stiximport now uses temporary files to store stix data.

Set max size in config, in bytes
2016-08-12 13:53:23 +01:00 · 2016-08-12 13:53:23 +01:00 · 6db269f965
parent 0089983661
commit 6db269f965
2 changed files with 35 additions and 8 deletions
--- a/misp_modules/modules/import_mod/stiximport.py
+++ b/misp_modules/modules/import_mod/stiximport.py
@ -3,6 +3,7 @@ from stix.core import STIXPackage
 import re
 import base64
 import hashlib
+import tempfile

 misperrors = {'error': 'Error'}
 userConfig = {}
@ -12,7 +13,7 @@ moduleinfo = {'version': '0.1', 'author': 'Hannah Ward',
              'description': 'Import some stix stuff',
              'module-type': ['import']}

-moduleconfig = []
+moduleconfig = ["max_size"]


 def handler(q=False):
@ -33,29 +34,46 @@ def handler(q=False):
    if not package:
        return json.dumps({"success": 0})

+    # Get the maxsize from the config
+    # Default to 10MB
+    # (I believe the max_size arg is given  in bytes)
+    # Check if we were given a configuration
+    memsize = q.get("config", None)
+
+    # If we were, find out if there's a memsize field
+    if memsize:
+        memsize = memsize.get("max_size", 10 * 1024)
+    else:
+        memsize = 10 * 1024
+
    # Load up the package into STIX
-    package = loadPackage(package)
+    package = loadPackage(package, memsize)

    # Build all the observables
    if package.observables:
        for obs in package.observables:
            r["results"].append(buildObservable(obs))

+    # And now the threat actors
    if package.threat_actors:
        for ta in package.threat_actors:
            r["results"].append(buildActor(ta))

+    # Aaaand the indicators
    if package.indicators:
        for ind in package.indicators:
            r["results"].append(buildIndicator(ind))

+    # Are you seeing a pattern?
    if package.exploit_targets:
        for et in package.exploit_targets:
            r["results"].append(buildExploitTarget(et))

+    # LOADING STUFF
    if package.campaigns:
        for cpn in package.campaigns:
            r["results"].append(buildCampaign(cpn))
+
    # Clean up results
    # Don't send on anything that didn't have a value
    r["results"] = [x for x in r["results"] if len(x["values"]) != 0]
@ -178,19 +196,27 @@ def buildObservable(o):
        return r


-def loadPackage(data):
+def loadPackage(data, memsize=1024):
    # Write the stix package to a tmp file
-    with open("/tmp/stixdump", "w") as f:
-        f.write(data)
+
+    temp = tempfile.SpooledTemporaryFile(max_size=int(memsize), mode="w+")
+
+    temp.write(data)
+
+    # Back to the beginning so we can read it again
+    temp.seek(0)
    try:
        # Try loading it into every format we know of
        try:
-            package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
+            package = STIXPackage().from_xml(temp)
        except:
-            package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
+            # We have to seek back again
+            temp.seek(0)
+            package = STIXPackage().from_json(temp)
    except Exception:
        print("Failed to load package")
        raise ValueError("COULD NOT LOAD STIX PACKAGE!")
+    temp.close()
    return package


--- a/tests/test.py
+++ b/tests/test.py
@ -30,7 +30,8 @@ class TestModules(unittest.TestCase):
    def test_stix(self):
        with open("tests/stix.xml", "r") as f:
            data = json.dumps({"module":"stiximport",
-                    "data":str(base64.b64encode(bytes(f.read(), 'utf-8')), 'utf-8')
+                    "data":str(base64.b64encode(bytes(f.read(), 'utf-8')), 'utf-8'),
+                    "config": {"max_size": "15000"},
                   })
            response = requests.post(self.url + "query", data=data)
            print(response.json())