authorliuwentan <[email protected]>2023-10-25 15:36:05 +0800
committerliuwentan <[email protected]>2023-10-25 15:36:05 +0800
commit9f7c82e6b0980ee8a9050eb44b381b45052fa8a7 (patch)
tree534046462341a199ceeec11590ff496029b5071d
parentedab9520bd2a7f628cee39d3933afc4671d26c46 (diff)
[PATCH]support \r\n escape
-rw-r--r--src/maat_utils.c6
-rw-r--r--test/maat_framework_gtest.cpp40
-rw-r--r--test/maat_json.json29
3 files changed, 75 insertions, 0 deletions
diff --git a/src/maat_utils.c b/src/maat_utils.c
index 9f91322..6e1c84a 100644
--- a/src/maat_utils.c
+++ b/src/maat_utils.c
@@ -219,6 +219,12 @@ char *str_unescape(char *s)
case '\\':
s[j] = '\\';
break;
+ case 'r':
+ s[j] = '\r';
+ break;
+ case 'n':
+ s[j] = '\n';
+ break;
default:
s[j] = s[i];
i--; //undo the followed i++
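Review bot: The new `case 'r'` and `case 'n'` branches change how already-deployed rules decode. Going by the `default` branch, a backslash followed by `r` or `n` was previously kept as two literal characters, so an existing keyword containing such a pair (a Windows path like `C:\new`, as a constructed example) would now compile to a CR or LF byte and silently stop matching the traffic it was written for. Existing rule sets should be checked for `\r` and `\n` pairs before this is rolled out, and the escape set should be documented above `str_unescape`, e.g. `/* \r -> CR, \n -> LF; write \\r or \\n for a literal backslash followed by r or n */`. The switch and the function body start and end outside the hunk, so how the switched character is selected, and whether regex-format expressions also pass through this function, cannot be confirmed from these lines.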
diff --git a/test/maat_framework_gtest.cpp b/test/maat_framework_gtest.cpp
index 044e8e6..8d292c1 100644
--- a/test/maat_framework_gtest.cpp
+++ b/test/maat_framework_gtest.cpp
@@ -811,6 +811,26 @@ TEST_F(MaatHsStringScan, Regex) {
state = NULL;
}
+TEST_F(MaatHsStringScan, BackslashR_N_Escape) {
+ int ret = 0;
+ long long results[ARRAY_SIZE] = {0};
+ size_t n_hit_result = 0;
+ int thread_id = 0;
+ const char *table_name = "KEYWORDS_TABLE";
+ const char *payload = "GET / HTTP/1.1\r\nHost: www.baidu.com\r\n\r\n";
+ struct maat *maat_inst = MaatHsStringScan::_shared_maat_inst;
+ struct maat_state *state = maat_state_new(maat_inst, thread_id);
+
+ int table_id = maat_get_table_id(maat_inst, table_name);
+ ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(results[0], 225);
+
+ maat_state_free(state);
+ state = NULL;
+}
+
TEST_F(MaatHsStringScan, ExprPlus) {
long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0;
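Review bot: `BackslashR_N_Escape` only proves the positive case: nothing checks that a payload carrying the literal characters backslash-r backslash-n does not hit rule 225, or that a keyword written with `\\r` still matches a literal backslash followed by `r`. For a matching engine, that negative case is what guards against false hits and missed detections once the escape set grows. The test also reads `results[0]` without looking at `n_hit_result`; adding `ASSERT_GE(n_hit_result, 1u);` before `EXPECT_EQ(results[0], 225);` makes a miss fail with a clear message, and if other KEYWORDS_TABLE rules can hit this payload the check should search the results for 225 rather than assume index 0. The same applies to the `MaatRsStringScan` copy in the next hunk.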
@@ -1531,6 +1551,26 @@ TEST_F(MaatRsStringScan, Regex) {
state = NULL;
}
+TEST_F(MaatRsStringScan, BackslashR_N_Escape) {
+ int ret = 0;
+ long long results[ARRAY_SIZE] = {0};
+ size_t n_hit_result = 0;
+ int thread_id = 0;
+ const char *table_name = "KEYWORDS_TABLE";
+ const char *payload = "GET / HTTP/1.1\r\nHost: www.baidu.com\r\n\r\n";
+ struct maat *maat_inst = MaatRsStringScan::_shared_maat_inst;
+ struct maat_state *state = maat_state_new(maat_inst, thread_id);
+
+ int table_id = maat_get_table_id(maat_inst, table_name);
+ ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload),
+ results, ARRAY_SIZE, &n_hit_result, state);
+ EXPECT_EQ(ret, MAAT_SCAN_HIT);
+ EXPECT_EQ(results[0], 225);
+
+ maat_state_free(state);
+ state = NULL;
+}
+
TEST_F(MaatRsStringScan, ExprPlus) {
long long results[ARRAY_SIZE] = {0};
size_t n_hit_result = 0;
diff --git a/test/maat_json.json b/test/maat_json.json
index 72084d5..a0f1d82 100644
--- a/test/maat_json.json
+++ b/test/maat_json.json
@@ -3845,6 +3845,35 @@
]
}
]
+ },
+ {
+ "compile_id": 225,
+ "service": 0,
+ "action": 0,
+ "do_blacklist": 0,
+ "do_log": 0,
+ "user_region": "Payload escape",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name": "EscapeGroup_225_1",
+ "virtual_table": "KEYWORDS_TABLE",
+ "not_flag": 0,
+ "clause_index": 0,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "GET\\b/\\bHTTP/1.1\\r\\nHost:\\bwww.baidu.com\\r\\n\\r\\n",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
}
],
"plugin_table": [