Skip to content

Optimize xpath usage in phishing_blue_button_file_sharing.yml#4832

Merged
IndiaAce merged 2 commits into
mainfrom
jkatzman/phishing-blue-button-has-style-xpath-prefilter
Jul 8, 2026
Merged

Optimize xpath usage in phishing_blue_button_file_sharing.yml#4832
IndiaAce merged 2 commits into
mainfrom
jkatzman/phishing-blue-button-has-style-xpath-prefilter

Conversation

@thunderkatz

@thunderkatz thunderkatz commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Description

If an anchor or its subnodes doesn't have styling, there's no point in running a style-matching regex over its contents. xpath can do this filtering much faster than regex based on the actual attributes of the nodes, with the added bonus that it doesn't have to materialize a navigator for non-matching nodes.

Unlike previous attempts (#4804 and #4817), this one should also be logic neutral, since the regex can (and should) only really match the contents of a style attribute anyway.

Associated samples

n/a

Associated hunts

90d hunt: https://platform.sublime.security/hunts/019f4282-89e2-797b-8292-87f0572b0331
2 results, both the same campaign, actor put style element text in the anchor but didn't actually put them in a style= attribute, so the new xpath filter doesn't grab them. However, given that browsers also don't render those style elements without the actual attribute, I think that makes the rule match the actual output better. Even without this low severity rule, 4 other medium severity rules still match.

Screenshot (insights)

n/a

…e regex

Confirmed against the actual incident message: it has 29,414 <a href> tags
(only 174 unique after dedup -- the same handful of links repeated
thousands of times), and only 1 of those 29,414 anchors has a style
attribute anywhere in its subtree. filter()'s regex ran against all 29,414
regardless, since none are excluded by link count, href scheme, or domain.

Adding [@Style or .//@Style] to the xpath query prunes anchors with zero
chance of matching before any node construction or regex work happens,
without touching the existing regex/domain-check logic at all. Benchmarked
at ~24x faster than the original on the real message (388ms -> 16ms),
outperforming even a full xpath-predicate rewrite of the regex logic,
likely because it's a plain attribute-existence check rather than a
translate()+contains() string comparison.
@github-actions github-actions Bot added the review-needed Indicates that a PR is waiting for review label Jul 8, 2026
@thunderkatz thunderkatz marked this pull request as ready for review July 8, 2026 16:15
@thunderkatz thunderkatz requested a review from a team July 8, 2026 16:15
@thunderkatz thunderkatz requested a review from a team as a code owner July 8, 2026 16:15
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Shared Samples Sync - Action Required

This PR was not automatically synced to shared-samples because the author is not a member of the sublime-security organization.

To enable syncing, an organization member can comment /update-shared-samples on this PR.

Once triggered, the rules will be synced on the next scheduled run (every 10 minutes).

@IndiaAce IndiaAce added this pull request to the merge queue Jul 8, 2026
Merged via the queue into main with commit 47373cc Jul 8, 2026
5 checks passed
@IndiaAce IndiaAce deleted the jkatzman/phishing-blue-button-has-style-xpath-prefilter branch July 8, 2026 19:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants