Add -Werror=format-security CFLAG for all build case #101
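# CI workflow: builds the module on Ubuntu for every configure variant in the
# matrix, installs it into Apache, and fails the job when the Apache error log
# holds error/warn entries or ModSecurity lines in an unexpected format.
name: Quality Assurance

on:
  push:
  pull_request:

# Least privilege: the steps below only check out and build the source, so the
# workflow token needs no more than read access to the repository contents.
permissions:
  contents: read

jobs:
  build-linux:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-22.04]
        # NOTE(review): no step in this workflow references matrix.platform or
        # matrix.compiler (configure receives no CC= or -m32/-m64 setting), so
        # these two axes appear to repeat the same build. Confirm, then either
        # wire them into the configure step or drop them.
        platform: [x32, x64]
        compiler: [gcc, clang]
        configure:
          - label: "with pcre, no study, no jit"
            opt: "--enable-pcre-study=no"
          - label: "with pcre, with study, no jit"
            opt: "--enable-pcre-study=yes"
          - label: "with pcre, no study, with jit"
            opt: "--enable-pcre-study=no --enable-pcre-jit"
          - label: "with pcre, with study, with jit"
            opt: "--enable-pcre-study=yes --enable-pcre-jit"
          - label: "with pcre2"
            opt: "--with-pcre2 --enable-pcre-study=no"
          - label: "with pcre2, with study, no jit"
            opt: "--with-pcre2 --enable-pcre-study=yes"
          - label: "with pcre2, no study, with jit"
            opt: "--with-pcre2 --enable-pcre-study=no --enable-pcre-jit"
          - label: "with pcre2, with study, with jit"
            opt: "--with-pcre2 --enable-pcre-study=yes --enable-pcre-jit"
          - label: "with lua"
            opt: "--with-lua"
          - label: "wo lua"
            opt: "--without-lua"
    steps:
      - name: Setup Dependencies
        run: |
          sudo apt-get update -y -qq
          sudo apt-get install -y apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev pkg-config libyajl-dev apache2 apache2-bin apache2-data
      # NOTE(review): referenced by a movable tag; pinning to a reviewed
      # full-length commit SHA keeps the executed code fixed.
      - uses: actions/checkout@v2
      - name: autogen.sh
        run: ./autogen.sh
      - name: configure ${{ matrix.configure.label }}
        # GCC documents -Wformat-security as taking effect only together with
        # -Wformat, so -Wformat is passed explicitly instead of relying on the
        # distribution's compiler defaults.
        run: ./configure --enable-assertions ${{ matrix.configure.opt }} 'CFLAGS=-Wformat -Werror=format-security'
      # NOTE(review): third-party action tracked on a mutable branch; whatever
      # that branch points to at run time executes inside this job. Pin it to a
      # reviewed full-length commit SHA.
      - uses: ammaraskar/gcc-problem-matcher@master
      - name: make
        run: make -j "$(nproc)"
      - name: install module
        run: sudo make install
      - name: prepare config
        run: |
          sudo cp .github/security2.conf /etc/apache2/mods-enabled/
          sudo cp modsecurity.conf-recommended /etc/apache2/modsecurity.conf
          sudo cp unicode.mapping /etc/apache2/
          sudo mkdir -p /var/cache/modsecurity
          sudo chown -R www-data:www-data /var/cache/modsecurity
      - name: first check config (to get syntax errors)
        run: sudo apachectl configtest
      - name: start apache with module
        run: sudo systemctl restart apache2.service
      - name: Search for errors/warnings in error log
        run: |
          # grep exits 1 when nothing matches and >1 on a real failure (for
          # example an unreadable log). Only the "no match" case may pass;
          # a log that could not be scanned must not count as clean.
          # The group is written as plain ERE: a '?' directly after '(' is
          # undefined in POSIX extended regular expressions.
          grep_status=0
          errors=$(grep -E ':(error|warn)[]]' /var/log/apache2/error.log) || grep_status=$?
          if [[ ${grep_status} -gt 1 ]]; then
            echo "::error:: Could not scan error.log (grep exit ${grep_status})"
            exit 1
          fi
          if [[ -z "${errors}" ]]; then exit 0; fi
          echo "::error:: Found errors/warnings in error.log"
          echo "${errors}"
          exit 1
      - name: Check error.log
        run: |
          # Send requests & check log format
          # Valid request
          curl -s http://127.0.0.1/ > /dev/null || echo $?
          # Invalid request
          curl -s http://127.0.0.1/%2e%2f > /dev/null || echo $?
          # Check log format
          # NOTE(review): when the log holds no ModSecurity line at all, the
          # pipeline also ends non-zero and the step passes without having
          # checked anything.
          grep -F ModSecurity < /var/log/apache2/error.log | grep -vP "^\[[^\]]+\] \[security2:[a-z]+\] \[pid [0-9]+:tid [0-9]+\] (?:\[client [0-9.:]+\] )?ModSecurity" || exit 0
          # grep -v succeeded => found some lines with invalid format
          exit 1
      - name: Show httpd error log
        if: always()
        run: sudo cat /var/log/apache2/error.log
      - name: Show mod_security2 audit log
        if: always()
        run: sudo cat /var/log/apache2/modsec_audit.log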