Metadata Parsing Errors

[malvidin]

In a few situations, a valid rule fails to be written (using -c or -i) with the following error:

./CCCS-Yara/yara-validator/yara_file_processor.py", line 184, in strings_of_rules_to_original_file
    changed_rule_string = rule.rule_return.validated_rule.splitlines()
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'list' object has no attribute 'splitlines'

These regular expressions appear to the cause of the issue:

CCCS-Yara/yara-validator/yara_validator.py

Lines 246 to 247 in 4cca674

	meta_regex = r'^\s*meta\s*:\s*$'
	next_section = r'^\s*(?:strings|condition)\s*:\s*$'

Based on these expressions:

• meta and : must be on the same line, and be the only contents of that line.
• The following strings or condition and : must be on the same line, and be the only contents of that line.

This breaks otherwise valid rules:

rule testing 
{ meta:
    key = "value"
  condition:
    true
}

rule testing {
  meta:
    key = "value"
  strings: $re = /test/
  condition: $re
}

rule testing 
{ meta:
    key = "value"
  condition: true
}

And on the most extreme end:

rule testing { meta: key = "value" condition: true }

[cccs-rs]

I think in this case, plyara would come in handy. I have to take a look at this more in-depth to see what the original author was doing.