diff --git a/README.md b/README.md
index d669c53..32e8f15 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ page with an interesting URL, you can click the bookmarklet and see the URL "unf
 ### Local Python Install
-1. Install via pip: `pip install dfir-unfurl`
+1. Install via pip: `pip install dfir-unfurl[all]`
 After Unfurl is installed, you can run use it via the web app or command-line:
@@ -87,6 +87,3 @@ optional arguments:
 If using Docker as above, run: ``docker exec unfurl python -m unittest discover -s unfurl/tests``
-
-## Legal Bit
-This is not an officially supported Google product.
diff --git a/unfurl/__init__.py b/unfurl/__init__.py
index 4c0e18e..ada6cde 100644
--- a/unfurl/__init__.py
+++ b/unfurl/__init__.py
@@ -13,7 +13,7 @@
 # limitations under the License.
 __author__ = "Ryan Benson"
-__version__ = "20241120"
+__version__ = "20241121"
 __email__ = "ryan@dfir.blog"
 import logging
diff --git a/unfurl/parsers/parse_protobuf.py b/unfurl/parsers/parse_protobuf.py
index bbc4561..d541b03 100644
--- a/unfurl/parsers/parse_protobuf.py
+++ b/unfurl/parsers/parse_protobuf.py
@@ -125,8 +125,10 @@ def parse_protobuf_into_nodes(pb_value_dict, pb_types, edge_type=None):
 urlsafe_b64_m = utils.urlsafe_b64_re.fullmatch(node.value)
 standard_b64_m = utils.standard_b64_re.fullmatch(node.value)
 hex_m = utils.hex_re.fullmatch(node.value)
- all_digits_m = utils.digits_re.fullmatch(node.value)
- all_letters_m = utils.letters_re.fullmatch(node.value)
+ # Updating to all letters/digits and forward slashes, to catch URL paths that may,
+ # by some chance, validly decode as protobuf, but really aren't.
+ all_digits_m = utils.digits_and_slash_re.fullmatch(node.value)
+ all_letters_m = utils.letters_and_slash_re.fullmatch(node.value)
 if hex_m and not (all_digits_m or all_letters_m):
 decoded = bytes.fromhex(node.value)
diff --git a/unfurl/utils.py b/unfurl/utils.py
index 9eca63d..d9beed5 100644
--- a/unfurl/utils.py
+++ b/unfurl/utils.py
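Review bot: The new comment on the added lines overstates the filter: `digits_and_slash_re` (`[0-9/]+`) and `letters_and_slash_re` (`[A-Z/]+`, case-insensitive) still match only values that are entirely digits or entirely letters (plus `/`), not mixed alphanumerics, so a path such as `/v1/abc123` matches neither and still reaches the decode attempts. That split looks deliberate, since a combined `[A-Z0-9/]+` would also fully match every hex string and the visible `if hex_m and not (all_digits_m or all_letters_m)` gate would then never decode hex; the comment should record that reasoning instead of reading like a commit message, e.g. `# Skip values that are only digits or only letters (optionally with '/'): these are usually URL path segments, not encoded protobuf. Kept as two checks so genuine hex (mixed letters+digits) still passes.` The names `all_digits_m`/`all_letters_m` no longer describe what they match; `digits_or_slash_m`/`letters_or_slash_m` on the two added assignments and in the `if` would be clearer. parse_protobuf_into_nodes starts and ends outside this hunk, so whether the b64 branches below reuse the same gate is not visible here.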
@@ -24,6 +24,8 @@ hex_re = re.compile(r'([A-F0-9]{2})+', flags=re.IGNORECASE)
 digits_re = re.compile(r'\d+')
 letters_re = re.compile(r'[A-Z]+', flags=re.IGNORECASE)
+digits_and_slash_re = re.compile(r'[0-9/]+')
+letters_and_slash_re = re.compile(r'[A-Z/]+', flags=re.IGNORECASE)
 float_re = re.compile(r'\d+\.\d+')
 mac_addr_re = re.compile(r'(?P[0-9A-Fa-f]{12}|([0-9A-Fa-f]:){6})')
 cisco_7_re = re.compile(r'\d{2}[A-F0-9]{4,}', re.IGNORECASE)
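Review bot: The two added patterns carry no comment explaining why `/` is admitted alongside the existing `digits_re`/`letters_re`, which they otherwise duplicate; a reader of utils.py alone cannot tell they exist so the protobuf parser can skip URL-path-like values. Suggest placing `# Same as digits_re/letters_re but tolerate '/', so URL path segments such as /123/456 are not mistaken for encoded data (used by parse_protobuf).` above the pair. Note that both patterns also fully match a value made only of slashes (`"/"`, `"//"`), which is harmless as a skip filter but worth stating so nobody reuses them as positive validators. Separately, the context line `mac_addr_re` shows `(?P[0-9A-Fa-f]{12}` with no group name, which would be a `re.error` at import; that is most likely a rendering artifact of this page (a `<name>` stripped as markup) rather than the file's real content, but it is worth confirming against the checked-in source.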