Describe the bug
The following file - do_snapshot.py.zip (pass: zippy, potentially dangerous code) - has been identified as text/plain instead of code/python, after being extracted from an archive.
It contains one of quite typical obfuscation methods, which I believe should be detected: _ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]));exec((_)
To Reproduce
Steps to reproduce the behavior:
Upload the file
Observe wrong type
Expected behavior
File identified as code/python
Screenshots
Environment (please complete the following information if pertinent):
Assemblyline Version: 4.5.0.43
Extract 4.5.0.36
Additional context
BTW, I was recently thinking, if it wouldn't be wise to fall back on the file extension in cases like this (when the normal file identification process didn't produce any meaningful result, but the extension gives a hint). I don't think we would lose anything if files identified as text/plain got a type assignment based on the extension (maybe behind a config flag?). Although I'm not sure if the extension is preserved e.g. on resubmit.
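To make the two ideas in this report concrete (flagging the base64/zlib/reversed-string/exec wrapper quoted above as Python even when the file does not parse, and falling back on the file extension when nothing better is known), here is an added example of a small identification routine. It is not Assemblyline's or the Extract service's code; the indicator regexes, the `min_indicators` threshold, the `EXTENSION_TYPES` table and the sample inputs are all assumptions constructed for illustration. Nothing in it executes the scanned text.

```python
import ast
import re
from pathlib import PurePath

# Regexes for the pieces of the obfuscation wrapper quoted in the issue:
# dynamic import of zlib/base64, b64decode + decompress of a reversed string,
# and exec of the result. Detection heuristics only (assumed, not Assemblyline's).
OBFUSCATION_INDICATORS = {
    "dynamic_import": re.compile(r"__import__\(\s*['\"](zlib|base64)['\"]\s*\)"),
    "base64_decode": re.compile(r"\bb64decode\s*\("),
    "zlib_decompress": re.compile(r"\bdecompress\s*\("),
    "reversed_string": re.compile(r"\[::-1\]"),
    "exec_or_eval": re.compile(r"\b(exec|eval)\s*\("),
    "lambda_wrapper": re.compile(r"\blambda\b"),
}

# Constructed extension table for the fallback the report suggests.
EXTENSION_TYPES = {".py": "code/python", ".pyw": "code/python"}

# AST node kinds that a bare English sentence will not produce; a single
# word parses as a Name expression, so "it parses" alone is not enough.
PYTHON_CONSTRUCTS = (ast.Import, ast.ImportFrom, ast.FunctionDef, ast.ClassDef,
                     ast.Call, ast.Assign, ast.Lambda, ast.For, ast.While, ast.If)


def parses_as_python(text: str) -> bool:
    """True if the text parses and contains at least one real Python construct."""
    try:
        tree = ast.parse(text)
    except (SyntaxError, ValueError):
        return False
    return any(isinstance(node, PYTHON_CONSTRUCTS) for node in ast.walk(tree))


def obfuscation_indicators(text: str) -> list:
    """Names of the indicator patterns present in the text, sorted."""
    return sorted(name for name, rx in OBFUSCATION_INDICATORS.items() if rx.search(text))


def identify(text: str, filename: str = None, min_indicators: int = 3,
             extension_fallback: bool = True) -> tuple:
    """Return (file_type, reason) for a text blob extracted from an archive."""
    if parses_as_python(text):
        return "code/python", "parsed as python"
    hits = obfuscation_indicators(text)
    # The wrapper from the issue is truncated and does not parse, but it still
    # trips enough distinct indicators to be called Python.
    if len(hits) >= min_indicators:
        return "code/python", "obfuscation indicators: " + ", ".join(hits)
    # Extension fallback, behind a flag as the report proposes.
    if extension_fallback and filename:
        ext = PurePath(filename).suffix.lower()
        if ext in EXTENSION_TYPES:
            return EXTENSION_TYPES[ext], f"extension fallback ({ext})"
    return "text/plain", "no python indicators"


# Constructed samples. ISSUE_SNIPPET is the one-liner quoted in the report,
# kept as written there (including its truncated exec call).
ISSUE_SNIPPET = ("_ = lambda __ : __import__('zlib').decompress("
                 "__import__('base64').b64decode(__[::-1]));exec((_)")
PLAIN_NOTES = "Meeting notes: discuss the quarterly budget and the new office layout.\n"
CLEAN_PYTHON = "import os\nprint(os.getcwd())\n"

if __name__ == "__main__":
    for text, name in [(ISSUE_SNIPPET, "do_snapshot.py"), (PLAIN_NOTES, "notes.txt"),
                       (PLAIN_NOTES, "do_snapshot.py"), (CLEAN_PYTHON, None)]:
        print(name, identify(text, name))
```

Running the block prints the verdict and reason for each sample: the quoted one-liner is called `code/python` on indicators alone, the prose file is `text/plain` as `notes.txt` but `code/python` by extension fallback as `do_snapshot.py`, and the clean script is identified by parsing. The threshold of three distinct indicators is the knob that keeps a stray `lambda` or `[::-1]` in ordinary text from being flagged.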