Pull request #3525: http_inspect: script tag type check

Merge in SNORT/snort3 from ~ASERBENI/snort3:script_mime to master

Squashed commit of the following:

commit 8b16e57c27cc3ce8dfce56fbe29a8876f8eadb2d
Author: Andrii Serbeniuk <aserbeni@cisco.com>
Date:   Fri Jul 22 13:10:35 2022 +0300

    http_inspect: add more explicit js type values to otag type check

diff --git a/src/service_inspectors/http_inspect/http_js_norm.cc b/src/service_inspectors/http_inspect/http_js_norm.cc
index 5ce25cead2805597173fce283e2f69143274b4d6..d9e9b4792e7ff6a0a51c840f484db581e972daa4 100644 (file)
--- a/src/service_inspectors/http_inspect/http_js_norm.cc
+++ b/src/service_inspectors/http_inspect/http_js_norm.cc
@@ -109,19 +109,52 @@ void HttpJsNorm::configure()
     static constexpr const char* attr_slash = "/";
     static constexpr const char* attr_gt = ">";
     static constexpr const char* attr_src = "SRC";
-    static constexpr const char* attr_js1 = "JAVASCRIPT";
-    static constexpr const char* attr_js2 = "ECMASCRIPT";
-    static constexpr const char* attr_vb = "VBSCRIPT";
+
+    static constexpr const char* attr_js = "JAVASCRIPT";    // legacy only
+    static constexpr const char* attr_ecma = "ECMASCRIPT";  // legacy only
+    static constexpr const char* attr_vb = "VBSCRIPT";      // legacy only
+
+    static constexpr const size_t attrs_js_size = 15;
+    static constexpr const char* attrs_js[attrs_js_size] =
+    {
+        "APPLICATION/JAVASCRIPT",
+        "APPLICATION/ECMASCRIPT",
+        "APPLICATION/X-JAVASCRIPT",
+        "APPLICATION/X-ECMASCRIPT",
+        "TEXT/JAVASCRIPT",
+        "TEXT/JAVASCRIPT1.0",
+        "TEXT/JAVASCRIPT1.1",
+        "TEXT/JAVASCRIPT1.2",
+        "TEXT/JAVASCRIPT1.3",
+        "TEXT/JAVASCRIPT1.4",
+        "TEXT/JAVASCRIPT1.5",
+        "TEXT/ECMASCRIPT",
+        "TEXT/X-JAVASCRIPT",
+        "TEXT/X-ECMASCRIPT",
+        "TEXT/JSCRIPT"
+    };
+
+    static constexpr const size_t attrs_non_js_size = 2;
+    static constexpr const char* attrs_non_js[attrs_non_js_size] =
+    {
+        "TEXT/VBSCRIPT",
+        "APPLICATION/JSON"
+    };
 
     mpse_otag->add(otag_start, strlen(otag_start), 0);
+
     mpse_attr->add(attr_slash, strlen(attr_slash), AID_SLASH);
     mpse_attr->add(attr_gt, strlen(attr_gt), AID_GT);
     mpse_attr->add(attr_src, strlen(attr_src), AID_SRC);
-    mpse_attr->add(attr_js1, strlen(attr_js1), AID_JS);
-    mpse_attr->add(attr_js2, strlen(attr_js2), AID_ECMA);
-    mpse_attr->add(attr_vb, strlen(attr_vb), AID_VB);
-    mpse_type->add(attr_js1, strlen(attr_js1), AID_JS);
-    mpse_type->add(attr_js2, strlen(attr_js2), AID_ECMA);
+
+    for (unsigned i = 0; i < attrs_js_size; ++i)
+        mpse_attr->add(attrs_js[i], strlen(attrs_js[i]), AID_JS);
+
+    for (unsigned i = 0; i < attrs_non_js_size; ++i)
+        mpse_attr->add(attrs_non_js[i], strlen(attrs_non_js[i]), AID_NON_JS);
+
+    mpse_type->add(attr_js, strlen(attr_js), AID_JS);
+    mpse_type->add(attr_ecma, strlen(attr_ecma), AID_ECMA);
     mpse_type->add(attr_vb, strlen(attr_vb), AID_VB);
 
     mpse_otag->prep();
@@ -556,11 +589,7 @@ int HttpJsNorm::match_attr(void* pid, void*, int index, void* sctx, void*)
         ctx->is_javascript = true;
         return 0;
 
-    case AID_ECMA:
-        ctx->is_javascript = true;
-        return 0;
-
-    case AID_VB:
+    case AID_NON_JS:
         ctx->is_javascript = false;
         return 0;
 

diff --git a/src/service_inspectors/http_inspect/http_js_norm.h b/src/service_inspectors/http_inspect/http_js_norm.h
index e6261fd9d4796e61f7f0a02814df2439be92a243..d8550a157a28d16cea56dacbfe6e516529c2ffaa 100644 (file)
--- a/src/service_inspectors/http_inspect/http_js_norm.h
+++ b/src/service_inspectors/http_inspect/http_js_norm.h
@@ -51,7 +51,7 @@ public:
     void configure();
 
 private:
-    enum AttrId { AID_SLASH, AID_GT, AID_SRC, AID_JS, AID_ECMA, AID_VB };
+    enum AttrId { AID_SLASH, AID_GT, AID_SRC, AID_JS, AID_NON_JS, AID_ECMA, AID_VB };
 
     struct MatchContext
     {