From: Mike Stepanek (mstepane)
Date: Tue, 29 Mar 2022 10:27:42 +0000 (+0000)
Subject: Pull request #3325: JS Normalizer fix.
X-Git-Tag: 3.1.27.0~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ca73d18f12c0cc648505fe0585290b73558796ef;p=thirdparty%2Fsnort3.git
Pull request #3325: JS Normalizer fix.
Merge in SNORT/snort3 from ~OSHUMEIK/snort3:js_fix to master
Squashed commit of the following:
commit 478c1781f4c7385e48b55c7793b40ccb19cae152
Author: Oleksii Shumeiko
Date: Mon Mar 28 18:38:01 2022 +0300
utils: fix tracking variable when the output buffer is reset
---
diff --git a/src/utils/js_normalizer.h b/src/utils/js_normalizer.h
index 8508cd7d4..fa53bb6e3 100644
--- a/src/utils/js_normalizer.h
+++ b/src/utils/js_normalizer.h
@@ -47,7 +47,7 @@ public:
 { rem_bytes = depth; }
 const char* take_script()
- { return out_buf.take_data(); }
+ { tokenizer.reset_output(); return out_buf.take_data(); }
 const char* get_script() const
 { return out_buf.data(); }
diff --git a/src/utils/js_tokenizer.h b/src/utils/js_tokenizer.h
index be3011100..e7b84d7ed 100644
--- a/src/utils/js_tokenizer.h
+++ b/src/utils/js_tokenizer.h
@@ -166,6 +166,9 @@ public:
 JSRet process(size_t& bytes_in);
+ void reset_output()
+ { ignored_id_pos = -1; }
+
 bool is_unescape_nesting_seen() const;
 bool is_mixed_encoding_seen() const;
 protected:
@@ -351,7 +354,7 @@ private:
 {false, false, false, false, false, false, false, false, false, false, false,}
 };
- std::streampos ignored_id_pos = -1;
+ std::streampos ignored_id_pos;
 struct FunctionIdentifier
 {
 bool operator< (const FunctionIdentifier& other) const
@@ -366,7 +369,7 @@ private:
 {"unescape", FuncType::UNESCAPE },
 {"decodeURI", FuncType::UNESCAPE },
 {"decodeURIComponent", FuncType::UNESCAPE },
- {"String.fromCharCode", FuncType::CHAR_CODE }
+ {"String.fromCharCode", FuncType::CHAR_CODE }
 }};
 const uint32_t max_bracket_depth;
diff --git a/src/utils/js_tokenizer.l b/src/utils/js_tokenizer.l
index 727b3746b..da6c8bf15 100644
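Review bot: In `take_script()` the pairing of `tokenizer.reset_output()` with `out_buf.take_data()` is an invariant that nothing in the new line states or enforces. Any other path that empties or rewinds `out_buf` (none is visible in this hunk) would leave the tokenizer holding a position into a buffer that no longer exists. Going by the commit title, the saved position refers to the output buffer, so a stale value could make the normalized script diverge from the original input, which matters for whatever inspects that output. I would add a comment above the body such as `// take_data() hands the buffer away; the tokenizer must forget any position it saved into it first`. The enclosing class starts and ends outside the hunk.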
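Review bot: `reset_output()` in js_tokenizer.h is added without a comment, and its name promises more than the body does: it only sets `ignored_id_pos` back to -1 and does not touch the output stream. A caller reading the header cannot tell when the call is required. I would document it with something like `// Call whenever the output buffer is taken or rewound: drops the saved position of the pending ignored identifier.`, with the wording confirmed against how `ignored_id_pos` is used in js_tokenizer.l, which is not shown here. The class body continues outside the hunk.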
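Review bot: Dropping the in-class initializer from `std::streampos ignored_id_pos` (hunk at -351 in js_tokenizer.h) makes the -1 sentinel depend on every constructor's init list, and the literal is now spelled in two files: `reset_output()` here and `ignored_id_pos(-1)` in the js_tokenizer.l hunk. Only one constructor is visible; a constructor added later that forgets the member would default-construct it, which is presumably not the "nothing saved" value. I would either keep `std::streampos ignored_id_pos = -1;` at the declaration, or name the sentinel once and use it in both places. The reason for moving the initializer is not stated in the commit message and would be worth a sentence there.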
--- a/src/utils/js_tokenizer.l
+++ b/src/utils/js_tokenizer.l
@@ -1339,6 +1339,7 @@ JSTokenizer::JSTokenizer(std::istream& in, std::ostream& out,
 tmp_buf(buf),
 tmp_buf_size(buf_size),
 tmp_cap_size(cap_size),
+ ignored_id_pos(-1),
 max_bracket_depth(max_bracket_depth)
 {
 scope_stack.emplace(GLOBAL);
diff --git a/src/utils/test/js_normalizer_test.cc b/src/utils/test/js_normalizer_test.cc
index 1e6230c5d..d17044a0a 100644
--- a/src/utils/test/js_normalizer_test.cc
+++ b/src/utils/test/js_normalizer_test.cc
@@ -3670,6 +3670,26 @@ TEST_CASE("ignored identifier split", "[JSNormalizer]")
 NORMALIZE_T(dat5, dat6, exp7, exp8);
 NORM_COMBINED_S_2(dat5, dat6, exp9);
 }
+
+ SECTION("normalized word in the previous PDU")
+ {
+ const char dat1[] = "!foo";
+ const char dat2[] = "()";
+ const char exp1[] = "!var_0000";
+ const char exp2[] = "()";
+
+ NORMALIZE_T(dat1, dat2, exp1, exp2);
+ }
+
+ SECTION("ignored word in the previous PDU")
+ {
+ const char dat1[] = "!eval";
+ const char dat2[] = "()";
+ const char exp1[] = "!eval";
+ const char exp2[] = "()";
+
+ NORMALIZE_T(dat1, dat2, exp1, exp2);
+ }
 }
 TEST_CASE("Scope tracking - basic","[JSNormalizer]")
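Review bot: The two new sections in js_normalizer_test.cc assert only the per-PDU output through `NORMALIZE_T`, while the sibling section visible in the context also checks the joined script with `NORM_COMBINED_S_2`. The macros are defined outside the hunk, so it is not visible whether `NORMALIZE_T` takes the script between the two PDUs; if it does not, these cases would pass without exercising the `take_script()` change. I would add the combined assertion to each section, for example `const char exp3[] = "!var_0000()"; NORM_COMBINED_S_2(dat1, dat2, exp3);`, with the expected string confirmed against the macro. A short comment naming the reset-between-PDUs scenario being pinned would also help.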