Fixed the type transformation when the given value is a SigmaExpansion

SigmaHQ · Mar 3, 2025 · 6053406 · 6053406
1 parent df4b67d
commit 6053406
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,4 +6,5 @@ dist/
 docs/_build
 coverage.xml
 .python-version
-.idea
+.idea
+.venv
diff --git a/sigma/processing/transformations/values.py b/sigma/processing/transformations/values.py
@@ -25,6 +25,7 @@
 from sigma.types import (
     Placeholder,
     SigmaBool,
+    SigmaExpansion,
     SigmaNull,
     SigmaNumber,
     SigmaRegularExpression,
@@ -361,11 +362,25 @@ class ConvertTypeTransformation(ValueTransformation):
 
     target_type: Literal["str", "num"]
 
-    def apply_value(self, field: str, val: SigmaType) -> Optional[Union[SigmaString, SigmaNumber]]:
+    def apply_value(
+        self, field: str, val: SigmaType
+    ) -> Optional[Union[SigmaString, SigmaNumber, SigmaExpansion]]:
         if self.target_type == "str":
+            if isinstance(val, SigmaExpansion):
+                for i, entry in enumerate(val.values):
+                    val.values[i] = SigmaString(str(entry))
+
+                return val
+
             return SigmaString(str(val))
         elif self.target_type == "num":
             try:
+                if isinstance(val, SigmaExpansion):
+                    for i, entry in enumerate(val.values):
+                        val.values[i] = SigmaNumber(str(entry))
+
+                    return val
+
                 return SigmaNumber(str(val))
             except SigmaValueError:
                 raise SigmaValueError(f"Value '{val}' can't be converted to number for {str(self)}")

diff --git a/tests/test_processing_transformations.py b/tests/test_processing_transformations.py
@@ -61,6 +61,7 @@
 from sigma.types import (
     Placeholder,
     SigmaBool,
+    SigmaExpansion,
     SigmaNull,
     SigmaNumber,
     SigmaQueryExpression,
@@ -1800,6 +1801,27 @@ def test_convert_type_transformation_str_to_num_no_number():
         transformation.apply_detection_item(detection_item)
 
 
+def test_convert_type_transformation_expansion_num_to_str():
+    transformation = ConvertTypeTransformation("str")
+    detection_item = SigmaDetectionItem("field", [], [SigmaExpansion(values=[SigmaNumber(123)])])
+    transformation.apply_detection_item(detection_item)
+    assert detection_item.value[0] == SigmaExpansion(values=[SigmaString("123")])
+
+
+def test_convert_type_transformation_expansion_str_to_num():
+    transformation = ConvertTypeTransformation("num")
+    detection_item = SigmaDetectionItem("field", [], [SigmaExpansion(values=[SigmaString("123")])])
+    transformation.apply_detection_item(detection_item)
+    assert detection_item.value[0] == SigmaExpansion(values=[SigmaNumber(123)])
+
+
+def test_convert_type_transformation_expansion_str_to_num_no_number():
+    transformation = ConvertTypeTransformation("num")
+    detection_item = SigmaDetectionItem("field", [], [SigmaExpansion(values=[SigmaString("abc")])])
+    with pytest.raises(SigmaValueError, match="can't be converted to number"):
+        transformation.apply_detection_item(detection_item)
+
+
 def test_set_state(dummy_pipeline, sigma_rule: SigmaRule):
     transformation = SetStateTransformation("testkey", "testvalue")
     transformation.set_processing_item(