
Source code changes of the file "src/service_inspectors/http_inspect/http_js_norm.cc" between
snort3-3.1.36.0.tar.gz and snort3-3.1.38.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

http_js_norm.cc  (snort3-3.1.36.0):http_js_norm.cc  (snort3-3.1.38.0)
skipping to change at line 42 skipping to change at line 42
#include "http_enum.h" #include "http_enum.h"
using namespace HttpEnums; using namespace HttpEnums;
using namespace snort; using namespace snort;
static const char* jsret_codes[] = static const char* jsret_codes[] =
{ {
"end of stream", "end of stream",
"script ended", "script ended",
"script continues", "script continues",
"opening tag",
"closing tag", "closing tag",
"bad token", "bad token",
"identifier overflow", "identifier overflow",
"template nesting overflow", "template nesting overflow",
"bracket nesting overflow", "bracket nesting overflow",
"scope nesting overflow", "scope nesting overflow",
"wrong closing symbol", "wrong closing symbol",
"ended in inner scope", "ended in inner scope",
"unknown" "unknown"
}; };
skipping to change at line 87 skipping to change at line 86
ptr = src_next; ptr = src_next;
return ret; return ret;
} }
HttpJsNorm::HttpJsNorm(const HttpParaList::UriParam& uri_param_, HttpJsNorm::HttpJsNorm(const HttpParaList::UriParam& uri_param_,
const HttpParaList::JsNormParam& js_norm_param_) : const HttpParaList::JsNormParam& js_norm_param_) :
uri_param(uri_param_), uri_param(uri_param_),
js_norm_param(js_norm_param_), js_norm_param(js_norm_param_),
detection_depth(UINT64_MAX),
mpse_otag(nullptr), mpse_otag(nullptr),
mpse_attr(nullptr), mpse_attr(nullptr),
mpse_type(nullptr) mpse_type(nullptr)
{} {}
HttpJsNorm::~HttpJsNorm() HttpJsNorm::~HttpJsNorm()
{ {
delete mpse_otag; delete mpse_otag;
delete mpse_attr; delete mpse_attr;
delete mpse_type; delete mpse_type;
skipping to change at line 113 skipping to change at line 111
return; return;
mpse_otag = new SearchTool; mpse_otag = new SearchTool;
mpse_attr = new SearchTool; mpse_attr = new SearchTool;
mpse_type = new SearchTool; mpse_type = new SearchTool;
static constexpr const char* otag_start = "<SCRIPT"; static constexpr const char* otag_start = "<SCRIPT";
static constexpr const char* attr_slash = "/"; static constexpr const char* attr_slash = "/";
static constexpr const char* attr_gt = ">"; static constexpr const char* attr_gt = ">";
static constexpr const char* attr_src = "SRC"; static constexpr const char* attr_src = "SRC";
static constexpr const char* attr_js1 = "JAVASCRIPT";
static constexpr const char* attr_js2 = "ECMASCRIPT"; static constexpr const char* attr_js = "JAVASCRIPT"; // legacy only
static constexpr const char* attr_vb = "VBSCRIPT"; static constexpr const char* attr_ecma = "ECMASCRIPT"; // legacy only
static constexpr const char* attr_vb = "VBSCRIPT"; // legacy only
static constexpr const size_t attrs_js_size = 15;
static constexpr const char* attrs_js[attrs_js_size] =
{
"APPLICATION/JAVASCRIPT",
"APPLICATION/ECMASCRIPT",
"APPLICATION/X-JAVASCRIPT",
"APPLICATION/X-ECMASCRIPT",
"TEXT/JAVASCRIPT",
"TEXT/JAVASCRIPT1.0",
"TEXT/JAVASCRIPT1.1",
"TEXT/JAVASCRIPT1.2",
"TEXT/JAVASCRIPT1.3",
"TEXT/JAVASCRIPT1.4",
"TEXT/JAVASCRIPT1.5",
"TEXT/ECMASCRIPT",
"TEXT/X-JAVASCRIPT",
"TEXT/X-ECMASCRIPT",
"TEXT/JSCRIPT"
};
static constexpr const size_t attrs_non_js_size = 2;
static constexpr const char* attrs_non_js[attrs_non_js_size] =
{
"TEXT/VBSCRIPT",
"APPLICATION/JSON"
};
mpse_otag->add(otag_start, strlen(otag_start), 0); mpse_otag->add(otag_start, strlen(otag_start), 0);
mpse_attr->add(attr_slash, strlen(attr_slash), AID_SLASH); mpse_attr->add(attr_slash, strlen(attr_slash), AID_SLASH);
mpse_attr->add(attr_gt, strlen(attr_gt), AID_GT); mpse_attr->add(attr_gt, strlen(attr_gt), AID_GT);
mpse_attr->add(attr_src, strlen(attr_src), AID_SRC); mpse_attr->add(attr_src, strlen(attr_src), AID_SRC);
mpse_attr->add(attr_js1, strlen(attr_js1), AID_JS);
mpse_attr->add(attr_js2, strlen(attr_js2), AID_ECMA); for (unsigned i = 0; i < attrs_js_size; ++i)
mpse_attr->add(attr_vb, strlen(attr_vb), AID_VB); mpse_attr->add(attrs_js[i], strlen(attrs_js[i]), AID_JS);
mpse_type->add(attr_js1, strlen(attr_js1), AID_JS);
mpse_type->add(attr_js2, strlen(attr_js2), AID_ECMA); for (unsigned i = 0; i < attrs_non_js_size; ++i)
mpse_attr->add(attrs_non_js[i], strlen(attrs_non_js[i]), AID_NON_JS);
mpse_type->add(attr_js, strlen(attr_js), AID_JS);
mpse_type->add(attr_ecma, strlen(attr_ecma), AID_ECMA);
mpse_type->add(attr_vb, strlen(attr_vb), AID_VB); mpse_type->add(attr_vb, strlen(attr_vb), AID_VB);
mpse_otag->prep(); mpse_otag->prep();
mpse_attr->prep(); mpse_attr->prep();
mpse_type->prep(); mpse_type->prep();
configure_once = true; configure_once = true;
} }
void HttpJsNorm::do_external(const Field& input, Field& output, void HttpJsNorm::do_external(const Field& input, Field& output,
skipping to change at line 176 skipping to change at line 207
{ {
case JSTokenizer::EOS: case JSTokenizer::EOS:
case JSTokenizer::SCRIPT_CONTINUE: case JSTokenizer::SCRIPT_CONTINUE:
break; break;
case JSTokenizer::SCRIPT_ENDED: case JSTokenizer::SCRIPT_ENDED:
case JSTokenizer::CLOSING_TAG: case JSTokenizer::CLOSING_TAG:
*infractions += INF_JS_CLOSING_TAG; *infractions += INF_JS_CLOSING_TAG;
events->create_event(EVENT_JS_CLOSING_TAG); events->create_event(EVENT_JS_CLOSING_TAG);
ssn->js_built_in_event = true; ssn->js_built_in_event = true;
break; break;
case JSTokenizer::OPENING_TAG:
*infractions += INF_JS_OPENING_TAG;
events->create_event(EVENT_JS_OPENING_TAG);
ssn->js_built_in_event = true;
break;
case JSTokenizer::BAD_TOKEN: case JSTokenizer::BAD_TOKEN:
case JSTokenizer::WRONG_CLOSING_SYMBOL: case JSTokenizer::WRONG_CLOSING_SYMBOL:
case JSTokenizer::ENDED_IN_INNER_SCOPE: case JSTokenizer::ENDED_IN_INNER_SCOPE:
*infractions += INF_JS_BAD_TOKEN; *infractions += INF_JS_BAD_TOKEN;
events->create_event(EVENT_JS_BAD_TOKEN); events->create_event(EVENT_JS_BAD_TOKEN);
ssn->js_built_in_event = true; ssn->js_built_in_event = true;
break; break;
case JSTokenizer::IDENTIFIER_OVERFLOW: case JSTokenizer::IDENTIFIER_OVERFLOW:
HttpModule::increment_peg_counts(PEG_JS_IDENTIFIER_OVERFLOW); HttpModule::increment_peg_counts(PEG_JS_IDENTIFIER_OVERFLOW);
*infractions += INF_JS_IDENTIFIER_OVERFLOW; *infractions += INF_JS_IDENTIFIER_OVERFLOW;
skipping to change at line 228 skipping to change at line 254
events->create_event(EVENT_MIXED_ENCODINGS); events->create_event(EVENT_MIXED_ENCODINGS);
} }
if (ssn->js_built_in_event) if (ssn->js_built_in_event)
break; break;
} }
debug_logf(4, http_trace, TRACE_JS_PROC, current_packet, debug_logf(4, http_trace, TRACE_JS_PROC, current_packet,
"input data was %s\n", final_portion ? "last one in PDU" : "a part of PD U"); "input data was %s\n", final_portion ? "last one in PDU" : "a part of PD U");
uint32_t data_len = std::min(detection_depth, js_ctx.script_size()); uint32_t data_len = js_ctx.script_size();
if (data_len) if (data_len)
{ {
const char* data = final_portion ? js_ctx.take_script() : js_ctx.get_scr ipt(); const char* data = final_portion ? js_ctx.take_script() : js_ctx.get_scr ipt();
if (data) if (data)
{ {
trace_logf(1, http_trace, TRACE_JS_DUMP, current_packet, trace_logf(1, http_trace, TRACE_JS_DUMP, current_packet,
"js_data[%u]: %.*s\n", data_len, data_len, data); "js_data[%u]: %.*s\n", data_len, data_len, data);
skipping to change at line 316 skipping to change at line 342
switch (ret) switch (ret)
{ {
case JSTokenizer::EOS: case JSTokenizer::EOS:
js_ctx.reset_depth(); js_ctx.reset_depth();
break; break;
case JSTokenizer::SCRIPT_ENDED: case JSTokenizer::SCRIPT_ENDED:
break; break;
case JSTokenizer::SCRIPT_CONTINUE: case JSTokenizer::SCRIPT_CONTINUE:
break; break;
case JSTokenizer::OPENING_TAG:
*infractions += INF_JS_OPENING_TAG;
events->create_event(EVENT_JS_OPENING_TAG);
break;
case JSTokenizer::CLOSING_TAG: case JSTokenizer::CLOSING_TAG:
*infractions += INF_JS_CLOSING_TAG; *infractions += INF_JS_CLOSING_TAG;
events->create_event(EVENT_JS_CLOSING_TAG); events->create_event(EVENT_JS_CLOSING_TAG);
break; break;
case JSTokenizer::BAD_TOKEN: case JSTokenizer::BAD_TOKEN:
case JSTokenizer::WRONG_CLOSING_SYMBOL: case JSTokenizer::WRONG_CLOSING_SYMBOL:
case JSTokenizer::ENDED_IN_INNER_SCOPE: case JSTokenizer::ENDED_IN_INNER_SCOPE:
*infractions += INF_JS_BAD_TOKEN; *infractions += INF_JS_BAD_TOKEN;
events->create_event(EVENT_JS_BAD_TOKEN); events->create_event(EVENT_JS_BAD_TOKEN);
break; break;
skipping to change at line 364 skipping to change at line 386
if (js_ctx.is_unescape_nesting_seen()) if (js_ctx.is_unescape_nesting_seen())
{ {
*infractions += INF_JS_OBFUSCATION_EXCD; *infractions += INF_JS_OBFUSCATION_EXCD;
events->create_event(EVENT_JS_OBFUSCATION_EXCD); events->create_event(EVENT_JS_OBFUSCATION_EXCD);
} }
if (js_ctx.is_mixed_encoding_seen()) if (js_ctx.is_mixed_encoding_seen())
{ {
*infractions += INF_MIXED_ENCODINGS; *infractions += INF_MIXED_ENCODINGS;
events->create_event(EVENT_MIXED_ENCODINGS); events->create_event(EVENT_MIXED_ENCODINGS);
} }
if (js_ctx.is_opening_tag_seen())
{
*infractions += INF_JS_OPENING_TAG;
events->create_event(EVENT_JS_OPENING_TAG);
}
script_continue = ret == JSTokenizer::SCRIPT_CONTINUE; script_continue = ret == JSTokenizer::SCRIPT_CONTINUE;
} }
ssn->js_continue = script_continue; ssn->js_continue = script_continue;
if (!alive_ctx(ssn)) if (!alive_ctx(ssn))
return; return;
debug_logf(4, http_trace, TRACE_JS_PROC, current_packet, debug_logf(4, http_trace, TRACE_JS_PROC, current_packet,
"input data was %s\n", final_portion ? "last one in PDU" : "a part of PD U"); "input data was %s\n", final_portion ? "last one in PDU" : "a part of PD U");
auto js_ctx = ssn->js_normalizer; auto js_ctx = ssn->js_normalizer;
uint32_t data_len = std::min(detection_depth, js_ctx->script_size()); uint32_t data_len = js_ctx->script_size();
if (data_len) if (data_len)
{ {
const char* data = final_portion ? js_ctx->take_script() : js_ctx->get_s cript(); const char* data = final_portion ? js_ctx->take_script() : js_ctx->get_s cript();
if (data) if (data)
{ {
trace_logf(1, http_trace, TRACE_JS_DUMP, current_packet, trace_logf(1, http_trace, TRACE_JS_DUMP, current_packet,
"js_data[%u]: %.*s\n", data_len, data_len, data); "js_data[%u]: %.*s\n", data_len, data_len, data);
skipping to change at line 564 skipping to change at line 591
case AID_SRC: case AID_SRC:
c = ctx->next + index; c = ctx->next + index;
while (*c == ' ') c++; while (*c == ' ') c++;
ctx->is_external = ctx->is_external || *c == '='; ctx->is_external = ctx->is_external || *c == '=';
return 0; return 0;
case AID_JS: case AID_JS:
ctx->is_javascript = true; ctx->is_javascript = true;
return 0; return 0;
case AID_ECMA: case AID_NON_JS:
ctx->is_javascript = true;
return 0;
case AID_VB:
ctx->is_javascript = false; ctx->is_javascript = false;
return 0; return 0;
default: default:
assert(false); assert(false);
ctx->is_external = false; ctx->is_external = false;
ctx->is_javascript = false; ctx->is_javascript = false;
return 1; return 1;
} }
} }
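Review bot: In the attribute-match switch (`case AID_JS:` / `case AID_NON_JS:`), `ctx->is_javascript` is overwritten on every hit and both cases return 0, so when one opening tag contains strings from both `attrs_js` and `attrs_non_js` the classification is decided by whichever pattern matched last, not by the tag's actual `type` value. A false result presumably keeps the script body out of the normalizer, so this order dependence is a potential detection gap and should be either removed or made explicit. At minimum I would add `// last match wins: a later AID_JS/AID_NON_JS hit overrides an earlier one` above `case AID_NON_JS:` and a unit test with both kinds of string in one tag; a sturdier option is to honour the non-JS patterns only inside the `type` attribute value. The switch's enclosing function begins outside the lines shown, as does the code that consumes its return value, so the continue-on-0 behaviour is inferred.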
 End of changes. 11 change blocks. 
26 lines changed or deleted 49 lines changed or added
