CybOXProject / python-cybox

A Python library for parsing, manipulating, and generating CybOX content.

Home Page: http://cybox.readthedocs.org/


Failed to parse STIX file because hash value is empty

win911 opened this issue

According to the following schema, hash value is allowed to be empty because there is no 'minLength' setting.

<xs:complexType name="HexBinaryObjectPropertyType">
  <xs:annotation>
    <xs:documentation>The HexBinaryObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type HexBinary. This type will be assigned to any property of a CybOX object that should contain content of type HexBinary and enables the use of relevant metadata for the property.</xs:documentation>
    <xs:documentation>Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:BaseObjectPropertyType">
      <xs:simpleType>
        <xs:union memberTypes="xs:string"/>
      </xs:simpleType>
      <xs:attribute name="datatype" type="cyboxCommon:DatatypeEnum" default="hexBinary">
        <xs:annotation>
          <xs:documentation>This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>

But I got an error when I parsed the following STIX file.

<stix:STIX_Package
  xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ihstix="http://www.qcert.org"
  xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:stixCommon="http://stix.mitre.org/common-1"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  id="ihstix:Package-0c5ca78f-ae58-4d30-96b8-c056d62ac0b1" version="1.1.1">
  <stix:STIX_Header>
    <stix:Description>Email- link to malicious Powershell, malicious Alfa Web Shell developed since a long time </stix:Description>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator id="ihstix:indicator-c341725d-e11e-4908-806a-93fb80f2bacc" timestamp="2019-03-29T09:05:07.870837+00:00" xsi:type="indicator:IndicatorType">
      <indicator:Title>: hashes</indicator:Title>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
      <indicator:Description/>
      <indicator:Observable id="ihstix:Observable-9df9c7d2-5cab-4bea-9451-467654028f01">
        <cybox:Object id="ihstix:IhFile-c56f3632-c762-4f20-b344-37ea24dd4a0b">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:File_Name condition="Equals"/>
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals">09ffd414668ee6cf12e30fad2f0799cb</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals"/>
              </cyboxCommon:Hash>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals"/>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
      <indicator:Confidence timestamp="2019-03-29T09:05:07.871038+00:00">
        <stixCommon:Value>Low</stixCommon:Value>
      </indicator:Confidence>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>

Error

Traceback (most recent call last):
  File "script.py", line 13, in <module>
    main(sys.argv[1])
  File "script.py", line 8, in main
    package = parser.parse_xml(f, check_version=False)
  File "/usr/lib/python2.7/site-packages/mixbox/parser.py", line 187, in parse_xml
    entity = self.get_entity_class(xml_root_node.tag).from_obj(entity_obj)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 375, in from_obj
    val = [transformer.from_obj(x) for x in val]
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 185, in from_obj
    return klass.from_obj(cls_obj)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 375, in from_obj
    val = [transformer.from_obj(x) for x in val]
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 379, in from_obj
    field.__set__(entity, val)
  File "/usr/lib/python2.7/site-packages/mixbox/fields.py", line 218, in __set__
    self.postset_hook(instance, value)
  File "/usr/lib/python2.7/site-packages/cybox/common/hashes.py", line 30, in _set_hash_type
    hashlen = len(value.value)
TypeError: object of type 'NoneType' has no len()

script.py

from stix.core import STIXPackage
from stix.utils.parser import EntityParser


def main(file_path):
    with open(file_path) as f:
        parser = EntityParser()
        package = parser.parse_xml(f, check_version=False)


if __name__ == "__main__":
    import sys
    main(sys.argv[1])

This does appear to be a bug. Empty hashes are schema compliant, but conceptually don't make much sense, at least for an "equals" comparison. They aren't valid. It might make more sense to leave the SHA256 and SHA1 hash elements out of the XML altogether. What was the intent of this content?
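A pre-flight check in the spirit of the comment above, as an added example that is not part of the thread or of python-cybox: it lists every `Hash` whose `Simple_Hash_Value` is present but empty, so an ingestion job can quarantine or report the document before handing it to the parser. The sample XML and the `find_empty_hashes` name are constructed for illustration; the namespace URIs are the ones declared in the issue's document.

```python
import xml.etree.ElementTree as ET

# Namespace URIs as declared in the issue's STIX document.
NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
}

# Constructed sample: an Observable shaped like the one in the issue, trimmed down.
SAMPLE = """\
<cybox:Observable xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2">
  <cybox:Object id="example:File-1">
    <cybox:Properties>
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value condition="Equals">09ffd414668ee6cf12e30fad2f0799cb</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>SHA256</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value condition="Equals"/>
        </cyboxCommon:Hash>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>SHA1</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value condition="Equals"/>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
"""


def find_empty_hashes(xml_text):
    """Return (object_id, hash_type) for each Hash whose Simple_Hash_Value has no text."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter("{%s}Object" % NS["cybox"]):
        for hash_el in obj.iter("{%s}Hash" % NS["cyboxCommon"]):
            value = hash_el.find("cyboxCommon:Simple_Hash_Value", NS)
            # Flag only an element that is present but empty or whitespace-only;
            # a Hash with no Simple_Hash_Value child is left alone.
            if value is not None and not (value.text or "").strip():
                hash_type = hash_el.findtext("cyboxCommon:Type", namespaces=NS)
                findings.append((obj.get("id"), hash_type))
    return findings
```

The function only reports. Re-serializing the tree with `xml.etree.ElementTree` would rewrite namespace prefixes, and `xsi:type` values such as `FileObj:FileObjectType` depend on those prefixes.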

Fixed in #321.