assemblyline-v4-service 4.6.0.dev7__py3-none-any.whl → 4.6.0.23__py3-none-any.whl

assemblyline_v4_service/VERSION

@@ -1 +1 @@
-4.6.0.dev7
+4.6.0.23

assemblyline_v4_service/common/api.py

@@ -164,12 +164,11 @@ class PrivilegedServiceAPI:
     def get_safelist(self, tag_list=None):
         if DEVELOPMENT_MODE:
             return {}
-        tag_types = None
 
         if tag_list and not isinstance(tag_list, list):
             raise ValueError("Parameter tag_list should be a list of strings.")
 
-        return self.safelist_client.get_safelisted_tags(tag_types)
+        return self.safelist_client.get_safelisted_tags(tag_list)
 
     def lookup_safelist(self, qhash):
         if DEVELOPMENT_MODE:

assemblyline_v4_service/common/ocr.py

@@ -8,103 +8,76 @@ from assemblyline_v4_service.common.utils import PASSWORD_WORDS
 # The terms related to each indicator category
 OCR_INDICATORS_TERMS: dict[str, list[str]] = {
     "ransomware": [
-        # https://github.com/cuckoosandbox/community/blob/master/modules/signatures/windows/ransomware_message.py
-        "AES 128",
-        "AES 256",
-        "AES-128",
-        "AES-256",
-        "AES128",
-        "AES256",
-        "RSA 1024",
-        "RSA 2048",
-        "RSA 4096",
-        "RSA-1024",
-        "RSA-2048",
-        "RSA-4096",
-        "RSA1024",
-        "RSA2048",
-        "RSA4096",
-        "bitcoin",
-        "bootkit",
-        "decrypt",
-        "download tor",
-        "encrypt",
-        "enter code",
-        "has been locked",
-        "install tor",
-        "pay a fine",
-        "pay fine",
-        "pay the fine",
-        "payment",
-        "personal code",
-        "personal key",
-        "private code",
-        "private key",
-        "ransom",
-        "recover data",
-        "recover data",
-        "recover files",
-        "recover files",
-        "recover personal",
-        "recover the data",
-        "recover the files",
-        "recover them",
-        "recover your",
-        "restore data",
-        "restore files",
-        "restore the data",
-        "restore the files",
-        "rootkit",
-        "secret internet server",
-        "secret server",
-        "tor browser",
-        "tor gateway",
-        "tor-browser",
-        "tor-gateway",
-        "torbrowser",
-        "torgateway",
-        "torproject.org",
-        "unique key",
-        "victim",
-        "your code",
-        "your data",
-        "your documents",
-        "your files",
-        "your key",
-        # https://github.com/CAPESandbox/community/blob/815e21980f4b234cf84e78749447f262af2beef9/modules/signatures/office_macro.py
-        "bank account",
-        # https://github.com/CAPESandbox/community/blob/815e21980f4b234cf84e78749447f262af2beef9/modules/signatures/ransomware_message.py
-        "Attention!",
-        "BTC",
-        "HardwareID",
-        "bit coin",
-        "decrypter",
-        "decryptor",
-        "device ID",
-        "encrypted",
-        "encryption ID",
-        "ethereum",
-        "get back my",
-        "get back your",
-        "localbitcoins",
-        "military grade encryption",
-        "personal ID",
-        "personal identification code",
-        "personal identifier",
-        "recover datarecover the files",
-        "recover my",
-        "restore system",
-        "restore the system",
-        "unique ID",
-        "wallet address",
-        "what happend",
-        "what happened",
-        "your database",
-        "your network",
-        # Other
-        "coin",
-        "ether",
-        "litecoin",
+         "tor browser",
+         "torproject org",
+         "www torproject",
+         "www torproject org",
+         "https www torproject",
+         "https www torproject org",
+         "install tor",
+         "install tor browser",
+         "tor browser https",
+         "files encrypted",
+         "download install tor",
+         "download install tor browser",
+         "browser https www torproject",
+         "decrypt files",
+         "tor browser https www",
+         "private key",
+         "id snip",
+         "download tor",
+         "onion http",
+         "install tor browser https",
+         "https torproject",
+         "https torproject org",
+         "onion snip",
+         "torproject org download",
+         "www torproject org download",
+         "download tor browser",
+         "restore files",
+         "recover files",
+         "decryption software",
+         "pay ransom",
+         "decryption tool",
+         "data loss",
+         "tor browser open",
+         "data encrypted",
+         "important files",
+         "data stolen",
+         "damage files",
+         "decrypt file",
+         "tor browser http",
+         "leaked data",
+         "recover data",
+         "tor browser site",
+         "using tor",
+         "decrypt data",
+         "decrypt file free",
+         "install tor browser site",
+         "key snip",
+         "tor browser site https",
+         "using tor browser",
+         "decryption key",
+         "onion login",
+         "password snip",
+         "site https torproject",
+         "site https torproject org",
+         "tor browser download",
+         "browser https torproject",
+         "browser https torproject org",
+         "browser site https torproject",
+         "permanent data",
+         "permanent data loss",
+         "tor browser https torproject",
+         "torproject org open",
+         "contact soon possible",
+         "delete data",
+         "don try",
+         "encrypted data",
+         "https ibb",
+         "https ibb snip",
+         "ibb snip",
+         "onionmail org",
     ],
     "macros": [
         # https://github.com/cuckoosandbox/community/blob/17d57d46ccbca0327a8299cb93abba8604b74df7/modules/signatures/windows/office_enablecontent_ocr.py

