Tighten b64+proto parsing to filter out all digits or all number path… #207

Merged
merged 1 commit into from
Nov 21, 2024
5 changes: 1 addition & 4 deletions README.md
Expand Up @@ -30,7 +30,7 @@ page with an interesting URL, you can click the bookmarklet and see the URL "unf

### Local Python Install

1. Install via pip: `pip install dfir-unfurl`
1. Install via pip: `pip install dfir-unfurl[all]`

After Unfurl is installed, you can run use it via the web app or command-line:
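Review bot: The changed install line `pip install dfir-unfurl[all]` is unquoted, and shells that treat square brackets as glob characters (zsh, for example) reject it with a no-match error; suggest `pip install 'dfir-unfurl[all]'`. The README also does not say what the `all` extra adds over the base package, so a short sentence naming the optional dependencies it pulls in would help anyone deciding which form to install in a restricted analysis environment. Separately, the context line after it reads "you can run use it", which could be fixed while this section is being touched.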

Expand Down Expand Up @@ -87,6 +87,3 @@ optional arguments:

If using Docker as above, run:
``docker exec unfurl python -m unittest discover -s unfurl/tests``

## Legal Bit
This is not an officially supported Google product.
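Review bot: The removal of the "Legal Bit" section at the end of README.md is unrelated to the parsing change named in the title and is not explained anywhere in the visible lines. Suggest moving it to its own commit, or stating the reason in the commit message, so the history shows why the "not an officially supported Google product" statement was dropped.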
2 changes: 1 addition & 1 deletion unfurl/__init__.py
Expand Up @@ -13,7 +13,7 @@
# limitations under the License.

__author__ = "Ryan Benson"
__version__ = "20241120"
__version__ = "20241121"
__email__ = "[email protected]"

import logging
6 changes: 4 additions & 2 deletions unfurl/parsers/parse_protobuf.py
Expand Up @@ -125,8 +125,10 @@ def parse_protobuf_into_nodes(pb_value_dict, pb_types, edge_type=None):
urlsafe_b64_m = utils.urlsafe_b64_re.fullmatch(node.value)
standard_b64_m = utils.standard_b64_re.fullmatch(node.value)
hex_m = utils.hex_re.fullmatch(node.value)
all_digits_m = utils.digits_re.fullmatch(node.value)
all_letters_m = utils.letters_re.fullmatch(node.value)
# Updating to all letters/digits and forward slashes, to catch URL paths that may,
# by some chance, validly decode as protobuf, but really aren't.
all_digits_m = utils.digits_and_slash_re.fullmatch(node.value)
all_letters_m = utils.letters_and_slash_re.fullmatch(node.value)

if hex_m and not (all_digits_m or all_letters_m):
decoded = bytes.fromhex(node.value)
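Review bot: The guard in `if hex_m and not (all_digits_m or all_letters_m)` still only rejects values made of digits and slashes, or of letters and slashes, so a path that mixes the two (a constructed example: `user/1234`) matches neither pattern and is not filtered. If the intent stated in the new comment is to catch URL paths in general, that case needs its own check, or the comment should say that only single-class paths are covered. For the hex branch shown here the slash makes no difference, since `hex_re` does not admit `/`, so it is worth confirming that the base64 branches, which are outside the visible lines, apply the same guard. The names `all_digits_m` and `all_letters_m` no longer describe what they hold; something like `digits_or_slash_m` and `letters_or_slash_m` would keep the condition readable. None of the files in this change adds a test, so one case with a slash-separated numeric path and one with a mixed path would pin the behaviour down.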
2 changes: 2 additions & 0 deletions unfurl/utils.py
Expand Up @@ -24,6 +24,8 @@
hex_re = re.compile(r'([A-F0-9]{2})+', flags=re.IGNORECASE)
digits_re = re.compile(r'\d+')
letters_re = re.compile(r'[A-Z]+', flags=re.IGNORECASE)
digits_and_slash_re = re.compile(r'[0-9/]+')
letters_and_slash_re = re.compile(r'[A-Z/]+', flags=re.IGNORECASE)
float_re = re.compile(r'\d+\.\d+')
mac_addr_re = re.compile(r'(?P<mac_addr>[0-9A-Fa-f]{12}|([0-9A-Fa-f]:){6})')
cisco_7_re = re.compile(r'\d{2}[A-F0-9]{4,}', re.IGNORECASE)
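Review bot: `digits_and_slash_re` uses `[0-9/]+` while the existing `digits_re` uses `\d+`, and in a Python `str` pattern `\d` also matches non-ASCII decimal digits, so the two "digits" patterns disagree on input such as full-width numerals; suggest using one digit class for both (or compiling with `re.ASCII`). Both new patterns also fully match a value made only of `/` characters, which is probably harmless but deserves a one-line comment saying it is intended. A comment above the two definitions noting that they exist for the protobuf false-positive check in `parse_protobuf.py` would help, since the names alone do not show why a slash belongs in a digits or letters pattern.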