2008-07-25 07:25:36 +00:00
|
|
|
/*
|
|
|
|
|
* Unit tests for regular expression processing.
|
|
|
|
|
*
|
2022-01-06 16:53:44 -08:00
|
|
|
* Copyright (C) 2013-2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
2019-01-25 10:15:50 -05:00
|
|
|
* Copyright (C) 2008-2013 Sourcefire, Inc.
|
2008-07-25 07:25:36 +00:00
|
|
|
*
|
|
|
|
|
* Authors: Török Edvin
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
|
|
|
* MA 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
#if HAVE_CONFIG_H
|
|
|
|
|
#include "clamav-config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <limits.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <check.h>
|
CMake: Add CTest support to match Autotools checks
An ENABLE_TESTS CMake option is provided so that users can disable
testing if they don't want it. Instructions for how to use this
included in the INSTALL.cmake.md file.
If you run `ctest`, each testcase will write out a log file to the
<build>/unit_tests directory.
As with Autotools' make check, the test files are from test/.split
and unit_tests/.split files, but for CMake these are generated at
build time instead of at test time.
On Posix systems, sets the LD_LIBRARY_PATH so that ClamAV-compiled
libraries can be loaded when running tests.
On Windows systems, CTest will identify and collect all library
dependencies and assemble a temporarily install under the
build/unit_tests directory so that the libraries can be loaded when
running tests.
The same feature is used on Windows when using CMake to install to
collect all DLL dependencies so that users don't have to install them
manually afterwards.
Each of the CTest tests are run using a custom wrapper around Python's
unittest framework, which is also responsible for finding and inserting
valgrind into the valgrind tests on Posix systems.
Unlike with Autotools, the CMake CTest Valgrind-tests are enabled by
default, if Valgrind can be found. There's no need to set VG=1.
CTest's memcheck module is NOT supported, because we use Python to
orchestrate our tests.
Added a bunch of Windows compatibility changes to the unit tests.
These were primarily changing / to PATHSEP and making adjustments
to use Win32 C headers and ifdef out the POSIX ones which aren't
available on Windows. Also disabled a bunch of tests on Win32
that don't work on Windows, notably the mmap ones and FD-passing
(i.e. FILEDES) ones.
Add JSON_C_HAVE_INTTYPES_H definition to clamav-config.h to eliminate
warnings on Windows where json.h is included after inttypes.h because
json-c's inttypes replacement relies on it.
This is a it of a hack and may be removed if json-c fixes their
inttypes header stuff in the future.
Add preprocessor definitions on Windows to disable MSVC warnings about
CRT secure and nonstandard functions. While there may be a better
solution, this is needed to be able to see other more serious warnings.
Add missing file comment block and copyright statement for clamsubmit.c.
Also change json-c/json.h include filename to json.h in clamsubmit.c.
The directory name is not required.
Changed the hash table data integer type from long, which is poorly
defined, to size_t -- which is capable of storing a pointer. Fixed a
bunch of casts regarding this variable to eliminate warnings.
Fixed two bugs causing utf8 encoding unit tests to fail on Windows:
- The in_size variable should be the number of bytes, not the character
count. This was was causing the SHIFT_JIS (japanese codepage) to UTF8
transcoding test to only transcode half the bytes.
- It turns out that the MultiByteToWideChar() API can't transcode
UTF16-BE to UTF16-LE. The solution is to just iterate over the buffer
and flip the bytes on each uint16_t. This but was causing the UTF16-BE
to UTF8 tests to fail.
I also split up the utf8 transcoding tests into separate tests so I
could see all of the failures instead of just the first one.
Added a flags parameter to the unit test function to open testfiles
because it turns out that on Windows if a file contains the \r\n it will
replace it with just \n if you opened the file as a text file instead of
as binary. However, if we open the CBC files as binary, then a bunch of
bytecode tests fail. So I've changed the tests to open the CBC files in
the bytecode tests as text files and open all other files as binary.
Ported the feature tests from shell scripts to Python using a modified
version of our QA test-framework, which is largely compatible and will
allow us to migrate some QA tests into this repo. I'd like to add GitHub
Actions pipelines in the future so that all public PR's get some testing
before anyone has to manually review them.
The clamd --log option was missing from the help string, though it
definitely works. I've added it in this commit.
It appears that clamd.c was never clang-format'd, so this commit also
reformats clamd.c.
Some of the check_clamd tests expected the path returned by clamd to
match character for character with original path sent to clamd. However,
as we now evaluate real paths before a scan, the path returned by clamd
isn't going to match the relative (and possibly symlink-ridden) path
passed to clamdscan. I fixed this test by changing the test to search
for the basename: <signature> FOUND within the response instead of
matching the exact path.
Autotools: Link check_clamd with libclamav so we can use our utility
functions in check_clamd.c.
2020-08-25 23:14:23 -07:00
|
|
|
#include <fcntl.h>
|
2014-02-08 00:31:12 -05:00
|
|
|
|
Add CMake build tooling
This patch adds experimental-quality CMake build tooling.
The libmspack build required a modification to use "" instead of <> for
header #includes. This will hopefully be included in the libmspack
upstream project when adding CMake build tooling to libmspack.
Removed use of libltdl when using CMake.
Flex & Bison are now required to build.
If -DMAINTAINER_MODE, then GPERF is also required, though it currently
doesn't actually do anything. TODO!
I found that the autotools build system was generating the lexer output
but not actually compiling it, instead using previously generated (and
manually renamed) lexer c source. As a consequence, changes to the .l
and .y files weren't making it into the build. To resolve this, I
removed generated flex/bison files and fixed the tooling to use the
freshly generated files. Flex and bison are now required build tools.
On Windows, this adds a dependency on the winflexbison package,
which can be obtained using Chocolatey or may be manually installed.
CMake tooling only has partial support for building with external LLVM
library, and no support for the internal LLVM (to be removed in the
future). I.e. The CMake build currently only supports the bytecode
interpreter.
Many files used include paths relative to the top source directory or
relative to the current project, rather than relative to each build
target. Modern CMake support requires including internal dependency
headers the same way you would external dependency headers (albeit
with "" instead of <>). This meant correcting all header includes to
be relative to the build targets and not relative to the workspace.
For example, ...
```c
include "../libclamav/clamav.h"
include "clamd/clamd_others.h"
```
... becomes:
```c
// libclamav
include "clamav.h"
// clamd
include "clamd_others.h"
```
Fixes header name conflicts by renaming a few of the files.
Converted the "shared" code into a static library, which depends on
libclamav. The ironically named "shared" static library provides
features common to the ClamAV apps which are not required in
libclamav itself and are not intended for use by downstream projects.
This change was required for correct modern CMake practices but was
also required to use the automake "subdir-objects" option.
This eliminates warnings when running autoreconf which, in the next
version of autoconf & automake are likely to break the build.
libclamav used to build in multiple stages where an earlier stage is
a static library containing utils required by the "shared" code.
Linking clamdscan and clamdtop with this libclamav utils static lib
allowed these two apps to function without libclamav. While this is
nice in theory, the practical gains are minimal and it complicates
the build system. As such, the autotools and CMake tooling was
simplified for improved maintainability and this feature was thrown
out. clamdtop and clamdscan now require libclamav to function.
Removed the nopthreads version of the autotools
libclamav_internal_utils static library and added pthread linking to
a couple apps that may have issues building on some platforms without
it, with the intention of removing needless complexity from the
source. Kept the regular version of libclamav_internal_utils.la
though it is no longer used anywhere but in libclamav.
Added an experimental doxygen build option which attempts to build
clamav.h and libfreshclam doxygen html docs.
The CMake build tooling also may build the example program(s), which
isn't a feature in the Autotools build system.
Changed C standard to C90+ due to inline linking issues with socket.h
when linking libfreshclam.so on Linux.
Generate common.rc for win32.
Fix tabs/spaces in shared Makefile.am, and remove vestigial ifndef
from misc.c.
Add CMake files to the automake dist, so users can try the new
CMake tooling w/out having to build from a git clone.
clamonacc changes:
- Renamed FANOTIFY macro to HAVE_SYS_FANOTIFY_H to better match other
similar macros.
- Added a new clamav-clamonacc.service systemd unit file, based on
the work of ChadDevOps & Aaron Brighton.
- Added missing clamonacc man page.
