mozilla / scanjs

[DEPRECATED] Static analysis tool for javascript code.

Bug: Membercall rule, e.g. foo.bar(), doesn't match baz.foo.bar() #101

Closed pwnetrationguru closed 10 years ago

pwnetrationguru commented 10 years ago
span.innerHTML.replace(/"/g, '"')

is missed by ScanJS.

We need to fix rule/scan-engine and add a test.

pauljt commented 10 years ago

This is missed because the innerHTML rule looks only at assigning to HTML. Again, I don't think we should be raising issues for rule improvement. Just work on creating an improved rule list rather than raising issues. In this case, you can add the rule: "innerHTML.replace" (without quotes). I think that should work. Makes me think that we should have a field to test a custom rule in the experiment tab though.

pauljt commented 10 years ago

Ok, so I wrote a patch to allow testing of a custom rule, and there is actually a bug here. innerHTML.replace() matches:

innerHTML.replace(/"/g, '"')

but not:

foo.innerHTML.replace(/"/g, '"')

So I am renaming this to fix this bug.

pauljt commented 10 years ago

If you want to try with the custom rule patch, see the experiment branch.

pwnetrationguru commented 10 years ago

nice, i really like the experiment branch!

I think it should have a very similar format to the scan tab, so that mainly means addition of a sidebar with options like: Code Experiment and Rule Experiment

This allows us to keep our UI uniform, but also separates the behavior that might be unknown to the user: if I am manually putting in a rule, that is the ONLY rule run in ScanJS. I can see that being confusing for a user if they have one interface. For example, I put some examples in, one of them isn't caught, I decide to manually input a rule and all of a sudden all of the examples fail because only one rule is being run in ScanJS.scan(), not N+1 rules being run (where N is the number of rules originally).

Hope that makes sense.

pauljt commented 10 years ago

This issue is fixed in the newscanner branch (i.e. rules of type foo.bar() are supported), e.g.

```json
{
  "name": "bar.baz()",
  "type": "objmembercall",
  "parameters": "{'callee_object_name':'bar','callee_property_name':'baz'}",
  "testhit": "bar.baz()",
  "testmiss": "baz.bar();baz();",
  "desc": "A member expression which calls the member named 'bar' from object foo",
  "threat": "example",
  "subthreat": "example"
}
```
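The bug reported above (innerHTML.replace() matching but foo.innerHTML.replace() not) comes down to what the callee object of the CallExpression is in the parsed tree: an Identifier in the first case, a MemberExpression whose final property is innerHTML in the second. The following is an added example, not ScanJS code from this repository or its newscanner branch, showing a naive objmembercall matcher that exhibits the bug beside one that compares against the tail of the callee object chain. The ESTree-shaped nodes are constructed by hand (as a parser such as Esprima or Acorn would emit them), callNode, tailName, scan and the rule object's field layout are this example's own assumptions, and the rule parameters are given as a plain object rather than the stringified form shown in the comment above.

```javascript
// Added example (not ScanJS code): matching an "objmembercall" rule such as
// bar.baz() against ESTree-style ASTs, including when the callee object is
// itself a member expression (foo.bar.baz()). All nodes are constructed by
// hand here to mirror what a JavaScript parser would produce.

// Build a CallExpression node for a dotted call path such as
// "span.innerHTML.replace". Hypothetical helper for this example only.
function callNode(path, args = []) {
  const parts = path.split('.');
  let expr = { type: 'Identifier', name: parts[0] };
  for (const p of parts.slice(1)) {
    expr = {
      type: 'MemberExpression',
      object: expr,
      property: { type: 'Identifier', name: p },
      computed: false,
    };
  }
  return { type: 'CallExpression', callee: expr, arguments: args };
}

// Name of an expression as it appears at the end of a chain: the identifier
// itself, or the final property of a non-computed MemberExpression.
// This is exactly the case the naive matcher below does not handle.
function tailName(node) {
  if (!node) return null;
  if (node.type === 'Identifier') return node.name;
  if (node.type === 'MemberExpression' && !node.computed) return node.property.name;
  return null;
}

// Naive matcher: only accepts an Identifier as the callee object, so
// innerHTML.replace() matches but span.innerHTML.replace() does not.
function naiveObjMemberCall(node, objName, propName) {
  if (node.type !== 'CallExpression' || node.callee.type !== 'MemberExpression') return false;
  const c = node.callee;
  return c.object.type === 'Identifier' && c.object.name === objName &&
         !c.computed && c.property.name === propName;
}

// Fixed matcher: compares the rule's object name against the tail of the
// callee object chain, so any prefix (span., document.body., ...) is allowed.
function objMemberCall(node, objName, propName) {
  if (node.type !== 'CallExpression' || node.callee.type !== 'MemberExpression') return false;
  const c = node.callee;
  return !c.computed && c.property.name === propName && tailName(c.object) === objName;
}

// Depth-first walk of an ESTree-like tree, collecting the CallExpressions
// that hit the rule. Rule shape (assumed): { callee_object_name, callee_property_name }.
function scan(ast, rule) {
  const hits = [];
  (function walk(node) {
    if (!node || typeof node !== 'object') return;
    if (Array.isArray(node)) { node.forEach(walk); return; }
    if (node.type === 'CallExpression' &&
        objMemberCall(node, rule.callee_object_name, rule.callee_property_name)) {
      hits.push(node);
    }
    for (const key of Object.keys(node)) if (key !== 'type') walk(node[key]);
  })(ast);
  return hits;
}

// The rule pauljt suggested, as an object rather than the stringified parameters.
const innerHtmlReplaceRule = {
  name: 'innerHTML.replace()',
  type: 'objmembercall',
  callee_object_name: 'innerHTML',
  callee_property_name: 'replace',
};

// Constructed program: the two forms from the thread plus a near miss.
const program = {
  type: 'Program',
  body: [
    { type: 'ExpressionStatement',
      expression: callNode('innerHTML.replace', [{ type: 'Literal', value: '"' }]) },
    { type: 'ExpressionStatement', expression: callNode('span.innerHTML.replace') },
    { type: 'ExpressionStatement', expression: callNode('replace.innerHTML') },
  ],
};
```

Running scan(program, innerHtmlReplaceRule) returns both replace() calls and ignores the reversed replace.innerHTML(), whereas naiveObjMemberCall only ever sees the bare innerHTML.replace() form. The same tailName comparison also covers the testhit/testmiss strings of the bar.baz() rule above: bar.baz() hits, baz.bar() and baz() miss.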