From ebd6a1bb602e47366212061b59fe3c89d5aa79cb Mon Sep 17 00:00:00 2001
From: Attila Szakacs
Date: Wed, 18 Sep 2024 12:48:23 +0200
Subject: [PATCH] xml/filterx-parse-windows-eventlog-xml: add quick validation

Signed-off-by: Attila Szakacs
---
.../xml/filterx-parse-windows-eventlog-xml.c | 61 ++++++++++++++++---
.../test_filterx_parse_windows_eventlog_xml.c | 2 +
2 files changed, 54 insertions(+), 9 deletions(-)

diff --git a/modules/xml/filterx-parse-windows-eventlog-xml.c b/modules/xml/filterx-parse-windows-eventlog-xml.c
index 85b62e10f..ccb8d3d3e 100644
--- a/modules/xml/filterx-parse-windows-eventlog-xml.c
+++ b/modules/xml/filterx-parse-windows-eventlog-xml.c
@@ -148,25 +148,67 @@ _collect_attrs(const gchar **attribute_names, const gchar **attribute_values, state->has_named_data = TRUE; } -static void -_push_position(FilterXParseWEVTState *state, const gchar *element_name) +static gboolean +_has_valid_schema_url(const gchar **attribute_names, const gchar **attribute_values, GError **error) +{ + if (!attribute_names[0]) + return FALSE; + + if (g_strcmp0(attribute_names[0], "xmlns") != 0) + return FALSE; + + if (g_strcmp0(attribute_values[0], "http://schemas.microsoft.com/win/2004/08/events/event") != 0) + { + _set_error(error, "unexpected schema URL: %s", attribute_values[0]); + return FALSE; + } + + if (attribute_names[1]) + { + _set_error(error, "unexpected attribute in Event, number of attributes must be 1, got: %s", attribute_names[1]); + return FALSE; + } + + return TRUE; +} + +static gboolean +_is_root_elem_valid(const gchar *element_name, const gchar **attribute_names, const gchar **attribute_values, + GError **error) +{ + if (g_strcmp0(element_name, "Event") != 0) + { + _set_error(error, "unexpected Windows EventLog XML root element: %s, expected \"Event\"", element_name); + return FALSE; + } + + if (!_has_valid_schema_url(attribute_names, attribute_values, error)) + return FALSE; + + return TRUE; +} + +static gboolean +_push_position(FilterXParseWEVTState *state, const gchar *element_name, + const gchar **attribute_names, const gchar **attribute_values, GError **error) { switch (state->position) { case WEVT_POS_NONE: - if (g_strcmp0(element_name, "Event") == 0) - state->position = WEVT_POS_EVENT; - break; + if (!_is_root_elem_valid(element_name, attribute_names, attribute_values, error)) + return FALSE; + state->position = WEVT_POS_EVENT; + return TRUE; case WEVT_POS_EVENT: if (g_strcmp0(element_name, "EventData") == 0) state->position = WEVT_POS_EVENT_DATA; - break; + return TRUE; case WEVT_POS_EVENT_DATA: if (g_strcmp0(element_name, "Data") == 0) state->position = WEVT_POS_DATA; - break; + return TRUE; case 
WEVT_POS_DATA: - break; + return TRUE; default: g_assert_not_reached(); } @@ -229,7 +271,8 @@ _start_elem(FilterXGeneratorFunctionParseXml *s, FilterXParseWEVTState *state = (FilterXParseWEVTState *) st; XmlElemContext *last_elem_context = xml_elem_context_stack_peek_last(state->super.xml_elem_context_stack); - _push_position(state, element_name); + if (!_push_position(state, element_name, attribute_names, attribute_values, error)) + return; if (!_has_wevt_event_data_attr(attribute_names, state, error)) { diff --git a/modules/xml/tests/test_filterx_parse_windows_eventlog_xml.c b/modules/xml/tests/test_filterx_parse_windows_eventlog_xml.c index fa477ec81..01a74b0e7 100644 --- a/modules/xml/tests/test_filterx_parse_windows_eventlog_xml.c +++ b/modules/xml/tests/test_filterx_parse_windows_eventlog_xml.c @@ -182,6 +182,8 @@ Test(filterx_parse_windows_eventlog_xml, invalid_inputs) { _assert_parse_event_data_fail("foo\n"); _assert_parse_event_data_fail("foo\n"); + _assert_parse_fail(""); + _assert_parse_fail(""); } static void
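Review bot: `_has_valid_schema_url()` returns FALSE without calling `_set_error()` on its first two paths (no attributes at all, or a first attribute other than `xmlns`), so the failure reaches `_push_position()` and the bare `return;` added to `_start_elem()` in the later hunk with `*error` still unset. If the XML parser driving these callbacks aborts only when the error is set, which looks likely but is not visible here, an `Event` root without the namespace is not rejected at that point. The position then stays at `WEVT_POS_NONE`, and the next start tag is reported as a bad root element, or nothing is reported if there is no further element. Setting an error on both paths closes that, e.g. `_set_error(error, "missing xmlns attribute in Event, first attribute: %s", attribute_names[0] ? attribute_names[0] : "(none)");` before each `return FALSE;`. Separately, `_push_position()` now returns `gboolean`, but its `default:` branch ends in `g_assert_not_reached()` with no return value visible; the function's closing lines are outside the hunk.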