Address false positives with dojo.js and YUI (#1018)

egibs · web-flow · commit eb7c927592e1 · 2025-06-26T21:05:29.000-05:00
Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;
diff --git a/rules/anti-static/obfuscation/padding.yara b/rules/anti-static/obfuscation/padding.yara
@@ -9,6 +9,11 @@ rule msxml2_http: critical {
     $not_fileapi  = "MSXML2.XMLHttp.3.0\")}catch(c){b=new ActiveXObject(\"Microsoft.XMLHTTP\")}return b},isArray:l,support:{dnd:s&&\"ondrop\"i"
     $not_i18next1 = "i18nextHttpBackend"
     $not_i18next2 = "u[\"User-Agent\"]=\"i18next-http-backend (node/\".concat(S.process.version,\"; \")"
+    $not_yui1     = "Copyright (c) 2008, Yahoo! Inc. All rights reserved."
+    $not_yui2     = "http://developer.yahoo.net/yui/license.txt"
+    $not_yui3     = "version: 2.6.0"
+    $not_yui4     = "YAHOO.util.Connect={_msxml_progid:[\"Microsoft.XMLHTTP\",\"MSXML2.XMLHTTP.3.0\",\"MSXML2.XMLHTTP\"]"
+    $not_yui5     = "if(typeof YAHOO==\"undefined\"||!YAHOO){var YAHOO={};}YAHOO.namespace=function()"
 
   condition:
     filesize < 128KB and $a and !a > 32 and none of ($not*)
diff --git a/rules/exec/remote_commands/code_eval.yara b/rules/exec/remote_commands/code_eval.yara
@@ -46,10 +46,11 @@ rule js_eval_response: critical {
   strings:
     $val = /eval\(\w{0,16}\.responseText\)/
 
-    $not_ejs = /EJS\.|EJS=/
+    $not_dojo = /dojo(\-|\_|x)/
+    $not_ejs  = /EJS\.|EJS=/
 
   condition:
-    filesize < 1MB and any of ($val*) and not #not_ejs > 0
+    filesize < 1MB and any of ($val*) and not #not_ejs > 0 and not #not_dojo > 0
 }
 
 rule js_eval_near_enough_fromChar: medium {
