CERT-Polska / karton

Distributed malware processing framework based on Python, Redis and S3.
https://karton-core.readthedocs.io/en/latest/
BSD 3-Clause "New" or "Revised" License

Fix issue #222 with matches_filters method #223

Closed Antelox closed 1 year ago

Antelox commented 1 year ago

Issue reported here: https://github.com/CERT-Polska/karton/issues/222

I have just refactored the code in order to keep the matching logic the same and at the same time to take into account the use case that is causing the wrong matching when filters have more negated fields that match the header values.

I have also updated the unittest related to the task filters with negation.

In [1]: from karton.core import Task
In [2]: Task({
   ...:     "type": "sample",
   ...:     "kind": "runnable",
   ...:     "platform": "win32",
   ...:     "extension": "msix"
   ...: }).matches_filters([
   ...:         {"type": "sample", "kind": "runnable", "platform": "win*", "extension": "!msi*"},
   ...:         {"type": "sample", "kind": "runnable", "platform": "win*", "extension": "!lnk"},
   ...:         {"type": "sample", "kind": "document", "platform": "win*"}
   ...:     ])
   ...: 
Out[2]: False

$ python -m unittest discover tests/
.............
----------------------------------------------------------------------
Ran 13 tests in 0.040s

OK
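
The result in the session above depends on a negated pattern acting as a veto across the whole filter list, not just within its own filter. The following is an added example, not karton's code and not part of this pull request. The function names are hypothetical, and the veto rule and the handling of absent headers are assumptions inferred from the session's `False` result. It contrasts a plain OR over filters with the veto evaluation.

```python
from fnmatch import fnmatchcase

def filter_verdict(headers, flt):
    """1 = filter accepts, 0 = filter does not apply, -1 = negated pattern hit."""
    verdict = 1
    for key, pattern in flt.items():
        pattern = str(pattern)
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if key not in headers:
            if negated:
                continue  # assumption: an absent header cannot hit an exclusion
            return 0
        hit = fnmatchcase(str(headers[key]), pattern)
        if not hit and not negated:
            return 0      # positive field mismatch: this filter is irrelevant
        if hit and negated:
            verdict = -1  # excluded value present, remember it
    return verdict

def matches_naive(headers, filters):
    """Plain OR: any single accepting filter is enough (shown for contrast)."""
    return any(filter_verdict(headers, f) == 1 for f in filters)

def matches_with_veto(headers, filters):
    """OR over filters, but one negated hit rejects the task outright."""
    verdicts = [filter_verdict(headers, f) for f in filters]
    return -1 not in verdicts and 1 in verdicts

# Headers and filters copied from the IPython session in the comment above.
HEADERS = {"type": "sample", "kind": "runnable", "platform": "win32", "extension": "msix"}
FILTERS = [
    {"type": "sample", "kind": "runnable", "platform": "win*", "extension": "!msi*"},
    {"type": "sample", "kind": "runnable", "platform": "win*", "extension": "!lnk"},
    {"type": "sample", "kind": "document", "platform": "win*"},
]

if __name__ == "__main__":
    print("per-filter verdicts:", [filter_verdict(HEADERS, f) for f in FILTERS])
    print("plain OR:", matches_naive(HEADERS, FILTERS))
    print("with veto:", matches_with_veto(HEADERS, FILTERS))
```

With plain OR the `msix` sample would still be routed to the consumer because the `!lnk` filter accepts it, even though the first filter excludes `msi*`.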