From ae4c2ec82df47306a186010313e0eedfe59f386f Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 22 Apr 2026 22:15:00 +0300
Subject: [PATCH] fix: parenthesize s_type checks in capa2yara so kid.name guard applies to And/Or/Not uniformly

Without parentheses, Python's operator precedence caused `kid.name != "Some"` to only guard the `Not` branch; `And` and `Or` kids named `"Some"` would bypass the Some-handling block and enter recursive convert_rule unguarded.
---
 CHANGELOG.md | 1 +
 scripts/capa2yara.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7f08c78e..47d40316 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -50,6 +50,7 @@
 - fix: correct wrong dict key in VMRay _compute_monitor_threads assertion (used thread_id instead of process_id) @williballenthin
 fix: replace assert with isinstance guard in get_callee for invalid MethodSpec tokens @williballenthin
 - fix: replace assert with isinstance guard in get_callee for invalid MethodSpec tokens @williballenthin
+- fix: parenthesize s_type checks in capa2yara.py so kid.name != "Some" guard applies to And/Or/Not uniformly @williballenthin (SURF-86)
 - fix: correct operator precedence in FeatureRegexRegistryControlSetMatchIncomplete to avoid false positives on unrelated currentcontrolset patterns @williballenthin (SURF-85)
 - fix: FeatureRegexRegistryControlSetMatchIncomplete now checks all Regex features instead of returning after the first @williballenthin (SURF-84)
 - fix: MissingStaticScope and MissingDynamicScope lint checks guard against absent scopes dict to prevent TypeError @williballenthin (SURF-83)
diff --git a/scripts/capa2yara.py b/scripts/capa2yara.py
index 0315d60e..a2df8b75 100644
--- a/scripts/capa2yara.py
+++ b/scripts/capa2yara.py
@@ -414,7 +414,7 @@ def convert_rule(rule, rulename, cround, depth):
 # this is "x or more". could be coded for strings TODO
 return "BREAK", "Some aka x or more (TODO)", rule_comment, incomplete
- if s_type == "And" or s_type == "Or" or s_type == "Not" and kid.name != "Some":
+ if (s_type == "And" or s_type == "Or" or s_type == "Not") and kid.name != "Some":
 logger.info("doing bool with recursion: %r", kid)
 logger.info("kid coming: %r", kid.name)
 # logger.info("grandchildren: " + repr(kid.children))
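Review bot: The new condition on the changed line still spells the type test as a parenthesized `or` chain, which is exactly the shape that let the precedence bug in; a membership test reads more directly and cannot regress the same way: `if s_type in ("And", "Or", "Not") and kid.name != "Some":`. The `kid.name != "Some"` clause also deserves a one-line comment stating when an And/Or/Not kid can carry the name "Some" — if s_type is derived from kid.name (not visible in this hunk), the clause is redundant and the comment should name the case it actually excludes. A regression test that feeds an And/Or kid named "Some" through convert_rule would pin the behaviour this commit changes, since the fallthrough path for that case is outside the hunk. convert_rule starts before and continues after the hunk.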