OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Domain observable with underscore is incorrectly rejected #7620

Open samczsun opened 3 months ago

samczsun commented 3 months ago

Description

This regex does not accept underscores in domains, but underscores are permitted in domains.

https://github.com/OpenCTI-Platform/opencti/blob/542b5cd9504279bc5f5c63f98725a392a35c3dd5/opencti-platform/opencti-graphql/src/utils/syntax.js#L138

Environment

  1. OS (where OpenCTI server runs): Ubuntu
  2. OpenCTI version: 6.1.11
  3. OpenCTI client: Frontend
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create a domain observable with a domain that contains an underscore, such as example_domain.godaddysites.com

Expected Output

An observable is created

Actual Output

An error occurs

Additional information

Screenshots (optional)

Jipegien commented 2 months ago

RFCs forbid the use of underscores in domain names BUT some registrars allow them in subdomains. We need to modify the regexp to accept underscores in subdomains, but not in the domain itself or the TLD.

romain-filigran commented 5 days ago

I reopened this issue as I get an ingestion error when trying to create a domain observable with the value: "test._mysubdomain.mydomain.com"

SarahBocognano commented 3 days ago

@romain-filigran It's because you put the dot before the underscore. Do we want this to be possible? If yes, I can of course modify the regex to accept a dot followed by an underscore.
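
A label-by-label check for the rule discussed in this thread, as an added example that is not OpenCTI's code or its regex: underscores, including a leading one as in `_mysubdomain`, are accepted only in subdomain labels. It assumes the "domain itself" is the single label left of the TLD, with no public-suffix lookup; `checkDomain` and the pattern names are hypothetical.

```javascript
// Added example, not OpenCTI code. Assumption: the "domain itself" is the
// label immediately left of the TLD (no public-suffix list is consulted).

// Letters, digits, hyphen; 1-63 chars; no leading or trailing hyphen.
const HOST_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;
// Same shape, but underscore is allowed anywhere, including first position.
const SUBDOMAIN_LABEL = /^[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?$/i;
// At least two chars, starts with a letter (also matches xn-- punycode TLDs).
const TLD_LABEL = /^[a-z]([a-z0-9-]{0,61}[a-z0-9])$/i;

function checkDomain(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 253) {
    return { valid: false, reason: 'empty or longer than 253 characters' };
  }
  const labels = value.split('.');
  if (labels.length < 2) {
    return { valid: false, reason: 'needs a domain and a TLD' };
  }
  const tld = labels[labels.length - 1];
  const domain = labels[labels.length - 2];
  const subdomains = labels.slice(0, -2);

  if (!TLD_LABEL.test(tld)) {
    return { valid: false, reason: `bad TLD "${tld}"` };
  }
  if (!HOST_LABEL.test(domain)) {
    return { valid: false, reason: `bad domain label "${domain}"` };
  }
  // Empty labels ("a..b.com") fail here because every pattern needs >= 1 char.
  const bad = subdomains.find((label) => !SUBDOMAIN_LABEL.test(label));
  if (bad !== undefined) {
    return { valid: false, reason: `bad subdomain label "${bad}"` };
  }
  return { valid: true, reason: null };
}

// The first two values come from this thread; the rest are constructed.
const SAMPLES = [
  'example_domain.godaddysites.com',
  'test._mysubdomain.mydomain.com',
  'my_domain.com',
  'sub.example.c_m',
  '-bad.example.com',
];
for (const s of SAMPLES) {
  const r = checkDomain(s);
  console.log(s, '->', r.valid ? 'accepted' : `rejected (${r.reason})`);
}
```
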