Skip to content

Add throw for empty strings in rules with modifier contains, startwith, and endswith #860

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Mar 6, 2024
Merged

Add throw for empty strings in rules with modifier contains, startwith, and endswith #860

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6093bdb
add validation for empty strings with contains, startswith and endswi…
jowg-amazon Feb 16, 2024
460f406
throw exception if empty string with contains, startswith, or endswith
jowg-amazon Feb 17, 2024
db4a584
change var name
jowg-amazon Feb 17, 2024
b1bf251
add modifiers to log
jowg-amazon Feb 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionItem.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
import org.opensearch.securityanalytics.rules.modifiers.SigmaModifierFacade;
import org.opensearch.securityanalytics.rules.modifiers.SigmaValueModifier;
import org.opensearch.securityanalytics.rules.types.SigmaNull;
import org.opensearch.securityanalytics.rules.types.SigmaString;
import org.opensearch.securityanalytics.rules.types.SigmaType;
import org.opensearch.securityanalytics.rules.types.SigmaTypeFacade;
import org.opensearch.securityanalytics.rules.utils.AnyOneOf;
Expand Down Expand Up @@ -111,7 +112,14 @@ public static <T> SigmaDetectionItem fromMapping(String key, Either<T, List<T>>

List<SigmaType> sigmaTypes = new ArrayList<>();
for (T v: values) {
sigmaTypes.add(SigmaTypeFacade.sigmaType(v));
SigmaType sigmaType = SigmaTypeFacade.sigmaType(v);
// throws an error if sigmaType is an empty string and the modifier is "contains" or "startswith" or "endswith"
boolean invalidModifierWithEmptyString = modifierIds.contains("contains") || modifierIds.contains("startswith") || modifierIds.contains("endswith");
if (sigmaType.getClass().equals(SigmaString.class) && v.toString().isEmpty() && invalidModifierWithEmptyString) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What will happen to the other values? Should we skip the empty strings and use values which are present in the list?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We decided to throw an exception instead of skipping the empty string here because if we allowed the rule creation to go through, the empty string would still appear in the rule itself but could not be turned into a meaningful/correct query.

Instead we added additional parsing logic on the front end to ensure that empty strings get parsed out when creating a rule from the UI. This PR is an additional check if the rule gets created from the API directly.

throw new SigmaValueError("Cannot create rule with empty string and given modifier(s)");
} else {
sigmaTypes.add(sigmaType);
}
}

return new SigmaDetectionItem(field, modifiers, sigmaTypes, null, null, true);
Expand Down
72 changes: 72 additions & 0 deletions src/test/java/org/opensearch/securityanalytics/rules/backend/QueryBackendTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -907,6 +907,78 @@ public void testConvertUnboundValuesAsWildcard() throws IOException, SigmaError
Assert.assertEquals("((mappedA: \"value1\") OR (mappedA: \"value2\") OR (mappedA: \"value3\")) OR (test*)", queries.get(0).toString());
}

public void testConvertSkipEmptyStringStartsWithModifier() throws IOException, SigmaError {
OSQueryBackend queryBackend = testBackend();
Assert.assertThrows(SigmaValueError.class, () -> {
queryBackend.convertRule(SigmaRule.fromYaml(
" title: Test\n" +
" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
" status: test\n" +
" level: critical\n" +
" description: Detects QuarksPwDump clearing access history in hive\n" +
" author: Florian Roth\n" +
" date: 2017/05/15\n" +
" logsource:\n" +
" category: test_category\n" +
" product: test_product\n" +
" detection:\n" +
" sel:\n" +
" fieldA1|startswith: \n" +
" - value1\n" +
" - value2\n" +
" - ''\n" +
" condition: sel", false));
});
}

public void testConvertSkipEmptyStringEndsWithModifier() throws IOException, SigmaError {
OSQueryBackend queryBackend = testBackend();
Assert.assertThrows(SigmaValueError.class, () -> {
queryBackend.convertRule(SigmaRule.fromYaml(
" title: Test\n" +
" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
" status: test\n" +
" level: critical\n" +
" description: Detects QuarksPwDump clearing access history in hive\n" +
" author: Florian Roth\n" +
" date: 2017/05/15\n" +
" logsource:\n" +
" category: test_category\n" +
" product: test_product\n" +
" detection:\n" +
" sel:\n" +
" fieldA1|endswith: \n" +
" - value1\n" +
" - value2\n" +
" - ''\n" +
" condition: sel", false));
});
}

public void testConvertSkipEmptyStringContainsModifier() throws IOException, SigmaError {
OSQueryBackend queryBackend = testBackend();
Assert.assertThrows(SigmaValueError.class, () -> {
queryBackend.convertRule(SigmaRule.fromYaml(
" title: Test\n" +
" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
" status: test\n" +
" level: critical\n" +
" description: Detects QuarksPwDump clearing access history in hive\n" +
" author: Florian Roth\n" +
" date: 2017/05/15\n" +
" logsource:\n" +
" category: test_category\n" +
" product: test_product\n" +
" detection:\n" +
" sel:\n" +
" fieldA1|contains: \n" +
" - value1\n" +
" - value2\n" +
" - ''\n" +
" condition: sel", false));
});
}

private OSQueryBackend testBackend() throws IOException {
return new OSQueryBackend(testFieldMapping, false, true);
}
Expand Down