Fix false-positives in http_parser.rb-0.8.0/ext/ruby_http_parser/vend…

…or/http-parser/test.c (#720) * improve http false positives * refresh testdata * Add test
chainguard-dev · Dec 18, 2024 · 892d94a · 892d94a
1 parent d21305b
commit 892d94a
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 7 deletions.
diff --git a/rules/evasion/net/http_443.yara b/rules/evasion/net/http_443.yara
@@ -3,11 +3,14 @@ rule http_port_443: high {
     description = "hardcoded HTTP site on port 443 (HTTPS)"
 
   strings:
-    $http_443      = /http:\/\/[\w\.]{0,32}:443[\/\w\-\?\.]{0,32}/
-    $not_test      = "assertEqual"
-    $not_example   = "http://example.com:443"
-    $not_localhost = "http://localhost:443"
-    $not_foo       = "http://foo.com:443/"
+    $http_443       = /http:\/\/[\w\.]{0,32}:443[\/\w\-\?\.]{0,32}/
+    $not_test       = "assertEqual"
+    $not_example    = "http://example.com:443"
+    $not_localhost  = "http://localhost:443"
+    $not_foo        = "http://foo.com:443/"
+    $not_empty      = "http://:443/"
+    $not_slash_test = "/test" fullword
+    $not_unit_test  = "unit test"
 
   condition:
     $http_443 and none of ($not*)

diff --git a/rules/net/http/content-length.yara b/rules/net/http/content-length.yara
@@ -14,8 +14,12 @@ rule content_length_hardcoded: high {
     description = "Sets HTTP content length to hard-coded value"
 
   strings:
-    $ref = /Content-Length: \d{2,13}/ fullword
+    $ref              = /Content-Length: \d{2,13}/ fullword
+    $not_test_parse   = "test_parse"
+    $not_slash_test   = "/test" fullword
+    $not_test_message = "test_message"
+    $not_unit_test    = "unit test"
 
   condition:
-    $ref
+    $ref and none of ($not*)
 }
diff --git a/rules/net/ip/host_port.yara b/rules/net/ip/host_port.yara
@@ -75,6 +75,11 @@ rule hardcoded_host_port_over_10k: high {
     $not_example_com          = "example.com:"
     $not_mygateway            = "mygateway.com:"
     $not_mymachine            = "mymachine.com:"
+    $not_ruby_http            = "http://hypnotoad.org:1234?hail=all"
+    $not_test_parse           = "test_parse"
+    $not_slash_test           = "/test" fullword
+    $not_test_message         = "test_message"
+    $not_unit_test            = "unit test"
 
   condition:
     any of ($h*) and none of ($not*)

diff --git a/tests/c/clean/ruby_http_parser/test.c.simple b/tests/c/clean/ruby_http_parser/test.c.simple
@@ -0,0 +1,23 @@
+# c/clean/ruby_http_parser/test.c: medium
+c2/tool_transfer/os: low
+crypto/openssl: medium
+data/compression/gzip: low
+data/compression/zlib: low
+data/embedded/base64_url: medium
+data/embedded/pem_certificate: low
+data/random/insecure: low
+impact/remote_access/agent: medium
+net/download/fetch: medium
+net/http/accept_encoding: low
+net/http/content_length: medium
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/request: low
+net/http/websocket: medium
+net/ip/host_port: medium
+net/socket/send: low
+net/udp/kcp: medium
+net/udp/upnp: medium
+net/url/embedded: low
+net/url/encode: medium