Can we use back-references with ModSecurity 2.9 rsub operator?


I would like to know if we can use back-references with the ModSecurity 2.9 rsub operator (Apache).

For example I have these 2 JSON response bodies:

BODY1 "Africa":

{
  "error": "null",
  "id": "1",
  "result": {
    "group": [
      {
        "name": "glossina",
        "class": "insect"
      },
      {
        "name": "latrodectus",
        "class": "arachnid"
      }
    ],
    "climate": "tropical",
    "continent": "africa"
  }
}

aka in one line, africa1.json:

{ "error": "null", "id": "1", "result": { "group": [ { "name": "glossina", "class": "insect" }, { "name": "latrodectus", "class": "arachnid" } ], "climate": "tropical", "continent": "africa" }}

BODY2 "America":

{
  "error": "null",
  "id": "1",
  "result": {
    "group": [
      {
        "name": "trichopoda",
        "class": "insect"
      },
      {
        "name": "marma",
        "class": "arachnid"
      }
    ],
    "climate": "tropical",
    "continent": "america"
  }
}

aka in one line, america1.json:

{ "error": "null", "id": "1", "result": { "group": [ { "name": "trichopoda", "class": "insect" }, { "name": "marma", "class": "arachnid" } ], "climate": "tropical", "continent": "america" }}

What I want is to get an empty "group" list if the continent is "america".

I achieve this quite easily, for example with sed:

sed -E 's/"group": \[(.*)\](.*"continent": "america")/"group": \[\] \2/'

See below:

$ cat africa1.json | sed -E 's/"group": \[(.*)\](.*"continent": "america")/"group": \[\] \2/'
{ "error": "null", "id": "1", "result": { "group": [ { "name": "glossina", "class": "insect" }, { "name": "latrodectus", "class": "arachnid" } ], "climate": "tropical", "continent": "africa" }}

$ cat america1.json | sed -E 's/"group": \[(.*)\](.*"continent": "america")/"group": \[\] \2/'
{ "error": "null", "id": "1", "result": { "group": [] , "climate": "tropical", "continent": "america" }}

This is only an example; I can have many continents, and many fields between "group" and "continent" (not only "climate").

Can we proceed with the same method with the ModSecurity rsub operator? I'm quite sure there are other solutions, but this one is quite simple (I did it with an additional Lua script, but I would prefer to avoid this as far as possible).

Thanks

Spin


There are 1 best solutions below

Spin Egel On

I have a solution (the regex is approximate but is "enough" for the example) with a Lua script.

The rules:

SecRule RESPONSE_BODY "@rx .*" "id:172,phase:4,exec:/mypath/exec-replace-str.lua,auditlog,log,msg:'From RESPONSE BODY TX.stringrep=%{TX.stringrep}'"
SecRule STREAM_OUTPUT_BODY '@rsub s/%{TX.stringrep}/[ ]' "phase:4,capture,id:173,t:none,nolog,pass"

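The Lua script /mypath/exec-replace-str.lua:

function main()
    -- Response body as buffered by ModSecurity (phase 4)
    local respBody = m.getvar("RESPONSE_BODY")
    if respBody == nil then
        return nil
    end

    -- Capture the "group" array only when "continent": "america" follows it
    local _, _, stringrep = string.find(respBody, '"group": (%[.*%]).*"continent": "america"')
    if stringrep == nil then
        -- No match (e.g. another continent): nothing to replace
        return nil
    end

    -- Replace the brackets with "." so the text can be used as a regex by @rsub
    stringrep = string.gsub(stringrep, "[%[%]]", ".")

    m.setvar("TX.stringrep", stringrep)

    return 1
end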

But I'm looking for an answer without a Lua script if possible.
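
The two-step approach in the answer above (capture the literal "group" array only when "continent": "america" follows, then substitute it), modelled offline in Python as an added example that is not part of the original post. Function names are hypothetical, Python's re stands in for both the Lua pattern and the regex engine behind @rsub, and the example goes beyond the two bodies in the question by adding one constructed body and a parser-based reference for comparison.

```python
import json
import re

# Bodies from the question (one-line form).
AFRICA = '{ "error": "null", "id": "1", "result": { "group": [ { "name": "glossina", "class": "insect" }, { "name": "latrodectus", "class": "arachnid" } ], "climate": "tropical", "continent": "africa" }}'
AMERICA = '{ "error": "null", "id": "1", "result": { "group": [ { "name": "trichopoda", "class": "insect" }, { "name": "marma", "class": "arachnid" } ], "climate": "tropical", "continent": "america" }}'
# Constructed body: a second array ("tags") sits between "group" and "continent".
EXTRA = '{ "result": { "group": [ { "name": "marma" } ], "tags": [ "x" ], "continent": "america" }}'

# Step 1, the Lua script's role: capture the "group" array text, but only
# when "continent": "america" follows it in the same body.
FIND = re.compile(r'"group": (\[.*\]).*"continent": "america"', re.S)


def extract_literal(body):
    """Return the array text to replace, or None if the body does not match."""
    m = FIND.search(body)
    return m.group(1) if m else None


def rewrite_regex(body):
    """Step 2, the @rsub role: replace the captured text with an empty list."""
    literal = extract_literal(body)
    if literal is None:
        return body  # e.g. the africa body passes through unchanged
    # re.escape neutralises every metacharacter, not only '[' and ']'.
    return re.sub(re.escape(literal), "[]", body, count=1)


def rewrite_parsed(body):
    """Parser-based reference: empty result.group when continent is america."""
    doc = json.loads(body)
    result = doc.get("result", {})
    if result.get("continent") == "america":
        result["group"] = []
    return json.dumps(doc)


if __name__ == "__main__":
    for name, body in (("africa", AFRICA), ("america", AMERICA), ("extra", EXTRA)):
        print(name, "regex :", rewrite_regex(body))
        print(name, "parsed:", rewrite_parsed(body))
```

On the constructed body the regex path drops "tags" along with the group entries, because the greedy `\[.*\]` runs to the last `]` before "continent"; the parsed path keeps it.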