yara-x 1.15.0

A pure Rust implementation of YARA.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210

use std::str::from_utf8;

use regex::bytes::Regex;

use yara_x_parser::Span;
use yara_x_parser::cst::{CSTStream, Event, SyntaxKind};

/// This type hooks into a stream of [`cst::Event`] and invokes a callback for
/// each comment that suppresses a warning.
///
/// YARA users can suppress specific warnings by adding specially formatted
/// comments in rules' code. For example:
///
/// ```text
/// // suppress: text_as_hex
/// rule dummy {
///   ...
/// }
/// ```
///
/// In the example above, the `text_as_hex` warning will be suppressed for the
/// entire `dummy` rule. Similarly, in the following example, the `invariant_expr`
/// warning will be suppressed for the expression `true`:
///
/// ```text
/// rule dummy {
///   condition:
///      // suppress: invariant_expr
///      true
/// }
/// ```
///
/// The purpose of [`WarningSuppressionHook`] is to detect these suppression
/// comments and call a user-provided function with the corresponding warning
/// identifier and the span of code where the suppression applies. This mechanism
/// allows determining whether a warning should be emitted.
///
pub(crate) struct WarningSuppressionHook<'src, I, F>
where
    I: Iterator<Item = Event>,
    F: FnMut(&'src str, Span),
{
    /// Input stream.
    cst_stream: CSTStream<'src, I>,
    /// Hook function.
    f: Option<F>,
    /// Regex used for finding warning suppression comments.
    suppress_re: Regex,
    /// The starting and ending offsets of the line of code being processed.
    /// This is set to `None` after every line break.
    line_span: Option<Span>,
    /// Comments already seen in the stream of CST events that may not a have
    /// a code span assigned yet.
    pending_comments: Vec<PendingComment<'src>>,
}

#[derive(Debug)]
struct PendingComment<'src> {
    /// Comment's text.
    text: &'src [u8],
    /// Span of code that the comment refers to.
    code_span: Option<Span>,
}

impl<'src, I, F> WarningSuppressionHook<'src, I, F>
where
    I: Iterator<Item = Event>,
    F: FnMut(&'src str, Span),
{
    /// Sets the hook function to `f`.
    ///
    /// The function receives two arguments, the warning identifier and the
    /// span of code for which the warning must be suppressed.
    pub fn hook(mut self, f: F) -> Self {
        self.f = Some(f);
        self
    }
}

impl<'src, I, F, C> From<C> for WarningSuppressionHook<'src, I, F>
where
    C: Into<CSTStream<'src, I>>,
    I: Iterator<Item = Event>,
    F: FnMut(&'src str, Span),
{
    fn from(cst_events: C) -> Self {
        Self {
            f: None,
            line_span: None,
            cst_stream: cst_events.into(),
            suppress_re: Regex::new(r"suppress: (\w+)").unwrap(),
            pending_comments: vec![],
        }
    }
}

impl<'src, I, F> Iterator for WarningSuppressionHook<'src, I, F>
where
    I: Iterator<Item = Event>,
    F: FnMut(&'src str, Span),
{
    type Item = Event;

    fn next(&mut self) -> Option<Self::Item> {
        let event = self.cst_stream.next()?;

        match event {
            Event::Token { kind: SyntaxKind::WHITESPACE, .. } => {
                // do nothing
            }
            Event::Token { kind: SyntaxKind::NEWLINE, .. }
            | Event::End { kind: SyntaxKind::SOURCE_FILE, .. } => {
                self.pending_comments.retain_mut(|comment| {
                    if comment.code_span.is_none() {
                        comment.code_span = self.line_span.clone();
                    }
                    if let Some(code_span) = &comment.code_span
                        && let Some(hook) = &mut self.f
                        && let Some(warning_id) = self
                            .suppress_re
                            .captures(comment.text)
                            .and_then(|captures| captures.get(1))
                            .map(|m| m.as_bytes())
                            .and_then(|m| from_utf8(m).ok())
                    {
                        hook(warning_id, code_span.clone());
                    }
                    comment.code_span.is_none()
                });
                self.line_span = None;
            }
            Event::Token { kind: SyntaxKind::COMMENT, ref span } => {
                self.pending_comments.push(PendingComment {
                    text: self.cst_stream.source().get(span.range()).unwrap(),
                    code_span: self.line_span.clone(),
                });
            }
            Event::Token { ref span, .. } => {
                if let Some(current_span) = &mut self.line_span {
                    self.line_span = Some(current_span.combine(span));
                } else {
                    self.line_span = Some(span.clone())
                };
            }
            Event::Begin { kind, ref span }
                if kind == SyntaxKind::RULE_DECL
                    || kind == SyntaxKind::PATTERN_DEF =>
            {
                for comment in self
                    .pending_comments
                    .iter_mut()
                    .filter(|p| p.code_span.is_none())
                {
                    comment.code_span = Some(span.clone());
                }
            }
            _ => {}
        }

        Some(event)
    }
}

#[cfg(test)]
mod tests {
    use std::collections::HashMap;

    use yara_x_parser::cst::Event;
    use yara_x_parser::{Parser, Span};

    use crate::compiler::wsh::WarningSuppressionHook;

    #[test]
    fn warning_suppression() {
        let parser = Parser::new(
            b"
// suppress: foo
rule test_1 { // suppress: bar
    // suppress: baz
    condition: true
}

// suppress: foo
rule test_2 { strings: /* suppress: bar */ $a = { 00 01 } condition: true }
        ",
        );

        let mut map: HashMap<&str, Vec<Span>> = HashMap::new();

        let cst =
            WarningSuppressionHook::from(parser).hook(|warning, span| {
                map.entry(warning).or_default().push(span);
            });

        let _ = cst.collect::<Vec<Event>>();

        let expected: HashMap<_, _> = vec![
            // foo is suppressed for the whole rules test_1 and test_2
            ("foo", vec![Span(18..91), Span(110..185)]),
            // bar is suppressed for "rule test_1 {" and "rule test_2 { strings: "
            ("bar", vec![Span(18..31), Span(110..132)]),
            // baz is suppressed for "condition: true"
            ("baz", vec![Span(74..89)]),
        ]
        .into_iter()
        .collect();

        assert_eq!(map, expected);
    }
}