assemblyline_v4_service/common/utils.py

@@ -80,14 +80,14 @@ def __extract_passwords_from_lines(texts, password_word, password_regex):
     password_keyword = f"{password_word}:"
     for line in texts:
         if password_keyword in line.lower():
-            new_passwords = re.split(password_regex, line)
+            new_passwords = set(re.split(password_regex, line))
             index = line.lower().rindex(password_keyword)
             if index > 0 and line[index - 1] != " ":
                 special_char = line[index - 1]
                 if special_char in BRACKET_PAIRS:
                     special_char = BRACKET_PAIRS[special_char]
-                for password in new_passwords:
-                    new_passwords.extend([password[:i] for i, ltr in enumerate(password) if ltr == special_char])
+                for password in list(new_passwords):
+                    new_passwords.update([password[:i] for i, ltr in enumerate(password) if ltr == special_char])
 
                 new_passwords = set(new_passwords)
                 new_passwords.discard("")
@@ -121,7 +121,8 @@ def _is_dev_mode() -> bool:
         stack_trace.seek(0)
         read_stack_trace = stack_trace.read()
 
-        if any(msg in read_stack_trace for msg in ['run_service_once', 'pytest', 'assemblyline_v4_service.testing.helper']):
+        if any(msg in read_stack_trace
+               for msg in ['run_service_once', 'pytest', 'assemblyline_service_utilites.testing.helper']):
             return True
 
     return False

assemblyline_v4_service/dev/run_service_once.py

@@ -1,6 +1,5 @@
 import argparse
 import cProfile
-import importlib
 import json
 import logging
 import os
@@ -9,8 +8,6 @@ import shutil
 import tempfile
 from typing import Dict, Union
 
-from cart import get_metadata_only, unpack_stream
-
 from assemblyline.common import forge
 from assemblyline.common.heuristics import HeuristicHandler, InvalidHeuristicException
 from assemblyline.common.importing import load_module_by_path
@@ -22,11 +19,12 @@ from assemblyline.odm.models.service import Service
 from assemblyline_v4_service.common.base import ServiceBase
 from assemblyline_v4_service.common.helper import get_heuristics, get_service_manifest
 from assemblyline_v4_service.dev.updater import load_rules
+from cart import get_metadata_only, unpack_stream
 
 
 class RunService:
     def __init__(self):
-        self.service: ServiceBase = None
+        self.service: Union[ServiceBase, None] = None
         self.service_class = None
         self.submission_params = None
         self.file_dir = None
@@ -185,7 +183,7 @@ class RunService:
         LOG.info(f"Cleaning up file used for temporary processing: {target_file}")
         os.unlink(target_file)
 
-        if self.service.rules_directory:
+        if self.service.rules_directory and self.service.rules_directory != "/":
             LOG.info("Cleaning up downloaded signatures..")
             shutil.rmtree(self.service.rules_directory)
 

assemblyline_v4_service/run_privileged_service.py

@@ -3,23 +3,22 @@ import json
 import os
 import shutil
 import tempfile
-import yaml
-
-from json import JSONDecodeError
 from io import BytesIO
+from json import JSONDecodeError
+
+import yaml
+from assemblyline_core.server_base import ServerBase
+from assemblyline_core.tasking_client import TaskingClient
 
-from assemblyline.common import forge
 from assemblyline.common.digests import get_sha256_for_file
 from assemblyline.common.importing import load_module_by_path
 from assemblyline.common.metrics import MetricsFactory
 from assemblyline.common.str_utils import StringTable
-from assemblyline.common.version import FRAMEWORK_VERSION, SYSTEM_VERSION, BUILD_MINOR
+from assemblyline.common.version import BUILD_MINOR, FRAMEWORK_VERSION, SYSTEM_VERSION
 from assemblyline.filestore import FileStoreException
-from assemblyline.remote.datatypes import get_client
 from assemblyline.odm.messages.service_heartbeat import Metrics
 from assemblyline.odm.messages.task import Task as ServiceTask
-from assemblyline_core.tasking_client import TaskingClient
-from assemblyline_core.server_base import ServerBase
+from assemblyline.remote.datatypes import get_client
 from assemblyline_v4_service.common.base import is_recoverable_runtime_error
 
 SERVICE_PATH = os.environ['SERVICE_PATH']
@@ -74,7 +73,7 @@ class RunPrivilegedService(ServerBase):
 
         self.status = STATUSES.INITIALIZING
         self.metric_factory = None
-        
+
     def _load_manifest(self):
         bio = BytesIO()
         with open(SERVICE_MANIFEST, "rb") as srv_manifest:
@@ -126,6 +125,7 @@ class RunPrivilegedService(ServerBase):
 
         # Load on-disk manifest for bootstrap/registration
         service_manifest = self._load_manifest()
+        file_required = service_manifest.get('file_required', True)
 
         # Register the service
         registration = self.tasking_client.register_service(service_manifest)
@@ -146,7 +146,6 @@ class RunPrivilegedService(ServerBase):
         self.service_tool_version = self.service.get_tool_version()
         self.metric_factory = MetricsFactory('service', Metrics, name=self.service_name,
                                              export_zero=False, redis=self.redis)
-        file_required = self.service_config.get('file_required', True)
 
         # Start the service
         self.service.start_service()

assemblyline_v4_service/updater/helper.py

@@ -12,6 +12,7 @@ import psutil
 import regex as re
 import requests
 from git import Repo
+from azure.identity import DefaultAzureCredential
 
 from assemblyline.common.digests import get_sha256_for_file
 from assemblyline.common.identify import Identify
@@ -162,7 +163,7 @@ def url_download(source: Dict[str, Any], previous_update: int, logger: Logger, o
                 format = ident_type.split('archive/')[-1]
 
