gfwleak/tango-maat
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-20076: 存储转义之前的字符串,避免增量更新时对已转义的规则再次转义

Browse Source
This commit is contained in:
liuchang
2024-04-23 02:33:49 +00:00
committed by 杨威
parent 5c93f40900
commit 56238be701
3 changed files with 162 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/maat_expr.c
View File

@@ -671,14 +671,17 @@ static int expr_item_to_expr_rule(struct expr_item *expr_item,
char *sub_key_array[MAAT_MAX_EXPR_ITEM_NUM];
int key_left_offset[MAAT_MAX_EXPR_ITEM_NUM];
int key_right_offset[MAAT_MAX_EXPR_ITEM_NUM];
char tmp_keywords[MAX_KEYWORDS_STR_LEN + 1];
/* -1 means offset no limit, As long as the pattern appears in the scan data, it will hit */
memset(key_left_offset, -1, sizeof(key_left_offset));
memset(key_right_offset, -1, sizeof(key_right_offset));
memcpy(tmp_keywords, expr_item->keywords, MAX_KEYWORDS_STR_LEN + 1);
switch (expr_item->expr_type) {
case EXPR_TYPE_AND:
for (i = 0, pos = expr_item->keywords; ; i++, pos = NULL) {
for (i = 0, pos = tmp_keywords; ; i++, pos = NULL) {
tmp = strtok_r_esc(pos, '&', &saveptr);
if (NULL == tmp) {
break;
@@ -698,7 +701,7 @@ static int expr_item_to_expr_rule(struct expr_item *expr_item,
sub_expr_cnt = i;
break;
case EXPR_TYPE_OFFSET:
for (i = 0, pos = expr_item->keywords; ; i++, pos = NULL) {
for (i = 0, pos = tmp_keywords; ; i++, pos = NULL) {
tmp = strtok_r_esc(pos, '&', &saveptr);
if (NULL == tmp) {
break;
@@ -741,12 +744,12 @@ static int expr_item_to_expr_rule(struct expr_item *expr_item,
break;
case EXPR_TYPE_STRING: //AND/OFFSET/STRING type expression use \b to represent blank(' ')
sub_expr_cnt = 1;
sub_key_array[0] = expr_item->keywords;
sub_key_array[0] = tmp_keywords;
sub_key_array[0] = str_unescape(sub_key_array[0]);
break;
case EXPR_TYPE_REGEX: //only regex type expression use \s to represent blank(' ')
sub_expr_cnt = 1;
sub_key_array[0] = expr_item->keywords;
sub_key_array[0] = tmp_keywords;
break;
default:
log_fatal(logger, MODULE_EXPR,
@@ -917,6 +920,7 @@ int expr_runtime_commit(void *expr_runtime, const char *table_name,
for (i = 0; i < rule_cnt; i++) {
struct expr_item *expr_item = (struct expr_item *)ex_data_array[i];
struct expr_rule tmp_rule = {0};
ret = expr_item_to_expr_rule(expr_item, &tmp_rule, expr_rt->logger);
if (ret < 0) {
continue;

124
test/maat_framework_gtest.cpp
View File

@@ -650,6 +650,68 @@ TEST_F(HsStringScan, BackslashR_N_Escape) {
state = NULL;
}
TEST_F(HsStringScan, BackslashR_N_Escape_IncUpdate) {
int ret = 0;
long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0;
int thread_id = 0;
const char *table_name = "KEYWORDS_TABLE";
const char *payload = "html>\\r\\n";
struct maat *maat_inst = HsStringScan::_shared_maat_inst;
struct maat_state *state = maat_state_new(maat_inst, thread_id);
int table_id = maat_get_table_id(maat_inst, table_name);
ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
results, ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_HIT);
EXPECT_EQ(results[0], 234);
ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
&n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
maat_state_reset(state);
const char *compile_table_name = "COMPILE_DEFAULT";
const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
/* compile table add line */
long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
compile_id, "null", 1, 0);
EXPECT_EQ(ret, 1);
/* group2compile table add line */
long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
group_id, compile_id, 0, table_name, 1, 0);
EXPECT_EQ(ret, 1);
/* expr table add line */
long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
const char *keywords = "html>\\\\r\\\\n";
/* EXPR_TYPE_AND MATCH_METHOD_SUB */
ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id,
group_id, keywords, NULL, 1, 0, 0, 0);
EXPECT_EQ(ret, 1);
sleep(WAIT_FOR_EFFECTIVE_S * 3);
ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
results, ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_HIT);
EXPECT_EQ(n_hit_result, 2);
EXPECT_EQ(results[0], 234);
EXPECT_EQ(results[1], compile_id);
ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
&n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
maat_state_free(state);
state = NULL;
}
TEST_F(HsStringScan, ExprPlus) {
long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0;
@@ -1564,6 +1626,68 @@ TEST_F(RsStringScan, BackslashR_N_Escape) {
state = NULL;
}
TEST_F(RsStringScan, BackslashR_N_Escape_IncUpdate) {
int ret = 0;
long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0;
int thread_id = 0;
const char *table_name = "KEYWORDS_TABLE";
const char *payload = "html>\\r\\n";
struct maat *maat_inst = RsStringScan::_shared_maat_inst;
struct maat_state *state = maat_state_new(maat_inst, thread_id);
int table_id = maat_get_table_id(maat_inst, table_name);
ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
results, ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_HIT);
EXPECT_EQ(results[0], 234);
ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
&n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
maat_state_reset(state);
const char *compile_table_name = "COMPILE_DEFAULT";
const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
/* compile table add line */
long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
compile_id, "null", 1, 0);
EXPECT_EQ(ret, 1);
/* group2compile table add line */
long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
group_id, compile_id, 0, table_name, 1, 0);
EXPECT_EQ(ret, 1);
/* expr table add line */
long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
const char *keywords = "html>\\\\r\\\\n";
/* EXPR_TYPE_AND MATCH_METHOD_SUB */
ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id,
group_id, keywords, NULL, 1, 0, 0, 0);
EXPECT_EQ(ret, 1);
sleep(WAIT_FOR_EFFECTIVE_S * 3);
ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
results, ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_HIT);
EXPECT_EQ(n_hit_result, 2);
EXPECT_EQ(results[0], 234);
EXPECT_EQ(results[1], compile_id);
ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
&n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
maat_state_free(state);
state = NULL;
}
TEST_F(RsStringScan, ExprPlus) {
long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0;

30
test/maat_json.json
View File

@@ -4100,6 +4100,36 @@
"group_id": 259
}
]
},
{
"compile_id": 234,
"service": 0,
"action": 0,
"do_blacklist": 0,
"do_log": 0,
"user_region": "Payload escape",
"is_valid": "yes",
"groups": [
{
"virtual_table": "KEYWORDS_TABLE",
"group_name": "EscapeGroup_234_1",
"group_id": 260,
"not_flag": 0,
"clause_index": 0,
"regions": [
{
"table_name": "KEYWORDS_TABLE",
"table_type": "expr",
"table_content": {
"keywords": "html>\\\\r\\\\n",
"expr_type": "none",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
}
],
"plugin_table": [