From 23ef9b3857a411c73b913d10c5bad668cff68aa0 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky <jlucovsky@oisf.net>
Date: Tue, 17 Sep 2024 08:56:36 -0400
Subject: [PATCH] tests/luaxform: Lua transform tests

This commit adds tests for new Lua transform
- Basic transform operation
- Ensure non-existent Lua scripts are detected
- Ensure Lua scripts without transform functions are detected
- Ensure Lua scripts properly receive optional transform arguments
---
 tests/lua/lua-transform-01/README.md     |   1 +
 tests/lua/lua-transform-01/test.pcap     | Bin 0 -> 2075 bytes
 tests/lua/lua-transform-01/test.rules    |   1 +
 tests/lua/lua-transform-01/test.yaml     |  14 +++++++
 tests/lua/lua-transform-01/transform.lua |  10 +++++
 tests/lua/lua-transform-02/README.md     |   1 +
 tests/lua/lua-transform-02/test.rules    |   1 +
 tests/lua/lua-transform-02/test.yaml     |  20 +++++++++
 tests/lua/lua-transform-03/README.md     |   1 +
 tests/lua/lua-transform-03/test.rules    |   1 +
 tests/lua/lua-transform-03/test.yaml     |  20 +++++++++
 tests/lua/lua-transform-03/transform.lua |  10 +++++
 tests/lua/lua-transform-04/README.md     |   1 +
 tests/lua/lua-transform-04/test.rules    |   1 +
 tests/lua/lua-transform-04/test.yaml     |  18 +++++++++
 tests/lua/lua-transform-04/transform.lua |  13 ++++++
 tests/lua/lua-transform-05/transform.lua |   7 +---
 tests/lua/lua-transform-06/README.md     |   1 +
 tests/lua/lua-transform-06/test.rules    |   1 +
 tests/lua/lua-transform-06/test.yaml     |  16 ++++++++
 tests/lua/lua-transform-06/transform.lua |  11 +++++
 tests/lua/lua-transform-07/README.md     |   2 +
 tests/lua/lua-transform-07/test.rules    |   1 +
 tests/lua/lua-transform-07/test.yaml     |  16 ++++++++
 tests/lua/lua-transform-07/transform.lua |  49 +++++++++++++++++++++++
 25 files changed, 211 insertions(+), 6 deletions(-)
 create mode 100644 tests/lua/lua-transform-01/README.md
 create mode 100644 tests/lua/lua-transform-01/test.pcap
 create mode 100644 tests/lua/lua-transform-01/test.rules
 create mode 100644 tests/lua/lua-transform-01/test.yaml
 create mode 100644 tests/lua/lua-transform-01/transform.lua
 create mode 100644 tests/lua/lua-transform-02/README.md
 create mode 100644 tests/lua/lua-transform-02/test.rules
 create mode 100644 tests/lua/lua-transform-02/test.yaml
 create mode 100644 tests/lua/lua-transform-03/README.md
 create mode 100644 tests/lua/lua-transform-03/test.rules
