Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
Y
yara-python
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
yara-python
Commits
e58af70e
Unverified
Commit
e58af70e
authored
3 years ago
by
Steven
Committed by
GitHub
3 years ago
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add namespace, rule, and string to warning callback test (#182)
parent
17979fe3
master
…
v4.4.0
v4.3.1
v4.3.0
v4.2.3
v4.2.0
No related merge requests found
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
252 additions
and
244 deletions
+252
-244
tests.py
tests.py
+252
-244
No files found.
tests.py
View file @
e58af70e
#!/usr/local/bin/python
# -*- coding: utf-8 -*-
#
# Copyright (c) 2007-20
14
. The YARA Authors. All Rights Reserved.
# Copyright (c) 2007-20
21
. The YARA Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
...
...
@@ -75,201 +75,201 @@ ab000000000000001a0000000000000000000000000000000100000000000000\
# The 3 possible outcomes for each pattern
[
SUCCEED
,
FAIL
,
SYNTAX_ERROR
]
=
range
(
3
)
RE_TESTS
=
[
# RE, string, expected result, expected matching
(
')'
,
''
,
SYNTAX_ERROR
),
(
'abc'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'abc'
,
'xbc'
,
FAIL
),
(
'abc'
,
'axc'
,
FAIL
),
(
'abc'
,
'abx'
,
FAIL
),
(
'abc'
,
'xabcx'
,
SUCCEED
,
'abc'
),
(
'abc'
,
'ababc'
,
SUCCEED
,
'abc'
),
(
'a.c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'a.b'
,
'a
\n
b'
,
FAIL
),
(
'a.*b'
,
'acc
\n
ccb'
,
FAIL
),
(
'a.{4,5}b'
,
'acc
\n
ccb'
,
FAIL
),
(
'a.b'
,
'a
\r
b'
,
SUCCEED
,
'a
\r
b'
),
(
'ab*c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'ab*c'
,
'ac'
,
SUCCEED
,
'ac'
),
(
'ab*bc'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'ab*bc'
,
'abbc'
,
SUCCEED
,
'abbc'
),
(
'a.*bb'
,
'abbbb'
,
SUCCEED
,
'abbbb'
),
(
'a.*?bbb'
,
'abbbbbb'
,
SUCCEED
,
'abbb'
),
(
'a.*c'
,
'ac'
,
SUCCEED
,
'ac'
),
(
'a.*c'
,
'axyzc'
,
SUCCEED
,
'axyzc'
),
(
'ab+c'
,
'abbc'
,
SUCCEED
,
'abbc'
),
(
'ab+c'
,
'ac'
,
FAIL
),
(
'ab+'
,
'abbbb'
,
SUCCEED
,
'abbbb'
),
(
'ab+?'
,
'abbbb'
,
SUCCEED
,
'ab'
),
(
'ab+bc'
,
'abc'
,
FAIL
),
(
'ab+bc'
,
'abq'
,
FAIL
),
(
'a+b+c'
,
'aabbabc'
,
SUCCEED
,
'abc'
),
(
'ab?bc'
,
'abbbbc'
,
FAIL
),
(
'ab?c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'ab*?'
,
'abbb'
,
SUCCEED
,
'a'
),
(
'ab?c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'ab??'
,
'ab'
,
SUCCEED
,
'a'
),
(
'a(b|x)c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'a(b|x)c'
,
'axc'
,
SUCCEED
,
'axc'
),
(
'a(b|.)c'
,
'axc'
,
SUCCEED
,
'axc'
),
(
'a(b|x|y)c'
,
'ayc'
,
SUCCEED
,
'ayc'
),
(
'(a+|b)*'
,
'ab'
,
SUCCEED
,
'ab'
),
(
'a|b|c|d|e'
,
'e'
,
SUCCEED
,
'e'
),
(
'(a|b|c|d|e)f'
,
'ef'
,
SUCCEED
,
'ef'
),
(
'.b{2}'
,
'abb'
,
SUCCEED
,
'abb'
),
(
'ab{1}c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'ab{1,2}c'
,
'abbc'
,
SUCCEED
,
'abbc'
),
(
'ab{1,}c'
,
'abbbc'
,
SUCCEED
,
'abbbc'
),
(
'ab{1,}b'
,
'ab'
,
FAIL
),
(
'ab{1}c'
,
'abbc'
,
FAIL
),
(
'ab{0,}c'
,
'ac'
,
SUCCEED
,
'ac'
),
(
'ab{0,}c'
,
'abbbc'
,
SUCCEED
,
'abbbc'
),
(
'ab{,3}c'
,
'abbbc'
,
SUCCEED
,
'abbbc'
),
(
'ab{,2}c'
,
'abbbc'
,
FAIL
),
(
'ab{4,5}bc'
,
'abbbbc'
,
FAIL
),
(
'ab{2,3}?'
