From 5ecad9d486305f0b9e532b9f4100fb88077e3880 Mon Sep 17 00:00:00 2001 From: Evan Gibler <20933572+egibs@users.noreply.github.com> Date: Mon, 1 Jul 2024 10:25:46 -0500 Subject: [PATCH] Resolve eval false-positive for gawk (#301) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Resolve eval false-positive for gawk Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Get really specific Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Update rules/techniques/code_eval.yara Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com> * Update rules/techniques/code_eval.yara Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Thomas Strömberg
---
 rules/techniques/code_eval.yara | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/techniques/code_eval.yara b/rules/techniques/code_eval.yara
index 88caaac86..2a928923c 100644
--- a/rules/techniques/code_eval.yara
+++ b/rules/techniques/code_eval.yara
@@ -55,7 +55,8 @@ rule php_at_eval : critical {
 hash_2017_tests = "f1a947148c092a58e354e46082b0187bce0eea38fab2a7638eb268da0752657b"
 hash_2017_mybiubiubiu_0_1_1_setup = "afd6712c7c190465c459ab1049cd559e4a2f00a5e1a4e1fe063cfefc19a330ef"
 strings:
- $at_eval = /@eval\s{0,8}\(.{0,32}/
+ $at_eval = /@\beval\s{0,32}\(\s{0,32}(\$\w{0,32}|\.\s{0,32}"[^"]{0,32}"|\.\s{0,32}'[^']{0,32}'|\w+\(\s{0,32}\))/
+ $not_empty = "eval()"
 condition:
- any of them
+ $at_eval and none of ($not*)
 }
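Review bot: The new `$not_empty` exclusion in the condition is evaluated against the whole file, so any PHP sample can opt out of this rule by carrying the literal `eval()` anywhere — a comment such as `/* eval() */` is enough — which turns a false-positive fix into a cheap evasion lever. If the gawk hit was `@eval()` itself, the rewritten `$at_eval` already rejects it (no alternation branch accepts `)` as the first argument), so the exclusion looks redundant and could be dropped, or at least scoped to the match with `not $not_empty in (@at_eval..@at_eval+64)`. Separately, the `\w+\(\s{0,32}\)` branch only accepts an empty call, so `@eval(base64_decode($x))` and a bare `@eval("...")` — common webshell shapes — no longer match; consider `$at_eval = /@eval\s{0,32}\(\s{0,32}(\$\w{0,32}|["']|\.\s{0,32}["']|\w+\()/` and re-check it against the gawk sample. The `\b` in `@\beval` is a no-op, since `@` is never a word character. The enclosing `rule php_at_eval` (its meta block) starts outside the hunk.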