23374838686

Committed 21 Mar 2026 07:29AM UTC coverage: 59.341% (-20.0%) from 79.315%

Build # 23374838686

Build Type

Pull #15075

github

Committed by

web-flow

Commit Message

Merge 90b4e834f into 6587e363a

Pull Request Pull Request #15075: Stack 8001 v16.4

Coverage Stats

38 of 70 new or added lines in 10 files covered. (54.29%)

34165 existing lines in 563 files now uncovered.

119621 of 201584 relevant lines covered (59.34%)

650666.92 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

76.92

/rust/src/detect/transforms/urldecode.rs

/* Copyright (C) 2024 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

use crate::detect::SIGMATCH_NOOPT;
use suricata_sys::sys::{
    DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
    SCDetectSignatureAddTransform, SCInspectionBufferCheckAndExpand, SCInspectionBufferTruncate,
    SCTransformTableElmt, Signature,
};

use std::os::raw::{c_int, c_void};
use std::ptr;

static mut G_TRANSFORM_URL_DECODE_ID: c_int = 0;

unsafe extern "C" fn url_decode_setup(
    _de: *mut DetectEngineCtx, s: *mut Signature, _opt: *const std::os::raw::c_char,
) -> c_int {
    return SCDetectSignatureAddTransform(s, G_TRANSFORM_URL_DECODE_ID, ptr::null_mut());
}

fn hex_value(i: u8) -> Option<u8> {
    match i {
        0x30..=0x39 => Some(i - 0x30),
        0x41..=0x46 => Some(i - 0x41 + 10),
        0x61..=0x66 => Some(i - 0x61 + 10),
        _ => None,
    }
}
fn url_decode_transform_do(input: &[u8], output: &mut [u8]) -> u32 {
    let mut state = (0u8, 0u8);
    let mut nb = 0;
    for &i in input.iter() {
        if state.0 > 0 {
            if let Some(v) = hex_value(i) {
                if state.0 == 1 {
                    state = (2, i);
                } else {
                    output[nb] = v | (hex_value(state.1).unwrap() << 4);
                    nb += 1;
                    state = (0u8, 0u8);
                }
            } else {
                output[nb] = b'%';
                nb += 1;
                if state.0 > 1 {
                    output[nb] = state.1;
                    nb += 1;
                }
                output[nb] = i;
                nb += 1;
                state = (0u8, 0u8);
            }
        } else if i == b'%' {
            state = (1u8, 0u8);
        } else {
            if i == b'+' {
                output[nb] = b' ';
            } else {
                output[nb] = i;
            }
            nb += 1;
        }
    }
    if state.0 > 0 {
        output[nb] = b'%';
        nb += 1;
        if state.0 == 2 {
            output[nb] = state.1;
            nb += 1;
        }
    }
    return nb as u32;
}

unsafe extern "C" fn url_decode_transform(
    _det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
    let input = (*buffer).inspect;
    let input_len = (*buffer).inspect_len;
    if input.is_null() || input_len == 0 {
        return;
    }
    let input = build_slice!(input, input_len as usize);

    let output = SCInspectionBufferCheckAndExpand(buffer, input_len);
    if output.is_null() {
        // allocation failure
        return;
    }
    let output = std::slice::from_raw_parts_mut(output, input_len as usize);

    let out_len = url_decode_transform_do(input, output);

    SCInspectionBufferTruncate(buffer, out_len);
}

#[no_mangle]
pub unsafe extern "C" fn DetectTransformUrlDecodeRegister() {
    let kw = SCTransformTableElmt {
        name: b"url_decode\0".as_ptr() as *const libc::c_char,
        desc: b"modify buffer to decode urlencoded data before inspection\0".as_ptr()
            as *const libc::c_char,
        url: b"/rules/transforms.html#url-decode\0".as_ptr() as *const libc::c_char,
        Setup: Some(url_decode_setup),
        flags: SIGMATCH_NOOPT,
        Transform: Some(url_decode_transform),
        Free: None,
        TransformValidate: None,
        TransformId: None,
    };
    G_TRANSFORM_URL_DECODE_ID = SCDetectHelperTransformRegister(&kw);
    if G_TRANSFORM_URL_DECODE_ID < 0 {
        SCLogWarning!("Failed registering transform dot_prefix");
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_url_decode_transform() {
        let mut buf = Vec::new();
        buf.extend_from_slice(b"Suricata%20is+%27%61wesome%21%27%25%30%30%ZZ%4");
        let mut out = vec![0; buf.len()];
        let nb = url_decode_transform_do(&buf, &mut out);
        assert_eq!(&out[..nb as usize], b"Suricata is 'awesome!'%00%ZZ%4");
        // test in place
        let still_buf = unsafe { std::slice::from_raw_parts(buf.as_ptr(), buf.len()) };
        let nb = url_decode_transform_do(still_buf, &mut buf);
        assert_eq!(&still_buf[..nb as usize], b"Suricata is 'awesome!'%00%ZZ%4");
    }
}