Updates to clamdscan man page, add missing options.
Remove vestigial CL_NOLIBCLAMAV definitions (all apps now use
libclamav).
Rename Windows mspack.dll to libmspack.dll so all ClamAV-built
libraries have the lib-prefix with Visual Studio as with CMake.
2020-08-13 00:25:34 -07:00
|
|
|
// libclamav
|
|
|
|
|
#include "clamav.h"
|
|
|
|
|
#include "others.h"
|
|
|
|
|
#include "mbox.h"
|
|
|
|
|
#include "message.h"
|
|
|
|
|
#include "htmlnorm.h"
|
|
|
|
|
#include "phishcheck.h"
|
|
|
|
|
#include "regex_suffix.h"
|
|
|
|
|
#include "regex_list.h"
|
|
|
|
|
#include "phish_domaincheck_db.h"
|
2021-05-27 13:15:52 -07:00
|
|
|
#include "phish_allow_list.h"
|
Add CMake build tooling
This patch adds experimental-quality CMake build tooling.
The libmspack build required a modification to use "" instead of <> for
header #includes. This will hopefully be included in the libmspack
upstream project when adding CMake build tooling to libmspack.
Removed use of libltdl when using CMake.
Flex & Bison are now required to build.
If -DMAINTAINER_MODE, then GPERF is also required, though it currently
doesn't actually do anything. TODO!
I found that the autotools build system was generating the lexer output
but not actually compiling it, instead using previously generated (and
manually renamed) lexer c source. As a consequence, changes to the .l
and .y files weren't making it into the build. To resolve this, I
removed generated flex/bison files and fixed the tooling to use the
freshly generated files. Flex and bison are now required build tools.
On Windows, this adds a dependency on the winflexbison package,
which can be obtained using Chocolatey or may be manually installed.
CMake tooling only has partial support for building with external LLVM
library, and no support for the internal LLVM (to be removed in the
future). I.e. The CMake build currently only supports the bytecode
interpreter.
Many files used include paths relative to the top source directory or
relative to the current project, rather than relative to each build
target. Modern CMake support requires including internal dependency
headers the same way you would external dependency headers (albeit
with "" instead of <>). This meant correcting all header includes to
be relative to the build targets and not relative to the workspace.
For example, ...
```c
include "../libclamav/clamav.h"
include "clamd/clamd_others.h"
```
... becomes:
```c
// libclamav
include "clamav.h"
// clamd
include "clamd_others.h"
```
Fixes header name conflicts by renaming a few of the files.
Converted the "shared" code into a static library, which depends on
libclamav. The ironically named "shared" static library provides
features common to the ClamAV apps which are not required in
libclamav itself and are not intended for use by downstream projects.
This change was required for correct modern CMake practices but was
also required to use the automake "subdir-objects" option.
This eliminates warnings when running autoreconf which, in the next
version of autoconf & automake are likely to break the build.
libclamav used to build in multiple stages where an earlier stage is
a static library containing utils required by the "shared" code.
Linking clamdscan and clamdtop with this libclamav utils static lib
allowed these two apps to function without libclamav. While this is
nice in theory, the practical gains are minimal and it complicates
the build system. As such, the autotools and CMake tooling was
simplified for improved maintainability and this feature was thrown
out. clamdtop and clamdscan now require libclamav to function.
Removed the nopthreads version of the autotools
libclamav_internal_utils static library and added pthread linking to
a couple apps that may have issues building on some platforms without
it, with the intention of removing needless complexity from the
source. Kept the regular version of libclamav_internal_utils.la
though it is no longer used anywhere but in libclamav.
Added an experimental doxygen build option which attempts to build
clamav.h and libfreshclam doxygen html docs.
The CMake build tooling also may build the example program(s), which
isn't a feature in the Autotools build system.
Changed C standard to C90+ due to inline linking issues with socket.h
when linking libfreshclam.so on Linux.
Generate common.rc for win32.
Fix tabs/spaces in shared Makefile.am, and remove vestigial ifndef
from misc.c.
Add CMake files to the automake dist, so users can try the new
CMake tooling w/out having to build from a git clone.
clamonacc changes:
- Renamed FANOTIFY macro to HAVE_SYS_FANOTIFY_H to better match other
similar macros.
- Added a new clamav-clamonacc.service systemd unit file, based on
the work of ChadDevOps & Aaron Brighton.
- Added missing clamonacc man page.
Updates to clamdscan man page, add missing options.
Remove vestigial CL_NOLIBCLAMAV definitions (all apps now use
libclamav).
Rename Windows mspack.dll to libmspack.dll so all ClamAV-built
libraries have the lib-prefix with Visual Studio as with CMake.
2020-08-13 00:25:34 -07:00
|
|
|
|
2022-08-03 20:34:48 -07:00
|
|
|
#include "clamav_rust.h"
|
|
|
|
|
|
2008-07-25 07:25:36 +00:00
|
|
|
#include "checks.h"
|
|
|
|
|
|
2008-07-29 10:59:21 +00:00
|
|
|
static size_t cb_called = 0;
|
2008-07-25 07:25:36 +00:00
|
|
|
|
2019-05-04 16:00:29 -04:00
|
|
|
static cl_error_t cb_fail(void *cbdata, const char *suffix, size_t len, const struct regex_list *regex)
|
2008-07-25 07:25:36 +00:00
|
|
|
{
|
2020-04-18 10:46:57 -04:00
|
|
|
UNUSEDPARAM(cbdata);
|
|
|
|
|
UNUSEDPARAM(suffix);
|
|
|
|
|
UNUSEDPARAM(len);
|
|
|
|
|
UNUSEDPARAM(regex);
|
|
|
|
|
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_abort_msg("this pattern is not supposed to have a suffix");
|
2019-05-04 16:00:29 -04:00
|
|
|
return CL_EMEM;
|
2008-07-25 07:25:36 +00:00
|
|
|
}
|
|
|
|
|
|
2019-05-04 16:00:29 -04:00
|
|
|
static cl_error_t cb_expect_single(void *cbdata, const char *suffix, size_t len, const struct regex_list *regex)
|
2008-07-25 07:25:36 +00:00
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
const char *expected = cbdata;
|
2020-04-18 10:46:57 -04:00
|
|
|
|
|
|
|
|
UNUSEDPARAM(len);
|
|
|
|
|
UNUSEDPARAM(regex);
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
cb_called++;
