OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

[mwdb] OpenCTI connector flooding MWDB API with requests when /api/file returns different HTTP response code than 200 #1555

Closed psrok1 closed 3 months ago

psrok1 commented 10 months ago

Description

I'm from CERT.pl and we're responsible for the https://github.com/CERT-Polska/mwdb-core project and the https://mwdb.cert.pl service that is commonly used by users of this connector.

Recently we noticed that we're flooded from time to time with infinite /api/file?query=... requests that possibly originate from the connector distributed via this repository.

The issue is in this loop: https://github.com/OpenCTI-Platform/connectors/blob/f293124805b5b161db88b314069da80ff5185dbd/external-import/mwdb/src/mwdb.py#L558 When resp.status is not 200, but 401, 429 or any other common error returned by our API, this loop becomes an infinite loop without any delay.

A delay and proper error handling are expected when this condition is not fulfilled:

https://github.com/OpenCTI-Platform/connectors/blob/f293124805b5b161db88b314069da80ff5185dbd/external-import/mwdb/src/mwdb.py#L571

I also don't think that it's needed to reinvent the wheel and call MWDB API using requests while we have https://github.com/CERT-Polska/mwdblib Python binding. It also correctly handles any error conditions like rate limiting or missing authorization.

Additional information

Not provided; I'm the owner of the API targeted by the connector, not of an OpenCTI instance.

msm-code commented 10 months ago

When resp.status is not 200, but 401, 429 or any other common error returned by our API

I'll just add that 429 is used by the mwdb server for rate limiting (to notify the client that they should slow down a bit).

The connector as implemented here not only ignores this status code, but it even makes the problem worse because it starts sending even more requests in an infinite loop. I think that's the most common reason for "DoS attacks" done by users of this connector on the mwdb service.
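Both comments above describe the same defect: a polling loop that only exits on HTTP 200 and retries immediately on anything else, which turns a rate-limit reply (429) or a bad token (401) into a self-inflicted flood of requests. The following is an added example of how such a loop can be written to honour rate limiting and give up on unrecoverable errors; it is not the connector's code and not the mwdblib API. The request function, the response shape, the `Retry-After` values and the sample payload are all constructed for the demonstration, and the sleep function is injectable so the behaviour can be checked without waiting.

```python
"""
Polling loop that tolerates non-200 replies from an HTTP API (modelled on the
MWDB /api/file endpoint from the issue) without hammering the server.

Added example, not the connector's code. The fake client, response shape and
sample responses below are constructed for the demonstration.
"""
import random
import time
from dataclasses import dataclass, field

# Status codes on which a retry makes sense. 401 is deliberately absent: a bad
# or expired token will not fix itself, so the loop must stop and report it.
RETRYABLE = {429, 500, 502, 503, 504}


@dataclass
class FakeResponse:
    """Minimal stand-in for a requests.Response (constructed for the example)."""
    status_code: int
    headers: dict = field(default_factory=dict)
    payload: dict = field(default_factory=dict)

    def json(self):
        return self.payload


class ApiError(Exception):
    """Raised when the server answers with a status the loop cannot recover from."""


def backoff_delay(attempt, resp, base=1.0, cap=60.0):
    """Seconds to wait before the next attempt.

    A Retry-After header (sent with 429 by rate limiters) wins; otherwise use
    capped exponential backoff with full jitter so that many connectors do not
    retry in lock-step.
    """
    retry_after = resp.headers.get("Retry-After")
    if retry_after is not None:
        try:
            return min(float(retry_after), cap)
        except ValueError:
            pass  # malformed header: fall through to computed backoff
    return random.uniform(0, min(cap, base * 2 ** attempt))


def fetch_with_backoff(get, url, max_attempts=5, sleep=time.sleep):
    """Call get(url) until it returns 200, backing off on retryable errors.

    get   - callable returning an object with .status_code, .headers, .json()
    sleep - injectable so tests can record delays instead of really waiting
    Raises ApiError on non-retryable status codes or when attempts run out.
    """
    for attempt in range(max_attempts):
        resp = get(url)
        if resp.status_code == 200:
            return resp.json()
        if resp.status_code not in RETRYABLE:
            # e.g. 401/403: stop immediately instead of looping forever
            raise ApiError(f"{url}: HTTP {resp.status_code}, not retrying")
        sleep(backoff_delay(attempt, resp))
    raise ApiError(f"{url}: giving up after {max_attempts} attempts")


def scripted_client(responses):
    """Build a get() that replays a constructed list of responses in order."""
    queue = list(responses)

    def get(url):
        if not queue:
            raise AssertionError("client called more times than scripted")
        return queue.pop(0)
    return get


def demo_rate_limited():
    """Two 429s with Retry-After, then success: returns (payload, delays slept)."""
    delays = []
    get = scripted_client([
        FakeResponse(429, {"Retry-After": "2"}),
        FakeResponse(429, {"Retry-After": "4"}),
        FakeResponse(200, payload={"files": [{"sha256": "constructed-hash"}]}),
    ])
    data = fetch_with_backoff(get, "/api/file?query=constructed", sleep=delays.append)
    return data, delays


def demo_unauthorized():
    """A 401 must abort after a single request: returns the number of calls made."""
    calls = []

    def get(url):
        calls.append(url)
        return FakeResponse(401)
    try:
        fetch_with_backoff(get, "/api/file?query=constructed", sleep=lambda s: None)
    except ApiError:
        return len(calls)
    return -1  # reached only if the loop wrongly treated 401 as success


def demo_exhausted():
    """Persistent 503s must end in ApiError, not an endless loop: returns True if so."""
    get = scripted_client([FakeResponse(503), FakeResponse(503)])
    try:
        fetch_with_backoff(get, "/api/file?query=constructed", max_attempts=2, sleep=lambda s: None)
    except ApiError:
        return True
    return False
```

The three demo functions show the three outcomes the issue asks for: a 429 is honoured by sleeping for the server-specified interval and then retrying, a 401 aborts after exactly one request, and a server that never recovers makes the loop give up after a bounded number of attempts instead of spinning. On a real connector `get` would be `requests.get` with the auth header attached and `sleep` left as `time.sleep`.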