Add new hook HookLoadFileExtended that allows plugins to supply Zeek script code to parse.

The new hooks works similar to the existing `HookLoadFile` but, additionally, allows the plugin to return a string that contains the code to be used for the file being loaded. If the plugin does so, the content of any actual file on disk will be ignored (in fact, there doesn't even need to be a file on disk in that case). This works for both Zeek scripts and signatures. There's a new test that covers the new functionality, testing loading both scripts and signatures from memory. I also manually tested that the debugger integration works, but I don't see much of a way to add a regression test for that part. We keep the existing hook as well for backwards compatibility. We could decide to deprecate it, but not sure that buys us much, so left that out. Closes #1757.
2025-10-03 23:28:20 +00:00 · 2021-09-24 12:50:27 +02:00 · 2021-09-24 12:50:27 +02:00 · 34eaf42b92
commit 34eaf42b92
parent 1efaf8d7a4
21 changed files with 1525 additions and 92 deletions
--- a/testing/btest/plugins/plugin-load-file-extended/src/Plugin.cc
+++ b/testing/btest/plugins/plugin-load-file-extended/src/Plugin.cc
@ -0,0 +1,70 @@
+
+#include "Plugin.h"
+
+namespace btest::plugin::Testing_LoadFileExtended
+	{
+Plugin plugin;
+	}
+
+using namespace btest::plugin::Testing_LoadFileExtended;
+
+zeek::plugin::Configuration Plugin::Configure()
+	{
+	EnableHook(zeek::plugin::HOOK_LOAD_FILE_EXT);
+
+	zeek::plugin::Configuration config;
+	config.name = "Testing::LoadFileExtended";
+	config.version.major = 0;
+	config.version.minor = 1;
+	config.version.patch = 4;
+	return config;
+	}
+
+#include <iostream>
+
+std::pair<int, std::optional<std::string>> Plugin::HookLoadFileExtended(const LoadType type,
+                                                                        const std::string& file,
+                                                                        const std::string& resolved)
+	{
+	if ( type == LoadType::SCRIPT && file == "xxx" )
+		{
+		printf("HookLoadExtended/script: file=|%s| resolved=|%s|\n", file.c_str(), resolved.c_str());
+
+		return std::make_pair(1, R"(
+			event zeek_init() {
+				print "new zeek_init(): script has been replaced";
+			}
+
+			event signature_match(state: signature_state, msg: string, data: string) {
+				print msg;
+			}
+		)");
+		}
+
+	if ( type == LoadType::SCRIPT && file == "yyy" )
+		{
+		printf("HookLoadExtended/script: file=|%s| resolved=|%s|\n", file.c_str(), resolved.c_str());
+
+		return std::make_pair(1, R"(
+			event zeek_init() {
+				print "new zeek_init(): script has been added";
+			}
+		)");
+		}
+
+	if ( type == LoadType::SIGNATURES && file == "abc.sig" )
+		{
+		printf("HookLoadExtended/signature: file=|%s| resolved=|%s|\n", file.c_str(), resolved.c_str());
+
+		return std::make_pair(1, R"(
+		signature my-sig {
+			ip-proto == tcp
+			payload /GET \/images/
+			event "signature works!"
+			}
+		)");
+		}
+
+	return std::make_pair(-1, std::nullopt);
+	}
+
--- a/testing/btest/plugins/plugin-load-file-extended/src/Plugin.h
+++ b/testing/btest/plugins/plugin-load-file-extended/src/Plugin.h
@ -0,0 +1,18 @@
+
+#pragma once
+
+#include <zeek/plugin/Plugin.h>
+
+namespace btest::plugin::Testing_LoadFileExtended {
+
+class Plugin : public zeek::plugin::Plugin
+{
+protected:
+	// Overridden from zeek::plugin::Plugin.
+	zeek::plugin::Configuration Configure() override;
+    std::pair<int, std::optional<std::string>> HookLoadFileExtended(const Plugin::LoadType type, const std::string& file, const std::string& resolved) override;
+};
+
+extern Plugin plugin;
+
+}