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(suffix && strcmp(suffix, expected) == 0,
|
2020-04-18 10:46:57 -04:00
|
|
|
"suffix mismatch, was: %s, expected: %s\n", suffix, expected);
|
2019-05-04 16:00:29 -04:00
|
|
|
return CL_SUCCESS;
|
2008-07-25 07:25:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct regex_list regex;
|
2018-12-03 12:40:13 -05:00
|
|
|
START_TEST(empty)
|
2008-07-25 07:25:36 +00:00
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
const char pattern[] = "";
|
2020-04-18 10:46:57 -04:00
|
|
|
cl_error_t rc;
|
2018-12-03 12:40:13 -05:00
|
|
|
regex_t *preg;
|
|
|
|
|
|
|
|
|
|
errmsg_expected();
|
|
|
|
|
preg = malloc(sizeof(*regex.preg));
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!preg, "malloc");
|
2018-12-03 12:40:13 -05:00
|
|
|
rc = cli_regex2suffix(pattern, preg, cb_fail, NULL);
|
|
|
|
|
free(preg);
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(rc == REG_EMPTY, "empty pattern");
|
|
|
|
|
ck_assert_msg(cb_called == 0, "callback shouldn't be called");
|
2008-07-25 07:25:36 +00:00
|
|
|
}
|
|
|
|
|
END_TEST
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
START_TEST(one)
|
2008-07-25 07:25:36 +00:00
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
char pattern[] = "a";
|
2020-04-18 10:46:57 -04:00
|
|
|
cl_error_t rc;
|
2018-12-03 12:40:13 -05:00
|
|
|
regex_t *preg;
|
|
|
|
|
|
|
|
|
|
preg = malloc(sizeof(*regex.preg));
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!preg, "malloc");
|
2018-12-03 12:40:13 -05:00
|
|
|
rc = cli_regex2suffix(pattern, preg, cb_expect_single, pattern);
|
2020-04-18 10:46:57 -04:00
|
|
|
ck_assert_msg(rc == CL_SUCCESS, "single character pattern");
|
2018-12-03 12:40:13 -05:00
|
|
|
cli_regfree(preg);
|
|
|
|
|
free(preg);
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(cb_called == 1, "callback should be called once");
|
2008-07-25 07:25:36 +00:00
|
|
|
}
|
|
|
|
|
END_TEST
|
|
|
|
|
|
2008-07-29 10:59:21 +00:00
|
|
|
static const char *ex1[] =
|
2018-12-03 12:40:13 -05:00
|
|
|
{"com|de", "moc", "ed", NULL};
|
2008-07-29 10:59:21 +00:00
|
|
|
static const char *ex2[] =
|
2018-12-03 12:40:13 -05:00
|
|
|
{"xd|(a|e)bc", "dx", "cba", "cbe", NULL};
|
2008-07-25 07:25:36 +00:00
|
|
|
|
|
|
|
|
static const char **tests[] = {
|
2018-12-03 12:40:13 -05:00
|
|
|
ex1,
|
|
|
|
|
ex2};
|
2008-07-25 07:25:36 +00:00
|
|
|
|
2019-05-04 16:00:29 -04:00
|
|
|
static cl_error_t cb_expect_multi(void *cbdata, const char *suffix, size_t len, const struct regex_list *r)
|
2008-07-25 07:25:36 +00:00
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
const char **exp = cbdata;
|
2020-04-18 10:46:57 -04:00
|
|
|
|
|
|
|
|
UNUSEDPARAM(r);
|
|
|
|
|
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!exp, "expected data");
|
2018-12-03 12:40:13 -05:00
|
|
|
exp++;
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!*exp, "expected no suffix, got: %s\n", suffix);
|
2022-02-12 13:34:25 -08:00
|
|
|
ck_assert_msg(!!exp[cb_called], "expected less suffixes, but already got: %zu\n", cb_called);
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(strcmp(exp[cb_called], suffix) == 0,
|
2020-04-18 10:46:57 -04:00
|
|
|
"suffix mismatch, was: %s, expected: %s\n", suffix, exp[cb_called]);
|
2022-02-12 13:34:25 -08:00
|
|
|
ck_assert_msg(strlen(suffix) == len, "incorrect suffix len, expected: %zu, got: %zu\n", strlen(suffix), len);
|
2018-12-03 12:40:13 -05:00
|
|
|
cb_called++;
|
2019-05-04 16:00:29 -04:00
|
|
|
return CL_SUCCESS;
|
2008-07-25 07:25:36 +00:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
START_TEST(test_suffix)
|
2008-07-25 07:25:36 +00:00
|
|
|
{
|
2020-04-18 10:46:57 -04:00
|
|
|
cl_error_t rc;
|
2018-12-03 12:40:13 -05:00
|
|
|
regex_t *preg;
|
|
|
|
|
const char *pattern = tests[_i][0];
|
|
|
|
|
size_t n = 0;
|
|
|
|
|
const char **p = tests[_i];
|
|
|
|
|
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!pattern, "test pattern");
|
2018-12-03 12:40:13 -05:00
|
|
|
preg = malloc(sizeof(*regex.preg));
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!preg, "malloc");
|
2018-12-03 12:40:13 -05:00
|
|
|
rc = cli_regex2suffix(pattern, preg, cb_expect_multi, tests[_i]);
|
2020-04-18 10:46:57 -04:00
|
|
|
ck_assert_msg(rc == CL_SUCCESS, "single character pattern");
|
2018-12-03 12:40:13 -05:00
|
|
|
cli_regfree(preg);
|
|
|
|
|
free(preg);
|
|
|
|
|
p++;
|
|
|
|
|
while (*p++) n++;
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(cb_called == n,
|
2022-02-12 13:34:25 -08:00
|
|
|
"suffix number mismatch, expected: %zu, was: %zu\n", n, cb_called);
|
2008-07-25 07:25:36 +00:00
|
|
|
}
|
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
|
|
static void setup(void)
|
|
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
cb_called = 0;
|
2008-07-25 07:25:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void teardown(void)
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
2008-07-25 16:03:04 +00:00
|
|
|
static struct regex_matcher matcher;
|
|
|
|
|
|
|
|
|
|
static void rsetup(void)
|
|
|
|
|
{
|
2020-04-18 10:46:57 -04:00
|
|
|
cl_error_t rc;
|
2008-11-04 10:40:24 +00:00
|
|
|
#ifdef USE_MPOOL
|
2018-12-03 12:40:13 -05:00
|
|
|
matcher.mempool = mpool_create();
|
2008-11-03 19:26:57 +00:00
|
|
|
#endif
|
2018-12-03 12:40:13 -05:00
|
|
|
rc = init_regex_list(&matcher, 1);
|
2020-04-18 10:46:57 -04:00
|
|
|
ck_assert_msg(rc == CL_SUCCESS, "init_regex_list");
|
2008-07-25 16:03:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void rteardown(void)
|
|
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
regex_list_done(&matcher);
|
2008-11-04 10:40:24 +00:00
|
|
|
#ifdef USE_MPOOL
|
2018-12-03 12:40:13 -05:00
|
|
|
mpool_destroy(matcher.mempool);
|
2008-11-03 19:26:57 +00:00
|
|
|
#endif
|
2008-07-25 16:03:04 +00:00
|
|
|
}
|
|
|
|
|
|
2020-04-18 10:46:57 -04:00
|
|
|
typedef enum rtest_result {
|
|
|
|
|
RTR_PHISH,
|
2021-05-27 13:15:52 -07:00
|
|
|
RTR_ALLOWED,
|
2020-04-18 10:46:57 -04:00
|
|
|
RTR_CLEAN,
|
2021-05-27 13:15:52 -07:00
|
|
|
RTR_BLOCKED, // if 2nd db is loaded
|
2020-04-18 10:46:57 -04:00
|
|
|
RTR_INVALID_REGEX
|
|
|
|
|
} rtr_t;
|
|
|
|
|
|
2008-07-25 16:03:04 +00:00
|
|
|
static const struct rtest {
|
2021-05-27 13:15:52 -07:00
|
|
|
const char *pattern; /* NULL if not meant for allow list testing */
|
2018-12-03 12:40:13 -05:00
|
|
|
const char *realurl;
|
|
|
|
|
const char *displayurl;
