Pull request #3425: http_inspect: Check for empty decompressed file body for JSN
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Tue, 31 May 2022 17:03:11 +0000 (17:03 +0000)
committerMike Stepanek (mstepane) <mstepane@cisco.com>
Tue, 31 May 2022 17:03:11 +0000 (17:03 +0000)
Merge in SNORT/snort3 from ~ASERBENI/snort3:pdu_miss to master

Squashed commit of the following:

commit bebdb26c20002a96c5073d407889806864b21665
Author: Andrii Serbeniuk <aserbeni@cisco.com>
Date:   Mon May 16 13:45:43 2022 +0300

    http_inspect: change js processed data tracking

doc/reference/builtin_stubs.txt
src/service_inspectors/http_inspect/http_enum.h
src/service_inspectors/http_inspect/http_flow_data.cc
src/service_inspectors/http_inspect/http_flow_data.h
src/service_inspectors/http_inspect/http_msg_body.cc
src/service_inspectors/http_inspect/http_msg_request.cc
src/service_inspectors/http_inspect/http_tables.cc

index 62f0c07190626f68d049dd27cef32478c98a7844..6bb4ab0b8faaf4510033c641d7bdc64fc94dca08 100644 (file)
@@ -1267,12 +1267,12 @@ Reference: CVE-2021-31166.
 
 119:273
 
-This alert is raised for the following situation. During JavaScript normalization middle
-PDUs can be missed and not normalized. Usually it happens when rules have file_data and
-js_data ips options and fast-pattern (FP) search is applying to file_data. Some PDUs don’t
-match file_data FP search and JavaScript normalization won't be executed for these PDUs.
-The normalization of the following PDUs for inline/external scripts will be stopped for
-current request within the flow. This alert is raised by the enhanced JavaScript normalizer.
+This alert is raised for the following situation. During JavaScript normalization
+some data can be lost and not normalized. Usually it happens when rules have file_data and
+js_data ips options and fast-pattern (FP) search is applying to file_data. Some data
+doesn’t match file_data FP search and JavaScript normalization won't be executed for it.
+The following normalization for inline/external scripts will be stopped for current
+request within the flow. This alert is raised by the enhanced JavaScript normalizer.
 
 119:274
 
index cc82f33dd5a69a0d1e930d5f67bc1e244998a324..23c25426c82fe4def53575de12c2a88ec49cc8f7 100755 (executable)
@@ -293,7 +293,7 @@ enum Infraction
     INF_CHUNK_OVER_MAXIMUM = 128,
     INF_LONG_HOST_VALUE = 129,
     INF_ACCEPT_ENCODING_CONSECUTIVE_COMMAS = 130,
-    INF_JS_PDU_MISS = 131,
+    INF_JS_DATA_LOST = 131,
     INF_JS_SCOPE_NEST_OVERFLOW = 132,
     INF_INVALID_SUBVERSION = 133,
     INF_VERSION_0 = 134,
@@ -430,7 +430,7 @@ enum EventSid
     EVENT_JS_IDENTIFIER_OVERFLOW = 270,
     EVENT_JS_BRACKET_NEST_OVERFLOW = 271,
     EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS = 272,
-    EVENT_JS_PDU_MISS = 273,
+    EVENT_JS_DATA_LOST = 273,
     EVENT_JS_SCOPE_NEST_OVERFLOW = 274,
     EVENT_INVALID_SUBVERSION = 275,
     EVENT_VERSION_0 = 276,
index c912067afb49f9a36bdd7b1c8201f286a696ec6d..baacbfeb0fb8deda26d2cb04e5c2b4937c843f6c 100644 (file)
@@ -224,9 +224,9 @@ void HttpFlowData::garbage_collect()
 }
 
 #ifndef UNIT_TEST_BUILD
-void HttpFlowData::reset_js_pdu_idx()
+void HttpFlowData::reset_js_data_idx()
 {
-    js_pdu_idx = pdu_idx = 0;
+    js_data_processed_idx = js_data_idx = 0;
     js_data_lost_once = false;
 }
 
@@ -264,11 +264,11 @@ snort::JSNormalizer& HttpFlowData::acquire_js_ctx(const HttpParaList::JsNormPara
     return *js_normalizer;
 }
 
-bool HttpFlowData::is_pdu_missed()
+bool HttpFlowData::sync_js_data_idx()
 {
-    bool pdu_missed = ((pdu_idx - js_pdu_idx) > 1);
-    js_pdu_idx = pdu_idx;
-    return pdu_missed;
+    bool data_missed = ((js_data_idx - js_data_processed_idx) > 1);
+    js_data_processed_idx = js_data_idx;
+    return data_missed;
 }
 
 void HttpFlowData::release_js_ctx()
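Review bot: The new name `sync_js_data_idx()` describes the side effect but not the result the caller depends on. It returns true when `js_data_idx` is more than one ahead of `js_data_processed_idx`, and `do_enhanced_js_normalization` uses that result to raise 119:273 and stop normalizing. A one-line comment above the definition would make the contract explicit, for example `// Returns true if body data was skipped since the last call (gap); always marks the data seen so far as processed.` The local `data_missed` could also become `data_lost` so that it matches `INF_JS_DATA_LOST` and `js_data_lost_once`.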
index 685b3074101b21f4d82791e130d1aa1a5d8aaba6..6fb942f6ded9577164a6c7d4ebf194095c380812 100644 (file)
@@ -201,8 +201,8 @@ private:
     void delete_pipeline();
 
     bool js_data_lost_once = false;
-    uint32_t pdu_idx = 0;
-    uint32_t js_pdu_idx = 0;
+    uint32_t js_data_idx = 0;
+    uint32_t js_data_processed_idx = 0;
 
     // *** HttpJsNorm
     JSIdentifierCtxBase* js_ident_ctx = nullptr;
@@ -210,11 +210,11 @@ private:
     bool js_continue = false;
     bool js_built_in_event = false;
 
-    void reset_js_pdu_idx();
+    void reset_js_data_idx();
     void reset_js_ident_ctx();
     snort::JSNormalizer& acquire_js_ctx(const HttpParaList::JsNormParam& js_norm_param);
     void release_js_ctx();
-    bool is_pdu_missed();
+    bool sync_js_data_idx();
 
     bool cutover_on_clear = false;
     bool ssl_search_abandoned = false;
index 5e122acb227a27cc96b018bb8e6a152b8ca4f32f..97b8bd140a9f33162bcc92cbb1107f722fe9986f 100644 (file)
@@ -220,7 +220,8 @@ void HttpMsgBody::analyze()
             else
                 do_legacy_js_normalization(decompressed_file_body, js_norm_body);
 
-            ++session_data->pdu_idx;
+            if (decompressed_file_body.length() > 0)
+                ++session_data->js_data_idx;
 
             const int32_t detect_length =
                 (js_norm_body.length() <= session_data->detect_depth_remaining[source_id]) ?
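Review bot: The new guard `if (decompressed_file_body.length() > 0)` before `++session_data->js_data_idx` has no comment, although it is the only logic change visible in this commit. This counter drives the 119:273 event that reports body data the JavaScript normalizer never saw, so the reason for skipping empty sections should be recorded next to the check, for example `// Count only sections that carry decompressed body data; an empty section must not look like a normalization gap (119:273).` A regression test would also help: place an empty body section between two script-bearing ones and assert that no event is raised, then confirm that a skipped non-empty section still raises it. `analyze()` starts and ends outside this hunk, so how the counter interacts with the rest of the function is not visible here.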
@@ -408,10 +409,10 @@ void HttpMsgBody::do_enhanced_js_normalization(const Field& input, Field& output
     if ((*infractions & INF_UNKNOWN_ENCODING) or (*infractions & INF_UNSUPPORTED_ENCODING))
         return;
 
-    if (session_data->is_pdu_missed())
+    if (session_data->sync_js_data_idx())
     {
-        *infractions += INF_JS_PDU_MISS;
-        session_data->events[HttpCommon::SRC_SERVER]->create_event(EVENT_JS_PDU_MISS);
+        *infractions += INF_JS_DATA_LOST;
+        session_data->events[HttpCommon::SRC_SERVER]->create_event(EVENT_JS_DATA_LOST);
         session_data->js_data_lost_once = true;
         return;
     }
index 2183e5539491d00ade54496e4e8708e838a2e27d..adaf6e29a70d02a97e7137eeb9eaa49f2898463f 100644 (file)
@@ -42,7 +42,7 @@ HttpMsgRequest::HttpMsgRequest(const uint8_t* buffer, const uint16_t buf_size,
     get_related_sections();
     session_data->release_js_ctx();
     session_data->reset_js_ident_ctx();
-    session_data->reset_js_pdu_idx();
+    session_data->reset_js_data_idx();
 }
 
 HttpMsgRequest::~HttpMsgRequest()
index 492c97242926ae1f569b331d7a49ed84dfe80dec..05cfabe6563ac3fcd59eb1f8def5f944418a14db 100755 (executable)
@@ -356,7 +356,7 @@ const RuleMap HttpModule::http_events[] =
     { EVENT_JS_BRACKET_NEST_OVERFLOW,   "excessive JavaScript bracket nesting" },
     { EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS, "Consecutive commas in HTTP Accept-Encoding "
                                         "header" },
-    { EVENT_JS_PDU_MISS,                "missed PDUs during JavaScript normalization" },
+    { EVENT_JS_DATA_LOST,               "data gaps during JavaScript normalization" },
     { EVENT_JS_SCOPE_NEST_OVERFLOW,     "excessive JavaScript scope nesting" },
     { EVENT_INVALID_SUBVERSION,         "HTTP/1 version other than 1.0 or 1.1" },
     { EVENT_VERSION_0,                  "HTTP version in start line is 0" },