fix: remove references to regexp.original, add test

SigmaHQ · Feb 18, 2025 · 00ecba3 · 00ecba3
1 parent 37e0f3e
commit 00ecba3
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 8 deletions.
diff --git a/sigma/modifiers.py b/sigma/modifiers.py
@@ -128,7 +128,7 @@ def modify(
             if not val.endswith(SpecialChars.WILDCARD_MULTI):
                 val += SpecialChars.WILDCARD_MULTI
         elif isinstance(val, SigmaRegularExpression):
-            regexp_str = val.regexp.convert()
+            regexp_str = str(val.regexp)
             if regexp_str[:2] != ".*" and regexp_str[0] != "^":
                 val.regexp = SigmaString(".") + SpecialChars.WILDCARD_MULTI + val.regexp
             if regexp_str[-2:] != ".*" and regexp_str[-1] != "$":
@@ -150,7 +150,7 @@ def modify(
             if not val.endswith(SpecialChars.WILDCARD_MULTI):
                 val += SpecialChars.WILDCARD_MULTI
         elif isinstance(val, SigmaRegularExpression):
-            regexp_str = val.regexp.convert()
+            regexp_str = str(val.regexp)
             if regexp_str[-2:] != ".*" and regexp_str[-1] != "$":
                 val.regexp += SigmaString(".") + SpecialChars.WILDCARD_MULTI
             val.compile()
@@ -169,7 +169,7 @@ def modify(
             if not val.startswith(SpecialChars.WILDCARD_MULTI):
                 val = SpecialChars.WILDCARD_MULTI + val
         elif isinstance(val, SigmaRegularExpression):
-            regexp_str = val.regexp.convert()
+            regexp_str = str(val.regexp)
             if regexp_str[:2] != ".*" and regexp_str[0] != "^":
                 val.regexp = SigmaString(".") + SpecialChars.WILDCARD_MULTI + val.regexp
             val.compile()

diff --git a/sigma/types.py b/sigma/types.py
@@ -734,10 +734,10 @@ def compile(self):
             flags = 0
             for flag in self.flags:
                 flags |= self.sigma_to_python_flags[flag]
-            re.compile(self.regexp.original, flags)
+            re.compile(self.escape(), flags)
         except re.error as e:
             raise SigmaRegularExpressionError(
-                f"Regular expression '{self.regexp.original}' is invalid: {str(e)}"
+                f"Regular expression '{self.escape()}' is invalid: {str(e)}"
             ) from e
 
     def escape(
@@ -757,9 +757,10 @@ def escape(
                 if e is not None
             ]
         )
+        regexp_str = str(self.regexp)
         pos = (
             [  # determine positions of matches in regular expression
-                m.start() for m in re.finditer(r, self.regexp.original)
+                m.start() for m in re.finditer(r, regexp_str)
             ]
             if r != ""
             else []
@@ -774,7 +775,7 @@ def escape(
         else:
             prefix = ""
 
-        return prefix + escape_char.join([self.regexp.original[i:j] for i, j in ranges])
+        return prefix + escape_char.join([regexp_str[i:j] for i, j in ranges])
 
     def contains_placeholder(
         self, include: Optional[List[str]] = None, exclude: Optional[List[str]] = None
@@ -796,7 +797,7 @@ def replace_placeholders(
         Replace all occurrences of string part matching regular expression with placeholder.
         """
         return [
-            SigmaRegularExpression(regexp=sigmastr.convert(), flags=self.flags)
+            SigmaRegularExpression(regexp=str(sigmastr), flags=self.flags)
             for sigmastr in self.regexp.replace_placeholders(callback)
         ]
 

diff --git a/tests/test_conversion_base.py b/tests/test_conversion_base.py
@@ -1343,6 +1343,32 @@ def test_convert_value_regex_value_list():
     )
 
 
+def test_convert_value_regex_value_list_endswith():
+    pipeline = ProcessingPipeline(
+        [ProcessingItem(ValueListPlaceholderTransformation(["test"]))],
+        vars={"test": ["pat.*tern/foobar", "pat.*te\\rn/foobar"]},
+    )
+    backend = TextQueryTestBackend(pipeline)
+    assert (
+        backend.convert(
+            SigmaCollection.from_yaml(
+                """
+            title: Test
+            status: test
+            logsource:
+                category: test_category
+                product: test_product
+            detection:
+                sel:
+                    field|re|expand|endswith: "%test%"
+                condition: sel
+            """
+            )
+        )
+        == ["field=/.*pat.*tern\\/foo\\bar/ or field=/.*pat.*te\\\\rn\\/foo\\bar/"]
+    )
+
+
 def test_convert_value_cidr_wildcard_native_ipv4(test_backend):
     assert (
         test_backend.convert(