oasis-open / cti-pattern-validator

OASIS TC Open Repository: Validate patterns used to express cyber observable content in STIX Indicators
https://stix2-patterns.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Pattern passes unexpectedly #39

Closed varnerac closed 6 years ago

varnerac commented 6 years ago

The following pattern passes with the latest version installed via pip:

$ pip3 install stix2-patterns
Requirement already satisfied: stix2-patterns in /usr/local/lib/python3.6/site-packages
Requirement already satisfied: six in /usr/local/lib/python3.6/site-packages (from stix2-patterns)
Requirement already satisfied: antlr4-python3-runtime==4.7; python_version >= "3" in /usr/local/lib/python3.6/site-packages (from stix2-patterns)
$ validate-patterns
Enter a pattern to validate: [file:hashes.'SHA-256' =? 'bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c' OR file:hashes.MD5 = 'cead3f77f6cda6ec00f57d76c9a6879f'] AND [file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']

PASS: [file:hashes.'SHA-256' =? 'bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c' OR file:hashes.MD5 = 'cead3f77f6cda6ec00f57d76c9a6879f'] AND [file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']

I don't see where =? matches in the pattern operators. In our STIX2 Patterns parser, this fails. Our parser has a catch-all pattern at the end that returns an unexpected token. Maybe that would fix this issue for your ANTLR implementation?

chisholm commented 6 years ago

Well that's an antlr lexer wrinkle that slipped under the radar... I would have expected the lexer to produce an error instead of silently eating the ?. Yeah, adding a default lexer rule triggers the expected error. Thanks for the catch.
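
The lexer wrinkle described in this thread, as an added illustration (not the project's ANTLR grammar or any code from the repository): a toy first-match tokenizer plus a minimal parser for a reduced pattern grammar, run once without and once with a catch-all lexer rule. The names TOKEN_RULES, CATCH_ALL_RULE, tokenize, Parser and validate are hypothetical; the only input is the pattern from the issue report. Without the catch-all rule the unmatched ? is dropped, so =? lexes as = and the pattern passes; with it, the stray character becomes an INVALID token and validation fails at that offset.

```python
import re

# Constructed toy lexer/parser for a reduced STIX pattern grammar. It is NOT
# the project's ANTLR grammar; it only reproduces the lexer behaviour the
# issue describes: a tokenizer with no catch-all rule drops characters it
# cannot match, so "=?" lexes as "=" and the pattern is accepted.
TOKEN_RULES = [
    ("WS",     r"\s+"),
    ("LBRACK", r"\["),
    ("RBRACK", r"\]"),
    ("AND",    r"AND\b"),
    ("OR",     r"OR\b"),
    ("NEQ",    r"!="),
    ("EQ",     r"="),
    ("STRING", r"'[^']*'"),
    # object path such as file:hashes.'SHA-256' or file:hashes.MD5
    ("PATH",   r"[A-Za-z_][A-Za-z0-9_-]*(?:[:.](?:[A-Za-z_][A-Za-z0-9_-]*|'[^']*'))*"),
]
# The "default lexer rule" from the fix: matches any single leftover character
# and surfaces it as an INVALID token instead of silently dropping it.
CATCH_ALL_RULE = ("INVALID", r".")

# Pattern taken verbatim from the issue report.
SAMPLE_PATTERN = (
    "[file:hashes.'SHA-256' =? 'bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c' "
    "OR file:hashes.MD5 = 'cead3f77f6cda6ec00f57d76c9a6879f'] "
    "AND [file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']"
)


def tokenize(text, catch_all):
    """Yield (kind, text, offset) tokens using first-matching-rule order."""
    extra = [CATCH_ALL_RULE] if catch_all else []
    rules = [(kind, re.compile(rx)) for kind, rx in TOKEN_RULES + extra]
    pos = 0
    while pos < len(text):
        for kind, rx in rules:
            m = rx.match(text, pos)
            if m:
                if kind != "WS":
                    yield kind, m.group(), pos
                pos = m.end()
                break
        else:
            pos += 1  # no rule matched: the wrinkle, the character just vanishes


class SyntaxErr(ValueError):
    pass


class Parser:
    """pattern := observation (AND observation)*
       observation := '[' comparison (OR comparison)* ']'
       comparison := PATH (EQ | NEQ) STRING"""

    def __init__(self, tokens):
        self.toks = list(tokens)
        self.i = 0

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else "EOF"

    def expect(self, *kinds):
        if self.peek() not in kinds:
            got = self.toks[self.i][1] if self.i < len(self.toks) else "end of input"
            raise SyntaxErr(f"expected {'/'.join(kinds)}, got {got!r}")
        self.i += 1

    def comparison(self):
        self.expect("PATH")
        self.expect("EQ", "NEQ")
        self.expect("STRING")

    def observation(self):
        self.expect("LBRACK")
        self.comparison()
        while self.peek() == "OR":
            self.i += 1
            self.comparison()
        self.expect("RBRACK")

    def pattern(self):
        self.observation()
        while self.peek() == "AND":
            self.i += 1
            self.observation()
        if self.peek() != "EOF":
            raise SyntaxErr(f"unexpected trailing token {self.toks[self.i][1]!r}")


def validate(pattern, catch_all=True):
    """Return a list of error strings; an empty list means the pattern passed."""
    errors, tokens = [], []
    for kind, text, offset in tokenize(pattern, catch_all):
        if kind == "INVALID":
            errors.append(f"unexpected token {text!r} at offset {offset}")
        else:
            tokens.append((kind, text))
    if not errors:
        try:
            Parser(tokens).pattern()
        except SyntaxErr as exc:
            errors.append(str(exc))
    return errors


if __name__ == "__main__":
    for catch_all in (False, True):
        errs = validate(SAMPLE_PATTERN, catch_all)
        print(f"catch_all={catch_all}: {'PASS' if not errs else 'FAIL: ' + '; '.join(errs)}")
```

The parse step is deliberately kept so the example shows the full failure mode: the problem is not a parser bug, since the parser never sees the ? at all. Real ANTLR lexers report unmatched input through an error listener rather than a rule, but the effect the reporter saw (a PASS verdict) is the same when that report is not wired into the validator's result, and a catch-all rule converts the stray character into a token the grammar must reject.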

gtback commented 6 years ago

@varnerac This should be fixed now, but if not, feel free to reopen.