From 4624e66cdd2742cdd41e32f0e9921583a25e47d9 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky <jeff@lucovsky.org>
Date: Tue, 8 Sep 2020 09:38:13 -0400
Subject: [PATCH] detect/transform: Validator for compress-ws

This commit adds a buffer validator for compress whitespace. Buffers
containing two or more consecutive whitespace characters are invalid
with this transform.
---
 src/detect-transform-compress-whitespace.c | 65 +++++++++++++++++++++-
 1 file changed, 62 insertions(+), 3 deletions(-)

diff --git a/src/detect-transform-compress-whitespace.c b/src/detect-transform-compress-whitespace.c
index e03f918c10..0c720fb0f6 100644
--- a/src/detect-transform-compress-whitespace.c
+++ b/src/detect-transform-compress-whitespace.c
@@ -39,6 +39,8 @@ static int DetectTransformCompressWhitespaceSetup (DetectEngineCtx *, Signature
 static void DetectTransformCompressWhitespaceRegisterTests(void);
 #endif
 static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options);
+static bool TransformCompressWhitespaceValidate(
+        const uint8_t *content, uint16_t content_len, void *options);
 
 void DetectTransformCompressWhitespaceRegister(void)
 {
@@ -50,6 +52,8 @@ void DetectTransformCompressWhitespaceRegister(void)
         "/rules/transforms.html#compress-whitespace";
     sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].Transform =
         TransformCompressWhitespace;
+    sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].TransformValidate =
+            TransformCompressWhitespaceValidate;
     sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].Setup =
         DetectTransformCompressWhitespaceSetup;
 #ifdef UNITTESTS
@@ -75,6 +79,30 @@ static int DetectTransformCompressWhitespaceSetup (DetectEngineCtx *de_ctx, Sign
     SCReturnInt(r);
 }
 
+/*
+ *  \brief Validate content bytes to see if it's compatible with this transform
+ *  \param content Byte array to check for compatibility
+ *  \param content_len Number of bytes to check
+ *  \param options Ignored
+ *  \retval false If the string contains spaces
+ *  \retval true Otherwise.
+ */
+static bool TransformCompressWhitespaceValidate(
+        const uint8_t *content, uint16_t content_len, void *options)
+{
+    if (content) {
+        for (uint32_t i = 0; i < content_len; i++) {
+            if (!isspace(*content++)) {
+                continue;
+            }
+            if ((i + 1) < content_len && isspace(*content)) {
+                return false;
+            }
+        }
+    }
+    return true;
+}
+
 static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options)
 {
     const uint8_t *input = buffer->inspect;
@@ -132,7 +160,7 @@ static int DetectTransformCompressWhitespaceTest01(void)
     uint32_t input_len = strlen((char *)input);
 
     InspectionBuffer buffer;
-    InspectionBufferInit(&buffer, 8);
+    InspectionBufferInit(&buffer, 9);
     InspectionBufferSetup(&buffer, input, input_len);
     PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
     TransformCompressWhitespace(&buffer, NULL);
@@ -147,7 +175,7 @@ static int DetectTransformCompressWhitespaceTest02(void)
     uint32_t input_len = strlen((char *)input);
 
     InspectionBuffer buffer;
-    InspectionBufferInit(&buffer, 8);
+    InspectionBufferInit(&buffer, 9);
     InspectionBufferSetup(&buffer, input, input_len);
     PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
     TransformDoubleWhitespace(&buffer);
@@ -160,11 +188,42 @@ static int DetectTransformCompressWhitespaceTest02(void)
     PASS;
 }
 
+static int DetectTransformCompressWhitespaceTest03(void)
+{
+    const uint8_t *input = (const uint8_t *)" A B C D  ";
+    uint32_t input_len = strlen((char *)input);
+
+    InspectionBuffer buffer;
+    InspectionBufferInit(&buffer, 10);
+    InspectionBufferSetup(&buffer, input, input_len);
+    PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
+    FAIL_IF(TransformCompressWhitespaceValidate(buffer.inspect, buffer.inspect_len, NULL));
+    PASS;
+}
+
+static int DetectTransformCompressWhitespaceTest04(void)
+{
+    const uint8_t *input = (const uint8_t *)" A B C D ";
+    uint32_t input_len = strlen((char *)input);
+
+    InspectionBuffer buffer;
+    InspectionBufferInit(&buffer, 9);
+    InspectionBufferSetup(&buffer, input, input_len);
+    TransformDoubleWhitespace(&buffer);
+    PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
+    FAIL_IF(TransformCompressWhitespaceValidate(buffer.inspect, buffer.inspect_len, NULL));
+    PASS;
+}
+
 static void DetectTransformCompressWhitespaceRegisterTests(void)
 {
     UtRegisterTest("DetectTransformCompressWhitespaceTest01",
             DetectTransformCompressWhitespaceTest01);
     UtRegisterTest("DetectTransformCompressWhitespaceTest02",
             DetectTransformCompressWhitespaceTest02);
+    UtRegisterTest(
+            "DetectTransformCompressWhitespaceTest03", DetectTransformCompressWhitespaceTest03);
+    UtRegisterTest(
+            "DetectTransformCompressWhitespaceTest04", DetectTransformCompressWhitespaceTest04);
 }
-#endif
\ No newline at end of file
+#endif
-- 
2.47.2