Use case
Our OpenCTI platform in the production environment is shared by several profiles, including non-technical ones, that could by a misclick download a malicious payload from that feed. We think it would be safer to restrict that option to a specific group of persons. Moreover, unless there is a constraint that we have not identified, we think it would be safer to NOT unzip the password-protected archive downloaded from Abuse. From a storage capacity perspective, we would reduce the overall size of stored payloads.
Current Workaround
We found no workaround other than deactivating the connector.
Proposed Solution
Remove the code lines that unzip the payload, or provide an option in the docker-compose.
Add an option in the docker-compose to show or hide the download button (there is no use case in our organization's requirements for allowing someone to download a payload from the frontend). An API call from a virtualized environment is preferred. Alternatively, we would like to have this option enabled for a specific population of employees only.
Additional Information
If the feature request is approved, would you be willing to submit a PR?
Yes
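The following is an added illustration of the "do not unzip" toggle proposed above; it is not code from OpenCTI or from the abuse.ch connector. It sketches how a connector could read a docker-compose style boolean and then either store the downloaded archive intact (keeping the sample inert and compressed) or extract the single sample inside it. The env var names, the archive layout (exactly one file per zip) and the sample bytes are assumptions; because the standard library cannot write encrypted zips, the constructed archive is unencrypted and the password is only passed through to `ZipFile.read`, which is where a real password-protected download would be decrypted.

```python
"""Illustrative 'keep the archive' vs 'unzip the payload' switch for a feed connector.

Constructed example, not OpenCTI or connector code. Env var names, the one-file-per-archive
assumption and the sample contents are assumptions made for this illustration.
"""
import hashlib
import io
import os
import zipfile
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical connector settings a docker-compose file would set (assumed names).
ENV_UNZIP = "CONNECTOR_UNZIP_PAYLOAD"
ENV_PASSWORD = "CONNECTOR_ARCHIVE_PASSWORD"

# Constructed stand-in for a sample; deliberately harmless bytes, not malware.
SAMPLE = b"constructed fake sample bytes, not malware\n" * 64


@dataclass
class StoredArtifact:
    """What the connector would hand to storage for a given download."""
    name: str
    data: bytes
    sha256: str
    size: int
    is_archive: bool


def env_flag(name: str, default: bool) -> bool:
    """Parse a docker-compose style boolean ("true"/"false", "1"/"0", "yes"/"no")."""
    raw = os.environ.get(name)
    if raw is None:
        return default
    return raw.strip().lower() in ("1", "true", "yes", "on")


def build_archive(inner_name: str, payload: bytes) -> bytes:
    """Constructed stand-in for a downloaded archive (unencrypted: stdlib cannot write encrypted zips)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


def is_zip(data: bytes) -> bool:
    """True when the stored bytes are still a zip container rather than a bare payload."""
    return zipfile.is_zipfile(io.BytesIO(data))


def store_sample(archive_name: str, archive: bytes, unzip: bool,
                 password: Optional[str] = None) -> StoredArtifact:
    """Return the artifact to store: the intact archive (unzip=False) or the extracted payload.

    Keeping the archive means the sample stays password-wrapped and compressed at rest; extracting
    it yields the raw file and its own hash, which is what the current unzipping behaviour produces.
    """
    if not unzip:
        return StoredArtifact(archive_name, archive, hashlib.sha256(archive).hexdigest(),
                              len(archive), True)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        # Refuse anything other than one sample per archive rather than extracting blindly.
        if len(members) != 1:
            raise ValueError(f"expected exactly one sample in archive, found {len(members)}")
        pwd = password.encode() if password else None
        payload = zf.read(members[0], pwd=pwd)
    return StoredArtifact(members[0].filename, payload, hashlib.sha256(payload).hexdigest(),
                          len(payload), False)


def demo() -> Tuple[StoredArtifact, StoredArtifact]:
    """Run both modes on the constructed archive and return (kept_archive, extracted_payload)."""
    archive = build_archive("sample.bin", SAMPLE)
    password = os.environ.get(ENV_PASSWORD)  # None for the constructed unencrypted archive
    kept = store_sample("sample.zip", archive, unzip=False, password=password)
    extracted = store_sample("sample.zip", archive, unzip=True, password=password)
    return kept, extracted


if __name__ == "__main__":
    unzip = env_flag(ENV_UNZIP, default=False)
    kept, extracted = demo()
    chosen = extracted if unzip else kept
    print(f"{ENV_UNZIP}={unzip} -> storing {chosen.name} ({chosen.size} bytes, archive={chosen.is_archive})")
    print(f"sha256={chosen.sha256}")
```

With the flag unset the connector would store only the zip (smaller, still wrapped), and the stored hash is the archive's hash rather than the sample's; anyone who needs the sample's own hash for matching would have to obtain it from the feed's metadata instead of from the stored bytes.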