feat: implement ACLs for module fields (#243)

Allow controlling the access to certain fields in a module using compiler features. This introduces a `Compiler::enable_feature` method that allows enabling features with arbitrary names. These features can be used in the `.proto` file that defines a YARA-X module for controlling whether a structure field is accesible or not. You can force a field to become accessible only when one more features has been enabled in the compiler.

Author: plusvic

Cargo.lock

@@ -77,11 +77,11 @@ num-derive = "0.4.2"
 p256 = "0.13.2"
 p384 = "0.13.0"
 pretty_assertions = "1.4.0"
-protobuf = "3.5.1"
-protobuf-codegen = "3.5.1"
-protobuf-json-mapping = "3.5.1"
-protobuf-parse = "3.5.1"
-protobuf-support = "3.5.1"
+protobuf = "3.7.1"
+protobuf-codegen = "3.7.1"
+protobuf-json-mapping = "3.7.1"
+protobuf-parse = "3.7.1"
+protobuf-support = "3.7.1"
 quanta = "0.12.3"
 rayon = "1.10.0"
 regex-syntax = "0.8.4"

Cargo.toml

@@ -273,6 +273,56 @@ enum YRX_RESULT yrx_compiler_add_source_with_origin(struct YRX_COMPILER *compile
 enum YRX_RESULT yrx_compiler_ignore_module(struct YRX_COMPILER *compiler,
                                            const char *module);
 
+// Enables a feature on this compiler.
+//
+// When defining the structure of a module in a `.proto` file, you can
+// specify that certain fields are accessible only when one or more
+// features are enabled. For example, the snippet below shows the
+// definition of a field named `requires_foo_and_bar`, which can be
+// accessed only when both features "foo" and "bar" are enabled.
+//
+// ```protobuf
+// optional uint64 requires_foo_and_bar = 500 [
+//   (yara.field_options) = {
+//     acl: [
+//       {
+//         allow_if: "foo",
+//         error_title: "foo is required",
+//         error_label: "this field was used without foo"
+//       },
+//       {
+//         allow_if: "bar",
+//         error_title: "bar is required",
+//         error_label: "this field was used without bar"
+//       }
+//     ]
+//   }
+// ];
+// ```
+//
+// If some of the required features are not enabled, using this field in
+// a YARA rule will cause an error while compiling the rules. The error
+// looks like:
+//
+// ```text
+// error[E034]: foo is required
+//  --> line:5:29
+//   |
+// 5 |  test_proto2.requires_foo_and_bar == 0
+//   |              ^^^^^^^^^^^^^^^^^^^^ this field was used without foo
+//   |
+// ```
+//
+// Notice that both the title and label in the error message are defined
+// in the .proto file.
+//
+// # Important
+//
+// This API is hidden from the public documentation because it is unstable
+// and subject to change.
+enum YRX_RESULT yrx_compiler_enable_feature(struct YRX_COMPILER *compiler,
+                                            const char *feature);
+
 // Tell the compiler that a YARA module can't be used.
 //
 // Import statements for the banned module will cause an error. The error

capi/include/yara_x.h

@@ -159,6 +159,75 @@ pub unsafe extern "C" fn yrx_compiler_ignore_module(
     YRX_RESULT::SUCCESS
 }
 
