From: Mike Stepanek (mstepane) Date: Tue, 31 May 2022 17:03:11 +0000 (+0000) Subject: Pull request #3425: http_inspect: Check for empty decompressed file body for JSN X-Git-Tag: 3.1.31.0~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7ed5039649e14010a70e1326aefe5cf0e7f115e;p=thirdparty%2Fsnort3.git Pull request #3425: http_inspect: Check for empty decompressed file body for JSN Merge in SNORT/snort3 from ~ASERBENI/snort3:pdu_miss to master Squashed commit of the following: commit bebdb26c20002a96c5073d407889806864b21665 Author: Andrii Serbeniuk Date: Mon May 16 13:45:43 2022 +0300 http_inspect: change js processed data tracking --- diff --git a/doc/reference/builtin_stubs.txt b/doc/reference/builtin_stubs.txt index 62f0c0719..6bb4ab0b8 100644 --- a/doc/reference/builtin_stubs.txt +++ b/doc/reference/builtin_stubs.txt @@ -1267,12 +1267,12 @@ Reference: CVE-2021-31166. 119:273 -This alert is raised for the following situation. During JavaScript normalization middle -PDUs can be missed and not normalized. Usually it happens when rules have file_data and -js_data ips options and fast-pattern (FP) search is applying to file_data. Some PDUs don’t -match file_data FP search and JavaScript normalization won't be executed for these PDUs. -The normalization of the following PDUs for inline/external scripts will be stopped for -current request within the flow. This alert is raised by the enhanced JavaScript normalizer. +This alert is raised for the following situation. During JavaScript normalization +some data can be lost and not normalized. Usually it happens when rules have file_data and +js_data ips options and fast-pattern (FP) search is applying to file_data. Some data +doesn’t match file_data FP search and JavaScript normalization won't be executed for it. +The following normalization for inline/external scripts will be stopped for current +request within the flow. This alert is raised by the enhanced JavaScript normalizer. 119:274 
diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h
index cc82f33dd..23c25426c 100755
--- a/src/service_inspectors/http_inspect/http_enum.h
+++ b/src/service_inspectors/http_inspect/http_enum.h
@@ -293,7 +293,7 @@ enum Infraction
INF_CHUNK_OVER_MAXIMUM = 128,
INF_LONG_HOST_VALUE = 129,
INF_ACCEPT_ENCODING_CONSECUTIVE_COMMAS = 130,
- INF_JS_PDU_MISS = 131,
+ INF_JS_DATA_LOST = 131,
INF_JS_SCOPE_NEST_OVERFLOW = 132,
INF_INVALID_SUBVERSION = 133,
INF_VERSION_0 = 134,
@@ -430,7 +430,7 @@ enum EventSid
EVENT_JS_IDENTIFIER_OVERFLOW = 270,
EVENT_JS_BRACKET_NEST_OVERFLOW = 271,
EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS = 272,
- EVENT_JS_PDU_MISS = 273,
+ EVENT_JS_DATA_LOST = 273,
EVENT_JS_SCOPE_NEST_OVERFLOW = 274,
EVENT_INVALID_SUBVERSION = 275,
EVENT_VERSION_0 = 276,
diff --git a/src/service_inspectors/http_inspect/http_flow_data.cc b/src/service_inspectors/http_inspect/http_flow_data.cc
index c912067af..baacbfeb0 100644
--- a/src/service_inspectors/http_inspect/http_flow_data.cc
+++ b/src/service_inspectors/http_inspect/http_flow_data.cc
@@ -224,9 +224,9 @@ void HttpFlowData::garbage_collect()
}
#ifndef UNIT_TEST_BUILD
-void HttpFlowData::reset_js_pdu_idx()
+void HttpFlowData::reset_js_data_idx()
{
- js_pdu_idx = pdu_idx = 0;
+ js_data_processed_idx = js_data_idx = 0;
js_data_lost_once = false;
}
@@ -264,11 +264,11 @@ snort::JSNormalizer& HttpFlowData::acquire_js_ctx(const HttpParaList::JsNormPara
return *js_normalizer;
}
-bool HttpFlowData::is_pdu_missed()
+bool HttpFlowData::sync_js_data_idx()
{
- bool pdu_missed = ((pdu_idx - js_pdu_idx) > 1);
- js_pdu_idx = pdu_idx;
- return pdu_missed;
+ bool data_missed = ((js_data_idx - js_data_processed_idx) > 1);
+ js_data_processed_idx = js_data_idx;
+ return data_missed;
}
void HttpFlowData::release_js_ctx()
diff --git a/src/service_inspectors/http_inspect/http_flow_data.h b/src/service_inspectors/http_inspect/http_flow_data.h
index 685b30741..6fb942f6d 100644
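Review bot: `sync_js_data_idx()` in the second http_flow_data.cc hunk both advances `js_data_processed_idx` and reports whether more than one counted body chunk went by since the previous call, but neither this definition nor its declaration in the http_flow_data.h hunk says so, and the new name reads like a bookkeeping step whose result can be dropped. A comment on the declaration such as `// Marks the current JS data chunk as processed; returns true if at least one counted chunk was skipped since the previous call (index difference > 1).` would make the `> 1` threshold explicit, and `[[nodiscard]]` there would keep a future caller from silently losing the gap flag that drives the data-lost event. The subtraction is on `uint32_t`, so it relies on `js_data_processed_idx` never running ahead of `js_data_idx`; that holds as long as the two are only ever reset together, as `reset_js_data_idx()` in the first hunk does, and is worth stating next to the fields.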
--- a/src/service_inspectors/http_inspect/http_flow_data.h
+++ b/src/service_inspectors/http_inspect/http_flow_data.h
@@ -201,8 +201,8 @@ private:
void delete_pipeline();
bool js_data_lost_once = false;
- uint32_t pdu_idx = 0;
- uint32_t js_pdu_idx = 0;
+ uint32_t js_data_idx = 0;
+ uint32_t js_data_processed_idx = 0;
// *** HttpJsNorm
JSIdentifierCtxBase* js_ident_ctx = nullptr;
@@ -210,11 +210,11 @@ private:
bool js_continue = false;
bool js_built_in_event = false;
- void reset_js_pdu_idx();
+ void reset_js_data_idx();
void reset_js_ident_ctx();
snort::JSNormalizer& acquire_js_ctx(const HttpParaList::JsNormParam& js_norm_param);
void release_js_ctx();
- bool is_pdu_missed();
+ bool sync_js_data_idx();
bool cutover_on_clear = false;
bool ssl_search_abandoned = false;
diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc
index 5e122acb2..97b8bd140 100644
--- a/src/service_inspectors/http_inspect/http_msg_body.cc
+++ b/src/service_inspectors/http_inspect/http_msg_body.cc
@@ -220,7 +220,8 @@ void HttpMsgBody::analyze()
else
do_legacy_js_normalization(decompressed_file_body, js_norm_body);
- ++session_data->pdu_idx;
+ if (decompressed_file_body.length() > 0)
+ ++session_data->js_data_idx;
const int32_t detect_length =
(js_norm_body.length() <= session_data->detect_depth_remaining[source_id]) ?
@@ -408,10 +409,10 @@ void HttpMsgBody::do_enhanced_js_normalization(const Field& input, Field& output
if ((*infractions & INF_UNKNOWN_ENCODING) or (*infractions & INF_UNSUPPORTED_ENCODING))
return;
- if (session_data->is_pdu_missed())
+ if (session_data->sync_js_data_idx())
{
- *infractions += INF_JS_PDU_MISS;
- session_data->events[HttpCommon::SRC_SERVER]->create_event(EVENT_JS_PDU_MISS);
+ *infractions += INF_JS_DATA_LOST;
+ session_data->events[HttpCommon::SRC_SERVER]->create_event(EVENT_JS_DATA_LOST);
session_data->js_data_lost_once = true;
return;
}
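Review bot: The new guard `if (decompressed_file_body.length() > 0)` in the `analyze()` hunk of http_msg_body.cc is the substance of this commit, yet nothing at the site says why an empty chunk must not be counted; the gap check in `sync_js_data_idx()` (second hunk of the same file) keys off this same counter, so a later edit to either side without the other would reintroduce spurious data-lost events. Suggest `// empty chunks carry nothing to normalize; counting them would widen the gap that sync_js_data_idx() reports` directly above the increment. The increment also runs on the legacy-normalization path shown here, so as far as this diff shows the counter tracks every non-empty chunk while only the enhanced path consumes it; that looks intended but is worth a word in the same comment. `analyze()` starts and ends outside the hunk.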
diff --git a/src/service_inspectors/http_inspect/http_msg_request.cc b/src/service_inspectors/http_inspect/http_msg_request.cc
index 2183e5539..adaf6e29a 100644
--- a/src/service_inspectors/http_inspect/http_msg_request.cc
+++ b/src/service_inspectors/http_inspect/http_msg_request.cc
@@ -42,7 +42,7 @@ HttpMsgRequest::HttpMsgRequest(const uint8_t* buffer, const uint16_t buf_size,
get_related_sections();
session_data->release_js_ctx();
session_data->reset_js_ident_ctx();
- session_data->reset_js_pdu_idx();
+ session_data->reset_js_data_idx();
}
HttpMsgRequest::~HttpMsgRequest()
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc
index 492c97242..05cfabe65 100755
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
@@ -356,7 +356,7 @@ const RuleMap HttpModule::http_events[] =
{ EVENT_JS_BRACKET_NEST_OVERFLOW, "excessive JavaScript bracket nesting" },
{ EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS, "Consecutive commas in HTTP Accept-Encoding "
"header" },
- { EVENT_JS_PDU_MISS, "missed PDUs during JavaScript normalization" },
+ { EVENT_JS_DATA_LOST, "data gaps during JavaScript normalization" },
{ EVENT_JS_SCOPE_NEST_OVERFLOW, "excessive JavaScript scope nesting" },
{ EVENT_INVALID_SUBVERSION, "HTTP/1 version other than 1.0 or 1.1" },
{ EVENT_VERSION_0, "HTTP version in start line is 0" },