-
-
Save nbareil/452845cc310557caa6e19a0379dc4ed5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import glob | |
| import unittest | |
| import re | |
| from libads import ADS # Our Python library for parsing https://github.com/palantir/alerting-detection-strategy-framework | |
| class ADSTester(unittest.TestCase): | |
| def setUp(self): | |
| self.filenames = glob.glob("S*.md") | |
| def test_splunk_no_escaped_wildcard(self): | |
| escaped_wildcard = re.compile(r"(?<!\\)\\\*") | |
| for fn in self.filenames: | |
| a = ADS(fn) | |
| alerts = a.get_splunk_alerts() | |
| for alert in alerts: | |
| with self.subTest(filename=fn): | |
| assert escaped_wildcard.search(alert.query) == None | |
| def test_splunk_bad_string_escape(self): | |
| esc_str = re.compile(r"(?<!\\)\\[a-zaA-Z0-9]+") | |
| for fn in self.filenames: | |
| a = ADS(fn) | |
| alerts = a.get_splunk_alerts() | |
| for alert in alerts: | |
| with self.subTest(filename=fn): | |
| for cmd in alert.query.split("|"): | |
| if re.match(r"^\s*(regex|rex)\s", cmd): | |
| # ignore real regexp commands | |
| continue | |
| assert not esc_str.search(cmd) | |
| def test_splunk_unbalanced_quotes(self): | |
| for fn in self.filenames: | |
| a = ADS(fn) | |
| alerts = a.get_splunk_alerts() | |
| for alert in alerts: | |
| count = 0 | |
| with self.subTest(filename=fn): | |
| prev = alert.query[0] | |
| for char in alert.query[1:]: | |
| if char == '"' and prev != "\\": | |
| count += 1 | |
| prev = char | |
| assert (count % 2) == 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment