TheHive-Project / Cortex-Analyzers

Cortex Analyzers Repository
https://TheHive-Project.github.io/Cortex-Analyzers/
GNU Affero General Public License v3.0

Mark specific Configuration Items as Secret #445

Open norgalades opened 5 years ago

norgalades commented 5 years ago

Feature description: Allow developers to flag a config item as "Secret" so that cortexutils can hide it in error messages. Add the info in the "How to Write and Submit an Analyzer" documentation.

Additional context: In some cases, an error in a Cortex-Analyzer code can reveal the API keys, like shown in the following image.

[image: screenshot of the analyzer error message revealing the API key]

Complementary information: This is my config file:

{
  "name": "FalconSearchIOC",
  "author": "Norgalades",
  "license": "AGPL-V3",
  "url": "https://github.com/",
  "version": "1.0",
  "description": "Check if an IOC (IP, domain or hash) has been seen in your CrowdStike environment.",
  "dataTypeList": ["ip", "hash", "domain"],
  "baseConfig": "FalconSearchIOC",
  "command": "FalconSearchIOC/falcon_search_IOC.py",
  "configurationItems": [
    {
      "name": "cs_api_off",
      "description": "Office api",
      "type": "string",
      "multi": false,
      "required": true
    },
    {
      "name": "cs_api_aff",
      "description": "Aff api",
      "type": "string",
      "multi": false,
      "required": true
    }
  ]
}
jeromeleonard commented 5 years ago

Configuration Item name does not fit Cortexutils requirements to be 'REMOVED' when displaying error. See https://github.com/TheHive-Project/Cortex-Analyzers/blob/master/contrib/cortexutils/worker.py#L122

What is the difference between those 2 keys?
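The two comments above describe the same problem from both sides: today the redaction in cortexutils is keyed on the item's name, so an item called `cs_api_off` is never hidden, and the request is for an explicit flag so the redaction no longer depends on naming. The script below is an added illustration written for this thread, not cortexutils code and not the FalconSearchIOC analyzer. It assumes a hypothetical `"secret": true` field on a configuration item, and its name-based fallback list is an assumption modelled on what `worker.py` does, so check the linked source rather than relying on the list here. All credential values are constructed placeholders.

```python
import json

# Constructed sample: a Cortex job input as an analyzer receives it on stdin.
# The "config" values are placeholders, not real credentials.
SAMPLE_INPUT = {
    "data": "8.8.8.8",
    "dataType": "ip",
    "config": {
        "cs_api_off": "PLACEHOLDER-OFFICE-KEY",
        "cs_api_aff": "PLACEHOLDER-AFF-KEY",
        "api_key": "PLACEHOLDER-API-KEY",
        "max_tlp": 2,
    },
}

# Constructed sample: the analyzer's configurationItems carrying the
# hypothetical "secret" flag this issue proposes.
SAMPLE_CONFIG_ITEMS = [
    {"name": "cs_api_off", "type": "string", "required": True, "secret": True},
    {"name": "cs_api_aff", "type": "string", "required": True, "secret": True},
    {"name": "max_tlp", "type": "number", "required": False},
]

# Assumption: names cortexutils redacts today purely by name, modelled on
# contrib/cortexutils/worker.py. Verify against the real source.
NAME_BASED_SECRETS = {"password", "key", "apikey", "api_key"}

REDACTED = "REMOVED"


def secret_names(config_items, fallback=NAME_BASED_SECRETS):
    """Config keys to hide: every item flagged secret plus the name-based fallback."""
    flagged = {item["name"] for item in config_items if item.get("secret", False)}
    return flagged | set(fallback)


def redact_input(job_input, config_items):
    """Return a deep copy of the job input with secret config values replaced."""
    redacted = json.loads(json.dumps(job_input))  # copy; never mutate the live input
    config = redacted.get("config", {})
    for name in secret_names(config_items):
        if name in config:
            config[name] = REDACTED
    return redacted


def error_report(job_input, config_items, message):
    """Build the error document an analyzer would emit, with secrets redacted."""
    return {
        "success": False,
        "errorMessage": message,
        "input": redact_input(job_input, config_items),
    }


def leaked_secrets(report, job_input, config_items):
    """Names of secret items whose original value still appears in the serialized report.

    Useful as a unit test for an analyzer: the list must be empty for every
    error path, regardless of what the configuration items are called.
    """
    serialized = json.dumps(report)
    original = job_input.get("config", {})
    return sorted(
        name
        for name in secret_names(config_items)
        if name in original and str(original[name]) in serialized
    )


if __name__ == "__main__":
    report = error_report(SAMPLE_INPUT, SAMPLE_CONFIG_ITEMS, "HTTP 401 from upstream")
    print(json.dumps(report, indent=2))
    print("leaked:", leaked_secrets(report, SAMPLE_INPUT, SAMPLE_CONFIG_ITEMS))
```

Running it prints the error document with both `cs_api_*` values and `api_key` replaced by `REMOVED` while `max_tlp` is left intact, and `leaked` is an empty list; feeding the unredacted input to `leaked_secrets` instead reports all three names, which is exactly the leak the screenshot in the first post shows.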