+/// Enables a feature on this compiler.
+///
+/// When defining the structure of a module in a `.proto` file, you can
+/// specify that certain fields are accessible only when one or more
+/// features are enabled. For example, the snippet below shows the
+/// definition of a field named `requires_foo_and_bar`, which can be
+/// accessed only when both features "foo" and "bar" are enabled.
+///
+/// ```protobuf
+/// optional uint64 requires_foo_and_bar = 500 [
+///   (yara.field_options) = {
+///     acl: [
+///       {
+///         allow_if: "foo",
+///         error_title: "foo is required",
+///         error_label: "this field was used without foo"
+///       },
+///       {
+///         allow_if: "bar",
+///         error_title: "bar is required",
+///         error_label: "this field was used without bar"
+///       }
+///     ]
+///   }
+/// ];
+/// ```
+///
+/// If some of the required features are not enabled, using this field in
+/// a YARA rule will cause an error while compiling the rules. The error
+/// looks like:
+///
+/// ```text
+/// error[E034]: foo is required
+///  --> line:5:29
+///   |
+/// 5 |  test_proto2.requires_foo_and_bar == 0
+///   |              ^^^^^^^^^^^^^^^^^^^^ this field was used without foo
+///   |
+/// ```
+///
+/// Notice that both the title and label in the error message are defined
+/// in the .proto file.
+///
+/// # Important
+///
+/// This API is hidden from the public documentation because it is unstable
+/// and subject to change.
+#[no_mangle]
+pub unsafe extern "C" fn yrx_compiler_enable_feature(
+    compiler: *mut YRX_COMPILER,
+    feature: *const c_char,
+) -> YRX_RESULT {
+    let compiler = if let Some(compiler) = compiler.as_mut() {
+        compiler
+    } else {
+        return YRX_RESULT::INVALID_ARGUMENT;
+    };
+
+    let feature = if let Ok(module) = CStr::from_ptr(feature).to_str() {
+        module
+    } else {
+        return YRX_RESULT::INVALID_ARGUMENT;
+    };
+
+    compiler.inner.enable_feature(feature);
+
+    YRX_RESULT::SUCCESS
+}
+
 /// Tell the compiler that a YARA module can't be used.
 ///
 /// Import statements for the banned module will cause an error. The error

capi/src/compiler.rs

@@ -3,7 +3,7 @@ use crate::compiler::{
     yrx_compiler_build, yrx_compiler_create, yrx_compiler_define_global_bool,
     yrx_compiler_define_global_float, yrx_compiler_define_global_int,
     yrx_compiler_define_global_str, yrx_compiler_destroy,
-    yrx_compiler_new_namespace,
+    yrx_compiler_enable_feature, yrx_compiler_new_namespace,
 };
 use crate::{
     yrx_buffer_destroy, yrx_last_error, yrx_rule_identifier,
@@ -139,6 +139,9 @@ fn capi() {
             some_str.as_ptr(),
         );
 
+        let feature = CString::new(b"foo").unwrap();
+        yrx_compiler_enable_feature(compiler, feature.as_ptr());
+
         let namespace = CString::new(b"foo").unwrap();
         yrx_compiler_new_namespace(compiler, namespace.as_ptr());
         yrx_compiler_add_source(compiler, src.as_ptr());

capi/src/tests.rs

@@ -178,6 +178,7 @@ pub fn scan() -> Command {
                 .help("Abort scanning after the given number of seconds")
                 .value_parser(value_parser!(u64).range(1..))
         )
+
 }
 
 #[cfg(feature = "rules-profiling")]

cli/src/commands/scan.rs

@@ -51,6 +51,16 @@ func IgnoreModule(module string) CompileOption {
 	}
 }
 
+// WithFeature enables a feature while compiling rules.
+//
+// NOTE: This API is still experimental and subject to change.
+func WithFeature(feature string) CompileOption {
+	return func(c *Compiler) error {
+		c.features = append(c.features, feature)
+		return nil
+	}
+}
+
 // BanModule is an option for [NewCompiler] and [Compile] that allows
 // banning the use of a given module.
 //
@@ -223,6 +233,7 @@ type Compiler struct {
 	ignoredModules     map[string]bool
 	bannedModules      map[string]bannedModule
 	vars               map[string]interface{}
+	features           []string
 }
 
