owasp-modsecurity · chweidling · Jun 10, 2026 · Jun 10, 2026
diff --git a/headers/modsecurity/collection/collection.h b/headers/modsecurity/collection/collection.h
@@ -37,6 +37,9 @@ typedef struct Variable_t Variables;
 
 #ifdef __cplusplus
 namespace modsecurity {
+namespace Utils {
+class Regex;
+}
 namespace variables {
 class KeyExclusions;
 }
@@ -69,6 +72,17 @@ class Collection {
         std::vector<const VariableValue *> *l,
         variables::KeyExclusions &ke) = 0;
 
+    /*
+     * Resolve using a regular expression that was already compiled (e.g. the
+     * one held by a VariableRegex). This avoids recompiling - and JIT'ing - the
+     * same pattern on every transaction. The default implementation delegates
+     * to the string overload using the pattern text, so backends that do not
+     * override it keep their previous behaviour.
+     */
+    virtual void resolveRegularExpression(Utils::Regex *r,
+        std::vector<const VariableValue *> *l,
+        variables::KeyExclusions &ke);
+
 
     /* storeOrUpdateFirst */
     virtual bool storeOrUpdateFirst(const std::string &key,

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -240,6 +240,7 @@ UTILS = \
 
 
 COLLECTION = \
+	collection/collection.cc \
 	collection/collections.cc \
 	collection/backend/collection_data.cc \
 	collection/backend/in_memory-per_process.cc \

diff --git a/src/collection/backend/in_memory-per_process.cc b/src/collection/backend/in_memory-per_process.cc
@@ -194,14 +194,22 @@ void InMemoryPerProcess::resolveMultiMatches(const std::string& var,
 
 void InMemoryPerProcess::resolveRegularExpression(const std::string& var,
     std::vector<const VariableValue *> *l, variables::KeyExclusions &ke) {
+    // Callers that do not hold a compiled regex (e.g. the compartment-prefixed
+    // overloads) still pay the compilation cost here.
     Utils::Regex r(var, true);
+    resolveRegularExpression(&r, l, ke);
+}
+
+
+void InMemoryPerProcess::resolveRegularExpression(Utils::Regex *r,
+    std::vector<const VariableValue *> *l, variables::KeyExclusions &ke) {
     std::list<std::string> expiredVars;
 
     {
         const std::shared_lock lock(m_mutex); // read lock (shared access)
 
         for (const auto& x : m_map) {
-            const auto ret = Utils::regex_search(x.first, r);
+            const auto ret = Utils::regex_search(x.first, *r);
             if (ret <= 0) {
                 continue;
             }

diff --git a/src/collection/backend/in_memory-per_process.h b/src/collection/backend/in_memory-per_process.h
@@ -99,6 +99,9 @@ class InMemoryPerProcess :
     void resolveRegularExpression(const std::string& var,
         std::vector<const VariableValue *> *l,
         variables::KeyExclusions &ke) override;
+    void resolveRegularExpression(Utils::Regex *r,
+        std::vector<const VariableValue *> *l,
+        variables::KeyExclusions &ke) override;
 
     /* store */
     virtual void store(const std::string &key, std::string &compartment,

diff --git a/src/collection/collection.cc b/src/collection/collection.cc
@@ -0,0 +1,39 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2026 OWASP ModSecurity project
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact OWASP.
+ * directly using the email address modsecurity@owasp.org.
+ *
+ */
+
+
+#include "modsecurity/collection/collection.h"
+
+#include <string>
+#include <vector>
+
+#include "src/utils/regex.h"
+
+
+namespace modsecurity {
+namespace collection {
+
+
+void Collection::resolveRegularExpression(Utils::Regex *r,
+    std::vector<const VariableValue *> *l, variables::KeyExclusions &ke) {
+    // Default behaviour: fall back to the string-based resolution using the
+    // pattern carried by the compiled regex. Backends that can take advantage
+    // of the already-compiled regex (e.g. InMemoryPerProcess) override this.
+    resolveRegularExpression(r->pattern, l, ke);
+}
+
+
+}  // namespace collection
+}  // namespace modsecurity
diff --git a/src/variables/tx.h b/src/variables/tx.h
@@ -66,17 +66,14 @@ class Tx_NoDictElement : public Variable {
 class Tx_DictElementRegexp : public VariableRegex {
  public:
     explicit Tx_DictElementRegexp(const std::string &dictElement)
-        : VariableRegex("TX", dictElement),
-        m_dictElement(dictElement) { }
+        : VariableRegex("TX", dictElement) { }
 
     void evaluate(Transaction *t,
         RuleWithActions *rule,
         std::vector<const VariableValue *> *l) override {
         t->m_collections.m_tx_collection->resolveRegularExpression(
-            m_dictElement, l, m_keyExclusion);
+            &m_r, l, m_keyExclusion);
     }
-
-    std::string m_dictElement;
 };
 
 

diff --git a/test/test-cases/regression/variable-tx-regex-precompiled.json b/test/test-cases/regression/variable-tx-regex-precompiled.json
@@ -0,0 +1,78 @@
+[
+  {
+    "enabled": 1,
+    "version_min": 300000,
+    "title": "TX regex variable selector (precompiled regex) - matches in a chained rule",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 123
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "localhost",
+        "User-Agent": "curl/7.38.0",
+        "Content-Length": "0"
+      },
+      "uri": "/test",
+      "method": "GET"
+    },
+    "response": {
+      "headers": {
+        "Content-Type": "text/html",
+        "Content-Length": "8"
+      },
+      "body": ["no need."]
+    },
+    "expected": {
+      "http_code": 403
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecAction \"id:1,phase:1,nolog,pass,setvar:'tx.score_a=1',setvar:'tx.score_b=1',setvar:'tx.other=1'\"",
+      "SecRule REQUEST_URI \"@contains /test\" \"id:2,phase:2,deny,status:403,log,chain\"",
+      "    SecRule TX:/^score_/ \"@eq 1\" \"t:none\""
+    ]
+  },
+  {
+    "enabled": 1,
+    "version_min": 300000,
+    "title": "TX regex variable selector (precompiled regex) - selector excludes non-matching keys",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 123
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "localhost",
+        "User-Agent": "curl/7.38.0",
+        "Content-Length": "0"
+      },
+      "uri": "/test",
+      "method": "GET"
+    },
+    "response": {
+      "headers": {
+        "Content-Type": "text/html",
+        "Content-Length": "8"
+      },
+      "body": ["no need."]
+    },
+    "expected": {
+      "http_code": 200
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecAction \"id:1,phase:1,nolog,pass,setvar:'tx.other=1'\"",
+      "SecRule REQUEST_URI \"@contains /test\" \"id:2,phase:2,deny,status:403,log,chain\"",
+      "    SecRule TX:/^score_/ \"@eq 1\" \"t:none\""
+    ]
+  }
+]