82167b0a |
/*
* Unit tests for regular expression processing.
* |
206dbaef |
* Copyright (C) 2013-2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. |
52cddcbc |
* Copyright (C) 2008-2013 Sourcefire, Inc. |
82167b0a |
*
* Authors: Török Edvin
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA.
*/
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>
#include <check.h> |
b2e7c931 |
|
9e20cdf6 |
// libclamav
#include "clamav.h"
#include "others.h"
#include "mbox.h"
#include "message.h"
#include "htmlnorm.h"
#include "phishcheck.h"
#include "regex_suffix.h"
#include "regex_list.h"
#include "phish_domaincheck_db.h"
#include "phish_whitelist.h"
|
82167b0a |
#include "checks.h"
|
a497dce5 |
static size_t cb_called = 0; |
82167b0a |
|
53e3045b |
static cl_error_t cb_fail(void *cbdata, const char *suffix, size_t len, const struct regex_list *regex) |
82167b0a |
{ |
e01ba94e |
UNUSEDPARAM(cbdata);
UNUSEDPARAM(suffix);
UNUSEDPARAM(len);
UNUSEDPARAM(regex);
|
485d8dec |
ck_abort_msg("this pattern is not supposed to have a suffix"); |
53e3045b |
return CL_EMEM; |
82167b0a |
}
|
53e3045b |
static cl_error_t cb_expect_single(void *cbdata, const char *suffix, size_t len, const struct regex_list *regex) |
82167b0a |
{ |
72fd33c8 |
const char *expected = cbdata; |
e01ba94e |
UNUSEDPARAM(len);
UNUSEDPARAM(regex);
|
72fd33c8 |
cb_called++; |
485d8dec |
ck_assert_msg(suffix && strcmp(suffix, expected) == 0, |
e01ba94e |
"suffix mismatch, was: %s, expected: %s\n", suffix, expected); |
53e3045b |
return CL_SUCCESS; |
82167b0a |
}
static struct regex_list regex; |
72fd33c8 |
START_TEST(empty) |
82167b0a |
{ |
72fd33c8 |
const char pattern[] = ""; |
e01ba94e |
cl_error_t rc; |
72fd33c8 |
regex_t *preg;
errmsg_expected();
preg = malloc(sizeof(*regex.preg)); |
485d8dec |
ck_assert_msg(!!preg, "malloc"); |
72fd33c8 |
rc = cli_regex2suffix(pattern, preg, cb_fail, NULL);
free(preg); |
485d8dec |
ck_assert_msg(rc == REG_EMPTY, "empty pattern");
ck_assert_msg(cb_called == 0, "callback shouldn't be called"); |
82167b0a |
}
END_TEST
|
72fd33c8 |
START_TEST(one) |
82167b0a |
{ |
72fd33c8 |
char pattern[] = "a"; |
e01ba94e |
cl_error_t rc; |
72fd33c8 |
regex_t *preg;
preg = malloc(sizeof(*regex.preg)); |
485d8dec |
ck_assert_msg(!!preg, "malloc"); |
72fd33c8 |
rc = cli_regex2suffix(pattern, preg, cb_expect_single, pattern); |
e01ba94e |
ck_assert_msg(rc == CL_SUCCESS, "single character pattern"); |
72fd33c8 |
cli_regfree(preg);
free(preg); |
485d8dec |
ck_assert_msg(cb_called == 1, "callback should be called once"); |
82167b0a |
}
END_TEST
|
a497dce5 |
static const char *ex1[] = |
72fd33c8 |
{"com|de", "moc", "ed", NULL}; |
a497dce5 |
static const char *ex2[] = |
72fd33c8 |
{"xd|(a|e)bc", "dx", "cba", "cbe", NULL}; |
82167b0a |
static const char **tests[] = { |
72fd33c8 |
ex1,
ex2}; |
82167b0a |
|
53e3045b |
static cl_error_t cb_expect_multi(void *cbdata, const char *suffix, size_t len, const struct regex_list *r) |
82167b0a |
{ |
72fd33c8 |
const char **exp = cbdata; |
e01ba94e |
UNUSEDPARAM(r);
|
485d8dec |
ck_assert_msg(!!exp, "expected data"); |
72fd33c8 |
exp++; |
485d8dec |
ck_assert_msg(!!*exp, "expected no suffix, got: %s\n", suffix);
