-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
os_regex: refuse to compile empty PCRE2 pattern. #1826
os_regex: refuse to compile empty PCRE2 pattern. #1826
Conversation
The `OSPcre2_Compile` function should refuse to compile empty patterns and instead return an error. This avoids an off-by-one error that can occur later in the function when an assumption is made that the pattern is always >= 1 characters long. A distinct error code `OS_REGEX_PATTERN_EMPTY` (10) is added to `os_regex/os_regex.h` to be returned by `OSPcre2_Compile` for empty patterns similar to the `OS_REGEX_PATTERN_NULL` error.
The `os_regex` PCRE2 code has been updated to return an error when asked to compile an empty pattern. As a result the empty `<program_name_pcre2>` element in the example `decoder.xml` config for the `"pam"` decoder needs to be removed or it will prompt an error from `ossec-analysisd` when it tries to compile the PCRE2 pattern.
Based on the CI failure I think the change to the Was the empty Please advise. Thanks! |
I just played with the pam decoder a bit to try and figure out what's going on. It's been a long day though, so this may be totally stupid. I also haven't spent much time inside of analysisd, and did not test with the submitted changes. Finally, if I just write program_name, assume I mean program_name_pcre2. It looks like the 2 "pam" decoders end up being an OR. If the program_name is Removing the empty program_name from the second decoder causes a failure (like the one in CI). I assume this is because analysisd doesn't start looking for the pam string after program_name, but at the beginning of the log message. This seems odd to me, but it's what we have.
Using a program_name_pcre2 of
Based on a quick grep, this is the only instance of an empty program_name_pcre2. I think it would be safe to modify the decoder to use |
I appreciate you digging in @ddpbsd. Thanks!
That makes sense 👍
I don't have access to my test environment at the moment to run the unit tests but I've pushed a commit (6b5995d) to this branch adding a |
CI is satisfied 🎉 If you folks are happy with this fix/line of reasoning I think the branch is ready to go. |
Thanks! I've pinged @atomicturtle to look it over and make sure I'm not totally off base with everything. But I think it'll be fine to merge. |
Yeah theres no issue here, we havent started merging over to the pcre2 regexes and this does nothing less than enforce better discipline when we start that project up in earnest. And props to your awesome username, how in the world did you get that?? Let us know if you want an invite to our slack: slack@ossec.net |
😆 Thanks :-) Right place at the right time. |
The
OSPcre2_Compile
function should refuse to compile empty patterns and instead return an error. This avoids an off-by-one error that can occur later in the function when an assumption is made that the pattern is always >= 1 characters long.A distinct error code
OS_REGEX_PATTERN_EMPTY
(10) is added toos_regex/os_regex.h
to be returned byOSPcre2_Compile
for empty patterns similar to theOS_REGEX_PATTERN_NULL
error.Since the
os_regex
PCRE2 code is updated to return an error when asked to compile an empty pattern the empty<program_name_pcre2>
element in the exampledecoder.xml
config forthe
"pam"
decoder also needs to be updated or it will prompt an error fromossec-analysisd
when it tries to compile the PCRE2 pattern. Using.*
as the program name PCRE2 regex has (what I think is) the intended effect of the two PAM decoders.Resolves #1811