From efb0a88eebd34d5320e7d06dbfa334183d776dbe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Georg=20Sch=C3=B6lly?= <georg.schoelly@joesecurity.org>
Date: Tue, 4 Jun 2019 11:29:40 +0200
Subject: [PATCH] joesandbox_query.py: improve behavior in unexpected
 circumstances

---
 .../modules/expansion/joesandbox_query.py     | 49 +++++++++----------
 1 file changed, 23 insertions(+), 26 deletions(-)

diff --git a/misp_modules/modules/expansion/joesandbox_query.py b/misp_modules/modules/expansion/joesandbox_query.py
index 27ced1b..dce63ea 100644
--- a/misp_modules/modules/expansion/joesandbox_query.py
+++ b/misp_modules/modules/expansion/joesandbox_query.py
@@ -9,21 +9,7 @@ mispattributes = {'input': ['link'], 'format': 'misp_standard'}
 moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
               'description': 'Query Joe Sandbox API with a report URL to get the parsed data.',
               'module-type': ['expansion']}
-moduleconfig = ['apiurl', 'apikey', 'accept-tac']
-
-
-class _ParseError(Exception):
-    pass
-
-
-def _parse_bool(value, name="bool"):
-    if value is None or value == "":
-        return None
-    if value in ("true", "True"):
-        return True
-    if value in ("false", "False"):
-        return False
-    raise _ParseError("Cannot parse {}. Must be 'true' or 'false'".format(name))
+moduleconfig = ['apiurl', 'apikey']
 
 
 def handler(q=False):
@@ -34,21 +20,32 @@ def handler(q=False):
     apikey = request['config'].get('apikey')
     if not apikey:
         return {'error': 'No API key provided'}
+
+    url = request['attribute']['value']
+    if "/submissions/" not in url:
+        return {'error': "The URL does not point to a Joe Sandbox analysis."}
+
+    submission_id = url.split('/')[-1]  # The URL has the format https://example.net/submissions/12345
+    joe = jbxapi.JoeSandbox(apiurl=apiurl, apikey=apikey, user_agent='MISP joesandbox_query')
+
     try:
-        accept_tac = _parse_bool(request['config'].get('accept-tac'), 'accept-tac')
-    except _ParseError as e:
+        joe_info = joe.submission_info(submission_id)
+    except jbxapi.ApiError as e:
         return {'error': str(e)}
-    attribute = request['attribute']
-    joe = jbxapi.JoeSandbox(apiurl=apiurl, apikey=apikey, user_agent='MISP joesandbox_analysis', accept_tac=accept_tac)
-    joe_info = joe.submission_info(attribute['value'].split('/')[-1])
+
+    if joe_info["status"] != "finished":
+        return {'error': "The analysis has not finished yet."}
+
+    if joe_info['most_relevant_analysis'] is None:
+        return {'error': "No analysis belongs to this submission."}
+
+    analysis_webid = joe_info['most_relevant_analysis']['webid']
+
     joe_parser = JoeParser()
-    most_relevant = joe_info['most_relevant_analysis']['webid']
-    for analyse in joe_info['analyses']:
-        if analyse['webid'] == most_relevant:
-            joe_data = json.loads(joe.analysis_download(most_relevant, 'jsonfixed')[1])
-            joe_parser.parse_data(joe_data['analysis'])
-            break
+    joe_data = json.loads(joe.analysis_download(analysis_webid, 'jsonfixed')[1])
+    joe_parser.parse_data(joe_data['analysis'])
     joe_parser.finalize_results()
+
     return {'results': joe_parser.results}