CybOXProject / python-cybox

A Python library for parsing, manipulating, and generating CybOX content.
http://cybox.readthedocs.org/
BSD 3-Clause "New" or "Revised" License

Failed to parse STIX file because hash value is empty #320

Closed win911 closed 5 years ago

win911 commented 5 years ago

According to the following schema, hash value is allowed to be empty because there is no 'minLength' setting.

<xs:complexType name="HexBinaryObjectPropertyType">
  <xs:annotation>
    <xs:documentation>The HexBinaryObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type HexBinary. This type will be assigned to any property of a CybOX object that should contain content of type HexBinary and enables the use of relevant metadata for the property.</xs:documentation>
    <xs:documentation>Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:BaseObjectPropertyType">
      <xs:simpleType>
        <xs:union memberTypes="xs:string"/>
      </xs:simpleType>
      <xs:attribute name="datatype" type="cyboxCommon:DatatypeEnum" default="hexBinary">
        <xs:annotation>
          <xs:documentation>This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>

But I got an error when I parsed the following STIX file.

<stix:STIX_Package
  xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ihstix="http://www.qcert.org"
  xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:stixCommon="http://stix.mitre.org/common-1"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  id="ihstix:Package-0c5ca78f-ae58-4d30-96b8-c056d62ac0b1" version="1.1.1">
  <stix:STIX_Header>
    <stix:Description>Email- link to malicious Powershell, malicious Alfa Web Shell developed since a long time </stix:Description>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator id="ihstix:indicator-c341725d-e11e-4908-806a-93fb80f2bacc" timestamp="2019-03-29T09:05:07.870837+00:00" xsi:type="indicator:IndicatorType">
      <indicator:Title>: hashes</indicator:Title>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
      <indicator:Description/>
      <indicator:Observable id="ihstix:Observable-9df9c7d2-5cab-4bea-9451-467654028f01">
        <cybox:Object id="ihstix:IhFile-c56f3632-c762-4f20-b344-37ea24dd4a0b">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:File_Name condition="Equals"/>
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals">09ffd414668ee6cf12e30fad2f0799cb</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals"/>
              </cyboxCommon:Hash>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals"/>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
      <indicator:Confidence timestamp="2019-03-29T09:05:07.871038+00:00">
        <stixCommon:Value>Low</stixCommon:Value>
      </indicator:Confidence>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>

Error

Traceback (most recent call last):
  File "script.py", line 13, in <module>
    main(sys.argv[1])
  File "script.py", line 8, in main
    package = parser.parse_xml(f, check_version=False)
  File "/usr/lib/python2.7/site-packages/mixbox/parser.py", line 187, in parse_xml
    entity = self.get_entity_class(xml_root_node.tag).from_obj(entity_obj)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 375, in from_obj
    val = [transformer.from_obj(x) for x in val]
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 185, in from_obj
    return klass.from_obj(cls_obj)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 375, in from_obj
    val = [transformer.from_obj(x) for x in val]
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 379, in from_obj
    field.__set__(entity, val)
  File "/usr/lib/python2.7/site-packages/mixbox/fields.py", line 218, in __set__
    self.postset_hook(instance, value)
  File "/usr/lib/python2.7/site-packages/cybox/common/hashes.py", line 30, in _set_hash_type
    hashlen = len(value.value)
TypeError: object of type 'NoneType' has no len()

script.py

from stix.core import STIXPackage
from stix.utils.parser import EntityParser

def main(file_path):
    # Parse the STIX XML document into a STIXPackage entity; the failure
    # occurs inside parse_xml while the cybox Hash objects are built.
    with open(file_path) as f:
        parser = EntityParser()
        package = parser.parse_xml(f, check_version=False)

if __name__ == "__main__":
    import sys
    main(sys.argv[1])

chisholm commented 5 years ago

This does appear to be a bug. Empty hashes are schema compliant, but conceptually don't make much sense, at least for an "equals" comparison. They aren't valid. It might make more sense to leave the SHA256 and SHA1 hash elements out of the XML altogether. What was the intent of this content?
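The traceback above ends in `hashlen = len(value.value)` with `value.value` set to `None`, which is what an empty `<cyboxCommon:Simple_Hash_Value/>` element produces. The following stand-alone example, added here and not taken from python-cybox or from either participant, shows how a consumer can read the `cyboxCommon:Hash` elements from such a file, infer the algorithm from the digest length only when a value is actually present (the length table and the `infer_hash_type` name are assumptions that mirror the kind of inference the library's `_set_hash_type` performs, not its own code), and report the empty hashes that cannot serve as indicators, as the comment above suggests. The sample XML is a constructed, trimmed copy of the reporter's `FileObj:Hashes` fragment with one extra `Hash` that has no `Type`, so the inference path is exercised too.

```python
import xml.etree.ElementTree as ET

# Namespace of the cyboxCommon:Hash elements in the reporter's file.
NS = {"cyboxCommon": "http://cybox.mitre.org/common-2"}

# Hex-digest lengths for common algorithms (assumption: a stand-in for the
# length-based inference the traceback's _set_hash_type performs).
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 56: "SHA224", 64: "SHA256",
                96: "SHA384", 128: "SHA512"}

# Constructed input: trimmed from the report's FileObj:Hashes block, plus one
# Hash without a Type element (the 40-hex value is SHA1 of the empty string).
SAMPLE_HASHES_XML = """<FileObj:Hashes
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2">
  <cyboxCommon:Hash>
    <cyboxCommon:Type condition="Equals">MD5</cyboxCommon:Type>
    <cyboxCommon:Simple_Hash_Value condition="Equals">09ffd414668ee6cf12e30fad2f0799cb</cyboxCommon:Simple_Hash_Value>
  </cyboxCommon:Hash>
  <cyboxCommon:Hash>
    <cyboxCommon:Type condition="Equals">SHA256</cyboxCommon:Type>
    <cyboxCommon:Simple_Hash_Value condition="Equals"/>
  </cyboxCommon:Hash>
  <cyboxCommon:Hash>
    <cyboxCommon:Type condition="Equals">SHA1</cyboxCommon:Type>
    <cyboxCommon:Simple_Hash_Value condition="Equals"/>
  </cyboxCommon:Hash>
  <cyboxCommon:Hash>
    <cyboxCommon:Simple_Hash_Value condition="Equals">da39a3ee5e6b4b0d3255bfef95601890afd80709</cyboxCommon:Simple_Hash_Value>
  </cyboxCommon:Hash>
</FileObj:Hashes>"""


def infer_hash_type(value):
    """Return the algorithm implied by a hex digest's length, or None.

    An empty or missing value is checked before any len() call, which is
    exactly the guard the failing hook lacked.
    """
    if not value:
        return None
    return HASH_LENGTHS.get(len(value.strip()))


def parse_hashes(xml_text):
    """Collect each Hash as a dict with its declared/inferred type and value."""
    root = ET.fromstring(xml_text)
    results = []
    for h in root.findall("cyboxCommon:Hash", NS):
        type_el = h.find("cyboxCommon:Type", NS)
        value_el = h.find("cyboxCommon:Simple_Hash_Value", NS)
        # ElementTree gives .text == None for an empty element such as
        # <Simple_Hash_Value condition="Equals"/>; normalise it to "".
        declared = type_el.text.strip() if type_el is not None and type_el.text else None
        value = value_el.text.strip() if value_el is not None and value_el.text else ""
        inferred = infer_hash_type(value)
        results.append({
            "type": declared or inferred,
            "value": value,
            "empty": value == "",
            # A declared type whose length does not fit the value is suspicious.
            "mismatch": bool(declared and inferred and declared != inferred),
        })
    return results


def lint_hashes(hashes):
    """Return findings for hashes that cannot be used as Equals indicators."""
    findings = []
    for i, h in enumerate(hashes):
        label = h["type"] or "unknown type"
        if h["empty"]:
            findings.append(f"hash[{i}] ({label}): empty value; omit the Hash element")
        elif h["type"] is None:
            findings.append(f"hash[{i}]: no Type and length {len(h['value'])} matches no known algorithm")
        elif h["mismatch"]:
            findings.append(f"hash[{i}]: declared {label} but value length suggests otherwise")
    return findings


if __name__ == "__main__":
    parsed = parse_hashes(SAMPLE_HASHES_XML)
    for entry in parsed:
        print(entry)
    for finding in lint_hashes(parsed):
        print("WARNING:", finding)
```

Running the block on the sample reports the SHA256 and SHA1 entries as empty and fills in SHA1 for the type-less fourth hash; a feed consumer can use the same findings to drop or quarantine such indicators before they reach a matching engine, where an empty "Equals" value would otherwise be meaningless.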

chisholm commented 5 years ago

Fixed in #321.