YARA-1806: Fix removing of parts of rules in tokenstream #206
Conversation
src/types/rule.cpp
Outdated
| @@ -276,6 +276,10 @@ const Meta* Rule::getMetaWithName(const std::string& key) const | |||
| */ | |||
| TokenIt Rule::getFirstTokenIt() const | |||
| { | |||
| if (_mod_private.has_value()) | |||
There was a problem hiding this comment.
Wouldn't this assume that there is a specific order in which rule modifiers are specified? But YARA grammar allows to specify both private global and global private.
There was a problem hiding this comment.
Yes, I assumed that private comes before global, which is a mistake, thank you very much for noticing! Will fix that.
src/types/rule.cpp
Outdated
| @@ -276,6 +276,30 @@ const Meta* Rule::getMetaWithName(const std::string& key) const | |||
| */ | |||
| TokenIt Rule::getFirstTokenIt() const | |||
| { | |||
| if (isPrivate() && isGlobal()) | |||
There was a problem hiding this comment.
This feels like a workaround for the problem. What if the new modifier is added? Are we going to list out all the possible combinations? Why not storing the modifiers in some sort of containers. Whenever the first token is requested just the first token is returned from the container.
There was a problem hiding this comment.
Thank you for pointing this out. I have changed the way we work with modifiers so it should be much easier now to add more rule modifiers. Please see the last commit.
Removing all relevant tokens when deleting YARA rule from
YaraFileinstance.