLParseXmlIntoArgs),
         m_tmpSaveUploadedFiles(PropertyNotSetConfigBoolean),
         m_uploadKeepFiles(PropertyNotSetConfigBoolean),
         m_debugLog(debugLog),
@@ -218,14 +225,27 @@ class RulesSetProperties {
 
     /**
      *
-     *
+     * The ConfigBoolean enumerator defines the states for configuration boolean values.
+     * The default value is PropertyNotSetConfigBoolean.
      */
     enum ConfigBoolean {
         TrueConfigBoolean,
         FalseConfigBoolean,
         PropertyNotSetConfigBoolean
     };
 
+    /**
+     *
+     * The ConfigXMLParseXmlIntoArgs enumerator defines the states for the configuration
+     * XMLParseXmlIntoArgs values.
+     * The default value is PropertyNotSetConfigXMLParseXmlIntoArgs.
+     */
+    enum ConfigXMLParseXmlIntoArgs {
+        TrueConfigXMLParseXmlIntoArgs,
+        FalseConfigXMLParseXmlIntoArgs,
+        OnlyArgsConfigXMLParseXmlIntoArgs,
+        PropertyNotSetConfigXMLParseXmlIntoArgs
+    };
 
     /**
      *
@@ -338,6 +358,19 @@ class RulesSetProperties {
         }
     }
 
+    static std::string configXMLParseXmlIntoArgsString(ConfigXMLParseXmlIntoArgs i) {
+        switch (i) {
+        case TrueConfigXMLParseXmlIntoArgs:
+            return "True";
+        case FalseConfigXMLParseXmlIntoArgs:
+            return "False";
+        case OnlyArgsConfigXMLParseXmlIntoArgs:
+            return "OnlyArgs";
+        case PropertyNotSetConfigXMLParseXmlIntoArgs:
+        default:
+            return "Not set";
+        }
+    }
 
     static int mergeProperties(RulesSetProperties *from,
         RulesSetProperties *to, std::ostringstream *err) {
@@ -357,6 +390,10 @@ class RulesSetProperties {
                             from->m_secXMLExternalEntity,
                             PropertyNotSetConfigBoolean);
 
+        merge_xmlargparse_value(to->m_secXMLParseXmlIntoArgs,
+                            from->m_secXMLParseXmlIntoArgs,
+                            PropertyNotSetConfigXMLParseXmlIntoArgs);
+
         merge_boolean_value(to->m_uploadKeepFiles,
                             from->m_uploadKeepFiles,
                             PropertyNotSetConfigBoolean);
@@ -464,6 +501,7 @@ class RulesSetProperties {
     ConfigBoolean m_secRequestBodyAccess;
     ConfigBoolean m_secResponseBodyAccess;
     ConfigBoolean m_secXMLExternalEntity;
+    ConfigXMLParseXmlIntoArgs m_secXMLParseXmlIntoArgs;
     ConfigBoolean m_tmpSaveUploadedFiles;
     ConfigBoolean m_uploadKeepFiles;
     ConfigDouble m_argumentsLimit;

headers/modsecurity/transaction.h

@@ -619,6 +619,7 @@ class Transaction : public TransactionAnchoredVariables, public TransactionSecMa
     RequestBodyProcessor::JSON *m_json;
 
     int m_secRuleEngine;
+    int m_secXMLParseXmlIntoArgs;
 
     std::string m_variableDuration;
     std::map<std::string, std::string> m_variableEnvs;

src/Makefile.am

@@ -119,6 +119,7 @@ ACTIONS = \
 	actions/chain.cc \
 	actions/ctl/audit_log_parts.cc \
 	actions/ctl/audit_engine.cc \
+	actions/ctl/parse_xml_into_args.cc \
 	actions/ctl/rule_engine.cc \
 	actions/ctl/request_body_processor_json.cc \
 	actions/ctl/request_body_processor_xml.cc \

src/actions/ctl/parse_xml_into_args.cc

@@ -0,0 +1,63 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2025 OWASP ModSecurity project
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact OWASP.
+ * directly using the email address [email protected].
+ *
+ */
+
+#include "src/actions/ctl/parse_xml_into_args.h"
+
+#include <iostream>
+#include <string>
+
+#include "modsecurity/rules_set_properties.h"
+#include "modsecurity/rules_set.h"
+#include "modsecurity/transaction.h"
+
+namespace modsecurity {
+namespace actions {
+namespace ctl {
+
+
+bool ParseXmlIntoArgs::init(std::string *error) {
+    std::string what(m_parser_payload, 17, m_parser_payload.size() - 17);
+
+    if (what == "on") {
+        m_secXMLParseXmlIntoArgs = RulesSetProperties::TrueConfigXMLParseXmlIntoArgs;
+    } else if (what == "off") {
+        m_secXMLParseXmlIntoArgs = RulesSetProperties::FalseConfigXMLParseXmlIntoArgs;
+    } else if (what == "onlyargs") {
+        m_secXMLParseXmlIntoArgs = RulesSetProperties::OnlyArgsConfigXMLParseXmlIntoArgs;
+    } else {
+        error->assign("Internal error. Expected: On, Off or OnlyArgs; " \
+            "got: " + m_parser_payload);
+        return false;
+    }
+
+    return true;
+}
+
+bool ParseXmlIntoArgs::evaluate(RuleWithActions *rule, Transaction *transaction) {
+    std::stringstream a;
+    a << "Setting SecParseXmlIntoArgs to ";
+    a << modsecurity::RulesSetProperties::configXMLParseXmlIntoArgsString(m_secXMLParseXmlIntoArgs);
+    a << " as requested by a ctl:parseXmlIntoArgs action";
+
+    ms_dbg_a(transaction, 8, a.str());
+
+    transaction->m_secXMLParseXmlIntoArgs = m_secXMLParseXmlIntoArgs;
+    return true;
+}
+
+
+}  // namespace ctl
+}  // namespace actions
+}  // namespace modsecurity

src/actions/ctl/parse_xml_into_args.h

@@ -0,0 +1,48 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2025 OWASP ModSecurity Project
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact OWASP.
+ * directly using the email address [email protected]
+ *
+ */
+
+#include <string>
+
+#include "modsecurity/rules_set_properties.h"
+#include "modsecurity/actions/action.h"
+#include "modsecurity/transaction.h"
+
+
+#ifndef SRC_ACTIONS_CTL_PARSE_XML_INTO_ARGS_H_
+#define SRC_ACTIONS_CTL_PARSE_XML_INTO_ARGS_H_
+
+namespace modsecurity {
+namespace actions {
+namespace ctl {
+
+
+class ParseXmlIntoArgs : public Action {
+ public:
+    explicit ParseXmlIntoArgs(const std::string &action) 
+        : Action(action),
+        m_secXMLParseXmlIntoArgs(RulesSetProperties::PropertyNotSetConfigXMLParseXmlIntoArgs) { }
+
+    bool init(std::string *error) override;
+    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
+
+    RulesSetProperties::ConfigXMLParseXmlIntoArgs m_secXMLParseXmlIntoArgs;
+};
+
+
+}  // namespace ctl
+}  // namespace actions
+}  // namespace modsecurity
+
+#endif  // SRC_ACTIONS_CTL_PARSE_XML_INTO_ARGS_H_