ck_assert_msg(!!exp[cb_called], "expected less suffixes, but already got: %d\n", cb_called);
ck_assert_msg(strcmp(exp[cb_called], suffix) == 0, |
e01ba94e |
"suffix mismatch, was: %s, expected: %s\n", suffix, exp[cb_called]); |
485d8dec |
ck_assert_msg(strlen(suffix) == len, "incorrect suffix len, expected: %d, got: %d\n", strlen(suffix), len); |
72fd33c8 |
cb_called++; |
53e3045b |
return CL_SUCCESS; |
82167b0a |
}
|
72fd33c8 |
START_TEST(test_suffix) |
82167b0a |
{ |
e01ba94e |
cl_error_t rc; |
72fd33c8 |
regex_t *preg;
const char *pattern = tests[_i][0];
size_t n = 0;
const char **p = tests[_i];
|
485d8dec |
ck_assert_msg(!!pattern, "test pattern"); |
72fd33c8 |
preg = malloc(sizeof(*regex.preg)); |
485d8dec |
ck_assert_msg(!!preg, "malloc"); |
72fd33c8 |
rc = cli_regex2suffix(pattern, preg, cb_expect_multi, tests[_i]); |
e01ba94e |
ck_assert_msg(rc == CL_SUCCESS, "single character pattern"); |
72fd33c8 |
cli_regfree(preg);
free(preg);
p++;
while (*p++) n++; |
485d8dec |
ck_assert_msg(cb_called == n, |
e01ba94e |
"suffix number mismatch, expected: %d, was: %d\n", n, cb_called); |
82167b0a |
}
END_TEST
static void setup(void)
{ |
72fd33c8 |
cb_called = 0; |
82167b0a |
}
static void teardown(void)
{
}
|
3dcc2d78 |
static struct regex_matcher matcher;
static void rsetup(void)
{ |
e01ba94e |
cl_error_t rc; |
7866b37c |
#ifdef USE_MPOOL |
72fd33c8 |
matcher.mempool = mpool_create(); |
563582a1 |
#endif |
72fd33c8 |
rc = init_regex_list(&matcher, 1); |
e01ba94e |
ck_assert_msg(rc == CL_SUCCESS, "init_regex_list"); |
3dcc2d78 |
}
static void rteardown(void)
{ |
72fd33c8 |
regex_list_done(&matcher); |
7866b37c |
#ifdef USE_MPOOL |
72fd33c8 |
mpool_destroy(matcher.mempool); |
563582a1 |
#endif |
3dcc2d78 |
}
|
e01ba94e |
typedef enum rtest_result {
RTR_PHISH,
RTR_WHITELISTED,
RTR_CLEAN,
RTR_BLACKLISTED, // if 2nd db is loaded
RTR_INVALID_REGEX
} rtr_t;
|
3dcc2d78 |
static const struct rtest { |
72fd33c8 |
const char *pattern; /* NULL if not meant for whitelist testing */
const char *realurl;
const char *displayurl; |
e01ba94e |
rtr_t result; |
3dcc2d78 |
} rtests[] = { |
e01ba94e |
{NULL, "http://fake.example.com", "http://foo@key.com/", RTR_PHISH},
{NULL, "http://fake.example.com", "foo.example.com@key.com", RTR_PHISH},
{NULL, "http://fake.example.com", "foo@key.com", RTR_CLEAN},
{NULL, "http://fake.example.com", "=====key.com", RTR_PHISH},
{NULL, "http://key.com", "=====key.com", RTR_CLEAN},
{NULL, " http://key.com", "=====key.com", RTR_CLEAN},
{NULL, "http://key.com@fake.example.com", "key.com", RTR_PHISH},
{NULL, " http://key.com@fake.example.com", "key.com", RTR_PHISH},
{NULL, " http://key.com@fake.example.com ", "key.com", RTR_PHISH}, |
72fd33c8 |
/* entry taken from .wdb with a / appended */
{".+\\.ebayrtm\\.com([/?].*)?:.+\\.ebay\\.(de|com|co\\.uk)([/?].*)?/",
"http://srx.main.ebayrtm.com",
"pages.ebay.de", |
e01ba94e |
RTR_WHITELISTED /* should be whitelisted */}, |
72fd33c8 |
{".+\\.ebayrtm\\.com([/?].*)?:.+\\.ebay\\.(de|com|co\\.uk)([/?].*)?/",
"http://srx.main.ebayrtm.com.evil.example.com",
"pages.ebay.de", |
e01ba94e |
RTR_PHISH}, |
72fd33c8 |
{".+\\.ebayrtm\\.com([/?].*)?:.+\\.ebay\\.(de|com|co\\.uk)([/?].*)?/",
"www.www.ebayrtm.com?somecgi", |
e01ba94e |
