From 2fc5b9fc8e9ae7ccec2acc9fa7b69a4a88c10ccd Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 7 May 2024 10:43:27 -0600
Subject: [PATCH] test: lua-rule-errors Test for correct behvaior when a Lua rule crashes. On crash, a Lua script should not result in a match when negation is applied. Also test for: - error stat - one time logging per thread Ticket: #6940
---
tests/lua/lua-bad-script/README.md | 5 +++
tests/lua/lua-bad-script/error.lua | 8 +++++
tests/lua/lua-bad-script/logging.yaml | 11 +++++++
tests/lua/lua-bad-script/match.lua | 7 ++++
tests/lua/lua-bad-script/nomatch.lua | 7 ++++
tests/lua/lua-bad-script/test.pcap | Bin 0 -> 876 bytes
tests/lua/lua-bad-script/test.rules | 3 ++
tests/lua/lua-bad-script/test.yaml | 44 ++++++++++++++++++++++++++
8 files changed, 85 insertions(+)
create mode 100644 tests/lua/lua-bad-script/README.md
create mode 100644 tests/lua/lua-bad-script/error.lua
create mode 100644 tests/lua/lua-bad-script/logging.yaml
create mode 100644 tests/lua/lua-bad-script/match.lua
create mode 100644 tests/lua/lua-bad-script/nomatch.lua
create mode 100644 tests/lua/lua-bad-script/test.pcap
create mode 100644 tests/lua/lua-bad-script/test.rules
create mode 100644 tests/lua/lua-bad-script/test.yaml
diff --git a/tests/lua/lua-bad-script/README.md b/tests/lua/lua-bad-script/README.md
new file mode 100644
index 000000000..ab8807813
--- /dev/null
+++ b/tests/lua/lua-bad-script/README.md
@@ -0,0 +1,5 @@
+Test that a crashed rule script does not alert when negated.
+
+Also tests:
+- one time logging for a script that crashes
+- stat increment each time a script crashes
diff --git a/tests/lua/lua-bad-script/error.lua b/tests/lua/lua-bad-script/error.lua
new file mode 100644
index 000000000..d81ffb833
--- /dev/null
+++ b/tests/lua/lua-bad-script/error.lua
@@ -0,0 +1,8 @@
+function init(args)
+ return {}
+end
+
+function match(args)
+ foobar()
+ return 0
+end
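Review bot: In error.lua, `foobar()` is never defined, and nothing in the file says that this is deliberate; a later reader could take it for a leftover and "fix" it, which would silently turn the fixture into a plain no-match script and leave the error path untested. I would add `-- foobar is intentionally undefined: the call raises a runtime error, so match() never reaches its return.` above the call. The `return 0` that follows is unreachable and could be dropped or marked as such.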
diff --git a/tests/lua/lua-bad-script/logging.yaml b/tests/lua/lua-bad-script/logging.yaml
new file mode 100644
index 000000000..00517325a
--- /dev/null
+++ b/tests/lua/lua-bad-script/logging.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: info
+ outputs:
+ - file:
+ enabled: yes
+ level: info
+ filename: suricata.json
+ type: json
diff --git a/tests/lua/lua-bad-script/match.lua b/tests/lua/lua-bad-script/match.lua
new file mode 100644
index 000000000..c93265458
--- /dev/null
+++ b/tests/lua/lua-bad-script/match.lua
@@ -0,0 +1,7 @@
+function init(args)
+ return {}
+end
+
+function match(args)
+ return 1
+end
diff --git a/tests/lua/lua-bad-script/nomatch.lua b/tests/lua/lua-bad-script/nomatch.lua
new file mode 100644
index 000000000..a3bafe15b
--- /dev/null
+++ b/tests/lua/lua-bad-script/nomatch.lua
@@ -0,0 +1,7 @@
+function init(args)
+ return {}
+end
+
+function match(args)
+ return 0
+end
diff --git a/tests/lua/lua-bad-script/test.pcap b/tests/lua/lua-bad-script/test.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..5c9ee35b3925845257e32c31a4312dca5ccc1a3a
GIT binary patch literal 876 zc-p&ic+)~A1{MYcU}0bclCFlsWL^u=;!t_JF7gqX#doRgWFSE8Go#-37?Uyzhv!JM3*3zBAZ zCZPqQAPeKR@G$rSg?zF3$bOyz$ilWHn2!!A0)3<{mci?f@DXcLPJVJWhGp(R!|Qz+ z8A5?dLa`a{KJPFC(D0+%VTLzt0vc{CR6GS0sRnUdX(269Ar#*d;knCRao z2p!Oeh9U<8i>{TMBFGJ*?d%LuK%ppXZt#gy1iK*w;Rc{rEwpc}dyR-TY#xQh7vp9I zmW<|8=^j9vG=6d7Nr6k&fNZM21PjuKN{|$28A((M1X(ceHz&Rns08+k55g-zE9@2H NEh9-wfx3_s2mn|@#v=d# literal 0 Hc-jL100001
diff --git a/tests/lua/lua-bad-script/test.rules b/tests/lua/lua-bad-script/test.rules
new file mode 100644
index 000000000..89cfb3299
--- /dev/null
+++ b/tests/lua/lua-bad-script/test.rules
@@ -0,0 +1,3 @@
+alert udp any any -> any any (msg:"MATCH"; lua:match.lua; sid:1; rev:1;)
+alert udp any any -> any any (msg:"NOMATCH"; lua:!nomatch.lua; sid:2; rev:1;)
+alert udp any any -> any any (msg:"ERROR"; lua:!error.lua; sid:3; rev:1;)
diff --git a/tests/lua/lua-bad-script/test.yaml b/tests/lua/lua-bad-script/test.yaml
new file mode 100644
index 000000000..765da4c2a
--- /dev/null
+++ b/tests/lua/lua-bad-script/test.yaml
@@ -0,0 +1,44 @@
+requires:
+ min-version: 8
+ features:
+ - HAVE_LUA
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-rules=true
+ - --include ${TEST_DIR}/logging.yaml
+
+ # Run single threaded so all Lua errors occur on the same thread so
+ # we can test one-time logging per thread.
+ - --runmode single
+
+checks:
+ - filter:
+ count: 8
+ match:
+ alert.signature_id: 1
+
+ - filter:
+ count: 8
+ match:
+ alert.signature_id: 2
+
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 3
+
+ # PCAP has 8 packets, which means 8 Lua failures.
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.lua.errors: 8
+
+ # The Lua failure should only be logged once.
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ engine.message.__find: Lua script failed to run successfully
--
2.47.2
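Review bot: In test.rules, sid 3 exercises error.lua only in negated form (`lua:!error.lua`), so the suite never checks what a crashing script does in a non-negated rule. A script error should produce no alert in either polarity, and pinning both guards against a later change that repairs one path by flipping the other. Consider adding `alert udp any any -> any any (msg:"ERROR-PLAIN"; lua:error.lua; sid:4; rev:1;)` with a `count: 0` check on `alert.signature_id: 4` in test.yaml. The `stats.detect.lua.errors` expectation there would then need adjusting, presumably to 16 for the 8-packet pcap.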
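Review bot: In test.yaml the first three filters under `checks:` carry no comments, although sid 1 and sid 2 are the controls that make the `count: 0` result for sid 3 meaningful. Without them a reader cannot tell that zero alerts on sid 3 means "script errored and was treated as no match" rather than "Lua rules never ran". I would add `# Control: Lua rules are loaded and a script returning 1 alerts on all 8 packets.` above the first filter, `# Control: negating a clean no-match alerts on all 8 packets.` above the second, and `# Under test: a script that errors must not alert even when negated.` above the third.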