From d0e121846ca2a7ee24015275ede56cf3aa671f94 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Wed, 13 Aug 2014 15:21:16 +0200
Subject: [PATCH 1/4] Missing validation for http-method in Shadow-Attributes
---
 app/Model/ShadowAttribute.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/app/Model/ShadowAttribute.php b/app/Model/ShadowAttribute.php
index 5c69a9dc6..bbe566cb7 100644
--- a/app/Model/ShadowAttribute.php
+++ b/app/Model/ShadowAttribute.php
@@ -420,6 +420,13 @@ class ShadowAttribute extends AppModel {
 $returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
 }
 break;
+ case 'http-method':
+ if (preg_match("#(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|VERSION-CONTROL|REPORT|CHECKOUT|CHECKIN|UNCHECKOUT|MKWORKSPACE|UPDATE|LABEL|MERGE|BASELINE-CONTROL|MKACTIVITY|ORDERPATCH|ACL|PATCH|SEARCH)#", $value)) {
+ $returnValue = true;
+ } else {
+ $returnValue = 'Unknown HTTP method.';
+ }
+ break;
 case 'filename':
 // no newline
 if (!preg_match("#\n#", $value)) {
From 26a4f97adb052f5c44f36b4d46ee0351c2760bef Mon Sep 17 00:00:00 2001
From: iglocska
Date: Wed, 13 Aug 2014 15:24:22 +0200
Subject: [PATCH 2/4] Proposal validation now calls the Attribute validation method instead of using the (incorrect) duplication in ShadowAttribute
---
 app/Model/ShadowAttribute.php | 237 +---------------------------------
 1 file changed, 1 insertion(+), 236 deletions(-)
diff --git a/app/Model/ShadowAttribute.php b/app/Model/ShadowAttribute.php
index bbe566cb7..0c578643d 100644
--- a/app/Model/ShadowAttribute.php
+++ b/app/Model/ShadowAttribute.php
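Review bot: The `http-method` regex added in this hunk is unanchored, so a value that merely contains one of the method names as a substring — `FORGET`, `POSTPONED`, or a multi-line string with `GET` somewhere in it — is accepted as a valid HTTP method, whereas every neighbouring case either anchors with `^…$` or rejects newlines. Anchoring the alternation restricts it to an exact method name: `if (preg_match("#^(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|VERSION-CONTROL|REPORT|CHECKOUT|CHECKIN|UNCHECKOUT|MKWORKSPACE|UPDATE|LABEL|MERGE|BASELINE-CONTROL|MKACTIVITY|ORDERPATCH|ACL|PATCH|SEARCH)$#", $value)) {`. Patch 2 of this series deletes this copy of the switch, so the same fix belongs wherever the case is kept, presumably `Attribute::validateAttributeValue` (not shown here). The enclosing `switch` and `validateAttributeValue` both begin and end outside the hunk.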
@@ -394,242 +394,7 @@ class ShadowAttribute extends AppModel { } public function validateAttributeValue($fields) { - $value = $fields['value']; - $returnValue = false; - - // check data validation - switch($this->data['ShadowAttribute']['type']) { - case 'md5': - if (preg_match("#^[0-9a-f]{32}$#", $value)) { - $returnValue = true; - } else { - $returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.'; - } - break; - case 'sha1': - if (preg_match("#^[0-9a-f]{40}$#", $value)) { - $returnValue = true; - } else { - $returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.'; - } - break; - case 'sha256': - if (preg_match("#^[0-9a-f]{64}$#", $value)) { - $returnValue = true; - } else { - $returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.'; - } - break; - case 'http-method': - if (preg_match("#(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|VERSION-CONTROL|REPORT|CHECKOUT|CHECKIN|UNCHECKOUT|MKWORKSPACE|UPDATE|LABEL|MERGE|BASELINE-CONTROL|MKACTIVITY|ORDERPATCH|ACL|PATCH|SEARCH)#", $value)) { - $returnValue = true; - } else { - $returnValue = 'Unknown HTTP method.'; - } - break; - case 'filename': - // no newline - if (!preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'filename|md5': - // no newline - if (preg_match("#^.+\|[0-9a-f]{32}$#", $value)) { - $returnValue = true; - } else { - $returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.'; - } - break; - case 'filename|sha1': - // no newline - if (preg_match("#^.+\|[0-9a-f]{40}$#", $value)) { - $returnValue = true; - } else { - $returnValue = 'Checksum has invalid length or format. 
Please double check the value or select "other" for a type.'; - } - break; - case 'filename|sha256': - // no newline - if (preg_match("#^.+\|[0-9a-f]{64}$#", $value)) { - $returnValue = true; - } else { - $returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.'; - } - break; - case 'ip-src': - $parts = explode("/", $value); - // [0] = the ip - // [1] = the network address - if (count($parts) <= 2 ) { - // ipv4 and ipv6 matching - if (filter_var($parts[0],FILTER_VALIDATE_IP)) { - // ip is validated, now check if we have a valid network mask - if (empty($parts[1])) { - $returnValue = true; - } else { - if (is_numeric($parts[1]) && $parts[1] < 129) { - $returnValue = true; - } - } - } - } - if (!$returnValue) { - $returnValue = 'IP address has invalid format. Please double check the value or select "other" for a type.'; - } - break; - case 'ip-dst': - $parts = explode("/", $value); - // [0] = the ip - // [1] = the network address - if (count($parts) <= 2 ) { - // ipv4 and ipv6 matching - if (filter_var($parts[0],FILTER_VALIDATE_IP)) { - // ip is validated, now check if we have a valid network mask - if (empty($parts[1])) { - $returnValue = true; - } else { - if (is_numeric($parts[1]) && $parts[1] < 129) { - $returnValue = true; - } - } - } - } - if (!$returnValue) { - $returnValue = 'IP address has invalid format. Please double check the value or select "other" for a type.'; - } - break; - case 'named pipe': - if (!preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'hostname': - case 'domain': - if (preg_match("#^[A-Z0-9.-]+\.[A-Z]{2,4}$#i", $value)) { - $returnValue = true; - } else { - $returnValue = 'Domain name has invalid format. 
Please double check the value or select "other" for a type.'; - } - break; - case 'email-src': - // we don't use the native function to prevent issues with partial email addresses - if (preg_match("#^[A-Z0-9._%+-]*@[A-Z0-9.-]+\.[A-Z]{2,4}$#i", $value)) { - $returnValue = true; - } else { - $returnValue = 'Email address has invalid format. Please double check the value or select "other" for a type.'; - } - break; - case 'email-dst': - // we don't use the native function to prevent issues with partial email addresses - if (preg_match("#^[A-Z0-9._%+-]*@[A-Z0-9.-]+\.[A-Z]{2,4}$#i", $value)) { - $returnValue = true; - } else { - $returnValue = 'Email address has invalid format. Please double check the value or select "other" for a type.'; - } - break; - case 'email-subject': - // no newline - if (!preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'email-attachment': - // no newline - if (!preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'url': - // no newline - if (!preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'user-agent': - // no newline - if (!preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'regkey': - // no newline - if (!preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'regkey|value': - // no newline - if (preg_match("#(.)+\|(.)+#", $value) && !preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'vulnerability': - if (preg_match("#^(CVE-)[0-9]{4}(-)[0-9]{4,6}$#", $value)) { - $returnValue = true; - } else { - $returnValue = 'Invalid format. 
Expected: CVE-xxxx-xxxx.'; - } - break; - case 'AS': - case 'snort': - case 'pattern-in-file': - case 'pattern-in-traffic': - case 'pattern-in-memory': - case 'yara': - case 'attachment': - case 'malware-sample': - $returnValue = true; - break; - case 'link': - if (preg_match('#^(http|ftp)(s)?\:\/\/((([a-z|0-9|\-]{1,25})(\.)?){2,7})($|/.*$)#i', $value) && !preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'comment': - case 'text': - case 'other': - $returnValue = true; - break; - case 'target-user': - // no newline - if (!preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'target-email': - if (preg_match("#^[A-Z0-9._%+-]*@[A-Z0-9.-]+\.[A-Z]{2,4}$#i", $value)) { - $returnValue = true; - } else { - $returnValue = 'Email address has invalid format. Please double check the value or select "other" for a type.'; - } - break; - case 'target-machine': - // no newline - if (!preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'target-org': - // no newline - if (!preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'target-location': - // no newline - if (!preg_match("#\n#", $value)) { - $returnValue = true; - } - break; - case 'target-external': - // no newline - if (!preg_match("#\n#", $value)) { - $returnValue = true; - } - } - - return $returnValue; + return $this->Attribute->validateAttributeValue($fields); } public function getCompositeTypes() { From 97eba22b460e27ca615558c716c3564eaff2e67c Mon Sep 17 00:00:00 2001 From: iglocska Date: Wed, 13 Aug 2014 15:35:22 +0200 Subject: [PATCH 3/4] Fix to the previous commit --- app/Model/ShadowAttribute.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Model/ShadowAttribute.php b/app/Model/ShadowAttribute.php index 0c578643d..2946cdf64 100644 --- a/app/Model/ShadowAttribute.php +++ b/app/Model/ShadowAttribute.php 
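Review bot: The `http-method` case that patch 1 added to this switch is removed together with the rest of the duplicated copy, but nothing in the series shows that case existing in `Attribute::validateAttributeValue`, which this hunk now delegates to. If the Attribute switch lacks it (not visible here), proposals of type `http-method` will fail validation after this change and without a message, since a switch initialised with `$returnValue = false` and no matching case returns `false`. Worth confirming that the Attribute copy carries an anchored `http-method` case before merging. `validateAttributeValue`'s whole body is inside the hunk; `getCompositeTypes` continues beyond it.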
@@ -394,7 +394,7 @@ class ShadowAttribute extends AppModel {
 }
 public function validateAttributeValue($fields) {
- return $this->Attribute->validateAttributeValue($fields);
+ return $this->Event->Attribute->validateAttributeValue($fields);
 }
 public function getCompositeTypes() {
From cf3809ef74c9bf1b6a99816b5055a8d4c999a10e Mon Sep 17 00:00:00 2001
From: iglocska
Date: Wed, 13 Aug 2014 16:13:38 +0200
Subject: [PATCH 4/4] Further work on the previous patch
---
 app/Model/Attribute.php | 7 +++++--
 app/Model/ShadowAttribute.php | 3 ++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php
index bcbfda3a6..391bb69ca 100755
--- a/app/Model/Attribute.php
+++ b/app/Model/Attribute.php
@@ -491,10 +491,13 @@ class Attribute extends AppModel {
 public function validateAttributeValue($fields) {
 $value = $fields['value'];
+ return $this->runValidation($value, $this->data['Attribute']['type']);
+ }
+
+ public function runValidation($value, $type) {
 $returnValue = false;
- // check data validation
- switch($this->data['Attribute']['type']) {
+ switch($type) {
 case 'md5':
 if (preg_match("#^[0-9a-f]{32}$#", $value)) {
 $returnValue = true;
diff --git a/app/Model/ShadowAttribute.php b/app/Model/ShadowAttribute.php
index 2946cdf64..681ec69bf 100644
--- a/app/Model/ShadowAttribute.php
+++ b/app/Model/ShadowAttribute.php
@@ -394,7 +394,8 @@ class ShadowAttribute extends AppModel {
 }
 public function validateAttributeValue($fields) {
- return $this->Event->Attribute->validateAttributeValue($fields);
+ $value = $fields['value'];
+ return $this->Event->Attribute->runValidation($value, $this->data['ShadowAttribute']['type']);
 }
 public function getCompositeTypes() {
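Review bot: `runValidation` is introduced as a public, type-driven entry point that other models call, but it carries no docblock describing its contract, and the visible `$returnValue = false;` initialiser means an unrecognised `$type` presumably yields `false` (CakePHP then reports only its generic failure) unless a `default` case exists further down, outside the hunk. A docblock such as `/** Validates $value against the rules for attribute $type; returns true, an error message string, or false when $type matches no case. */` would make that explicit, and a `default:` branch assigning a message would give callers a reason instead of a bare `false`. The `$value` local in `validateAttributeValue` is now a plain pass-through and can be inlined: `return $this->runValidation($fields['value'], $this->data['Attribute']['type']);` — the same applies to the ShadowAttribute hunk in this patch. The `switch` in `runValidation` continues past the end of the hunk.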