|
2020-04-18 10:46:57 -04:00
|
|
|
rtr_t result;
|
2008-07-25 16:03:04 +00:00
|
|
|
} rtests[] = {
|
2020-04-18 10:46:57 -04:00
|
|
|
{NULL, "http://fake.example.com", "http://foo@key.com/", RTR_PHISH},
|
|
|
|
|
{NULL, "http://fake.example.com", "foo.example.com@key.com", RTR_PHISH},
|
|
|
|
|
{NULL, "http://fake.example.com", "foo@key.com", RTR_CLEAN},
|
|
|
|
|
{NULL, "http://fake.example.com", "=====key.com", RTR_PHISH},
|
|
|
|
|
{NULL, "http://key.com", "=====key.com", RTR_CLEAN},
|
|
|
|
|
{NULL, " http://key.com", "=====key.com", RTR_CLEAN},
|
|
|
|
|
{NULL, "http://key.com@fake.example.com", "key.com", RTR_PHISH},
|
|
|
|
|
{NULL, " http://key.com@fake.example.com", "key.com", RTR_PHISH},
|
|
|
|
|
{NULL, " http://key.com@fake.example.com ", "key.com", RTR_PHISH},
|
2018-12-03 12:40:13 -05:00
|
|
|
/* entry taken from .wdb with a / appended */
|
|
|
|
|
{".+\\.ebayrtm\\.com([/?].*)?:.+\\.ebay\\.(de|com|co\\.uk)([/?].*)?/",
|
|
|
|
|
"http://srx.main.ebayrtm.com",
|
|
|
|
|
"pages.ebay.de",
|
2021-05-27 13:15:52 -07:00
|
|
|
RTR_ALLOWED /* should be allowed */},
|
2018-12-03 12:40:13 -05:00
|
|
|
{".+\\.ebayrtm\\.com([/?].*)?:.+\\.ebay\\.(de|com|co\\.uk)([/?].*)?/",
|
|
|
|
|
"http://srx.main.ebayrtm.com.evil.example.com",
|
|
|
|
|
"pages.ebay.de",
|
2020-04-18 10:46:57 -04:00
|
|
|
RTR_PHISH},
|
2018-12-03 12:40:13 -05:00
|
|
|
{".+\\.ebayrtm\\.com([/?].*)?:.+\\.ebay\\.(de|com|co\\.uk)([/?].*)?/",
|
|
|
|
|
"www.www.ebayrtm.com?somecgi",
|
2021-05-27 13:15:52 -07:00
|
|
|
"www.ebay.com/something", RTR_ALLOWED},
|
2018-12-03 12:40:13 -05:00
|
|
|
{NULL,
|
2020-04-18 10:46:57 -04:00
|
|
|
"http://key.com", "go to key.com", RTR_CLEAN},
|
2018-12-03 12:40:13 -05:00
|
|
|
{":.+\\.paypal\\.(com|de|fr|it)([/?].*)?:.+\\.ebay\\.(at|be|ca|ch|co\\.uk|de|es|fr|ie|in|it|nl|ph|pl|com(\\.(au|cn|hk|my|sg))?)([/?].*)?/",
|
2022-05-16 21:29:25 -04:00
|
|
|
"http://www.paypal.com", "pics.ebay.com", RTR_INVALID_REGEX},
|
2020-04-18 10:46:57 -04:00
|
|
|
{NULL, "http://somefakeurl.example.com", "someotherdomain-key.com", RTR_CLEAN},
|
|
|
|
|
{NULL, "http://somefakeurl.example.com", "someotherdomain.key.com", RTR_PHISH},
|
2021-05-27 13:15:52 -07:00
|
|
|
{NULL, "http://malware-test.example.com/something", "test", RTR_BLOCKED},
|
|
|
|
|
{NULL, "http://phishing-test.example.com/something", "test", RTR_BLOCKED},
|
|
|
|
|
{NULL, "http://sub.malware-test.example.com/2", "test", RTR_BLOCKED},
|
|
|
|
|
{NULL, "http://sub.phishing-test.example.com/2", "test", RTR_BLOCKED},
|
|
|
|
|
{NULL, "http://user@malware-test.example.com/2", "test", RTR_BLOCKED},
|
|
|
|
|
{NULL, "http://user@phishing-test.example.com/2", "test", RTR_BLOCKED},
|
|
|
|
|
{NULL, "http://user@malware-test.example.com/2/test", "test", RTR_BLOCKED},
|
|
|
|
|
{NULL, "http://user@phishing-test.example.com/2/test", "test", RTR_BLOCKED},
|
|
|
|
|
{NULL, "http://user@malware-test.example.com/", "test", RTR_BLOCKED},
|
|
|
|
|
{NULL, "http://user@phishing-test.example.com/", "test", RTR_BLOCKED},
|
2020-04-18 10:46:57 -04:00
|
|
|
{NULL, "http://x.exe", "http:///x.exe", RTR_CLEAN},
|
2018-12-03 12:40:13 -05:00
|
|
|
{".+\\.ebayrtm\\.com([/?].*)?:[^.]+\\.ebay\\.(de|com|co\\.uk)/",
|
|
|
|
|
"http://srx.main.ebayrtm.com",
|
|
|
|
|
"pages.ebay.de",
|
2021-05-27 13:15:52 -07:00
|
|
|
RTR_ALLOWED /* should be allowed */},
|
2018-12-03 12:40:13 -05:00
|
|
|
{".+\\.ebayrtm\\.com([/?].*)?:.+[r-t]\\.ebay\\.(de|com|co\\.uk)/",
|
|
|
|
|
"http://srx.main.ebayrtm.com",
|
|
|
|
|
"pages.ebay.de",
|
2021-05-27 13:15:52 -07:00
|
|
|
RTR_ALLOWED /* should be allowed */},
|
2018-12-03 12:40:13 -05:00
|
|
|
{".+\\.ebayrtm\\.com([/?].*)?:.+[r-t]\\.ebay\\.(de|com|co\\.uk)/",
|
|
|
|
|
"http://srx.main.ebayrtm.com",
|
|
|
|
|
"pages.ebay.de",
|
2021-05-27 13:15:52 -07:00
|
|
|
RTR_ALLOWED /* should be allowed */},
|
2020-04-18 10:46:57 -04:00
|
|
|
{"[t-", "", "", RTR_INVALID_REGEX},
|
|
|
|
|
{NULL, "http://co.uk", "http:// co.uk", RTR_CLEAN},
|
|
|
|
|
{NULL, "http://co.uk", " ", RTR_CLEAN},
|
|
|
|
|
{NULL, "127.0.0.1", "pages.ebay.de", RTR_CLEAN},
|
2018-12-03 12:40:13 -05:00
|
|
|
{".+\\.ebayrtm\\.com([/?].*)?:.+\\.ebay\\.(de|com|co\\.uk)([/?].*)?/",
|
2020-04-18 10:46:57 -04:00
|
|
|
"http://pages.ebay.de@fake.example.com", "pages.ebay.de", RTR_PHISH},
|
|
|
|
|
{NULL, "http://key.com", "https://key.com", RTR_PHISH},
|
|
|
|
|
{NULL, "http://key.com%00fake.example.com", "https://key.com", RTR_PHISH},
|
|
|
|
|
{NULL, "http://key.com.example.com", "key.com.invalid", RTR_PHISH}};
|
2008-07-25 16:03:04 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
START_TEST(regex_list_match_test)
|
2008-07-25 16:03:04 +00:00
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
const char *info;
|
|
|
|
|
const struct rtest *rtest = &rtests[_i];
|
|
|
|
|
char *pattern, *realurl;
|
2020-04-18 10:46:57 -04:00
|
|
|
cl_error_t rc;
|
2018-12-03 12:40:13 -05:00
|
|
|
|
|
|
|
|
if (!rtest->pattern) {
|
2021-05-27 13:15:52 -07:00
|
|
|
ck_assert_msg(rtest->result != RTR_ALLOWED,
|
|
|
|
|
"Allow list test must have pattern set");
|
|
|
|
|
/* this test entry is not meant for allow_list testing */
|
2018-12-03 12:40:13 -05:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-27 13:15:52 -07:00
|
|
|
ck_assert_msg(rtest->result == RTR_PHISH || rtest->result == RTR_ALLOWED || rtest->result == RTR_INVALID_REGEX,
|
|
|
|
|
"Allow list test result must be either RTR_PHISH or RTR_ALLOWED or RTR_INVALID_REGEX");
|
2018-12-03 12:40:13 -05:00
|
|
|
pattern = cli_strdup(rtest->pattern);
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!pattern, "cli_strdup");
|
2018-12-03 12:40:13 -05:00
|
|
|
|
|
|
|
|
rc = regex_list_add_pattern(&matcher, pattern);
|
2020-04-18 10:46:57 -04:00
|
|
|
if (rtest->result == RTR_INVALID_REGEX) {
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(rc, "regex_list_add_pattern should return error");
|
2018-12-03 12:40:13 -05:00
|
|
|
free(pattern);
|
|
|
|
|
return;
|
|
|
|
|
} else
|
2020-04-18 10:46:57 -04:00
|
|
|
ck_assert_msg(rc == CL_SUCCESS, "regex_list_add_pattern");
|
2018-12-03 12:40:13 -05:00
|
|
|
free(pattern);
|
|
|
|
|
|
|
|
|
|
matcher.list_loaded = 1;
|
|
|
|
|
|
|
|
|
|
rc = cli_build_regex_list(&matcher);
|
2020-04-18 10:46:57 -04:00
|
|
|
ck_assert_msg(rc == CL_SUCCESS, "cli_build_regex_list");
|
2018-12-03 12:40:13 -05:00
|
