oasis-open / cti-pattern-validator

OASIS TC Open Repository: Validate patterns used to express cyber observable content in STIX Indicators
https://stix2-patterns.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Path Backslash Requirement #28

Closed ghost closed 7 years ago

ghost commented 7 years ago

Currently, https://github.com/oasis-open/cti-python-stix2 accepts 2 backslashes in a directory path without interpretation, while https://github.com/oasis-open/cti-pattern-validator requires 4 to return no error.

Not sure if these 2 libraries are expected to be consistent with each other.

Here is a sample to demonstrate the inconsistency.

```python
from stix2 import Indicator, Bundle
from stix2patterns.validator import run_validator

path = "[directory:path LIKE 'C:\\Windows\\System32\\WindowsPowerShell\\%']"

errors = run_validator(path)

### My Workaround ###
#errors = run_validator(path.replace('\\', '\\\\'))

if errors:
    print(errors)
else:
    indicator = Indicator(name="Powershell Directory",
                          labels=['native tool'],
                          pattern=path)
    print(str(indicator))
```

gtback commented 7 years ago

Thanks, @nullouis! At this point, python-stix2 does not validate the patterns passed into Indicators, but there's an open PR (oasis-open/cti-python-stix2#45) to add that support.

In this case, the pattern-validator is doing the right thing. There needs to be one layer of escaping for the pattern String Literal, and another layer of escaping for the Python string, when you put an indicator string in Python code.
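
The two escaping layers described in the reply above, as an added example that is not part of the original thread and is not code from either library. It assumes the STIX patterning rule that a backslash inside a string literal may only be followed by a backslash or a single quote; `decode_pattern_literal` and `literal_body` are hypothetical helpers, not the validator's API.

```python
# Added example, not code from the issue thread or either library.
# decode_pattern_literal and literal_body are hypothetical helpers.

def decode_pattern_literal(body: str) -> str:
    """Decode the text between the quotes of a pattern string literal.

    Assumption: a backslash may only be followed by a backslash or a
    single quote; any other escape is an error.
    """
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "'":
            raise ValueError(f"unescaped quote at offset {i}")
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        nxt = body[i + 1 : i + 2]  # empty string on a trailing backslash
        if nxt not in ("\\", "'"):
            raise ValueError(f"invalid escape \\{nxt} at offset {i}")
        out.append(nxt)
        i += 2
    return "".join(out)


def literal_body(pattern: str) -> str:
    """Return the text between the first and last single quote."""
    return pattern[pattern.index("'") + 1 : pattern.rindex("'")]


# 2 backslashes in Python source: Python consumes one layer, so the pattern
# text holds single backslashes (\W, \S, ...), which are invalid escapes.
two = "[directory:path LIKE 'C:\\Windows\\System32\\WindowsPowerShell\\%']"
# 4 backslashes, or a raw string with 2, leave \\ in the pattern text.
four = "[directory:path LIKE 'C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\%']"
raw = r"[directory:path LIKE 'C:\\Windows\\System32\\WindowsPowerShell\\%']"

if __name__ == "__main__":
    print(decode_pattern_literal(literal_body(four)))
    try:
        decode_pattern_literal(literal_body(two))
    except ValueError as exc:
        print("rejected:", exc)
```

Writing the pattern as a raw string keeps the Python layer out of the way, so only the pattern's own escaping has to be written by hand.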