-
Notifications
You must be signed in to change notification settings - Fork 393
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[taxii2] Infinite loop in handling "next" value #1683
Comments
I think the spirit of the pr was to have a check for next. I would probably recommend rolling back the code and changing it to something like.. if "more" in response and "next" in response and response["more"] == True: |
@daniele2010 what are your thoughts on this? I haven't come across next not being in root, did you have an example response I could review? |
Hi, at the time of the PR the problem happened while I was trying to integrate https://osint.digitalside.it/taxiiserver.html I've debugged the code, below an extract of the response in the PR part:
that next key is checked against a list of id:
maybe @netbroom has a different output from the server, but this is the case where I was working at the time and it seems to work. |
@annoyingapt I think the safest and quickest option at this time is to roll back the commit before adding additional code as
Once the issue is fixed though I agree the connector should check if "next" has a value. I believe "next" should also be different than the current "next" value but not totally sure about that. Otherwise the same request will be made in a loop. @daniele2010 What was the reasoning that "next" must be a collection ID and the job must abort if it isn't? |
I'm not near a laptop for another couple of weeks, so someone else will need to raise a pr to fix this. I haven't looked at the digital side feed yet, but it might be that it more appropriate to use the misp feed connector to consume their feed. Note to whoever fixes this, if you roll back the code, can you merge the change I made here #1657 |
@annoyingapt I created #1686 to apply on top of the latest code in master in the interest of time and so your additional changes would not be lost. |
#1686 merged into master, closing as completed. |
@netbroom the problem is that DigitalSide provides a next string that is a collection id but it is not valid: The response contains this id:
while the root server has only these two collections:
so the next instruction would fail because there is no
I know this is a problem with DigitalSide server but some sort of control on the parameter is still needed, maybe a control on the validity of the UUID? |
@daniele2010 I'm not familiar with DigitalSide but it's possible that is a UUID for an object in the collection, not a collection ID. The
For example if the server uses an integer for indicator IDs stored in the database, the server may provide the last indicator ID in the response so that when the client requests the next page of objects, the server knows where it left off. In our TAXII feed The format of I think the only validation that should be done on |
@daniele2010 can you try the misp-feed connector instead? https://osint.digitalside.it/Threat-Intel/digitalside-misp-feed/ |
@netbroom So since
@annoyingapt thank you, I'll try in the next days, I would have liked to avoid it since I already have a MISP instance and it'd be cleaner to import it from there instead of OpenCTI |
The opencti misp-feed connector pulls misp feeds like circl. No misp needed. That is a different connector. |
Do not validate it. The connector will break. |
I really want to have a deep dive into this feed when I get back. But next should only be used for pagination of a single collection which have more objects than what is available in the request. So the server is basically telling you, use this value as a search and I will bring up the next 100 objects for example. The server should not be trying to daisy chain collections together, there is other code in the python code to cycle between collection ids. |
@annoyingapt yes exactly. For TAXII 2 the collection ID is already in the URL, IE We have a free TAXII 2.1 test collection available to test with here if anyone would like to use it to test this connector. |
@annoyingapt you're right, it shouldn't be done that way but it is still valid, since in The thing that I think is not correct, but please explain to me if I'm wrong, is that in case Moreover, in my case if the client asks for those objects it couldn't find them and it would crash. So, to recap, before my PR there was a bug with the integration that would not let me extract data from digitalside TAXII server, with my PR I have introduced a bug, but the solution I think is not reverse the PR but introduce a fix that would let anyone use any TAXII sever, otherwise we would lose the benefit of using this connector. |
The next variable is being sent as a filter argument. Don't worry, I'll have a look at the feed soon and can update you with what I find. There is also a taxii client built into the opencti gui you can use too, which is independent of this connector. |
I get the feeling that when you changed the code, the uuid in next might not have been a collection id like you thought, so by not matching, you aren't pulling the second request and creating the error you were seeing. But this is all hypothetical. |
@daniele2010 So when
|
For visibility. |
Description
This pull request adds code to check "next" value in TAXII 2.1 against a list of available collections.
However, "next" is not a collection, it's a value that the server provides for pagination based on each server's individual implementation.
From the TAXII 2.1 docs:
This causes the connector to enter an infinite loop:
Environment
Reproduced logic with samples of raw
taxii2.py
code.Reproducible Steps
Add TAXII2.1 feed using connector.
The text was updated successfully, but these errors were encountered: