|
|
|
@ -24,23 +24,89 @@ local types = require "lua_magic/types" |
|
|
|
local fun = require "fun" |
|
|
|
local lua_util = require "lua_util" |
|
|
|
|
|
|
|
local rspamd_text = require "rspamd_text" |
|
|
|
local rspamd_trie = require "rspamd_trie" |
|
|
|
|
|
|
|
local N = "lua_magic" |
|
|
|
local exports = {} |
|
|
|
-- trie object |
|
|
|
-- trie objects |
|
|
|
local compiled_patterns |
|
|
|
local compiled_short_patterns |
|
|
|
local compiled_tail_patterns |
|
|
|
-- {<str>, <match_object>, <pattern_object>} indexed by pattern number |
|
|
|
local processed_patterns = {} |
|
|
|
local short_patterns = {} |
|
|
|
local tail_patterns = {} |
|
|
|
|
|
|
|
local short_match_limit = 128 |
|
|
|
local max_short_offset = -1 |
|
|
|
local min_tail_offset = math.huge |
|
|
|
|
|
|
|
local function process_patterns(log_obj) |
|
|
|
-- Add pattern to either short patterns or to normal patterns |
|
|
|
local function add_processed(str, match, pattern) |
|
|
|
if match.position and type(match.position) == 'number' then |
|
|
|
if match.tail then |
|
|
|
-- Tail pattern |
|
|
|
tail_patterns[#tail_patterns + 1] = { |
|
|
|
str, match, pattern |
|
|
|
} |
|
|
|
if min_tail_offset > match.tail then |
|
|
|
min_tail_offset = match.tail |
|
|
|
end |
|
|
|
|
|
|
|
lua_util.debugm(N, log_obj, 'add tail pattern %s for ext %s', |
|
|
|
str, pattern.ext) |
|
|
|
elseif match.position < short_match_limit then |
|
|
|
short_patterns[#short_patterns + 1] = { |
|
|
|
str, match, pattern |
|
|
|
} |
|
|
|
lua_util.debugm(N, log_obj, 'add short pattern %s for ext %s', |
|
|
|
str, pattern.ext) |
|
|
|
|
|
|
|
if max_short_offset < match.position then |
|
|
|
max_short_offset = match.position |
|
|
|
end |
|
|
|
else |
|
|
|
processed_patterns[#processed_patterns + 1] = { |
|
|
|
str, match, pattern |
|
|
|
} |
|
|
|
|
|
|
|
lua_util.debugm(N, log_obj, 'add long pattern %s for ext %s', |
|
|
|
str, pattern.ext) |
|
|
|
end |
|
|
|
else |
|
|
|
processed_patterns[#processed_patterns + 1] = { |
|
|
|
str, match, pattern |
|
|
|
} |
|
|
|
|
|
|
|
lua_util.debugm(N, log_obj, 'add long pattern %s for ext %s', |
|
|
|
str, pattern.ext) |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
local function process_patterns() |
|
|
|
if not compiled_patterns then |
|
|
|
for _,pattern in ipairs(patterns) do |
|
|
|
for ext,pattern in pairs(patterns) do |
|
|
|
assert(types[ext], 'not found type: ' .. ext) |
|
|
|
pattern.ext = ext |
|
|
|
for _,match in ipairs(pattern.matches) do |
|
|
|
if match.string then |
|
|
|
processed_patterns[#processed_patterns + 1] = { |
|
|
|
match.string, match, pattern |
|
|
|
} |
|
|
|
if match.relative_position and not match.position then |
|
|
|
match.position = match.relative_position + #match.string |
|
|
|
end |
|
|
|
add_processed(match.string, match, pattern) |
|
|
|
elseif match.hex then |
|
|
|
local hex_table = {} |
|
|
|
|
|
|
|
for i=1,#match.hex,2 do |
|
|
|
local subc = match.hex:sub(i, i + 1) |
|
|
|
hex_table[#hex_table + 1] = string.format('\\x{%s}', subc) |
|
|
|
end |
|
|
|
|
|
|
|
if match.relative_position and not match.position then |
|
|
|
