From 215faf1309605700cb0d40996fa5608606246e2a Mon Sep 17 00:00:00 2001 From: Paul Tavares Date: Wed, 27 Apr 2022 11:35:17 -0400 Subject: [PATCH 1/4] Replace implementation of `hasSimpleExecutableName` --- .../service/trusted_apps/validations.ts | 33 ++++++++++--------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.ts b/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.ts index 3fee05e2f00617..7e23151b5760e2 100644 --- a/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.ts +++ b/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.ts @@ -34,20 +34,13 @@ export const getDuplicateFields = (entries: ConditionEntry[]) => { .map((entry) => entry[0]); }; -/* - * regex to match executable names - * starts matching from the eol of the path - * file names with a single or multiple spaces (for spaced names) - * and hyphens and combinations of these that produce complex names - * such as: - * c:\home\lib\dmp.dmp - * c:\home\lib\my-binary-app-+/ some/ x/ dmp.dmp - * /home/lib/dmp.dmp - * /home/lib/my-binary-app+-\ some\ x\ dmp.dmp +/** + * checks if the filename of a given path (if any) is a simple executable (does NOT have the + * wildcards supported by endpoing (`*` and `?`)) + * @param os + * @param type + * @param value */ -const WIN_EXEC_PATH = /\\(\w+|\w*[\w+|-]+\/ +)+\w+[\w+|-]+\.*\w+$/i; -const UNIX_EXEC_PATH = /(\/|\w*[\w+|-]+\\ +)+\w+[\w+|-]+\.*\w*$/i; - export const hasSimpleExecutableName = ({ os, type, 
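Review bot: The new JSDoc block above hasSimpleExecutableName misspells `endpoing` (should be `endpoint`) and leaves all three `@param` tags without a description, so the comment documents nothing the signature does not already say. Suggest `@param os - operating system the path is written for; selects the path separator`, `@param type - entry type; any value other than 'wildcard' is accepted as simple without inspecting the path`, and `@param value - full path whose last segment is checked for the wildcard characters`. The function body that justifies those descriptions is in the next hunk, outside this one.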
@@ -57,10 +50,18 @@ export const hasSimpleExecutableName = ({
 type: TrustedAppEntryTypes;
 value: string;
 }): boolean => {
- if (type === 'wildcard') {
- return os === OperatingSystem.WINDOWS ? WIN_EXEC_PATH.test(value) : UNIX_EXEC_PATH.test(value);
+ if (type !== 'wildcard') {
+ return true;
 }
- return true;
+
+ const separator = os === OperatingSystem.WINDOWS ? '\\' : '/';
+ const lastString = value.split(separator).pop();
+
+ if (!lastString) {
+ return false;
+ }
+
+ return /[\*\?]/.test(lastString) === false;
 };
 export const isPathValid = ({
From a6a9fc65123ccc595eebcf455115fd8bcf5e660b Mon Sep 17 00:00:00 2001
From: Paul Tavares
Date: Wed, 27 Apr 2022 11:41:19 -0400
Subject: [PATCH 2/4] add additional tests for `hasSimpleExecutableName()`
---
 .../service/trusted_apps/validations.test.ts | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.test.ts b/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.test.ts
index 952a2fa234ace5..756332420466c5 100644
--- a/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.test.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.test.ts
@@ -558,4 +558,24 @@ describe('Executable filenames with wildcard PATHS', () => {
 })
 ).toEqual(false);
 });
+
+ it('should return FALSE when WINDOWS wildcards paths do not have a file name', () => {
+ expect(
+ hasSimpleExecutableName({
+ os: OperatingSystem.WINDOWS,
+ type: 'wildcard',
+ value: 'c:\\folder\\',
+ })
+ ).toEqual(false);
+ });
+
+ it('should TRUE when WINDOWS wildcards paths `type` is not `wildcard`', () => {
+ expect(
+ hasSimpleExecutableName({
+ os: OperatingSystem.WINDOWS,
+ type: 'match',
+ value: 'c:\\folder\\one.exe',
+ })
+ ).toEqual(true);
+ });
 });
From 21a90704d527f3be93a68852ec32f0479572c697 Mon Sep 17 00:00:00 2001
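Review bot: The last added line, `return /[\*\?]/.test(lastString) === false;`, compares a boolean against `false` and escapes characters that need no escaping inside a character class; `return !/[*?]/.test(lastString);` says the same thing more directly. The separator is picked purely from `os`, so a Windows value written with forward slashes would keep the whole path in `lastString` and a wildcard in a directory segment would be reported as a non-simple file name; if such values can reach this function (not visible in the hunk) splitting on `/[\\/]/` for Windows would avoid that. The `!lastString` guard deliberately treats a trailing separator as "no file name" and returns false, which the tests in the next patch pin down. The function's signature starts in the previous hunk.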
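Review bot: Neither added test puts a wildcard character in the file name itself; the two new cases cover the empty-name guard and the non-`wildcard` `type` early return. Unless the cases above this hunk already do, add one for each wildcard the function is documented to reject, e.g. `value: 'c:\\folder\\one?.exe'` with `type: 'wildcard'` expecting `false`, since a `?`-only case is the one most easily lost in a rewrite of the check. The second title reads `should TRUE when …`; `should return TRUE when …` matches the first test's wording.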
From: Paul Tavares
Date: Wed, 27 Apr 2022 13:05:33 -0400
Subject: [PATCH 3/4] change test to use a long path
---
 .../common/endpoint/service/trusted_apps/validations.test.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.test.ts b/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.test.ts
index 756332420466c5..981a8d55a65c7b 100644
--- a/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.test.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.test.ts
@@ -574,7 +574,9 @@ describe('Executable filenames with wildcard PATHS', () => {
 hasSimpleExecutableName({
 os: OperatingSystem.WINDOWS,
 type: 'match',
- value: 'c:\\folder\\one.exe',
+ // Long path below is on purpose due to an issue found in the field
+ value:
+ 'C:\\ProgramData\\Package Cache\\sdjfhwojvmlowhnknblkm\\658945C6D1 992AD 576CCC0F43728A9 E60A8908A2\\658945C6D1992AD576CCC0F43728A9E60A8908A2\\Installers\\WimMountAdkSetupAmd64.exe',
 })
 ).toEqual(true);
 });
From 0dc084b3eb2a1029ac32a66e49ac4d45f17649f7 Mon Sep 17 00:00:00 2001
From: Paul Tavares
Date: Wed, 27 Apr 2022 13:28:09 -0400
Subject: [PATCH 4/4] use code from `main` in checking for wildcard char.
---
 .../common/endpoint/service/trusted_apps/validations.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.ts b/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.ts
index 7e23151b5760e2..72b3f5302c0187 100644
--- a/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/service/trusted_apps/validations.ts
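Review bot: The added comment `// Long path below is on purpose due to an issue found in the field` does not say what the issue was, so a later cleanup of the fixture has no way to know what it guards against. Name it, for example `// Regression fixture: a long path with spaces in segment names must not stall or fail the check (field report; see PATCH 1/4 of this series)` — the earlier patch in the series replaced a regex-based implementation, which is presumably the issue, but this hunk does not say so, so confirm before wording it. With `type: 'match'` the new implementation returns before it ever looks at the path, so this case exercises only the early return; a second copy with `type: 'wildcard'` would cover the path-splitting branch as well.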
@@ -61,7 +61,7 @@ export const hasSimpleExecutableName = ({
 return false;
 }
- return /[\*\?]/.test(lastString) === false;
+ return (lastString.split('*').length || lastString.split('?').length) === 1;
 };
 export const isPathValid = ({
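Review bot: The added return never detects a `?` wildcard: `String.prototype.split` always yields at least one element, so `lastString.split('*').length` is at least 1 and therefore truthy, and the `||` short-circuits before `lastString.split('?').length` is ever evaluated; a name such as `app?.exe` is reported as simple. The removed line was correct, so either restore it as `return !/[*?]/.test(lastString);` or test both characters explicitly: `return lastString.split('*').length === 1 && lastString.split('?').length === 1;`. Any caller that relies on this result to flag wildcard executable names silently misses every `?` case, and the tests added in PATCH 2/4 do not include one, which is why the series still passes. hasSimpleExecutableName's signature and the `lastString` assignment are above this hunk.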