,
'abbbbb'
,
SUCCEED
,
'abb'
),
(
'ab{.*}'
,
'ab{c}'
,
SUCCEED
,
'ab{c}'
),
(
'.(aa){1,2}'
,
'aaaaaaaaaa'
,
SUCCEED
,
'aaaaa'
),
(
'a.(bc.){2}'
,
'aabcabca'
,
SUCCEED
,
'aabcabca'
),
(
'(ab{1,2}c){1,3}'
,
'abbcabc'
,
SUCCEED
,
'abbcabc'
),
(
'ab(c|cc){1,3}d'
,
'abccccccd'
,
SUCCEED
,
'abccccccd'
),
(
'a[bx]c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'a[bx]c'
,
'axc'
,
SUCCEED
,
'axc'
),
(
'a[0-9]*b'
,
'ab'
,
SUCCEED
,
'ab'
),
(
'a[0-9]*b'
,
'a0123456789b'
,
SUCCEED
,
'a0123456789b'
),
(
'[0-9a-f]+'
,
'0123456789abcdef'
,
SUCCEED
,
'0123456789abcdef'
),
(
'[0-9a-f]+'
,
'xyz0123456789xyz'
,
SUCCEED
,
'0123456789'
),
(
r'a[\s\S]b'
,
'a b'
,
SUCCEED
,
'a b'
),
(
r'a[\d\D]b'
,
'a1b'
,
SUCCEED
,
'a1b'
),
(
'[x-z]+'
,
'abc'
,
FAIL
),
(
'a[-]?c'
,
'ac'
,
SUCCEED
,
'ac'
),
(
'a[-b]'
,
'a-'
,
SUCCEED
,
'a-'
),
(
'a[-b]'
,
'ab'
,
SUCCEED
,
'ab'
),
(
'a[b-]'
,
'a-'
,
SUCCEED
,
'a-'
),
(
'a[b-]'
,
'ab'
,
SUCCEED
,
'ab'
),
(
'[a-c-e]'
,
'b'
,
SUCCEED
,
'b'
),
(
'[a-c-e]'
,
'-'
,
SUCCEED
,
'-'
),
(
'[a-c-e]'
,
'd'
,
FAIL
),
(
'[b-a]'
,
''
,
SYNTAX_ERROR
),
(
'(abc'
,
''
,
SYNTAX_ERROR
),
(
'abc)'
,
''
,
SYNTAX_ERROR
),
(
'a[]b'
,
''
,
SYNTAX_ERROR
),
(
'a
\\
'
,
''
,
SYNTAX_ERROR
),
(
'a[
\\
-b]'
,
'a-'
,
SUCCEED
,
'a-'
),
(
'a[
\\
-b]'
,
'ab'
,
SUCCEED
,
'ab'
),
(
'a[
\\
'
,
''
,
SYNTAX_ERROR
),
(
'a]'
,
'a]'
,
SUCCEED
,
'a]'
),
(
'a[]]b'
,
'a]b'
,
SUCCEED
,
'a]b'
),
(
r'a[\]]b'
,
'a]b'
,
SUCCEED
,
'a]b'
),
(
'a[^bc]d'
,
'aed'
,
SUCCEED
,
'aed'
),
(
'a[^bc]d'
,
'abd'
,
FAIL
),
(
'a[^-b]c'
,
'adc'
,
SUCCEED
,
'adc'
),
(
'a[^-b]c'
,
'a-c'
,
FAIL
),
(
'a[^]b]c'
,
'a]c'
,
FAIL
),
(
'a[^]b]c'
,
'adc'
,
SUCCEED
,
'adc'
),
(
'[^ab]*'
,
'cde'
,
SUCCEED
,
'cde'
),
(
')('
,
''
,
SYNTAX_ERROR
),
(
r'a\sb'
,
'a b'
,
SUCCEED
,
'a b'
),
(
r'a\sb'
,
'a
\t
b'
,
SUCCEED
,
'a
\t
b'
),
(
r'a\sb'
,
'a
\r
b'
,
SUCCEED
,
'a
\r
b'
),
(
r'a\sb'
,
'a
\n
b'
,
SUCCEED
,
'a
\n
b'
),
(
r'a\sb'
,
'a
\v
b'
,
SUCCEED
,
'a
\v
b'
),
(
r'a\sb'
,
'a
\f
b'
,
SUCCEED
,
'a
\f
b'
),
(
r'a\Sb'
,
'a b'
,
FAIL
),
(
r'a\Sb'
,
'a
\t
b'
,
FAIL
),
(
r'a\Sb'
,
'a
\r
b'
,
FAIL
),
(
r'a\Sb'
,
'a
\n
b'
,
FAIL
),
(
r'a\Sb'
,
'a
\v
b'
,
FAIL
),
(
r'a\Sb'
,
'a
\f
b'
,
FAIL
),
(
r'\n\r\t\f\a'
,
'
\n\r\t\f\a
'
,
SUCCEED
,
'
\n\r\t\f\a
'
),
(
r'[\n][\r][\t][\f][\a]'
,
'
\n\r\t\f\a
'
,
SUCCEED
,
'
\n\r\t\f\a
'
),
(
r'\x00\x01\x02'
,
'
\x00\x01\x02
'
,
SUCCEED
,
'
\x00\x01\x02
'
),
(
r'[\x00-\x02]+'
,
'
\x00\x01\x02
'
,
SUCCEED
,
'
\x00\x01\x02
'
),
(
r'[\x00-\x02]+'
,
'
\x03\x04\x05
'
,
FAIL
),
(
r'[\x5D]'
,
']'
,
SUCCEED
,
']'
),
(
r'[\0x5A-\x5D]'
,
'
\x5B
'
,
SUCCEED
,
'
\x5B
'
),
(
r'[\x5D-\x5F]'
,
'
\x5E
'
,
SUCCEED
,
'
\x5E
'
),
(
r'[\x5C-\x5F]'
,
'
\x5E
'
,
SUCCEED
,
'
\x5E
'
),
(
r'[\x5D-\x5F]'
,
'
\x5E
'
,
SUCCEED
,
'
\x5E
'
),
(
r'a\wc'
,
'abc'
,
SUCCEED
,
'abc'
),
(
r'a\wc'
,
'a_c'
,
SUCCEED
,
'a_c'
),
(
r'a\wc'
,
'a0c'
,
SUCCEED
,
'a0c'
),
(
r'a\wc'
,
'a*c'
,
FAIL
),
(
r'\w+'
,
'--ab_cd0123--'
,
SUCCEED
,
'ab_cd0123'
),
(
r'[\w]+'
,
'--ab_cd0123--'
,
SUCCEED
,
'ab_cd0123'
),
(
r'\D+'
,
'1234abc5678'
,
SUCCEED
,
'abc'
),
(
r'[\d]+'
,
'0123456789'
,
SUCCEED
,
'0123456789'
),
(
r'[\D]+'
,
'1234abc5678'
,
SUCCEED
,
'abc'
),
(
r'[\da-fA-F]+'
,
'123abc'
,
SUCCEED
,
'123abc'
),
(
'^(ab|cd)e'
,
'abcde'
,
FAIL
),
(
'(abc|)ef'
,
'abcdef'
,
SUCCEED
,
'ef'
),
(
'(abc|)ef'
,
'abcef'
,
SUCCEED
,
'abcef'
),
