gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-23 15:37:37 -08:00
Code Issues Packages Projects Releases Wiki Activity

rules: fix bug in string counting

Browse Source 
closes #241
This commit is contained in:
William Ballenthin
2020-08-16 21:38:13 -06:00
parent b084f7cb9b
commit d3dad3a66a
2 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
capa/features/__init__.py
View File

@@ -161,7 +161,7 @@ class Regex(String):
class StringFactory(object): class StringFactory(object):
def __new__(self, value, description): def __new__(self, value, description=None):
if value.startswith("/") and (value.endswith("/") or value.endswith("/i")): if value.startswith("/") and (value.endswith("/") or value.endswith("/i")):
return Regex(value, description=description) return Regex(value, description=description)
return String(value, description=description) return String(value, description=description)

17
tests/test_rules.py
View File

@@ -162,6 +162,23 @@ def test_rule_yaml_count_range():
assert r.evaluate({Number(100): {1, 2, 3}}) == False assert r.evaluate({Number(100): {1, 2, 3}}) == False
def test_rule_yaml_count_string():
rule = textwrap.dedent(
"""
rule:
meta:
name: test rule
features:
- count(string(foo)): 2
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({String("foo"): {}}) == False
assert r.evaluate({String("foo"): {1}}) == False
assert r.evaluate({String("foo"): {1, 2}}) == True
assert r.evaluate({String("foo"): {1, 2, 3}}) == False
def test_invalid_rule_feature(): def test_invalid_rule_feature():
with pytest.raises(capa.rules.InvalidRule): with pytest.raises(capa.rules.InvalidRule):
capa.rules.Rule.from_yaml( capa.rules.Rule.from_yaml(