def test_eml_contains_eml(mocker):
def executeCommand(name, args=None):
if name == 'getFilePath':
return [
{
'Type': entryTypes['note'],
'Contents': {
'path': 'test_data/Fwd_test-inner_attachment_eml.eml',
'name': 'Fwd_test-inner_attachment_eml.eml'
}
}
]
elif name == 'getEntry':
return [
{
'Type': entryTypes['file'],
'FileMetadata': {
'info': 'news or mail text, ASCII text'
}
}
]
else:
raise ValueError('Unimplemented command called: {}'.format(name))
mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
main()
assert demisto.results.call_count == 5
# call_args is tuple (args list, kwargs). we only need the first one
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email'][0]['Subject'] == 'Fwd: test - inner attachment eml'
assert 'ArcSight_ESM_fixes.yml' in results[0]['EntryContext']['Email'][0]['Attachments']
assert 'test - inner attachment eml.eml' in results[0]['EntryContext']['Email'][0]['Attachments']
assert results[0]['EntryContext']['Email'][0]['Depth'] == 0
assert results[0]['EntryContext']['Email'][1]["Subject"] == 'test - inner attachment eml'
assert 'CS Training 2019 - EWS.pptx' in results[0]['EntryContext']['Email'][1]["Attachments"]
assert results[0]['EntryContext']['Email'][1]['Depth'] == 1
def test_eml_contains_msg(mocker):
def executeCommand(name, args=None):
if name == 'getFilePath':
return [
{
'Type': entryTypes['note'],
'Contents': {
'path': 'test_data/DONT_OPEN-MALICIOS.eml',
'name': 'DONT_OPEN-MALICIOS.eml'
}
}
]
elif name == 'getEntry':
return [
{
'Type': entryTypes['file'],
'FileMetadata': {
'info': 'news or mail text, ASCII text'
}
}
]
else:
raise ValueError('Unimplemented command called: {}'.format(name))
mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
main()
assert demisto.results.call_count == 3
# call_args is tuple (args list, kwargs). we only need the first one
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email'][0]['Subject'] == 'DONT OPEN - MALICIOS'
assert results[0]['EntryContext']['Email'][0]['Depth'] == 0
assert 'Attacker+email+.msg' in results[0]['EntryContext']['Email'][0]['Attachments']
assert results[0]['EntryContext']['Email'][1]["Subject"] == 'Attacker email '
assert results[0]['EntryContext']['Email'][1]['Depth'] == 1
def test_eml_contains_eml_depth(mocker):
def executeCommand(name, args=None):
if name == 'getFilePath':
return [
{
'Type': entryTypes['note'],
'Contents': {
'path': 'test_data/Fwd_test-inner_attachment_eml.eml',
'name': 'Fwd_test-inner_attachment_eml.eml'
}
}
]
elif name == 'getEntry':
return [
{
'Type': entryTypes['file'],
'FileMetadata': {
'info': 'news or mail text, ASCII text'
}
}
]
else:
raise ValueError('Unimplemented command called: {}'.format(name))
mocker.patch.object(demisto, 'args', return_value={'entryid': 'test', 'max_depth': '1'})
mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
main()
assert demisto.results.call_count == 3
# call_args is tuple (args list, kwargs). we only need the first one
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email']['Subject'] == 'Fwd: test - inner attachment eml'
assert 'ArcSight_ESM_fixes.yml' in results[0]['EntryContext']['Email']['Attachments']
assert 'test - inner attachment eml.eml' in results[0]['EntryContext']['Email']['Attachments']
assert isinstance(results[0]['EntryContext']['Email'], dict)
assert results[0]['EntryContext']['Email']['Depth'] == 0
def test_eml_base64_header_comment_although_string(mocker):
def executeCommand(name, args=None):
if name == 'getFilePath':
return [{
'Type': entryTypes['note'],
'Contents': {
'path': 'test_data/DONT_OPEN-MALICIOUS_base64_headers.eml',
'name': 'DONT_OPEN-MALICIOUS_base64_headers.eml'
}
}]
elif name == 'getEntry':
return [{
'Type': entryTypes['file'],
'FileMetadata': {
'info':
'UTF-8 Unicode text, with very long lines, with CRLF line terminators'
}
}]
else:
raise ValueError('Unimplemented command called: {}'.format(name))
mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
main()
assert demisto.results.call_count == 3
# call_args is tuple (args list, kwargs). we only need the first one
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email'][0][
'Subject'] == 'DONT OPEN - MALICIOS'
assert results[0]['EntryContext']['Email'][0]['Depth'] == 0
assert 'Attacker+email+.msg' in results[0]['EntryContext']['Email'][0][
'Attachments']
assert results[0]['EntryContext']['Email'][1][
"Subject"] == 'Attacker email'
assert results[0]['EntryContext']['Email'][1]['Depth'] == 1
