Skip to content

render: don't assume prior matches exist within thread #2612

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Mar 4, 2025
Merged

render: don't assume prior matches exist within thread #2612

merged 6 commits into from
Mar 4, 2025

Conversation

mike-hunhoff
Copy link
Collaborator

No description provided.

@mike-hunhoff mike-hunhoff requested a review from a team February 24, 2025 17:47
github-actions[bot]
github-actions bot previously requested changes Feb 24, 2025
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add bug fixes, new features, breaking changes and anything else you think is worthwhile mentioning to the master (unreleased) section of CHANGELOG.md. If no CHANGELOG update is needed add the following to the PR description: [x] No CHANGELOG update needed

@github-actions github-actions bot dismissed their stale review February 24, 2025 17:49

CHANGELOG updated or no update needed, thanks! 😄

mike-hunhoff
mike-hunhoff commented Feb 24, 2025
View reviewed changes
@williballenthin
Copy link
Collaborator

i don't quite understand the scenario that leads to this. can you share an example?

@mike-hunhoff mike-hunhoff mentioned this pull request Mar 3, 2025
Closed
@mike-hunhoff
Copy link
Collaborator Author

i don't quite understand the scenario that leads to this. can you share an example?

Our test sample tests/data/dynamic/cape/v2.2/0000a65749f5902c4d82ffa701198038f0b4870b00a27cfca109f8f933476d82.json.gz triggers this bug after recent capa rule updates.

This bug is triggered when the rendering logic attempts to render a result containing a namespace match for host-interaction/process/create where two rules within this namespace, create process on Windows and create process suspended, match as capabilities. The logic corrected here assumes all of the matched namespace rules are within the same thread as the result being rendered. create process on Windows is matched in the same thread as the result being rendered but create process suspended is not matched in the same thread as the result being rendered. Therefore, an exception is triggered when create process suspended is processed and matches_in_thread is empty, because there are no matches for the rule in the same thread as the result being rendered.

williballenthin
williballenthin approved these changes Mar 3, 2025
View reviewed changes
@mike-hunhoff mike-hunhoff merged commit 7ecf292 into master Mar 4, 2025
27 checks passed
@mike-hunhoff mike-hunhoff deleted the fix/render/exception branch March 4, 2025 00:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@williballenthin williballenthin williballenthin approved these changes

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mike-hunhoff @williballenthin