Merge pull request #1916 from jan-cerny/rhbz2126882

evgenyz · web-flow · commit bd49a1f600d6 · 2023-01-19T11:55:59.000+01:00
Fix error when processing OVAL filters
diff --git a/src/OVAL/oval_sexp.c b/src/OVAL/oval_sexp.c
@@ -770,11 +770,10 @@ int oval_state_to_sexp(void *sess, struct oval_state *state, SEXP_t **out_sexp)
 			var = oval_entity_get_variable(ent);
 			dt = oval_entity_get_datatype(ent);
 
-			if (oval_varref_elm_to_sexp(sess, var, dt, &val_lst, NULL) != 0)
-				goto fail;
-
-			SEXP_list_add(ste_ent, val_lst);
-			SEXP_free(val_lst);
+			if (oval_varref_elm_to_sexp(sess, var, dt, &val_lst, NULL) == 0) {
+				SEXP_list_add(ste_ent, val_lst);
+				SEXP_free(val_lst);
+			}
 		}
 
 		SEXP_list_add(ste, ste_ent);
diff --git a/tests/API/OVAL/unittests/CMakeLists.txt b/tests/API/OVAL/unittests/CMakeLists.txt
@@ -30,6 +30,7 @@ add_oscap_test("test_skip_valid.sh")
 add_oscap_test("test_state_check_existence.sh")
 add_oscap_test("test_statetype_operator.sh")
 add_oscap_test("test_variable_conversion.sh")
+add_oscap_test("test_variable_in_filter.sh")
 add_oscap_test("test_without_syschars.sh")
 add_oscap_test("test_xmlns_missing.sh")
 add_oscap_test("test_xsinil_envv58_pid.sh")
diff --git a/tests/API/OVAL/unittests/test_variable_in_filter.sh b/tests/API/OVAL/unittests/test_variable_in_filter.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+. $builddir/tests/test_common.sh
+
+set -e
+set -o pipefail
+
+result=`mktemp`
+stdout=`mktemp`
+stderr=`mktemp`
+echo "secret_key" > /tmp/key_file
+
+$OSCAP oval eval --results "$result" "$srcdir/test_variable_in_filter.xml" > "$stdout" 2> "$stderr"
+grep "Failed to convert OVAL state to SEXP" "$stderr" && exit 1
+assert_exists 1 '//oval_results/results/system/definitions/definition[@result="true"]'
+assert_exists 0 '//oval_results/results/system/definitions/definition[@result!="true"]'
+
+rm -f "$result" "$stdout" "$stderr" /tmp/key_file
diff --git a/tests/API/OVAL/unittests/test_variable_in_filter.xml b/tests/API/OVAL/unittests/test_variable_in_filter.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0"?>
+<oval:oval_definitions xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
+  <oval:generator>
+    <ns2:product_name>jcerny</ns2:product_name>
+    <ns2:product_version>2.0</ns2:product_version>
+    <ns2:schema_version>5.11</ns2:schema_version>
+    <ns2:timestamp>2023-01-10T14:25:10</ns2:timestamp>
+  </oval:generator>
+  <oval:definitions>
+    <oval:definition class="compliance" id="oval:x:def:1" version="1">
+      <oval:metadata>
+        <oval:title>Test rhbz#2126882</oval:title>
+        <oval:description>This definition contains a filter that references a variable that depends on an entity that does not exist on the system.</oval:description>
+      </oval:metadata>
+      <oval:criteria operator="AND">
+        <oval:criterion comment="file_test" test_ref="oval:x:tst:1"/>
+      </oval:criteria>
+    </oval:definition>
+  </oval:definitions>
+  <oval:tests>
+    <ns3:file_test check="all" comment="file_test" id="oval:x:tst:1" version="1">
+      <ns3:object object_ref="oval:x:obj:1"/>
+    </ns3:file_test>
+  </oval:tests>
+  <oval:objects>
+    <ns3:file_object comment="object with a filter" id="oval:x:obj:1" version="1">
+      <ns3:path>/tmp</ns3:path>
+      <ns3:filename operation="pattern match">^key_file$</ns3:filename>
+      <oval:filter action="exclude">oval:x:ste:1</oval:filter>
+    </ns3:file_object>
+    <ns4:textfilecontent54_object comment="object that doesn't exist, used in variable that is used in filter" id="oval:x:obj:2" version="1" >
+      <ns4:filepath>/nonexistent</ns4:filepath>
+      <ns4:pattern operation="pattern match">^ssh_keys:\w+:(\w+):.*</ns4:pattern>
+      <ns4:instance datatype="int" operation="equals">1</ns4:instance>
+    </ns4:textfilecontent54_object>
+  </oval:objects>
+  <oval:states>
+    <ns3:file_state comment="state used in filter, references a variable" id="oval:x:ste:1" version="1">
+      <ns3:path>/tmp</ns3:path>
+      <ns3:filename operation="pattern match">^key_file$</ns3:filename>
+      <ns3:group_id datatype="int" var_ref="oval:x:var:1"/>
+      <ns3:user_id datatype="int">0</ns3:user_id>
+      <ns3:suid datatype="boolean">false</ns3:suid>
+      <ns3:sgid datatype="boolean">false</ns3:sgid>
+      <ns3:sticky datatype="boolean">false</ns3:sticky>
+      <ns3:uexec datatype="boolean">false</ns3:uexec>
+      <ns3:gwrite datatype="boolean">false</ns3:gwrite>
+      <ns3:gexec datatype="boolean">false</ns3:gexec>
+      <ns3:oread datatype="boolean">false</ns3:oread>
+      <ns3:owrite datatype="boolean">false</ns3:owrite>
+      <ns3:oexec datatype="boolean">false</ns3:oexec>
+    </ns3:file_state>
+  </oval:states>
+  <oval:variables>
+    <oval:local_variable id="oval:x:var:1" datatype="int" version="1" comment="variable used in state, referencing object that doesn't exist">
+      <oval:object_component item_field="subexpression" object_ref="oval:x:obj:2"/>
+    </oval:local_variable>
+  </oval:variables>
+</oval:oval_definitions>
