Merge pull request #237 from target/ScanMsi

phutelmyer · web-flow · commit ae887adebafc · 2022-12-08T08:15:52.000-05:00
ScanMsi
diff --git a/.github/workflows/pr-actions.yaml b/.github/workflows/pr-actions.yaml
@@ -17,35 +17,38 @@ jobs:
       - name: Install dependencies
         run: |
           sudo apt-get -q update
-          sudo apt-get install --no-install-recommends -qq automake \
-            build-essential \
-            libfuzzy-dev \
-            gcc \
-            git \
-            libarchive-dev \
-            libmagic-dev \
-            libssl-dev \
-            libzbar0 \
-            libgl1 \
-            python3-setuptools \
-            libgmp-dev \
-            libpcap-dev \
-            libbz2-dev \
-            libgomp1 \
-            python3-dev \
-            python3-wheel \
-            mupdf-tools \
-            mupdf \
-            libglu1-mesa \
-            libtool \
-            pkg-config \
-            swig \
-            tesseract-ocr 
+          sudo apt-get install --no-install-recommends -qq \
+          automake \
+          build-essential \
+          curl \
+          gcc \
+          git \
+          libglu1-mesa \
+          libtool \
+          make \
+          swig \
+          python3-dev \
+          python3-pip \
+          python3-wheel \
+          pkg-config \
+          antiword \
+          libarchive-dev \
+          libfuzzy-dev \
+          libmagic-dev \
+          libssl-dev \
+          libzbar0 \
+          libgl1 \
+          python3-setuptools \
+          redis-server \
+          tesseract-ocr \
+          unrar \
+          upx \
+          jq \
+          exiftool && \
           python -m pip install --upgrade pip
           pip install validators setuptools --upgrade
           pip install --no-cache-dir -r src/python/requirements.txt
       - name: Test with pytest
         run: |
           pytest
       
-
diff --git a/build/python/backend/Dockerfile b/build/python/backend/Dockerfile
@@ -5,7 +5,7 @@ LABEL maintainer="Target Brands, Inc. TTS-CFC-OpenSource@target.com"
 ARG YARA_VERSION=4.2.3
 ARG YARA_PYTHON_VERSION=4.2.3
 ARG CAPA_VERSION=4.0.1
-ARG EXIFTOOL_VERSION=12.48
+ARG EXIFTOOL_VERSION=12.52
 
 # Update packages
 RUN apt-get -qq update && \
diff --git a/configs/python/backend/backend.yaml b/configs/python/backend/backend.yaml
@@ -238,13 +238,13 @@ scanners:
       priority: 5
       options:
         parser: "html5lib"
-  'ScanIni':
-    - positive:
-        filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
-        flavors:
-          - 'ini_file'
-          - 'olecf_file'
-      priority: 5
+#  'ScanIni':
+#    - positive:
+#        filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
+#        flavors:
+#          - 'ini_file'
+#          - 'olecf_file'
+#      priority: 5
   'ScanIso':
     - positive:
         flavors:
@@ -338,6 +338,30 @@ scanners:
         flavors:
           - 'browser_manifest'
       priority: 5
+  'ScanMsi':
+    - positive:
+        flavors:
+          - 'image/vnd.fpx'
+          - 'application/x-msi'
+      priority: 5
+      options:
+        tmp_directory: '/dev/shm/'
+        keys:
+          - 'Author'
+          - 'Characters'
+          - 'Company'
+          - 'CreateDate'
+          - 'LastModifiedBy'
+          - 'Lines'
+          - 'ModifyDate'
+          - 'Pages'
+          - 'Paragraphs'
+          - 'RevisionNumber'
+          - 'Software'
+          - 'Template'
+          - 'Title'
+          - 'TotalEditTime'
+          - 'Words'
   'ScanMmbot':
     - positive:
         flavors:
diff --git a/src/python/strelka/scanners/scan_msi.py b/src/python/strelka/scanners/scan_msi.py
@@ -0,0 +1,57 @@
+import json
+import subprocess
+import tempfile
+
+from strelka import strelka
+
+
+class ScanMsi(strelka.Scanner):
+    """Collects metadata parsed by Exiftool.
+
+    Options:
+        keys: exiftool key values to log in the event.
+            Defaults to all.
+        tmp_directory: Location where tempfile writes temporary files.
+            Defaults to '/tmp/'.
+    """
+
+    def scan(self, data, file, options, expire_at):
+        # Get a list of keys to collect from the MSI file
+        keys = options.get('keys', [])
+
+        # Get the temporary directory to write the MSI file to
+        tmp_directory = options.get('tmp_directory', '/tmp/')
+
+        with tempfile.NamedTemporaryFile(dir=tmp_directory) as tmp_data:
+            # Write the MSI data to the temporary file
+            tmp_data.write(data)
+            tmp_data.flush()
+
+            # Run exiftool to extract metadata from the file
+            try:
+                (stdout, stderr) = subprocess.Popen(
+                    ['exiftool', '-d', '"%s"', '-j', tmp_data.name],
+                    stdout=subprocess.PIPE,
+                    stderr=subprocess.DEVNULL,
+                ).communicate()
+            except Exception as e:
+                # Handle any exceptions raised while running exiftool
+                self.flags.append(f'msi_extract_error: {e}')
+                return
+
+            if stdout:
+                # Load the metadata from exiftool's JSON output
+                try:
+                    exiftool_dictionary = json.loads(stdout)[0]
+                except ValueError as e:
+                    # Handle any errors while parsing the JSON output
+                    self.flags.append(f'msi_parse_error: {e}')
+                    return
+
+                for k, v in exiftool_dictionary.items():
+                    # Only collect the keys specified in the `keys` list
+                    if keys and k not in keys:
+                        continue
+
+                    # Add the metadata key and value to the event
+                    self.event[k] = v
diff --git a/src/python/strelka/tests/fixtures/test.msi b/src/python/strelka/tests/fixtures/test.msi
diff --git a/src/python/strelka/tests/test_scan_msi.py b/src/python/strelka/tests/test_scan_msi.py
@@ -0,0 +1,39 @@
+import datetime
+from pathlib import Path
+from strelka.scanners.scan_msi import ScanMsi
+
+
+def test_scan_msi(mocker):
+    """
+    This tests the ScanMsi scanner.
+    It attempts to validate several given MSI metadata values.
+
+    Pass: Metadata values from file match specified values.
+    Failure: Unable to load file or metadata values do not match specified values.
+    """
+
+    scanner = ScanMsi(
+        {
+            "name": "ScanMsi",
+            "key": "scan_msi",
+            "limits": {"scanner": 10}
+        },
+        "test_coordinate",
+    )
+
+    mocker.patch.object(ScanMsi, "upload_to_coordinator", return_value=None)
+    scanner.scan_wrapper(
+        Path(Path(__file__).parent / "fixtures/test.msi").read_bytes(),
+        {
+            "uid": "12345",
+            "name": "somename"
+        },
+        {
+            "scanner_timeout": 5
+        },
+        datetime.date.today(),
+    )
+
+    assert scanner.event.get("Software") == "InstallShield® X - Professional Edition 10.0"
+    assert scanner.event.get("Keywords") == "Installer,MSI,Database"
+    assert scanner.event.get("Author") == "Microsoft Corporation"
