Merge pull request #2967 in SNORT/snort3 from ~OSHUMEIK/snort3:js_shorten_tag to...
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Thu, 8 Jul 2021 11:55:57 +0000 (11:55 +0000)
committerMike Stepanek (mstepane) <mstepane@cisco.com>
Thu, 8 Jul 2021 11:55:57 +0000 (11:55 +0000)
Squashed commit of the following:

commit d853999fc0f48c55f04ab69099abfef234fe8246
Author: Oleksii Shumeiko <oshumeik@cisco.com>
Date:   Mon Jul 5 14:32:06 2021 +0300

    http_inspect: add built-in alert for script tags in a short form

src/service_inspectors/http_inspect/http_enum.h
src/service_inspectors/http_inspect/http_js_norm.cc
src/service_inspectors/http_inspect/http_js_norm.h
src/service_inspectors/http_inspect/http_tables.cc

index 7b4126c777c108f923781c808d6946abd621eb6b..17c81ceaebaeac4a2caf306bc651c74e00e382c5 100755 (executable)
@@ -270,6 +270,7 @@ enum Infraction
     INF_JS_OPENING_TAG,
     INF_JS_CLOSING_TAG,
     INF_JS_CODE_IN_EXTERNAL,
+    INF_JS_SHORTENED_TAG,
     INF__MAX_VALUE
 };
 
@@ -397,6 +398,7 @@ enum EventSid
     EVENT_JS_OPENING_TAG = 266,
     EVENT_JS_CLOSING_TAG = 267,
     EVENT_JS_CODE_IN_EXTERNAL = 268,
+    EVENT_JS_SHORTENED_TAG = 269,
     EVENT__MAX_VALUE
 };
 
index e1ec662a4c84338903aea827df42dbf634f4f740..b989e647729d5ea01a1533c992a3fc23f3a97e7d 100644 (file)
@@ -68,6 +68,7 @@ void HttpJsNorm::configure()
     mpse_type = new SearchTool;
 
     static constexpr const char* otag_start = "<SCRIPT";
+    static constexpr const char* attr_slash = "/";
     static constexpr const char* attr_gt = ">";
     static constexpr const char* attr_src = "SRC";
     static constexpr const char* attr_js1 = "JAVASCRIPT";
@@ -75,6 +76,7 @@ void HttpJsNorm::configure()
     static constexpr const char* attr_vb = "VBSCRIPT";
 
     mpse_otag->add(otag_start, strlen(otag_start), 0);
+    mpse_attr->add(attr_slash, strlen(attr_slash), AID_SLASH);
     mpse_attr->add(attr_gt, strlen(attr_gt), AID_GT);
     mpse_attr->add(attr_src, strlen(attr_src), AID_SRC);
     mpse_attr->add(attr_js1, strlen(attr_js1), AID_JS);
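Review bot: The one-byte `/` pattern registered on `mpse_attr` will fire on every slash between `<SCRIPT` and the closing `>`, including slashes inside attribute values such as a `src` URL or a MIME type, and nothing visible in this commit tracks quoting. Because the callback decides "shortened" purely from the next byte being `>`, a `/>` sequence inside a quoted value would presumably be reported as a shortened tag and end the attribute scan early. If the attribute search is not quote-aware elsewhere, consider accepting the slash only outside a quoted value. At minimum, document the limitation at the registration, e.g. `// matches any '/'; match_attr() accepts it only when immediately followed by '>'`. configure() starts and ends outside these hunks; the `attr_slash` constant is declared in the previous hunk.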
@@ -181,7 +183,7 @@ void HttpJsNorm::enhanced_inline_normalize(const Field& input, Field& output,
             if (ptr >= end)
                 break;
 
-            MatchContext sctx = {ptr, true, false};
+            MatchContext sctx = {ptr, true, false, false};
 
             if (ptr[0] == '>')
                 ptr++;
@@ -192,6 +194,13 @@ void HttpJsNorm::enhanced_inline_normalize(const Field& input, Field& output,
                 ptr = sctx.next;
             }
 
+            if (sctx.is_shortened)
+            {
+                *infractions += INF_JS_SHORTENED_TAG;
+                events->create_event(EVENT_JS_SHORTENED_TAG);
+                continue;
+            }
+
             if (!sctx.is_javascript)
                 continue;
 
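Review bot: The new `continue` after `events->create_event(EVENT_JS_SHORTENED_TAG)` has no comment saying that the text following a short-form tag is left un-normalized. That matters because HTML parsers ignore the self-closing slash on a script element and treat what follows as script text, so the alert becomes the only signal for that content. A comment such as `// short-form tag: alert only; the text that follows is not normalized here` would make the trade-off explicit for whoever tunes rule 269. The loop body continues outside the hunk, so whether a later iteration picks that content up is not visible here.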
@@ -408,6 +417,19 @@ int HttpJsNorm::match_attr(void* pid, void*, int index, void* sctx, void*)
 
     switch (id)
     {
+    case AID_SLASH:
+        if (*(ctx->next + index) == '>')
+        {
+            ctx->is_shortened = true;
+            ctx->next += index;
+            return 1;
+        }
+        else
+        {
+            ctx->is_shortened = false;
+            return 0;
+        }
+
     case AID_GT:
         ctx->next += index;
         return 1;
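Review bot: `*(ctx->next + index)` in the `AID_SLASH` case reads the byte after the matched slash with no bounds check, and `MatchContext` carries no end pointer. A slash that is the last byte of the searched range would therefore be followed by a read one past that range. The search call is outside the hunk, so this assumes `index` is the end-of-match offset, as the `AID_GT` case suggests. Consider adding a `const char* end;` member to `MatchContext` (a proposed addition, set where `sctx` is initialised) and guarding the test: `if (ctx->next + index < ctx->end && *(ctx->next + index) == '>')`. The `else` branch's `ctx->is_shortened = false;` repeats the initialiser and could be dropped.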
@@ -431,9 +453,9 @@ int HttpJsNorm::match_attr(void* pid, void*, int index, void* sctx, void*)
         return 0;
 
     default:
-        ctx->next += index;
         ctx->is_external = false;
         ctx->is_javascript = false;
+        ctx->next += index;
         return 1;
     }
 }
index 4fb1d6126a79510505c5065b6a818485c2fd30eb..38f5399849d35bf544b0099f9aa8a0956ec3f6c8 100644 (file)
@@ -47,13 +47,14 @@ public:
     void configure();
 
 private:
-    enum AttrId { AID_GT, AID_SRC, AID_JS, AID_ECMA, AID_VB };
+    enum AttrId { AID_SLASH, AID_GT, AID_SRC, AID_JS, AID_ECMA, AID_VB };
 
     struct MatchContext
     {
         const char* next;
         bool is_javascript;
         bool is_external;
+        bool is_shortened;
     };
 
     const HttpParaList::UriParam& uri_param;
index ac671f6a58793f6c6a23633e75915a7a1d52786e..af9dbdf6a91f3b6c5f20744d8cde131e8b3b47b8 100755 (executable)
@@ -431,6 +431,7 @@ const RuleMap HttpModule::http_events[] =
     { EVENT_JS_OPENING_TAG,             "unexpected script opening tag in JavaScript" },
     { EVENT_JS_CLOSING_TAG,             "unexpected script closing tag in JavaScript" },
     { EVENT_JS_CODE_IN_EXTERNAL,        "JavaScript code under the external script tags" },
+    { EVENT_JS_SHORTENED_TAG,           "script opening tag in a short form" },
     { 0, nullptr }
 };