(
r'\babc'
,
'abc'
,
SUCCEED
,
'abc'
),
(
r'abc\b'
,
'abc'
,
SUCCEED
,
'abc'
),
(
r'\babc'
,
'1abc'
,
FAIL
),
(
r'abc\b'
,
'abc1'
,
FAIL
),
(
r'abc\s\b'
,
'abc x'
,
SUCCEED
,
'abc '
),
(
r'abc\s\b'
,
'abc '
,
FAIL
),
(
r'\babc\b'
,
' abc '
,
SUCCEED
,
'abc'
),
(
r'\b\w\w\w\b'
,
' abc '
,
SUCCEED
,
'abc'
),
(
r'\w\w\w\b'
,
'abcd'
,
SUCCEED
,
'bcd'
),
(
r'\b\w\w\w'
,
'abcd'
,
SUCCEED
,
'abc'
),
(
r'\b\w\w\w\b'
,
'abcd'
,
FAIL
),
(
r'\Babc'
,
'abc'
,
FAIL
),
(
r'abc\B'
,
'abc'
,
FAIL
),
(
r'\Babc'
,
'1abc'
,
SUCCEED
,
'abc'
),
(
r'abc\B'
,
'abc1'
,
SUCCEED
,
'abc'
),
(
r'abc\s\B'
,
'abc x'
,
FAIL
),
(
r'abc\s\B'
,
'abc '
,
SUCCEED
,
'abc '
),
(
r'\w\w\w\B'
,
'abcd'
,
SUCCEED
,
'abc'
),
(
r'\B\w\w\w'
,
'abcd'
,
SUCCEED
,
'bcd'
),
(
r'\B\w\w\w\B'
,
'abcd'
,
FAIL
),
# This is allowed in most regexp engines but in order to keep the
# grammar free of shift/reduce conflicts I've decided not supporting
# it. Users can use the (abc|) form instead.
(
'(|abc)ef'
,
''
,
SYNTAX_ERROR
),
(
'((a)(b)c)(d)'
,
'abcd'
,
SUCCEED
,
'abcd'
),
(
'(a|b)c*d'
,
'abcd'
,
SUCCEED
,
'bcd'
),
(
'(ab|ab*)bc'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'a([bc]*)c*'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'a([bc]*)c*'
,
'ac'
,
SUCCEED
,
'ac'
),
(
'a([bc]*)c*'
,
'a'
,
SUCCEED
,
'a'
),
(
'a([bc]*)(c*d)'
,
'abcd'
,
SUCCEED
,
'abcd'
),
(
'a([bc]+)(c*d)'
,
'abcd'
,
SUCCEED
,
'abcd'
),
(
'a([bc]*)(c+d)'
,
'abcd'
,
SUCCEED
,
'abcd'
),
(
'a[bcd]*dcdcde'
,
'adcdcde'
,
SUCCEED
,
'adcdcde'
),
(
'a[bcd]+dcdcde'
,
'adcdcde'
,
FAIL
),
(
r'\((.*), (.*)\)'
,
'(a, b)'
,
SUCCEED
,
'(a, b)'
),
(
'abc|123$'
,
'abcx'
,
SUCCEED
,
'abc'
),
(
'abc|123$'
,
'123x'
,
FAIL
),
(
'abc|^123'
,
'123'
,
SUCCEED
,
'123'
),
(
'abc|^123'
,
'x123'
,
FAIL
),
(
'^abc$'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'^abc$'
,
'abcc'
,
FAIL
),
(
'^abc'
,
'abcc'
,
SUCCEED
,
'abc'
),
(
'^abc$'
,
'aabc'
,
FAIL
),
(
'abc$'
,
'aabc'
,
SUCCEED
,
'abc'
),
(
'^a(bc+|b[eh])g|.h$'
,
'abhg'
,
SUCCEED
,
'abhg'
),
(
'(bc+d$|ef*g.|h?i(j|k))'
,
'effgz'
,
SUCCEED
,
'effgz'
),
(
'(bc+d$|ef*g.|h?i(j|k))'
,
'ij'
,
SUCCEED
,
'ij'
),
(
'(bc+d$|ef*g.|h?i(j|k))'
,
'effg'
,
FAIL
),
(
'(bc+d$|ef*g.|h?i(j|k))'
,
'bcdd'
,
FAIL
),
(
'(bc+d$|ef*g.|h?i(j|k))'
,
'reffgz'
,
SUCCEED
,
'effgz'
),
# Test case for issue #324
(
'whatever| x. x'
,
' xy x'
,
SUCCEED
,
' xy x'
),
# RE, string, expected result, expected matching
(
')'
,
''
,
SYNTAX_ERROR
),
(
'abc'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'abc'
,
'xbc'
,
FAIL
),
(
'abc'
,
'axc'
,
FAIL
),
(
'abc'
,
'abx'
,
FAIL
),
(
'abc'
,
'xabcx'
,
SUCCEED
,
'abc'
),
(
'abc'
,
'ababc'
,
SUCCEED
,
'abc'
),
(
'a.c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'a.b'
,
'a
\n
b'
,
FAIL
),
(
'a.*b'
,
'acc
\n
ccb'
,
FAIL
),
(
'a.{4,5}b'
,
'acc
\n
ccb'
,
FAIL
),
(
'a.b'
,
'a
\r
b'
,
SUCCEED
,
'a
\r
b'
),
(
'ab*c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'ab*c'
,
'ac'
,
SUCCEED
,
'ac'
),
(
'ab*bc'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'ab*bc'
,
'abbc'
,
SUCCEED
,
'abbc'
),
(
'a.*bb'
,
'abbbb'
,
SUCCEED
,
'abbbb'
),
(
'a.*?bbb'
,
'abbbbbb'
,
SUCCEED
,
'abbb'
),
(
'a.*c'
,
'ac'
,
SUCCEED
,
'ac'
),
(
'a.*c'
,
'axyzc'
,
SUCCEED
,
'axyzc'
),
(
'ab+c'
,
'abbc'
,
SUCCEED
,
'abbc'
),
(
'ab+c'
,
'ac'
,
FAIL
),
(
'ab+'
,
'abbbb'
,
SUCCEED
,
'abbbb'
),
(
'ab+?'
