diff --git a/src/maat_expr.c b/src/maat_expr.c index 5f7a4e7..bf46ce0 100644 --- a/src/maat_expr.c +++ b/src/maat_expr.c @@ -671,14 +671,17 @@ static int expr_item_to_expr_rule(struct expr_item *expr_item, char *sub_key_array[MAAT_MAX_EXPR_ITEM_NUM]; int key_left_offset[MAAT_MAX_EXPR_ITEM_NUM]; int key_right_offset[MAAT_MAX_EXPR_ITEM_NUM]; + char tmp_keywords[MAX_KEYWORDS_STR_LEN + 1]; /* -1 means offset no limit, As long as the pattern appears in the scan data, it will hit */ memset(key_left_offset, -1, sizeof(key_left_offset)); memset(key_right_offset, -1, sizeof(key_right_offset)); + memcpy(tmp_keywords, expr_item->keywords, MAX_KEYWORDS_STR_LEN + 1); + switch (expr_item->expr_type) { case EXPR_TYPE_AND: - for (i = 0, pos = expr_item->keywords; ; i++, pos = NULL) { + for (i = 0, pos = tmp_keywords; ; i++, pos = NULL) { tmp = strtok_r_esc(pos, '&', &saveptr); if (NULL == tmp) { break; @@ -698,7 +701,7 @@ static int expr_item_to_expr_rule(struct expr_item *expr_item, sub_expr_cnt = i; break; case EXPR_TYPE_OFFSET: - for (i = 0, pos = expr_item->keywords; ; i++, pos = NULL) { + for (i = 0, pos = tmp_keywords; ; i++, pos = NULL) { tmp = strtok_r_esc(pos, '&', &saveptr); if (NULL == tmp) { break; @@ -741,12 +744,12 @@ static int expr_item_to_expr_rule(struct expr_item *expr_item, break; case EXPR_TYPE_STRING: //AND/OFFSET/STRING type expression use \b to represent blank(' ') sub_expr_cnt = 1; - sub_key_array[0] = expr_item->keywords; + sub_key_array[0] = tmp_keywords; sub_key_array[0] = str_unescape(sub_key_array[0]); break; case EXPR_TYPE_REGEX: //only regex type expression use \s to represent blank(' ') sub_expr_cnt = 1; - sub_key_array[0] = expr_item->keywords; + sub_key_array[0] = tmp_keywords; break; default: log_fatal(logger, MODULE_EXPR, 
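Review bot: In the STRING and REGEX cases `sub_key_array[0]` now points at the stack array `tmp_keywords` (and, if the tokens returned by `strtok_r_esc()` in the AND and OFFSET loops are stored in `sub_key_array[]`, so do those), so every keyword pointer built here stops being valid when expr_item_to_expr_rule returns. The code that fills `expr_rule` lies outside these hunks; it has to copy the bytes rather than keep the pointers, otherwise the caller would read out-of-scope stack memory, and that is worth confirming before merge. The `memcpy` always reads `MAX_KEYWORDS_STR_LEN + 1` bytes from `expr_item->keywords`, which is in bounds only if that member is an array of at least that size; if it is, `memcpy(tmp_keywords, expr_item->keywords, sizeof(tmp_keywords));` together with a `_Static_assert` on the member size would pin the assumption. A comment above the copy, for example `/* parse a private copy so expr_item->keywords is left unmodified */`, would record why the copy exists, assuming that is the intent.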
@@ -917,6 +920,7 @@ int expr_runtime_commit(void *expr_runtime, const char *table_name, for (i = 0; i < rule_cnt; i++) { struct expr_item *expr_item = (struct expr_item *)ex_data_array[i]; struct expr_rule tmp_rule = {0}; + ret = expr_item_to_expr_rule(expr_item, &tmp_rule, expr_rt->logger); if (ret < 0) { continue; diff --git a/test/maat_framework_gtest.cpp b/test/maat_framework_gtest.cpp index 46a8073..8671caf 100644 --- a/test/maat_framework_gtest.cpp +++ b/test/maat_framework_gtest.cpp 
@@ -650,6 +650,68 @@ TEST_F(HsStringScan, BackslashR_N_Escape) {
 state = NULL;
 }
+TEST_F(HsStringScan, BackslashR_N_Escape_IncUpdate) {
+ int ret = 0;
+ long long results[ARRAY_SIZE] = {0};
+ size_t n_hit_result = 0;
+ int thread_id = 0;
+ const char *table_name = "KEYWORDS_TABLE";
+ const char *payload = "html>\\r\\n";
+ struct maat *maat_inst = HsStringScan::_shared_maat_inst;
+ struct maat_state *state = maat_state_new(maat_inst, thread_id);
+
+ int table_id = maat_get_table_id(maat_inst, table_name);
+ ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(results[0], 234);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+ maat_state_reset(state);
+
+ const char *compile_table_name = "COMPILE_DEFAULT";
+ const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
+
+ /* compile table add line */
+ long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
+ ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
+ compile_id, "null", 1, 0);
+ EXPECT_EQ(ret, 1);
+
+ /* group2compile table add line */
+ long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
+ ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
+ group_id, compile_id, 0, table_name, 1, 0);
+ EXPECT_EQ(ret, 1);
+
+ /* expr table add line */
+ long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
+ const char *keywords = "html>\\\\r\\\\n";
+
+ /* EXPR_TYPE_AND MATCH_METHOD_SUB */
+ ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id,
+ group_id, keywords, NULL, 1, 0, 0, 0);
+ EXPECT_EQ(ret, 1);
+
+ sleep(WAIT_FOR_EFFECTIVE_S * 3);
+
+ ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_hit_result, 2);
+ EXPECT_EQ(results[0], 234);
+ EXPECT_EQ(results[1], compile_id);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+
+ maat_state_free(state);
+ state = NULL;
+}
+
 TEST_F(HsStringScan, ExprPlus) {
 long long results[ARRAY_SIZE] = {0};
 size_t n_hit_result = 0;
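Review bot: The rescan checks `results[0]` and `results[1]` after `EXPECT_EQ(n_hit_result, 2)`, which does not stop the test, and `results` is never cleared between calls, so a miss would be reported against values left over from an earlier call; `ASSERT_EQ(n_hit_result, 2);` and a `memset(results, 0, sizeof(results));` before the second `maat_scan_string` would make a failure unambiguous. The compile, group2compile and expr lines added with `MAAT_OP_ADD` are never removed although the test runs on `HsStringScan::_shared_maat_inst`, so any later test in the fixture whose payload matches the new keywords would see an extra hit; removing the lines at the end of the test would keep results independent of test order. The RsStringScan test added in the next hunk has the same body and the same two points, and a shared helper taking the maat instance would keep the two copies in step.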
@@ -1564,6 +1626,68 @@ TEST_F(RsStringScan, BackslashR_N_Escape) {
 state = NULL;
 }
+TEST_F(RsStringScan, BackslashR_N_Escape_IncUpdate) {
+ int ret = 0;
+ long long results[ARRAY_SIZE] = {0};
+ size_t n_hit_result = 0;
+ int thread_id = 0;
+ const char *table_name = "KEYWORDS_TABLE";
+ const char *payload = "html>\\r\\n";
+ struct maat *maat_inst = RsStringScan::_shared_maat_inst;
+ struct maat_state *state = maat_state_new(maat_inst, thread_id);
+
+ int table_id = maat_get_table_id(maat_inst, table_name);
+ ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(results[0], 234);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+ maat_state_reset(state);
+
+ const char *compile_table_name = "COMPILE_DEFAULT";
+ const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
+
+ /* compile table add line */
+ long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
+ ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
+ compile_id, "null", 1, 0);
+ EXPECT_EQ(ret, 1);
+
+ /* group2compile table add line */
+ long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
+ ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
+ group_id, compile_id, 0, table_name, 1, 0);
+ EXPECT_EQ(ret, 1);
+
+ /* expr table add line */
+ long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
+ const char *keywords = "html>\\\\r\\\\n";
+
+ /* EXPR_TYPE_AND MATCH_METHOD_SUB */
+ ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id,
+ group_id, keywords, NULL, 1, 0, 0, 0);
+ EXPECT_EQ(ret, 1);
+
+ sleep(WAIT_FOR_EFFECTIVE_S * 3);
+
+ ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_hit_result, 2);
+ EXPECT_EQ(results[0], 234);
+ EXPECT_EQ(results[1], compile_id);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+
+ maat_state_free(state);
+ state = NULL;
+}
+
 TEST_F(RsStringScan, ExprPlus) {
 long long results[ARRAY_SIZE] = {0};
 size_t n_hit_result = 0;
diff --git a/test/maat_json.json b/test/maat_json.json
index 0ba5e71..6d068dc 100644
--- a/test/maat_json.json
+++ b/test/maat_json.json
@@ -4100,6 +4100,36 @@
 "group_id": 259
 }
 ]
+ },
+ {
+ "compile_id": 234,
+ "service": 0,
+ "action": 0,
+ "do_blacklist": 0,
+ "do_log": 0,
+ "user_region": "Payload escape",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "virtual_table": "KEYWORDS_TABLE",
+ "group_name": "EscapeGroup_234_1",
+ "group_id": 260,
+ "not_flag": 0,
+ "clause_index": 0,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "html>\\\\r\\\\n",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
 }
 ],
 "plugin_table": [