match.position = match.relative_position + #match.hex / 2 |
|
|
|
end |
|
|
|
add_processed(table.concat(hex_table), match, pattern) |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
@ -49,18 +115,26 @@ local function process_patterns() |
|
|
|
fun.map(function(t) return t[1] end, processed_patterns)), |
|
|
|
rspamd_trie.flags.re |
|
|
|
) |
|
|
|
compiled_short_patterns = rspamd_trie.create(fun.totable( |
|
|
|
fun.map(function(t) return t[1] end, short_patterns)), |
|
|
|
rspamd_trie.flags.re |
|
|
|
) |
|
|
|
compiled_tail_patterns = rspamd_trie.create(fun.totable( |
|
|
|
fun.map(function(t) return t[1] end, tail_patterns)), |
|
|
|
rspamd_trie.flags.re |
|
|
|
) |
|
|
|
|
|
|
|
lua_util.debugm(N, rspamd_config, 'compiled %s patterns', |
|
|
|
#processed_patterns) |
|
|
|
lua_util.debugm(N, log_obj, |
|
|
|
'compiled %s (%s short; %s long; %s tail) patterns', |
|
|
|
#processed_patterns + #short_patterns + #tail_patterns, |
|
|
|
#short_patterns, #processed_patterns, #tail_patterns) |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
exports.detect = function(input, log_obj) |
|
|
|
process_patterns() |
|
|
|
local res = {} |
|
|
|
local matches = compiled_patterns:match(input) |
|
|
|
local function match_chunk(input, tlen, offset, trie, processed_tbl, log_obj, res) |
|
|
|
local matches = trie:match(input) |
|
|
|
|
|
|
|
if not log_obj then log_obj = rspamd_config end |
|
|
|
local last = tlen |
|
|
|
|
|
|
|
local function add_result(match, pattern) |
|
|
|
if not res[pattern.ext] then |
|
|
|
@ -77,7 +151,7 @@ exports.detect = function(input, log_obj) |
|
|
|
end |
|
|
|
|
|
|
|
for npat,matched_positions in pairs(matches) do |
|
|
|
local pat_data = processed_patterns[npat] |
|
|
|
local pat_data = processed_tbl[npat] |
|
|
|
local pattern = pat_data[3] |
|
|
|
local match = pat_data[2] |
|
|
|
|
|
|
|
@ -99,6 +173,10 @@ exports.detect = function(input, log_obj) |
|
|
|
expected = expected[2] |
|
|
|
end |
|
|
|
|
|
|
|
-- Tail match |
|
|
|
if expected < 0 then |
|
|
|
expected = last + expected + 1 |
|
|
|
end |
|
|
|
return cmp(pos, expected) |
|
|
|
end |
|
|
|
-- Single position |
|
|
|
@ -106,23 +184,39 @@ exports.detect = function(input, log_obj) |
|
|
|
local position = match.position |
|
|
|
|
|
|
|
for _,pos in ipairs(matched_positions) do |
|
|
|
if match_position(pos, position) then |
|
|
|
lua_util.debugm(N, log_obj, 'found match %s at offset %s(from %s)', |
|
|
|
pattern.ext, pos, offset) |
|
|
|
if match_position(pos + offset, position) then |
|
|
|
add_result(match, pattern) |
|
|
|
break |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
-- Match all positions |
|
|
|
if match.positions then |
|
|
|
local all_right = true |
|
|
|
for _,position in ipairs(match.positions) do |
|
|
|
local matched = false |
|
|
|
for _,pos in ipairs(matched_positions) do |
|
|
|
if match_position(pos, position) then |
|
|
|
add_result(match, pattern) |
|
|
|
if not match_position(pos + offset, position) then |
|
|
|
matched = true |
|
|
|
break |
|
|
|
end |
|
|
|
end |
|
|
|
if not matched then |
|
|
|
all_right = false |
|
|
|
break |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