,
'abbbb'
,
SUCCEED
,
'ab'
),
(
'ab+bc'
,
'abc'
,
FAIL
),
(
'ab+bc'
,
'abq'
,
FAIL
),
(
'a+b+c'
,
'aabbabc'
,
SUCCEED
,
'abc'
),
(
'ab?bc'
,
'abbbbc'
,
FAIL
),
(
'ab?c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'ab*?'
,
'abbb'
,
SUCCEED
,
'a'
),
(
'ab?c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'ab??'
,
'ab'
,
SUCCEED
,
'a'
),
(
'a(b|x)c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'a(b|x)c'
,
'axc'
,
SUCCEED
,
'axc'
),
(
'a(b|.)c'
,
'axc'
,
SUCCEED
,
'axc'
),
(
'a(b|x|y)c'
,
'ayc'
,
SUCCEED
,
'ayc'
),
(
'(a+|b)*'
,
'ab'
,
SUCCEED
,
'ab'
),
(
'a|b|c|d|e'
,
'e'
,
SUCCEED
,
'e'
),
(
'(a|b|c|d|e)f'
,
'ef'
,
SUCCEED
,
'ef'
),
(
'.b{2}'
,
'abb'
,
SUCCEED
,
'abb'
),
(
'ab{1}c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'ab{1,2}c'
,
'abbc'
,
SUCCEED
,
'abbc'
),
(
'ab{1,}c'
,
'abbbc'
,
SUCCEED
,
'abbbc'
),
(
'ab{1,}b'
,
'ab'
,
FAIL
),
(
'ab{1}c'
,
'abbc'
,
FAIL
),
(
'ab{0,}c'
,
'ac'
,
SUCCEED
,
'ac'
),
(
'ab{0,}c'
,
'abbbc'
,
SUCCEED
,
'abbbc'
),
(
'ab{,3}c'
,
'abbbc'
,
SUCCEED
,
'abbbc'
),
(
'ab{,2}c'
,
'abbbc'
,
FAIL
),
(
'ab{4,5}bc'
,
'abbbbc'
,
FAIL
),
(
'ab{2,3}?'
,
'abbbbb'
,
SUCCEED
,
'abb'
),
(
'ab{.*}'
,
'ab{c}'
,
SUCCEED
,
'ab{c}'
),
(
'.(aa){1,2}'
,
'aaaaaaaaaa'
,
SUCCEED
,
'aaaaa'
),
(
'a.(bc.){2}'
,
'aabcabca'
,
SUCCEED
,
'aabcabca'
),
(
'(ab{1,2}c){1,3}'
,
'abbcabc'
,
SUCCEED
,
'abbcabc'
),
(
'ab(c|cc){1,3}d'
,
'abccccccd'
,
SUCCEED
,
'abccccccd'
),
(
'a[bx]c'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'a[bx]c'
,
'axc'
,
SUCCEED
,
'axc'
),
(
'a[0-9]*b'
,
'ab'
,
SUCCEED
,
'ab'
),
(
'a[0-9]*b'
,
'a0123456789b'
,
SUCCEED
,
'a0123456789b'
),
(
'[0-9a-f]+'
,
'0123456789abcdef'
,
SUCCEED
,
'0123456789abcdef'
),
(
'[0-9a-f]+'
,
'xyz0123456789xyz'
,
SUCCEED
,
'0123456789'
),
(
r'a[\s\S]b'
,
'a b'
,
SUCCEED
,
'a b'
),
(
r'a[\d\D]b'
,
'a1b'
,
SUCCEED
,
'a1b'
),
(
'[x-z]+'
,
'abc'
,
FAIL
),
(
'a[-]?c'
,
'ac'
,
SUCCEED
,
'ac'
),
(
'a[-b]'
,
'a-'
,
SUCCEED
,
'a-'
),
(
'a[-b]'
,
'ab'
,
SUCCEED
,
'ab'
),
(
'a[b-]'
,
'a-'
,
SUCCEED
,
'a-'
),
(
'a[b-]'
,
'ab'
,
SUCCEED
,
'ab'
),
(
'[a-c-e]'
,
'b'
,
SUCCEED
,
'b'
),
(
'[a-c-e]'
,
'-'
,
SUCCEED
,
'-'
),
(
'[a-c-e]'
,
'd'
,
FAIL
),
(
'[b-a]'
,
''
,
SYNTAX_ERROR
),
(
'(abc'
,
''
,
SYNTAX_ERROR
),
(
'abc)'
,
''
,
SYNTAX_ERROR
),
(
'a[]b'
,
''
,
SYNTAX_ERROR
),
(
'a
\\
'
,
''
,
SYNTAX_ERROR
),
(
'a[
\\
-b]'
,
'a-'
,
SUCCEED
,
'a-'
),
(
'a[
\\
-b]'
,
'ab'
,
SUCCEED
,
'ab'
),
(
'a[
\\
'
,
''
,
SYNTAX_ERROR
),
(
'a]'
,
'a]'
,
SUCCEED
,
'a]'
),
(
'a[]]b'
,
'a]b'
,
SUCCEED
,
'a]b'
),
(
r'a[\]]b'
,
'a]b'
,
SUCCEED
,
'a]b'
),
(
'a[^bc]d'
,
'aed'
,
SUCCEED
,
'aed'
),
(
'a[^bc]d'
