cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal

Bugfix in M365 Dumper Module #27

Closed 0x534a closed 1 year ago

0x534a commented 1 year ago

🗣 Description

This PR fixes a bug in the M365 dumper module. The bug produces a KeyError exception, which leads to a crash of the application.

💭 Motivation and context

The exception is thrown in the function dump_exo_mailbox of m365_datadumper.py. The complete stack trace can be found below.

Traceback (most recent call last):
  File "venv/goose/bin/goosey", line 11, in <module>
    load_entry_point('goosey==1.1.0', 'console_scripts', 'goosey')()
  File "venv/goose/lib/python3.8/site-packages/goosey/main.py", line 89, in main
    honkmain(args)
  File "venv/goose/lib/python3.8/site-packages/goosey/honk.py", line 278, in main
    asyncio.run(run(args, config, auth, auth_un_pw))
  File "/usr/lib/python3.8/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "venv/goose/lib/python3.8/site-packages/goosey/honk.py", line 145, in run
    await asyncio.gather(*tasks)
  File "venv/goose/lib/python3.8/site-packages/goosey/m365_datadumper.py", line 278, in dump_exo_mailbox
    del result['@odata.context']
KeyError: '@odata.context'

As seen in the stack trace, the key @odata.context is not part of the result dictionary. Thus, I suggest checking whether the key exists beforehand.

🧪 Testing

This PR was tested manually against a Microsoft 365 development tenant (E5 license).

victoriawallace-cisa commented 1 year ago

Thanks! We tested it as well and it works well. We'll go ahead and incorporate the pull request. Thank you!
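
The crash described in the pull request above, reproduced as an added example that is not the project's code or the PR's actual diff: an unchecked `del` on a response without `@odata.context` raises inside one task, and `asyncio.gather` propagates it so the whole collection run ends. The function names and sample responses are assumptions constructed for illustration; `pop` with a default is one way to do the existence check.

```python
import asyncio

# Constructed sample responses (not real tenant data). The second one lacks
# the '@odata.context' annotation, which is the case from the traceback.
SAMPLE_RESPONSES = [
    {"@odata.context": "https://example.invalid/$metadata#Mailbox",
     "UserPrincipalName": "alice@example.invalid"},
    {"UserPrincipalName": "bob@example.invalid"},
]

def strip_unchecked(result: dict) -> dict:
    """The pattern from the traceback: raises KeyError if the key is absent."""
    del result["@odata.context"]
    return result

def strip_checked(result: dict) -> dict:
    """Remove the annotation only if present; a missing key is not an error."""
    result.pop("@odata.context", None)
    return result

async def dump_one(response: dict, strip) -> dict:
    await asyncio.sleep(0)        # stands in for the HTTP call (hypothetical)
    return strip(dict(response))  # copy so the samples stay unchanged

async def dump_all(responses, strip):
    # Same shape as the traceback: an exception in any task propagates
    # out of gather() and ends the whole run, losing the other results.
    return await asyncio.gather(*(dump_one(r, strip) for r in responses))

def run(strip):
    """Return (records, error); error is None when every task succeeded."""
    try:
        return asyncio.run(dump_all(SAMPLE_RESPONSES, strip)), None
    except KeyError as exc:
        return [], f"KeyError: {exc}"

if __name__ == "__main__":
    print("unchecked:", run(strip_unchecked))
    print("checked:  ", run(strip_checked))
```

With the unchecked version, the record for the first mailbox is lost as well, even though its response was well-formed.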