1	/* Copyright (C) 2024 Open Information Security Foundation
2	*
3	* You can copy, redistribute or modify this Program under the terms of
4	* the GNU General Public License version 2 as published by the Free
5	* Software Foundation.
6	*
7	* This program is distributed in the hope that it will be useful,
8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10	* GNU General Public License for more details.
11	*
12	* You should have received a copy of the GNU General Public License
13	* version 2 along with this program; if not, write to the Free Software
14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15	* 02110-1301, USA.
16	*/
17
18	use crate::detect::SIGMATCH_NOOPT;
19	use suricata_sys::sys::{
20	DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
21	SCDetectSignatureAddTransform, SCInspectionBufferCheckAndExpand, SCInspectionBufferTruncate,
22	SCTransformTableElmt, Signature,
23	};
24
25	use std::os::raw::{c_int, c_void};
26	use std::ptr;
27
28	static mut G_TRANSFORM_URL_DECODE_ID: c_int = 0;
29
30	unsafe extern "C" fn url_decode_setup(	14,146✔
31	_de: mut DetectEngineCtx, s: mut Signature, _opt: *const std::os::raw::c_char,	14,146✔
32	) -> c_int {	14,146✔
33	return SCDetectSignatureAddTransform(s, G_TRANSFORM_URL_DECODE_ID, ptr::null_mut());	14,146✔
34	}	14,146✔
35
36	fn hex_value(i: u8) -> Option<u8> {	51✔
37	match i {	51✔
38	0x30..=0x39 => Some(i - 0x30),	51✔
39	0x41..=0x46 => Some(i - 0x41 + 10),	12✔
40	0x61..=0x66 => Some(i - 0x61 + 10),	×
UNCOV 41	_ => None,	×
42	}
43	}	51✔
44	fn url_decode_transform_do(input: &[u8], output: &mut [u8]) -> u32 {	259✔
45	let mut state = (0u8, 0u8);	259✔
46	let mut nb = 0;	259✔
47	for &i in input.iter() {	38,990✔
48	if state.0 > 0 {	38,990✔
49	if let Some(v) = hex_value(i) {	34✔
50	if state.0 == 1 {	34✔
51	state = (2, i);	17✔
52	} else {	17✔
53	output[nb] = v \| (hex_value(state.1).unwrap() << 4);	17✔
54	nb += 1;	17✔
55	state = (0u8, 0u8);	17✔
56	}	17✔
57	} else {
UNCOV 58	output[nb] = b'%';	×
UNCOV 59	nb += 1;	×
UNCOV 60	if state.0 > 1 {	×
61	output[nb] = state.1;	×
62	nb += 1;	×
UNCOV 63	}	×
UNCOV 64	output[nb] = i;	×
UNCOV 65	nb += 1;	×
UNCOV 66	state = (0u8, 0u8);	×
67	}
68	} else if i == b'%' {	38,956✔
69	state = (1u8, 0u8);	17✔
70	} else {	17✔
71	if i == b'+' {	38,939✔
UNCOV 72	output[nb] = b' ';	×
73	} else {	38,939✔
74	output[nb] = i;	38,939✔
75	}	38,939✔
76	nb += 1;	38,939✔
77	}
78	}
79	if state.0 > 0 {	259✔
UNCOV 80	output[nb] = b'%';	×
UNCOV 81	nb += 1;	×
UNCOV 82	if state.0 == 2 {	×
UNCOV 83	output[nb] = state.1;	×
UNCOV 84	nb += 1;	×
UNCOV 85	}	×
86	}	259✔
87	return nb as u32;	259✔
88	}	259✔
89
90	unsafe extern "C" fn url_decode_transform(	259✔
91	_det: mut DetectEngineThreadCtx, buffer: mut InspectionBuffer, _ctx: *mut c_void,	259✔
92	) {	259✔
93	let input = (*buffer).inspect;	259✔
94	let input_len = (*buffer).inspect_len;	259✔
95	if input.is_null() \|\| input_len == 0 {	259✔
96	return;	×
97	}	259✔
98	let input = build_slice!(input, input_len as usize);	259✔
99		259✔
100	let output = SCInspectionBufferCheckAndExpand(buffer, input_len);	259✔
101	if output.is_null() {	259✔
102	// allocation failure
103	return;	×
104	}	259✔
105	let output = std::slice::from_raw_parts_mut(output, input_len as usize);	259✔
106		259✔
107	let out_len = url_decode_transform_do(input, output);	259✔
108		259✔
109	SCInspectionBufferTruncate(buffer, out_len);	259✔
110	}	259✔
111
112	#[no_mangle]
113	pub unsafe extern "C" fn DetectTransformUrlDecodeRegister() {	3✔
114	let kw = SCTransformTableElmt {	3✔
115	name: b"url_decode\0".as_ptr() as *const libc::c_char,	3✔
116	desc: b"modify buffer to decode urlencoded data before inspection\0".as_ptr()	3✔
117	as *const libc::c_char,	3✔
118	url: b"/rules/transforms.html#url-decode\0".as_ptr() as *const libc::c_char,	3✔
119	Setup: Some(url_decode_setup),	3✔
120	flags: SIGMATCH_NOOPT,	3✔
121	Transform: Some(url_decode_transform),	3✔
122	Free: None,	3✔
123	TransformValidate: None,	3✔
124	TransformId: None,	3✔
125	};	3✔
126	G_TRANSFORM_URL_DECODE_ID = SCDetectHelperTransformRegister(&kw);	3✔
127	if G_TRANSFORM_URL_DECODE_ID < 0 {	3✔
128	SCLogWarning!("Failed registering transform dot_prefix");	×
129	}	3✔
130	}	3✔
131
132	#[cfg(test)]
133	mod tests {
134	use super::*;
135
136	#[test]
137	fn test_url_decode_transform() {
138	let mut buf = Vec::new();
139	buf.extend_from_slice(b"Suricata%20is+%27%61wesome%21%27%25%30%30%ZZ%4");
140	let mut out = vec![0; buf.len()];
141	let nb = url_decode_transform_do(&buf, &mut out);
142	assert_eq!(&out[..nb as usize], b"Suricata is 'awesome!'%00%ZZ%4");
143	// test in place
144	let still_buf = unsafe { std::slice::from_raw_parts(buf.as_ptr(), buf.len()) };
145	let nb = url_decode_transform_do(still_buf, &mut buf);
146	assert_eq!(&still_buf[..nb as usize], b"Suricata is 'awesome!'%00%ZZ%4");
147	}
148	}

OISF / suricata / 23374838686

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous