LzmaScanner for deep scan (#705)

Author: babenek

credsweeper/deep_scanner/deep_scanner.py

@@ -2,7 +2,7 @@
 import logging
 from typing import List, Optional, Any, Tuple, Union
 
-from credsweeper.common.constants import RECURSIVE_SCAN_LIMITATION
+from credsweeper.common.constants import RECURSIVE_SCAN_LIMITATION, MIN_DATA_LEN
 from credsweeper.config import Config
 from credsweeper.credentials import Candidate
 from credsweeper.credentials.augment_candidates import augment_candidates
@@ -23,6 +23,7 @@
 from .html_scanner import HtmlScanner
 from .jks_scanner import JksScanner
 from .lang_scanner import LangScanner
+from .lzma_scanner import LzmaScanner
 from .mxfile_scanner import MxfileScanner
 from .pdf_scanner import PdfScanner
 from .pkcs12_scanner import Pkcs12Scanner
@@ -48,6 +49,7 @@ class DeepScanner(
     HtmlScanner,  #
     JksScanner,  #
     LangScanner,  #
+    LzmaScanner,  #
     PdfScanner,  #
     Pkcs12Scanner,  #
     PptxScanner,  #
@@ -106,6 +108,9 @@ def get_deep_scanners(data: bytes, file_type: str, depth: int) -> Tuple[List[Any
         elif Util.is_bzip2(data):
             if 0 < depth:
                 deep_scanners.append(Bzip2Scanner)
+        elif Util.is_lzma(data):
+            if 0 < depth:
+                deep_scanners.append(LzmaScanner)
         elif Util.is_tar(data):
             if 0 < depth:
                 deep_scanners.append(TarScanner)
@@ -239,15 +244,18 @@ def recursive_scan(
                 recursive_limit_size: maximal bytes of opened files to prevent recursive zip-bomb attack
         """
         candidates: List[Candidate] = []
-        logger.debug("Start data_scan: size=%d, depth=%d, limit=%d, path=%s, info=%s", len(data_provider.data), depth,
-                     recursive_limit_size, data_provider.file_path, data_provider.info)
-
         if 0 > depth:
             # break recursion if maximal depth is reached
-            logger.debug("bottom reached %s recursive_limit_size:%d", data_provider.file_path, recursive_limit_size)
+            logger.debug("Bottom reached %s recursive_limit_size:%d", data_provider.file_path, recursive_limit_size)
             return candidates
-
         depth -= 1
+        if MIN_DATA_LEN > len(data_provider.data):
+            # break recursion if maximal depth is reached
+            logger.debug("Too small data: size=%d, depth=%d, limit=%d, path=%s, info=%s", len(data_provider.data),
+                         depth, recursive_limit_size, data_provider.file_path, data_provider.info)
+            return candidates
+        logger.debug("Start data_scan: size=%d, depth=%d, limit=%d, path=%s, info=%s", len(data_provider.data), depth,
+                     recursive_limit_size, data_provider.file_path, data_provider.info)
 
         if FilePathExtractor.is_find_by_ext_file(self.config, data_provider.file_type):
             # Skip scanning file and makes fake candidate due the extension is suspicious

credsweeper/deep_scanner/lzma_scanner.py

@@ -0,0 +1,40 @@
+import logging
+import lzma
+from abc import ABC
+from pathlib import Path
+from typing import List, Optional
+
+from credsweeper.credentials import Candidate
+from credsweeper.deep_scanner.abstract_scanner import AbstractScanner
+from credsweeper.file_handler.data_content_provider import DataContentProvider
+from credsweeper.utils import Util
+
+logger = logging.getLogger(__name__)
+
+
+class LzmaScanner(AbstractScanner, ABC):
+    """Implements lzma scanning"""
+
+    def data_scan(
+            self,  #
+            data_provider: DataContentProvider,  #
+            depth: int,  #
+            recursive_limit_size: int) -> Optional[List[Candidate]]:
+        """Extracts data from lzma archive and launches data_scan"""
+        try:
+            file_path = Path(data_provider.file_path)
+            new_path = file_path.as_posix()
+            if ".xz" == file_path.suffix:
+                new_path = new_path[:-3]
+            elif ".lzma" == file_path.suffix:
+                new_path = new_path[:-5]
+            lzma_content_provider = DataContentProvider(data=lzma.decompress(data_provider.data),
+                                                        file_path=new_path,
+                                                        file_type=Util.get_extension(new_path),
+                                                        info=f"{data_provider.info}|LZMA:{file_path}")
+            new_limit = recursive_limit_size - len(lzma_content_provider.data)
+            lzma_candidates = self.recursive_scan(lzma_content_provider, depth, new_limit)
+            return lzma_candidates
+        except Exception as lzma_exc:
+            logger.error(f"{data_provider.file_path}:{lzma_exc}")
+        return None