,
'abd'
,
FAIL
),
(
'a[^-b]c'
,
'adc'
,
SUCCEED
,
'adc'
),
(
'a[^-b]c'
,
'a-c'
,
FAIL
),
(
'a[^]b]c'
,
'a]c'
,
FAIL
),
(
'a[^]b]c'
,
'adc'
,
SUCCEED
,
'adc'
),
(
'[^ab]*'
,
'cde'
,
SUCCEED
,
'cde'
),
(
')('
,
''
,
SYNTAX_ERROR
),
(
r'a\sb'
,
'a b'
,
SUCCEED
,
'a b'
),
(
r'a\sb'
,
'a
\t
b'
,
SUCCEED
,
'a
\t
b'
),
(
r'a\sb'
,
'a
\r
b'
,
SUCCEED
,
'a
\r
b'
),
(
r'a\sb'
,
'a
\n
b'
,
SUCCEED
,
'a
\n
b'
),
(
r'a\sb'
,
'a
\v
b'
,
SUCCEED
,
'a
\v
b'
),
(
r'a\sb'
,
'a
\f
b'
,
SUCCEED
,
'a
\f
b'
),
(
r'a\Sb'
,
'a b'
,
FAIL
),
(
r'a\Sb'
,
'a
\t
b'
,
FAIL
),
(
r'a\Sb'
,
'a
\r
b'
,
FAIL
),
(
r'a\Sb'
,
'a
\n
b'
,
FAIL
),
(
r'a\Sb'
,
'a
\v
b'
,
FAIL
),
(
r'a\Sb'
,
'a
\f
b'
,
FAIL
),
(
r'\n\r\t\f\a'
,
'
\n\r\t\f\a
'
,
SUCCEED
,
'
\n\r\t\f\a
'
),
(
r'[\n][\r][\t][\f][\a]'
,
'
\n\r\t\f\a
'
,
SUCCEED
,
'
\n\r\t\f\a
'
),
(
r'\x00\x01\x02'
,
'
\x00\x01\x02
'
,
SUCCEED
,
'
\x00\x01\x02
'
),
(
r'[\x00-\x02]+'
,
'
\x00\x01\x02
'
,
SUCCEED
,
'
\x00\x01\x02
'
),
(
r'[\x00-\x02]+'
,
'
\x03\x04\x05
'
,
FAIL
),
(
r'[\x5D]'
,
']'
,
SUCCEED
,
']'
),
(
r'[\0x5A-\x5D]'
,
'
\x5B
'
,
SUCCEED
,
'
\x5B
'
),
(
r'[\x5D-\x5F]'
,
'
\x5E
'
,
SUCCEED
,
'
\x5E
'
),
(
r'[\x5C-\x5F]'
,
'
\x5E
'
,
SUCCEED
,
'
\x5E
'
),
(
r'[\x5D-\x5F]'
,
'
\x5E
'
,
SUCCEED
,
'
\x5E
'
),
(
r'a\wc'
,
'abc'
,
SUCCEED
,
'abc'
),
(
r'a\wc'
,
'a_c'
,
SUCCEED
,
'a_c'
),
(
r'a\wc'
,
'a0c'
,
SUCCEED
,
'a0c'
),
(
r'a\wc'
,
'a*c'
,
FAIL
),
(
r'\w+'
,
'--ab_cd0123--'
,
SUCCEED
,
'ab_cd0123'
),
(
r'[\w]+'
,
'--ab_cd0123--'
,
SUCCEED
,
'ab_cd0123'
),
(
r'\D+'
,
'1234abc5678'
,
SUCCEED
,
'abc'
),
(
r'[\d]+'
,
'0123456789'
,
SUCCEED
,
'0123456789'
),
(
r'[\D]+'
,
'1234abc5678'
,
SUCCEED
,
'abc'
),
(
r'[\da-fA-F]+'
,
'123abc'
,
SUCCEED
,
'123abc'
),
(
'^(ab|cd)e'
,
'abcde'
,
FAIL
),
(
'(abc|)ef'
,
'abcdef'
,
SUCCEED
,
'ef'
),
(
'(abc|)ef'
,
'abcef'
,
SUCCEED
,
'abcef'
),
(
r'\babc'
,
'abc'
,
SUCCEED
,
'abc'
),
(
r'abc\b'
,
'abc'
,
SUCCEED
,
'abc'
),
(
r'\babc'
,
'1abc'
,
FAIL
),
(
r'abc\b'
,
'abc1'
,
FAIL
),
(
r'abc\s\b'
,
'abc x'
,
SUCCEED
,
'abc '
),
(
r'abc\s\b'
,
'abc '
,
FAIL
),
(
r'\babc\b'
,
' abc '
,
SUCCEED
,
'abc'
),
(
r'\b\w\w\w\b'
,
' abc '
,
SUCCEED
,
'abc'
),
(
r'\w\w\w\b'
,
'abcd'
,
SUCCEED
,
'bcd'
),
(
r'\b\w\w\w'
,
'abcd'
,
SUCCEED
,
'abc'
),
(
r'\b\w\w\w\b'
,
'abcd'
,
FAIL
),
(
r'\Babc'
,
'abc'
,
FAIL
),
(
r'abc\B'
,
'abc'
,
FAIL
),
(
r'\Babc'
,
'1abc'
,
SUCCEED
,
'abc'
),
(
r'abc\B'
,
'abc1'
,
SUCCEED
,
'abc'
),
(
r'abc\s\B'
,
'abc x'
,
FAIL
),
(
r'abc\s\B'
,
'abc '
,
SUCCEED
,
'abc '
),
(
r'\w\w\w\B'
,
'abcd'
,
SUCCEED
,
'abc'
),
(
r'\B\w\w\w'
,
'abcd'
,
SUCCEED
,
'bcd'
),
(
r'\B\w\w\w\B'
,
'abcd'