 create mode 100644 tests/lua/lua-transform-03/test.yaml
 create mode 100644 tests/lua/lua-transform-03/transform.lua
 create mode 100644 tests/lua/lua-transform-04/README.md
 create mode 100644 tests/lua/lua-transform-04/test.rules
 create mode 100644 tests/lua/lua-transform-04/test.yaml
 create mode 100644 tests/lua/lua-transform-04/transform.lua
 create mode 100644 tests/lua/lua-transform-06/README.md
 create mode 100644 tests/lua/lua-transform-06/test.rules
 create mode 100644 tests/lua/lua-transform-06/test.yaml
 create mode 100644 tests/lua/lua-transform-06/transform.lua
 create mode 100644 tests/lua/lua-transform-07/README.md
 create mode 100644 tests/lua/lua-transform-07/test.rules
 create mode 100644 tests/lua/lua-transform-07/test.yaml
 create mode 100644 tests/lua/lua-transform-07/transform.lua

diff --git a/tests/lua/lua-transform-01/README.md b/tests/lua/lua-transform-01/README.md
new file mode 100644
index 000000000..9326f3a9d
--- /dev/null
+++ b/tests/lua/lua-transform-01/README.md
@@ -0,0 +1 @@
+Lua transform test: returns input buffer in uppercase. The rule will match on the uppercase output
diff --git a/tests/lua/lua-transform-01/test.pcap b/tests/lua/lua-transform-01/test.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b9eec15c8218b9bbcafb992452f367e7bf334bd5
GIT binary patch
literal 2075
zcmbW2dr%Wc9LF~SAsohuQWX?&XVl@D%YzHTNtK9(C?M&O0tFRga*!+Ga)b*3>{M!1
zs*Y9Z;0vjCY|*OVd!{}B9TZ1elv>*kgB|QprdB(mt+uwd&|O}ZK>LR`*_+(%-sktd
z{e6GCx0_CVBnF;f_=*ESgdPsn9?S+MQm_pD#|;?Lc6)a5>5a3}L=vzVfH?eH;PteN
zctuGOYEjm$f?!$V@{I*}@(FQY-wHnf#Gd2Mh&(*JL?Q{HH<Sr@%u_r-*CF~+^o-j8
zcOXVTJr>jByq^4s$v8r=>{daqG=CC`;5abJdgnq6rq4n&31PjKaS_u|ByX(yIU+Aa
zRNO}CrUrHQxaoEvx?h<L(PpC+7}Sf&m}oAQf=y^yaC0Y$)(jAz93GSCFCplSBZ-ET
zR3lU{#f&+dw-*W|Z{?xhXf!BPq)JNYQ5OwWN>ZaFRb-5cRw>aXC0;LN9CB?g!=ce+
zdns$PnG_mQ2}6=iW|kA|h1Pj+2`4Z%h&o_OD$GETY!#Iq6$-UHZ)4J#)rqX2&_vE9
zBcotQqTZOC6aj5)9s?5?bDljE##<fsd`1x+O)5!B9TQDbFx8Y}a<GFhNeQjl%<zJI
zF=w`0ST2`_xuq;00WD09%_J~G<1`FYgh`2bJI66*fwglq%wrf{ZnCjOXcFod&}Yb#
z7%o?^(on5_(Pu2-85)|9Ue;{FuPTb=E|*K5V|V1soemp=BQq8$Ati8P>?koqsUBq_
zN>hhT)TnhckzeBS@^fV}(82i*BnG9q9vcV~OAs*wWf?d3RAaC9o4$Qys>{#yn+K)(
zNbks0vzAxUXN1pD>lnd|?!2k6&}G4K-u{2($NQDXjiLM|R-XTKv~u4HDfmka`kVV&
zh#zWBVB*CMV-o#AN0|RGu?ermkRhR3se~zsQX-Xc6fq7Oa=9#5jIA1l-MR>+orXrM
zGXg3#aGAXb%~va-axP72XetsWBpcn6D=@`^!Ybt3UJML5fr^Ui?;O)M8FGW&#W)y?
zd|?R<4SEBzzlMyFtDLKyoZzHLRiu<iGda+pn@wK?8fjeYqM2JHIMV=loHc4)>y+ag
zehrW2dVUHY=d3HAQPj=^MXl9tm{1Zf&(n5yDp;O2UE9;POYuiVbIsjj`B#_Bh7*!?
