Failed to parse STIX file because hash value is empty
win911 opened this issue
According to the following schema, the hash value is allowed to be empty because there is no 'minLength' setting.
<xs:complexType name="HexBinaryObjectPropertyType">
  <xs:annotation>
    <xs:documentation>The HexBinaryObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type HexBinary. This type will be assigned to any property of a CybOX object that should contain content of type HexBinary and enables the use of relevant metadata for the property.</xs:documentation>
    <xs:documentation>Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:BaseObjectPropertyType">
      <xs:simpleType>
        <xs:union memberTypes="xs:string"/>
      </xs:simpleType>
      <xs:attribute name="datatype" type="cyboxCommon:DatatypeEnum" default="hexBinary">
        <xs:annotation>
          <xs:documentation>This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
But I got an error when I parsed the following STIX file.
<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ihstix="http://www.qcert.org"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    id="ihstix:Package-0c5ca78f-ae58-4d30-96b8-c056d62ac0b1" version="1.1.1">
  <stix:STIX_Header>
    <stix:Description>Email- link to malicious Powershell, malicious Alfa Web Shell developed since a long time </stix:Description>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator id="ihstix:indicator-c341725d-e11e-4908-806a-93fb80f2bacc" timestamp="2019-03-29T09:05:07.870837+00:00" xsi:type="indicator:IndicatorType">
      <indicator:Title>: hashes</indicator:Title>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
      <indicator:Description/>
      <indicator:Observable id="ihstix:Observable-9df9c7d2-5cab-4bea-9451-467654028f01">
        <cybox:Object id="ihstix:IhFile-c56f3632-c762-4f20-b344-37ea24dd4a0b">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:File_Name condition="Equals"/>
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals">09ffd414668ee6cf12e30fad2f0799cb</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals"/>
              </cyboxCommon:Hash>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals"/>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
      <indicator:Confidence timestamp="2019-03-29T09:05:07.871038+00:00">
        <stixCommon:Value>Low</stixCommon:Value>
      </indicator:Confidence>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
Error
Traceback (most recent call last):
  File "script.py", line 13, in <module>
    main(sys.argv[1])
  File "script.py", line 8, in main
    package = parser.parse_xml(f, check_version=False)
  File "/usr/lib/python2.7/site-packages/mixbox/parser.py", line 187, in parse_xml
    entity = self.get_entity_class(xml_root_node.tag).from_obj(entity_obj)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 375, in from_obj
    val = [transformer.from_obj(x) for x in val]
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 185, in from_obj
    return klass.from_obj(cls_obj)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 375, in from_obj
    val = [transformer.from_obj(x) for x in val]
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 379, in from_obj
    field.__set__(entity, val)
  File "/usr/lib/python2.7/site-packages/mixbox/fields.py", line 218, in __set__
    self.postset_hook(instance, value)
  File "/usr/lib/python2.7/site-packages/cybox/common/hashes.py", line 30, in _set_hash_type
    hashlen = len(value.value)
TypeError: object of type 'NoneType' has no len()
script.py
from stix.core import STIXPackage
from stix.utils.parser import EntityParser


def main(file_path):
    with open(file_path) as f:
        parser = EntityParser()
        package = parser.parse_xml(f, check_version=False)  # line 8 of the traceback: raises TypeError on the empty hash value


if __name__ == "__main__":
    import sys
    main(sys.argv[1])  # line 13 of the traceback
This does appear to be a bug. Empty hashes are schema compliant, but conceptually don't make much sense, at least for an "equals" comparison. They aren't valid. It might make more sense to leave the SHA256 and SHA1 hash elements out of the XML altogether. What was the intent of this content?
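Added example, written for this page and not code from the issue author, the commenter, or python-stix/python-cybox: a stdlib-only pre-parse check that a feed consumer can run before handing a STIX 1.x package to `EntityParser`. It finds every `cyboxCommon:Hash` whose `Simple_Hash_Value` is empty (the `None` that `_set_hash_type` trips over at `len(value.value)`), flags digests whose length or alphabet does not match the declared type, and can drop the empty entries outright, which is what the comment above suggests doing. It assumes Python 3 and uses a trimmed copy of the package from the issue as constructed input, with placeholder ids; the MD5 value is the one shown in the report.

```python
"""Pre-parse audit of STIX 1.x file hashes; stdlib only, assumes Python 3."""
import string
import xml.etree.ElementTree as ET

CYBOX_COMMON = "http://cybox.mitre.org/common-2"
HASH_TAG = "{%s}Hash" % CYBOX_COMMON
TYPE_TAG = "{%s}Type" % CYBOX_COMMON
VALUE_TAG = "{%s}Simple_Hash_Value" % CYBOX_COMMON

# Keep the input's prefixes on output: xsi:type values such as
# "cyboxVocabs:HashNameVocab-1.0" are QNames that refer to them.
for _prefix, _uri in {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "cyboxCommon": CYBOX_COMMON,
    "cyboxVocabs": "http://cybox.mitre.org/default_vocabularies-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}.items():
    ET.register_namespace(_prefix, _uri)

# Hex-digit length per digest type (cybox's _set_hash_type takes the same len(value.value)).
HEX_DIGEST_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# Constructed input: the Hashes block from the issue with placeholder ids.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-PLACEHOLDER" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator id="example:Indicator-PLACEHOLDER" xsi:type="indicator:IndicatorType">
      <indicator:Observable id="example:Observable-PLACEHOLDER">
        <cybox:Object id="example:File-PLACEHOLDER">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals">09ffd414668ee6cf12e30fad2f0799cb</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals"/>
              </cyboxCommon:Hash>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals"/>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def _hash_fields(hash_el):
    # (type, value) text of one cyboxCommon:Hash; '' when the child is absent or empty
    type_el = hash_el.find(TYPE_TAG)
    value_el = hash_el.find(VALUE_TAG)
    hash_type = (type_el.text or "").strip() if type_el is not None else ""
    value = (value_el.text or "").strip() if value_el is not None else ""
    return hash_type, value


def check_digest(hash_type, value):
    """None if value looks like a hash_type digest, else a short problem string."""
    if not value:
        return "empty Simple_Hash_Value"
    expected = HEX_DIGEST_LENGTHS.get(hash_type)
    if expected is None:
        return None  # type not in the table above; nothing to compare against
    if len(value) != expected or any(c not in string.hexdigits for c in value):
        return "not a %d-character hex digest" % expected
    return None


def audit_hashes(xml_text):
    """List (hash_type, problem) for every Hash entry that is empty or malformed."""
    root = ET.fromstring(xml_text)
    problems = []
    for hash_el in root.iter(HASH_TAG):
        hash_type, value = _hash_fields(hash_el)
        problem = check_digest(hash_type, value)
        if problem:
            problems.append((hash_type, problem))
    return problems


def strip_empty_hashes(xml_text):
    """Drop Hash entries with no value, as the comment suggests; return (xml, count)."""
    root = ET.fromstring(xml_text)
    doomed = [(parent, child) for parent in root.iter() for child in parent
              if child.tag == HASH_TAG and not _hash_fields(child)[1]]
    for parent, child in doomed:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), len(doomed)


if __name__ == "__main__":
    cleaned, removed = strip_empty_hashes(SAMPLE_STIX)
    print(audit_hashes(SAMPLE_STIX), removed, audit_hashes(cleaned))
```

On the sample, `audit_hashes` reports the SHA256 and SHA1 entries as empty, `strip_empty_hashes` removes both, and the cleaned text audits clean, so only the MD5 entry reaches the cybox hash hook. One caveat of the stdlib serializer: ElementTree re-declares only namespaces that some element or attribute actually uses, so a declaration such as `xmlns:ihstix` that backs nothing but `id` values is dropped on output; if a downstream consumer validates those ids as QNames, add that prefix to the registration table or serialize with lxml instead. The length check is a format check only; it says nothing about whether the digest is the right one for the file.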