,
FAIL
),
# This is allowed in most regexp engines but in order to keep the
# grammar free of shift/reduce conflicts I've decided not supporting
# it. Users can use the (abc|) form instead.
(
'(|abc)ef'
,
''
,
SYNTAX_ERROR
),
(
'((a)(b)c)(d)'
,
'abcd'
,
SUCCEED
,
'abcd'
),
(
'(a|b)c*d'
,
'abcd'
,
SUCCEED
,
'bcd'
),
(
'(ab|ab*)bc'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'a([bc]*)c*'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'a([bc]*)c*'
,
'ac'
,
SUCCEED
,
'ac'
),
(
'a([bc]*)c*'
,
'a'
,
SUCCEED
,
'a'
),
(
'a([bc]*)(c*d)'
,
'abcd'
,
SUCCEED
,
'abcd'
),
(
'a([bc]+)(c*d)'
,
'abcd'
,
SUCCEED
,
'abcd'
),
(
'a([bc]*)(c+d)'
,
'abcd'
,
SUCCEED
,
'abcd'
),
(
'a[bcd]*dcdcde'
,
'adcdcde'
,
SUCCEED
,
'adcdcde'
),
(
'a[bcd]+dcdcde'
,
'adcdcde'
,
FAIL
),
(
r'\((.*), (.*)\)'
,
'(a, b)'
,
SUCCEED
,
'(a, b)'
),
(
'abc|123$'
,
'abcx'
,
SUCCEED
,
'abc'
),
(
'abc|123$'
,
'123x'
,
FAIL
),
(
'abc|^123'
,
'123'
,
SUCCEED
,
'123'
),
(
'abc|^123'
,
'x123'
,
FAIL
),
(
'^abc$'
,
'abc'
,
SUCCEED
,
'abc'
),
(
'^abc$'
,
'abcc'
,
FAIL
),
(
'^abc'
,
'abcc'
,
SUCCEED
,
'abc'
),
(
'^abc$'
,
'aabc'
,
FAIL
),
(
'abc$'
,
'aabc'
,
SUCCEED
,
'abc'
),
(
'^a(bc+|b[eh])g|.h$'
,
'abhg'
,
SUCCEED
,
'abhg'
),
(
'(bc+d$|ef*g.|h?i(j|k))'
,
'effgz'
,
SUCCEED
,
'effgz'
),
(
'(bc+d$|ef*g.|h?i(j|k))'
,
'ij'
,
SUCCEED
,
'ij'
),
(
'(bc+d$|ef*g.|h?i(j|k))'
,
'effg'
,
FAIL
),
(
'(bc+d$|ef*g.|h?i(j|k))'
,
'bcdd'
,
FAIL
),
(
'(bc+d$|ef*g.|h?i(j|k))'
,
'reffgz'
,
SUCCEED
,
'effgz'
),
# Test case for issue #324
(
'whatever| x. x'
,
' xy x'
,
SUCCEED
,
' xy x'
),
]
def
warnings_callback
(
warning_type
,
message
):
global
warnings_callback_called
global
warnings_callback_called
,
warnings_callback_message
warnings_callback_called
=
warning_type
warnings_callback_message
=
message
class
TestYara
(
unittest
.
TestCase
):
...
...
@@ -277,19 +277,19 @@ class TestYara(unittest.TestCase):
def
assertTrueRules
(
self
,
rules
,
data
=
'dummy'
):
for
r
in
rules
:
r
=
yara
.
compile
(
source
=
r
)
self
.
assertTrue
(
r
.
match
(
data
=
data
))
r
=
yara
.
compile
(
source
=
r
)
self
.
assertTrue
(
r
.
match
(
data
=
data
))
def
assertFalseRules
(
self
,
rules
,
data
=
'dummy'
):
for
r
in
rules
:
r
=
yara
.
compile
(
source
=
r
)
self
.
assertFalse
(
r
.
match
(
data
=
data
))
r
=
yara
.
compile
(
source
=
r
)
self
.
assertFalse
(
r
.
match
(
data
=
data
))
def
assertSyntaxError
(
self
,
rules
):
for
r
in
rules
:
self
.
assertRaises
(
yara
.
SyntaxError
,
yara
.
compile
,
source
=
r
)
self
.
assertRaises
(
yara
.
SyntaxError
,
yara
.
compile
,
source
=
r
)
def
runReTest
(
self
,
test
):
...
...
@@ -300,19 +300,19 @@ class TestYara(unittest.TestCase):
source
=
'rule test { strings: $a = /
%
s/ condition: $a }'
%
regexp
if
expected_result
==
SYNTAX_ERROR
:
self
.
assertRaises
(
yara
.
SyntaxError
,
yara
.
compile
,
source
=
source
)
self
.
assertRaises
(
yara
.
