
chore: sync upstream changes (1c788083)#73

Merged
willdurand merged 26 commits into
amofrom
sync/upstream-1c788083
Jun 29, 2026

Conversation

@willdurand

Member

fixes #72

plusvic and others added 26 commits June 18, 2026 16:32
Replaces the direct `_meta: Option` argument in module `main` functions with a `ModuleContext` parameter.

This provides a more extensible and structured way for modules to access scan-related context and module-specific metadata. Modules can now retrieve their associated metadata via `ctx.get_module_metadata("module_name")`.
This also includes a minor refactoring to use a `module_by_name` helper.
The new `zip` module enables YARA rules to extract metadata from ZIP archives, such as filenames, compression methods, and sizes of individual entries. This enhances YARA's ability to analyze compressed files by providing structured access to their contents.
…e (#685)

Bumps [undici](https://github.com/nodejs/undici) from 7.24.1 to 7.28.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.1...v7.28.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Implement modules `olecf` and `vba`. The former allows inspecting OLE-CF files, the latter allows extracting VBA macros from documents.

---------

Co-authored-by: David Magnotti <78613347+davidmagnotti@users.noreply.github.com>
…ming modifiers (#689)

The header constraints optimization introduced in #676 prunes a pattern at
scan time when the file header can't satisfy the bytes the pattern requires
at offset 0 (e.g. `$a at 0`). The bytes were taken from the pattern's literal
text, ignoring its modifiers.

For patterns with the `xor`, `nocase`, `wide`, `base64` or `base64wide`
modifiers, the bytes that actually appear in the scanned data differ from the
literal text (they are XORed with a key, case-folded, interleaved with zeroes
or base64-encoded). Deriving a header constraint from the literal text in
those cases is incorrect: it requires the file to start with the plaintext
bytes, so a legitimate match at offset 0 gets pruned and the rule fails to
match.

For example, this rule did not match a file starting with "Hello" XORed with
key 0x01, even though the match is exactly at offset 0:

```
rule t { strings: $a = "Hello" xor condition: $a at 0 }
```

---------

Co-authored-by: Victor M. Alvarez <vmalvarez@virustotal.com>
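An added example (not yara-x code) illustrating the commit above: `prunes_ignoring_modifiers` reproduces the described pruning from the literal bytes alone, and `prunes_honoring_modifier` shows one modifier-aware form of the check. The function names and the `Modifier` enum are assumptions, base64 is omitted, and the xor branch is an illustration of a correct check rather than a claim about how upstream implemented the fix.

```rust
// Added example, not yara-x code: a header constraint derived from the literal
// text misbehaves when the modifiers of `$a = "Hello" xor` are ignored.
#[derive(Clone, Copy)]
enum Modifier {
    None,   // plain literal
    Xor,    // every byte XORed with one single-byte key (0..=255)
    Nocase, // ASCII case-insensitive
    Wide,   // each byte followed by 0x00 (UTF-16LE style)
}

/// The behaviour the commit describes: prune from the literal bytes alone.
/// Returns true when the pattern would be pruned for `header`.
fn prunes_ignoring_modifiers(header: &[u8], literal: &[u8]) -> bool {
    !header.starts_with(literal)
}

/// Modifier-aware check: true only when no data starting with `header`
/// can contain the (modified) pattern at offset 0.
fn prunes_honoring_modifier(header: &[u8], literal: &[u8], modifier: Modifier) -> bool {
    let n = literal.len();
    if n == 0 {
        return false; // nothing to constrain on
    }
    match modifier {
        Modifier::None => !header.starts_with(literal),
        Modifier::Nocase => header.len() < n || !header[..n].eq_ignore_ascii_case(literal),
        Modifier::Wide => {
            // Compare against the interleaved form, not the plain literal.
            let wide: Vec<u8> = literal.iter().flat_map(|&b| [b, 0u8]).collect();
            !header.starts_with(&wide)
        }
        Modifier::Xor => {
            // One key applies to every byte: derive it from the first byte and
            // require it to explain the rest (key 0 is the plaintext case).
            let key = header.first().map_or(0, |h| h ^ literal[0]);
            header.len() < n || !header.iter().zip(literal).all(|(h, l)| *h ^ key == *l)
        }
    }
}

fn main() {
    // Constructed input: "Hello" XORed with key 0x01, the commit's own example.
    let xored: Vec<u8> = b"Hello".iter().map(|b| b ^ 0x01u8).collect();
    let buggy = prunes_ignoring_modifiers(&xored, b"Hello");
    let fixed = prunes_honoring_modifier(&xored, b"Hello", Modifier::Xor);
    println!("pruned ignoring modifiers: {buggy}, honoring xor: {fixed}");
}
```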
Add the machine types from the current Microsoft PE format spec that
were missing from the `Machine` enum: ALPHA, ALPHA64/AXP64, ARM64EC,
ARM64X, LOONGARCH32/64, R3000(BE), R10000, RISCV32/64/128. Enable
allow_alias since AXP64 shares value 0x0284 with ALPHA64.

Values taken from the Microsoft PE format documentation:
https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#machine-types

* tests: fix test case.

---------

Co-authored-by: Victor M. Alvarez <vmalvarez@virustotal.com>
Add a debug assertion to ensure that all `PatternFlags` are explicitly accounted for when determining if a pattern can be used to derive a header constraint. This helps prevent future regressions if new flags are added without considering their impact on this logic.
Single-byte patterns, such as `$a = "a"` or `{ 01 }`, can be very inefficient to scan as they match every occurrence of that byte. Previously, only repetitions of 0x00, 0x90, or 0xff were flagged as slow.
…ed binary data.

When `Rules::deserialize` is used for deserializing rules from binary data, we must guarantee that the binary data is not manipulated by untrusted third parties, as this poses a security risk. With these changes the risks are not eliminated, but they are mitigated by making sure that your program will panic in such cases and doesn't produce undefined behavior.
willdurand merged commit cfaaa33 into amo Jun 29, 2026
1 check passed
willdurand deleted the sync/upstream-1c788083 branch June 29, 2026 08:31


Development

Successfully merging this pull request may close these issues.

Upstream sync failed: merge conflict (1c788083)

4 participants