TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Regexp observables are sanitized like URLs, changing the original regexp #490

Open lc4nt opened 6 years ago

lc4nt commented 6 years ago

Request Type

Bug

Work Environment

Question Answer
TheHive version 3.0.5

Problem Description

When creating a regular expression observable (type regexp), the dots are sanitized in an attempt to make potential links unclickable, as well as any https or http string. But this invalidates the regular expression itself.

Steps to Reproduce

  1. Create an observable of type regexp with the expression: ^https?:\/\/.+/myevilpattern\?evilfile\.php$
  2. Observe that the resulting regular expression is modified to: ^hxxps?:\/\/[.]+/myevilpattern\?evilfile\[.]php$. The brackets and hxxps make the regular expression different from the original.

Possible Solutions

Avoid sanitizing the regexp observable as if it contained a URL.

rolinh commented 6 years ago

To be clear, this is not a problem with the regexp type only. The same sanitization process is applied to any observable type, whether it makes sense or not.

chelmzy commented 5 years ago

Is there any update or workaround for this feature? I currently have a custom observable that contains a link I do NOT want to be sanitized.

Tyrell20 commented 3 years ago

As reported by @rolinh, all observables are sanitized. With this mode, the analyzer is not able to run over it. Any update or workaround?

Many thanks
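
The behaviour discussed in this thread, as an added example that is not part of the issue or of TheHive's code: a naive defang step reproduces the reported rewrite of the regexp, and a type-aware variant defangs only the rendered copy of link-like observables while the stored value stays intact for analyzers. The function names, the set of link-like types and the sample URL are assumptions made for illustration.

```javascript
// Added example: all names here are hypothetical, not TheHive's implementation.

// Naive defang reproducing the transformation reported in the issue:
// "http" becomes "hxxp" and every "." becomes "[.]".
function defang(value) {
  return value
    .replace(/http/gi, (m) => m[0] + 'xx' + m[3]) // keeps the original case
    .replace(/\./g, '[.]');
}

// Assumption: data types whose values a browser could turn into a live link.
const LINK_LIKE_TYPES = new Set(['url', 'domain', 'fqdn', 'ip', 'mail']);

// Defang only the copy that is rendered; regexp and other types pass through.
function toDisplay(observable) {
  return LINK_LIKE_TYPES.has(observable.dataType)
    ? defang(observable.data)
    : observable.data;
}

// Value handed to analyzers or exports: always the stored original.
function toAnalyzer(observable) {
  return observable.data;
}

// The regexp from the issue and a constructed URL it is meant to match.
const REPORTED = String.raw`^https?:\/\/.+/myevilpattern\?evilfile\.php$`;
const SAMPLE_URL = 'https://bad.example/myevilpattern?evilfile.php';

function demo() {
  const regexpObs = { dataType: 'regexp', data: REPORTED };
  const urlObs = { dataType: 'url', data: SAMPLE_URL };
  return {
    // What blanket sanitization does to the pattern, and the effect on matching.
    sanitizedPattern: defang(REPORTED),
    originalMatches: new RegExp(REPORTED).test(SAMPLE_URL),
    sanitizedMatches: new RegExp(defang(REPORTED)).test(SAMPLE_URL),
    // Type-aware handling: regexp untouched, URL defanged for display only.
    regexpDisplay: toDisplay(regexpObs),
    urlDisplay: toDisplay(urlObs),
    urlForAnalyzer: toAnalyzer(urlObs),
  };
}

console.log(demo());
```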