From 941e9d593bcead9325ad0d4b209d637b6e319a53 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Mon, 1 Jul 2019 15:07:37 +0200
Subject: [PATCH] fix: [stix2 export] Making stix2-validator happy with email additional header fields
---
 app/files/scripts/stix2/misp2stix2.py | 16 ++++++----------
 app/files/scripts/stix2/misp2stix2_mapping.py | 2 +-
 2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/app/files/scripts/stix2/misp2stix2.py b/app/files/scripts/stix2/misp2stix2.py
index af86350e3..ff8d96165 100644
--- a/app/files/scripts/stix2/misp2stix2.py
+++ b/app/files/scripts/stix2/misp2stix2.py
@@ -824,7 +824,7 @@ class StixBuilder():
 def resolve_email_object_observable(self, attributes, object_id):
 observable = {}
 message = defaultdict(list)
- reply_to = []
+ additional_header = {}
 object_num = 0
 for attribute in attributes:
 self.parse_galaxies(attribute['Galaxy'], object_id)
@@ -840,8 +840,6 @@ class StixBuilder():
 else:
 message[mapping].append(object_str)
 object_num += 1
- elif relation == 'reply-to':
- reply_to.append(attribute_value)
 elif relation == 'attachment':
 object_str = str(object_num)
 body = {"content_disposition": "{}; filename='{}'".format(relation, attribute_value),
@@ -849,11 +847,9 @@ class StixBuilder():
 message['body_multipart'].append(body)
 observable[object_str] = {'type': 'file', 'name': attribute_value}
 object_num += 1
- elif relation == 'x-mailer':
- if 'additional_header_fields' in message:
- message['additional_header_fields']['X-Mailer'] = attribute_value
- else:
- message['additional_header_fields'] = {'X-Mailer': attribute_value}
+ elif relation in ('x-mailer', 'reply-to'):
+ key = '-'.join([part.capitalize() for part in relation.split('-')])
+ additional_header[key] = attribute_value
 else:
 message[mapping] = attribute_value
 except Exception:
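Review bot: In the `@@ -849,11 +847,9 @@` hunk, `additional_header[key] = attribute_value` keeps only the last value when an email object carries more than one `reply-to` (or `x-mailer`) attribute, whereas the removed code accumulated reply-to values in a list, so earlier addresses are now dropped from the export without any trace. If the validator needs a single string per header, the values could be joined rather than overwritten, e.g. `additional_header[key] = ', '.join(filter(None, (additional_header.get(key), attribute_value)))`; failing that, the drop should at least be logged so a consumer knows the bundle is lossy. `resolve_email_object_observable` starts and ends outside this hunk, so whether duplicates are filtered before this branch is not visible here.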
@@ -862,8 +858,8 @@ class StixBuilder():
 message[mapping] = {'value': attribute_value, 'data': attribute['data']}
 else:
 message[mapping] = attribute_value
- if reply_to and 'additional_header_fields' in message:
- message['additional_header_fields']['Reply-To'] = reply_to
+ if additional_header:
+ message['additional_header_fields'] = additional_header
 message['type'] = 'email-message'
 if 'body_multipart' in message:
 message['is_multipart'] = True
diff --git a/app/files/scripts/stix2/misp2stix2_mapping.py b/app/files/scripts/stix2/misp2stix2_mapping.py
index 9770ba84b..be402f1be 100644
--- a/app/files/scripts/stix2/misp2stix2_mapping.py
+++ b/app/files/scripts/stix2/misp2stix2_mapping.py
@@ -188,7 +188,7 @@ def pattern_regkey_value(_, attribute_value):
 def observable_reply_to(_, attribute_value):
 return {'0': {'type': 'email-addr', 'value': attribute_value},
- '1': {'type': 'email-message', 'additional_header_fields': {'Reply-To': ['0']}, 'is_multipart': 'false'}}
+ '1': {'type': 'email-message', 'additional_header_fields': {'Reply-To': '0'}, 'is_multipart': 'false'}}
 def pattern_reply_to(_, attribute_value):
 return "[email-message:additional_header_fields.reply_to = '{}']".format(attribute_value)
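Review bot: On the new `'1'` line of `observable_reply_to`, `{'Reply-To': '0'}` stores the literal string `0` as the header value; as far as I can tell `additional_header_fields` carries header text rather than object references, so a consumer would probably read the Reply-To address as "0" instead of the address held in object `'0'`. The `misp2stix2.py` hunks of this commit store the address itself, so `'additional_header_fields': {'Reply-To': attribute_value}` would match them and keep the value usable for downstream matching. The same line sets `'is_multipart': 'false'` as a string while the builder assigns the boolean `True`; `False` looks like what is intended, worth confirming against the validator. `pattern_reply_to` in the trailing context addresses the key as `reply_to` while the observable uses `Reply-To`, so the pattern and the observable may not refer to the same field.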