credsweeper/secret/config.json

@@ -2,10 +2,13 @@
     "exclude": {
         "pattern": [],
         "containers": [
+            ".aar",
             ".apk",
             ".bz2",
             ".gz",
+            ".lzma",
             ".tar",
+            ".xz",
             ".zip"
         ],
         "documents": [
@@ -20,17 +23,20 @@
         ],
         "extension": [
             ".7z",
+            ".a",
             ".aac",
-            ".aar",
             ".avi",
+            ".bin",
             ".bmp",
             ".class",
             ".css",
             ".dmg",
             ".ear",
             ".eot",
+            ".elf",
             ".exe",
             ".gif",
+            ".gmo",
             ".ico",
             ".img",
             ".info",
@@ -45,17 +51,21 @@
             ".mp4",
             ".npy",
             ".npz",
+            ".obj",
             ".ogg",
             ".pak",
             ".png",
             ".psd",
             ".pyc",
             ".pyd",
             ".pyo",
+            ".rar",
             ".rc",
             ".rc2",
             ".rar",
             ".realm",
+            ".res",
+            ".rpm",
             ".s7z",
             ".scss",
             ".so",
@@ -70,6 +80,7 @@
             ".wav",
             ".webm",
             ".webp",
+            ".wma",
             ".woff",
             ".yuv"
         ],

credsweeper/utils/util.py

@@ -161,6 +161,7 @@ def is_known(data: bytes) -> bool:
                 or Util.is_gzip(data) \
                 or Util.is_tar(data) \
                 or Util.is_bzip2(data) \
+                or Util.is_lzma(data) \
                 or Util.is_com(data) \
                 or Util.is_pdf(data) \
                 or Util.is_elf(data):
@@ -459,6 +460,14 @@ def is_jks(data: bytes) -> bool:
                 return True
         return False
 
+    @staticmethod
+    def is_lzma(data: bytes) -> bool:
+        """According https://en.wikipedia.org/wiki/List_of_file_signatures - lzma also xz"""
+        if isinstance(data, bytes) and 6 <= len(data):
+            if data.startswith(b"\xFD\x37\x7A\x58\x5A\x00") or data.startswith(b"\x5D\x00\x00"):
+                return True
+        return False
+
     @staticmethod
     def is_asn1(data: bytes) -> bool:
         """Only sequence type 0x30 and size correctness is checked"""

experiment/src/data_loader.py

@@ -43,10 +43,7 @@ def read_detected_data(file_path: str) -> Dict[identifier, Dict]:
         # skip not ML values like private keys and so on. Unsupported for ml train. "use_ml" rules ONLY
         assert 0 < len(cred["line_data_list"]), cred  # at least, one line_data_list must present
         line_data = deepcopy(cred["line_data_list"][0])
-        if hasattr(line_data, "entropy_validation"):
-            line_data.pop("entropy_validation")
-        if hasattr(line_data, "entropy"):
-            line_data.pop("entropy")
+        line_data.pop("entropy")
         line_data.pop("info")
         line_data["line"] = None  # will be read during join_label with data for ML input only
         meta_path = transform_to_meta_path(line_data["path"])

fuzz/re-fuzzing.sh

@@ -21,6 +21,12 @@ find $PARENTDIR/tests/samples/* -type f -print0 | while IFS= read -r -d '' f; do
     rm -vf $PARENTDIR/$CORPUS_DIR/$s.bz2
     bzip2 -k $PARENTDIR/$CORPUS_DIR/$s
     mv -vf $PARENTDIR/$CORPUS_DIR/$s.bz2 $PARENTDIR/$CORPUS_DIR/$(sha1sum $PARENTDIR/$CORPUS_DIR/$s.bz2 | cut -c-40)
+    rm -vf $PARENTDIR/$CORPUS_DIR/$s.xz
+    xz -z -k $PARENTDIR/$CORPUS_DIR/$s
+    mv -vf $PARENTDIR/$CORPUS_DIR/$s.xz $PARENTDIR/$CORPUS_DIR/$(sha1sum $PARENTDIR/$CORPUS_DIR/$s.xz | cut -c-40)
+    rm -vf $PARENTDIR/$CORPUS_DIR/$s.lzma
+    lzma -z -k $PARENTDIR/$CORPUS_DIR/$s
+    mv -vf $PARENTDIR/$CORPUS_DIR/$s.lzma $PARENTDIR/$CORPUS_DIR/$(sha1sum $PARENTDIR/$CORPUS_DIR/$s.lzma | cut -c-40)
     # produce zip archive with simple file names
     rm -vf $PARENTDIR/$CORPUS_DIR/$s.zip
     zip -j -9 -D $PARENTDIR/$CORPUS_DIR/$s.zip $f

tests/__init__.py

@@ -1,7 +1,7 @@
 from pathlib import Path
 
 # total number of files in test samples
-SAMPLES_FILES_COUNT = 151
+SAMPLES_FILES_COUNT = 153
 
 # the lowest value of ML threshold is used to display possible lowest values
 NEGLIGIBLE_ML_THRESHOLD = 0.0001
@@ -20,7 +20,7 @@
 SAMPLES_IN_DOC = 778
 
 # archived credentials that are not found without --depth
-SAMPLES_IN_DEEP_1 = SAMPLES_POST_CRED_COUNT + 92
+SAMPLES_IN_DEEP_1 = SAMPLES_POST_CRED_COUNT + 98
 SAMPLES_IN_DEEP_2 = SAMPLES_IN_DEEP_1 + 5
 SAMPLES_IN_DEEP_3 = SAMPLES_IN_DEEP_2 + 1