inspectFile: False-positive match fixed (#1311)

The operator checks script exit code only and ignores the output.
As the result, false-positive match occurs.

internal/operators/inspect_file.go

@@ -32,11 +32,11 @@ func (o *inspectFile) Evaluate(tx plugintypes.TransactionState, value string) bo
 	defer cancel()
 	// Add /bin/bash to context?
 	cmd := exec.CommandContext(ctx, o.path, value)
-	_, err := cmd.CombinedOutput()
+	output, err := cmd.CombinedOutput()
 	if ctx.Err() == context.DeadlineExceeded || err != nil {
 		return false
 	}
-	return true
+	return len(output) > 0 && output[0] != '1'
 }
 
 func init() {

internal/operators/inspect_file_test.go

@@ -15,7 +15,7 @@ import (
 	"github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
 )
 
-func TestInspectFile(t *testing.T) {
+func TestInspectFileExitCode(t *testing.T) {
 	existCommand := "/bin/echo"
 	if runtime.GOOS == "windows" {
 		existCommand = "C:\\Windows\\system32\\tasklist.exe"
@@ -48,3 +48,38 @@ func TestInspectFile(t *testing.T) {
 		})
 	}
 }
+
+func TestInspectFileOutput(t *testing.T) {
+	existCommand := "/bin/echo"
+	if runtime.GOOS == "windows" {
+		// TODO: Add support for this platform.
+		t.Skip("Skipping test on Windows")
+	}
+
+	ipf, err := newInspectFile(plugintypes.OperatorOptions{Arguments: existCommand})
+	if err != nil {
+		t.Error("cannot init inspectfile operator")
+	}
+
+	tests := []struct {
+		output string
+		match  bool
+	}{
+		{
+			output: "1 clamscan: OK",
+			match:  false,
+		},
+		{
+			output: "0 clamscan: FOUND",
+			match:  true,
+		},
+	}
+	for _, tc := range tests {
+		tt := tc
+		t.Run(tt.output, func(t *testing.T) {
+			if want, have := tt.match, ipf.Evaluate(nil, tt.output); want != have {
+				t.Errorf("inspectfile output '%s': want %t, have %t", tt.output, want, have)
+			}
+		})
+	}
+}