rule parsing: check for balanced double quotes

If a rule option value starts with a double quote, ensure it ends with a double quote, exclusive of white space which gets trimmed anyways. Catches errors like 'filemagic:"picture" sid:5555555;' reporting that a missing semicolon may be the error.
8 years ago · 04da43d65d
parent 48b3cb0492
commit 04da43d65d
1 changed files with 37 additions and 0 deletions
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -608,6 +608,26 @@ static int SigParseOptions(DetectEngineCtx *de_ctx, Signature *s, char *optstr,
        }
    }

+    /* Validate double quoting, trimming trailing white space along the way. */
+    if (strlen(optvalue) > 0) {
+        size_t ovlen = strlen(optvalue);
+        if (ovlen && optvalue[0] == '"') {
+            for (; ovlen > 0; ovlen--) {
+                if (isblank(optvalue[ovlen - 1])) {
+                    optvalue[ovlen - 1] = '\0';
+                } else {
+                    break;
+                }
+            }
+            if (ovlen && optvalue[ovlen - 1] != '"') {
+                SCLogError(SC_ERR_INVALID_SIGNATURE,
+                    "bad option value formatting (possible missing semicolon) "
+                    "for keyword %s: \'%s\'", optname, optvalue);
+                goto error;
+            }
+        }
+    }
+
    /* setup may or may not add a new SigMatch to the list */
    if (st->Setup(de_ctx, s, strlen(optvalue) ? optvalue : NULL) < 0) {
        SCLogDebug("\"%s\" failed to setup", st->name);
@ -3585,6 +3605,21 @@ end:
    return result;
 }

+static int SigParseTestUnblanacedQuotes01(void)
+{
+    DetectEngineCtx *de_ctx;
+    Signature *s;
+
+    de_ctx = DetectEngineCtxInit();
+    FAIL_IF_NULL(de_ctx);
+    de_ctx->flags |= DE_QUIET;
+
+    s = SigInit(de_ctx, "alert http any any -> any any (msg:\"SigParseTestUnblanacedQuotes01\"; pcre:\"/\\/[a-z]+\\.php\\?[a-z]+?=\\d{7}&[a-z]+?=\\d{7,8}$/U\" flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:5;)");
+    FAIL_IF_NOT_NULL(s);
+
+    PASS;
+}
+
 #endif /* UNITTESTS */

 void SigParseRegisterTests(void)
@ -3639,5 +3674,7 @@ void SigParseRegisterTests(void)
    UtRegisterTest("SigParseTestAppLayerTLS01", SigParseTestAppLayerTLS01);
    UtRegisterTest("SigParseTestAppLayerTLS02", SigParseTestAppLayerTLS02);
    UtRegisterTest("SigParseTestAppLayerTLS03", SigParseTestAppLayerTLS03);
+    UtRegisterTest("SigParseTestUnblanacedQuotes01",
+        SigParseTestUnblanacedQuotes01);
 #endif /* UNITTESTS */
 }