From f426088b6a9c0d49bf2c9bf11583c1b36ac019b2 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov <vsevolod@highsecure.ru>
Date: Fri, 14 Jun 2019 16:11:52 +0100
Subject: [PATCH] [Project] Implement checks for symbols against allowed ids

---
 src/libmime/filter.c            | 11 +++++--
 src/libserver/rspamd_symcache.c | 55 +++++++++++++++++----------------
 src/libserver/rspamd_symcache.h |  5 +--
 3 files changed, 41 insertions(+), 30 deletions(-)

diff --git a/src/libmime/filter.c b/src/libmime/filter.c
index 3550370ed..39d073b05 100644
--- a/src/libmime/filter.c
+++ b/src/libmime/filter.c
@@ -208,6 +208,13 @@ insert_metric_result (struct rspamd_task *task,
 		}
 	}
 	else {
+		if (sdef->cache_item) {
+			/* Check if we can insert this symbol at all */
+			if (!rspamd_symcache_is_item_allowed (task, sdef->cache_item)) {
+				return NULL;
+			}
+		}
+
 		final_score = (*sdef->weight_ptr) * weight;
 
 		PTR_ARRAY_FOREACH (sdef->groups, i, gr) {
@@ -434,8 +441,8 @@ rspamd_task_insert_result_full (struct rspamd_task *task,
 			flags);
 
 	/* Process cache item */
-	if (task->cfg->cache) {
-		rspamd_symcache_inc_frequency (task->cfg->cache, symbol);
+	if (task->cfg->cache && s->sym) {
+		rspamd_symcache_inc_frequency (task->cfg->cache, s->sym->cache_item);
 	}
 
 	return s;
diff --git a/src/libserver/rspamd_symcache.c b/src/libserver/rspamd_symcache.c
index ac0b8dded..1ae279e73 100644
--- a/src/libserver/rspamd_symcache.c
+++ b/src/libserver/rspamd_symcache.c
@@ -2281,14 +2281,8 @@ rspamd_symcache_start_refresh (struct rspamd_symcache *cache,
 
 void
 rspamd_symcache_inc_frequency (struct rspamd_symcache *cache,
-							   const gchar *symbol)
+							   struct rspamd_symcache_item *item)
 {
-	struct rspamd_symcache_item *item;
-
-	g_assert (cache != NULL);
-
-	item = g_hash_table_lookup (cache->items_by_symbol, symbol);
-
 	if (item != NULL) {
 		g_atomic_int_inc (&item->st->hits);
 	}
@@ -2604,28 +2598,37 @@ rspamd_symcache_is_symbol_enabled (struct rspamd_task *task,
 		item = rspamd_symcache_find_filter (cache, symbol, true);
 
 		if (item) {
-			dyn_item = rspamd_symcache_get_dynamic (checkpoint, item);
-			if (CHECK_START_BIT (checkpoint, dyn_item)) {
+
+			if (!rspamd_symcache_is_item_allowed (task, item)) {
 				ret = FALSE;
 			}
 			else {
-				if (item->specific.normal.condition_cb != -1) {
-					/* We also executes condition callback to check if we need this symbol */
-					L = task->cfg->lua_state;
-					lua_rawgeti (L, LUA_REGISTRYINDEX,
-							item->specific.normal.condition_cb);
-					ptask = lua_newuserdata (L, sizeof (struct rspamd_task *));
-					rspamd_lua_setclass (L, "rspamd{task}", -1);
-					*ptask = task;
-
-					if (lua_pcall (L, 1, 1, 0) != 0) {
-						msg_info_task ("call to condition for %s failed: %s",
-								item->symbol, lua_tostring (L, -1));
-						lua_pop (L, 1);
-					}
-					else {
-						ret = lua_toboolean (L, -1);
-						lua_pop (L, 1);
+				dyn_item = rspamd_symcache_get_dynamic (checkpoint, item);
+				if (CHECK_START_BIT (checkpoint, dyn_item)) {
+					ret = FALSE;
+				}
+				else {
+					if (item->specific.normal.condition_cb != -1) {
+						/*
+						 * We also executes condition callback to check
+						 * if we need this symbol
+						 */
+						L = task->cfg->lua_state;
+						lua_rawgeti (L, LUA_REGISTRYINDEX,
+								item->specific.normal.condition_cb);
+						ptask = lua_newuserdata (L, sizeof (struct rspamd_task *));
+						rspamd_lua_setclass (L, "rspamd{task}", -1);
+						*ptask = task;
+
+						if (lua_pcall (L, 1, 1, 0) != 0) {
+							msg_info_task ("call to condition for %s failed: %s",
+									item->symbol, lua_tostring (L, -1));
+							lua_pop (L, 1);
+						}
+						else {
+							ret = lua_toboolean (L, -1);
+							lua_pop (L, 1);
+						}
 					}
 				}
 			}
diff --git a/src/libserver/rspamd_symcache.h b/src/libserver/rspamd_symcache.h
index fcf3d1c77..b063109a4 100644
--- a/src/libserver/rspamd_symcache.h
+++ b/src/libserver/rspamd_symcache.h
@@ -207,7 +207,7 @@ void rspamd_symcache_start_refresh (struct rspamd_symcache *cache,
  * @param symbol
  */
 void rspamd_symcache_inc_frequency (struct rspamd_symcache *cache,
-									const gchar *symbol);
+									struct rspamd_symcache_item *item);
 
 /**
  * Add dependency relation between two symbols identified by id (source) and
@@ -482,7 +482,8 @@ void rspamd_symcache_process_settings_elt (struct rspamd_symcache *cache,
 										   struct rspamd_config_settings_elt *elt);
 
 /**
- * Check if a symbol is allowed for execution/insertion
+ * Check if a symbol is allowed for execution/insertion, this does not involve
+ * condition scripts to be checked (so it is intended to be fast).
  * @param task
  * @param item
  * @return
-- 
2.39.5