z59-vm;J@dGeSD-=<mDXz9$YjBg-qQNa5VpoJ(Bw19qZOVqptrRqz{l}9y63Lskr{m
zS=rHUb=G^J{ai@Af90vP3^p`v6O`RwzNc~NH<PNed_E+ob}ha0^S6#?l+9}3%6frV
z2cI`*whF09Q;t(@-@?n|eJoo))6F>9ldyf&%E`g8E%(j`R(<dDCP<H2pAfV4^r4^+
z)W(HtlYS_Uz2V!wG%#`FpIwp;uy^m-FBZ)EnP~Q)FKv(e?e@$sE3f(Ps(o!PA6psP
zmCiR$XDy!wPL`Z0DC&N+%(Ct9s;P^Ls!i*4KA-H62R&VPumNt~f5FjPH|;^@oi!cL
z)4qOO9dW<q&VE;?s%78q>hIdc+bSQ<seRW^ud6=bWNOZrpIVVV+4O$2o+LY}&CeWQ
z9)GtwamuCkj?9ynXL5bzw^uH9_B0Bx=267en$Cv$=B(}sEv-4Ht2nY`-!#27prvr)
zW9p#fP<NonHM>d|zPYBU0uATt;lu9fzdT84yf?jbQPTZ-bdurf`U=&;(7rILivQyX
zD8Jb&wYQeZy!$MJ`vR(iQnWWTVPaF|OA{wbfW>EcUl=BK{)^~duYl5=?B4<AkE~aF
nE84r-$|i!2yolj?y@GXOjiozZLSq~H>Ko|b0~YTQ8n65Vvf-dz

literal 0
HcmV?d00001

diff --git a/tests/lua/lua-transform-01/test.rules b/tests/lua/lua-transform-01/test.rules
new file mode 100644
index 000000000..0f33f6085
--- /dev/null
+++ b/tests/lua/lua-transform-01/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP";  sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-01/test.yaml b/tests/lua/lua-transform-01/test.yaml
new file mode 100644
index 000000000..5a80f136c
--- /dev/null
+++ b/tests/lua/lua-transform-01/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  min-version: 8
+
+args:
+  - --set default-rule-path=${TEST_DIR}
+  - --set security.lua.allow-rules=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        http.url: /exec_post.php
diff --git a/tests/lua/lua-transform-01/transform.lua b/tests/lua/lua-transform-01/transform.lua
new file mode 100644
index 000000000..5742bd900
--- /dev/null
+++ b/tests/lua/lua-transform-01/transform.lua
@@ -0,0 +1,10 @@
+-- Arguments supported
+local bytes_key = "bytes"
+local offset_key = "offset"
+function transform(input_len, input, argc, args)
+    local bytes = input_len
+    local offset = 0
+
+    local sub = string.sub(input, offset + 1, offset + bytes)
+    return string.upper(sub), bytes
+end
diff --git a/tests/lua/lua-transform-02/README.md b/tests/lua/lua-transform-02/README.md
new file mode 100644
index 000000000..10c8d07e3
--- /dev/null
+++ b/tests/lua/lua-transform-02/README.md
@@ -0,0 +1 @@
+Lua transform: Ensure non-existent lua scripts are detected.
diff --git a/tests/lua/lua-transform-02/test.rules b/tests/lua/lua-transform-02/test.rules
new file mode 100644
index 000000000..c16f5a495
--- /dev/null
+++ b/tests/lua/lua-transform-02/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:no_filetransform.lua;content:"EXEC_POST.PHP";  sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-02/test.yaml b/tests/lua/lua-transform-02/test.yaml
new file mode 100644
index 000000000..fcfed6b23
--- /dev/null
+++ b/tests/lua/lua-transform-02/test.yaml
@@ -0,0 +1,20 @@
+requires:
+  min-version: 8
+
+args:
+  - --set default-rule-path=${TEST_DIR}
+  - --set security.lua.allow-rules=true
+  - --set logging.outputs.1.file.type=json
+  - -T
+
+exit-code: 1
+
+pcap: false
+checks:
+  - filter:
+      count: 1
+      filename: suricata.log
+      match:
+        event_type: engine
+        engine.message.__startswith: "couldn't load file"
+        engine.message.__find: "no_filetransform.lua: No such file or directory"
diff --git a/tests/lua/lua-transform-03/README.md b/tests/lua/lua-transform-03/README.md
new file mode 100644
index 000000000..136e5918e
--- /dev/null
+++ b/tests/lua/lua-transform-03/README.md
@@ -0,0 +1 @@
+Lua transform test: ensure lua script has a transform function
diff --git a/tests/lua/lua-transform-03/test.rules b/tests/lua/lua-transform-03/test.rules
new file mode 100644
index 000000000..0f33f6085
--- /dev/null
