Improved code detection accuracy

Model/Detector/Language.php

@@ -89,7 +89,7 @@ public function encodeQuery($fieldName, $fieldValue, &$threats)
                 ]
             ], [
                 'id' => static::RESCODE_SCRIPT_INJECTION,
-                'reason' => __('Javascript brainfuck detected'),
+                'reason' => __('JS-fuck detected'),
                 'regex' => [
                     '!\\s*!\\s*\\[\\s*\\]' => DetectorInterface::SCORE_CRITICAL_MATCH,
                     '\\+\\s*\\[\\s*\\]' => DetectorInterface::SCORE_CRITICAL_MATCH,
@@ -100,34 +100,33 @@ public function encodeQuery($fieldName, $fieldValue, &$threats)
         $this->detectorRegex->scanRegex($this, $regex, $fieldValue, $threats);
 
         $encoded = [];
-        if (preg_match('/\b(?:and|or|xor|not)\b/i', $fieldValue)) {
+        if (preg_match('/\b(?:and|or|xor|not)\b/i', $fieldValue, $matches)) {
             $encoded[] = 'L'; // Logical match
         }
-        if (preg_match('/\![^=]/i', $fieldValue)) {
+        if (preg_match('/\![^=]/i', $fieldValue, $matches)) {
             $encoded[] = 'L'; // Logical match
         }
-        if (preg_match('/[^\|&](?:&&|\|\|)[^\|&]/', $fieldValue)) {
+        if (preg_match('/[^\|&](?:&&|\|\|)[^\|&]/', $fieldValue, $matches)) {
             $encoded[] = 'L'; // Logical match
         }
-        if (preg_match('/[^\.:](?:\.|\->|::)[^\.:]/i', $fieldValue)) {
+        if (preg_match('/(?:\w|\)|\]|\/)\\s*(?:\.|\->|::)\\s*(\w|_)/i', $fieldValue, $matches)) {
             $encoded[] = 'M'; // Method call match
         }
-        if (preg_match('/[^=]=[^~=]/i', $fieldValue)) {
+        if (preg_match('/(?:=<>~)/i', $fieldValue, $matches)) {
             $encoded[] = 'E'; // Assignment match
         }
-        if (preg_match('/(?:<|>|<=|>=|==|===|!=|==|<=>|=~)/i', $fieldValue)) {
-            $encoded[] = 'C'; // Comparison match
-        }
-        if (preg_match('/(?:\+|\-|%|\||&|<<|>>|~|\^|\*)=?/i', $fieldValue)) {
+        if (preg_match('/(?:\+|\-|%|\||&|<<|>>|~|\^|\*)=?/i', $fieldValue, $matches)) {
             $encoded[] = 'O'; // Operation match
         }
-        if (preg_match('/(?:\{|\[|\(|\)|\]|\})/i', $fieldValue)) {
+        if (preg_match('/(?:\{|\})/i', $fieldValue, $matches)) {
             $encoded[] = 'F'; // Function match
         }
+        if (preg_match('/(?:\[|\(|\)|\])/i', $fieldValue, $matches)) {
+            $encoded[] = 'P'; // Parenthesis match
+        }
 
         $encoded = array_unique($encoded);
         sort($encoded);
-
         $encoded = implode('', $encoded);
 
         return $encoded;
@@ -143,13 +142,13 @@ protected function evaluateEncodedQuery($encodedQuery, array &$threats)
         if (
             (strlen($encodedQuery) > 2)
         ) {
-            if (preg_match('/.*E.*F/', $encodedQuery) ||
-                preg_match('/.*F.*L/', $encodedQuery) ||
-                ($encodedQuery > 3)
+            if (preg_match('/.*F.*M.*P/', $encodedQuery) ||
+                preg_match('/.*F.*L.*P/', $encodedQuery) ||
+                strlen($encodedQuery > 4)
             ) {
                 $score = DetectorInterface::SCORE_CRITICAL_MATCH;
             } else {
-                $score = DetectorInterface::SCORE_SUSPICIOUS_MATCH;
+                $score = DetectorInterface::SCORE_HIGH_PROBABILITY_MATCH;
             }
 
             $threat = $this->threatInterfaceFactory->create();

Model/Detector/SqlInjection.php

@@ -506,27 +506,6 @@ protected function evaluateEncodedQuery($encodedQuery, array &$threats)
         ];
 
         $this->detectorRegex->scanRegex($this, $regex, $encodedQuery, $threats);
-
-//        if (strlen($encodedQuery) > 4) {
-//            $neutralTokens = substr_count($encodedQuery, '0') + substr_count($encodedQuery, '1');
-//            if ($neutralTokens < strlen($encodedQuery) / 2) {
-//                $score = DetectorInterface::SCORE_HIGH_PROBABILITY_MATCH;
-//                $score += substr_count($encodedQuery, '#') * DetectorInterface::SCORE_HIGH_PROBABILITY_MATCH;
-//                $score += substr_count($encodedQuery, 'X') * DetectorInterface::SCORE_HIGH_PROBABILITY_MATCH;
-//                $score += substr_count($encodedQuery, '=') * DetectorInterface::SCORE_HIGH_PROBABILITY_MATCH;
-//                $score += substr_count($encodedQuery, '+') * DetectorInterface::SCORE_HIGH_PROBABILITY_MATCH;
-//
-//                $threat = $this->threatInterfaceFactory->create();
-//                $threat
-//                    ->setDetector($this)
-//                    ->setId(static::RESCODE_SQLI_INJECTION)
-//                    ->setAdditional(['encoded' => $encodedQuery])
-//                    ->setReason(__('Suspicious commands sequence'))
-//                    ->setScore($score);
-//
-//                $threats[] = $threat;
-//            }
-//        }
     }
 
     /**

Test/Integration/Model/IpsTest.php

@@ -50,7 +50,7 @@ public function testMySQLInjectionAttackPatterns()
 1' or '1'='1
 1'or'1'='1
 fake@ema'or'il.nl'='il.nl
-1 and user_name() = 'dbo'
+1 and CONCAT(username, '') = 'dbo'
 '; desc admin_user; --
 1' and entity_id = '1
 ' or username is not NULL or username = '
@@ -69,8 +69,6 @@ public function testMySQLInjectionAttackPatterns()
 %20or%20x=x
 23 OR 1=1
 %27%20or%201=1
-%2A%28%7C%28mail%3D%2A%29%29
-%2A%28%7C%28objectclass%3D%2A%29%29
 '||'6
 admin' or '
 ' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
@@ -324,6 +322,8 @@ public function testXssInjections()
 [[#%3Cscript%3Ealert(1)%3C/script%3E|
 a{b:`function(){alert(1)}()`;}
 "><style type=text/less>a{b:`function(){alert(1)}()`;}</style>
+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
+eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0(1)',2,2,'alert|'.split('|'),0,{}))
 __EOF__
 );
 
@@ -369,6 +369,7 @@ public function testNonDangerousContents()
             'I would like to test; Any way?',
             "I'dd like to test this phrase or another one I'll find",
             '123',
+            "Talking about dots.this should. be a dotted. phrase.",
             'A composed-word should not trigger',
             'This is a normal phrase(should not trigger); But I need to check it and test!',
             'someone could -- write this',

etc/module.xml

@@ -21,6 +21,6 @@
 -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
-    <module name="MSP_Shield" setup_version="2.0.2">
+    <module name="MSP_Shield" setup_version="2.0.3">
     </module>
 </config>