From b634070092bb161b4ee672c2bf214d25ef9bc322 Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 21 Aug 2024 02:20:04 +0000
Subject: [PATCH] remove escape of \b
---
 src/maat_utils.c | 16 ++++-
 test/maat_framework_gtest.cpp | 127 +++++++++++++++++++++++++++++++++-
 test/maat_json.json | 60 +++++++++++++++-
 3 files changed, 196 insertions(+), 7 deletions(-)
diff --git a/src/maat_utils.c b/src/maat_utils.c
index cdc31e3..e3aca86 100644
--- a/src/maat_utils.c
+++ b/src/maat_utils.c
@@ -213,8 +213,20 @@ char *str_unescape(char *s)
 case '&':
 s[j] = '&';
 break;
- case 'b':
- s[j] = ' ';//space,0x20;
+ case '^':
+ s[j] = '^';
+ break;
+ case '$':
+ s[j] = '$';
+ break;
+ case '|':
+ s[j] = '|';
+ break;
+ case '(':
+ s[j] = '(';
+ break;
+ case ')':
+ s[j] = ')';
 break;
 case '\\':
 s[j] = '\\';
diff --git a/test/maat_framework_gtest.cpp b/test/maat_framework_gtest.cpp
index da84bb1..3401865 100644
--- a/test/maat_framework_gtest.cpp
+++ b/test/maat_framework_gtest.cpp
@@ -712,6 +712,31 @@ TEST_F(HsStringScan, BackslashR_N_Escape_IncUpdate) {
 state = NULL;
 }
+TEST_F(HsStringScan, BackslashCtrlCharactor)
+{
+ int ret = 0;
+ long long results[ARRAY_SIZE] = {0};
+ size_t n_hit_result = 0;
+ int thread_id = 0;
+ const char *table_name = "KEYWORDS_TABLE";
+ const char *payload = "()abc^$def|";
+ struct maat *maat_inst = HsStringScan::_shared_maat_inst;
+ struct maat_state *state = maat_state_new(maat_inst, thread_id);
+
+ int table_id = maat_get_table_id(maat_inst, table_name);
+ ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(results[0], 235);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+
+ maat_state_free(state);
+ state = NULL;
+}
+
 TEST_F(HsStringScan, ExprPlus) {
 long long results[ARRAY_SIZE] = {0};
 size_t n_hit_result = 0;
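Review bot: With `case 'b'` removed from the switch in str_unescape, a stored rule that still writes `\b` for a space now reaches whatever the default branch does, and that branch lies outside this hunk. For a rule-matching engine the likely result is a keyword that silently stops matching, so existing rule sets should be migrated, or the unknown escape reported when the rule is loaded. A comment above the switch listing the accepted escapes would make the contract explicit, for example `/* \b is no longer an escape for space: write a literal space in the rule */`. The five added cases each store the character they matched, so they could share one body through fall-through labels.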
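Review bot: `BackslashCtrlCharactor` reads `results[0]` without checking `table_id` or `n_hit_result` first, so a missing table or an unexpected hit count shows up only as a return-code or value mismatch. Add `ASSERT_GT(table_id, 0);` after the `maat_get_table_id` call and `EXPECT_EQ(n_hit_result, 1);` before `EXPECT_EQ(results[0], 235);`, as `HexbinCombineString` in this patch already does. The same applies to the RsStringScan copy at `@@ -1688,6 +1750,31 @@`. The test name also misspells "Character".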
@@ -1039,6 +1064,43 @@ TEST_F(HsStringScan, HexBinCaseSensitive) {
 maat_state_free(state);
 }
+TEST_F(HsStringScan, HexbinCombineString)
+{
+ const char *table_name = "KEYWORDS_TABLE";
+ const char *scan_data1 = "abcd ABCD";
+ const char *scan_data2 = "abcd abCD";
+ struct maat *maat_inst = HsStringScan::_shared_maat_inst;
+ int thread_id = 0;
+
+ int table_id = maat_get_table_id(maat_inst, table_name);
+ ASSERT_GT(table_id, 0);
+
+ long long results[ARRAY_SIZE] = {0};
+ size_t n_hit_result = 0;
+ struct maat_state *state = maat_state_new(maat_inst, thread_id);
+ int ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+
+ maat_state_reset(state);
+
+ ret = maat_scan_string(maat_inst, table_id, scan_data2, strlen(scan_data2),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_hit_result, 1);
+ EXPECT_EQ(results[0], 236);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+
+ maat_state_free(state);
+}
+
 TEST_F(HsStringScan, BugReport20190325) {
 unsigned char scan_data[] = {/* Packet 1 */
 0x01, 0x00, 0x00, 0x00, 0x79, 0x00, 0x00, 0x00,
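Review bot: The first scan in `HexbinCombineString` expects `MAAT_SCAN_OK` for "abcd ABCD" with no comment saying why, and the reason cannot be read from the test alone. Rule 236 in test/maat_json.json has the keyword `cd |6162|`, where 0x61 0x62 is "ab", so the test appears to pin that the hex section matches bytes exactly while the two payloads differ only in case. A line such as `// |6162| is "ab"; the upper-case "AB" must not hit` would record that. The name uses `Hexbin` where the neighbouring test and the fixture's user_region use `HexBin`, and the RsStringScan copy at `@@ -2021,6 +2108,43 @@` repeats both points.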
@@ -1688,6 +1750,31 @@ TEST_F(RsStringScan, BackslashR_N_Escape_IncUpdate) {
 state = NULL;
 }
+TEST_F(RsStringScan, BackslashCtrlCharactor)
+{
+ int ret = 0;
+ long long results[ARRAY_SIZE] = {0};
+ size_t n_hit_result = 0;
+ int thread_id = 0;
+ const char *table_name = "KEYWORDS_TABLE";
+ const char *payload = "()abc^$def|";
+ struct maat *maat_inst = RsStringScan::_shared_maat_inst;
+ struct maat_state *state = maat_state_new(maat_inst, thread_id);
+
+ int table_id = maat_get_table_id(maat_inst, table_name);
+ ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(results[0], 235);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+
+ maat_state_free(state);
+ state = NULL;
+}
+
 TEST_F(RsStringScan, ExprPlus) {
 long long results[ARRAY_SIZE] = {0};
 size_t n_hit_result = 0;
@@ -2021,6 +2108,43 @@ TEST_F(RsStringScan, HexBinCaseSensitive) {
 state = NULL;
 }
+TEST_F(RsStringScan, HexbinCombineString)
+{
+ const char *table_name = "KEYWORDS_TABLE";
+ const char *scan_data1 = "abcd ABCD";
+ const char *scan_data2 = "abcd abCD";
+ struct maat *maat_inst = RsStringScan::_shared_maat_inst;
+ int thread_id = 0;
+
+ int table_id = maat_get_table_id(maat_inst, table_name);
+ ASSERT_GT(table_id, 0);
+
+ long long results[ARRAY_SIZE] = {0};
+ size_t n_hit_result = 0;
+ struct maat_state *state = maat_state_new(maat_inst, thread_id);
+ int ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+
+ maat_state_reset(state);
+
+ ret = maat_scan_string(maat_inst, table_id, scan_data2, strlen(scan_data2),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_hit_result, 1);
+ EXPECT_EQ(results[0], 236);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+
+ maat_state_free(state);
+}
+
 TEST_F(RsStringScan, BugReport20190325) {
 unsigned char scan_data[] = {/* Packet 1 */
 0x01, 0x00, 0x00, 0x00, 0x79, 0x00, 0x00, 0x00,
@@ -6545,7 +6669,6 @@ TEST_F(Policy, CompileEXData) {
 struct rule_ex_param *param = (struct rule_ex_param *)ex_data;
 EXPECT_EQ(param->id, 7799);
- str_unescape(param->name);
 EXPECT_EQ(strcmp(param->name, expect_name), 0);
 maat_state_free(state);
@@ -7715,7 +7838,7 @@ TEST_F(MaatCmd, RuleIDRecycle) {
 TEST_F(MaatCmd, ReturnRuleIDWithDescendingOrder) {
 const char *table_name = "HTTP_URL";
 const char *scan_data = "This string will hit mulptiple rules.";
- const char *keywords = "string\\bwill\\bhit";
+ const char *keywords = "string will hit";
 long long results[ARRAY_SIZE] = {0};
 size_t n_hit_result = 0;
 int thread_id = 0;
diff --git a/test/maat_json.json b/test/maat_json.json
index de8227e..c9961e3 100644
--- a/test/maat_json.json
+++ b/test/maat_json.json
@@ -369,7 +369,7 @@
 "table_name": "HTTP_SIGNATURE",
 "table_type": "expr_plus",
 "table_content": {
- "district": "HtTP\\bUrL",
+ "district": "HtTP UrL",
 "keywords": "abckkk&123",
 "expr_type": "and"
 }
@@ -2342,7 +2342,7 @@
 "table_type": "flag_plus",
 "table_name": "FLAG_PLUS_CONFIG",
 "table_content": {
- "district": "I love\\bChina",
+ "district": "I love China",
 "flag": 30,
 "flag_mask": 14
 }
@@ -2383,7 +2383,7 @@
 "action": 1,
 "do_blacklist": 1,
 "do_log": 1,
- "user_region": "Something:I\\bhave\\ba\\bname,7799",
+ "user_region": "Something:I have a name,7799",
 "compile_table_name": "COMPILE_FIREWALL_DEFAULT",
 "is_valid": "yes",
 "groups": [
@@ -3801,6 +3801,60 @@
 ]
 }
 ]
+ },
+ {
+ "compile_id": 235,
+ "service": 0,
+ "action": 0,
+ "do_blacklist": 0,
+ "do_log": 0,
+ "user_region": "Payload escape",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "virtual_table": "KEYWORDS_TABLE",
+ "group_name": "EscapeGroup_235_1",
+ "group_id": 261,
+ "not_flag": 0,
+ "clause_index": 0,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "\\(\\)abc\\^\\$def\\|",
+ "expr_type": "and"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 236,
+ "service": 0,
+ "action": 0,
+ "do_blacklist": 0,
+ "do_log": 0,
+ "user_region": "StringScan.HexBinCombineString",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "virtual_table": "KEYWORDS_TABLE",
+ "group_name": "236_keywords_group",
+ "group_id": 262,
+ "regions": [
+ {
+ "table_type": "expr",
+ "table_name": "KEYWORDS_TABLE",
+ "table_content": {
+ "keywords": "cd |6162|",
+ "expr_type": "and"
+ }
+ }
+ ]
+ }
+ ]
 }
 ],
 "plugin_table": [
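Review bot: No fixture combines an escaped pipe with a hex section in one keyword, which is the case where unescaping `\|` to `|` could change how the keyword is split; rule 235 covers `\\|` alone and rule 236 covers `|6162|` alone. Whether unescaping runs before or after hex sections are parsed is not visible in this patch, so a rule holding both would pin the intended order. Group 262 also omits `not_flag` and `clause_index`, which group 261 sets explicitly; presumably the defaults apply, but stating them would keep the two entries parallel.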