+++ b/tests/lua/lua-transform-03/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP";  sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-03/test.yaml b/tests/lua/lua-transform-03/test.yaml
new file mode 100644
index 000000000..eff429553
--- /dev/null
+++ b/tests/lua/lua-transform-03/test.yaml
@@ -0,0 +1,20 @@
+requires:
+  min-version: 8
+
+args:
+  - --set default-rule-path=${TEST_DIR}
+  - --set security.lua.allow-rules=true
+  - --set logging.outputs.1.file.type=json
+  - -T
+
+pcap: false
+
+exit-code: 1
+
+checks:
+  - filter:
+      count: 1
+      filename: suricata.log
+      match:
+        engine.message.__find: "no transform function in script"
+        event_type: engine
diff --git a/tests/lua/lua-transform-03/transform.lua b/tests/lua/lua-transform-03/transform.lua
new file mode 100644
index 000000000..9d10d9f76
--- /dev/null
+++ b/tests/lua/lua-transform-03/transform.lua
@@ -0,0 +1,10 @@
+-- Arguments supported
+local bytes_key = "bytes"
+local offset_key = "offset"
+function no_transform(input_len, input, argc, args)
+    local bytes = input_len
+    local offset = 0
+
+    local sub = string.sub(input, offset + 1, offset + bytes)
+    return string.upper(sub), bytes
+end
diff --git a/tests/lua/lua-transform-04/README.md b/tests/lua/lua-transform-04/README.md
new file mode 100644
index 000000000..ae099cc78
--- /dev/null
+++ b/tests/lua/lua-transform-04/README.md
@@ -0,0 +1 @@
+Ensure Lua transform receives optional transform function arguments
diff --git a/tests/lua/lua-transform-04/test.rules b/tests/lua/lua-transform-04/test.rules
new file mode 100644
index 000000000..2224c83df
--- /dev/null
+++ b/tests/lua/lua-transform-04/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua, bytes 0, offset 2;content:"EXEC_POST.PHP";  sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-04/test.yaml b/tests/lua/lua-transform-04/test.yaml
new file mode 100644
index 000000000..65b944fec
--- /dev/null
+++ b/tests/lua/lua-transform-04/test.yaml
@@ -0,0 +1,18 @@
+requires:
+  min-version: 8
+
+args:
+  - --set default-rule-path=${TEST_DIR}
+  - --set security.lua.allow-rules=true
+
+pcap: ../lua-transform-01/test.pcap
+
+checks:
+
+  - shell:
+      args: grep  "1 item.*  bytes 0" stdout | wc -l | xargs
+      expect: 1
+
+  - shell:
+      args: grep  "2 item.*  offset 2" stdout| wc -l | xargs
+      expect: 1
diff --git a/tests/lua/lua-transform-04/transform.lua b/tests/lua/lua-transform-04/transform.lua
new file mode 100644
index 000000000..a5338de63
--- /dev/null
+++ b/tests/lua/lua-transform-04/transform.lua
@@ -0,0 +1,13 @@
+-- Arguments supported
+local bytes_key = "bytes"
+local offset_key = "offset"
+function transform(input_len, input, argc, args)
+    offset = 0
+    bytes = input_len
+    for i, item in ipairs(args) do
+        print(i .. " item: " .. item)
+    end
+
+    local sub = string.sub(input, offset + 1, offset + bytes)
+    return string.upper(sub), bytes
+end
diff --git a/tests/lua/lua-transform-05/transform.lua b/tests/lua/lua-transform-05/transform.lua
index fc7f577c4..e338d1651 100644
--- a/tests/lua/lua-transform-05/transform.lua
+++ b/tests/lua/lua-transform-05/transform.lua
@@ -1,8 +1,3 @@
-function init (args)
-    local needs = {}
-    return needs
-end
-
 function transform(input_len, input, argc, args)
-    return nil
+    return nil, 0
 end
diff --git a/tests/lua/lua-transform-06/README.md b/tests/lua/lua-transform-06/README.md
new file mode 100644
index 000000000..423cac594
--- /dev/null
+++ b/tests/lua/lua-transform-06/README.md
@@ -0,0 +1 @@
+Lua transform test: transform function returns 1 parameter when 2 are required.
