Pull request #3412: Hardening JS Normalizer.
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Fri, 6 May 2022 17:51:06 +0000 (17:51 +0000)
committerMike Stepanek (mstepane) <mstepane@cisco.com>
Fri, 6 May 2022 17:51:06 +0000 (17:51 +0000)
Merge in SNORT/snort3 from ~OSHUMEIK/snort3:js_unescape_tracking to master

Squashed commit of the following:

commit 8120cbb49d9ba15b395cc9eb64b7766fb466f5f9
Author: Oleksii Shumeiko <oshumeik@cisco.com>
Date:   Wed May 4 19:54:30 2022 +0300

    utils: turn debug-build assertion into a product-build code

    This removes a redundant assert and adds a test to show that such input could be handled.

src/utils/js_tokenizer.l
src/utils/test/js_unescape_test.cc

index 24c5f78af68042e3f55604a51d16f3ddf9f21ef1..fea92f9ee2bba21e0dd808d53bb57f578337d9ee 100644 (file)
@@ -1933,22 +1933,18 @@ JSTokenizer::FuncType JSTokenizer::detect_func_type()
         return FuncType::GENERAL;
 
     case IDENTIFIER:
-    {
-        FuncType ret = FuncType::GENERAL;
-
-        if (meta_type() == ScopeMetaType::FUNCTION)
-            return ret;
+        if (meta_type() == ScopeMetaType::FUNCTION or ignored_id_pos < 0)
+            return FuncType::GENERAL;
 
-        if (ignored_id_pos >= 0)
         {
+            char tail[256];
             std::streambuf* pbuf = yyout.rdbuf();
             std::streamsize size = pbuf->pubseekoff(0, yyout.cur, yyout.out) - ignored_id_pos;
-            assert(size >= 0);
 
-            char tail[256];
-            assert((size_t)size <= sizeof(tail));
-            size = std::min((size_t)size, sizeof(tail));
+            if (size <= 0)
+                return FuncType::GENERAL;
 
+            size = std::min((size_t)size, sizeof(tail));
             pbuf->pubseekoff(-size, yyout.cur, yyout.out);
             pbuf->sgetn(tail, size);
 
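Review bot: The result of `pbuf->sgetn(tail, size)` is discarded while `tail` is an uninitialized stack array, so a short read would leave the `memcmp` in the next hunk comparing indeterminate bytes against the identifier list. Since this commit moves the size checks from debug asserts into product code, the read deserves the same treatment, e.g. `if (pbuf->sgetn(tail, size) != size) return FuncType::GENERAL;`, restoring the output position on that path if needed. The `pubseekoff(-size, ...)` just before it is likewise not checked for failure. Whether the stream buffer behind `yyout` can actually fail here is not visible from the hunk. detect_func_type() starts before this hunk and the block continues into the next one.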
@@ -1957,15 +1953,13 @@ JSTokenizer::FuncType JSTokenizer::detect_func_type()
                 if ((unsigned)size == (unsigned)id.identifier.size() &&
                     memcmp(tail, id.identifier.data(), size) == 0)
                 {
-                    ret = id.type;
                     pbuf->pubseekoff(-size, yyout.cur, yyout.out);
-
-                    break;
+                    return id.type;
                 }
             }
+
+            return FuncType::GENERAL;
         }
-        return ret;
-    }
 
     default:
         return FuncType::NOT_FUNC;
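Review bot: The length test `(unsigned)size == (unsigned)id.identifier.size()` runs on the clamped `size`, so for a tail longer than `sizeof(tail)` the loop can only fall through to `return FuncType::GENERAL;`, and that intent is not written down anywhere. A short comment before the loop would record it, for example `// a tail clamped to sizeof(tail) is longer than any ignored identifier, so it never matches`, assuming no listed identifier reaches 256 bytes. The loop header lies between the two hunks and is not visible here.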
index ee58b113774130c9bdc10211e3ce8e6570cdcb44..64833687cac8acf88053f7d58ebe5ce4256e9e47 100644 (file)
@@ -1288,5 +1288,30 @@ TEST_CASE("Mixed input", "[JSNormalizer]")
     }
 }
 
+TEST_CASE("Internal limits", "[JSNormalizer]")
+{
+    SECTION("output tail size")
+    {
+        test_normalization(
+            "function v(e){return new String(/^(?:(?:(?:https?|ftp):)?\\/\\/)(?"
+            ":\\S+(?::\\S*)?@)?(?:(?!(?:10|127)(?:\\.\\d{1,3}){3})(?!(?:169\\.2"
+            "54|192\\.168)(?:\\.\\d{1,3}){2})(?!172\\.(?:1[6-9]|2\\d|3[0-1])(?:"
+            "\\.\\d{1,3}){2})(?:[1-9]\\d?|1\\d\\d|2[01]\\d|22[0-3])(?:\\.(?:1?"
+            "\\d{1,2}|2[0-4]\\d|25[0-5])){2}(?:\\.(?:[1-9]\\d?|1\\d\\d|2[0-4]\\"
+            "d|25[0-4]))|(?:(?:[a-z 0-9\\u0061-\\u007a][a-z 0-9\\u0061-\\u007a_"
+            "-]{0,62})?[a-z 0-9\\u0061-\\u007a]\\.)+(?:[a-z \\u0061-\\u007a]{2,"
+            "}\\.?))(?::\\d{2,5})?(?:[/?#]\\S*)?$/i).test(e)}",
+            "function var_0000(var_0001){return new String(/^(?:(?:(?:https?|ft"
+            "p):)?\\/\\/)(?:\\S+(?::\\S*)?@)?(?:(?!(?:10|127)(?:\\.\\d{1,3}){3}"
+            ")(?!(?:169\\.254|192\\.168)(?:\\.\\d{1,3}){2})(?!172\\.(?:1[6-9]|2"
+            "\\d|3[0-1])(?:\\.\\d{1,3}){2})(?:[1-9]\\d?|1\\d\\d|2[01]\\d|22[0-3"
+            "])(?:\\.(?:1?\\d{1,2}|2[0-4]\\d|25[0-5])){2}(?:\\.(?:[1-9]\\d?|1\\"
+            "d\\d|2[0-4]\\d|25[0-4]))|(?:(?:[a-z 0-9a-z][a-z 0-9a-z_-]{0,62})?["
+            "a-z 0-9a-z]\\.)+(?:[a-z a-z]{2,}\\.?))(?::\\d{2,5})?(?:[/?#]\\S*)?"
+            "$/i).test(var_0001)}"
+        );
+    }
+}
+
 #endif // CATCH_TEST_BUILD
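Review bot: The "output tail size" section does not say which limit it exercises. The input appears chosen so that the output written since `ignored_id_pos` exceeds the 256-byte `tail` buffer in detect_func_type(), but nothing ties the test to that constant. A comment such as `// output after the ignored identifier is longer than the 256-byte tail buffer in JSTokenizer::detect_func_type()` would keep the test meaningful if the buffer size changes. The new `size <= 0` early return that replaced `assert(size >= 0)` has no section of its own; a case covering it would complete the change, if such an input can be constructed.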