"www.ebay.com/something", RTR_WHITELISTED}, |
72fd33c8 |
{NULL, |
e01ba94e |
"http://key.com", "go to key.com", RTR_CLEAN}, |
72fd33c8 |
{":.+\\.paypal\\.(com|de|fr|it)([/?].*)?:.+\\.ebay\\.(at|be|ca|ch|co\\.uk|de|es|fr|ie|in|it|nl|ph|pl|com(\\.(au|cn|hk|my|sg))?)([/?].*)?/", |
e01ba94e |
"http://www.paypal.com", "pics.ebay.com", RTR_WHITELISTED},
{NULL, "http://somefakeurl.example.com", "someotherdomain-key.com", RTR_CLEAN},
{NULL, "http://somefakeurl.example.com", "someotherdomain.key.com", RTR_PHISH}, |
319bfb51 |
{NULL, "http://malware-test.example.com/something", "test", RTR_BLACKLISTED},
{NULL, "http://phishing-test.example.com/something", "test", RTR_BLACKLISTED},
{NULL, "http://sub.malware-test.example.com/2", "test", RTR_BLACKLISTED},
{NULL, "http://sub.phishing-test.example.com/2", "test", RTR_BLACKLISTED},
{NULL, "http://user@malware-test.example.com/2", "test", RTR_BLACKLISTED},
{NULL, "http://user@phishing-test.example.com/2", "test", RTR_BLACKLISTED},
{NULL, "http://user@malware-test.example.com/2/test", "test", RTR_BLACKLISTED},
{NULL, "http://user@phishing-test.example.com/2/test", "test", RTR_BLACKLISTED},
{NULL, "http://user@malware-test.example.com/", "test", RTR_BLACKLISTED},
{NULL, "http://user@phishing-test.example.com/", "test", RTR_BLACKLISTED}, |
e01ba94e |
{NULL, "http://x.exe", "http:///x.exe", RTR_CLEAN}, |
72fd33c8 |
{".+\\.ebayrtm\\.com([/?].*)?:[^.]+\\.ebay\\.(de|com|co\\.uk)/",
"http://srx.main.ebayrtm.com",
"pages.ebay.de", |
e01ba94e |
RTR_WHITELISTED /* should be whitelisted */}, |
72fd33c8 |
{".+\\.ebayrtm\\.com([/?].*)?:.+[r-t]\\.ebay\\.(de|com|co\\.uk)/",
"http://srx.main.ebayrtm.com",
"pages.ebay.de", |
e01ba94e |
RTR_WHITELISTED /* should be whitelisted */}, |
72fd33c8 |
{".+\\.ebayrtm\\.com([/?].*)?:.+[r-t]\\.ebay\\.(de|com|co\\.uk)/",
"http://srx.main.ebayrtm.com",
"pages.ebay.de", |
e01ba94e |
RTR_WHITELISTED /* should be whitelisted */},
{"[t-", "", "", RTR_INVALID_REGEX},
{NULL, "http://co.uk", "http:// co.uk", RTR_CLEAN},
{NULL, "http://co.uk", " ", RTR_CLEAN},
{NULL, "127.0.0.1", "pages.ebay.de", RTR_CLEAN}, |
72fd33c8 |
{".+\\.ebayrtm\\.com([/?].*)?:.+\\.ebay\\.(de|com|co\\.uk)([/?].*)?/", |
e01ba94e |
"http://pages.ebay.de@fake.example.com", "pages.ebay.de", RTR_PHISH},
{NULL, "http://key.com", "https://key.com", RTR_PHISH},
{NULL, "http://key.com%00fake.example.com", "https://key.com", RTR_PHISH},
{NULL, "http://key.com.example.com", "key.com.invalid", RTR_PHISH}}; |
3dcc2d78 |
|
72fd33c8 |
START_TEST(regex_list_match_test) |
3dcc2d78 |
{ |
72fd33c8 |
const char *info;
const struct rtest *rtest = &rtests[_i];
char *pattern, *realurl; |
e01ba94e |
cl_error_t rc; |
72fd33c8 |
if (!rtest->pattern) { |
e01ba94e |
ck_assert_msg(rtest->result != RTR_WHITELISTED,
"whitelist test must have pattern set"); |
72fd33c8 |
/* this test entry is not meant for whitelist testing */
return;
}
|
e01ba94e |
ck_assert_msg(rtest->result == RTR_PHISH || rtest->result == RTR_WHITELISTED || rtest->result == RTR_INVALID_REGEX,
"whitelist test result must be either RTR_PHISH or RTR_WHITELISTED or RTR_INVALID_REGEX"); |
72fd33c8 |
pattern = cli_strdup(rtest->pattern); |
485d8dec |
ck_assert_msg(!!pattern, "cli_strdup"); |
72fd33c8 |