                 # Make sure identified format is supported by the library
-                format = format if format in ["zip", "tar"] else None
+                format = {"zip": "zip", "tar": "tar", "gzip": "gztar"}.get(format)
                 shutil.unpack_archive(file_path, extract_dir=extract_dir, format=format)
 
                 return extract_dir
@@ -187,6 +188,7 @@ def git_clone_repo(source: Dict[str, Any], previous_update: int = None, logger=N
     name = source['name']
     url = source['uri']
     key = source.get('private_key', None)
+    use_managed_identity = source.get('use_managed_identity', False)
     username = source.get('username', None)
     password = source.get('password', None)
     branch = source.get('git_branch', None) or None
@@ -195,15 +197,29 @@ def git_clone_repo(source: Dict[str, Any], previous_update: int = None, logger=N
     ca_cert = source.get("ca_cert")
     proxy = source.get('proxy', None)
     auth = None
-    if username and password:
+    git_env = {}
+
+    if use_managed_identity:
+        # Get Azure managed identity token
+        try:
+            credential = DefaultAzureCredential()
+        except Exception as e:
+            logger.warning(f"No managed identity available: {str(e)}")
+            raise SkipSource()
+        # Get token for Azure DevOps scope
+        token = credential.get_token("499b84ac-1321-427f-aa17-267ca6975798/.default")
+
+        git_env['GIT_CONFIG_COUNT'] = '1'
+        git_env['GIT_CONFIG_KEY_0'] = 'http.extraheader'
+        git_env['GIT_CONFIG_VALUE_0'] = f'AUTHORIZATION: bearer {token.token}'
+        auth = None
+    elif username and password:
         # Basic authentication scheme
         auth = f'{username}:{password}@'
     elif password:
         # Token-based authentication
         auth = f'{password}@'
 
-    git_env = {}
-
     if ignore_ssl_errors:
         git_env['GIT_SSL_NO_VERIFY'] = '1'
 

assemblyline_v4_service/updater/updater.py

@@ -177,7 +177,8 @@ class ServiceUpdater(ThreadedCoreBase):
         return 0
 
     def get_local_update_hash(self) -> str:
-        return hashlib.sha256(open(self._update_tar, "rb").read()).hexdigest()
+        with open(self._update_tar, "rb") as tar_file:
+            return hashlib.sha256(tar_file.read()).hexdigest()
 
     def status(self):
         return {
@@ -584,7 +585,9 @@ class ServiceUpdater(ThreadedCoreBase):
                 source.name: {'classification': source['default_classification'].value}
                 for source in self._service.update_config.sources
             }
-        open(os.path.join(new_directory, SIGNATURES_META_FILENAME), 'w').write(json.dumps(signature_map, indent=2))
+
+        with open(os.path.join(new_directory, SIGNATURES_META_FILENAME), 'w') as meta_file:
+            meta_file.write(json.dumps(signature_map, indent=2))
 
         try:
             # Tar update directory

{assemblyline_v4_service-4.6.0.dev7.dist-info → assemblyline_v4_service-4.6.0.23.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: assemblyline-v4-service
-Version: 4.6.0.dev7
+Version: 4.6.0.23
 Summary: Assemblyline 4 - Service base
 Home-page: https://github.com/CybercentreCanada/assemblyline-v4-service/
 Author: CCCS Assemblyline development team

{assemblyline_v4_service-4.6.0.dev7.dist-info → assemblyline_v4_service-4.6.0.23.dist-info}/RECORD

