pymisp 2.5.3__py3-none-any.whl → 2.5.7__py3-none-any.whl

tests/test_analyst_data.py

@@ -0,0 +1,123 @@
+#!/usr/bin/env python
+
+from __future__ import annotations
+
+import unittest
+from pymisp import (MISPAttribute, MISPEvent, MISPEventReport, MISPNote,
+                    MISPObject, MISPOpinion)
+from uuid import uuid4
+
+
+class TestAnalystData(unittest.TestCase):
+    def setUp(self) -> None:
+        self.note_dict = {
+            "uuid": uuid4(),
+            "note": "note3"
+        }
+        self.opinion_dict = {
+            "uuid": uuid4(),
+            "opinion": 75,
+            "comment": "Agree"
+        }
+
+    def test_analyst_data_on_attribute(self) -> None:
+        attribute = MISPAttribute()
+        attribute.from_dict(type='filename', value='foo.exe')
+        self._attach_analyst_data(attribute)
+
+    def test_analyst_data_on_attribute_alternative(self) -> None:
+        event = MISPEvent()
+        event.info = 'Test on Attribute'
+        event.add_attribute('domain', 'foo.bar')
+        self._attach_analyst_data(event.attributes[0])
+
+    def test_analyst_data_on_event(self) -> None:
+        event = MISPEvent()
+        event.info = 'Test Event'
+        self._attach_analyst_data(event)
+
+    def test_analyst_data_on_event_report(self) -> None:
+        event_report = MISPEventReport()
+        event_report.from_dict(name='Test Report', content='This is a report')
+        self._attach_analyst_data(event_report)
+
+    def test_analyst_data_on_event_report_alternative(self) -> None:
+        event = MISPEvent()
+        event.info = 'Test on Event Report'
+        event.add_event_report('Test Report', 'This is a report')
+        self._attach_analyst_data(event.event_reports[0])
+
+    def test_analyst_data_on_object(self) -> None:
+        misp_object = MISPObject('file')
+        misp_object.add_attribute('filename', 'foo.exe')
+        self._attach_analyst_data(misp_object)
+
+    def test_analyst_data_on_object_alternative(self) -> None:
+        event = MISPEvent()
+        event.info = 'Test on Object'
+        misp_object = MISPObject('file')
+        misp_object.add_attribute('filename', 'foo.exe')
+        event.add_object(misp_object)
+        self._attach_analyst_data(event.objects[0])
+
+    def test_analyst_data_on_object_attribute(self) -> None:
+        misp_object = MISPObject('file')
+        object_attribute = misp_object.add_attribute('filename', 'foo.exe')
+        self._attach_analyst_data(object_attribute)
+
+    def test_analyst_data_object_object_attribute_alternative(self) -> None:
+        misp_object = MISPObject('file')
+        misp_object.add_attribute('filename', 'foo.exe')
+        self._attach_analyst_data(misp_object.attributes[0])
+
+    def _attach_analyst_data(
+            self, container: MISPAttribute | MISPEvent | MISPEventReport | MISPObject) -> None:
+        object_type = container._analyst_data_object_type
+        note1 = container.add_note(note='note1')
+        opinion1 = note1.add_opinion(opinion=25, comment='Disagree')
+        opinion2 = container.add_opinion(opinion=50, comment='Neutral')
+        note2 = opinion2.add_note(note='note2')
+
+        dict_note = MISPNote()
+        dict_note.from_dict(
+            object_type=object_type, object_uuid=container.uuid, **self.note_dict
+        )
+        note3 = container.add_note(**dict_note)
+        dict_opinion = MISPOpinion()
+        dict_opinion.from_dict(
+            object_type='Note', object_uuid=note3.uuid, **self.opinion_dict
+        )
+        container.add_opinion(**dict_opinion)
+
+        self.assertEqual(len(container.notes), 3)
+        self.assertEqual(len(container.opinions), 3)
+
+        misp_note1, misp_note2, misp_note3 = container.notes
+        misp_opinion1, misp_opinion2, misp_opinion3 = container.opinions
+
+        self.assertEqual(misp_note1.object_type, object_type)
+        self.assertEqual(misp_note1.object_uuid, container.uuid)
+        self.assertEqual(misp_note1.note, 'note1')
+
+        self.assertEqual(misp_note2.object_type, 'Opinion')
+        self.assertEqual(misp_note2.object_uuid, opinion2.uuid)
+        self.assertEqual(misp_note2.note, 'note2')
+
+        self.assertEqual(misp_note3.object_type, object_type)
+        self.assertEqual(misp_note3.object_uuid, container.uuid)
+        self.assertEqual(misp_note3.note, 'note3')
+
+        self.assertEqual(misp_opinion1.object_type, 'Note')
+        self.assertEqual(misp_opinion1.object_uuid, note1.uuid)
+        self.assertEqual(misp_opinion1.opinion, 25)
+        self.assertEqual(misp_opinion1.comment, 'Disagree')
+
+        self.assertEqual(misp_opinion2.object_type, object_type)
+        self.assertEqual(misp_opinion2.object_uuid, container.uuid)
+        self.assertEqual(misp_opinion2.opinion, 50)
+        self.assertEqual(misp_opinion2.comment, 'Neutral')
+
+        self.assertEqual(misp_opinion3.object_type, 'Note')
+        self.assertEqual(misp_opinion3.object_uuid, note3.uuid)
+        self.assertEqual(misp_opinion3.opinion, 75)
+        self.assertEqual(misp_opinion3.comment, 'Agree')

