
Docinfo oletools #2143

Merged
merged 16 commits into from
Mar 4, 2024

Conversation

federicofantini
Contributor

Description

  • added support for password detection during ole file decryption
  • added extraction of cve in KNOWN_CLSIDS oletools data

Type of change

  • Bug fix (non-breaking change which fixes an issue).
  • New feature (non-breaking change which adds functionality).
  • Breaking change (fix or feature that would cause existing functionality to not work as expected).

Checklist

  • I have read and understood the rules about how to Contribute to this project
  • The pull request is for the branch develop
  • A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
    • I strictly followed the documentation "How to create a Plugin"
    • Usage file was updated.
    • Advanced-Usage was updated (in case the plugin provides additional optional configuration).
    • If the plugin requires mocked testing, _monkeypatch() was used in its class to apply the necessary decorators.
    • I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
    • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
    • If you created a new analyzer and it is free (does not require API keys), please add it in the FREE_TO_USE_ANALYZERS playbook by following this guide.
    • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
    • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
  • If external libraries/packages with restrictive licenses were used, they were added in the Legal Notice section.
  • Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
  • I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
  • If changes were made to an existing model/serializer/view, the docs were updated and regenerated (check CONTRIBUTE.md).
  • If the GUI has been modified:
    • I have provided a screenshot of the result in the PR.
    • I have created new frontend tests for the new component or updated existing ones.

Contributor

@code-review-doctor code-review-doctor bot left a comment


Some things to consider. View full project report here.

@@ -168,6 +172,25 @@ def analyze_for_follina_cve(self) -> List[str]:
hits += re.findall(r"mhtml:(https?://.*?)!", target)
return hits

def analyze_for_cve(self) -> Dict:
pattern = r"CVE-\d{4}-\d{4,7}"
cve = dict()
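Review bot: the regex in `pattern = r"CVE-\d{4}-\d{4,7}"` is case-sensitive and has no boundaries, so a description written as "cve-..." is missed and a longer digit run is only partially matched (the first seven digits are taken); compiling it once with `re.IGNORECASE` and `\b` on both ends would be more robust. The bare `Dict` on `def analyze_for_cve(self) -> Dict:` could also state the nested shape the method builds, `Dict[str, Dict[str, List[str]]]`, since callers need to know it.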
Contributor


Suggested change
cve = dict()
cve = {}

Using dict literal syntax is simpler and computationally quicker. Read more.

Comment on lines 182 to 192
if matches := re.findall(pattern, clsid_text):
for match in matches:
if match in cve:
if clsid in cve[match]:
cve[match][clsid].append(clsid_text)
cve[match][clsid] = list(set(cve[match][clsid])) # uniq
else:
cve[match][clsid] = [clsid_text]
else:
cve[match] = {clsid: [clsid_text]}
return cve
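Review bot: in the branch `cve[match][clsid].append(clsid_text)` followed by `cve[match][clsid] = list(set(cve[match][clsid]))`, rebuilding the list from a set after every append drops insertion order and rescans the whole list each time; checking `if clsid_text not in cve[match][clsid]` before appending keeps the order and avoids the rebuild, and `cve.setdefault(match, {}).setdefault(clsid, [])` would collapse the three-way if/else into two lines with the same result.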
Member


I would take all texts where there is at least the "CVE" word, then I would extract the CVE numbers if they are available. In this way you can extract even the cases when the description just says "probably related to CVEs..."
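One way to implement the approach suggested above (keep every description that mentions "CVE", then pull out the ids where present), as an added stand-alone example that is not the PR's analyzer code; the CLSID table and CVE ids are constructed placeholders rather than oletools' KNOWN_CLSIDS data, and descriptions with no parsable id are kept under an invented "CVE-UNSPECIFIED" key so the hint is not lost:

```python
import re
from typing import Dict, List

# Constructed sample in the shape of oletools' KNOWN_CLSIDS (clsid -> description).
# The GUIDs and CVE ids are placeholders, not real identifiers.
SAMPLE_CLSIDS = {
    "11111111-1111-1111-1111-111111111111": "OLE object (CVE-2099-00001, CVE-2099-00002)",
    "22222222-2222-2222-2222-222222222222": "OLE object (cve-2099-00001; also CVE-2099-00001)",
    "33333333-3333-3333-3333-333333333333": "Control, probably related to CVEs (see advisory)",
    "44444444-4444-4444-4444-444444444444": "Harmless embedded object",
}

# Compiled once; case-insensitive and bounded so "cve-..." is found and
# a longer digit run is not partially matched.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)

UNSPECIFIED = "CVE-UNSPECIFIED"  # invented bucket for "mentions CVE, no id"


def analyze_for_cve(clsids: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Group CLSID descriptions by the CVE ids they name.

    Result shape follows the PR: {cve_id: {clsid: [description, ...]}}.
    A description that contains the word CVE but no parsable id is filed
    under UNSPECIFIED so an analyst still sees the hint.
    """
    cve: Dict[str, Dict[str, List[str]]] = {}
    for clsid, text in clsids.items():
        if "cve" not in text.lower():
            continue  # no CVE hint at all; skip
        ids = [m.upper() for m in CVE_RE.findall(text)] or [UNSPECIFIED]
        for cve_id in ids:
            texts = cve.setdefault(cve_id, {}).setdefault(clsid, [])
            if text not in texts:  # dedupe while keeping insertion order
                texts.append(text)
    return cve
```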

@mlodic mlodic merged commit cc9e035 into develop Mar 4, 2024
12 checks passed
@mlodic mlodic deleted the docinfo_oletools branch March 22, 2024 16:36