@@ -1,30 +1,30 @@
-assemblyline_v4_service/VERSION,sha256=RXif7lViUl2L5dgXfZbvMKnNzXb6AtzBTGVMAhZYWeM,11
+assemblyline_v4_service/VERSION,sha256=lNW-OljxL5aGkQmUD36vHwW5TAY2vv5qq0ECHx0RZ24,9
 assemblyline_v4_service/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 assemblyline_v4_service/healthz.py,sha256=3QGBg0EZuXC6UN411HFwpLNEop9UvS9feFhvBUTP-k4,1576
 assemblyline_v4_service/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-assemblyline_v4_service/run_privileged_service.py,sha256=IRqhG5ULKjOuy7-W4Fm_R0xb3HPhBlF5iHwNyRBHIME,14535
+assemblyline_v4_service/run_privileged_service.py,sha256=un2zcZjQVKYwMWihLLmeUc3IMJ6ALnFbR1FPeMW1U2A,14486
 assemblyline_v4_service/run_service.py,sha256=XfdABk3hEZsIw31tmFcJc-FbcxvBF9tiDIlg9oHCtZA,5900
 assemblyline_v4_service/common/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-assemblyline_v4_service/common/api.py,sha256=Xzp8j4HCCfjPvNSGKiZl5ttH2_Itg47cjlH0NXNtth0,6849
+assemblyline_v4_service/common/api.py,sha256=59XcuHxOpR4gSZI0foNqOaRh7IINTGvWD-pjEUrU-jU,6823
 assemblyline_v4_service/common/base.py,sha256=psivTxiOeN2jqL3G3I26oY9JFK-qPuwrg5y_y_d7xYs,14127
 assemblyline_v4_service/common/helper.py,sha256=xs9quuf-M1JOdKieBqOmWaOece0CtzXFhhe85xQYmuY,3289
-assemblyline_v4_service/common/ocr.py,sha256=3fV0PyY3oui_ucAM9dkolP0VRYKACKJuGY4M64DudIE,8841
+assemblyline_v4_service/common/ocr.py,sha256=NgkFqAq2lRzIveYUulKJmiiWYqwf4siYbL59n1Ow02o,8350
 assemblyline_v4_service/common/ontology_helper.py,sha256=9Ad81qbddg_pRMupT8o_KzxbKgpodaRqpc3mPoEKLtw,8494
 assemblyline_v4_service/common/request.py,sha256=W7fqC2xQE3i5i2jlCDyUDp3ZqJQQqSshNW0mQfJMkFg,11792
 assemblyline_v4_service/common/result.py,sha256=9AqM6qCYiia_Bpyn_fBFhzNQMcqJbtFSiGjp57fXW2E,32713
 assemblyline_v4_service/common/task.py,sha256=dJsvRpW0x88CCF_LW6w87jQ_UKTVaOs2Gb117IDNiU8,14233
-assemblyline_v4_service/common/utils.py,sha256=k2__d-V5LjB6o2IKbjVe7tJWKcKuUHto5TyT5oKhIa0,3890
+assemblyline_v4_service/common/utils.py,sha256=FDFsFcI6wt-pWyeQYnDWivsPbtme5RqVyofmNiggh6Y,3922
 assemblyline_v4_service/dev/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-assemblyline_v4_service/dev/run_service_once.py,sha256=wx_82hGwavxWhMsmNDfmlYs4KbcLnqeMg91ZGfXTZV0,10621
+assemblyline_v4_service/dev/run_service_once.py,sha256=W9kR49IUbkt8tNXjCT40ZMh-8p5W_odxlkDx6nhTAYM,10656
 assemblyline_v4_service/dev/updater.py,sha256=b-FK6XPRZbETbl-SIYEhnYGT-W7EcQhnxwD6x2NMC7g,6411
 assemblyline_v4_service/updater/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 assemblyline_v4_service/updater/__main__.py,sha256=9Os-u8Tf7MD73JSrUSPmOaErTgfvesNLiEeszU4ujXA,133
 assemblyline_v4_service/updater/app.py,sha256=Mtmx4bkXfP4nFqqa5q15jW8QIXr4JK84lCovxAVyvPs,3317
 assemblyline_v4_service/updater/client.py,sha256=tLY84gaGdFBVIDaMgRHIEa7x2S8jBl7lQLzp4seC6aI,11200
 assemblyline_v4_service/updater/gunicorn_config.py,sha256=p3j2KPBeD5jvMw9O5i7vAtlRgPSVVxIG9AO0DfN82J8,1247
-assemblyline_v4_service/updater/helper.py,sha256=Zy6OBmbTh0YurW0MnM0wM92vaKYMbo_MKnafe_5ONUI,10034
-assemblyline_v4_service/updater/updater.py,sha256=kli-5v1uVmk2FARAI9DsZ9YM4EhgirkmWJaMJWdm9GI,31795
-assemblyline_v4_service-4.6.0.dev7.dist-info/licenses/LICENCE.md,sha256=NSkYo9EH8h5oOkzg4VhjAHF4339MqPP2cQ8msTPgl-c,1396
+assemblyline_v4_service/updater/helper.py,sha256=OTV6WA77wBDOSVWaxijNg-HpwvEwnZozH03S3Q4oUns,10764
+assemblyline_v4_service/updater/updater.py,sha256=XiqabDp89-t_J6C3U33R-RvA5lMIahFW_MsAVUGyXok,31876
+assemblyline_v4_service-4.6.0.23.dist-info/licenses/LICENCE.md,sha256=NSkYo9EH8h5oOkzg4VhjAHF4339MqPP2cQ8msTPgl-c,1396
 test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 test/conftest.py,sha256=W3SieQpZsZpGEmtLqY4aIlxREDSsHceyCrFcFsWUM0U,1851
 test/test_healthz.py,sha256=DkeLUlrb7rGx3nZ04aADU9HXXu5mZTf_DBwT0xhzIv4,7
@@ -34,13 +34,13 @@ test/test_common/__init__.py,sha256=RkOm3vnVp5L947mD1jTo4bdOgLTZJ24_NX-kqfMn5a8,
 test/test_common/test_api.py,sha256=7wlo7wgB12T23zMLbwjJ3GIomLHqE_Qvs3xkibSsR1U,4902
 test/test_common/test_base.py,sha256=fuJSSlPxIDHq6HU1xbvaMFitw2z1spOZNHD2SJ4UUic,13346
 test/test_common/test_helper.py,sha256=sO6YAiBhKTqaxlpLhFYDuy2ZdbuF2cg07Ylzo83ZzQs,2575
-test/test_common/test_ocr.py,sha256=mt_PgElgwQKJmNrp2nRVx9NjfMedVk40I6IV317vATI,1753
+test/test_common/test_ocr.py,sha256=X_Y3c_yfRljD0o2SRUHuotKLTTX0lD5zW68mzQ7LKu4,1250
 test/test_common/test_ontology_helper.py,sha256=Q9-Eqeo8Ih7XlbFmlUAXCtgnfW8JCDqqlYFb56077h4,10331
-test/test_common/test_request.py,sha256=Ceyds8BNO1O0f1kH1VEb84faJcaupvSjVKIrGdHexsc,11842
-test/test_common/test_result.py,sha256=6BiOKxEPrKBjOY44jv3TY-yiXm0qI1ok_CZBnjP9TM4,45447
+test/test_common/test_request.py,sha256=HiDU1n4Rjso_U0qDME4ohA_9j7rpfqLSD1-e2RfqDYs,11186
+test/test_common/test_result.py,sha256=ZtLUddBDA_BTIjG3Jasbq78_AdEjCRe4cb85XLBwH5o,43585
 test/test_common/test_task.py,sha256=P44mNcSe-3tJgDk9ppN3KbM7oN4LBVIuhONG-Gveh74,19007
 test/test_common/test_utils.py,sha256=TbnBxqpS_ZC5ptXR9XJX3xtbItD0mTbtiBxxdyP8J5k,5904
-assemblyline_v4_service-4.6.0.dev7.dist-info/METADATA,sha256=AN3yICWqA4Zrg2qxniucq_N-mwp-MhTfZvCM5oKYQH4,5623
-assemblyline_v4_service-4.6.0.dev7.dist-info/WHEEL,sha256=CmyFI0kx5cdEMTLiONQRbGQwjIoR1aIYB7eCAQ4KPJ0,91
-assemblyline_v4_service-4.6.0.dev7.dist-info/top_level.txt,sha256=LpTOEaVCatkrvbVq3EZseMSIa2PQZU-2rhuO_FTpZgY,29
-assemblyline_v4_service-4.6.0.dev7.dist-info/RECORD,,
+assemblyline_v4_service-4.6.0.23.dist-info/METADATA,sha256=qlCtnIYJy133FR_xB5Cbv1Mg8RdLqAVLSD4-PpZ8UaM,5621
+assemblyline_v4_service-4.6.0.23.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+assemblyline_v4_service-4.6.0.23.dist-info/top_level.txt,sha256=LpTOEaVCatkrvbVq3EZseMSIa2PQZU-2rhuO_FTpZgY,29
+assemblyline_v4_service-4.6.0.23.dist-info/RECORD,,

