Pull request #3441: JSN: disabled 119:267 alert for single line comments
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Tue, 31 May 2022 14:52:35 +0000 (14:52 +0000)
committerMike Stepanek (mstepane) <mstepane@cisco.com>
Tue, 31 May 2022 14:52:35 +0000 (14:52 +0000)
Merge in SNORT/snort3 from ~ASERBENI/snort3:comment_end_tag to master

Squashed commit of the following:

commit 3b00f92820e2e658e1d1088aadf0a2155da86a14
Author: Andrii Serbeniuk <aserbeni@cisco.com>
Date:   Wed May 25 14:24:06 2022 +0300

    utils: allow script closing tag in single-line comments

    A closing tag placed in a single line comment will end the inline script

src/service_inspectors/http_inspect/dev_notes.txt
src/utils/js_tokenizer.l
src/utils/test/js_normalizer_test.cc

index 1faa274148433e810f230fd6b0e0ee68dec190f2..be626dbb3bacd44cd7071f906d4100ce8296b5f6 100755 (executable)
@@ -320,7 +320,7 @@ JS Normalizer's syntax parser follows ECMA-262 standard. For various features,
 tracking of variable scope and individual brackets is done in accordance to the standard.
 Additionally, Normalizer enforces standard limits on HTML content in JavaScript:
  * no nesting tags allowed, i.e. two opening tags in a row
- * script closing tag is not allowed in string literal, comment, regular expression literal, etc.
+ * script closing tag is not allowed in string literals, block comments, regular expression literals, etc.
 
 If source JavaScript is syntactically incorrect (containing a bad token, brackets mismatch,
 HTML-tags, etc) Normalizer fires corresponding built-in rule and abandons the current script,
index 4a1ab9228fdd75dafadaa8908931133b55465d40..ae3a832d03b9f8285663d4f8b2fa854e633c0997 100644 (file)
@@ -1084,10 +1084,11 @@ ALL_UNICODE    [\0-\x7F]|[\xC2-\xDF][\x80-\xBF]|(\xE0[\xA0-\xBF]|[\xE1-\xEF][\x8
 <char_code>{LINE_COMMENT_START}               { BEGIN(char_code_lcomm); }
 <lcomm>{LINE_COMMENT_END1}                    { BEGIN(regst); newline_found = true; }
 <lcomm>{LINE_COMMENT_END2}                    { BEGIN(regst); newline_found = true; }
+<lcomm>{LINE_COMMENT_END4}                    { if (!ext_script) { BEGIN(regst); EXEC(html_closing_script_tag()) } }
 <char_code_lcomm>{LINE_COMMENT_END1}          { BEGIN(char_code); newline_found = true; }
 <char_code_lcomm>{LINE_COMMENT_END2}          { BEGIN(char_code); newline_found = true; }
+<char_code_lcomm>{LINE_COMMENT_END4}          { if (!ext_script) { BEGIN(regst); RETURN(CLOSING_TAG) } }
 <lcomm,char_code_lcomm>{LINE_COMMENT_END3}    { if (!ext_script) { BEGIN(regst); RETURN(OPENING_TAG) } }
-<lcomm,char_code_lcomm>{LINE_COMMENT_END4}    { if (!ext_script) { BEGIN(regst); RETURN(CLOSING_TAG) } }
 <lcomm,char_code_lcomm>{LINE_COMMENT_SKIP}    { /* skip */ }
 <lcomm,char_code_lcomm><<EOF>>                { RETURN(SCRIPT_CONTINUE) }
 
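Review bot: The two `LINE_COMMENT_END4` rules now take different actions and nothing in the rule block says why. In `lcomm` the closing tag ends the script through `html_closing_script_tag()`, while in `char_code_lcomm` it still returns `CLOSING_TAG`, so the same `//` comment presumably still raises 119:267 in one state and not in the other. If that is deliberate, record it in a comment next to the second rule, for example `/* inside char-code processing a closing tag in a line comment is still reported; only a plain line comment ends the script */`, and name the remaining case in the dev_notes bullet. If it is not deliberate, the `char_code_lcomm` rule presumably wants the same `EXEC(html_closing_script_tag())` action. Both rules consume the match with no action when `ext_script` is set, which the comment should mention too.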
index f0b6c4c01cf89a33889a8db4657e3fa6c0ea11f0..c35144adda44e903758755547c0f2edf993140cf 100644 (file)
@@ -2015,17 +2015,17 @@ TEST_CASE("nested script tags", "[JSNormalizer]")
     SECTION("close tag within single-line comment - start")
     {
         NORMALIZE(unexpected_tag_buf16);
-        VALIDATE_FAIL(unexpected_tag_buf16, unexpected_tag_expected16, JSTokenizer::CLOSING_TAG, 22);
+        VALIDATE_FAIL(unexpected_tag_buf16, unexpected_tag_expected16, JSTokenizer::SCRIPT_ENDED, 22);
     }
     SECTION("close tag within single-line comment - mid")
     {
         NORMALIZE(unexpected_tag_buf17);
-        VALIDATE_FAIL(unexpected_tag_buf17, unexpected_tag_expected17, JSTokenizer::CLOSING_TAG, 34);
+        VALIDATE_FAIL(unexpected_tag_buf17, unexpected_tag_expected17, JSTokenizer::SCRIPT_ENDED, 34);
     }
     SECTION("close tag within single-line comment - end")
     {
         NORMALIZE(unexpected_tag_buf18);
-        VALIDATE_FAIL(unexpected_tag_buf18, unexpected_tag_expected18, JSTokenizer::CLOSING_TAG, 32);
+        VALIDATE_FAIL(unexpected_tag_buf18, unexpected_tag_expected18, JSTokenizer::SCRIPT_ENDED, 32);
     }
     SECTION("close tag within multi-line comment - start")
     {
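Review bot: These three sections pin only the plain single-line-comment path. Nothing in the visible hunk covers a `//` comment holding the closing tag inside the char-code state, which the tokenizer change keeps on `CLOSING_TAG`, or the external-script case where the rule takes no action. If such cases do not already exist elsewhere in the file, add one section per path, expecting `JSTokenizer::CLOSING_TAG` for the char-code one, so the retained alert cannot regress unnoticed. The sections also still use `VALIDATE_FAIL` and the `unexpected_tag_*` buffers although the expected result is now `SCRIPT_ENDED`; a one-line comment such as `// closing tag in a line comment ends the script, no alert expected` would make that intent clear. The TEST_CASE body starts before this hunk and continues past it.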