Python file identified as text/plain

[kam193]

Describe the bug The following file - do_snapshot.py.zip (pass: zippy, potentially dangerous code) - has been identified as text/plain instead of code/python, after being extracted from an archive.

It contains one of quite typical obfuscation methods, which I belive should be detected: _ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]));exec((_)

To Reproduce Steps to reproduce the behavior:

1. Upload the file
2. Observe wrong type

Expected behavior File identified as code/python

Screenshots

Environment (please complete the following information if pertinent):

• Assemblyline Version: [e.g. 4.3.1.x] 4.5.0.43
• Extract 4.5.0.36

Additional context

BTW, I was recently thinking, if it wouldn't be wise to fall back on the file extension in cases like this (when the normal file identification process didn't produce any meaningful result, but the extension gives a hint). I don't think we would lose anything if files identified as text/plain got a type assignment based on the extension (maybe behind a config flag?). Although I'm not sure if the extension is preserved e.g. on resubmit.

[gdesmar]

That last patch should fix the lambda detection. It should be part of next release! See you for the next tricky python identification evasion! 😃

[kam193]

Thanks again, see you next time :D

[cccs-rs]

Patch should be included in 4.5.0.44 release