{assemblyline_v4_service-4.6.0.dev7.dist-info → assemblyline_v4_service-4.6.0.23.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (78.1.0)
+Generator: setuptools (80.9.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

test/test_common/test_ocr.py

@@ -1,29 +1,29 @@
 import os
-from test.test_common import TESSERACT_LIST
 
 import pytest
+from assemblyline_v4_service.common.ocr import (
+    detections,
+    ocr_detections,
+    update_ocr_config,
+)
+
+from test.test_common import TESSERACT_LIST
 
-from assemblyline_v4_service.common.ocr import ocr_detections, detections, update_ocr_config
 
-@pytest.mark.skipif(len(TESSERACT_LIST) < 1, reason="Requires tesseract-ocr apt package")
+@pytest.mark.skipif(
+    len(TESSERACT_LIST) < 1, reason="Requires tesseract-ocr apt package"
+)
 def test_ocr_detections():
     update_ocr_config()
-    file_path = os.path.join(os.path.dirname(__file__), "b32969aa664e3905c20f865cdd7b921f922678f5c3850c78e4c803fbc1757a8e")
+    file_path = os.path.join(
+        os.path.dirname(__file__),
+        "094177fc6c4642f12fbf6dce18f272227ace95576ff1765384902d2abebf09bf",
+    )
     assert ocr_detections(file_path) == {
-        'ransomware': [
-            "YOUR FILES HAVE BEEN ENCRYPTED AND YOU WON'T BE ABLE TO "
-            'DECRYPT THEM.',
-            'YOU CAN BUY DECRYPTION SOFTWARE FROM US, THIS SOFTWARE WILL '
-            'ALLOW YOU TO RECOVER ALL OF YOUR DATA AND',
-            'RANSOMWARE FROM YOUR COMPUTER. THE PRICE OF THE SOFTWARE IS '
-            '$.2..%.. PAYMENT CAN BE MADE IN BITCOIN OR XMR.',
-            'How 00! PAY, WHERE DO | GET BITCOIN OR XMR?',
-            'YOURSELF TO FIND OUT HOW TO BUY BITCOIN OR XMR.',
-            'PAYMENT INFORMATION: SEND $15, TO ONE OF OUR CRYPTO '
-            'ADDRESSES, THEN SEND US EMAIL WITH PAYMENT',
-            "CONFIRMATION AND YOU'LL GET THE DECRYPTION SOFTWARE IN EMAIL.",
-            "BTC ADDRESS : bciqsht77cpgw7kv420r4secmu88g34wvn96dsyc5s",
-        ],
+        "ransomware": [
+            "YOU CAN BUY DECRYPTION SOFTWARE FROM US, THIS SOFTWARE WILL ALLOW YOU TO RECOVER ALL OF YOUR DATA AND",
+            "CONFIRMATION AND YOU'LL GET THE DECRYPTION KEY IN EMAIL.",
+        ]
     }
 
 
@@ -40,4 +40,6 @@ def test_detections():
     assert detections("blah\nrecover them\nblah") == {}
 
     # Containing two ransomware strings
-    assert detections("blah\nrecover them\nblah\nencrypt") == {"ransomware": ["recover them", "encrypt"]}
+    assert detections("blah\nrecover data\nblah\nencrypted data") == {
+        "ransomware": ["recover data", "encrypted data"]
+    }

test/test_common/test_request.py

@@ -1,7 +1,6 @@
 import os
 import tempfile
 from logging import Logger
-from test.test_common import TESSERACT_LIST, setup_module
 
 import pytest
 from assemblyline_v4_service.common.request import ServiceRequest
@@ -9,6 +8,7 @@ from assemblyline_v4_service.common.result import Result, get_heuristic_primitiv
 from assemblyline_v4_service.common.task import MaxExtractedExceeded, Task
 
 from assemblyline.odm.messages.task import Task as ServiceTask
+from test.test_common import TESSERACT_LIST, setup_module
 
