diff --git a/capa/features/__init__.py b/capa/features/__init__.py
index 25ad5bb4..5d59e4da 100644
--- a/capa/features/__init__.py
+++ b/capa/features/__init__.py
@@ -161,7 +161,7 @@ class Regex(String):
 class StringFactory(object):
- def __new__(self, value, description):
+ def __new__(self, value, description=None):
 if value.startswith("/") and (value.endswith("/") or value.endswith("/i")):
 return Regex(value, description=description)
 return String(value, description=description)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index b60a5503..98b06949 100644
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -162,6 +162,23 @@ def test_rule_yaml_count_range():
 assert r.evaluate({Number(100): {1, 2, 3}}) == False
+def test_rule_yaml_count_string():
+ rule = textwrap.dedent(
+ """
+ rule:
+ meta:
+ name: test rule
+ features:
+ - count(string(foo)): 2
+ """
+ )
+ r = capa.rules.Rule.from_yaml(rule)
+ assert r.evaluate({String("foo"): {}}) == False
+ assert r.evaluate({String("foo"): {1}}) == False
+ assert r.evaluate({String("foo"): {1, 2}}) == True
+ assert r.evaluate({String("foo"): {1, 2, 3}}) == False
+
+
 def test_invalid_rule_feature():
 with pytest.raises(capa.rules.InvalidRule):
 capa.rules.Rule.from_yaml(
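Review bot: In `StringFactory.__new__` (capa/features/__init__.py), a value consisting only of `/` satisfies both `startswith("/")` and `endswith("/")`, so it is dispatched to `Regex` rather than `String`. How `Regex` handles such a value is outside this hunk, but if it ends up with an empty pattern, a rule meant to match a literal slash would presumably match far more strings than its author intended. A length guard keeps that case on the literal path: `if len(value) >= 2 and value.startswith("/") and value.endswith(("/", "/i")):`. Separately, the first parameter of `__new__` receives the class and is conventionally named `cls`, not `self`.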
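Review bot: In `test_rule_yaml_count_string` (tests/test_rules.py), the first assertion passes `{}`, which is an empty dict, while the following cases pass sets (`{1}`, `{1, 2}`); `assert r.evaluate({String("foo"): set()}) == False` keeps the location collection the same type throughout. The test also exercises only the plain-`String` branch of `StringFactory`, although the new `description=None` default applies to the `Regex` branch as well. A companion rule using `- count(string(/foo/)): 2` would cover that path; how a regex feature is looked up in the feature dict is not visible here, so the expected results need confirming against the evaluator.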