|
|
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(is_regex_ok(&matcher), "is_regex_ok");
|
2018-12-03 12:40:13 -05:00
|
|
|
|
2020-07-24 08:32:47 -07:00
|
|
|
realurl = cli_strdup(rtest->realurl);
|
|
|
|
|
rc = regex_list_match(&matcher, realurl, rtest->displayurl, NULL, 1, &info, 1);
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(rc == rtest->result, "regex_list_match");
|
2018-12-03 12:40:13 -05:00
|
|
|
/* regex_list_match is not supposed to modify realurl in this case */
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!strcmp(realurl, rtest->realurl), "realurl altered");
|
2018-12-03 12:40:13 -05:00
|
|
|
free(realurl);
|
2008-07-25 16:03:04 +00:00
|
|
|
}
|
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
|
|
static struct cl_engine *engine;
|
2008-08-01 14:50:22 +00:00
|
|
|
static int loaded_2 = 0;
|
|
|
|
|
|
|
|
|
|
static void psetup_impl(int load2)
|
2008-07-25 16:03:04 +00:00
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
FILE *f;
|
2020-04-18 10:46:57 -04:00
|
|
|
cl_error_t rc;
|
2018-12-03 12:40:13 -05:00
|
|
|
unsigned signo = 0;
|
2009-03-06 09:09:06 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
engine = cl_engine_new();
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!engine, "cl_engine_new");
|
2008-07-25 16:03:04 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
phishing_init(engine);
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!engine->phishcheck, "phishing_init");
|
2008-07-25 16:03:04 +00:00
|
|
|
|
2021-05-27 13:15:52 -07:00
|
|
|
rc = init_domain_list(engine);
|
|
|
|
|
ck_assert_msg(rc == CL_SUCCESS, "init_domain_list");
|
2008-07-25 16:03:04 +00:00
|
|
|
|
2021-07-16 13:43:28 -07:00
|
|
|
f = fdopen(open_testfile("input" PATHSEP "other_sigs" PATHSEP "daily.pdb", O_RDONLY | O_BINARY), "r");
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!f, "fopen daily.pdb");
|
2008-07-25 16:03:04 +00:00
|
|
|
|
2021-05-27 13:15:52 -07:00
|
|
|
rc = load_regex_matcher(engine, engine->domain_list_matcher, f, &signo, 0, 0, NULL, 1);
|
2020-04-18 10:46:57 -04:00
|
|
|
ck_assert_msg(rc == CL_SUCCESS, "load_regex_matcher");
|
2018-12-03 12:40:13 -05:00
|
|
|
fclose(f);
|
2008-07-25 16:03:04 +00:00
|
|
|
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(signo == 201, "Incorrect number of signatures: %u, expected %u", signo, 201);
|
2009-03-06 09:09:06 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (load2) {
|
2021-07-16 13:43:28 -07:00
|
|
|
f = fdopen(open_testfile("input" PATHSEP "other_sigs" PATHSEP "daily.gdb", O_RDONLY | O_BINARY), "r");
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!f, "fopen daily.gdb");
|
2008-08-01 14:50:22 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
signo = 0;
|
2021-05-27 13:15:52 -07:00
|
|
|
rc = load_regex_matcher(engine, engine->domain_list_matcher, f, &signo, 0, 0, NULL, 1);
|
2020-04-18 10:46:57 -04:00
|
|
|
ck_assert_msg(rc == CL_SUCCESS, "load_regex_matcher");
|
2018-12-03 12:40:13 -05:00
|
|
|
fclose(f);
|
2009-03-06 09:09:06 +00:00
|
|
|
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(signo == 4, "Incorrect number of signatures: %u, expected %u", signo, 4);
|
2018-12-03 12:40:13 -05:00
|
|
|
}
|
|
|
|
|
loaded_2 = load2;
|
2008-08-01 14:50:22 +00:00
|
|
|
|
2021-05-27 13:15:52 -07:00
|
|
|
rc = init_allow_list(engine);
|
|
|
|
|
ck_assert_msg(rc == CL_SUCCESS, "init_allow_list");
|
2008-07-25 16:03:04 +00:00
|
|
|
|
2021-07-16 13:43:28 -07:00
|
|
|
f = fdopen(open_testfile("input" PATHSEP "other_sigs" PATHSEP "daily.wdb", O_RDONLY | O_BINARY), "r");
|
2018-12-03 12:40:13 -05:00
|
|
|
signo = 0;
|
2021-05-27 13:15:52 -07:00
|
|
|
rc = load_regex_matcher(engine, engine->allow_list_matcher, f, &signo, 0, 1, NULL, 1);
|
2020-04-18 10:46:57 -04:00
|
|
|
ck_assert_msg(rc == CL_SUCCESS, "load_regex_matcher");
|
2018-12-03 12:40:13 -05:00
|
|
|
fclose(f);
|
2008-07-25 16:03:04 +00:00
|
|
|
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(signo == 31, "Incorrect number of signatures: %u, expected %u", signo, 31);
|
2009-03-06 09:09:06 +00:00
|
|
|
|
2021-05-27 13:15:52 -07:00
|
|
|
rc = cli_build_regex_list(engine->allow_list_matcher);
|
2020-04-18 10:46:57 -04:00
|
|
|
ck_assert_msg(rc == CL_SUCCESS, "cli_build_regex_list");
|
2008-07-25 16:03:04 +00:00
|
|
|
|
2021-05-27 13:15:52 -07:00
|
|
|
rc = cli_build_regex_list(engine->domain_list_matcher);
|
2020-04-18 10:46:57 -04:00
|
|
|
ck_assert_msg(rc == CL_SUCCESS, "cli_build_regex_list");
|
2008-07-25 16:03:04 +00:00
|
|
|
|
2021-05-27 13:15:52 -07:00
|
|
|
ck_assert_msg(is_regex_ok(engine->allow_list_matcher), "is_regex_ok");
|
|
|
|
|
ck_assert_msg(is_regex_ok(engine->domain_list_matcher), "is_regex_ok");
|
2008-07-25 16:03:04 +00:00
|
|
|
}
|
|
|
|
|
|
2008-08-01 14:50:22 +00:00
|
|
|
static void psetup(void)
|
|
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
psetup_impl(0);
|
2008-08-01 14:50:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void psetup2(void)
|
|
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
psetup_impl(1);
|
2008-08-01 14:50:22 +00:00
|
|
|
}
|
|
|
|
|
|
2008-07-25 16:03:04 +00:00
|
|
|
static void pteardown(void)
|
|
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
if (engine) {
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
}
|
|
|
|
|
engine = NULL;
|
2008-07-25 16:03:04 +00:00
|
|
|
}
|
|
|
|
|
|
2008-07-29 15:37:23 +00:00
|
|
|
static void do_phishing_test(const struct rtest *rtest)
|
2008-07-25 16:03:04 +00:00
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
char *realurl;
|
|
|
|
|
cli_ctx ctx;
|
|
|
|
|
struct cl_scan_options options;
|
|
|
|
|
const char *virname = NULL;
|
|
|
|
|
tag_arguments_t hrefs;
|
2020-04-18 10:46:57 -04:00
|
|
|
cl_error_t rc;
|
2018-12-03 12:40:13 -05:00
|
|
|
|
|
|
|
|
memset(&ctx, 0, sizeof(ctx));
|
|
|
|
|
memset(&options, 0, sizeof(struct cl_scan_options));
|
|
|
|
|
ctx.options = &options;
|
|
|
|
|
|
|
|
|
|
realurl = cli_strdup(rtest->realurl);
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!realurl, "cli_strdup");
|
2018-12-03 12:40:13 -05:00
|
|
|
|
|
|
|
|
hrefs.count = 1;
|
|
|
|
|
hrefs.value = cli_malloc(sizeof(*hrefs.value));
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!hrefs.value, "cli_malloc");
|
2018-12-03 12:40:13 -05:00
|
|
|
hrefs.value[0] = (unsigned char *)realurl;
|
|
|
|
|
