authorliuchang <[email protected]>2024-04-23 02:33:49 +0000
committer杨威 <[email protected]>2024-04-23 10:15:33 +0000
commit56238be7018c22a5c5f48a9274b1e30e7df7ed57 (patch)
tree51d605cc3bb8ab06bd18606728d285a47762ee53
parent5c93f409003c2fdde3c1dd3f4c8929d19b83cb5b (diff)
TSG-20076: 存储转义之前的字符串,避免增量更新时对已转义的规则再次转义
-rw-r--r--src/maat_expr.c12
-rw-r--r--test/maat_framework_gtest.cpp124
-rw-r--r--test/maat_json.json30
3 files changed, 162 insertions, 4 deletions
diff --git a/src/maat_expr.c b/src/maat_expr.c
index 5f7a4e7..bf46ce0 100644
--- a/src/maat_expr.c
+++ b/src/maat_expr.c
@@ -671,14 +671,17 @@ static int expr_item_to_expr_rule(struct expr_item *expr_item,
char *sub_key_array[MAAT_MAX_EXPR_ITEM_NUM];
int key_left_offset[MAAT_MAX_EXPR_ITEM_NUM];
int key_right_offset[MAAT_MAX_EXPR_ITEM_NUM];
+ char tmp_keywords[MAX_KEYWORDS_STR_LEN + 1];
/* -1 means offset no limit, As long as the pattern appears in the scan data, it will hit */
memset(key_left_offset, -1, sizeof(key_left_offset));
memset(key_right_offset, -1, sizeof(key_right_offset));
+ memcpy(tmp_keywords, expr_item->keywords, MAX_KEYWORDS_STR_LEN + 1);
+
switch (expr_item->expr_type) {
case EXPR_TYPE_AND:
- for (i = 0, pos = expr_item->keywords; ; i++, pos = NULL) {
+ for (i = 0, pos = tmp_keywords; ; i++, pos = NULL) {
tmp = strtok_r_esc(pos, '&', &saveptr);
if (NULL == tmp) {
break;
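Review bot: After this change every `sub_key_array[]` entry points into the stack buffer `tmp_keywords` instead of the longer-lived `expr_item->keywords`, so the part of `expr_item_to_expr_rule` outside this hunk must copy each sub-key into `expr_rule` rather than keep the pointer. That code is not visible here; if it stores the pointers, they dangle once the function returns to `expr_runtime_commit`. A comment at the declaration would record the constraint, e.g. `/* scratch copy: tokenising/unescaping is destructive; sub_key_array[] points here and must be copied before return */`. Separately, the `memcpy` always reads `MAX_KEYWORDS_STR_LEN + 1` bytes and assumes `keywords` is an array of at least that size. If it is a pointer or a shorter buffer this over-reads, and a bounded string copy such as `snprintf(tmp_keywords, sizeof(tmp_keywords), "%s", expr_item->keywords);` avoids that and guarantees termination. The same buffer is used in the EXPR_TYPE_OFFSET, EXPR_TYPE_STRING and EXPR_TYPE_REGEX hunks below.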
@@ -698,7 +701,7 @@ static int expr_item_to_expr_rule(struct expr_item *expr_item,
sub_expr_cnt = i;
break;
case EXPR_TYPE_OFFSET:
- for (i = 0, pos = expr_item->keywords; ; i++, pos = NULL) {
+ for (i = 0, pos = tmp_keywords; ; i++, pos = NULL) {
tmp = strtok_r_esc(pos, '&', &saveptr);
if (NULL == tmp) {
break;
@@ -741,12 +744,12 @@ static int expr_item_to_expr_rule(struct expr_item *expr_item,
break;
case EXPR_TYPE_STRING: //AND/OFFSET/STRING type expression use \b to represent blank(' ')
sub_expr_cnt = 1;
- sub_key_array[0] = expr_item->keywords;
+ sub_key_array[0] = tmp_keywords;
sub_key_array[0] = str_unescape(sub_key_array[0]);
break;
case EXPR_TYPE_REGEX: //only regex type expression use \s to represent blank(' ')
sub_expr_cnt = 1;
- sub_key_array[0] = expr_item->keywords;
+ sub_key_array[0] = tmp_keywords;
break;
default:
log_fatal(logger, MODULE_EXPR,
@@ -917,6 +920,7 @@ int expr_runtime_commit(void *expr_runtime, const char *table_name,
for (i = 0; i < rule_cnt; i++) {
struct expr_item *expr_item = (struct expr_item *)ex_data_array[i];
struct expr_rule tmp_rule = {0};
+
ret = expr_item_to_expr_rule(expr_item, &tmp_rule, expr_rt->logger);
if (ret < 0) {
continue;
diff --git a/test/maat_framework_gtest.cpp b/test/maat_framework_gtest.cpp
index 46a8073..8671caf 100644
--- a/test/maat_framework_gtest.cpp
+++ b/test/maat_framework_gtest.cpp
@@ -650,6 +650,68 @@ TEST_F(HsStringScan, BackslashR_N_Escape) {
state = NULL;
}
+TEST_F(HsStringScan, BackslashR_N_Escape_IncUpdate) {
+ int ret = 0;
+ long long results[ARRAY_SIZE] = {0};
+ size_t n_hit_result = 0;
+ int thread_id = 0;
+ const char *table_name = "KEYWORDS_TABLE";
+ const char *payload = "html>\\r\\n";
+ struct maat *maat_inst = HsStringScan::_shared_maat_inst;
+ struct maat_state *state = maat_state_new(maat_inst, thread_id);
+
+ int table_id = maat_get_table_id(maat_inst, table_name);
+ ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(results[0], 234);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+ maat_state_reset(state);
+
+ const char *compile_table_name = "COMPILE_DEFAULT";
+ const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
+
+ /* compile table add line */
+ long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
+ ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
+ compile_id, "null", 1, 0);
+ EXPECT_EQ(ret, 1);
+
+ /* group2compile table add line */
+ long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
+ ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
+ group_id, compile_id, 0, table_name, 1, 0);
+ EXPECT_EQ(ret, 1);
+
+ /* expr table add line */
+ long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
+ const char *keywords = "html>\\\\r\\\\n";
+
+ /* EXPR_TYPE_AND MATCH_METHOD_SUB */
+ ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id,
+ group_id, keywords, NULL, 1, 0, 0, 0);
+ EXPECT_EQ(ret, 1);
+
+ sleep(WAIT_FOR_EFFECTIVE_S * 3);
+
+ ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_hit_result, 2);
+ EXPECT_EQ(results[0], 234);
+ EXPECT_EQ(results[1], compile_id);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+
+ maat_state_free(state);
+ state = NULL;
+}
+
TEST_F(HsStringScan, ExprPlus) {
long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0;
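Review bot: In `BackslashR_N_Escape_IncUpdate` the check `EXPECT_EQ(n_hit_result, 2);` is non-fatal, so if the incremental update has not taken effect the test still compares `results[1]`, which is never cleared between the two scans. Use `ASSERT_EQ(n_hit_result, 2);` before indexing, and also assert the hit count after the first scan, e.g. `ASSERT_EQ(n_hit_result, 1);`, so the baseline is pinned. The outcome also depends on the fixed `sleep(WAIT_FOR_EFFECTIVE_S * 3)`, and the rows added to the shared `_shared_maat_inst` are not removed, so later tests that scan `KEYWORDS_TABLE` may see them; a short comment saying why that is acceptable would help. The `RsStringScan` copy in the next hunk has the same issues.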
@@ -1564,6 +1626,68 @@ TEST_F(RsStringScan, BackslashR_N_Escape) {
state = NULL;
}
+TEST_F(RsStringScan, BackslashR_N_Escape_IncUpdate) {
+ int ret = 0;
+ long long results[ARRAY_SIZE] = {0};
+ size_t n_hit_result = 0;
+ int thread_id = 0;
+ const char *table_name = "KEYWORDS_TABLE";
+ const char *payload = "html>\\r\\n";
+ struct maat *maat_inst = RsStringScan::_shared_maat_inst;
+ struct maat_state *state = maat_state_new(maat_inst, thread_id);
+
+ int table_id = maat_get_table_id(maat_inst, table_name);
+ ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(results[0], 234);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+ maat_state_reset(state);
+
+ const char *compile_table_name = "COMPILE_DEFAULT";
+ const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
+
+ /* compile table add line */
+ long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
+ ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
+ compile_id, "null", 1, 0);
+ EXPECT_EQ(ret, 1);
+
+ /* group2compile table add line */
+ long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
+ ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
+ group_id, compile_id, 0, table_name, 1, 0);
+ EXPECT_EQ(ret, 1);
+
+ /* expr table add line */
+ long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
+ const char *keywords = "html>\\\\r\\\\n";
+
+ /* EXPR_TYPE_AND MATCH_METHOD_SUB */
+ ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id,
+ group_id, keywords, NULL, 1, 0, 0, 0);
+ EXPECT_EQ(ret, 1);
+
+ sleep(WAIT_FOR_EFFECTIVE_S * 3);
+
+ ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_hit_result, 2);
+ EXPECT_EQ(results[0], 234);
+ EXPECT_EQ(results[1], compile_id);
+
+ ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
+ &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_OK);
+
+ maat_state_free(state);
+ state = NULL;
+}
+
TEST_F(RsStringScan, ExprPlus) {
long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0;
diff --git a/test/maat_json.json b/test/maat_json.json
index 0ba5e71..6d068dc 100644
--- a/test/maat_json.json
+++ b/test/maat_json.json
@@ -4100,6 +4100,36 @@
"group_id": 259
}
]
+ },
+ {
+ "compile_id": 234,
+ "service": 0,
+ "action": 0,
+ "do_blacklist": 0,
+ "do_log": 0,
+ "user_region": "Payload escape",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "virtual_table": "KEYWORDS_TABLE",
+ "group_name": "EscapeGroup_234_1",
+ "group_id": 260,
+ "not_flag": 0,
+ "clause_index": 0,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "html>\\\\r\\\\n",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
}
],
"plugin_table": [