Merge pull request #207 from obsidianforensics/issue-202

Tighten b64+proto parsing to filter out all digits or all number path…
obsidianforensics · Nov 21, 2024 · a079650 · a079650
2 parents e1dbdf7 + 8049fa0
commit a079650
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -30,7 +30,7 @@ page with an interesting URL, you can click the bookmarklet and see the URL "unf
 
 ### Local Python Install
 
-1. Install via pip: `pip install dfir-unfurl`
+1. Install via pip: `pip install dfir-unfurl[all]`
 
 After Unfurl is installed, you can run use it via the web app or command-line:
 
@@ -87,6 +87,3 @@ optional arguments:
 
 If using Docker as above, run: 
 ``docker exec unfurl python -m unittest discover -s unfurl/tests``
-
-## Legal Bit
-This is not an officially supported Google product.
diff --git a/unfurl/__init__.py b/unfurl/__init__.py
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 __author__ = "Ryan Benson"
-__version__ = "20241120"
+__version__ = "20241121"
 __email__ = "[email protected]"
 
 import logging

diff --git a/unfurl/parsers/parse_protobuf.py b/unfurl/parsers/parse_protobuf.py
@@ -125,8 +125,10 @@ def parse_protobuf_into_nodes(pb_value_dict, pb_types, edge_type=None):
     urlsafe_b64_m = utils.urlsafe_b64_re.fullmatch(node.value)
     standard_b64_m = utils.standard_b64_re.fullmatch(node.value)
     hex_m = utils.hex_re.fullmatch(node.value)
-    all_digits_m = utils.digits_re.fullmatch(node.value)
-    all_letters_m = utils.letters_re.fullmatch(node.value)
+    # Updating to all letters/digits and forward slashes, to catch URL paths that may,
+    # by some chance, validly decode as protobuf, but really aren't.
+    all_digits_m = utils.digits_and_slash_re.fullmatch(node.value)
+    all_letters_m = utils.letters_and_slash_re.fullmatch(node.value)
 
     if hex_m and not (all_digits_m or all_letters_m):
         decoded = bytes.fromhex(node.value)

diff --git a/unfurl/utils.py b/unfurl/utils.py
@@ -24,6 +24,8 @@
 hex_re = re.compile(r'([A-F0-9]{2})+', flags=re.IGNORECASE)
 digits_re = re.compile(r'\d+')
 letters_re = re.compile(r'[A-Z]+', flags=re.IGNORECASE)
+digits_and_slash_re = re.compile(r'[0-9/]+')
+letters_and_slash_re = re.compile(r'[A-Z/]+', flags=re.IGNORECASE)
 float_re = re.compile(r'\d+\.\d+')
 mac_addr_re = re.compile(r'(?P<mac_addr>[0-9A-Fa-f]{12}|([0-9A-Fa-f]:){6})')
 cisco_7_re = re.compile(r'\d{2}[A-F0-9]{4,}', re.IGNORECASE)