SyntaxError
,
yara
.
compile
,
source
=
source
)
else
:
rule
=
yara
.
compile
(
source
=
source
)
matches
=
rule
.
match
(
data
=
string
)
if
expected_result
==
SUCCEED
:
self
.
assertTrue
(
matches
)
_
,
_
,
matching_string
=
matches
[
0
]
.
strings
[
0
]
if
sys
.
version_info
[
0
]
>=
3
:
self
.
assertTrue
(
matching_string
==
bytes
(
test
[
3
],
'utf-8'
))
rule
=
yara
.
compile
(
source
=
source
)
matches
=
rule
.
match
(
data
=
string
)
if
expected_result
==
SUCCEED
:
self
.
assertTrue
(
matches
)
_
,
_
,
matching_string
=
matches
[
0
]
.
strings
[
0
]
if
sys
.
version_info
[
0
]
>=
3
:
self
.
assertTrue
(
matching_string
==
bytes
(
test
[
3
],
'utf-8'
))
else
:
self
.
assertTrue
(
matching_string
==
test
[
3
])
else
:
self
.
assertTrue
(
matching_string
==
test
[
3
])
else
:
self
.
assertFalse
(
matches
)
self
.
assertFalse
(
matches
)
def
testBooleanOperators
(
self
):
...
...
@@ -392,7 +392,7 @@ class TestYara(unittest.TestCase):
'rule test { condition: 8 >> 2 == 2 }'
,
'rule test { condition: 1 << 3 == 8 }'
,
'rule test { condition: 1 | 3 ^ 3 == 1 | (3 ^ 3) }'
])
])
self
.
assertFalseRules
([
'rule test { condition: ~0xAA ^ 0x5A & 0xFF == 0x0F }'
,
...
...
@@ -527,41 +527,41 @@ class TestYara(unittest.TestCase):
],
PE32_FILE
)
self
.
assertTrueRules
([
'rule test { strings: $a = { 31 32 [-] 38 39 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [-] 33 34 [-] 38 39 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [1] 34 35 [2] 38 39 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [1-] 34 35 [1-] 38 39 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [0-3] 34 35 [1-] 38 39 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [0-2] 35 [1-] 37 38 39 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [-] 38 39 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [-] 33 34 [-] 38 39 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [1] 34 35 [2] 38 39 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [1-] 34 35 [1-] 38 39 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [0-3] 34 35 [1-] 38 39 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [0-2] 35 [1-] 37 38 39 } condition: $a }'
,
],
'123456789'
)
self
.
assertTrueRules
([
'rule test { strings: $a = { 31 32 [-] 38 39 } condition: all of them }'
,
'rule test { strings: $a = { 31 32 [-] 38 39 } condition: all of them }'
,
],
'123456789'
)
self
.
assertFalseRules
([
'rule test { strings: $a = { 31 32 [-] 32 33 } condition: $a }'
,
'rule test { strings: $a = { 35 36 [-] 31 32 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [2-] 34 35 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [0-3] 37 38 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [-] 32 33 } condition: $a }'
,
'rule test { strings: $a = { 35 36 [-] 31 32 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [2-] 34 35 } condition: $a }'
,
'rule test { strings: $a = { 31 32 [0-3] 37 38 } condition: $a }'
,
],
'123456789'
)
self
.
assertSyntaxError
([
'rule test { strings: $a = { 01 [0] 02 } condition: $a }'
,
'rule test { strings: $a = { [-] 01 02 } condition: $a }'
,
'rule test { strings: $a = { 01 02 [-] } condition: $a }'
,
'rule test { strings: $a = { 01 02 ([-] 03 | 04) } condition: $a }'
,
'rule test { strings: $a = { 01 02 (03 [-] | 04) } condition: $a }'
,
'rule test { strings: $a = { 01 02 (03 | 04 [-]) } condition: $a }'
'rule test { strings: $a = { 01 [0] 02 } condition: $a }'
,
'rule test { strings: $a = { [-] 01 02 } condition: $a }'
,
'rule test { strings: $a = { 01 02 [-] } condition: $a }'
,
'rule test { strings: $a = { 01 02 ([-] 03 | 04) } condition: $a }'
,
'rule test { strings: $a = { 01 02 (03 [-] | 04) } condition: $a }'
,
'rule test { strings: $a = { 01 02 (03 | 04 [-]) } condition: $a }'
])
rules
=
yara
.
compile
(
source
=
'rule test { strings: $a = { 61 [0-3] (62|63) } condition: $a }'
)
matches
=
rules
.
match
(
data
=
'abbb'
)
if
sys
.
version_info
[
0
]
>=
3
:
self
.
assertTrue
(
matches
[
0
]
.
strings
==
[(
0
,
'$a'
,
bytes
(
'ab'
,
'utf-8'
))])
self
.
assertTrue
(
matches
[
0
]
.
strings
==
[(
0
,
'$a'
,
bytes
(
'ab'
,
'utf-8'
))])
else
:
self
.
assertTrue
(
matches
[
0
]
.
strings
==
[(
0
,
'$a'
,
'ab'
)])
self
.
assertTrue
(
matches
[
0
]
.
strings
==
[(
0
,
'$a'
,
'ab'
)])
def
testCount
(
self
):
...
...
@@ -699,7 +699,7 @@ class TestYara(unittest.TestCase):
'rule test { condition: entrypoint >= 0 }'
,
])
# This test ensures that anything after the NULL character is stripped.
# This test ensures that anything after the NULL character is stripped.
def
testMetaNull
(
self
):
r
=
yara
.
compile
(
source
=
r'rule test { meta: a = "foo\x00bar\x80" condition: true }'
)
...
...
@@ -876,11 +876,11 @@ class TestYara(unittest.TestCase):
if
sys
.
version_info
[
0
]
>=
3
:
self
.
assertTrue
(
yara
.
compile
(
source
=
"rule test { condition: true}"
,
externals
=
{
'foo'
:
u'
\u6765\u6613\u7f51\u7edc\u79d1
'
}))
externals
=
{
'foo'
:
u'
\u6765\u6613\u7f51\u7edc\u79d1
'
}))
else
:
self
.
assertRaises
(
UnicodeEncodeError
,
yara
.
compile
,
source
=
"rule test { condition: true}"
,
externals
=
{
'foo'
:
u'
\u6765\u6613\u7f51\u7edc\u79d1
'
})
externals
=
{
'foo'
:
u'
\u6765\u6613\u7f51\u7edc\u79d1
'
})
def
testCallbackAll
(
self
):
global
rule_data
...
