Merge remote-tracking branch 'origin/topic/awelzel/move-disabling-analyzer-out-of-global'

* origin/topic/awelzel/move-disabling-analyzer-out-of-global: analyzer: Move disabling_analyzer() hook into Analyzer module
2025-10-02 06:38:20 +00:00 · 2023-01-31 14:48:56 +01:00 · 2023-01-31 14:48:56 +01:00 · be44c642e1
commit be44c642e1
parent 023daf4ba8 26b1558cd1
7 changed files with 81 additions and 21 deletions
--- a/3
+++ b/3
@ -274,6 +274,9 @@ Changed Functionality
 Deprecated Functionality
 ------------------------

+- The global ``disabling_analyzer()`` hook has been deprecated and replaced
+  with ``Analyzer::disabling_analyzer()`` that has the same semantics.
+
 - The ``analyzer_confirmation`` and ``analyzer_violation`` events have been
  deprecated in favor of the more generic ``analyzer_confirmation_info`` and
  ``analyzer_violation_info`` events.
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -597,23 +597,32 @@ type fa_metadata: record {
 	inferred: bool &default=T;
 };

-## A hook taking a connection, analyzer tag and analyzer id that can be
-## used to veto disabling analyzers. Specifically, an analyzer can be prevented
-## from being disabled by using a :zeek:see:`break` statement within the hook.
-## This hook is invoked synchronously during a :zeek:see:`disable_analyzer` call.
-##
-## Scripts implementing this hook should have other logic that will eventually
-## disable the analyzer for the given connection. That is, if a script vetoes
-## disabling an analyzer, it takes responsibility for a later call to
-## :zeek:see:`disable_analyzer`, which may be never.
-##
-## c: The connection
-##
-## atype: The type / tag of the analyzer being disabled.
-##
-## aid: The analyzer ID.
-type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count);
+## Same as :zeek:see:`Analyzer::disabling_analyzer`, but deprecated due
+## to living in the global namespace.
+type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count) &redef &deprecated="Remove in v6.1. Use Analyzer::disabling_analyzer() instead.";

+module Analyzer;
+export {
+	## A hook taking a connection, analyzer tag and analyzer id that can be
+	## used to veto disabling protocol analyzers. Specifically, an analyzer
+	## can be prevented from being disabled by using a :zeek:see:`break`
+	## statement within the hook.
+	## This hook is invoked synchronously during a :zeek:see:`disable_analyzer` call.
+	##
+	## Scripts implementing this hook should have other logic that will eventually
+	## disable the analyzer for the given connection. That is, if a script vetoes
+	## disabling an analyzer, it takes responsibility for a later call to
+	## :zeek:see:`disable_analyzer`, which may be never.
+	##
+	## c: The connection
+	##
+	## atype: The type / tag of the analyzer being disabled.
+	##
+	## aid: The analyzer ID.
+	type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count) &redef;
+}
+
+module GLOBAL;
 ## Fields of a SYN packet.
 ##
 ## .. zeek:see:: connection_SYN_packet
--- a/src/zeek.bif
+++ b/src/zeek.bif
@ -4697,7 +4697,10 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
 		return zeek::val_mgr->False();
 		}

+	// Remove in v6.1: Global disabling_analyzer is to be removed.
 	static auto disabling_analyzer_hook = id::find_func("disabling_analyzer");
+	static auto analyzer_disabling_analyzer_hook = id::find_func("Analyzer::disabling_analyzer");
+
 	if ( disabling_analyzer_hook )
 		{
 		auto hook_rval = disabling_analyzer_hook->Invoke(c->GetVal(), a->GetAnalyzerTag().AsVal(),
@ -4706,6 +4709,14 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
 			return zeek::val_mgr->False();
 		}

+	if ( analyzer_disabling_analyzer_hook )
+		{
+		auto hook_rval = analyzer_disabling_analyzer_hook->Invoke(c->GetVal(), a->GetAnalyzerTag().AsVal(),
+		                                                 zeek::val_mgr->Count(aid));
+		if ( hook_rval && ! hook_rval->AsBool() )
+			return zeek::val_mgr->False();
+		}
+
 	if ( prevent )
 		a->Parent()->PreventChildren(a->GetAnalyzerTag());

--- a/testing/btest/Baseline/bifs.disable_analyzer-hook-module/out
+++ b/testing/btest/Baseline/bifs.disable_analyzer-hook-module/out
@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+http_request, GET, /style/enhanced.css
+prevent disabling
+F
+http_request, GET, /script/urchin.js
+prevent disabling
+F
+http_request, GET, /images/template/screen/bullet_utility.png
+prevent disabling
+F
+http_request, GET, /images/template/screen/key-point-top.png
+prevent disabling
+F
+http_request, GET, /projects/calendar/images/header-sunbird.png
+prevent disabling
+F
--- a/testing/btest/bifs/disable_analyzer-hook-module.zeek
+++ b/testing/btest/bifs/disable_analyzer-hook-module.zeek
@ -0,0 +1,21 @@
+# @TEST-DOC: Hook Analyzer::disabling_analyzer in a module
+# @TEST-EXEC: zeek -b -r $TRACES/http/pipelined-requests.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/http
+
+module MyHTTP;
+
+
+# Prevent disabling all analyzers.
+hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
+	{
+	print("prevent disabling");
+	break;
+	}
+
+event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
+	{
+	print "http_request", method, original_URI;
+	print disable_analyzer(c$id, current_analyzer(), T, T);
+	}
--- a/testing/btest/bifs/disable_analyzer-hook.zeek
+++ b/testing/btest/bifs/disable_analyzer-hook.zeek
@ -6,7 +6,7 @@

 global msg_count: table[conn_id] of count &default=0;

-event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=10
+event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=10
 	{
 	if ( atype != Analyzer::ANALYZER_HTTP )
 		return;
@ -15,7 +15,7 @@ event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
 	}

 # Prevent disabling all analyzers.
-hook disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
+hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
 	{
 	if ( msg_count[c$id] < 4 )
 		{
--- a/testing/btest/scripts/base/protocols/ssl/prevent-disable-analyzer.test
+++ b/testing/btest/scripts/base/protocols/ssl/prevent-disable-analyzer.test
@ -17,7 +17,7 @@ global encrypted_data_wanted = 4;

 # Prevent disabling the SSL analyzer for this connection until we've seen encrypted_data_wanted
 # encrypted data events on it. Our ssl_encrypted_data event handler has the inverse condition.
-hook disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
+hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
 	{
 	print "disabling_analyzer", c$id, atype, aid;
 	if ( atype != Analyzer::ANALYZER_SSL || ! c?$ssl )
@ -37,9 +37,9 @@ event ssl_established(c: connection)
 	print "established", c$id;
 	}

-event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
+event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
 	{
-	print "analyzer_confirmation", c$id, atype, aid;
+	print "analyzer_confirmation", info$c$id, atype, info$aid;
 	}

 event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)