rc = regex_list_add_pattern(&matcher, pattern); |
e01ba94e |
if (rtest->result == RTR_INVALID_REGEX) { |
485d8dec |
ck_assert_msg(rc, "regex_list_add_pattern should return error"); |
72fd33c8 |
free(pattern);
return;
} else |
e01ba94e |
ck_assert_msg(rc == CL_SUCCESS, "regex_list_add_pattern"); |
72fd33c8 |
free(pattern);
matcher.list_loaded = 1;
rc = cli_build_regex_list(&matcher); |
e01ba94e |
ck_assert_msg(rc == CL_SUCCESS, "cli_build_regex_list"); |
72fd33c8 |
|
485d8dec |
ck_assert_msg(is_regex_ok(&matcher), "is_regex_ok"); |
72fd33c8 |
|
e2f59af3 |
realurl = cli_strdup(rtest->realurl);
rc = regex_list_match(&matcher, realurl, rtest->displayurl, NULL, 1, &info, 1); |
485d8dec |
ck_assert_msg(rc == rtest->result, "regex_list_match"); |
72fd33c8 |
/* regex_list_match is not supposed to modify realurl in this case */ |
485d8dec |
ck_assert_msg(!strcmp(realurl, rtest->realurl), "realurl altered"); |
72fd33c8 |
free(realurl); |
3dcc2d78 |
}
END_TEST
static struct cl_engine *engine; |
1126559f |
static int loaded_2 = 0;
static void psetup_impl(int load2) |
3dcc2d78 |
{ |
72fd33c8 |
FILE *f; |
e01ba94e |
cl_error_t rc; |
72fd33c8 |
unsigned signo = 0; |
4b52f390 |
|
72fd33c8 |
engine = cl_engine_new(); |
485d8dec |
ck_assert_msg(!!engine, "cl_engine_new"); |
3dcc2d78 |
|
72fd33c8 |
phishing_init(engine); |
485d8dec |
ck_assert_msg(!!engine->phishcheck, "phishing_init"); |
3dcc2d78 |
|
72fd33c8 |
rc = init_domainlist(engine); |
e01ba94e |
ck_assert_msg(rc == CL_SUCCESS, "init_domainlist"); |
3dcc2d78 |
|
72fd33c8 |
f = fdopen(open_testfile("input/daily.pdb"), "r"); |
485d8dec |
ck_assert_msg(!!f, "fopen daily.pdb"); |
3dcc2d78 |
|
72fd33c8 |
rc = load_regex_matcher(engine, engine->domainlist_matcher, f, &signo, 0, 0, NULL, 1); |
e01ba94e |
ck_assert_msg(rc == CL_SUCCESS, "load_regex_matcher"); |
72fd33c8 |
fclose(f); |
3dcc2d78 |
|
485d8dec |
ck_assert_msg(signo == 201, "Incorrect number of signatures: %u, expected %u", signo, 201); |
4b52f390 |
|
72fd33c8 |
if (load2) {
f = fdopen(open_testfile("input/daily.gdb"), "r"); |
485d8dec |
ck_assert_msg(!!f, "fopen daily.gdb"); |
1126559f |
|
72fd33c8 |
signo = 0;
rc = load_regex_matcher(engine, engine->domainlist_matcher, f, &signo, 0, 0, NULL, 1); |
e01ba94e |
ck_assert_msg(rc == CL_SUCCESS, "load_regex_matcher"); |
72fd33c8 |
fclose(f); |
4b52f390 |
|
485d8dec |
ck_assert_msg(signo == 4, "Incorrect number of signatures: %u, expected %u", signo, 4); |
72fd33c8 |
}
loaded_2 = load2; |
1126559f |
|
72fd33c8 |
rc = init_whitelist(engine); |
e01ba94e |
ck_assert_msg(rc == CL_SUCCESS, "init_whitelist"); |
3dcc2d78 |
|
72fd33c8 |
f = fdopen(open_testfile("input/daily.wdb"), "r");
signo = 0;
rc = load_regex_matcher(engine, engine->whitelist_matcher, f, &signo, 0, 1, NULL, 1); |
e01ba94e |
ck_assert_msg(rc == CL_SUCCESS, "load_regex_matcher"); |
72fd33c8 |
fclose(f); |
3dcc2d78 |
|
485d8dec |
ck_assert_msg(signo == 31, "Incorrect number of signatures: %u, expected %u", signo, 31); |
4b52f390 |
|
72fd33c8 |
rc = cli_build_regex_list(engine->whitelist_matcher); |
e01ba94e |
ck_assert_msg(rc == CL_SUCCESS, "cli_build_regex_list"); |
3dcc2d78 |
|
72fd33c8 |
rc = cli_build_regex_list(engine->domainlist_matcher); |
e01ba94e |