if all_right then |
|
|
|
add_result(match, pattern) |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
local function process_detected(res) |
|
|
|
local extensions = lua_util.keys(res) |
|
|
|
|
|
|
|
if #extensions > 0 then |
|
|
|
@ -130,6 +224,72 @@ exports.detect = function(input, log_obj) |
|
|
|
return res[ex1] > res[ex2] |
|
|
|
end) |
|
|
|
|
|
|
|
return extensions,res[extensions[1]] |
|
|
|
end |
|
|
|
|
|
|
|
return nil |
|
|
|
end |
|
|
|
|
|
|
|
exports.detect = function(input, log_obj) |
|
|
|
if not log_obj then log_obj = rspamd_config end |
|
|
|
process_patterns(log_obj) |
|
|
|
|
|
|
|
local res = {} |
|
|
|
|
|
|
|
if type(input) == 'string' then |
|
|
|
-- Convert to rspamd_text |
|
|
|
input = rspamd_text.fromstring(input) |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
if type(input) == 'userdata' then |
|
|
|
local inplen = #input |
|
|
|
|
|
|
|
-- Check tail matches |
|
|
|
if inplen > min_tail_offset then |
|
|
|
local tail = input:span(inplen - min_tail_offset, min_tail_offset) |
|
|
|
match_chunk(tail, inplen, inplen - min_tail_offset, |
|
|
|
compiled_tail_patterns, tail_patterns, log_obj, res) |
|
|
|
end |
|
|
|
|
|
|
|
-- Try short match |
|
|
|
local head = input:span(1, math.min(max_short_offset, inplen)) |
|
|
|
match_chunk(head, inplen, 0, |
|
|
|
compiled_short_patterns, short_patterns, log_obj, res) |
|
|
|
|
|
|
|
-- Check if we have enough data or go to long patterns |
|
|
|
local extensions,confidence = process_detected(res) |
|
|
|
|
|
|
|
if extensions and #extensions > 0 and confidence > 30 then |
|
|
|
-- We are done on short patterns |
|
|
|
return extensions[1],types[extensions[1]] |
|
|
|
end |
|
|
|
|
|
|
|
-- No way, let's check data in chunks or just the whole input if it is small enough |
|
|
|
if #input > exports.chunk_size * 3 then |
|
|
|
-- Chunked version as input is too long |
|
|
|
local chunk1, chunk2 = |
|
|
|
input:span(1, exports.chunk_size * 2), |
|
|
|
input:span(inplen - exports.chunk_size, exports.chunk_size) |
|
|
|
local offset1, offset2 = 0, inplen - exports.chunk_size |
|
|
|
|
|
|
|
match_chunk(chunk1, inplen, |
|
|
|
offset1, compiled_patterns, processed_patterns, log_obj, res) |
|
|
|
match_chunk(chunk2, inplen, |
|
|
|
offset2, compiled_patterns, processed_patterns, log_obj, res) |
|
|
|
else |
|
|
|
-- Input is short enough to match it at all |
|
|
|
match_chunk(input, inplen, 0, |
|
|
|
compiled_patterns, processed_patterns, log_obj, res) |
|
|
|
end |
|
|
|
else |
|
|
|
-- Table input is NYI |
|
|
|
assert(0, 'table input for match') |
|
|
|
end |
|
|
|
|
|
|
|
local extensions = process_detected(res) |
|
|
|
|
|
|
|
if extensions and #extensions > 0 then |
|
|
|
return extensions[1],types[extensions[1]] |
|
|
|
end |
|
|
|
|
|
|
|
@ -137,4 +297,8 @@ exports.detect = function(input, log_obj) |
|
|
|
return nil |
|
|
|
end |
|
|
|
|
|
|
|
-- This parameter specifies how many bytes are checked in the input |
|
|
|
-- Rspamd checks 2 chunks at start and 1 chunk at the end |
|
|
|
exports.chunk_size = 32768 |
|
|
|
|
|
|
|
return exports |
korgoth1
6 years ago