oasis-open / cti-pattern-validator

OASIS TC Open Repository: Validate patterns used to express cyber observable content in STIX Indicators

Home Page: https://stix2-patterns.readthedocs.io/

Pattern passes unexpectedly

varnerac opened this issue · comments

The following pattern passes with the latest version installed via pip

$ pip3 install stix2-patterns
Requirement already satisfied: stix2-patterns in /usr/local/lib/python3.6/site-packages
Requirement already satisfied: six in /usr/local/lib/python3.6/site-packages (from stix2-patterns)
Requirement already satisfied: antlr4-python3-runtime==4.7; python_version >= "3" in /usr/local/lib/python3.6/site-packages (from stix2-patterns)
$ validate-patterns
Enter a pattern to validate: [file:hashes.'SHA-256' =? 'bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c' OR file:hashes.MD5 = 'cead3f77f6cda6ec00f57d76c9a6879f'] AND [file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']

PASS: [file:hashes.'SHA-256' =? 'bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c' OR file:hashes.MD5 = 'cead3f77f6cda6ec00f57d76c9a6879f'] AND [file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']

I don't see where =? matches any of the pattern operators. In our STIX2 Patterns parser, this fails. Our parser has a catch-all pattern at the end that returns an unexpected token. Maybe that would fix this issue for your ANTLR implementation?

Well that's an antlr lexer wrinkle that slipped under the radar... I would have expected the lexer to produce an error instead of silently eating the ?. Yeah, adding a default lexer rule triggers the expected error. Thanks for the catch.

@varnerac This should be fixed now, but if not, feel free to reopen.
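As an added illustration of the lexer behaviour discussed in this thread (not code from cti-pattern-validator or its ANTLR grammar), the hand-rolled tokenizer below covers a small subset of STIX 2 pattern syntax and can run with or without a catch-all rule. Without it, `=?` is lexed as `=` and the stray `?` is dropped, so the reported pattern tokenizes cleanly; with it, the unexpected character is reported. The rule set, token names and error wording are assumptions for this example.

```python
import re

# Ordered token rules for a subset of STIX 2 patterns (assumed for this example).
# Earlier rules win, as in an ANTLR lexer.
TOKEN_RULES = [
    ("WS",      r"\s+"),
    ("LBRACK",  r"\["),
    ("RBRACK",  r"\]"),
    ("AND",     r"AND\b"),
    ("OR",      r"OR\b"),
    ("STRING",  r"'(?:[^'\\]|\\.)*'"),                    # 'quoted literal'
    ("OBJPATH", r"[a-z0-9-]+:[A-Za-z0-9_.'-]+"),          # file:hashes.'SHA-256'
    ("OP",      r"(?:<=|>=|!=|=|<|>|LIKE\b|MATCHES\b)"),  # comparison operators
]
COMPILED_RULES = [(name, re.compile(rx)) for name, rx in TOKEN_RULES]

# Pattern from the issue report above (the '?' after '=' is the problem).
REPORTED_PATTERN = (
    "[file:hashes.'SHA-256' =? "
    "'bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c'"
    " OR file:hashes.MD5 = 'cead3f77f6cda6ec00f57d76c9a6879f'] AND "
    "[file:hashes.'SHA-256' = "
    "'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']"
)


def tokenize(pattern, catch_all=True):
    """Return (token_name, text) pairs; whitespace is dropped.

    catch_all=True models a final lexer rule that turns any character no other
    rule matched into an error. catch_all=False models the pre-fix behaviour,
    where the character is skipped and the rest of the input still lexes.
    """
    tokens, pos = [], 0
    while pos < len(pattern):
        for name, rx in COMPILED_RULES:
            match = rx.match(pattern, pos)
            if match:
                if name != "WS":
                    tokens.append((name, match.group()))
                pos = match.end()
                break
        else:  # no rule matched at this offset
            if catch_all:
                raise ValueError(
                    f"unexpected character {pattern[pos]!r} at offset {pos}")
            pos += 1  # silently drop it, as the reporter observed
    return tokens


def lex_errors(pattern):
    """Return the lexer error messages a catch-all rule would raise ([] if none)."""
    try:
        tokenize(pattern, catch_all=True)
    except ValueError as exc:
        return [str(exc)]
    return []
```

Running `tokenize(REPORTED_PATTERN, catch_all=False)` yields a well-formed token stream in which the `=?` operator has become a plain `=`, which is exactly why the pattern passed; `lex_errors(REPORTED_PATTERN)` reports the stray `?` instead.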