1 //--------------------------------------------------------------------------
2 // Copyright (C) 2016-2021 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation.  You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
17 //--------------------------------------------------------------------------
18 // http_js_norm.h author Tom Peters <thopeter@cisco.com>
19 
20 #ifndef HTTP_JS_NORM_H
21 #define HTTP_JS_NORM_H
22 
23 #include <cstring>
24 
25 #include "search_engines/search_tool.h"
26 
27 #include "http_field.h"
28 #include "http_flow_data.h"
29 #include "http_event.h"
30 #include "http_module.h"
31 
32 //-------------------------------------------------------------------------
33 // HttpJsNorm class
34 //-------------------------------------------------------------------------
35 
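/// JavaScript normalization interface of the HTTP inspector.
///
/// Only declarations are visible in this header: the constructor, destructor, configure() and
/// the do_*() entry points are defined elsewhere. Notes on ownership and lifetime below are
/// therefore limited to what the member types show.
class HttpJsNorm
{
public:
    /// @param normalization_depth   stored in the member of the same name
    /// @param identifier_depth      stored in the member of the same name
    /// @param max_template_nesting  stored in the member of the same name
    /// @param max_bracket_depth     stored in the member of the same name
    /// @param max_scope_depth       stored in the member of the same name
    /// @param ignored_ids           kept by reference (see the ignored_ids member)
    ///
    /// The unnamed UriParam argument and ignored_ids correspond to reference members, so the
    /// objects passed here must outlive this HttpJsNorm.
    /// NOTE(review): the depth/nesting values look like the bounds on work done per script;
    /// confirm in the .cc that each one is enforced on untrusted input.
    HttpJsNorm(const HttpParaList::UriParam&, int64_t normalization_depth,
        int32_t identifier_depth, uint8_t max_template_nesting, uint32_t max_bracket_depth,
        uint32_t max_scope_depth, const std::unordered_set<std::string>& ignored_ids);
    ~HttpJsNorm();

    // Copy construction is disabled. The class declares a destructor and holds raw
    // SearchTool pointers plus two reference members; a member-wise copy would alias all of
    // them, and if the destructor releases the search tools (not visible here) the second
    // destruction would free them again. Copy assignment was already implicitly deleted by
    // the reference members; it is spelled out so the intent is explicit.
    HttpJsNorm(const HttpJsNorm&) = delete;
    HttpJsNorm& operator=(const HttpJsNorm&) = delete;

    /// Overwrites the stored detection depth.
    void set_detection_depth(size_t depth)
    { detection_depth = depth; }

    /// Legacy normalizer: reads `input`, writes `output`. Defined elsewhere.
    void do_legacy(const Field& input, Field& output, HttpInfractions*, HttpEventGen*,
        int max_javascript_whitespaces) const;
    /// Normalizers taking the flow data; the trailing bool is unnamed in this declaration.
    void do_inline(const Field& input, Field& output, HttpInfractions*, HttpFlowData*, bool) const;
    void do_external(const Field& input, Field& output, HttpInfractions*, HttpFlowData*, bool) const;

    /// Defined elsewhere; presumably builds the search tools once (see configure_once).
    void configure();

private:
    enum AttrId { AID_SLASH, AID_GT, AID_SRC, AID_JS, AID_ECMA, AID_VB };

    // State shared with the match_*() callbacks declared below.
    struct MatchContext
    {
        const char* next;
        bool is_javascript;
        bool is_external;
        bool is_shortened;
    };

    // Non-owning reference: the referenced parameters must outlive this object.
    const HttpParaList::UriParam& uri_param;
    // No in-class initializer; set through set_detection_depth().
    // NOTE(review): confirm the constructor gives this a defined value before first use.
    size_t detection_depth;
    int64_t normalization_depth;
    int32_t identifier_depth;
    uint8_t max_template_nesting;
    uint32_t max_bracket_depth;
    uint32_t max_scope_depth;
    // Non-owning reference: the caller's set must outlive this object.
    const std::unordered_set<std::string>& ignored_ids;
    bool configure_once = false;

    // Default to nullptr so the pointers hold a defined value even if the destructor runs
    // before configure(); a member initializer in the constructor still takes precedence.
    snort::SearchTool* mpse_otag = nullptr;
    snort::SearchTool* mpse_attr = nullptr;
    snort::SearchTool* mpse_type = nullptr; // legacy only

    // Static callbacks with the five-argument signature used for search matches.
    static int search_js_found(void*, void*, int index, void*, void*);  // legacy only
    static int search_html_found(void* id, void*, int, void*, void*); // legacy only
    static int match_otag(void*, void*, int, void*, void*);
    static int match_attr(void*, void*, int, void*, void*);

    /// Reports whether the flow's js_normalizer converts to true.
    /// `ssn` is dereferenced without a null check, so callers must pass a valid flow.
    bool alive_ctx(const HttpFlowData* ssn) const
    { return ssn->js_normalizer; }
};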
87 
88 #endif
89 
90