tests/test_emailobject.py

@@ -0,0 +1,157 @@
+from __future__ import annotations
+
+# import json
+import unittest
+
+from email.message import EmailMessage
+from io import BytesIO
+from os import urandom
+from pathlib import Path
+from typing import TypeVar, Type
+from zipfile import ZipFile
+
+from pymisp.tools import EMailObject
+from pymisp.exceptions import PyMISPNotImplementedYet, InvalidMISPObject
+
+T = TypeVar('T', bound='TestEmailObject')
+
+
+class TestEmailObject(unittest.TestCase):
+
+    eml_1: BytesIO
+
+    @classmethod
+    def setUpClass(cls: type[T]) -> None:
+        with ZipFile(Path("tests/email_testfiles/mail_1.eml.zip"), 'r') as myzip:
+            with myzip.open('mail_1.eml', pwd=b'AVs are dumb') as myfile:
+                cls.eml_1 = BytesIO(myfile.read())
+
+    def test_mail_1(self) -> None:
+        email_object = EMailObject(pseudofile=self.eml_1)
+        self.assertEqual(self._get_values(email_object, "subject")[0], "письмо уведом-е")
+        self.assertEqual(self._get_values(email_object, "to")[0], "kinney@noth.com")
+        self.assertEqual(self._get_values(email_object, "from")[0], "suvorov.s@nalg.ru")
+        self.assertEqual(self._get_values(email_object, "from-display-name")[0], "служба ФНС Даниил Суворов")
+        self.assertEqual(len(self._get_values(email_object, "email-body")), 1)
+
+        self.assertEqual(self._get_values(email_object, "received-header-ip"),
+                         ['64.98.42.207', '2603:10b6:207:3d::31',
+                          '2a01:111:f400:7e49::205', '43.230.105.145'])
+
+        self.assertIsInstance(email_object.email, EmailMessage)
+        for file_name, file_content in email_object.attachments:
+            self.assertIsInstance(file_name, str)
+            self.assertIsInstance(file_content, BytesIO)
+
+    def test_mail_1_headers_only(self) -> None:
+        email_object = EMailObject(Path("tests/email_testfiles/mail_1_headers_only.eml"))
+        self.assertEqual(self._get_values(email_object, "subject")[0], "письмо уведом-е")
+        self.assertEqual(self._get_values(email_object, "to")[0], "kinney@noth.com")
+        self.assertEqual(self._get_values(email_object, "from")[0], "suvorov.s@nalg.ru")
+
+        self.assertEqual(len(self._get_values(email_object, "email-body")), 0)
+
+        self.assertIsInstance(email_object.email, EmailMessage)
+        self.assertEqual(len(email_object.attachments), 0)
+
+    def test_mail_multiple_to(self) -> None:
+        email_object = EMailObject(Path("tests/email_testfiles/mail_multiple_to.eml"))
+
+        to = self._get_values(email_object, "to")
+        to_display_name = self._get_values(email_object, "to-display-name")
+        self.assertEqual(to[0], "jan.novak@example.com")
+        self.assertEqual(to_display_name[0], "Novak, Jan")
+        self.assertEqual(to[1], "jan.marek@example.com")
+        self.assertEqual(to_display_name[1], "Marek, Jan")
+
+    def test_msg(self) -> None:
+        # Test result of eml converted to msg is the same
+        eml_email_object = EMailObject(pseudofile=self.eml_1)
+        email_object = EMailObject(Path("tests/email_testfiles/mail_1.msg"))
+
+        self.assertIsInstance(email_object.email, EmailMessage)
+        for file_name, file_content in email_object.attachments:
+            self.assertIsInstance(file_name, str)
+            self.assertIsInstance(file_content, BytesIO)
+
+        self.assertEqual(self._get_values(email_object, "subject")[0],
+                         self._get_values(eml_email_object, "subject")[0])
+        self.assertEqual(self._get_values(email_object, "to")[0],
+                         self._get_values(eml_email_object, "to")[0])
+        self.assertEqual(self._get_values(email_object, "from")[0],
+                         self._get_values(eml_email_object, "from")[0])
+        self.assertEqual(self._get_values(email_object, "from-display-name")[0],
+                         self._get_values(eml_email_object, "from-display-name")[0])
+        self.assertEqual(len(self._get_values(email_object, "email-body")), 2)
+
+        self.assertEqual(self._get_values(email_object, "received-header-ip"),
+                         self._get_values(eml_email_object, "received-header-ip"))
+
+    def test_bom_encoded(self) -> None:
+        """Test utf-8-sig encoded email"""
