diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d1d5359..7843c33 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -4,8 +4,3 @@ repos: rev: 24.4.2 hooks: - id: black - # It is recommended to specify the latest version of Python - # supported by your project here, or alternatively use - # pre-commit's default_language_version, see - # https://pre-commit.com/#top_level-default_language_version - language_version: python3.11 \ No newline at end of file diff --git a/sigma/modifiers.py b/sigma/modifiers.py index ebe40d7..8488095 100644 --- a/sigma/modifiers.py +++ b/sigma/modifiers.py @@ -394,7 +394,9 @@ class SigmaExpandModifier(SigmaValueModifier): specific list item or lookup by the processing pipeline. """ - def modify(self, val: Union[SigmaString, SigmaRegularExpression]) -> Union[SigmaString, SigmaRegularExpression]: + def modify( + self, val: Union[SigmaString, SigmaRegularExpression] + ) -> Union[SigmaString, SigmaRegularExpression]: return val.insert_placeholders() diff --git a/sigma/processing/transformations/placeholder.py b/sigma/processing/transformations/placeholder.py index bd0e690..078581d 100644 --- a/sigma/processing/transformations/placeholder.py +++ b/sigma/processing/transformations/placeholder.py @@ -56,7 +56,9 @@ def __post_init__(self): def apply_value( self, field: str, val: Union[SigmaString, SigmaRegularExpression] - ) -> Union[SigmaString, Iterable[SigmaString], SigmaRegularExpression, Iterable[SigmaRegularExpression]]: + ) -> Union[ + SigmaString, Iterable[SigmaString], SigmaRegularExpression, Iterable[SigmaRegularExpression] + ]: if val.contains_placeholder(self.include, self.exclude): return val.replace_placeholders(self.placeholder_replacements_base) else: diff --git a/sigma/types.py b/sigma/types.py index 6e45e5c..97da9b8 100644 --- a/sigma/types.py +++ b/sigma/types.py @@ -705,7 +705,11 @@ class SigmaRegularExpression(SigmaType): SigmaRegularExpressionFlag.DOTALL: "s", } - def __init__(self, regexp: Union[str, SigmaString], flags: Optional[Set[SigmaRegularExpressionFlag]] = None): + def __init__( + self, + regexp: Union[str, SigmaString], + flags: Optional[Set[SigmaRegularExpressionFlag]] = None, + ): if isinstance(regexp, str): regexp = SigmaString(regexp) @@ -771,10 +775,12 @@ def escape( prefix = "" return prefix + escape_char.join([self.regexp.original[i:j] for i, j in ranges]) - - def contains_placeholder(self, include: Optional[List[str]] = None, exclude: Optional[List[str]] = None) -> bool: + + def contains_placeholder( + self, include: Optional[List[str]] = None, exclude: Optional[List[str]] = None + ) -> bool: return self.regexp.contains_placeholder(include, exclude) - + def insert_placeholders(self) -> "SigmaRegularExpression": """ Replace %something% placeholders with Placeholder stub objects that can be later handled by the processing @@ -783,17 +789,18 @@ def insert_placeholders(self) -> "SigmaRegularExpression": self.regexp = self.regexp.insert_placeholders() return self - def replace_placeholders(self, callback: Callable[[Placeholder], Iterator[Union[str, SpecialChars, Placeholder]]]) -> List["SigmaRegularExpression"]: + def replace_placeholders( + self, callback: Callable[[Placeholder], Iterator[Union[str, SpecialChars, Placeholder]]] + ) -> List["SigmaRegularExpression"]: """ Replace all occurrences of string part matching regular expression with placeholder. """ return [ - SigmaRegularExpression( - regexp=sigmastr.convert(), - flags=self.flags - ) for sigmastr in self.regexp.replace_placeholders(callback) + SigmaRegularExpression(regexp=sigmastr.convert(), flags=self.flags) + for sigmastr in self.regexp.replace_placeholders(callback) ] + @dataclass class SigmaCIDRExpression(NoPlainConversionMixin, SigmaType): """CIDR IP address range expression type""" diff --git a/tests/test_conversion_base.py b/tests/test_conversion_base.py index 5d379bf..2a57a61 100644 --- a/tests/test_conversion_base.py +++ b/tests/test_conversion_base.py @@ -14,7 +14,7 @@ FieldMappingTransformation, QueryExpressionPlaceholderTransformation, SetStateTransformation, - ValueListPlaceholderTransformation + ValueListPlaceholderTransformation, ) from sigma.exceptions import SigmaPlaceholderError, SigmaTypeError, SigmaValueError import pytest @@ -1323,9 +1323,10 @@ def test_convert_value_regex_value_list(): vars={"test": ["pat.*tern/foobar", "pat.*te\\rn/foobar"]}, ) backend = TextQueryTestBackend(pipeline) - assert backend.convert( - SigmaCollection.from_yaml( - """ + assert ( + backend.convert( + SigmaCollection.from_yaml( + """ title: Test status: test logsource: @@ -1336,8 +1337,10 @@ def test_convert_value_regex_value_list(): field|re|expand: "%test%" condition: sel """ + ) ) - ) == ["field=/pat.*tern\\/foo\\bar/ or field=/pat.*te\\\\rn\\/foo\\bar/"] + == ["field=/pat.*tern\\/foo\\bar/ or field=/pat.*te\\\\rn\\/foo\\bar/"] + ) def test_convert_value_cidr_wildcard_native_ipv4(test_backend): diff --git a/tests/test_modifiers.py b/tests/test_modifiers.py index cb247e4..aa642a8 100644 --- a/tests/test_modifiers.py +++ b/tests/test_modifiers.py @@ -493,7 +493,9 @@ def test_expand(dummy_detection_item): def test_expand_re(dummy_detection_item): - assert SigmaExpandModifier(dummy_detection_item, []).modify(SigmaRegularExpression("test%var%test")).regexp.s == ( + assert SigmaExpandModifier(dummy_detection_item, []).modify( + SigmaRegularExpression("test%var%test") + ).regexp.s == ( "test", Placeholder("var"), "test",