...
@@ -891,7 +891,6 @@ class TestYara(unittest.TestCase):
rule_data
.
append
(
data
)
return
yara
.
CALLBACK_CONTINUE
r
=
yara
.
compile
(
source
=
'rule t { condition: true } rule f { condition: false }'
)
r
.
match
(
data
=
'dummy'
,
callback
=
callback
,
which_callbacks
=
yara
.
CALLBACK_ALL
)
...
...
@@ -949,10 +948,10 @@ class TestYara(unittest.TestCase):
self
.
assertTrue
(
len
(
m
)
==
2
)
if
sys
.
version_info
[
0
]
<
3
:
self
.
assertTrue
(
m
[
0
]
<
m
[
1
])
self
.
assertTrue
(
m
[
0
]
!=
m
[
1
])
self
.
assertFalse
(
m
[
0
]
>
m
[
1
])
self
.
assertFalse
(
m
[
0
]
==
m
[
1
])
self
.
assertTrue
(
m
[
0
]
<
m
[
1
])
self
.
assertTrue
(
m
[
0
]
!=
m
[
1
])
self
.
assertFalse
(
m
[
0
]
>
m
[
1
])
self
.
assertFalse
(
m
[
0
]
==
m
[
1
])
def
testComments
(
self
):
...
...
@@ -990,13 +989,13 @@ class TestYara(unittest.TestCase):
'import "tests" rule test { condition: tests.fsum(1.0,2.0) == 3.0}'
,
'import "tests" rule test { condition: tests.fsum(1.0,2.0,3.0) == 6.0}'
,
'import "tests" rule test { condition: tests.length("dummy") == 5}'
,
])
])
self
.
assertFalseRules
([
'import "tests" rule test { condition: tests.struct_array[0].i == 1 }'
,
'import "tests" rule test { condition: tests.isum(1,1) == 3}'
,
'import "tests" rule test { condition: tests.fsum(1.0,1.0) == 3.0}'
,
])
])
def
testIntegerFunctions
(
self
):
...
...
@@ -1007,7 +1006,7 @@ class TestYara(unittest.TestCase):
'rule test { condition: uint8be(0) == 0xAA}'
,
'rule test { condition: uint16be(0) == 0xAABB}'
,
'rule test { condition: uint32be(0) == 0xAABBCCDD}'
,
],
b
'
\xAA\xBB\xCC\xDD
'
)
],
b
'
\xAA\xBB\xCC\xDD
'
)
def
testStringIO
(
self
):
...
...
@@ -1040,11 +1039,11 @@ class TestYara(unittest.TestCase):
r1
.
match
(
data
=
''
,
modules_callback
=
callback
)
if
sys
.
version_info
[
0
]
>=
3
:
self
.
assertTrue
(
data
[
'constants'
][
'foo'
]
==
bytes
(
'foo'
,
'utf-8'
))
self
.
assertTrue
(
data
[
'constants'
][
'empty'
]
==
bytes
(
''
,
'utf-8'
))
self
.
assertTrue
(
data
[
'constants'
][
'foo'
]
==
bytes
(
'foo'
,
'utf-8'
))
self
.
assertTrue
(
data
[
'constants'
][
'empty'
]
==
bytes
(
''
,
'utf-8'
))
else
:
self
.
assertTrue
(
data
[
'constants'
][
'foo'
]
==
'foo'
)
self
.
assertTrue
(
data
[
'constants'
][
'empty'
]
==
''
)
self
.
assertTrue
(
data
[
'constants'
][
'foo'
]
==
'foo'
)
self
.
assertTrue
(
data
[
'constants'
][
'empty'
]
==
''
)
self
.
assertTrue
(
data
[
'constants'
][
'one'
]
==
1
)
self
.
assertTrue
(
data
[
'constants'
][
'two'
]
==
2
)
...
...
@@ -1059,7 +1058,7 @@ class TestYara(unittest.TestCase):
'''
)
for
i
,
r
in
enumerate
(
rules
,
start
=
1
):
self
.
assertTrue
(
r
.
identifier
==
'test
%
d'
%
i
)
self
.
assertTrue
(
r
.
identifier
==
'test
%
d'
%
i
)
it
=
iter
(
rules
)
r
=
next
(
it
)
...
...
@@ -1099,14 +1098,23 @@ class TestYara(unittest.TestCase):
self
.
assertTrue
(
r
.
match
(
data
=
data
))
def
testWarningCallback
(
self
):
global
warnings_callback_called
global
warnings_callback_called
,
warnings_callback_message
warnings_callback_called
=
False
r
=
yara
.
compile
(
source
=
'rule x { strings: $x = "X" condition: $x }'
)
warnings_callback_message
=
None
r
=
yara
.
compile
(
sources
=
{
'ns1'
:
'rule x { strings: $x = "X" condition: $x }'
})
data
=
memoryview
(
b
"X"
*
1000099
)
r
.
match
(
data
=
data
,
warnings_callback
=
warnings_callback
)
self
.
assertTrue
(
warnings_callback_called
,
yara
.
CALLBACK_TOO_MANY_MATCHES
)
self
.
assertTrue
(
warnings_callback_called
==
yara
.
CALLBACK_TOO_MANY_MATCHES
)
self
.
assertTrue
(
warnings_callback_message
==
(
"ns1"
,
"x"
,
"$x"
))
self
.
assertTrue
(
warnings_callback_message
.
namespace
==
"ns1"
)
self
.
assertTrue
(
warnings_callback_message
.
rule
==
"x"
)
self
.
assertTrue
(
warnings_callback_message
.
string
==
"$x"
)
if
__name__
==
"__main__"
:
unittest
.
main
()
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