 # Ensure service manifest is instantiated before importing from OCR submodule
 setup_module()
@@ -112,19 +112,19 @@ def test_add_extracted(service_request):
 def test_add_image(service_request):
     image_path = os.path.join(
         os.path.dirname(__file__),
-        "b32969aa664e3905c20f865cdd7b921f922678f5c3850c78e4c803fbc1757a8e")
+        "094177fc6c4642f12fbf6dce18f272227ace95576ff1765384902d2abebf09bf")
 
     # Basic
     assert service_request.add_image(image_path, "image_name", "description of image") == {
         'img': {
             'description': 'description of image',
             'name': 'image_name',
-            'sha256': '09bf99ab5431af13b701a06dc2b04520aea9fd346584fa2a034d6d4af0c57329'
+            'sha256': 'f52a9f1cf33e800e804c100908206525d794f15a92d9637dc03226a84e26810f'
         },
         'thumb': {
             'description': 'description of image (thumbnail)',
             'name': 'image_name.thumb',
-            'sha256': '1af0e0d99845493b64cf402b3704170f17ecf15001714016e48f9d4854218901'
+            'sha256': '00b5239a2d010b64e2a35fae38671bdda44c60cc4008af361d98bb1d12a845e8'
         }
     }
 
@@ -139,7 +139,7 @@ def test_add_image(service_request):
             'is_supplementary': True,
             'name': 'image_name',
             'parent_relation': 'INFORMATION',
-            'sha256': '09bf99ab5431af13b701a06dc2b04520aea9fd346584fa2a034d6d4af0c57329'
+            'sha256': 'f52a9f1cf33e800e804c100908206525d794f15a92d9637dc03226a84e26810f'
         },
         {
             'allow_dynamic_recursion': False,
@@ -149,7 +149,7 @@ def test_add_image(service_request):
             'is_supplementary': True,
             'name': 'image_name.thumb',
             'parent_relation': 'INFORMATION',
-            'sha256': '1af0e0d99845493b64cf402b3704170f17ecf15001714016e48f9d4854218901'
+            'sha256': '00b5239a2d010b64e2a35fae38671bdda44c60cc4008af361d98bb1d12a845e8'
         },
     ]
 
@@ -164,31 +164,19 @@ def test_add_image(service_request):
     assert data["img"] == {
         'description': 'description of image',
         'name': 'image_name',
-        'sha256': '09bf99ab5431af13b701a06dc2b04520aea9fd346584fa2a034d6d4af0c57329'
+        'sha256': 'f52a9f1cf33e800e804c100908206525d794f15a92d9637dc03226a84e26810f'
     }
     assert data["thumb"] == {
         'description': 'description of image (thumbnail)',
         'name': 'image_name.thumb',
-        'sha256': '1af0e0d99845493b64cf402b3704170f17ecf15001714016e48f9d4854218901'
+        'sha256': '00b5239a2d010b64e2a35fae38671bdda44c60cc4008af361d98bb1d12a845e8'
     }
     assert data["ocr_section"].__dict__["section_body"].__dict__ == {
         '_config': {},
         '_data': {
-            'ransomware': [
-                "YOUR FILES HAVE BEEN ENCRYPTED AND YOU WON'T BE "
-                'ABLE TO DECRYPT THEM.',
-                'YOU CAN BUY DECRYPTION SOFTWARE FROM US, THIS '
-                'SOFTWARE WILL ALLOW YOU TO RECOVER ALL OF YOUR DATA '
-                'AND',
-                'RANSOMWARE FROM YOUR COMPUTER. THE PRICE OF THE '
-                'SOFTWARE IS $.2..%.. PAYMENT CAN BE MADE IN BITCOIN '
-                'OR XMR.',
-                'How 00! PAY, WHERE DO | GET BITCOIN OR XMR?',
-                'YOURSELF TO FIND OUT HOW TO BUY BITCOIN OR XMR.',
-                'PAYMENT INFORMATION: SEND $15, TO ONE OF OUR CRYPTO '
-                'ADDRESSES, THEN SEND US EMAIL WITH PAYMENT',
-                "CONFIRMATION AND YOU'LL GET THE DECRYPTION SOFTWARE IN EMAIL.",
-                "BTC ADDRESS : bciqsht77cpgw7kv420r4secmu88g34wvn96dsyc5s",
+            "ransomware": [
+                "YOU CAN BUY DECRYPTION SOFTWARE FROM US, THIS SOFTWARE WILL ALLOW YOU TO RECOVER ALL OF YOUR DATA AND",
+                "CONFIRMATION AND YOU'LL GET THE DECRYPTION KEY IN EMAIL.",
             ]
         },
         '_format': 'KEY_VALUE'
@@ -197,8 +185,8 @@ def test_add_image(service_request):
     heur_dict = get_heuristic_primitives(data["ocr_section"].__dict__["_heuristic"])
 
     assert heur_dict == {
-        'heur_id': 1, 'score': 1200, 'attack_ids': ['T1005'],
-        'signatures': {'ransomware_strings': 8},
+        'heur_id': 1, 'score': 500, 'attack_ids': ['T1005'],
+        'signatures': {'ransomware_strings': 2},
         'frequency': 0, 'score_map': {}}
 