hrefs.contents = cli_malloc(sizeof(*hrefs.contents));
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!hrefs.contents, "cli_malloc");
|
2018-12-03 12:40:13 -05:00
|
|
|
hrefs.tag = cli_malloc(sizeof(*hrefs.tag));
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!hrefs.tag, "cli_malloc");
|
2018-12-03 12:40:13 -05:00
|
|
|
hrefs.tag[0] = (unsigned char *)cli_strdup("href");
|
|
|
|
|
hrefs.contents[0] = (unsigned char *)cli_strdup(rtest->displayurl);
|
|
|
|
|
|
2022-08-03 20:34:48 -07:00
|
|
|
ctx.engine = engine;
|
|
|
|
|
ctx.evidence = evidence_new();
|
2018-12-03 12:40:13 -05:00
|
|
|
|
|
|
|
|
rc = phishingScan(&ctx, &hrefs);
|
|
|
|
|
|
|
|
|
|
html_tag_arg_free(&hrefs);
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(rc == CL_CLEAN, "phishingScan");
|
2018-12-03 12:40:13 -05:00
|
|
|
switch (rtest->result) {
|
2020-04-18 10:46:57 -04:00
|
|
|
case RTR_PHISH:
|
2022-08-03 20:34:48 -07:00
|
|
|
ck_assert_msg(evidence_num_indicators_type(ctx.evidence, IndicatorType_PotentiallyUnwanted),
|
2020-04-18 10:46:57 -04:00
|
|
|
"this should be phishing, realURL: %s, displayURL: %s",
|
|
|
|
|
rtest->realurl, rtest->displayurl);
|
2018-12-03 12:40:13 -05:00
|
|
|
break;
|
2021-05-27 13:15:52 -07:00
|
|
|
case RTR_ALLOWED:
|
2022-08-03 20:34:48 -07:00
|
|
|
ck_assert_msg(!evidence_num_indicators_type(ctx.evidence, IndicatorType_PotentiallyUnwanted),
|
2021-05-27 13:15:52 -07:00
|
|
|
"this should be allowed, realURL: %s, displayURL: %s",
|
2020-04-18 10:46:57 -04:00
|
|
|
rtest->realurl, rtest->displayurl);
|
2018-12-03 12:40:13 -05:00
|
|
|
break;
|
2020-04-18 10:46:57 -04:00
|
|
|
case RTR_CLEAN:
|
2022-08-03 20:34:48 -07:00
|
|
|
ck_assert_msg(!evidence_num_indicators_type(ctx.evidence, IndicatorType_PotentiallyUnwanted),
|
2020-04-18 10:46:57 -04:00
|
|
|
"this should be clean, realURL: %s, displayURL: %s",
|
|
|
|
|
rtest->realurl, rtest->displayurl);
|
2018-12-03 12:40:13 -05:00
|
|
|
break;
|
2021-05-27 13:15:52 -07:00
|
|
|
case RTR_BLOCKED:
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!loaded_2)
|
2022-08-03 20:34:48 -07:00
|
|
|
ck_assert_msg(!evidence_num_indicators_type(ctx.evidence, IndicatorType_PotentiallyUnwanted),
|
2020-04-18 10:46:57 -04:00
|
|
|
"this should be clean, realURL: %s, displayURL: %s",
|
|
|
|
|
rtest->realurl, rtest->displayurl);
|
2018-12-03 12:40:13 -05:00
|
|
|
else {
|
2022-08-03 20:34:48 -07:00
|
|
|
const char *viruname = NULL;
|
|
|
|
|
|
|
|
|
|
ck_assert_msg(evidence_num_indicators_type(ctx.evidence, IndicatorType_PotentiallyUnwanted),
|
2021-05-27 13:15:52 -07:00
|
|
|
"this should be blocked, realURL: %s, displayURL: %s",
|
2020-04-18 10:46:57 -04:00
|
|
|
rtest->realurl, rtest->displayurl);
|
2022-08-03 20:34:48 -07:00
|
|
|
|
|
|
|
|
virname = cli_get_last_virus_str(&ctx);
|
|
|
|
|
if (NULL != virname) {
|
2020-07-15 08:39:32 -07:00
|
|
|
char *phishingFound = NULL;
|
|
|
|
|
char *detectionName = NULL;
|
|
|
|
|
if (strstr(rtest->realurl, "malware-test")) {
|
|
|
|
|
detectionName = "Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net";
|
|
|
|
|
|
|
|
|
|
} else if (strstr(rtest->realurl, "phishing-test")) {
|
|
|
|
|
detectionName = "Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net";
|
|
|
|
|
}
|
2021-05-27 13:15:52 -07:00
|
|
|
ck_assert_msg(detectionName != NULL, "\n\t Block list test case error - malware-test or phishing-test not found in: %s\n", rtest->realurl);
|
2022-08-03 20:34:48 -07:00
|
|
|
phishingFound = strstr((const char *)virname, detectionName);
|
|
|
|
|
ck_assert_msg(phishingFound != NULL, "\n\t should be: %s,\n\t but is: %s\n", detectionName, virname);
|
2020-04-18 10:46:57 -04:00
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
}
|
|
|
|
|
break;
|
2020-04-18 10:46:57 -04:00
|
|
|
case RTR_INVALID_REGEX:
|
|
|
|
|
/* don't worry about it, this was tested in regex_list_match_test() */
|
|
|
|
|
break;
|
2018-12-03 12:40:13 -05:00
|
|
|
}
|
2022-08-03 20:34:48 -07:00
|
|
|
|
|
|
|
|
evidence_free(ctx.evidence);
|
2008-07-29 15:37:23 +00:00
|
|
|
}
|
|
|
|
|
|
2012-10-18 14:12:58 -07:00
|
|
|
static void do_phishing_test_allscan(const struct rtest *rtest)
|
|
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
char *realurl;
|
|
|
|
|
cli_ctx ctx;
|
|
|
|
|
const char *virname = NULL;
|
|
|
|
|
tag_arguments_t hrefs;
|
2020-04-18 10:46:57 -04:00
|
|
|
cl_error_t rc;
|
2022-08-03 20:34:48 -07:00
|
|
|
cl_error_t verdict = CL_CLEAN;
|
2018-07-20 22:28:48 -04:00
|
|
|
struct cl_scan_options options;
|
2012-10-18 14:12:58 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
memset(&ctx, 0, sizeof(ctx));
|
2018-07-20 22:28:48 -04:00
|
|
|
memset(&options, 0, sizeof(struct cl_scan_options));
|
|
|
|
|
ctx.options = &options;
|
2012-10-18 14:12:58 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
realurl = cli_strdup(rtest->realurl);
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!realurl, "cli_strdup");
|
2018-12-03 12:40:13 -05:00
|
|
|
|
|
|
|
|
hrefs.count = 1;
|
|
|
|
|
hrefs.value = cli_malloc(sizeof(*hrefs.value));
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!hrefs.value, "cli_malloc");
|
2018-12-03 12:40:13 -05:00
|
|
|
hrefs.value[0] = (unsigned char *)realurl;
|
|
|
|
|
hrefs.contents = cli_malloc(sizeof(*hrefs.contents));
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!hrefs.contents, "cli_malloc");
|
2018-12-03 12:40:13 -05:00
|
|
|
hrefs.tag = cli_malloc(sizeof(*hrefs.tag));
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!hrefs.tag, "cli_malloc");
|
2018-12-03 12:40:13 -05:00
|
|
|
hrefs.tag[0] = (unsigned char *)cli_strdup("href");
|
|
|
|
|
hrefs.contents[0] = (unsigned char *)cli_strdup(rtest->displayurl);
|
|
|
|
|
|
2022-08-03 20:34:48 -07:00
|
|
|
ctx.engine = engine;
|
|
|
|
|
ctx.evidence = evidence_new();
|
2018-12-03 12:40:13 -05:00
|
|
|
|
|
|
|
|
rc = phishingScan(&ctx, &hrefs);
|
2022-08-03 20:34:48 -07:00
|
|
|
ck_assert_msg(rc == CL_SUCCESS || rc == CL_VIRUS, "phishingScan failed with error code: %s (%u)",
|
|
|
|
|
cl_strerror(rc),
|
|
|
|
|
rc);
|
|
|
|
|
|
|
|
|
|
// phishingScan() doesn't check the number of alerts. When using CL_SCAN_GENERAL_ALLMATCHES
|
|
|
|
|
// or if using `CL_SCAN_GENERAL_HEURISTIC_PRECEDENCE` and `cli_append_potentially_unwanted()`
|
|
|
|
|
// we need to count the number of alerts manually to determine the verdict.