 // NewCompiler creates a new compiler.
@@ -231,6 +242,7 @@ func NewCompiler(opts ...CompileOption) (*Compiler, error) {
 		ignoredModules: make(map[string]bool),
 		bannedModules:  make(map[string]bannedModule),
 		vars:           make(map[string]interface{}),
+		features:       make([]string, 0),
 	}
 
 	for _, opt := range opts {
@@ -266,6 +278,9 @@ func (c *Compiler) initialize() error {
 	for name, _ := range c.ignoredModules {
 		c.ignoreModule(name)
 	}
+	for _, feature := range c.features {
+		c.enableFeature(feature)
+	}
 	for name, v := range c.bannedModules {
 		c.banModule(name, v.errTitle, v.errMsg)
 	}
@@ -335,6 +350,18 @@ func (c *Compiler) AddSource(src string, opts ...SourceOption) error {
 	return nil
 }
 
+// enableFeature enables a compiler feature.
+// See: [WithFeature].
+func (c *Compiler) enableFeature(feature string) {
+	cFeature := C.CString(feature)
+	defer C.free(unsafe.Pointer(cFeature))
+	result := C.yrx_compiler_enable_feature(c.cCompiler, cFeature)
+	if result != C.SUCCESS {
+		panic("yrx_compiler_enable_feature failed")
+	}
+	runtime.KeepAlive(c)
+}
+
 // ignoreModule tells the compiler to ignore the module with the given name.
 //
 // Any YARA rule using the module will be ignored, as well as rules that depends

go/compiler.go

@@ -145,6 +145,29 @@ func TestError(t *testing.T) {
 	assert.EqualError(t, err, expected)
 }
 
+func TestCompilerFeatures(t *testing.T) {
+	rules := `import "test_proto2" rule test { condition: test_proto2.requires_foo_and_bar }`
+
+	_, err := Compile(rules)
+	assert.EqualError(t, err, `error[E100]: foo is required
+ --> line:1:57
+  |
+1 | import "test_proto2" rule test { condition: test_proto2.requires_foo_and_bar }
+  |                                                         ^^^^^^^^^^^^^^^^^^^^ this field was used without foo
+  |`)
+
+	_, err = Compile(rules, WithFeature("foo"))
+	assert.EqualError(t, err, `error[E100]: bar is required
+ --> line:1:57
+  |
+1 | import "test_proto2" rule test { condition: test_proto2.requires_foo_and_bar }
+  |                                                         ^^^^^^^^^^^^^^^^^^^^ this field was used without bar
+  |`)
+
+	_, err = Compile(rules, WithFeature("foo"), WithFeature("bar"))
+	assert.NoError(t, err)
+}
+
 func TestErrors(t *testing.T) {
 	c, err := NewCompiler()
 	assert.NoError(t, err)

go/compiler_test.go

@@ -208,19 +208,6 @@ func (r *Rules) Destroy() {
 	runtime.SetFinalizer(r, nil)
 }
 
-// This is the callback called by yrx_rules_iterate, when Rules.GetRules is
-// called.
-//
-//export onRule
-func onRule(rule *C.YRX_RULE, handle C.uintptr_t) {
-	h := cgo.Handle(handle)
-	rules, ok := h.Value().(*[]*Rule)
-	if !ok {
-		panic("onRule didn't receive a *[]Rule")
-	}
-	*rules = append(*rules, newRule(rule))
-}
-
 // Slice returns a slice with all the individual rules contained in this
 // set of compiled rules.
 func (r *Rules) Slice() []*Rule {

go/main.go

@@ -1,7 +1,9 @@
-use itertools::Itertools;
 use std::mem::size_of;
 use std::rc::Rc;
 
+use itertools::Itertools;
+use rustc_hash::FxHashSet;
+
 use yara_x_parser::ast::{Ident, WithSpan};
 
 use crate::compiler::errors::{CompileError, UnknownPattern};
@@ -41,6 +43,9 @@ pub(crate) struct CompileContext<'a, 'src, 'sym> {
     /// Warnings generated during the compilation.
     pub warnings: &'a mut Warnings,
 
+    /// Enabled features. See [`crate::Compiler::enable_feature`] for details.
+    pub features: &'a FxHashSet<String>,
+
     /// Stack of variables. These are local variables used during the
     /// evaluation of rule conditions, for example for storing loop variables.
     pub vars: VarStack,