     assert service_request.temp_submission_data == {}

test/test_common/test_result.py

@@ -1,17 +1,50 @@
-from assemblyline.odm.messages.task import Task as ServiceTask
-from assemblyline_v4_service.common.task import Task
-from assemblyline_v4_service.common.result import (
-    BODY_FORMAT, DividerSectionBody, GraphSectionBody, Heuristic, ImageSectionBody, InvalidFunctionException,
-    InvalidHeuristicException, JSONSectionBody, KVSectionBody, MemorydumpSectionBody, MultiSectionBody,
-    OrderedKVSectionBody, ProcessItem, ProcessTreeSectionBody, Result, ResultAggregationException, ResultGraphSection,
-    ResultImageSection, ResultJSONSection, ResultKeyValueSection, ResultMemoryDumpSection, ResultMultiSection,
-    ResultOrderedKeyValueSection, ResultProcessTreeSection, ResultSection, ResultTableSection, ResultTextSection,
-    ResultTimelineSection, ResultURLSection, SectionBody, TableRow, TableSectionBody, TextSectionBody,
-    TimelineSectionBody, TypeSpecificResultSection, URLSectionBody, get_heuristic_primitives)
-from assemblyline_v4_service.common.request import ServiceRequest
-import pytest
 import os
 import tempfile
+
+import pytest
+from assemblyline_v4_service.common.request import ServiceRequest
+from assemblyline_v4_service.common.result import (
+    BODY_FORMAT,
+    DividerSectionBody,
+    GraphSectionBody,
+    Heuristic,
+    ImageSectionBody,
+    InvalidFunctionException,
+    InvalidHeuristicException,
+    JSONSectionBody,
+    KVSectionBody,
+    MemorydumpSectionBody,
+    MultiSectionBody,
+    OrderedKVSectionBody,
+    ProcessItem,
+    ProcessTreeSectionBody,
+    Result,
+    ResultAggregationException,
+    ResultGraphSection,
+    ResultImageSection,
+    ResultJSONSection,
+    ResultKeyValueSection,
+    ResultMemoryDumpSection,
+    ResultMultiSection,
+    ResultOrderedKeyValueSection,
+    ResultProcessTreeSection,
+    ResultSection,
+    ResultTableSection,
+    ResultTextSection,
+    ResultTimelineSection,
+    ResultURLSection,
+    SectionBody,
+    TableRow,
+    TableSectionBody,
+    TextSectionBody,
+    TimelineSectionBody,
+    TypeSpecificResultSection,
+    URLSectionBody,
+    get_heuristic_primitives,
+)
+from assemblyline_v4_service.common.task import Task
+
+from assemblyline.odm.messages.task import Task as ServiceTask
 from test.test_common import TESSERACT_LIST, setup_module
 
 # Ensure service manifest is instantiated before importing from OCR submodule
@@ -602,18 +635,18 @@ def test_imagesectionbody_add_image(service_request):
     isb = ImageSectionBody(service_request)
     image_path = os.path.join(
         os.path.dirname(__file__),
-        "b32969aa664e3905c20f865cdd7b921f922678f5c3850c78e4c803fbc1757a8e")
+        "094177fc6c4642f12fbf6dce18f272227ace95576ff1765384902d2abebf09bf")
 
     # Basic
     assert isb.add_image(image_path, "image_name", "description of image") is None
     assert isb._data == [
         {'img': {
             'name': 'image_name',
-            'sha256': '09bf99ab5431af13b701a06dc2b04520aea9fd346584fa2a034d6d4af0c57329',
+            'sha256': 'f52a9f1cf33e800e804c100908206525d794f15a92d9637dc03226a84e26810f',
             'description': 'description of image'},
          'thumb': {
              'name': 'image_name.thumb',
-             'sha256': '1af0e0d99845493b64cf402b3704170f17ecf15001714016e48f9d4854218901',
+             'sha256': '00b5239a2d010b64e2a35fae38671bdda44c60cc4008af361d98bb1d12a845e8',
              'description': 'description of image (thumbnail)'}}]
 
     isb._data.clear()
@@ -623,23 +656,15 @@ def test_imagesectionbody_add_image(service_request):
     _, path = tempfile.mkstemp()
     ocr_io = open(path, "w")
     assert isb.add_image(image_path, "image_name", "description of image", "TLP:A", ocr_heuristic_id,
-                         ocr_io).body == '{"ransomware": ["YOUR FILES HAVE BEEN ENCRYPTED AND YOU WON\'T BE ABLE TO ' \
-                                         'DECRYPT THEM.", "YOU CAN BUY DECRYPTION SOFTWARE FROM US, THIS SOFTWARE ' \
-                                         'WILL ALLOW YOU TO RECOVER ALL OF YOUR DATA AND", "RANSOMWARE FROM YOUR ' \
-                                         'COMPUTER. THE PRICE OF THE SOFTWARE IS $.2..%.. PAYMENT CAN BE MADE IN ' \
-                                         'BITCOIN OR XMR.", "How 00! PAY, WHERE DO | GET BITCOIN OR XMR?", "YOURSELF ' \
-                                         'TO FIND OUT HOW TO BUY BITCOIN OR XMR.", "PAYMENT INFORMATION: SEND $15, ' \
-                                         'TO ONE OF OUR CRYPTO ADDRESSES, THEN SEND US EMAIL WITH PAYMENT", ' \
-                                         '"CONFIRMATION AND YOU\'LL GET THE DECRYPTION SOFTWARE IN EMAIL.", ' \
-                                         '"BTC ADDRESS : bciqsht77cpgw7kv420r4secmu88g34wvn96dsyc5s"]}'
+                         ocr_io).body == '{"ransomware": ["YOU CAN BUY DECRYPTION SOFTWARE FROM US, THIS SOFTWARE WILL ALLOW YOU TO RECOVER ALL OF YOUR DATA AND", "CONFIRMATION AND YOU\'LL GET THE DECRYPTION KEY IN EMAIL."]}'
     assert isb._data == [
         {'img': {
             'name': 'image_name',
-            'sha256': '09bf99ab5431af13b701a06dc2b04520aea9fd346584fa2a034d6d4af0c57329',
+            'sha256': 'f52a9f1cf33e800e804c100908206525d794f15a92d9637dc03226a84e26810f',
             'description': 'description of image'},
          'thumb': {
             'name': 'image_name.thumb',
-            'sha256': '1af0e0d99845493b64cf402b3704170f17ecf15001714016e48f9d4854218901',
+            'sha256': '00b5239a2d010b64e2a35fae38671bdda44c60cc4008af361d98bb1d12a845e8',
             'description': 'description of image (thumbnail)'}}]
 
