From d3dad3a66ade6e74fbd2d75cdb2df7099741eeaf Mon Sep 17 00:00:00 2001
From: William Ballenthin
Date: Sun, 16 Aug 2020 21:38:13 -0600
Subject: [PATCH] rules: fix bug in string counting closes #241
---
 capa/features/__init__.py | 2 +-
 tests/test_rules.py | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/capa/features/__init__.py b/capa/features/__init__.py
index 25ad5bb4..5d59e4da 100644
--- a/capa/features/__init__.py
+++ b/capa/features/__init__.py
@@ -161,7 +161,7 @@ class Regex(String):
 class StringFactory(object):
- def __new__(self, value, description):
+ def __new__(self, value, description=None):
 if value.startswith("/") and (value.endswith("/") or value.endswith("/i")):
 return Regex(value, description=description)
 return String(value, description=description)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index b60a5503..98b06949 100644
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -162,6 +162,23 @@ def test_rule_yaml_count_range():
 assert r.evaluate({Number(100): {1, 2, 3}}) == False
+def test_rule_yaml_count_string():
+ rule = textwrap.dedent(
+ """
+ rule:
+ meta:
+ name: test rule
+ features:
+ - count(string(foo)): 2
+ """
+ )
+ r = capa.rules.Rule.from_yaml(rule)
+ assert r.evaluate({String("foo"): {}}) == False
+ assert r.evaluate({String("foo"): {1}}) == False
+ assert r.evaluate({String("foo"): {1, 2}}) == True
+ assert r.evaluate({String("foo"): {1, 2, 3}}) == False
+
+
 def test_invalid_rule_feature():
 with pytest.raises(capa.rules.InvalidRule):
 capa.rules.Rule.from_yaml(
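Review bot: In capa/features/__init__.py the changed signature still names the first parameter of `__new__` `self`, although `__new__` receives the class and this one never returns a `StringFactory` instance; `def __new__(cls, value, description=None):` reads correctly. A one-line docstring such as `"""Return a Regex for /.../ or /.../i values, otherwise a String."""` would also help rule authors, because any literal that merely starts and ends with a slash (a path such as `/tmp/`, a constructed example) is handed to `Regex` instead of being matched exactly. How `Regex` interprets such a value is outside this hunk.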
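Review bot: In tests/test_rules.py the first assertion of `test_rule_yaml_count_string` passes `{}`, which is an empty dict, while the other three pass sets of locations; `assert r.evaluate({String("foo"): set()}) == False` keeps the value type uniform. The test also covers only a plain string, so the `Regex` branch that `StringFactory` takes for slash-delimited values is never reached through `count(string(...))` with the new default. If counting a pattern is meant to be supported (not visible here), a second rule with a `/foo/`-style value would pin that path as well.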