
Commit dff64c1

jowg-amazongithub-actions[bot]
authored andcommitted
Add throw for empty strings in rules with modifier contains, startwith, and endswith (#860)
* add validation for empty strings with contains, startswith and endswith modifiers Signed-off-by: Joanne Wang <[email protected]> * throw exception if empty string with contains, startswith, or endswith Signed-off-by: Joanne Wang <[email protected]> * change var name Signed-off-by: Joanne Wang <[email protected]> * add modifiers to log Signed-off-by: Joanne Wang <[email protected]> --------- Signed-off-by: Joanne Wang <[email protected]> (cherry picked from commit f4ee7bb)
1 parent 3428248 commit dff64c1

2 files changed

+81
-1
lines changed


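--- a/src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionItem.java
+++ b/src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionItem.java
@@ -18,6 +18,7 @@
 import org.opensearch.securityanalytics.rules.modifiers.SigmaModifierFacade;
 import org.opensearch.securityanalytics.rules.modifiers.SigmaValueModifier;
 import org.opensearch.securityanalytics.rules.types.SigmaNull;
+import org.opensearch.securityanalytics.rules.types.SigmaString;
 import org.opensearch.securityanalytics.rules.types.SigmaType;
 import org.opensearch.securityanalytics.rules.types.SigmaTypeFacade;
 import org.opensearch.securityanalytics.rules.utils.AnyOneOf;
@@ -111,7 +112,14 @@ public static <T> SigmaDetectionItem fromMapping(String key, Either<T, List<T>>
 
 List<SigmaType> sigmaTypes = new ArrayList<>();
 for (T v: values) {
-sigmaTypes.add(SigmaTypeFacade.sigmaType(v));
+SigmaType sigmaType = SigmaTypeFacade.sigmaType(v);
+// throws an error if sigmaType is an empty string and the modifier is "contains" or "startswith" or "endswith"
+boolean invalidModifierWithEmptyString = modifierIds.contains("contains") || modifierIds.contains("startswith") || modifierIds.contains("endswith");
+if (sigmaType.getClass().equals(SigmaString.class) && v.toString().isEmpty() && invalidModifierWithEmptyString) {
+throw new SigmaValueError("Cannot create rule with empty string and given modifier(s): " + modifierIds);
+} else {
+sigmaTypes.add(sigmaType);
+}
 }
 
 return new SigmaDetectionItem(field, modifiers, sigmaTypes, null, null, true);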
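Review bot: `invalidModifierWithEmptyString` is recomputed on every pass of the `for (T v: values)` loop even though it depends only on `modifierIds`, and the `else` after the `throw` is redundant; hoist the flag above the loop and add unconditionally after the guard: `boolean invalidModifierWithEmptyString = modifierIds.contains("contains") || modifierIds.contains("startswith") || modifierIds.contains("endswith");` before the loop, then `if (invalidModifierWithEmptyString && sigmaType instanceof SigmaString && v.toString().isEmpty()) { throw new SigmaValueError(...); }` followed by `sigmaTypes.add(sigmaType);`. `instanceof` also covers subclasses of `SigmaString`, whereas `getClass().equals` matches only the exact class — if the exact-class check is deliberate, a comment saying so would save the next reader the question. The message could also name the field (`field` is in scope on the return line), so that a rule with many detection items points the author at the offending one. `fromMapping` starts before this hunk and the declaration of `modifierIds` is not visible here.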

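--- a/src/test/java/org/opensearch/securityanalytics/rules/backend/QueryBackendTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/rules/backend/QueryBackendTests.java
@@ -901,6 +901,78 @@ public void testConvertUnboundValuesAsWildcard() throws IOException, SigmaError
 Assert.assertEquals("((mappedA: \"value1\") OR (mappedA: \"value2\") OR (mappedA: \"value3\")) OR (test*)", queries.get(0).toString());
 }
 
+public void testConvertSkipEmptyStringStartsWithModifier() throws IOException, SigmaError {
+OSQueryBackend queryBackend = testBackend();
+Assert.assertThrows(SigmaValueError.class, () -> {
+queryBackend.convertRule(SigmaRule.fromYaml(
+" title: Test\n" +
+" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
+" status: test\n" +
+" level: critical\n" +
+" description: Detects QuarksPwDump clearing access history in hive\n" +
+" author: Florian Roth\n" +
+" date: 2017/05/15\n" +
+" logsource:\n" +
+" category: test_category\n" +
+" product: test_product\n" +
+" detection:\n" +
+" sel:\n" +
+" fieldA1|startswith: \n" +
+" - value1\n" +
+" - value2\n" +
+" - ''\n" +
+" condition: sel", false));
+});
+}
+
+public void testConvertSkipEmptyStringEndsWithModifier() throws IOException, SigmaError {
+OSQueryBackend queryBackend = testBackend();
+Assert.assertThrows(SigmaValueError.class, () -> {
+queryBackend.convertRule(SigmaRule.fromYaml(
+" title: Test\n" +
+" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
+" status: test\n" +
+" level: critical\n" +
+" description: Detects QuarksPwDump clearing access history in hive\n" +
+" author: Florian Roth\n" +
+" date: 2017/05/15\n" +
+" logsource:\n" +
+" category: test_category\n" +
+" product: test_product\n" +
+" detection:\n" +
+" sel:\n" +
+" fieldA1|endswith: \n" +
+" - value1\n" +
+" - value2\n" +
+" - ''\n" +
+" condition: sel", false));
+});
+}
+
+public void testConvertSkipEmptyStringContainsModifier() throws IOException, SigmaError {
+OSQueryBackend queryBackend = testBackend();
+Assert.assertThrows(SigmaValueError.class, () -> {
+queryBackend.convertRule(SigmaRule.fromYaml(
+" title: Test\n" +
+" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
+" status: test\n" +
+" level: critical\n" +
+" description: Detects QuarksPwDump clearing access history in hive\n" +
+" author: Florian Roth\n" +
+" date: 2017/05/15\n" +
+" logsource:\n" +
+" category: test_category\n" +
+" product: test_product\n" +
+" detection:\n" +
+" sel:\n" +
+" fieldA1|contains: \n" +
+" - value1\n" +
+" - value2\n" +
+" - ''\n" +
+" condition: sel", false));
+});
+}
+
 private OSQueryBackend testBackend() throws IOException {
 return new OSQueryBackend("others_proxy", true, true);
 }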
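Review bot: The three new test names (`testConvertSkipEmptyStringStartsWithModifier` and its two siblings) say "Skip" while each body asserts that a `SigmaValueError` is thrown, so the names now describe the opposite of the checked behaviour; something like `testConvertThrowsOnEmptyStringWithStartsWithModifier` keeps the intent readable. There is also no case showing that an empty string without one of the three modifiers (or with a different one) still converts, so the guard is only tested for rejection and not against being over-broad; one positive-path test would pin that boundary. The three rule bodies differ only in the modifier token, so a small helper taking the modifier name and returning the YAML string would remove the duplicated fixture.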
