gfwleak/tango-maat
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

remove escape of \b

Browse Source
This commit is contained in:
root
2024-08-21 02:20:04 +00:00
parent d16a5d3b92
commit b634070092
3 changed files with 196 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/maat_utils.c
View File

@@ -213,8 +213,20 @@ char *str_unescape(char *s)
case '&': case '&':
s[j] = '&'; s[j] = '&';
break; break;
case 'b': case '^':
s[j] = ' ';//space,0x20; s[j] = '^';
break;
case '$':
s[j] = '$';
break;
case '|':
s[j] = '|';
break;
case '(':
s[j] = '(';
break;
case ')':
s[j] = ')';
break; break;
case '\\': case '\\':
s[j] = '\\'; s[j] = '\\';

127
test/maat_framework_gtest.cpp
View File

@@ -712,6 +712,31 @@ TEST_F(HsStringScan, BackslashR_N_Escape_IncUpdate) {
state = NULL; state = NULL;
} }
TEST_F(HsStringScan, BackslashCtrlCharactor)
{
int ret = 0;
long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0;
int thread_id = 0;
const char *table_name = "KEYWORDS_TABLE";
const char *payload = "()abc^$def|";
struct maat *maat_inst = HsStringScan::_shared_maat_inst;
struct maat_state *state = maat_state_new(maat_inst, thread_id);
int table_id = maat_get_table_id(maat_inst, table_name);
ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
results, ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_HIT);
EXPECT_EQ(results[0], 235);
ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
&n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
maat_state_free(state);
state = NULL;
}
TEST_F(HsStringScan, ExprPlus) { TEST_F(HsStringScan, ExprPlus) {
long long results[ARRAY_SIZE] = {0}; long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0; size_t n_hit_result = 0;
@@ -1039,6 +1064,43 @@ TEST_F(HsStringScan, HexBinCaseSensitive) {
maat_state_free(state); maat_state_free(state);
} }
TEST_F(HsStringScan, HexbinCombineString)
{
const char *table_name = "KEYWORDS_TABLE";
const char *scan_data1 = "abcd ABCD";
const char *scan_data2 = "abcd abCD";
struct maat *maat_inst = HsStringScan::_shared_maat_inst;
int thread_id = 0;
int table_id = maat_get_table_id(maat_inst, table_name);
ASSERT_GT(table_id, 0);
long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0;
struct maat_state *state = maat_state_new(maat_inst, thread_id);
int ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1),
results, ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
&n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
maat_state_reset(state);
ret = maat_scan_string(maat_inst, table_id, scan_data2, strlen(scan_data2),
results, ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_HIT);
EXPECT_EQ(n_hit_result, 1);
EXPECT_EQ(results[0], 236);
ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
&n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
maat_state_free(state);
}
TEST_F(HsStringScan, BugReport20190325) { TEST_F(HsStringScan, BugReport20190325) {
unsigned char scan_data[] = {/* Packet 1 */ unsigned char scan_data[] = {/* Packet 1 */
0x01, 0x00, 0x00, 0x00, 0x79, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x79, 0x00, 0x00, 0x00,
@@ -1688,6 +1750,31 @@ TEST_F(RsStringScan, BackslashR_N_Escape_IncUpdate) {
state = NULL; state = NULL;
} }
TEST_F(RsStringScan, BackslashCtrlCharactor)
{
int ret = 0;
long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0;
int thread_id = 0;
const char *table_name = "KEYWORDS_TABLE";
const char *payload = "()abc^$def|";
struct maat *maat_inst = RsStringScan::_shared_maat_inst;
struct maat_state *state = maat_state_new(maat_inst, thread_id);
int table_id = maat_get_table_id(maat_inst, table_name);
ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
results, ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_HIT);
EXPECT_EQ(results[0], 235);
ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
&n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
maat_state_free(state);
state = NULL;
}
TEST_F(RsStringScan, ExprPlus) { TEST_F(RsStringScan, ExprPlus) {
long long results[ARRAY_SIZE] = {0}; long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0; size_t n_hit_result = 0;
@@ -2021,6 +2108,43 @@ TEST_F(RsStringScan, HexBinCaseSensitive) {
state = NULL; state = NULL;
} }
TEST_F(RsStringScan, HexbinCombineString)
{
const char *table_name = "KEYWORDS_TABLE";
const char *scan_data1 = "abcd ABCD";
const char *scan_data2 = "abcd abCD";
struct maat *maat_inst = RsStringScan::_shared_maat_inst;
int thread_id = 0;
int table_id = maat_get_table_id(maat_inst, table_name);
ASSERT_GT(table_id, 0);
long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0;
struct maat_state *state = maat_state_new(maat_inst, thread_id);
int ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1),
results, ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
&n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
maat_state_reset(state);
ret = maat_scan_string(maat_inst, table_id, scan_data2, strlen(scan_data2),
results, ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_HIT);
EXPECT_EQ(n_hit_result, 1);
EXPECT_EQ(results[0], 236);
ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
&n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
maat_state_free(state);
}
TEST_F(RsStringScan, BugReport20190325) { TEST_F(RsStringScan, BugReport20190325) {
unsigned char scan_data[] = {/* Packet 1 */ unsigned char scan_data[] = {/* Packet 1 */
0x01, 0x00, 0x00, 0x00, 0x79, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x79, 0x00, 0x00, 0x00,
@@ -6545,7 +6669,6 @@ TEST_F(Policy, CompileEXData) {
struct rule_ex_param *param = (struct rule_ex_param *)ex_data; struct rule_ex_param *param = (struct rule_ex_param *)ex_data;
EXPECT_EQ(param->id, 7799); EXPECT_EQ(param->id, 7799);
str_unescape(param->name);
EXPECT_EQ(strcmp(param->name, expect_name), 0); EXPECT_EQ(strcmp(param->name, expect_name), 0);
maat_state_free(state); maat_state_free(state);
@@ -7715,7 +7838,7 @@ TEST_F(MaatCmd, RuleIDRecycle) {
TEST_F(MaatCmd, ReturnRuleIDWithDescendingOrder) { TEST_F(MaatCmd, ReturnRuleIDWithDescendingOrder) {
const char *table_name = "HTTP_URL"; const char *table_name = "HTTP_URL";
const char *scan_data = "This string will hit mulptiple rules."; const char *scan_data = "This string will hit mulptiple rules.";
const char *keywords = "string\\bwill\\bhit"; const char *keywords = "string will hit";
long long results[ARRAY_SIZE] = {0}; long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0; size_t n_hit_result = 0;
int thread_id = 0; int thread_id = 0;

