From d8f00ce5f1fe661b2c16d08d8197106562aeb548 Mon Sep 17 00:00:00 2001
From: Duane Howard
Date: Sun, 13 Jul 2025 19:44:32 -0700
Subject: [PATCH 1/9] Addresses new linter findings.

---
 lex.go    | 2 +-
 parser.go | 4 ++--
 rule.go   | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lex.go b/lex.go
index 05eadef..a625a9e 100644
--- a/lex.go
+++ b/lex.go
@@ -265,7 +265,7 @@ func lexProtocol(l *lexer) stateFn {
 		case r == ' ':
 			l.emit(itemProtocol, true)
 			return lexSourceAddress
-		case !(unicode.IsLetter(r) || unicode.IsDigit(r) || (l.len() > 0 && r == '-')):
+		case !unicode.IsLetter(r) && !unicode.IsDigit(r) && !(l.len() > 0 && r == '-'):
 			return l.errorf("invalid character %q for a rule protocol", r)
 		}
 	}
diff --git a/parser.go b/parser.go
index e189a6b..a945996 100644
--- a/parser.go
+++ b/parser.go
@@ -111,7 +111,7 @@ func parseContent(content string) ([]byte, error) {
 	b = hexRE.ReplaceAllStringFunc(b, func(h string) string {
-		r, err := hex.DecodeString(strings.Replace(strings.Trim(h, "|"), " ", "", -1))
+		r, err := hex.DecodeString(strings.ReplaceAll(strings.Trim(h, "|"), " ", ""))
 		if err != nil {
 			panic("invalid hexRE regexp")
 		}
@@ -408,7 +408,7 @@ func unquote(s string) string {
 	if strings.IndexByte(s, '"') < 0 {
 		return s
 	}
-	return strings.Replace(s, `\"`, `"`, -1)
+	return strings.ReplaceAll(s, `\"`, `"`)
 }
 
 func inSlice(str string, strings []string) bool {
diff --git a/rule.go b/rule.go
index 086f11c..ce7f593 100644
--- a/rule.go
+++ b/rule.go
@@ -837,7 +837,7 @@ func (p PCRE) String() string {
 	// escape quote signs, if necessary
 	if bytes.IndexByte(pattern, '"') > -1 {
-		pattern = bytes.Replace(pattern, []byte(`"`), []byte(`\"`), -1)
+		pattern = bytes.ReplaceAll(pattern, []byte(`"`), []byte(`\"`))
 	}
 
 	var s strings.Builder
From fed85b709f3abfb362cb1f092bf72cbb71fe9f32 Mon Sep 17 00:00:00 2001
From: Duane Howard
Date: Sun, 13 Jul 2025 19:47:34 -0700
Subject: [PATCH 2/9] One more tweak to address lint findings.

---
 lex.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lex.go b/lex.go
index a625a9e..c170858 100644
--- a/lex.go
+++ b/lex.go
@@ -265,7 +265,7 @@ func lexProtocol(l *lexer) stateFn {
 		case r == ' ':
 			l.emit(itemProtocol, true)
 			return lexSourceAddress
-		case !unicode.IsLetter(r) && !unicode.IsDigit(r) && !(l.len() > 0 && r == '-'):
+		case !unicode.IsLetter(r) && !unicode.IsDigit(r) && (l.len() > 0 || r == '-'):
 			return l.errorf("invalid character %q for a rule protocol", r)
 		}
 	}
From d9e690d866b215459e75ed6e95b32f4be47e3233 Mon Sep 17 00:00:00 2001
From: Duane Howard
Date: Sun, 13 Jul 2025 19:58:41 -0700
Subject: [PATCH 3/9] maybe getting it right this time. maybe stop coding now.

---
 lex.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lex.go b/lex.go
index c170858..fae70e2 100644
--- a/lex.go
+++ b/lex.go
@@ -265,7 +265,7 @@ func lexProtocol(l *lexer) stateFn {
 		case r == ' ':
 			l.emit(itemProtocol, true)
 			return lexSourceAddress
-		case !unicode.IsLetter(r) && !unicode.IsDigit(r) && (l.len() > 0 || r == '-'):
+		case !unicode.IsLetter(r) && !unicode.IsDigit(r) && !(l.len() > 0 || r == '-'):
 			return l.errorf("invalid character %q for a rule protocol", r)
 		}
 	}
From 77187b0ac0beb6967f4f0bcf7fc0cc9c873d49e4 Mon Sep 17 00:00:00 2001
From: Duane Howard
Date: Sun, 13 Jul 2025 20:09:57 -0700
Subject: [PATCH 4/9] last one, srsly.

---
 lex.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lex.go b/lex.go
index fae70e2..6d6323b 100644
--- a/lex.go
+++ b/lex.go
@@ -265,7 +265,7 @@ func lexProtocol(l *lexer) stateFn {
 		case r == ' ':
 			l.emit(itemProtocol, true)
 			return lexSourceAddress
-		case !unicode.IsLetter(r) && !unicode.IsDigit(r) && !(l.len() > 0 || r == '-'):
+		case !unicode.IsLetter(r) && !unicode.IsDigit(r) && l.len() > 0 && r != '-':
 			return l.errorf("invalid character %q for a rule protocol", r)
 		}
 	}
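Review bot: The guard that PATCH 4/9 settles on is not equivalent to the expression PATCH 1/9 started from: `!(l.len() > 0 && r == '-')` is `l.len() == 0 || r != '-'`, but the new case reads `l.len() > 0 && r != '-'`, so a rune that is neither a letter nor a digit is no longer rejected when `l.len()` is 0 (presumably the first rune of the protocol token). If lexProtocol simply keeps consuming runes when no case matches (the surrounding loop and the `l.next()` call lie outside the hunk, so this is inferred), a protocol beginning with `-` or any other punctuation would now lex cleanly instead of producing the `invalid character` error, which weakens the input validation that later parsing stages and rule consumers rely on. The intermediate forms in PATCH 2/9 and PATCH 3/9 are wrong as well and are superseded by this hunk. A form that keeps the original meaning and should still satisfy the linter is `case !unicode.IsLetter(r) && !unicode.IsDigit(r) && (l.len() == 0 || r != '-'):`; a table-driven test of lexProtocol with inputs such as `-tcp`, `$tcp` and `tc-p` would pin the intended behaviour so the next lint-driven rewrite cannot drift again.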
From 1e8ee84defa3c9c59584cd014e999c059dda744c Mon Sep 17 00:00:00 2001
From: Duane Howard
Date: Sun, 13 Jul 2025 20:29:38 -0700
Subject: [PATCH 5/9] see if we can fix the fuzzer config.

---
 .github/workflows/fuzz.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 6ff09bf..ee308f1 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -16,7 +16,7 @@ jobs:
         fuzz-seconds: 600
         dry-run: false
     - name: Upload Crash
-      uses: actions/upload-artifact@v1
+      uses: actions/upload-artifact@v3
       if: failure()
       with:
         name: artifacts
From afd497e61c64d296d771631f7274fde1c47c95fc Mon Sep 17 00:00:00 2001
From: Duane Howard
Date: Sun, 13 Jul 2025 20:34:29 -0700
Subject: [PATCH 6/9] trying v4, not changing any syntax, probably still wont work.

---
 .github/workflows/fuzz.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index ee308f1..8d90f7f 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -16,7 +16,7 @@ jobs:
         fuzz-seconds: 600
         dry-run: false
     - name: Upload Crash
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: failure()
       with:
         name: artifacts
From eff84366ee1a20ff8c2d58c8cebea6b242ad6503 Mon Sep 17 00:00:00 2001
From: Duane Howard
Date: Thu, 17 Jul 2025 20:07:28 -0700
Subject: [PATCH 7/9] updating to align with current CI docs https://google.github.io/oss-fuzz/getting-started/continuous-integration/

---
 .github/workflows/fuzz.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 8d90f7f..1f4d189 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -3,21 +3,34 @@ on: [pull_request]
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
     - name: Build Fuzzers
+      id: build
       uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
       with:
         oss-fuzz-project-name: 'gonids'
+        language: go
         dry-run: false
     - name: Run Fuzzers
       uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
       with:
         oss-fuzz-project-name: 'gonids'
+        language: go
         fuzz-seconds: 600
         dry-run: false
+        output-sarif: true
     - name: Upload Crash
       uses: actions/upload-artifact@v4
-      if: failure()
+      if: failure() && steps.build.outcome == 'success'
       with:
         name: artifacts
         path: ./out/artifacts
+    - name: Upload Sarif
+      if: always() && steps.build.outcome == 'success'
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        # Path to SARIF file relative to the root of the repository
+        sarif_file: cifuzz-sarif/results.sarif
+        checkout_path: cifuzz-sarif
From 2ce453f4ae1c58b6104479544108118816b910af Mon Sep 17 00:00:00 2001
From: Duane Howard
Date: Thu, 17 Jul 2025 20:16:08 -0700
Subject: [PATCH 8/9] flip `upload-sarif` to v3 to avoid Error in logs.

---
 .github/workflows/fuzz.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 1f4d189..39e9c99 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -29,7 +29,7 @@ jobs:
         path: ./out/artifacts
     - name: Upload Sarif
       if: always() && steps.build.outcome == 'success'
-      uses: github/codeql-action/upload-sarif@v2
+      uses: github/codeql-action/upload-sarif@v3
       with:
         # Path to SARIF file relative to the root of the repository
         sarif_file: cifuzz-sarif/results.sarif
From aa651afffec832d43e649e4837e486215b72aa01 Mon Sep 17 00:00:00 2001
From: Duane Howard
Date: Thu, 17 Jul 2025 20:41:10 -0700
Subject: [PATCH 9/9] Removes unused lexer parameters from `parser.go`

---
 parser.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

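Review bot: The new `Upload Sarif` step references `github/codeql-action/upload-sarif` by the mutable tag `@v2` (moved to `@v3` in PATCH 8/9), and the CIFuzz steps it depends on track `@master`; now that the job is granted `security-events: write`, pinning every `uses:` to a full commit SHA with a `# vX.Y.Z` comment beside it would make what runs with that token verifiable, which is the usual hardening for a workflow in this position. The job-level `permissions:` block is a good least-privilege change, and because it sets every unlisted scope to none it is worth confirming that the CIFuzz actions need nothing beyond `security-events` (no `actions/checkout` step is present here, so `contents: read` appears not to be required). On `pull_request` runs from a fork the token is read-only regardless of the declared permissions, so `if: always() && steps.build.outcome == 'success'` would presumably make the SARIF upload fail the job for fork PRs; gating that step on `github.event.pull_request.head.repo.full_name == github.repository` or adding `continue-on-error: true` would keep fuzz results visible for those contributors.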
diff --git a/parser.go b/parser.go
index d64d869..64b3ba4 100644
--- a/parser.go
+++ b/parser.go
@@ -421,7 +421,7 @@ func inSlice(str string, strings []string) bool {
 }
 
 // comment decodes a comment (commented rule, or just a comment.)
-func (r *Rule) comment(key item, l *lexer) error {
+func (r *Rule) comment(key item) error {
 	if key.typ != itemComment {
 		panic("item is not a comment")
 	}
@@ -445,7 +445,7 @@ func (r *Rule) comment(key item, l *lexer) error {
 }
 
 // action decodes an IDS rule option based on its key.
-func (r *Rule) action(key item, l *lexer) error {
+func (r *Rule) action(key item) error {
 	if key.typ != itemAction {
 		panic("item is not an action")
 	}
@@ -457,7 +457,7 @@ func (r *Rule) action(key item, l *lexer) error {
 }
 
 // protocol decodes an IDS rule protocol based on its key.
-func (r *Rule) protocol(key item, l *lexer) error {
+func (r *Rule) protocol(key item) error {
 	if key.typ != itemProtocol {
 		panic("item is not a protocol")
 	}
@@ -469,7 +469,7 @@ func (r *Rule) protocol(key item, l *lexer) error {
 }
 
 // network decodes an IDS rule network (networks and ports) based on its key.
-func (r *Rule) network(key item, l *lexer) error {
+func (r *Rule) network(key item) error {
 	// Identify if the whole network component is negated.
 	tmp := strings.TrimPrefix(key.value, "!")
 	negated := len(tmp) < len(key.value)
@@ -598,7 +598,7 @@ func validNetworks(nets []string) bool {
 }
 
 // direction decodes an IDS rule direction based on its key.
-func (r *Rule) direction(key item, l *lexer) error {
+func (r *Rule) direction(key item) error {
 	if key.typ != itemDirection {
 		panic("item is not a direction")
 	}
@@ -930,7 +930,7 @@ func parseRuleAux(rule string, commented bool) (*Rule, error) {
 				// Ignore comment ending rule.
 				return r, nil
 			}
-			err = r.comment(item, l)
+			err = r.comment(item)
 			// Error here means that the comment was not a commented rule.
 			// So we're not parsing a rule and we need to break out.
 			if err != nil {
@@ -939,13 +939,13 @@ func parseRuleAux(rule string, commented bool) (*Rule, error) {
 				// This line was a commented rule.
 				return r, nil
 		case itemAction:
-			err = r.action(item, l)
+			err = r.action(item)
 		case itemProtocol:
-			err = r.protocol(item, l)
+			err = r.protocol(item)
 		case itemSourceAddress, itemDestinationAddress, itemSourcePort, itemDestinationPort:
-			err = r.network(item, l)
+			err = r.network(item)
 		case itemDirection:
-			err = r.direction(item, l)
+			err = r.direction(item)
 		case itemOptionKey:
 			err = r.option(item, l)
 			// We will continue to parse a rule with unsupported options.