From 7e0846c92dfdf6efe79e988de3b1a82a54d592d8 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Fri, 24 May 2024 11:09:36 -0600
Subject: [PATCH] test: add lua test for blocked lua library

---
 tests/lua/lua-blocked-function-1/README.md | 1 +
 tests/lua/lua-blocked-function-1/ioopen.lua | 9 +++++
 tests/lua/lua-blocked-function-1/pcall.lua | 9 +++++
 tests/lua/lua-blocked-function-1/test.rules | 3 ++
 tests/lua/lua-blocked-function-1/test.yaml | 34 ++++++++++++++++++
 .../lua/lua-blocked-function-1/testmyids.pcap | Bin 0 -> 1104 bytes
 6 files changed, 56 insertions(+)
 create mode 100644 tests/lua/lua-blocked-function-1/README.md
 create mode 100644 tests/lua/lua-blocked-function-1/ioopen.lua
 create mode 100644 tests/lua/lua-blocked-function-1/pcall.lua
 create mode 100644 tests/lua/lua-blocked-function-1/test.rules
 create mode 100644 tests/lua/lua-blocked-function-1/test.yaml
 create mode 100644 tests/lua/lua-blocked-function-1/testmyids.pcap

diff --git a/tests/lua/lua-blocked-function-1/README.md b/tests/lua/lua-blocked-function-1/README.md
new file mode 100644
index 000000000..f886733b9
--- /dev/null
+++ b/tests/lua/lua-blocked-function-1/README.md
@@ -0,0 +1 @@
+Test for a Lua rule calling a function in a blocked library, "io".
diff --git a/tests/lua/lua-blocked-function-1/ioopen.lua b/tests/lua/lua-blocked-function-1/ioopen.lua
new file mode 100644
index 000000000..87fd7b6ee
--- /dev/null
+++ b/tests/lua/lua-blocked-function-1/ioopen.lua
@@ -0,0 +1,9 @@
+function init(args)
+ local requires = {}
+ return requires
+end
+
+function match(args)
+ local file = io.open("/dev/null")
+ return 1
+end
diff --git a/tests/lua/lua-blocked-function-1/pcall.lua b/tests/lua/lua-blocked-function-1/pcall.lua
new file mode 100644
index 000000000..526718daa
--- /dev/null
+++ b/tests/lua/lua-blocked-function-1/pcall.lua
@@ -0,0 +1,9 @@
+function init(args)
+ local requires = {}
+ return requires
+end
+
+function match(args)
+ pcall(function() error("error") end)
+ return 1
+end
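Review bot: In match(), `local file = io.open("/dev/null")` assigns a handle that is never used or closed, which reads like an oversight rather than the behaviour the test depends on: test.yaml expects this exact line to fail with `attempt to index a nil value (global 'io')`, i.e. `io` is absent from the rule sandbox and `return 1` is never reached. A comment above the line would make that explicit, e.g. `-- "io" is not exposed to rule scripts: indexing it must raise here, so this script should never match.` It is also worth recording in that comment that if the sandbox ever exposed `io`, the script would match and, presumably, the `event_type: alert` count of 0 in test.yaml is what would surface that regression.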
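Review bot: In match(), the results of `pcall(function() error("error") end)` are discarded, so if `pcall` were ever not intercepted the inner error would be swallowed silently and the script would fall through to `return 1` and match. The test only works because the call to `pcall` itself is rejected (test.yaml expects `Blocked Lua function called: pcall`); that reliance deserves a comment, e.g. `-- pcall is a blocked function: the call itself must raise, otherwise error() is caught and this script matches.` Unlike ioopen.lua, which exercises a library that is simply missing, this is the only script in the test that hits the blocked-function path, which is why test.yaml expects `stats.detect.lua.blocked_function_errors` to be 1 while `stats.detect.lua.errors` is 2.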
diff --git a/tests/lua/lua-blocked-function-1/test.rules b/tests/lua/lua-blocked-function-1/test.rules
new file mode 100644
index 000000000..8dbd0c64d
--- /dev/null
+++ b/tests/lua/lua-blocked-function-1/test.rules
@@ -0,0 +1,3 @@
+alert http any any -> any any (msg:"TEST"; content:"uid=0"; lua:ioopen.lua; sid:1; rev:1;)
+alert http any any -> any any (msg:"TEST"; content:"uid=0"; lua:pcall.lua; sid:2; rev:1;)
+
diff --git a/tests/lua/lua-blocked-function-1/test.yaml b/tests/lua/lua-blocked-function-1/test.yaml
new file mode 100644
index 000000000..9a22d692f
--- /dev/null
+++ b/tests/lua/lua-blocked-function-1/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-rules=true
+ - --set logging.outputs.1.file.type=json
+
+checks:
+ - filter:
+ filename: suricata.log
+ count: 1
+ match:
+ engine.message.__startswith: "Lua script failed to run successfully"
+ engine.message.__endswith: "attempt to index a nil value (global 'io')"
+ - filter:
+ filename: suricata.log
+ count: 1
+ match:
+ engine.message.__startswith: "Lua script failed to run successfully"
+ engine.message.__endswith: "Blocked Lua function called: pcall"
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.lua.errors: 2
+
+ # Doesn't match up with errors as the call to the "io"
+ # function isn't blocked, it simply doesn't exist.
+ stats.detect.lua.blocked_function_errors: 1
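Review bot: Both rules carry the same `msg:"TEST"`, so an alert or an engine message from sid 1 cannot be told apart from sid 2 by message text alone when a run fails; distinct messages such as `msg:"TEST io.open"` and `msg:"TEST pcall"` cost nothing and make the log readable. Whether the "Lua script failed to run successfully" message names the script is not visible here, so if it does not, the rule message is the only way to attribute a failure to a rule. The empty third line of the file is also unnecessary.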
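Review bot: The comment above `stats.detect.lua.blocked_function_errors: 1` is the only place that records that the `io` case is not a blocked-function case at all, and it contradicts README.md in this same commit, which describes `io` as "a blocked library"; the README (and arguably the test name) should say that `io` is not exposed to rule scripts and that only the pcall rule exercises the blocked-function path. The first check also pins text that comes from the Lua runtime rather than from Suricata (`attempt to index a nil value (global 'io')`), so it is tied to the Lua version the build links against; a short comment stating that assumption, or matching only on the `__startswith` prefix for that check, would keep the test from breaking for an unrelated reason. A one-line comment on `--set security.lua.allow-rules=true` explaining why the test has to opt in to Lua rules (presumably they are disabled by default in 8) would also help a reader who only sees this file.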
diff --git a/tests/lua/lua-blocked-function-1/testmyids.pcap b/tests/lua/lua-blocked-function-1/testmyids.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..868c57e59394515e398bfe1c893685a57ee9c2db
GIT binary patch
literal 1104
zc-noEO-vI(7>2(s6>!MLVxn@Ka6)9;-K9TtsfL35gtA)c8skB9-7amF?l!xN*rO*B zJ@^w(kf21-3rPG4#)~9+G||L(@M0ng;Y7TUcy(qs4cIi@#a`@P>jzFPEw zAND>!Fyw#d&+vu!Py8@S*0kWrF}CsV_fNNX7KfT)5FjD{?1R3>AGc6|X&GO7Ik%R8 z^q1?G=w*29vjQL90{Hv~-uQjZD9{ktpnayHp^1{eK5K$gWKYXudVH761N4E|7&j=D z(jmQ;SlwNoBXnQs@KW~fx<{_ijy`XKC?Q2_>FkgOcJd2W=rk6;wGt|i<7ExIjpCU*QMTuHgb!;c8Rpa3*tLBNc zOgg}%E@vuZrL30M2;yWww5nOmiS2&MI>*;!wK1v9g8-GsVUg$Y*%XUTtBx+=A*;}Z z#Tb^=GC2{Vn2$=4s3Zt@SXNk+(XAW0CE;XA)$%%v##GzkWHVcsEa+JY%cjwVg$N#1 z4a$vSv720#A`$QQprYm^+%EJ8T2DBxa$<}Ni!niqObV(N*7){{Z``nY_D(e3CrolxE>PEog~3)z!=hh>`1ah%(~w#@00UD>)r z;fRrS68GE9%7dz`WL9@q7D(cDCSG{scvqjY=~C|3q_h&sibpxL&ejXafEy6;|Dmod i5R#H^Wl|Go_6MYwu<9txBllg)0RI4S^+V?X
literal 0
Hc-jL100001
--
2.47.2