Fix: escape escpae characters in strings

thomaspatzke · thomaspatzke · commit a1895524fce6 · 2025-12-14T23:55:03.000+01:00
diff --git a/sigma/types.py b/sigma/types.py
@@ -572,7 +572,9 @@ def convert(
         of these characters in a string will raise a SigmaValueError.
         """
         s = ""
-        escaped_chars = frozenset((wildcard_multi or "") + (wildcard_single or "") + add_escaped)
+        escaped_chars = frozenset(
+            (wildcard_multi or "") + (wildcard_single or "") + escape_char + add_escaped
+        )
 
         for c in iter(self):
             if isinstance(c, str):  # c is plain character
diff --git a/tests/test_conversion_base.py b/tests/test_conversion_base.py
@@ -426,7 +426,31 @@ def test_convert_value_str_startswith_trailing_backslash(test_backend):
                 """
             )
         )
-        == ['mappedA startswith "foobar\\"']
+        == ['mappedA startswith "foobar\\\\"']
+    )
+
+
+def test_convert_value_str_startswith_trailing_backslash_no_startswith_expression(
+    test_backend, monkeypatch
+):
+    monkeypatch.setattr(test_backend, "startswith_expression", None)
+    assert (
+        test_backend.convert(
+            SigmaCollection.from_yaml(
+                """
+                    title: Test
+                    status: test
+                    logsource:
+                        category: test_category
+                        product: test_product
+                    detection:
+                        sel:
+                            fieldA|startswith: "foobar\\\\"
+                        condition: sel
+                """
+            )
+        )
+        == ['mappedA match "foobar\\\\*"']
     )
 
 
@@ -753,7 +777,31 @@ def test_convert_value_str_contains_trailing_backslash(test_backend):
                 """
             )
         )
-        == ['mappedA contains "foobar\\"']
+        == ['mappedA contains "foobar\\\\"']
+    )
+
+
+def test_convert_value_str_contains_trailing_backslash_no_contains_expression(
+    test_backend, monkeypatch
+):
+    monkeypatch.setattr(test_backend, "contains_expression", None)
+    assert (
+        test_backend.convert(
+            SigmaCollection.from_yaml(
+                """
+                    title: Test
+                    status: test
+                    logsource:
+                        category: test_category
+                        product: test_product
+                    detection:
+                        sel:
+                            fieldA|contains: "foobar\\\\"
+                        condition: sel
+                """
+            )
+        )
+        == ['mappedA match "*foobar\\\\*"']
     )
 
 
