Crash on checking threat attributes that are not in current object while generating report
BloodyFoxy opened this issue · comments
How does the problem look like and what steps reproduce it?
Issue can be easily reproduced when trying to generate report using provided threat library, sample tm.py (both one in repo and another slightly different in README.md) and template.
Traceback using tm.py from repo:
Exception has occurred: AttributeError
'Actor' object has no attribute 'providesIntegrity'
File "/root/pytm/pytm/pytm.py", line 445, in apply
return eval(self.condition)
File "/root/pytm/pytm/pytm.py", line 547, in resolve
if not t.apply(e):
File "/root/pytm/pytm/pytm.py", line 721, in process
self.resolve()
File "/root/pytm/tm.py", line 91, in <module>
tm.process()
Threat being checked is AC05
with condition '((not target.source.providesIntegrity or not target.sink.providesIntegrity) and not target.isEncrypted) or (target.source.inScope and not target.isResponse and (not target.authenticatesDestination or not target.checksDestinationRevocation))'
. As we know Actor
object doesn't have any providesIntegrity
attribute, but it's being checked.
Can you reproduce it using the latest master?
Yes. That's what I used.
What is your running environment?
OS: SLES 15/python:alpine-3.8 image
Python version: 3.6.10/3.8.6
Your model file, if possible: sample tm.py
from repo and another one from README.md
What have you already tried to solve the problem?
Not yet. I'm not proficient in Python and still poking the code.
EDIT: I think a simple exception can be added to handle such attribute issues in non-elegant way:
def apply(self, target):
if not isinstance(target, self.target):
return None
try:
return eval(self.condition)
except AttributeError:
return None
@izar It can fail on other attributes added to any object and on new/other conditions in Threat Database.
I edited my first post with suggestion to use a simple exception.