ck_assert_msg(rc == CL_SUCCESS, "cli_build_regex_list"); |
3dcc2d78 |
|
485d8dec |
ck_assert_msg(is_regex_ok(engine->whitelist_matcher), "is_regex_ok");
ck_assert_msg(is_regex_ok(engine->domainlist_matcher), "is_regex_ok"); |
3dcc2d78 |
}
|
1126559f |
static void psetup(void)
{ |
72fd33c8 |
psetup_impl(0); |
1126559f |
}
static void psetup2(void)
{ |
72fd33c8 |
psetup_impl(1); |
1126559f |
}
|
3dcc2d78 |
static void pteardown(void)
{ |
72fd33c8 |
if (engine) {
cl_engine_free(engine);
}
engine = NULL; |
3dcc2d78 |
}
|
a2d14e06 |
static void do_phishing_test(const struct rtest *rtest) |
3dcc2d78 |
{ |
72fd33c8 |
char *realurl;
cli_ctx ctx;
struct cl_scan_options options;
const char *virname = NULL;
tag_arguments_t hrefs; |
e01ba94e |
cl_error_t rc; |
72fd33c8 |
memset(&ctx, 0, sizeof(ctx));
memset(&options, 0, sizeof(struct cl_scan_options));
ctx.options = &options;
realurl = cli_strdup(rtest->realurl); |
485d8dec |
ck_assert_msg(!!realurl, "cli_strdup"); |
72fd33c8 |
hrefs.count = 1;
hrefs.value = cli_malloc(sizeof(*hrefs.value)); |
485d8dec |
ck_assert_msg(!!hrefs.value, "cli_malloc"); |
72fd33c8 |
hrefs.value[0] = (unsigned char *)realurl;
hrefs.contents = cli_malloc(sizeof(*hrefs.contents)); |
485d8dec |
ck_assert_msg(!!hrefs.contents, "cli_malloc"); |
72fd33c8 |
hrefs.tag = cli_malloc(sizeof(*hrefs.tag)); |
485d8dec |
ck_assert_msg(!!hrefs.tag, "cli_malloc"); |
72fd33c8 |
hrefs.tag[0] = (unsigned char *)cli_strdup("href");
hrefs.contents[0] = (unsigned char *)cli_strdup(rtest->displayurl);
ctx.engine = engine;
ctx.virname = &virname;
rc = phishingScan(&ctx, &hrefs);
html_tag_arg_free(&hrefs); |
485d8dec |
ck_assert_msg(rc == CL_CLEAN, "phishingScan"); |
72fd33c8 |
switch (rtest->result) { |
e01ba94e |
case RTR_PHISH: |
485d8dec |
ck_assert_msg(ctx.found_possibly_unwanted, |
e01ba94e |
"this should be phishing, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl); |
72fd33c8 |
break; |
e01ba94e |
case RTR_WHITELISTED: |
485d8dec |
ck_assert_msg(!ctx.found_possibly_unwanted, |
e01ba94e |
"this should be whitelisted, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl); |
72fd33c8 |
break; |
e01ba94e |
case RTR_CLEAN: |
485d8dec |
ck_assert_msg(!ctx.found_possibly_unwanted, |
e01ba94e |
"this should be clean, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl); |
72fd33c8 |
break; |
e01ba94e |
case RTR_BLACKLISTED: |
72fd33c8 |
if (!loaded_2) |
485d8dec |
ck_assert_msg(!ctx.found_possibly_unwanted, |
e01ba94e |
"this should be clean, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl); |
72fd33c8 |
else { |
485d8dec |
ck_assert_msg(ctx.found_possibly_unwanted, |
e01ba94e |
"this should be blacklisted, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl);
if (*ctx.virname) { |
319bfb51 |
char *phishingFound = NULL;
char *detectionName = NULL;
if (strstr(rtest->realurl, "malware-test")) {
detectionName = "Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net";
} else if (strstr(rtest->realurl, "phishing-test")) {
detectionName = "Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net";
}
ck_assert_msg(detectionName != NULL, "\n\t Blacklist test case error - malware-test or phishing-test not found in: %s\n", rtest->realurl);
