Pull request #3325: JS Normalizer fix.
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Tue, 29 Mar 2022 10:27:42 +0000 (10:27 +0000)
committerMike Stepanek (mstepane) <mstepane@cisco.com>
Tue, 29 Mar 2022 10:27:42 +0000 (10:27 +0000)
Merge in SNORT/snort3 from ~OSHUMEIK/snort3:js_fix to master

Squashed commit of the following:

commit 478c1781f4c7385e48b55c7793b40ccb19cae152
Author: Oleksii Shumeiko <oshumeik@cisco.com>
Date:   Mon Mar 28 18:38:01 2022 +0300

    utils: fix tracking variable when the output buffer is reset

src/utils/js_normalizer.h
src/utils/js_tokenizer.h
src/utils/js_tokenizer.l
src/utils/test/js_normalizer_test.cc

index 8508cd7d46e8a34c06faead827b44008f17af212..fa53bb6e3784cef818fc1fbf9d8016117955e74e 100644 (file)
@@ -47,7 +47,7 @@ public:
     { rem_bytes = depth; }
 
     const char* take_script()
-    { return out_buf.take_data(); }
+    { tokenizer.reset_output(); return out_buf.take_data(); }
 
     const char* get_script() const
     { return out_buf.data(); }
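Review bot: `take_script()` now carries an undocumented side effect on the tokenizer, and nothing at the call site explains why draining `out_buf` must also clear tokenizer state. A comment above it would help, for example `// ignored_id_pos is an offset into out_buf; it must be dropped whenever the buffer is handed off`. The rest of the class is outside this hunk, so it is worth confirming that no other path empties or rewinds `out_buf` without calling `tokenizer.reset_output()`. A stale offset there would presumably make the tokenizer rewrite the wrong place in the normalized script that detection later inspects.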
index be3011100806b1440cd7dd7ebfff5c4ad266ab07..e7b84d7ed1c097c27d0783424a9cb4a0d0938ff1 100644 (file)
@@ -166,6 +166,9 @@ public:
 
     JSRet process(size_t& bytes_in);
 
+    void reset_output()
+    { ignored_id_pos = -1; }
+
     bool is_unescape_nesting_seen() const;
     bool is_mixed_encoding_seen() const;
 protected:
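Review bot: `reset_output()` has a broader name than its body, which only forgets the saved position of the last ignored identifier and leaves the output stream untouched. A short doc comment would prevent misuse, for example `// Call after the caller has taken or reset the output buffer: invalidates positions saved into it (currently ignored_id_pos).`. If more output-relative state is added to the tokenizer later, this is the one place it must be cleared, and the comment should say so.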
@@ -351,7 +354,7 @@ private:
         {false, false, false, false, false, false, false, false, false, false, false,}
     };
 
-    std::streampos ignored_id_pos = -1;
+    std::streampos ignored_id_pos;
     struct FunctionIdentifier
     {
         bool operator< (const FunctionIdentifier& other) const
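Review bot: Dropping the in-class initializer means `ignored_id_pos` gets its `-1` sentinel only from the constructor's init list in js_tokenizer.l and from `reset_output()`, so the magic value now lives in two separate files. A constructor added later that omits the member would leave a default-constructed `std::streampos`, which on common standard libraries is position 0, not the "no position" sentinel. Unless the initializer was removed for a toolchain reason not shown here, keeping `std::streampos ignored_id_pos{-1};` in the class would restore a single source for the default. Failing that, a named constant such as `static constexpr std::streamoff no_pos = -1;` could be used in both places.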
@@ -366,7 +369,7 @@ private:
         {"unescape",            FuncType::UNESCAPE  },
         {"decodeURI",           FuncType::UNESCAPE  },
         {"decodeURIComponent",  FuncType::UNESCAPE  },
-        {"String.fromCharCode", FuncType::CHAR_CODE }        
+        {"String.fromCharCode", FuncType::CHAR_CODE }
     }};
 
     const uint32_t max_bracket_depth;
index 727b3746bcbe003e30e014bfc51c0d52158d2fa7..da6c8bf1582c2857e6c87fea63600b80dd1f5f26 100644 (file)
@@ -1339,6 +1339,7 @@ JSTokenizer::JSTokenizer(std::istream& in, std::ostream& out,
       tmp_buf(buf),
       tmp_buf_size(buf_size),
       tmp_cap_size(cap_size),
+      ignored_id_pos(-1),
       max_bracket_depth(max_bracket_depth)
 {
     scope_stack.emplace(GLOBAL);
index 1e6230c5df9f5f99f73e2098fa7d0430008f3588..d17044a0a7c9d947db28c5d3959c7f8b5b186d7a 100644 (file)
@@ -3670,6 +3670,26 @@ TEST_CASE("ignored identifier split", "[JSNormalizer]")
         NORMALIZE_T(dat5, dat6, exp7, exp8);
         NORM_COMBINED_S_2(dat5, dat6, exp9);
     }
+
+    SECTION("normalized word in the previous PDU")
+    {
+        const char dat1[] = "!foo";
+        const char dat2[] = "()";
+        const char exp1[] = "!var_0000";
+        const char exp2[] = "()";
+
+        NORMALIZE_T(dat1, dat2, exp1, exp2);
+    }
+
+    SECTION("ignored word in the previous PDU")
+    {
+        const char dat1[] = "!eval";
+        const char dat2[] = "()";
+        const char exp1[] = "!eval";
+        const char exp2[] = "()";
+
+        NORMALIZE_T(dat1, dat2, exp1, exp2);
+    }
 }
 
 TEST_CASE("Scope tracking - basic","[JSNormalizer]")
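Review bot: The two new sections do not say which regression they pin, and `NORMALIZE_T` is defined outside this hunk, so a reader cannot tell that the output buffer is taken between `dat1` and `dat2`. A one-line comment in each section would make the intent survive later refactoring of the macro, for example `// output is taken after the first PDU, so a position saved for "eval" must not be reused in the second`. If `NORMALIZE_T` does not in fact go through `take_script()`, these cases would not exercise the fix, which is worth confirming. The enclosing `TEST_CASE` starts before the hunk.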