fix: fix backtracking in IsEscaped()

coreruleset · Jul 15, 2024 · d388fa1 · d388fa1
1 parent acf3379
commit d388fa1
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 1 deletion.
diff --git a/utils/utils.go b/utils/utils.go
@@ -5,7 +5,7 @@ package utils
 
 func IsEscaped(input string, position int) bool {
 	escapeCounter := 0
-	for backtrackIndex := position - 1; backtrackIndex >= 0; backtrackIndex++ {
+	for backtrackIndex := position - 1; backtrackIndex >= 0; backtrackIndex-- {
 		if input[backtrackIndex] != '\\' {
 			break
 		}

diff --git a/utils/utils_test.go b/utils/utils_test.go
@@ -0,0 +1,42 @@
+// Copyright 2024 OWASP ModSecurity Core Rule Set Project
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+)
+
+type utilsTestSuite struct {
+	suite.Suite
+}
+
+func TestRunUtilsTestSuite(t *testing.T) {
+	suite.Run(t, new(utilsTestSuite))
+}
+
+func (s *utilsTestSuite) TestIsEscaped() {
+	s.True(IsEscaped(`abc\(de`, 4))
+	s.True(IsEscaped(`\(abc`, 1))
+	s.True(IsEscaped(`abc\(`, 4))
+}
+
+func (s *utilsTestSuite) TestIsEscaped_Backslashes() {
+	s.True(IsEscaped(`abc\\de`, 4))
+	s.True(IsEscaped(`\\abc`, 1))
+	s.True(IsEscaped(`abc\\`, 4))
+}
+
+func (s *utilsTestSuite) TestIsEscaped_Not() {
+	s.False(IsEscaped(`abc\\(de`, 5))
+	s.False(IsEscaped(`\\(abc`, 2))
+	s.False(IsEscaped(`abc\\(`, 5))
+}
+
+func (s *utilsTestSuite) TestIsEscaped_Not_Backslashes() {
+	s.False(IsEscaped(`abc\\\de`, 5))
+	s.False(IsEscaped(`\\\abc`, 2))
+	s.False(IsEscaped(`abc\\\`, 5))
+}