From 896dfefcdfb1df85b5b9ccb1e801fbc9f8343abe Mon Sep 17 00:00:00 2001
From: "Thibault \"bui\" Koechlin"
Date: Fri, 12 Jan 2024 14:30:08 +0100
Subject: [PATCH] [appsec] implement count transformation (#2698)

* implement count transfo
---
 pkg/appsec/appsec_rule/modsec_rule_test.go | 10 ++++++++++
 pkg/appsec/appsec_rule/modsecurity.go | 15 ++++++++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/pkg/appsec/appsec_rule/modsec_rule_test.go b/pkg/appsec/appsec_rule/modsec_rule_test.go
index 3c790cfb9..80411411d 100644
--- a/pkg/appsec/appsec_rule/modsec_rule_test.go
+++ b/pkg/appsec/appsec_rule/modsec_rule_test.go
@@ -8,6 +8,16 @@ func TestVPatchRuleString(t *testing.T) {
 rule CustomRule
 expected string
 }{
+ {
+ name: "Collection count",
+ rule: CustomRule{
+ Zones: []string{"ARGS"},
+ Variables: []string{"foo"},
+ Match: match{Type: "eq", Value: "1"},
+ Transform: []string{"count"},
+ },
+ expected: `SecRule &ARGS_GET:foo "@eq 1" "id:853070236,phase:2,deny,log,msg:'Collection count',tag:'crowdsec-Collection count'"`,
+ },
 {
 name: "Base Rule",
 rule: CustomRule{
diff --git a/pkg/appsec/appsec_rule/modsecurity.go b/pkg/appsec/appsec_rule/modsecurity.go
index 1b30cd87e..0b117cd77 100644
--- a/pkg/appsec/appsec_rule/modsecurity.go
+++ b/pkg/appsec/appsec_rule/modsecurity.go
@@ -122,6 +122,16 @@ func (m *ModsecurityRule) buildRules(rule *CustomRule, appsecRuleName string, an
 return ret, nil
 }

+ zone_prefix := ""
+ variable_prefix := ""
+ if rule.Transform != nil {
+ for tidx, transform := range rule.Transform {
+ if transform == "count" {
+ zone_prefix = "&"
+ rule.Transform[tidx] = ""
+ }
+ }
+ }
 for idx, zone := range rule.Zones {
 if idx > 0 {
 r.WriteByte('|')
@@ -137,7 +147,7 @@ func (m *ModsecurityRule) buildRules(rule *CustomRule, appsecRuleName string, an
 if j > 0 {
 r.WriteByte('|')
 }
- r.WriteString(fmt.Sprintf("%s:%s", mappedZone, variable))
+ r.WriteString(fmt.Sprintf("%s%s:%s%s", zone_prefix, mappedZone, variable_prefix, variable))
 }
 }
 }
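Review bot: `rule.Transform[tidx] = ""` in the @@ -122 hunk writes through the `*CustomRule` pointer, so rendering a rule destroys the "count" entry in the caller's Transform slice; if buildRules is ever run twice on the same CustomRule (or the slice is shared between rules), the second render no longer sees "count", silently drops the `&` prefix and emits a plain match instead of a collection count, and the added table case presumably renders once so would not catch it. Leave the input untouched: keep `zone_prefix = "&"` here without the assignment, and skip the pseudo-transform where transforms are emitted with `if transform == "count" { continue }` in place of the `transform == ""` check of the @@ -160 hunk. The names `zone_prefix` and `variable_prefix` should be MixedCaps (`zonePrefix`, `variablePrefix`) per Go convention, and the `if rule.Transform != nil` guard is redundant because ranging over a nil slice is a no-op. buildRules starts and ends outside this hunk.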
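Review bot: In the @@ -137 hunk `variable_prefix` is interpolated into `"%s%s:%s%s"` but nothing in this commit ever assigns it a value other than `""`, so the format string carries a placeholder a reader must trace back to confirm is always empty; either drop it (`r.WriteString(fmt.Sprintf("%s%s:%s", zone_prefix, mappedZone, variable))`) or add a comment on its declaration such as `// variablePrefix is reserved for a future per-variable operator prefix; currently always empty.` If `r` is a strings.Builder or bytes.Buffer, which the surrounding WriteByte calls suggest, `fmt.Fprintf(&r, …)` (or `fmt.Fprintf(r, …)` when r is already a pointer) avoids building an intermediate string. The enclosing loop and buildRules continue outside the hunk.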
@@ -160,6 +170,9 @@ func (m *ModsecurityRule) buildRules(rule *CustomRule, appsecRuleName string, an
 if rule.Transform != nil {
 for _, transform := range rule.Transform {
+ if transform == "" {
+ continue
+ }
 r.WriteByte(',')
 if mappedTransform, ok := transformMap[transform]; ok {
 r.WriteString(mappedTransform)