Skip to content

Commit ad3f5a5

Browse files
jowg-amazonjowg-amazon
authored
Add throw for empty strings in rules with modifier contains, startwith, and endswith (#860) (#896)
* add validation for empty strings with contains, startswith and endswith modifiers * throw exception if empty string with contains, startswith, or endswith * change var name * add modifiers to log --------- Signed-off-by: Joanne Wang <[email protected]>
1 parent 26c06e7 commit ad3f5a5

File tree

2 files changed

+81
-1
lines changed

2 files changed

+81
-1
lines changed

src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionItem.java

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@
1818
import org.opensearch.securityanalytics.rules.modifiers.SigmaModifierFacade;
1919
import org.opensearch.securityanalytics.rules.modifiers.SigmaValueModifier;
2020
import org.opensearch.securityanalytics.rules.types.SigmaNull;
21+
import org.opensearch.securityanalytics.rules.types.SigmaString;
2122
import org.opensearch.securityanalytics.rules.types.SigmaType;
2223
import org.opensearch.securityanalytics.rules.types.SigmaTypeFacade;
2324
import org.opensearch.securityanalytics.rules.utils.AnyOneOf;
@@ -111,7 +112,14 @@ public static <T> SigmaDetectionItem fromMapping(String key, Either<T, List<T>>
111112

112113
List<SigmaType> sigmaTypes = new ArrayList<>();
113114
for (T v: values) {
114-
sigmaTypes.add(SigmaTypeFacade.sigmaType(v));
115+
SigmaType sigmaType = SigmaTypeFacade.sigmaType(v);
116+
// throws an error if sigmaType is an empty string and the modifier is "contains" or "startswith" or "endswith"
117+
boolean invalidModifierWithEmptyString = modifierIds.contains("contains") || modifierIds.contains("startswith") || modifierIds.contains("endswith");
118+
if (sigmaType.getClass().equals(SigmaString.class) && v.toString().isEmpty() && invalidModifierWithEmptyString) {
119+
throw new SigmaValueError("Cannot create rule with empty string and given modifier(s): " + modifierIds);
120+
} else {
121+
sigmaTypes.add(sigmaType);
122+
}
115123
}
116124

117125
return new SigmaDetectionItem(field, modifiers, sigmaTypes, null, null, true);

src/test/java/org/opensearch/securityanalytics/rules/backend/QueryBackendTests.java

Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -907,6 +907,78 @@ public void testConvertUnboundValuesAsWildcard() throws IOException, SigmaError
907907
Assert.assertEquals("((mappedA: \"value1\") OR (mappedA: \"value2\") OR (mappedA: \"value3\")) OR (test*)", queries.get(0).toString());
908908
}
909909

910+
public void testConvertSkipEmptyStringStartsWithModifier() throws IOException, SigmaError {
911+
OSQueryBackend queryBackend = testBackend();
912+
Assert.assertThrows(SigmaValueError.class, () -> {
913+
queryBackend.convertRule(SigmaRule.fromYaml(
914+
" title: Test\n" +
915+
" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
916+
" status: test\n" +
917+
" level: critical\n" +
918+
" description: Detects QuarksPwDump clearing access history in hive\n" +
919+
" author: Florian Roth\n" +
920+
" date: 2017/05/15\n" +
921+
" logsource:\n" +
922+
" category: test_category\n" +
923+
" product: test_product\n" +
924+
" detection:\n" +
925+
" sel:\n" +
926+
" fieldA1|startswith: \n" +
927+
" - value1\n" +
928+
" - value2\n" +
929+
" - ''\n" +
930+
" condition: sel", false));
931+
});
932+
}
933+
934+
public void testConvertSkipEmptyStringEndsWithModifier() throws IOException, SigmaError {
935+
OSQueryBackend queryBackend = testBackend();
936+
Assert.assertThrows(SigmaValueError.class, () -> {
937+
queryBackend.convertRule(SigmaRule.fromYaml(
938+
" title: Test\n" +
939+
" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
940+
" status: test\n" +
941+
" level: critical\n" +
942+
" description: Detects QuarksPwDump clearing access history in hive\n" +
943+
" author: Florian Roth\n" +
944+
" date: 2017/05/15\n" +
945+
" logsource:\n" +
946+
" category: test_category\n" +
947+
" product: test_product\n" +
948+
" detection:\n" +
949+
" sel:\n" +
950+
" fieldA1|endswith: \n" +
951+
" - value1\n" +
952+
" - value2\n" +
953+
" - ''\n" +
954+
" condition: sel", false));
955+
});
956+
}
957+
958+
public void testConvertSkipEmptyStringContainsModifier() throws IOException, SigmaError {
959+
OSQueryBackend queryBackend = testBackend();
960+
Assert.assertThrows(SigmaValueError.class, () -> {
961+
queryBackend.convertRule(SigmaRule.fromYaml(
962+
" title: Test\n" +
963+
" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
964+
" status: test\n" +
965+
" level: critical\n" +
966+
" description: Detects QuarksPwDump clearing access history in hive\n" +
967+
" author: Florian Roth\n" +
968+
" date: 2017/05/15\n" +
969+
" logsource:\n" +
970+
" category: test_category\n" +
971+
" product: test_product\n" +
972+
" detection:\n" +
973+
" sel:\n" +
974+
" fieldA1|contains: \n" +
975+
" - value1\n" +
976+
" - value2\n" +
977+
" - ''\n" +
978+
" condition: sel", false));
979+
});
980+
}
981+
910982
private OSQueryBackend testBackend() throws IOException {
911983
return new OSQueryBackend(testFieldMapping, false, true);
912984
}

0 commit comments

Comments
 (0)