|
|
|
|
|
if (0 < evidence_num_alerts(ctx.evidence)) {
|
|
|
|
|
verdict = CL_VIRUS;
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
|
2021-05-27 13:15:52 -07:00
|
|
|
if (rtest->result == RTR_PHISH || (loaded_2 != 0 && rtest->result == RTR_BLOCKED)) {
|
2022-08-03 20:34:48 -07:00
|
|
|
ck_assert_msg(verdict == CL_VIRUS, "phishingScan returned \"%s\", expected \"%s\". \n\trealURL: %s \n\tdisplayURL: %s",
|
|
|
|
|
cl_strerror(verdict),
|
2020-04-18 10:46:57 -04:00
|
|
|
cl_strerror(CL_VIRUS),
|
|
|
|
|
rtest->realurl, rtest->displayurl);
|
|
|
|
|
} else {
|
2022-08-03 20:34:48 -07:00
|
|
|
ck_assert_msg(verdict == CL_CLEAN, "phishingScan returned \"%s\", expected \"%s\". \n\trealURL: %s \n\tdisplayURL: %s",
|
|
|
|
|
cl_strerror(verdict),
|
2020-04-18 10:46:57 -04:00
|
|
|
cl_strerror(CL_CLEAN),
|
|
|
|
|
rtest->realurl, rtest->displayurl);
|
|
|
|
|
}
|
2022-08-03 20:34:48 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
switch (rtest->result) {
|
2020-04-18 10:46:57 -04:00
|
|
|
case RTR_PHISH:
|
2022-08-03 20:34:48 -07:00
|
|
|
ck_assert_msg(evidence_num_alerts(ctx.evidence),
|
2020-04-18 10:46:57 -04:00
|
|
|
"this should be phishing, realURL: %s, displayURL: %s",
|
|
|
|
|
rtest->realurl, rtest->displayurl);
|
2018-12-03 12:40:13 -05:00
|
|
|
break;
|
2021-05-27 13:15:52 -07:00
|
|
|
case RTR_ALLOWED:
|
2022-08-03 20:34:48 -07:00
|
|
|
ck_assert_msg(!evidence_num_alerts(ctx.evidence),
|
2021-05-27 13:15:52 -07:00
|
|
|
"this should be allowed, realURL: %s, displayURL: %s",
|
2020-04-18 10:46:57 -04:00
|
|
|
rtest->realurl, rtest->displayurl);
|
2018-12-03 12:40:13 -05:00
|
|
|
break;
|
2020-04-18 10:46:57 -04:00
|
|
|
case RTR_CLEAN:
|
2022-08-03 20:34:48 -07:00
|
|
|
ck_assert_msg(!evidence_num_alerts(ctx.evidence),
|
2020-04-18 10:46:57 -04:00
|
|
|
"this should be clean, realURL: %s, displayURL: %s",
|
|
|
|
|
rtest->realurl, rtest->displayurl);
|
2018-12-03 12:40:13 -05:00
|
|
|
break;
|
2021-05-27 13:15:52 -07:00
|
|
|
case RTR_BLOCKED:
|
2022-08-03 20:34:48 -07:00
|
|
|
if (!loaded_2) {
|
|
|
|
|
ck_assert_msg(!evidence_num_alerts(ctx.evidence),
|
2020-04-18 10:46:57 -04:00
|
|
|
"this should be clean, realURL: %s, displayURL: %s",
|
|
|
|
|
rtest->realurl, rtest->displayurl);
|
2022-08-03 20:34:48 -07:00
|
|
|
} else {
|
|
|
|
|
const char *viruname = NULL;
|
|
|
|
|
|
|
|
|
|
ck_assert_msg(evidence_num_alerts(ctx.evidence),
|
2021-05-27 13:15:52 -07:00
|
|
|
"this should be blocked, realURL: %s, displayURL: %s",
|
2020-04-18 10:46:57 -04:00
|
|
|
rtest->realurl, rtest->displayurl);
|
2022-08-03 20:34:48 -07:00
|
|
|
|
|
|
|
|
virname = cli_get_last_virus_str(&ctx);
|
|
|
|
|
if (NULL != virname) {
|
2020-07-15 08:39:32 -07:00
|
|
|
char *phishingFound = NULL;
|
|
|
|
|
char *detectionName = NULL;
|
|
|
|
|
if (strstr(rtest->realurl, "malware-test")) {
|
|
|
|
|
detectionName = "Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net";
|
|
|
|
|
|
|
|
|
|
} else if (strstr(rtest->realurl, "phishing-test")) {
|
|
|
|
|
detectionName = "Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net";
|
|
|
|
|
}
|
2021-05-27 13:15:52 -07:00
|
|
|
ck_assert_msg(detectionName != NULL, "\n\t Block list test case error - malware-test or phishing-test not found in: %s\n", rtest->realurl);
|
2022-08-03 20:34:48 -07:00
|
|
|
phishingFound = strstr(virname, detectionName);
|
|
|
|
|
ck_assert_msg(phishingFound != NULL, "\n\t should be: %s,\n\t but is: %s\n", detectionName, virname);
|
2020-04-18 10:46:57 -04:00
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
}
|
|
|
|
|
break;
|
2020-04-18 10:46:57 -04:00
|
|
|
case RTR_INVALID_REGEX:
|
|
|
|
|
/* don't worry about it, this was tested in regex_list_match_test() */
|
|
|
|
|
break;
|
2018-12-03 12:40:13 -05:00
|
|
|
}
|
2022-08-03 20:34:48 -07:00
|
|
|
|
|
|
|
|
html_tag_arg_free(&hrefs);
|
|
|
|
|
|
|
|
|
|
evidence_free(ctx.evidence);
|
2012-10-18 14:12:58 -07:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
START_TEST(phishingScan_test)
|
2008-07-29 15:37:23 +00:00
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
do_phishing_test(&rtests[_i]);
|
2008-07-25 16:03:04 +00:00
|
|
|
}
|
|
|
|
|
END_TEST
|
2012-10-18 14:12:58 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
START_TEST(phishingScan_test_allscan)
|
2012-10-18 14:12:58 -07:00
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
do_phishing_test_allscan(&rtests[_i]);
|
2012-10-18 14:12:58 -07:00
|
|
|
}
|
|
|
|
|
END_TEST
|
2008-07-25 16:03:04 +00:00
|
|
|
|
2009-02-18 14:54:16 +00:00
|
|
|
static struct uc {
|
|
|
|
|
const char *in;
|
|
|
|
|
const char *host;
|
|
|
|
|
const char *path;
|
|
|
|
|
} uc[] = {
|
|
|
|
|
{":example/%25%32%35", "example/", "%25"},
|
|
|
|
|
{":example/%25%32%35%25%32%35", "example/", "%25%25"},
|
|
|
|
|
{":example/abc%25%32%35asd", "example/", "abc%25asd"},
|
2018-12-03 12:40:13 -05:00
|
|
|
{":www.example.com/", "www.example.com/", ""},
|
|
|
|
|
{":%31%32%37%2e%30%2e%30%2e%31/%2E%73%65%63%75%72%65/%77%77%77%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d/",
|
|
|
|
|
"127.0.0.1/", ".secure/www.example.com/"},
|
2009-02-18 14:54:16 +00:00
|
|
|
{":127.0.0.1/uploads/%20%20%20%20/.verify/.blah=abcd-ef=gh/",
|
2018-12-03 12:40:13 -05:00
|
|
|
"127.0.0.1/", "uploads/%20%20%20%20/.verify/.blah=abcd-ef=gh/"},
|
2009-02-18 14:54:16 +00:00
|
|
|
{"http://example%23.com/%61%40%62%252B",
|
2018-12-03 12:40:13 -05:00
|
|
|
"example%23.com/", "a@b+"},
|
|
|
|
|
{"http://example.com/blah/..", "example.com/", ""},
|
|
|
|
|
{"http://example.com/blah/../x", "example.com/", "x"},
|
|
|
|
|
{"http://example.com/./a", "example.com/", "a"}};
|
2009-02-18 14:54:16 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
START_TEST(test_url_canon)
|
2009-02-18 14:54:16 +00:00
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
char urlbuff[1024 + 3];
|
|
|
|
|
char *host = NULL;
|
2009-02-19 08:50:04 +00:00
|
|
|
const char *path = NULL;
|
2009-02-18 14:54:16 +00:00
|
|
|
size_t host_len, path_len;
|
|
|
|
|
struct uc *u = &uc[_i];
|
|
|
|
|
|
|
|
|
|
cli_url_canon(u->in, strlen(u->in), urlbuff, sizeof(urlbuff), &host, &host_len, &path, &path_len);
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!host && !!path, "null results\n");
|
|
|
|
|
ck_assert_msg(!strcmp(u->host, host), "host incorrect: %s\n", host);
|
|
|
|
|
