From 00ecba3ec1ce785430d6a6962fd7263f22c4e4c8 Mon Sep 17 00:00:00 2001
From: Yann Pellegrin
Date: Tue, 18 Feb 2025 09:00:14 +0100
Subject: [PATCH] fix: remove references to regexp.original, add test
---
 sigma/modifiers.py | 6 +++---
 sigma/types.py | 11 ++++++-----
 tests/test_conversion_base.py | 26 ++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/sigma/modifiers.py b/sigma/modifiers.py
index 8488095..38e05d3 100644
--- a/sigma/modifiers.py
+++ b/sigma/modifiers.py
@@ -128,7 +128,7 @@ def modify(
 if not val.endswith(SpecialChars.WILDCARD_MULTI):
 val += SpecialChars.WILDCARD_MULTI
 elif isinstance(val, SigmaRegularExpression):
- regexp_str = val.regexp.convert()
+ regexp_str = str(val.regexp)
 if regexp_str[:2] != ".*" and regexp_str[0] != "^":
 val.regexp = SigmaString(".") + SpecialChars.WILDCARD_MULTI + val.regexp
 if regexp_str[-2:] != ".*" and regexp_str[-1] != "$":
@@ -150,7 +150,7 @@ def modify(
 if not val.endswith(SpecialChars.WILDCARD_MULTI):
 val += SpecialChars.WILDCARD_MULTI
 elif isinstance(val, SigmaRegularExpression):
- regexp_str = val.regexp.convert()
+ regexp_str = str(val.regexp)
 if regexp_str[-2:] != ".*" and regexp_str[-1] != "$":
 val.regexp += SigmaString(".") + SpecialChars.WILDCARD_MULTI
 val.compile()
@@ -169,7 +169,7 @@ def modify(
 if not val.startswith(SpecialChars.WILDCARD_MULTI):
 val = SpecialChars.WILDCARD_MULTI + val
 elif isinstance(val, SigmaRegularExpression):
- regexp_str = val.regexp.convert()
+ regexp_str = str(val.regexp)
 if regexp_str[:2] != ".*" and regexp_str[0] != "^":
 val.regexp = SigmaString(".") + SpecialChars.WILDCARD_MULTI + val.regexp
 val.compile()
diff --git a/sigma/types.py b/sigma/types.py
index 97da9b8..8a5f0f2 100644
--- a/sigma/types.py
+++ b/sigma/types.py
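Review bot: In sigma/modifiers.py, the first `modify()` hunk (line 128) indexes `regexp_str[0]` and `regexp_str[-1]` without checking that the string is non-empty, so if an empty pattern can reach this branch it raises a bare `IndexError` rather than a Sigma error; the hunks at lines 150 and 169 repeat the same pattern. Tuple forms of `startswith`/`endswith` give the same result for non-empty input and avoid the indexing: `if not regexp_str.startswith((".*", "^")):` and `if not regexp_str.endswith((".*", "$")):`. Separately, a pattern that ends in an escaped `\$` is taken for an anchored one and gets no trailing `.*`, which may make the rule match less than intended on backends that match the whole value; a short comment recording that limitation would help. Each `modify()` body starts and ends outside its hunk.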
@@ -734,10 +734,10 @@ def compile(self):
 flags = 0
 for flag in self.flags:
 flags |= self.sigma_to_python_flags[flag]
- re.compile(self.regexp.original, flags)
+ re.compile(self.escape(), flags)
 except re.error as e:
 raise SigmaRegularExpressionError(
- f"Regular expression '{self.regexp.original}' is invalid: {str(e)}"
+ f"Regular expression '{self.escape()}' is invalid: {str(e)}"
 ) from e

 def escape(
@@ -757,9 +757,10 @@ def escape(
 if e is not None
 ]
 )
+ regexp_str = str(self.regexp)
 pos = (
 [ # determine positions of matches in regular expression
- m.start() for m in re.finditer(r, self.regexp.original)
+ m.start() for m in re.finditer(r, regexp_str)
 ]
 if r != ""
 else []
@@ -774,7 +775,7 @@ def escape(
 else:
 prefix = ""

- return prefix + escape_char.join([self.regexp.original[i:j] for i, j in ranges])
+ return prefix + escape_char.join([regexp_str[i:j] for i, j in ranges])

 def contains_placeholder(
 self, include: Optional[List[str]] = None, exclude: Optional[List[str]] = None
@@ -796,7 +797,7 @@ def replace_placeholders(
 Replace all occurrences of string part matching regular expression with placeholder.
 """
 return [
- SigmaRegularExpression(regexp=sigmastr.convert(), flags=self.flags)
+ SigmaRegularExpression(regexp=str(sigmastr), flags=self.flags)
 for sigmastr in self.regexp.replace_placeholders(callback)
 ]

diff --git a/tests/test_conversion_base.py b/tests/test_conversion_base.py
index 2a57a61..f4583b8 100644
--- a/tests/test_conversion_base.py
+++ b/tests/test_conversion_base.py
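Review bot: In sigma/types.py `compile()`, the string handed to `re.compile` is now the output of `self.escape()` rather than the rule's own pattern text. The later hunks show `escape()` joining the pattern's chunks with `escape_char` and adding a `prefix`, so, depending on its default arguments (declared outside these hunks), the validated string may differ from the pattern the rule author wrote: an invalid pattern could pass the check, and the error message could quote text that appears nowhere in the rule. Validating the unmodified text would match what modifiers.py now does, `re.compile(str(self.regexp), flags)`, with `'{str(self.regexp)}'` in the message. The `try:` that opens this block is above the hunk.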
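Review bot: `replace_placeholders()` in sigma/types.py builds each result with `regexp=str(sigmastr)`, so whatever the callback substituted for a placeholder is read back as regular-expression syntax rather than as a literal; the new test depends on that, since `pat.*tern` from the value list stays a pattern. The docstring only says that placeholders are replaced, so I would add a sentence such as `Replacement values are inserted verbatim and interpreted as regular expression syntax; escape values that must match literally.` Without it, a value list of hostnames or paths gets `.` and `+` treated as metacharacters, which silently widens or narrows the detection. The docstring begins above the hunk.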
@@ -1343,6 +1343,32 @@ def test_convert_value_regex_value_list():
 )


+def test_convert_value_regex_value_list_endswith():
+ pipeline = ProcessingPipeline(
+ [ProcessingItem(ValueListPlaceholderTransformation(["test"]))],
+ vars={"test": ["pat.*tern/foobar", "pat.*te\\rn/foobar"]},
+ )
+ backend = TextQueryTestBackend(pipeline)
+ assert (
+ backend.convert(
+ SigmaCollection.from_yaml(
+ """
+ title: Test
+ status: test
+ logsource:
+ category: test_category
+ product: test_product
+ detection:
+ sel:
+ field|re|expand|endswith: "%test%"
+ condition: sel
+ """
+ )
+ )
+ == ["field=/.*pat.*tern\\/foo\\bar/ or field=/.*pat.*te\\\\rn\\/foo\\bar/"]
+ )
+
+
 def test_convert_value_cidr_wildcard_native_ipv4(test_backend):
 assert (
 test_backend.convert(
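Review bot: The new test in tests/test_conversion_base.py covers only `endswith` combined with `expand`, while the same `str(val.regexp)` replacement was made in the two other `modify()` branches of sigma/modifiers.py; I would add the matching cases for `field|re|expand|contains` and `field|re|expand|startswith`. A case whose expanded value makes the pattern invalid (for example an unbalanced `(`) would also show whether `SigmaRegularExpressionError` is still raised now that `regexp.original` is gone. A one-line comment above the expected string saying why `foobar` comes out as `foo\\bar` (presumably the test backend's escaping rules) would make the assertion easier to read.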