+        bom_email_object = EMailObject(Path("tests/email_testfiles/mail_1_bom.eml"))
+        eml_email_object = EMailObject(pseudofile=self.eml_1)
+
+        self.assertIsInstance(bom_email_object.email, EmailMessage)
+        for file_name, file_content in bom_email_object.attachments:
+            self.assertIsInstance(file_name, str)
+            self.assertIsInstance(file_content, BytesIO)
+
+        self.assertEqual(self._get_values(bom_email_object, "subject")[0],
+                         self._get_values(eml_email_object, "subject")[0])
+        self.assertEqual(self._get_values(bom_email_object, "to")[0],
+                         self._get_values(eml_email_object, "to")[0])
+        self.assertEqual(self._get_values(bom_email_object, "from")[0],
+                         self._get_values(eml_email_object, "from")[0])
+        self.assertEqual(self._get_values(bom_email_object, "from-display-name")[0],
+                         self._get_values(eml_email_object, "from-display-name")[0])
+        self.assertEqual(len(self._get_values(bom_email_object, "email-body")), 1)
+
+        self.assertEqual(self._get_values(bom_email_object, "received-header-ip"),
+                         self._get_values(eml_email_object, "received-header-ip"))
+
+    def test_handling_of_various_email_types(self) -> None:
+        self._does_not_fail(Path("tests/email_testfiles/mail_2.eml"),
+                            "ensuring all headers work")
+        self._does_not_fail(Path('tests/email_testfiles/mail_3.eml'),
+                            "Check for related content in emails emls")
+        self._does_not_fail(Path('tests/email_testfiles/mail_3.msg'),
+                            "Check for related content in emails msgs")
+        self._does_not_fail(Path('tests/email_testfiles/mail_4.msg'),
+                            "Check that HTML without specific encoding")
+        self._does_not_fail(Path('tests/email_testfiles/mail_5.msg'),
+                            "Check encapsulated HTML works")
+
+    def _does_not_fail(self, path: Path, test_type: str="test") -> None:
+        found_error = None
+        try:
+            EMailObject(path)
+        except Exception as _e:
+            found_error = _e
+        if found_error is not None:
+            self.fail('Error {} raised when parsing test email {} which tests against {}. It should not have raised an error.'.format(
+                type(found_error),
+                path,
+                test_type))
+
+    def test_random_binary_blob(self) -> None:
+        """Email parser fails correctly on random binary blob."""
+        random_data = urandom(1024)
+        random_blob = BytesIO(random_data)
+        found_error = None
+        try:
+            broken_obj = EMailObject(pseudofile=random_data)
+        except Exception as _e:
+            found_error = _e
+        if not isinstance(found_error, InvalidMISPObject):
+            self.fail("Expected InvalidMISPObject when EmailObject receives completely unknown binary input data. But, did not get that exception.")
+        try:
+            broken_obj = EMailObject(pseudofile=random_blob)
+        except Exception as _e:
+            found_error = _e
+        if not isinstance(found_error, InvalidMISPObject):
+            self.fail("Expected InvalidMISPObject when EmailObject receives completely unknown binary input data in a pseudofile. But, did not get that exception.")
+
+    @staticmethod
+    def _get_values(obj: EMailObject, relation: str) -> list[str]:
+        return [attr.value for attr in obj.attributes if attr['object_relation'] == relation]

tests/test_fileobject.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+
+from __future__ import annotations
+
+import unittest
+import json
+from pymisp.tools import FileObject
+import pathlib
+
+
+class TestFileObject(unittest.TestCase):
+    def test_mimeType(self) -> None:
+        file_object = FileObject(filepath=pathlib.Path(__file__))
+        attributes = json.loads(file_object.to_json())['Attribute']
+        mime = next(attr for attr in attributes if attr['object_relation'] == 'mimetype')
+        # was "Python script, ASCII text executable"
+        # libmagic on linux: 'text/x-python'
+        # libmagic on os x:  'text/x-script.python'
+        self.assertEqual(mime['value'][:7], 'text/x-')
+        self.assertEqual(mime['value'][-6:], 'python')