phishingFound = strstr((const char *)*ctx.virname, detectionName);
ck_assert_msg(phishingFound != NULL, "\n\t should be: %s,\n\t but is: %s\n", detectionName, *ctx.virname); |
e01ba94e |
} |
72fd33c8 |
}
break; |
e01ba94e |
case RTR_INVALID_REGEX:
/* don't worry about it, this was tested in regex_list_match_test() */
break; |
72fd33c8 |
} |
a2d14e06 |
}
|
6ad45a29 |
static void do_phishing_test_allscan(const struct rtest *rtest)
{ |
72fd33c8 |
char *realurl;
cli_ctx ctx;
const char *virname = NULL;
tag_arguments_t hrefs; |
e01ba94e |
cl_error_t rc; |
d7979d4f |
struct cl_scan_options options; |
6ad45a29 |
|
72fd33c8 |
memset(&ctx, 0, sizeof(ctx)); |
d7979d4f |
memset(&options, 0, sizeof(struct cl_scan_options));
ctx.options = &options; |
6ad45a29 |
|
72fd33c8 |
realurl = cli_strdup(rtest->realurl); |
485d8dec |
ck_assert_msg(!!realurl, "cli_strdup"); |
72fd33c8 |
hrefs.count = 1;
hrefs.value = cli_malloc(sizeof(*hrefs.value)); |
485d8dec |
ck_assert_msg(!!hrefs.value, "cli_malloc"); |
72fd33c8 |
hrefs.value[0] = (unsigned char *)realurl;
hrefs.contents = cli_malloc(sizeof(*hrefs.contents)); |
485d8dec |
ck_assert_msg(!!hrefs.contents, "cli_malloc"); |
72fd33c8 |
hrefs.tag = cli_malloc(sizeof(*hrefs.tag)); |
485d8dec |
ck_assert_msg(!!hrefs.tag, "cli_malloc"); |
72fd33c8 |
hrefs.tag[0] = (unsigned char *)cli_strdup("href");
hrefs.contents[0] = (unsigned char *)cli_strdup(rtest->displayurl);
ctx.engine = engine;
ctx.virname = &virname;
ctx.options->general |= CL_SCAN_GENERAL_ALLMATCHES;
rc = phishingScan(&ctx, &hrefs);
html_tag_arg_free(&hrefs); |
e01ba94e |
if (rtest->result == RTR_PHISH || (loaded_2 != 0 && rtest->result == RTR_BLACKLISTED)) {
ck_assert_msg(rc == CL_VIRUS, "phishingScan returned \"%s\", expected \"%s\". \n\trealURL: %s \n\tdisplayURL: %s",
cl_strerror(rc),
cl_strerror(CL_VIRUS),
rtest->realurl, rtest->displayurl);
} else {
ck_assert_msg(rc == CL_CLEAN, "phishingScan returned \"%s\", expected \"%s\". \n\trealURL: %s \n\tdisplayURL: %s",
cl_strerror(rc),
cl_strerror(CL_CLEAN),
rtest->realurl, rtest->displayurl);
} |
72fd33c8 |
switch (rtest->result) { |
e01ba94e |
case RTR_PHISH: |
485d8dec |
ck_assert_msg(ctx.num_viruses, |
e01ba94e |
"this should be phishing, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl); |
72fd33c8 |
break; |
e01ba94e |
case RTR_WHITELISTED: |
485d8dec |
ck_assert_msg(!ctx.num_viruses, |
e01ba94e |
"this should be whitelisted, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl); |
72fd33c8 |
break; |
e01ba94e |
case RTR_CLEAN: |
485d8dec |
ck_assert_msg(!ctx.num_viruses, |
e01ba94e |
"this should be clean, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl); |
72fd33c8 |
break; |
e01ba94e |
case RTR_BLACKLISTED: |
72fd33c8 |
if (!loaded_2) |
485d8dec |
ck_assert_msg(!ctx.num_viruses, |
e01ba94e |
"this should be clean, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl); |
72fd33c8 |
else { |
485d8dec |
ck_assert_msg(ctx.num_viruses, |
e01ba94e |
"this should be blacklisted, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl);
if (*ctx.virname) { |
319bfb51 |
char *phishingFound = NULL;
char *detectionName = NULL;
if (strstr(rtest->realurl, "malware-test")) {
detectionName = "Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net";
