yara: avoid scanning special files that could hang (#5971)

osquery/tables/yara/tests/yara_tests.cpp

@@ -24,11 +24,9 @@ const std::string alwaysFalse = "rule always_false { condition: false }";
 
 class YARATest : public testing::Test {
  protected:
-  void SetUp() override {
-  }
+  void SetUp() override {}
 
-  void TearDown() override {
-  }
+  void TearDown() override {}
 
   Row scanFile(const std::string& ruleContent) {
     YR_RULES* rules = nullptr;
@@ -80,4 +78,22 @@ TEST_F(YARATest, test_match_false) {
   // Should have 0 count
   EXPECT_TRUE(r["count"] == "0");
 }
+
+TEST_F(YARATest, should_skip_file) {
+  // pretty much any regular file should be scanned
+
+  EXPECT_FALSE(yaraShouldSkipFile("/any/file/here", S_IFREG));
+
+  // should skip devices, pipes, sockets, directories, etc.
+
+  EXPECT_TRUE(yaraShouldSkipFile("/any/file/here", S_IFCHR));
+  EXPECT_TRUE(yaraShouldSkipFile("/any/file/here", S_IFDIR));
+#ifdef __APPLE__
+  EXPECT_TRUE(yaraShouldSkipFile("/any/file/here", S_IFLNK));
+  EXPECT_TRUE(yaraShouldSkipFile("/any/file/here", S_IFSOCK));
+  EXPECT_TRUE(yaraShouldSkipFile("/any/file/here", S_IFBLK));
+  EXPECT_TRUE(yaraShouldSkipFile("/any/file/here", S_IFIFO));
+#endif
+}
+
 } // namespace osquery

osquery/tables/yara/yara.cpp

@@ -114,8 +114,14 @@ QueryData genYara(QueryContext& context) {
             resolveFilePattern(pattern, patterns, GLOB_FILES | GLOB_NO_CANON);
         if (status.ok()) {
           for (const auto& resolved : patterns) {
+            struct stat sb;
+            if (0 != stat(resolved.c_str(), &sb)) {
+              continue; // failed to stat
+            }
+
             // Check that each resolved path is readable.
-            if (isReadable(resolved)) {
+            if (isReadable(resolved) &&
+                !yaraShouldSkipFile(resolved, sb.st_mode)) {
               paths.insert(resolved);
             }
           }

osquery/tables/yara/yara_utils.cpp

@@ -16,6 +16,15 @@
 
 namespace osquery {
 
+bool yaraShouldSkipFile(const std::string& path, mode_t st_mode) {
+  // avoid special files /dev/x , /proc/x, FIFO's named-pipes, etc.
+  if ((st_mode & S_IFMT) != S_IFREG) {
+    return true;
+  }
+
+  return false;
+}
+
 /**
  * The callback used when there are compilation problems in the rules.
  */
@@ -310,4 +319,4 @@ Status YARAConfigParserPlugin::update(const std::string& source,
 
 /// Call the simple YARA ConfigParserPlugin "yara".
 REGISTER(YARAConfigParserPlugin, "config_parser", "yara");
-}
+} // namespace osquery

osquery/tables/yara/yara_utils.h

@@ -10,6 +10,7 @@
 #include <boost/property_tree/ptree.hpp>
 
 #include <osquery/config/config.h>
+#include <osquery/filesystem/fileops.h>
 #include <osquery/tables.h>
 #include <osquery/utils/config/default_paths.h>
 
@@ -36,6 +37,11 @@ Status handleRuleFiles(const std::string& category,
                        const pt::ptree& rule_files,
                        std::map<std::string, YR_RULES*>& rules);
 
+/**
+ * Avoid scanning files that could cause hangs or issues.
+ */
+bool yaraShouldSkipFile(const std::string& path, mode_t st_mode);
+
 int YARACallback(int message, void* message_data, void* user_data);
 
 /**
@@ -69,4 +75,4 @@ class YARAConfigParserPlugin : public ConfigParserPlugin {
   /// Store the signatures and file_paths and compile the rules.
   Status update(const std::string& source, const ParserConfig& config) override;
 };
-}
+} // namespace osquery