Don't print values if they're already string-like
bradleyjkemp committed Mar 29, 2023
1 parent 47169b1 commit 65353ca
Showing 1 changed file with 21 additions and 10 deletions.
31 changes: 21 additions & 10 deletions evaluator/modifiers.go
Expand Up @@ -19,7 +19,7 @@ func baseComparator(actual interface{}, expected interface{}) (bool, error) {
return true, nil
default:
// The Sigma spec defines that by default comparisons are case-insensitive
return strings.EqualFold(fmt.Sprint(actual), fmt.Sprint(expected)), nil
return strings.EqualFold(coerceString(actual), coerceString(expected)), nil
}
}

Expand All @@ -29,43 +29,43 @@ var modifiers = map[string]valueModifier{
"contains": func(_ valueComparator) valueComparator {
return func(actual interface{}, expected interface{}) (bool, error) {
// The Sigma spec defines that by default comparisons are case-insensitive
return strings.Contains(strings.ToLower(fmt.Sprint(actual)), strings.ToLower(fmt.Sprint(expected))), nil
return strings.Contains(strings.ToLower(coerceString(actual)), strings.ToLower(coerceString(expected))), nil
}
},
"endswith": func(_ valueComparator) valueComparator {
return func(actual interface{}, expected interface{}) (bool, error) {
// The Sigma spec defines that by default comparisons are case-insensitive
return strings.HasSuffix(strings.ToLower(fmt.Sprint(actual)), strings.ToLower(fmt.Sprint(expected))), nil
return strings.HasSuffix(strings.ToLower(coerceString(actual)), strings.ToLower(coerceString(expected))), nil
}
},
"startswith": func(_ valueComparator) valueComparator {
return func(actual interface{}, expected interface{}) (bool, error) {
return strings.HasPrefix(strings.ToLower(fmt.Sprint(actual)), strings.ToLower(fmt.Sprint(expected))), nil
return strings.HasPrefix(strings.ToLower(coerceString(actual)), strings.ToLower(coerceString(expected))), nil
}
},
"base64": func(next valueComparator) valueComparator {
return func(actual interface{}, expected interface{}) (bool, error) {
return next(actual, base64.StdEncoding.EncodeToString([]byte(fmt.Sprint(expected))))
return next(actual, base64.StdEncoding.EncodeToString([]byte(coerceString(expected))))
}
},
"re": func(_ valueComparator) valueComparator {
return func(actual interface{}, expected interface{}) (bool, error) {
re, err := regexp.Compile(fmt.Sprint(expected))
re, err := regexp.Compile(coerceString(expected))
if err != nil {
return false, err
}

return re.MatchString(fmt.Sprint(actual)), nil
return re.MatchString(coerceString(actual)), nil
}
},
"cidr": func(_ valueComparator) valueComparator {
return func(actual interface{}, expected interface{}) (bool, error) {
_, cidr, err := net.ParseCIDR(fmt.Sprint(expected))
_, cidr, err := net.ParseCIDR(coerceString(expected))
if err != nil {
return false, err
}

ip := net.ParseIP(fmt.Sprint(actual))
ip := net.ParseIP(coerceString(actual))
return cidr.Contains(ip), nil
}
},
Expand Down Expand Up @@ -95,6 +95,17 @@ var modifiers = map[string]valueModifier{
},
}

func coerceString(v interface{}) string {
switch vv := v.(type) {
case string:
return vv
case []byte:
return string(vv)
default:
return fmt.Sprint(vv)
}
}

// coerceNumeric makes both operands into the widest possible number of the same type
func coerceNumeric(left, right interface{}) (interface{}, interface{}, error) {
leftV := reflect.ValueOf(left)
Expand Down Expand Up @@ -155,4 +166,4 @@ func compareNumeric(left, right interface{}) (gt, gte, lt, lte bool, err error)
err = fmt.Errorf("internal, please report! coerceNumeric returned unexpected types %T and %T", left, right)
return
}
}
}
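Review bot: The `case []byte` arm of `coerceString` matches only the unnamed type, so a value whose type is defined over a byte slice (for example `json.RawMessage`) still reaches `default` and is rendered by `fmt.Sprint` as a bracketed list of numbers; a rule on such a field then silently fails to match. Since the file already uses `reflect`, the default arm could check the kind first: `if rv := reflect.ValueOf(v); rv.Kind() == reflect.Slice && rv.Type().Elem().Kind() == reflect.Uint8 { return string(rv.Bytes()) }`. The default arm also turns a nil value into the text `<nil>`, which a `contains` or `re` pattern can match; whether nil can reach here depends on callers outside this page. The function also has no doc comment, unlike `coerceNumeric` below it; something like `// coerceString returns v as-is when it is a string or []byte and falls back to fmt.Sprint otherwise.` would record the contract.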