} else if (strstr(rtest->realurl, "phishing-test")) {
detectionName = "Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net";
}
ck_assert_msg(detectionName != NULL, "\n\t Blacklist test case error - malware-test or phishing-test not found in: %s\n", rtest->realurl);
phishingFound = strstr((const char *)*ctx.virname, detectionName);
ck_assert_msg(phishingFound != NULL, "\n\t should be: %s,\n\t but is: %s\n", detectionName, *ctx.virname); |
e01ba94e |
} |
72fd33c8 |
}
break; |
e01ba94e |
case RTR_INVALID_REGEX:
/* don't worry about it, this was tested in regex_list_match_test() */
break; |
72fd33c8 |
} |
6ad45a29 |
}
|
72fd33c8 |
START_TEST(phishingScan_test) |
a2d14e06 |
{ |
72fd33c8 |
do_phishing_test(&rtests[_i]); |
3dcc2d78 |
}
END_TEST |
6ad45a29 |
|
72fd33c8 |
START_TEST(phishingScan_test_allscan) |
6ad45a29 |
{ |
72fd33c8 |
do_phishing_test_allscan(&rtests[_i]); |
6ad45a29 |
}
END_TEST |
3dcc2d78 |
|
4e46d65d |
static struct uc {
const char *in;
const char *host;
const char *path;
} uc[] = {
{":example/%25%32%35", "example/", "%25"},
{":example/%25%32%35%25%32%35", "example/", "%25%25"},
{":example/abc%25%32%35asd", "example/", "abc%25asd"}, |
72fd33c8 |
{":www.example.com/", "www.example.com/", ""},
{":%31%32%37%2e%30%2e%30%2e%31/%2E%73%65%63%75%72%65/%77%77%77%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d/",
"127.0.0.1/", ".secure/www.example.com/"}, |
4e46d65d |
{":127.0.0.1/uploads/%20%20%20%20/.verify/.blah=abcd-ef=gh/", |
72fd33c8 |
"127.0.0.1/", "uploads/%20%20%20%20/.verify/.blah=abcd-ef=gh/"}, |
4e46d65d |
{"http://example%23.com/%61%40%62%252B", |
72fd33c8 |
"example%23.com/", "a@b+"},
{"http://example.com/blah/..", "example.com/", ""},
{"http://example.com/blah/../x", "example.com/", "x"},
{"http://example.com/./a", "example.com/", "a"}}; |
4e46d65d |
|
72fd33c8 |
START_TEST(test_url_canon) |
4e46d65d |
{ |
72fd33c8 |
char urlbuff[1024 + 3];
char *host = NULL; |
a1c9ad2c |
const char *path = NULL; |
4e46d65d |
size_t host_len, path_len;
struct uc *u = &uc[_i];
cli_url_canon(u->in, strlen(u->in), urlbuff, sizeof(urlbuff), &host, &host_len, &path, &path_len); |
485d8dec |
ck_assert_msg(!!host && !!path, "null results\n");
ck_assert_msg(!strcmp(u->host, host), "host incorrect: %s\n", host);
ck_assert_msg(!strcmp(u->path, path), "path incorrect: %s\n", path); |
4e46d65d |
}
END_TEST |
2bc065d4 |
static struct regex_test {
const char *regex;
const char *text;
int match;
} rg[] = {
{"\\.exe$", "test.exe", 1},
{"\\.exe$", "test.eXe", 0},
{"(?i)\\.exe$", "test.exe", 1}, |
72fd33c8 |
{"(?i)\\.exe$", "test.eXe", 1}}; |
2bc065d4 |
|
72fd33c8 |
START_TEST(test_regexes) |
2bc065d4 |
{
regex_t reg;
struct regex_test *tst = &rg[_i];
int match;
|
485d8dec |
ck_assert_msg(cli_regcomp(®, tst->regex, REG_EXTENDED | REG_NOSUB) == 0, "cli_regcomp"); |
2bc065d4 |
match = (cli_regexec(®, tst->text, 0, NULL, 0) == REG_NOMATCH) ? 0 : 1; |
485d8dec |
ck_assert_msg(match == tst->match, "cli_regexec failed for %s and %s\n", tst->regex, tst->text); |
2bc065d4 |
cli_regfree(®);
}
END_TEST |
4e46d65d |
|
a2d14e06 |
START_TEST(phishing_fake_test)
{ |
72fd33c8 |
char buf[4096];
FILE *f = fdopen(open_testfile("input/daily.pdb"), "r"); |
