From: Mike Stepanek (mstepane) Date: Fri, 6 May 2022 17:51:06 +0000 (+0000) Subject: Pull request #3412: Hardening JS Normalizer. X-Git-Tag: 3.1.30.0~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8fab4e2c4f8f9cc1ab91545c374351fb09a8447b;p=thirdparty%2Fsnort3.git Pull request #3412: Hardening JS Normalizer. Merge in SNORT/snort3 from ~OSHUMEIK/snort3:js_unescape_tracking to master Squashed commit of the following: commit 8120cbb49d9ba15b395cc9eb64b7766fb466f5f9 Author: Oleksii Shumeiko Date: Wed May 4 19:54:30 2022 +0300 utils: turn debug-build assertion into a product-build code This removes a redundant assert and adds a test to show that such input could be handled. --- diff --git a/src/utils/js_tokenizer.l b/src/utils/js_tokenizer.l index 24c5f78af..fea92f9ee 100644 --- a/src/utils/js_tokenizer.l +++ b/src/utils/js_tokenizer.l @@ -1933,22 +1933,18 @@ JSTokenizer::FuncType JSTokenizer::detect_func_type() return FuncType::GENERAL; case IDENTIFIER: - { - FuncType ret = FuncType::GENERAL; - - if (meta_type() == ScopeMetaType::FUNCTION) - return ret; + if (meta_type() == ScopeMetaType::FUNCTION or ignored_id_pos < 0) + return FuncType::GENERAL; - if (ignored_id_pos >= 0) { + char tail[256]; std::streambuf* pbuf = yyout.rdbuf(); std::streamsize size = pbuf->pubseekoff(0, yyout.cur, yyout.out) - ignored_id_pos; - assert(size >= 0); - char tail[256]; - assert((size_t)size <= sizeof(tail)); - size = std::min((size_t)size, sizeof(tail)); + if (size <= 0) + return FuncType::GENERAL; + size = std::min((size_t)size, sizeof(tail)); pbuf->pubseekoff(-size, yyout.cur, yyout.out); pbuf->sgetn(tail, size); 
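Review bot: The results of `pbuf->pubseekoff(-size, yyout.cur, yyout.out)` and `pbuf->sgetn(tail, size)` are not checked, and with the asserts removed the clamp to `sizeof(tail)` is the only guard left around the copy into the uninitialised stack buffer `tail`. If the stream buffer delivers fewer than `size` bytes, the `memcmp` in the next hunk compares indeterminate bytes of `tail` against the identifier. Consider `if (pbuf->sgetn(tail, size) != size) return FuncType::GENERAL;`. Whether the write position has to be restored on that path depends on the streambuf implementation, which is not visible here. The same unchecked `pubseekoff` sits before `return id.type;` in the following hunk, where the block that starts here also ends.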
@@ -1957,15 +1953,13 @@ JSTokenizer::FuncType JSTokenizer::detect_func_type() if ((unsigned)size == (unsigned)id.identifier.size() && memcmp(tail, id.identifier.data(), size) == 0) { - ret = id.type; pbuf->pubseekoff(-size, yyout.cur, yyout.out); - - break; + return id.type; } } + + return FuncType::GENERAL; } - return ret; - } default: return FuncType::NOT_FUNC; diff --git a/src/utils/test/js_unescape_test.cc b/src/utils/test/js_unescape_test.cc index ee58b1137..64833687c 100644 --- a/src/utils/test/js_unescape_test.cc +++ b/src/utils/test/js_unescape_test.cc @@ -1288,5 +1288,30 @@ TEST_CASE("Mixed input", "[JSNormalizer]") } } +TEST_CASE("Internal limits", "[JSNormalizer]") +{ + SECTION("output tail size") + { + test_normalization( + "function v(e){return new String(/^(?:(?:(?:https?|ftp):)?\\/\\/)(?" + ":\\S+(?::\\S*)?@)?(?:(?!(?:10|127)(?:\\.\\d{1,3}){3})(?!(?:169\\.2" + "54|192\\.168)(?:\\.\\d{1,3}){2})(?!172\\.(?:1[6-9]|2\\d|3[0-1])(?:" + "\\.\\d{1,3}){2})(?:[1-9]\\d?|1\\d\\d|2[01]\\d|22[0-3])(?:\\.(?:1?" + "\\d{1,2}|2[0-4]\\d|25[0-5])){2}(?:\\.(?:[1-9]\\d?|1\\d\\d|2[0-4]\\" + "d|25[0-4]))|(?:(?:[a-z 0-9\\u0061-\\u007a][a-z 0-9\\u0061-\\u007a_" + "-]{0,62})?[a-z 0-9\\u0061-\\u007a]\\.)+(?:[a-z \\u0061-\\u007a]{2," + "}\\.?))(?::\\d{2,5})?(?:[/?#]\\S*)?$/i).test(e)}", + "function var_0000(var_0001){return new String(/^(?:(?:(?:https?|ft" + "p):)?\\/\\/)(?:\\S+(?::\\S*)?@)?(?:(?!(?:10|127)(?:\\.\\d{1,3}){3}" + ")(?!(?:169\\.254|192\\.168)(?:\\.\\d{1,3}){2})(?!172\\.(?:1[6-9]|2" + "\\d|3[0-1])(?:\\.\\d{1,3}){2})(?:[1-9]\\d?|1\\d\\d|2[01]\\d|22[0-3" + "])(?:\\.(?:1?\\d{1,2}|2[0-4]\\d|25[0-5])){2}(?:\\.(?:[1-9]\\d?|1\\" + "d\\d|2[0-4]\\d|25[0-4]))|(?:(?:[a-z 0-9a-z][a-z 0-9a-z_-]{0,62})?[" + "a-z 0-9a-z]\\.)+(?:[a-z a-z]{2,}\\.?))(?::\\d{2,5})?(?:[/?#]\\S*)?" + "$/i).test(var_0001)}" + ); + } +} + #endif // CATCH_TEST_BUILD
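Review bot: The "output tail size" section has no comment saying which limit it targets or why this input reaches it, so the long regex literal reads as an arbitrary sample. A one-line comment above `test_normalization(` would help, for example `// output written after the ignored identifier exceeds the 256-byte tail buffer in detect_func_type()`. That wording is inferred from the commit message and should be confirmed against the tokenizer. The case also only covers an input well past the limit. Sections with a tail of exactly `sizeof(tail)` bytes and one byte more would pin the clamp itself, and the new `size <= 0` early return has no case in this hunk.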