Added warning on unknown escape sequences#1880
Merged
plusvic merged 4 commits intoAug 23, 2023
Merged
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
…ith strict-escape parameter
9e670ea to
64b3a64
Compare
plusvic
approved these changes
May 31, 2023
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Whenever user makes a mistake in escape sequence it is being silently ignored.
For example if user writes
C:\Users\\[^\\]+\\test.txtinstead of
C:\\Users\\[^\\]+\\test.txtYARA takes
\Uas an escape sequence and ignores it as there is not a rule to match (U is returned), therefore this would match strings starting withC:Usersinstead ofC:\Users.Another case where this problem would rise is even within YARA tests. There is
\0x5Avalue being escaped in range test. YARA does not support leading 0 in escaping, therefore it escapes only\0, returns0and continues with the rest being treated as a normal string. We would then get range65-93(65 is a decimal value for ASCII A and 93 for\x5D) instead of desired range91-93in decimal values. The test is not failing as the tested value is within both ranges but if you try something that should fail as a\x4Fit still passes.