60
test/maat_json.json
View File

@@ -369,7 +369,7 @@
"table_name": "HTTP_SIGNATURE", "table_name": "HTTP_SIGNATURE",
"table_type": "expr_plus", "table_type": "expr_plus",
"table_content": { "table_content": {
"district": "HtTP\\bUrL", "district": "HtTP UrL",
"keywords": "abckkk&123", "keywords": "abckkk&123",
"expr_type": "and" "expr_type": "and"
} }
@@ -2342,7 +2342,7 @@
"table_type": "flag_plus", "table_type": "flag_plus",
"table_name": "FLAG_PLUS_CONFIG", "table_name": "FLAG_PLUS_CONFIG",
"table_content": { "table_content": {
"district": "I love\\bChina", "district": "I love China",
"flag": 30, "flag": 30,
"flag_mask": 14 "flag_mask": 14
} }
@@ -2383,7 +2383,7 @@
"action": 1, "action": 1,
"do_blacklist": 1, "do_blacklist": 1,
"do_log": 1, "do_log": 1,
"user_region": "Something:I\\bhave\\ba\\bname,7799", "user_region": "Something:I have a name,7799",
"compile_table_name": "COMPILE_FIREWALL_DEFAULT", "compile_table_name": "COMPILE_FIREWALL_DEFAULT",
"is_valid": "yes", "is_valid": "yes",
"groups": [ "groups": [
@@ -3801,6 +3801,60 @@
] ]
} }
] ]
},
{
"compile_id": 235,
"service": 0,
"action": 0,
"do_blacklist": 0,
"do_log": 0,
"user_region": "Payload escape",
"is_valid": "yes",
"groups": [
{
"virtual_table": "KEYWORDS_TABLE",
"group_name": "EscapeGroup_235_1",
"group_id": 261,
"not_flag": 0,
"clause_index": 0,
"regions": [
{
"table_name": "KEYWORDS_TABLE",
"table_type": "expr",
"table_content": {
"keywords": "\\(\\)abc\\^\\$def\\|",
"expr_type": "and"
}
}
]
}
]
},
{
"compile_id": 236,
"service": 0,
"action": 0,
"do_blacklist": 0,
"do_log": 0,
"user_region": "StringScan.HexBinCombineString",
"is_valid": "yes",
"groups": [
{
"virtual_table": "KEYWORDS_TABLE",
"group_name": "236_keywords_group",
"group_id": 262,
"regions": [
{
"table_type": "expr",
"table_name": "KEYWORDS_TABLE",
"table_content": {
"keywords": "cd |6162|",
"expr_type": "and"
}
}
]
}
]
} }
], ],
"plugin_table": [ "plugin_table": [