diff --git a/tests/lua/lua-transform-06/test.rules b/tests/lua/lua-transform-06/test.rules
new file mode 100644
index 000000000..0f33f6085
--- /dev/null
+++ b/tests/lua/lua-transform-06/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP";  sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-06/test.yaml b/tests/lua/lua-transform-06/test.yaml
new file mode 100644
index 000000000..f564e8ccf
--- /dev/null
+++ b/tests/lua/lua-transform-06/test.yaml
@@ -0,0 +1,16 @@
+requires:
+  min-version: 8
+
+args:
+  - --set default-rule-path=${TEST_DIR}
+  - --set security.lua.allow-rules=true
+
+pcap: ../lua-transform-01/test.pcap
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        http.url: /exec_post.php
diff --git a/tests/lua/lua-transform-06/transform.lua b/tests/lua/lua-transform-06/transform.lua
new file mode 100644
index 000000000..d4710283c
--- /dev/null
+++ b/tests/lua/lua-transform-06/transform.lua
@@ -0,0 +1,11 @@
+-- Arguments supported
+local bytes_key = "bytes"
+local offset_key = "offset"
+function transform(input_len, input, argc, args)
+    local bytes = input_len
+    local offset = 0
+
+    local sub = string.sub(input, offset + 1, offset + bytes)
+    -- Note -- only one value is returned when 2 are expected: buffer, byte-count
+    return string.upper(sub)
+end
diff --git a/tests/lua/lua-transform-07/README.md b/tests/lua/lua-transform-07/README.md
new file mode 100644
index 000000000..c9f52c1b7
--- /dev/null
+++ b/tests/lua/lua-transform-07/README.md
@@ -0,0 +1,2 @@
+Ensure Lua transform receives optional transform function arguments. The Lua transform script
+is also provided as an example in the documentation.
diff --git a/tests/lua/lua-transform-07/test.rules b/tests/lua/lua-transform-07/test.rules
new file mode 100644
index 000000000..58cd4ab47
--- /dev/null
+++ b/tests/lua/lua-transform-07/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua, bytes 12, offset 2;content:"XEC_POST.PHP";  sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-07/test.yaml b/tests/lua/lua-transform-07/test.yaml
new file mode 100644
index 000000000..f58bfd940
--- /dev/null
+++ b/tests/lua/lua-transform-07/test.yaml
@@ -0,0 +1,16 @@
+requires:
+  min-version: 8
+
+args:
+  - --set default-rule-path=${TEST_DIR}
+  - --set security.lua.allow-rules=true
+
+pcap: ../lua-transform-01/test.pcap
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/lua/lua-transform-07/transform.lua b/tests/lua/lua-transform-07/transform.lua
new file mode 100644
index 000000000..da95b1b7d
--- /dev/null
+++ b/tests/lua/lua-transform-07/transform.lua
@@ -0,0 +1,49 @@
+function init()
+end
+
+local function get_value(item, key)
+   if string.find(item, key) then
+	   local _, value = string.match(item, "(%a+)%s*(%d*)")
+	   if value ~= "" then
+		   return tonumber(value)
+	   end
+   end
+
+   return nil
+end
+
+-- Arguments supported
+local bytes_key = "bytes"
+local offset_key = "offset"
+function transform(input_len, input, argc, args)
+   local bytes = input_len
+   local offset = 0
+
+   -- Look for optional bytes and offset arguments
+   for i, item in ipairs(args) do
+	   local value = get_value(item, bytes_key)
+	   if value ~= nil then
+		   bytes = value
+	   else
+		   value = get_value(item, offset_key)
+		   if value ~= nil then
+			   offset = value
+		   end
+	   end
+   end
+
+   local str_len = #input
+   if offset < 0 or offset > str_len then
+	   print("offset is out of bounds: " .. offset)
+	   return nil
+   end
+
+   local avail_len = str_len - offset
+   if bytes < 0 or bytes > avail_len then
+       print("invalid bytes " ..  bytes .. " or bytes exceeds available  length " .. avail_len)
+	   return nil
+   end
+
+   local sub = string.sub(input, offset + 1, offset + bytes)
+   return string.upper(sub), bytes
+end