Merge pull request #327 from zaphodef/cuckooimport

fix: prevent symlink attacks
pull/328/head v2.4.114
Alexandre Dulaunoy 2019-08-22 11:33:59 +02:00 committed by GitHub
commit 30d9567e8c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 0 deletions


@ -3,6 +3,7 @@ import base64
import io import io
import logging import logging
import posixpath import posixpath
import stat
import tarfile import tarfile
import zipfile import zipfile
from pymisp import MISPEvent, MISPObject, MISPAttribute from pymisp import MISPEvent, MISPObject, MISPAttribute
@ -241,6 +242,10 @@ class CuckooParser():
self.files = { self.files = {
info.filename: z.open(info) info.filename: z.open(info)
for info in z.filelist for info in z.filelist
# only extract the regular files and dirs, we don't
# want any symbolic link
if stat.S_ISREG(info.external_attr >> 16)
or stat.S_ISDIR(info.external_attr >> 16)
} }
else: else:
# the archive was probably downloaded from the API # the archive was probably downloaded from the API
@ -249,6 +254,9 @@ class CuckooParser():
self.files = { self.files = {
info.name: f.extractfile(info) info.name: f.extractfile(info)
for info in f.getmembers() for info in f.getmembers()
# only extract the regular files and dirs, we don't
# want any symbolic link
if info.isreg() or info.isdir()
} }
# We want to keep the order of the keys of sub-dicts in the report, # We want to keep the order of the keys of sub-dicts in the report,
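Review bot: In the zip branch, `stat.S_ISREG(info.external_attr >> 16)` and `stat.S_ISDIR(...)` only pass entries whose Unix file-type bits are set, so an archive whose members carry no type bits would have every member filtered out and `self.files` left empty. That covers zips written on a non-Unix host (high word zero) and files added with Python's `ZipFile.writestr(name, data)` (permission bits only). Keeping the allowlist but accepting an empty type field avoids this while still rejecting symlinks: `if stat.S_IFMT(info.external_attr >> 16) in (0, stat.S_IFREG, stat.S_IFDIR)`. Separately, both comprehensions still key the dict on `info.filename` / `info.name` unmodified, so if those names are later joined onto a filesystem path (not visible in these hunks), absolute names and `..` components would need their own check. The enclosing CuckooParser method starts and ends outside the hunks.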