diff --git a/stix2/properties.py b/stix2/properties.py
index d236ba2..9f8849b 100644
--- a/stix2/properties.py
+++ b/stix2/properties.py
@@ -558,9 +558,13 @@ class EnumProperty(StringProperty):
 class PatternProperty(StringProperty):
+ def __init__(self, spec_version=stix2.DEFAULT_VERSION, **kwargs):
+ self.spec_version = spec_version
+ super(PatternProperty, self).__init__(**kwargs)
+
 def clean(self, value):
 cleaned_value = super(PatternProperty, self).clean(value)
- errors = run_validator(cleaned_value)
+ errors = run_validator(cleaned_value, self.spec_version)
 if errors:
 raise ValueError(str(errors[0]))
diff --git a/stix2/test/v20/test_indicator.py b/stix2/test/v20/test_indicator.py
index b2836e5..8fe8d5d 100644
--- a/stix2/test/v20/test_indicator.py
+++ b/stix2/test/v20/test_indicator.py
@@ -192,3 +192,36 @@ def test_invalid_indicator_pattern():
 assert excinfo.value.cls == stix2.v20.Indicator
 assert excinfo.value.prop_name == 'pattern'
 assert 'mismatched input' in excinfo.value.reason
+
+
+def test_indicator_stix21_invalid_pattern():
+ now = dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
+ epoch = dt.datetime(1970, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
+
+ ind1 = stix2.v21.Indicator(
+ type="indicator",
+ id=INDICATOR_ID,
+ created=now,
+ modified=now,
+ pattern="[EXISTS windows-registry-key:values]",
+ pattern_type="stix",
+ valid_from=epoch,
+ indicator_types=['malicious-activity'],
+ )
+
+ assert ind1.id == INDICATOR_ID
+ assert ind1.pattern == "[EXISTS windows-registry-key:values]"
+
+ with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
+ stix2.v20.Indicator(
+ type="indicator",
+ id=INDICATOR_ID,
+ created=now,
+ modified=now,
+ pattern="[EXISTS windows-registry-key:values]",
+ valid_from=epoch,
+ labels=["malicious-activity"],
+ )
+
+ assert excinfo.value.cls == stix2.v20.Indicator
+ assert "FAIL: Error found at line 1:8. no viable alternative at input 'EXISTS" in str(excinfo.value)
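Review bot: `PatternProperty.__init__` stores `spec_version` without checking it, so a mistyped or unsupported value is only seen when `clean()` hands it to `run_validator`, and what the validator does with an unknown version is not visible here. Since this property is the gate that rejects malformed indicator patterns, I would fail early in the constructor, e.g. `if spec_version not in ('2.0', '2.1'): raise ValueError("unsupported spec_version: %r" % (spec_version,))` (those are the two values the callers in this commit pass). The default `stix2.DEFAULT_VERSION` is bound once when the class body is evaluated and relies on `stix2` being imported in this module, which the hunk does not show. A short docstring on `__init__` saying that `spec_version` selects the pattern grammar would also help; the class body continues outside the hunk.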
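Review bot: The final assertion in `test_indicator_stix21_invalid_pattern` pins the full parser message (`"FAIL: Error found at line 1:8. no viable alternative at input 'EXISTS"`), which presumably originates in the pattern validator's parser rather than in this library, so an upgrade of that dependency could break the test without any change in behaviour. Asserting the failing property, as the neighbouring test does with `assert excinfo.value.prop_name == 'pattern'`, plus a shorter substring such as `'EXISTS'` would check the same thing more robustly. The same applies to the message match in `test_indicator_stix20_invalid_pattern` in stix2/test/v21/test_indicator.py. Each of the two tests also mixes an accept case and a reject case; splitting them would make a failure easier to read.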
diff --git a/stix2/test/v21/test_indicator.py b/stix2/test/v21/test_indicator.py
index d786000..ff5c7cc 100644
--- a/stix2/test/v21/test_indicator.py
+++ b/stix2/test/v21/test_indicator.py
@@ -251,3 +251,36 @@ def test_indicator_with_custom_embed_objs_extra_props_error():
 assert excinfo.value.cls == stix2.v21.Indicator
 assert excinfo.value.properties == ['bad_custom_prop']
 assert str(excinfo.value) == "Unexpected properties for Indicator: (bad_custom_prop)."
+
+
+def test_indicator_stix20_invalid_pattern():
+ now = dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
+ epoch = dt.datetime(1970, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
+
+ ind1 = stix2.v20.Indicator(
+ type="indicator",
+ id=INDICATOR_ID,
+ created=now,
+ modified=now,
+ pattern="[win-registry-key:key = 'hkey_local_machine\\\\foo\\\\bar'] WITHIN 5 SECONDS WITHIN 6 SECONDS",
+ valid_from=epoch,
+ labels=["malicious-activity"],
+ )
+
+ assert ind1.id == INDICATOR_ID
+ assert ind1.pattern == "[win-registry-key:key = 'hkey_local_machine\\\\foo\\\\bar'] WITHIN 5 SECONDS WITHIN 6 SECONDS"
+
+ with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
+ stix2.v21.Indicator(
+ type="indicator",
+ id=INDICATOR_ID,
+ created=now,
+ modified=now,
+ pattern="[win-registry-key:key = 'hkey_local_machine\\\\foo\\\\bar'] WITHIN 5 SECONDS WITHIN 6 SECONDS",
+ pattern_type="stix",
+ valid_from=epoch,
+ indicator_types=['malicious-activity'],
+ )
+
+ assert excinfo.value.cls == stix2.v21.Indicator
+ assert "FAIL: The same qualifier is used more than once" in str(excinfo.value)
diff --git a/stix2/v20/sdo.py b/stix2/v20/sdo.py
index 44fe6fd..c1f480d 100644
--- a/stix2/v20/sdo.py
+++ b/stix2/v20/sdo.py
@@ -124,7 +124,7 @@ class Indicator(STIXDomainObject):
 ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
 ('name', StringProperty()),
 ('description', StringProperty()),
- ('pattern', PatternProperty(required=True)),
+ ('pattern', PatternProperty(required=True, spec_version='2.0')),
 ('valid_from', TimestampProperty(default=lambda: NOW)),
 ('valid_until', TimestampProperty()),
 ('kill_chain_phases', ListProperty(KillChainPhase)),
diff --git a/stix2/v21/sdo.py b/stix2/v21/sdo.py
index b775833..250d4a1 100644
--- a/stix2/v21/sdo.py
+++ b/stix2/v21/sdo.py
@@ -200,7 +200,7 @@ class Indicator(STIXDomainObject):
 ('name', StringProperty()),
 ('description', StringProperty()),
 ('indicator_types', ListProperty(StringProperty, required=True)),
- ('pattern', PatternProperty(required=True)),
+ ('pattern', PatternProperty(required=True, spec_version='2.1')),
 ('pattern_type', StringProperty(required=True)),
 ('pattern_version', StringProperty()),
 ('valid_from', TimestampProperty(default=lambda: NOW, required=True)),
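Review bot: In the stix2/v21/sdo.py hunk, `pattern` is always checked against the STIX 2.1 pattern grammar, yet `pattern_type` directly below it is a free `StringProperty`, so from the visible lines an Indicator whose `pattern_type` is not `"stix"` would still have its pattern run through the STIX validator and be rejected. Unless something outside this hunk already handles that, the grammar check should be conditional on `pattern_type == "stix"`, which needs an object-level check because a property's `clean()` cannot see sibling properties. A test that builds a v21 Indicator with a non-STIX `pattern_type` would pin the intended behaviour. The property list continues outside the hunk.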