485d8dec |
ck_assert_msg(!!f, "fopen daily.pdb"); |
72fd33c8 |
while (fgets(buf, sizeof(buf), f)) {
struct rtest rtest;
const char *pdb = strchr(buf, ':'); |
485d8dec |
ck_assert_msg(!!pdb, "missing : in pdb"); |
72fd33c8 |
rtest.realurl = pdb;
rtest.displayurl = pdb; |
e01ba94e |
rtest.result = RTR_CLEAN; |
72fd33c8 |
do_phishing_test(&rtest);
rtest.realurl = "http://fake.example.com";
rtest.result = 0;
do_phishing_test(&rtest);
}
fclose(f); |
a2d14e06 |
}
END_TEST
|
6ad45a29 |
START_TEST(phishing_fake_test_allscan)
{ |
72fd33c8 |
char buf[4096];
FILE *f = fdopen(open_testfile("input/daily.pdb"), "r"); |
485d8dec |
ck_assert_msg(!!f, "fopen daily.pdb"); |
72fd33c8 |
while (fgets(buf, sizeof(buf), f)) {
struct rtest rtest;
const char *pdb = strchr(buf, ':'); |
485d8dec |
ck_assert_msg(!!pdb, "missing : in pdb"); |
72fd33c8 |
rtest.realurl = pdb;
rtest.displayurl = pdb; |
e01ba94e |
rtest.result = RTR_CLEAN; |
72fd33c8 |
do_phishing_test_allscan(&rtest);
rtest.realurl = "http://fake.example.com";
rtest.result = 0;
do_phishing_test_allscan(&rtest);
}
fclose(f); |
6ad45a29 |
}
END_TEST
|
82167b0a |
Suite *test_regex_suite(void)
{ |
72fd33c8 |
Suite *s = suite_create("regex");
TCase *tc_api, *tc_matching, *tc_phish, *tc_phish2, *tc_regex;
tc_api = tcase_create("cli_regex2suffix");
suite_add_tcase(s, tc_api);
tcase_add_checked_fixture(tc_api, setup, teardown);
tcase_add_test(tc_api, empty);
tcase_add_test(tc_api, one); |
485d8dec |
|
72fd33c8 |
tcase_add_loop_test(tc_api, test_suffix, 0, sizeof(tests) / sizeof(tests[0])); |
485d8dec |
|
72fd33c8 |
tc_matching = tcase_create("regex_list");
suite_add_tcase(s, tc_matching);
tcase_add_checked_fixture(tc_matching, rsetup, rteardown); |
485d8dec |
|
72fd33c8 |
tcase_add_loop_test(tc_matching, regex_list_match_test, 0, sizeof(rtests) / sizeof(rtests[0])); |
485d8dec |
|
72fd33c8 |
tc_phish = tcase_create("phishingScan");
suite_add_tcase(s, tc_phish);
tcase_add_unchecked_fixture(tc_phish, psetup, pteardown); |
485d8dec |
|
72fd33c8 |
tcase_add_loop_test(tc_phish, phishingScan_test, 0, sizeof(rtests) / sizeof(rtests[0]));
tcase_add_loop_test(tc_phish, phishingScan_test_allscan, 0, sizeof(rtests) / sizeof(rtests[0])); |
485d8dec |
|
72fd33c8 |
tcase_add_test(tc_phish, phishing_fake_test);
tcase_add_test(tc_phish, phishing_fake_test_allscan); |
3dcc2d78 |
|
72fd33c8 |
tc_phish2 = tcase_create("phishingScan with 2 dbs");
suite_add_tcase(s, tc_phish2);
tcase_add_unchecked_fixture(tc_phish2, psetup2, pteardown); |
485d8dec |
|
72fd33c8 |
tcase_add_loop_test(tc_phish2, phishingScan_test, 0, sizeof(rtests) / sizeof(rtests[0]));
tcase_add_loop_test(tc_phish2, phishingScan_test_allscan, 0, sizeof(rtests) / sizeof(rtests[0])); |
485d8dec |
|
72fd33c8 |
tcase_add_test(tc_phish2, phishing_fake_test);
tcase_add_test(tc_phish2, phishing_fake_test_allscan); |
485d8dec |
|
72fd33c8 |
tcase_add_loop_test(tc_phish, test_url_canon, 0, sizeof(uc) / sizeof(uc[0])); |
485d8dec |
|
72fd33c8 |
tc_regex = tcase_create("cli_regcomp/execute");
suite_add_tcase(s, tc_regex); |
485d8dec |
|
72fd33c8 |
tcase_add_loop_test(tc_regex, test_regexes, 0, sizeof(rg) / sizeof(rg[0])); |
485d8dec |
|
72fd33c8 |
return s; |
82167b0a |
} |