From: Mike Stepanek (mstepane)
Date: Thu, 8 Jul 2021 11:55:57 +0000 (+0000)
Subject: Merge pull request #2967 in SNORT/snort3 from ~OSHUMEIK/snort3:js_shorten_tag to...
X-Git-Tag: 3.1.8.0~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f75190f43d9fbfbc4763badc491b304ac87e7a13;p=thirdparty%2Fsnort3.git

Merge pull request #2967 in SNORT/snort3 from ~OSHUMEIK/snort3:js_shorten_tag to master

Squashed commit of the following:

commit d853999fc0f48c55f04ab69099abfef234fe8246
Author: Oleksii Shumeiko
Date: Mon Jul 5 14:32:06 2021 +0300

    http_inspect: add built-in alert for script tags in a short form
---

diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h
index 7b4126c77..17c81ceae 100755
--- a/src/service_inspectors/http_inspect/http_enum.h
+++ b/src/service_inspectors/http_inspect/http_enum.h
@@ -270,6 +270,7 @@ enum Infraction
     INF_JS_OPENING_TAG,
     INF_JS_CLOSING_TAG,
     INF_JS_CODE_IN_EXTERNAL,
+    INF_JS_SHORTENED_TAG,
     INF__MAX_VALUE
 };
 
@@ -397,6 +398,7 @@ enum EventSid
     EVENT_JS_OPENING_TAG = 266,
     EVENT_JS_CLOSING_TAG = 267,
     EVENT_JS_CODE_IN_EXTERNAL = 268,
+    EVENT_JS_SHORTENED_TAG = 269,
     EVENT__MAX_VALUE
 };
 
diff --git a/src/service_inspectors/http_inspect/http_js_norm.cc b/src/service_inspectors/http_inspect/http_js_norm.cc
index e1ec662a4..b989e6477 100644
--- a/src/service_inspectors/http_inspect/http_js_norm.cc
+++ b/src/service_inspectors/http_inspect/http_js_norm.cc
@@ -68,6 +68,7 @@ void HttpJsNorm::configure()
mpse_type = new SearchTool; static constexpr const char* otag_start = "add(otag_start, strlen(otag_start), 0); + mpse_attr->add(attr_slash, strlen(attr_slash), AID_SLASH); mpse_attr->add(attr_gt, strlen(attr_gt), AID_GT); mpse_attr->add(attr_src, strlen(attr_src), AID_SRC); mpse_attr->add(attr_js1, strlen(attr_js1), AID_JS);
@@ -181,7 +183,7 @@ void HttpJsNorm::enhanced_inline_normalize(const Field& input, Field& output,
         if (ptr >= end)
             break;
 
-        MatchContext sctx = {ptr, true, false};
+        MatchContext sctx = {ptr, true, false, false};
 
         if (ptr[0] == '>')
             ptr++;
@@ -192,6 +194,13 @@ void HttpJsNorm::enhanced_inline_normalize(const Field& input, Field& output,
             ptr = sctx.next;
         }
 
+        if (sctx.is_shortened)
+        {
+            *infractions += INF_JS_SHORTENED_TAG;
+            events->create_event(EVENT_JS_SHORTENED_TAG);
+            continue;
+        }
+
         if (!sctx.is_javascript)
             continue;
 
@@ -408,6 +417,19 @@ int HttpJsNorm::match_attr(void* pid, void*, int index, void* sctx, void*)
 
     switch (id)
     {
+    case AID_SLASH:
+        if (*(ctx->next + index) == '>')
+        {
+            ctx->is_shortened = true;
+            ctx->next += index;
+            return 1;
+        }
+        else
+        {
+            ctx->is_shortened = false;
+            return 0;
+        }
+
     case AID_GT:
         ctx->next += index;
         return 1;
@@ -431,9 +453,9 @@ int HttpJsNorm::match_attr(void* pid, void*, int index, void* sctx, void*)
         return 0;
 
     default:
-        ctx->next += index;
         ctx->is_external = false;
         ctx->is_javascript = false;
+        ctx->next += index;
         return 1;
     }
 }
diff --git a/src/service_inspectors/http_inspect/http_js_norm.h b/src/service_inspectors/http_inspect/http_js_norm.h
index 4fb1d6126..38f539984 100644
--- a/src/service_inspectors/http_inspect/http_js_norm.h
+++ b/src/service_inspectors/http_inspect/http_js_norm.h
@@ -47,13 +47,14 @@ public:
     void configure();
 
 private:
-    enum AttrId { AID_GT, AID_SRC, AID_JS, AID_ECMA, AID_VB };
+    enum AttrId { AID_SLASH, AID_GT, AID_SRC, AID_JS, AID_ECMA, AID_VB };
 
     struct MatchContext
     {
         const char* next;
         bool is_javascript;
         bool is_external;
+        bool is_shortened;
     };
 
     const HttpParaList::UriParam& uri_param;
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc
index ac671f6a5..af9dbdf6a 100755
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
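Review bot: The dereference `*(ctx->next + index)` in the new AID_SLASH case is not bounded by the buffer handed to the search: the existing AID_GT case advances with `ctx->next += index` to land just past the matched '>', so for a slash match `ctx->next + index` is the byte after the '/', and when that '/' is the last byte of the scanned range this reads one past the end of the input. MatchContext carries no end pointer, so the callback cannot check this by itself; adding a member such as `const char* end;` that is filled where sctx is initialised (the -181 hunk) lets the test become `if (ctx->next + index < ctx->end && *(ctx->next + index) == '>')`. The `else` branch only re-stores the value `is_shortened` already has from initialisation, so it can be reduced to `return 0;`. match_attr's body starts outside the hunk and the pattern registered for AID_SLASH is not visible here, so this assumes it is a single '/'.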
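Review bot: MatchContext is initialised positionally (`MatchContext sctx = {ptr, true, false, false};` in the -181 hunk), so every new flag forces that init site to change and a mis-ordered bool is accepted silently. If the values used there are the intended defaults, default member initialisers — `bool is_javascript = true;`, `bool is_external = false;`, `bool is_shortened = false;` — keep the struct an aggregate (C++14 or later) and let the init site shrink to `MatchContext sctx = {ptr};`. A one-line comment on `is_shortened` stating that it is set only when match_attr sees '/' immediately followed by '>' would also help, since the name alone does not say which form is meant.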
@@ -431,6 +431,7 @@ const RuleMap HttpModule::http_events[] =
     { EVENT_JS_OPENING_TAG, "unexpected script opening tag in JavaScript" },
     { EVENT_JS_CLOSING_TAG, "unexpected script closing tag in JavaScript" },
     { EVENT_JS_CODE_IN_EXTERNAL, "JavaScript code under the external script tags" },
+    { EVENT_JS_SHORTENED_TAG, "script opening tag in a short form" },
     { 0, nullptr }
 };
 
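Review bot: The new event text "script opening tag in a short form" does not tell an analyst what was matched; the condition in match_attr is a '/' directly followed by '>', i.e. a self-closing opening tag. Naming the construct in the message, e.g. `{ EVENT_JS_SHORTENED_TAG, "script opening tag in a short (self-closing) form" },`, makes the alert actionable without reading the source. Whether any rule documentation enumerates these SIDs is not visible here; if it does, SID 269 needs the same entry.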