suricata
detect-transform-urldecode.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Philippe Antoine <p.antoine@catenacyber.fr>
22  *
23  * Implements the url_decode transform keyword
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-engine.h"
31 #include "detect-parse.h"
33 
34 #include "util-unittest.h"
35 #include "util-print.h"
36 
37 static int DetectTransformUrlDecodeSetup (DetectEngineCtx *, Signature *, const char *);
38 #ifdef UNITTESTS
39 static void DetectTransformUrlDecodeRegisterTests(void);
40 #endif
41 
42 static void TransformUrlDecode(InspectionBuffer *buffer, void *options);
43 
45 {
48  "modify buffer to decode urlencoded data before inspection";
49  sigmatch_table[DETECT_TRANSFORM_URL_DECODE].url = "/rules/transforms.html#url-decode";
51  TransformUrlDecode;
53  DetectTransformUrlDecodeSetup;
54 #ifdef UNITTESTS
56  DetectTransformUrlDecodeRegisterTests;
57 #endif
58 
60 }
61 
62 /**
63  * \internal
64  * \brief Apply the transform keyword to the last pattern match
65  * \param det_ctx detection engine ctx
66  * \param s signature
67  * \param nullstr should be null
68  * \retval 0 ok
69  * \retval -1 failure
70  */
71 static int DetectTransformUrlDecodeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
72 {
73  SCEnter();
75  SCReturnInt(r);
76 }
77 
78 // util function so as to ease reuse sometimes
79 static bool BufferUrlDecode(const uint8_t *input, const uint32_t input_len, uint8_t *output, uint32_t *output_size)
80 {
81  bool changed = false;
82  uint8_t *oi = output;
83  //PrintRawDataFp(stdout, input, input_len);
84  for (uint32_t i = 0; i < input_len; i++) {
85  if (input[i] == '%') {
86  if (i + 2 < input_len) {
87  if ((isxdigit(input[i+1])) && (isxdigit(input[i+2]))) {
88  // Decode %HH encoding.
89  *oi = (input[i+1] >= 'A' ? ((input[i+1] & 0xdf) - 'A') + 10 : (input[i+1] - '0')) << 4;
90  *oi |= (input[i+2] >= 'A' ? ((input[i+2] & 0xdf) - 'A') + 10 : (input[i+2] - '0'));
91  oi++;
92  // one more increment before looping
93  i += 2;
94  changed = true;
95  } else {
96  // leaves incorrect percent
97  // does not handle unicode %u encoding
98  *oi++ = input[i];
99  }
100  } else {
101  // leaves trailing incomplete percent
102  *oi++ = input[i];
103  }
104  } else if (input[i] == '+') {
105  *oi++ = ' ';
106  changed = true;
107  } else {
108  *oi++ = input[i];
109  }
110  }
111  *output_size = oi - output;
112  return changed;
113 }
114 
115 static void TransformUrlDecode(InspectionBuffer *buffer, void *options)
116 {
117  uint32_t output_size;
118  bool changed;
119 
120  const uint8_t *input = buffer->inspect;
121  const uint32_t input_len = buffer->inspect_len;
122  uint8_t output[input_len]; // we can only shrink
123 
124  changed = BufferUrlDecode(input, input_len, output, &output_size);
125 
126  if (changed) {
127  InspectionBufferCopy(buffer, output, output_size);
128  }
129 }
130 
131 #ifdef UNITTESTS
132 static int DetectTransformUrlDecodeTest01(void)
133 {
134  const uint8_t *input = (const uint8_t *)"Suricata%20is+%27%61wesome%21%27%25%30%30%ZZ%4";
135  uint32_t input_len = strlen((char *)input);
136 
137  InspectionBuffer buffer;
138  InspectionBufferInit(&buffer, 8);
139  InspectionBufferSetup(&buffer, input, input_len);
140  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
141  TransformUrlDecode(&buffer, NULL);
142  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
143  FAIL_IF (buffer.inspect_len != strlen("Suricata is 'awesome!'%00%ZZ%4"));
144  FAIL_IF (memcmp(buffer.inspect, "Suricata is 'awesome!'%00%ZZ%4", buffer.inspect_len) != 0);
145  InspectionBufferFree(&buffer);
146  PASS;
147 }
148 
149 static int DetectTransformUrlDecodeTest02(void)
150 {
151  const char rule[] = "alert http any any -> any any (http.request_body; url_decode; content:\"mail=test@oisf.net\"; sid:1;)";
152  ThreadVars th_v;
153  DetectEngineThreadCtx *det_ctx = NULL;
154  memset(&th_v, 0, sizeof(th_v));
155 
159  FAIL_IF_NULL(s);
161  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
162  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
164  PASS;
165 }
166 
167 static void DetectTransformUrlDecodeRegisterTests(void)
168 {
169  UtRegisterTest("DetectTransformUrlDecodeTest01",
170  DetectTransformUrlDecodeTest01);
171  UtRegisterTest("DetectTransformUrlDecodeTest02",
172  DetectTransformUrlDecodeTest02);
173 }
174 #endif
SigTableElmt_::url
const char * url
Definition: detect.h:1214
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
SigTableElmt_::name
const char * name
Definition: detect.h:1211
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
InspectionBuffer
Definition: detect.h:344
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
DETECT_TRANSFORM_URL_DECODE
@ DETECT_TRANSFORM_URL_DECODE
Definition: detect-engine-register.h:299
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
detect-engine-prefilter.h
util-unittest.h
InspectionBufferInit
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
Definition: detect-engine.c:1110
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1888
InspectionBufferCopy
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
Definition: detect-engine.c:1156
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2361
DetectTransformUrlDecodeRegister
void DetectTransformUrlDecodeRegister(void)
Definition: detect-transform-urldecode.c:44
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1120
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SigTableElmt_::Transform
void(* Transform)(InspectionBuffer *, void *context)
Definition: detect.h:1192
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:347
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:345
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
DetectSignatureAddTransform
int DetectSignatureAddTransform(Signature *s, int transform, void *options)
Definition: detect-parse.c:1455
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1380
detect-transform-urldecode.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
InspectionBufferFree
void InspectionBufferFree(InspectionBuffer *buffer)
Definition: detect-engine.c:1127
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203