 
@@ -1281,18 +1306,18 @@ def test_resultimagesection_add_image(service_request):
     ris = ResultImageSection(service_request, "title_text_as_str")
 
     image_path = os.path.join(os.path.dirname(__file__),
-                              "b32969aa664e3905c20f865cdd7b921f922678f5c3850c78e4c803fbc1757a8e")
+                              "094177fc6c4642f12fbf6dce18f272227ace95576ff1765384902d2abebf09bf")
 
     # Basic
     assert ris.add_image(image_path, "image_name", "description of image") is None
     assert ris.section_body._data == [{
         'img':
                                       {'name': 'image_name',
-                                       'sha256': '09bf99ab5431af13b701a06dc2b04520aea9fd346584fa2a034d6d4af0c57329',
+                                       'sha256': 'f52a9f1cf33e800e804c100908206525d794f15a92d9637dc03226a84e26810f',
                                        'description': 'description of image'},
                                       'thumb':
                                       {'name': 'image_name.thumb',
-                                       'sha256': '1af0e0d99845493b64cf402b3704170f17ecf15001714016e48f9d4854218901',
+                                       'sha256': '00b5239a2d010b64e2a35fae38671bdda44c60cc4008af361d98bb1d12a845e8',
                                        'description': 'description of image (thumbnail)'}}]
 
     ris = ResultImageSection(service_request, "title_text_as_str")
@@ -1305,11 +1330,11 @@ def test_resultimagesection_add_image(service_request):
     assert ris.section_body._data == [{
         'img':
                                       {'name': 'image_name',
-                                       'sha256': '09bf99ab5431af13b701a06dc2b04520aea9fd346584fa2a034d6d4af0c57329',
+                                       'sha256': 'f52a9f1cf33e800e804c100908206525d794f15a92d9637dc03226a84e26810f',
                                        'description': 'description of image'},
                                       'thumb':
                                       {'name': 'image_name.thumb',
-                                       'sha256': '1af0e0d99845493b64cf402b3704170f17ecf15001714016e48f9d4854218901',
+                                       'sha256': '00b5239a2d010b64e2a35fae38671bdda44c60cc4008af361d98bb1d12a845e8',
                                        'description': 'description of image (thumbnail)'}}]
 
     ris = ResultImageSection(service_request, "title_text_as_str")
@@ -1319,26 +1344,15 @@ def test_resultimagesection_add_image(service_request):
     _, path = tempfile.mkstemp()
     ocr_io = open(path, "w")
     assert ris.add_image(image_path, "image_name", "description of image", "TLP:A", ocr_heuristic_id, ocr_io,
-                         auto_add_ocr_section=False).body == '{"ransomware": ["YOUR FILES HAVE BEEN ENCRYPTED AND ' \
-                                                             'YOU WON\'T BE ABLE TO DECRYPT THEM.", "YOU CAN BUY ' \
-                                                             'DECRYPTION SOFTWARE FROM US, THIS SOFTWARE WILL ALLOW ' \
-                                                             'YOU TO RECOVER ALL OF YOUR DATA AND", "RANSOMWARE FROM ' \
-                                                             'YOUR COMPUTER. THE PRICE OF THE SOFTWARE IS $.2..%.. ' \
-                                                             'PAYMENT CAN BE MADE IN BITCOIN OR XMR.", "How 00! PAY, ' \
-                                                             'WHERE DO | GET BITCOIN OR XMR?", "YOURSELF TO FIND OUT ' \
-                                                             'HOW TO BUY BITCOIN OR XMR.", "PAYMENT INFORMATION: ' \
-                                                             'SEND $15, TO ONE OF OUR CRYPTO ADDRESSES, THEN SEND ' \
-                                                             'US EMAIL WITH PAYMENT", "CONFIRMATION AND YOU\'LL GET ' \
-                                                             'THE DECRYPTION SOFTWARE IN EMAIL.", "BTC ADDRESS : ' \
-                                                             'bciqsht77cpgw7kv420r4secmu88g34wvn96dsyc5s"]}'
+                         auto_add_ocr_section=False).body == '{"ransomware": ["YOU CAN BUY DECRYPTION SOFTWARE FROM US, THIS SOFTWARE WILL ALLOW YOU TO RECOVER ALL OF YOUR DATA AND", "CONFIRMATION AND YOU\'LL GET THE DECRYPTION KEY IN EMAIL."]}'
     assert ris.section_body._data == [{
         'img': {
             'name': 'image_name',
-            'sha256': '09bf99ab5431af13b701a06dc2b04520aea9fd346584fa2a034d6d4af0c57329',
+            'sha256': 'f52a9f1cf33e800e804c100908206525d794f15a92d9637dc03226a84e26810f',
             'description': 'description of image'},
         'thumb': {
             'name': 'image_name.thumb',
-            'sha256': '1af0e0d99845493b64cf402b3704170f17ecf15001714016e48f9d4854218901',
+            'sha256': '00b5239a2d010b64e2a35fae38671bdda44c60cc4008af361d98bb1d12a845e8',
             'description': 'description of image (thumbnail)'}}]
 
     # Ensure that the image files added are marked as `is_image_section`