[Bug][EmlParser] Problem running the analyzer if an attachment contains the character "?"

nicodeff commented 3 years ago

Describe the bug If the EML message contains an attachement with file name contains "?" character, EmlParser not working

To Reproduce Steps to reproduce the behavior:

Send an e-mail with attachement filename contains ? Or

Edit EML filename for modify this values

Content-Type: application/msword; name="2 - test?.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="2 - test?.doc"

Error message : Report creation failure: [Invalid format for artifact.attachment: FileInputValue(1 - ??????.pdf,/tmp/cortex-job-34c8fXsB4PrCcvtTyvV3-3558916277537544/output/tmp2wd7gamn,application/octet-stream), expected attachment]

Work environment

Client OS: Windows 10
- Server OS: CentOS 7
Browse type and version:
- Cortex version: 3.1.1-1
Cortex Analyzer/Responder name: EmlParser
- Cortex Analyzer/Responder version: 2.0

Thanks,

Regards,

Nicolas

jeromeleonard commented 3 years ago

Hi,

I tried and did not manage to reproduce this bug. Are you using the docker image of the Analyzer of the program on the Cortex host ?

nicodeff commented 3 years ago

Hello Jerome,

We don't use the docker image.

You can try to reproduce the bug directly with this EML. Ceci est un test.txt

Thanks a lot for your help,

Regards,

Nicolas

TheHive-Project / Cortex-Analyzers

[Bug][EmlParser] Problem running the analyzer if an attachment contains the character "?" #1028