Metadata Parsing Errors

[malvidin]

In a few situations, a valid rule fails to be written (using -c or -i) with the following error:

./CCCS-Yara/yara-validator/yara_file_processor.py", line 184, in strings_of_rules_to_original_file
    changed_rule_string = rule.rule_return.validated_rule.splitlines()
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'list' object has no attribute 'splitlines'

These regular expressions appear to the cause of the issue: https://github.com/CybercentreCanada/CCCS-Yara/blob/4cca67453bee31e5cc4a2522b5aa9b1f6a488268/yara-validator/yara_validator.py#L246-L247

Based on these expressions:

• meta and : must be on the same line, and be the only contents of that line.
• The following strings or condition and : must be on the same line, and be the only contents of that line.

This breaks otherwise valid rules:

rule testing 
{ meta:
    key = "value"
  condition:
    true
}

rule testing {
  meta:
    key = "value"
  strings: $re = /test/
  condition: $re
}

rule testing 
{ meta:
    key = "value"
  condition: true
}

And on the most extreme end:

rule testing { meta: key = "value" condition: true }

[cccs-rs]

I think in this case, plyara would come in handy. I have to take a look at this more in-depth to see what the original author was doing.