def visitFirstPathComponent(self, ctx): children = self.visitChildren(ctx) step = children[0].getText() # if step.endswith("_ref"): # return stix2.ReferenceObjectPathComponent(step) # else: return stix2.BasicObjectPathComponent(step)
def visitKeyPathStep(self, ctx): children = self.visitChildren(ctx) if isinstance(children[1], stix2.StringConstant): # special case for hashes return children[1].value else: return stix2.BasicObjectPathComponent(children[1].getText(), is_key=True)
def _element_list_to_object_path(object_type, path_elements): """ Build an AST ObjectPath instance from an object "path" given as a list of strings, ints and the special _INDEX_STAR_STEP object, used for list index "star" steps. The strings are interpreted as property names and the ints/star steps as list indices. :param object_type: The SCO type to use for the ObjectPath instance :param path_elements: The path elements as a list of strings/ints/_INDEX_STAR_STEPs :return: An ObjectPath instance """ path_components = [] i = 0 while i < len(path_elements): elt_i = path_elements[i] if not isinstance(elt_i, str): raise UnsupportedObjectStructureError(object_type, path_elements) if i < len(path_elements) - 1: elt_i1 = path_elements[i + 1] if isinstance(elt_i1, int): component = stix2.ListObjectPathComponent(elt_i, elt_i1) i += 1 elif elt_i1 is _INDEX_STAR_STEP: component = stix2.ListObjectPathComponent(elt_i, "*") i += 1 # ignoring ReferenceObjectPathComponent here. I think the pattern # visitor never uses it(?), so I guess I won't either. else: component = stix2.BasicObjectPathComponent(elt_i, False) else: component = stix2.BasicObjectPathComponent(elt_i, False) path_components.append(component) i += 1 object_path = stix2.ObjectPath(object_type, path_components) return object_path
def test_boolean_expression_with_parentheses(): exp1 = stix2.MatchesComparisonExpression(stix2.ObjectPath("email-message", [stix2.ReferenceObjectPathComponent("from_ref"), stix2.BasicObjectPathComponent("value")]), stix2.StringConstant(".+\\@example\\.com$")) exp2 = stix2.MatchesComparisonExpression("email-message:body_multipart[*].body_raw_ref.name", stix2.StringConstant("^Final Report.+\\.exe$")) exp = stix2.ParentheticalExpression(stix2.AndBooleanExpression([exp1, exp2])) assert str(exp) == "(email-message:from_ref.value MATCHES '.+\\\\@example\\\\.com$' AND email-message:body_multipart[*].body_raw_ref.name MATCHES '^Final Report.+\\\\.exe$')" # noqa