fix: [stix2 export] Making stix2-validator happy with email additional header fields

2019-07-01 15:07:37 +02:00 · 2019-07-01 15:07:37 +02:00 · 941e9d593b
parent ec93e56187
commit 941e9d593b
2 changed files with 7 additions and 11 deletions
--- a/app/files/scripts/stix2/misp2stix2.py
+++ b/app/files/scripts/stix2/misp2stix2.py
@ -824,7 +824,7 @@ class StixBuilder():
    def resolve_email_object_observable(self, attributes, object_id):
        observable = {}
        message = defaultdict(list)
-        reply_to = []
+        additional_header = {}
        object_num = 0
        for attribute in attributes:
            self.parse_galaxies(attribute['Galaxy'], object_id)
@ -840,8 +840,6 @@ class StixBuilder():
                    else:
                        message[mapping].append(object_str)
                    object_num += 1
-                elif relation == 'reply-to':
-                    reply_to.append(attribute_value)
                elif relation == 'attachment':
                    object_str = str(object_num)
                    body = {"content_disposition": "{}; filename='{}'".format(relation, attribute_value),
@ -849,11 +847,9 @@ class StixBuilder():
                    message['body_multipart'].append(body)
                    observable[object_str] = {'type': 'file', 'name': attribute_value}
                    object_num += 1
-                elif relation == 'x-mailer':
-                    if 'additional_header_fields' in message:
-                        message['additional_header_fields']['X-Mailer'] = attribute_value
-                    else:
-                        message['additional_header_fields'] = {'X-Mailer': attribute_value}
+                elif relation in ('x-mailer', 'reply-to'):
+                    key = '-'.join([part.capitalize() for part in relation.split('-')])
+                    additional_header[key] = attribute_value
                else:
                    message[mapping] = attribute_value
            except Exception:
@ -862,8 +858,8 @@ class StixBuilder():
                    message[mapping] = {'value': attribute_value, 'data': attribute['data']}
                else:
                    message[mapping] = attribute_value
-        if reply_to and 'additional_header_fields' in message:
-            message['additional_header_fields']['Reply-To'] = reply_to
+        if additional_header:
+            message['additional_header_fields'] = additional_header
        message['type'] = 'email-message'
        if 'body_multipart' in message:
            message['is_multipart'] = True
--- a/app/files/scripts/stix2/misp2stix2_mapping.py
+++ b/app/files/scripts/stix2/misp2stix2_mapping.py
@ -188,7 +188,7 @@ def pattern_regkey_value(_, attribute_value):

 def observable_reply_to(_, attribute_value):
    return {'0': {'type': 'email-addr', 'value': attribute_value},
-            '1': {'type': 'email-message', 'additional_header_fields': {'Reply-To': ['0']}, 'is_multipart': 'false'}}
+            '1': {'type': 'email-message', 'additional_header_fields': {'Reply-To': '0'}, 'is_multipart': 'false'}}

 def pattern_reply_to(_, attribute_value):
    return "[email-message:additional_header_fields.reply_to = '{}']".format(attribute_value)