ck_assert_msg(!strcmp(u->path, path), "path incorrect: %s\n", path);
|
2009-02-18 14:54:16 +00:00
|
|
|
}
|
|
|
|
|
END_TEST
|
2009-05-15 11:53:22 +00:00
|
|
|
|
|
|
|
|
static struct regex_test {
|
|
|
|
|
const char *regex;
|
|
|
|
|
const char *text;
|
|
|
|
|
int match;
|
|
|
|
|
} rg[] = {
|
|
|
|
|
{"\\.exe$", "test.exe", 1},
|
|
|
|
|
{"\\.exe$", "test.eXe", 0},
|
|
|
|
|
{"(?i)\\.exe$", "test.exe", 1},
|
2018-12-03 12:40:13 -05:00
|
|
|
{"(?i)\\.exe$", "test.eXe", 1}};
|
2009-05-15 11:53:22 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
START_TEST(test_regexes)
|
2009-05-15 11:53:22 +00:00
|
|
|
{
|
|
|
|
|
regex_t reg;
|
|
|
|
|
struct regex_test *tst = &rg[_i];
|
|
|
|
|
int match;
|
|
|
|
|
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(cli_regcomp(®, tst->regex, REG_EXTENDED | REG_NOSUB) == 0, "cli_regcomp");
|
2009-05-15 11:53:22 +00:00
|
|
|
match = (cli_regexec(®, tst->text, 0, NULL, 0) == REG_NOMATCH) ? 0 : 1;
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(match == tst->match, "cli_regexec failed for %s and %s\n", tst->regex, tst->text);
|
2009-05-15 11:53:22 +00:00
|
|
|
cli_regfree(®);
|
|
|
|
|
}
|
|
|
|
|
END_TEST
|
2009-02-18 14:54:16 +00:00
|
|
|
|
2008-07-29 15:37:23 +00:00
|
|
|
START_TEST(phishing_fake_test)
|
|
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
char buf[4096];
|
2021-07-16 13:43:28 -07:00
|
|
|
FILE *f = fdopen(open_testfile("input" PATHSEP "other_sigs" PATHSEP "daily.pdb", O_RDONLY | O_BINARY), "r");
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!f, "fopen daily.pdb");
|
2018-12-03 12:40:13 -05:00
|
|
|
while (fgets(buf, sizeof(buf), f)) {
|
|
|
|
|
struct rtest rtest;
|
|
|
|
|
const char *pdb = strchr(buf, ':');
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!pdb, "missing : in pdb");
|
2018-12-03 12:40:13 -05:00
|
|
|
rtest.realurl = pdb;
|
|
|
|
|
rtest.displayurl = pdb;
|
2020-04-18 10:46:57 -04:00
|
|
|
rtest.result = RTR_CLEAN;
|
2018-12-03 12:40:13 -05:00
|
|
|
do_phishing_test(&rtest);
|
|
|
|
|
rtest.realurl = "http://fake.example.com";
|
|
|
|
|
rtest.result = 0;
|
|
|
|
|
do_phishing_test(&rtest);
|
|
|
|
|
}
|
|
|
|
|
fclose(f);
|
2008-07-29 15:37:23 +00:00
|
|
|
}
|
|
|
|
|
END_TEST
|
|
|
|
|
|
2012-10-18 14:12:58 -07:00
|
|
|
START_TEST(phishing_fake_test_allscan)
|
|
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
char buf[4096];
|
2021-07-16 13:43:28 -07:00
|
|
|
FILE *f = fdopen(open_testfile("input" PATHSEP "other_sigs" PATHSEP "daily.pdb", O_RDONLY | O_BINARY), "r");
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!f, "fopen daily.pdb");
|
2018-12-03 12:40:13 -05:00
|
|
|
while (fgets(buf, sizeof(buf), f)) {
|
|
|
|
|
struct rtest rtest;
|
|
|
|
|
const char *pdb = strchr(buf, ':');
|
2020-01-15 08:14:23 -08:00
|
|
|
ck_assert_msg(!!pdb, "missing : in pdb");
|
2018-12-03 12:40:13 -05:00
|
|
|
rtest.realurl = pdb;
|
|
|
|
|
rtest.displayurl = pdb;
|
2020-04-18 10:46:57 -04:00
|
|
|
rtest.result = RTR_CLEAN;
|
2018-12-03 12:40:13 -05:00
|
|
|
do_phishing_test_allscan(&rtest);
|
|
|
|
|
rtest.realurl = "http://fake.example.com";
|
|
|
|
|
rtest.result = 0;
|
|
|
|
|
do_phishing_test_allscan(&rtest);
|
|
|
|
|
}
|
|
|
|
|
fclose(f);
|
2012-10-18 14:12:58 -07:00
|
|
|
}
|
|
|
|
|
END_TEST
|
|
|
|
|
|
2008-07-25 07:25:36 +00:00
|
|
|
Suite *test_regex_suite(void)
|
|
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
Suite *s = suite_create("regex");
|
|
|
|
|
TCase *tc_api, *tc_matching, *tc_phish, *tc_phish2, *tc_regex;
|
|
|
|
|
|
|
|
|
|
tc_api = tcase_create("cli_regex2suffix");
|
|
|
|
|
suite_add_tcase(s, tc_api);
|
|
|
|
|
tcase_add_checked_fixture(tc_api, setup, teardown);
|
|
|
|
|
tcase_add_test(tc_api, empty);
|
|
|
|
|
tcase_add_test(tc_api, one);
|
2020-01-15 08:14:23 -08:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
tcase_add_loop_test(tc_api, test_suffix, 0, sizeof(tests) / sizeof(tests[0]));
|
2020-01-15 08:14:23 -08:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
tc_matching = tcase_create("regex_list");
|
|
|
|
|
suite_add_tcase(s, tc_matching);
|
|
|
|
|
tcase_add_checked_fixture(tc_matching, rsetup, rteardown);
|
2020-01-15 08:14:23 -08:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
tcase_add_loop_test(tc_matching, regex_list_match_test, 0, sizeof(rtests) / sizeof(rtests[0]));
|
2020-01-15 08:14:23 -08:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
tc_phish = tcase_create("phishingScan");
|
|
|
|
|
suite_add_tcase(s, tc_phish);
|
|
|
|
|
tcase_add_unchecked_fixture(tc_phish, psetup, pteardown);
|
2020-01-15 08:14:23 -08:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
tcase_add_loop_test(tc_phish, phishingScan_test, 0, sizeof(rtests) / sizeof(rtests[0]));
|
|
|
|
|
tcase_add_loop_test(tc_phish, phishingScan_test_allscan, 0, sizeof(rtests) / sizeof(rtests[0]));
|
2020-01-15 08:14:23 -08:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
tcase_add_test(tc_phish, phishing_fake_test);
|
|
|
|
|
tcase_add_test(tc_phish, phishing_fake_test_allscan);
|
2008-07-25 16:03:04 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
tc_phish2 = tcase_create("phishingScan with 2 dbs");
|
|
|
|
|
suite_add_tcase(s, tc_phish2);
|
|
|
|
|
tcase_add_unchecked_fixture(tc_phish2, psetup2, pteardown);
|
2020-01-15 08:14:23 -08:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
tcase_add_loop_test(tc_phish2, phishingScan_test, 0, sizeof(rtests) / sizeof(rtests[0]));
|
|
|
|
|
tcase_add_loop_test(tc_phish2, phishingScan_test_allscan, 0, sizeof(rtests) / sizeof(rtests[0]));
|
2020-01-15 08:14:23 -08:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
tcase_add_test(tc_phish2, phishing_fake_test);
|
|
|
|
|
tcase_add_test(tc_phish2, phishing_fake_test_allscan);
|
2020-01-15 08:14:23 -08:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
tcase_add_loop_test(tc_phish, test_url_canon, 0, sizeof(uc) / sizeof(uc[0]));
|
2020-01-15 08:14:23 -08:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
tc_regex = tcase_create("cli_regcomp/execute");
|
|
|
|
|
suite_add_tcase(s, tc_regex);
|
2020-01-15 08:14:23 -08:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
tcase_add_loop_test(tc_regex, test_regexes, 0, sizeof(rg) / sizeof(rg[0]));
|
2020-01-15 08:14:23 -08:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
return s;
|
2008-07-25 07:25:36 +00:00
|
|
|
}
|