Resolve eval false-positive for gawk (chainguard-dev#301)

* Resolve eval false-positive for gawk Signed-off-by: egibs <[email protected]> * Get really specific Signed-off-by: egibs <[email protected]> * Update rules/techniques/code_eval.yara Signed-off-by: Evan Gibler <[email protected]> * Update rules/techniques/code_eval.yara Signed-off-by: Evan Gibler <[email protected]> --------- Signed-off-by: egibs <[email protected]> Signed-off-by: Evan Gibler <[email protected]> Co-authored-by: Thomas Strömberg <[email protected]>
egibs · Jul 1, 2024 · 5ecad9d · 5ecad9d
1 parent 2fc7f84
commit 5ecad9d
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/rules/techniques/code_eval.yara b/rules/techniques/code_eval.yara
@@ -55,7 +55,8 @@ rule php_at_eval : critical {
     hash_2017_tests = "f1a947148c092a58e354e46082b0187bce0eea38fab2a7638eb268da0752657b"
     hash_2017_mybiubiubiu_0_1_1_setup = "afd6712c7c190465c459ab1049cd559e4a2f00a5e1a4e1fe063cfefc19a330ef"
   strings:
-    $at_eval = /@eval\s{0,8}\(.{0,32}/
+    $at_eval = /@\beval\s{0,32}\(\s{0,32}(\$\w{0,32}|\.\s{0,32}"[^"]{0,32}"|\.\s{0,32}'[^']{0,32}'|\w+\(\s{0,32}\))/
+    $not_empty = "eval()"
   condition:
-    any of them
+    $at_eval and none of ($not*)
 }