def test_email_raw_headers(mocker):
mocker.patch.object(demisto, 'args', return_value={'entryid': 'test', 'max_depth': '1'})
mocker.patch.object(demisto, 'executeCommand', side_effect=exec_command_for_file('multiple_to_cc.eml'))
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
main()
assert demisto.results.call_count == 1
# call_args is tuple (args list, kwargs). we only need the first one
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email']['From'] == '*****@*****.**'
assert results[0]['EntryContext']['Email']['To'] == '[email protected], [email protected]'
assert results[0]['EntryContext']['Email']['CC'] == '[email protected], [email protected]'
assert results[0]['EntryContext']['Email']['HeadersMap']['From'] == 'Guy Test <*****@*****.**>'
assert results[0]['EntryContext']['Email']['HeadersMap']['To'] == 'Guy Test <*****@*****.**>' \
', Guy Test1 <*****@*****.**>'
assert results[0]['EntryContext']['Email']['HeadersMap']['CC'] == 'Guy Test <*****@*****.**>, ' \
'Guy Test1 <*****@*****.**>'
def test_only_parts_of_object_email_saved(mocker):
"""
Fixes: https://github.com/demisto/etc/issues/29476
Given:
an eml file with a line break (`\n`) in the payload that has failed due to wring type.
Then:
filter only parts that are of type email.message.Message.
"""
mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
mocker.patch.object(demisto, 'executeCommand', side_effect=exec_command_for_file('new-line-in-parts.eml'))
mocker.patch.object(demisto, 'results')
main()
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email']['AttachmentNames'] == ['logo5.png', 'logo2.png']
def test_email_with_special_character(mocker):
def executeCommand(name, args=None):
if name == 'getFilePath':
return [{
'Type': entryTypes['note'],
'Contents': {
'path': 'test_data/email_with_special_char_bytes.eml',
'name': 'email_with_special_char_bytes.eml'
}
}]
elif name == 'getEntry':
return [{
'Type': entryTypes['file'],
'FileMetadata': {
'info':
'RFC 822 mail text, ISO-8859 text, with very long lines, with CRLF line terminators'
}
}]
else:
raise ValueError('Unimplemented command called: {}'.format(name))
mocker.patch.object(demisto,
'args',
return_value={
'entryid': 'test',
'max_depth': '1'
})
mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
main()
assert demisto.results.call_count == 1
# call_args is tuple (args list, kwargs). we only need the first one
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email'][
'Subject'] == 'Hello dear friend'
def test_eml_contains_msg(mocker):
def executeCommand(name, args=None):
if name == 'getFilePath':
return [
{
'Type': entryTypes['note'],
'Contents': {
'path': 'test_data/DONT_OPEN-MALICIOS.eml',
'name': 'DONT_OPEN-MALICIOS.eml'
}
}
]
elif name == 'getEntry':
return [
{
'Type': entryTypes['file'],
'FileMetadata': {
'info': 'news or mail text, ASCII text'
}
}
]
else:
raise ValueError('Unimplemented command called: {}'.format(name))
mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
main()
assert demisto.results.call_count == 3
# call_args is tuple (args list, kwargs). we only need the first one
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email']['Subject'] == 'DONT OPEN - MALICIOS'
assert 'Attacker+email+.msg' in results[0]['EntryContext']['Email']['Attachments']
assert results[0]['EntryContext']['Email']['AttachedEmails'][0]["Subject"] == 'Attacker email '
def test_eml_smtp_type(mocker):
def executeCommand(name, args=None):
if name == 'getFilePath':
return [
{
'Type': entryTypes['note'],
'Contents': {
'path': 'test_data/smtp_email_type.eml',
'name': 'smtp_email_type.eml'
}
}
]
elif name == 'getEntry':
return [
{
'Type': entryTypes['file'],
'FileMetadata': {
'info': 'SMTP mail, UTF-8 Unicode text, with CRLF terminators'
}
}
]
else:
raise ValueError('Unimplemented command called: {}'.format(name))
mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
# assert demisto.executeCommand('getFilePath', {})[0]['Type'] == entryTypes['note']
main()
assert demisto.results.call_count == 1
# call_args is tuple (args list, kwargs). we only need the first one
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email']['Subject'] == 'Test Smtp Email'
def test_eml_smtp_type(mocker):
def executeCommand(name, args=None):
if name == 'getFilePath':
return [
{
'Type': entryTypes['note'],
'Contents': {
'path': 'test_data/smtp_email_type.eml',
'name': 'smtp_email_type.eml'
}
}
]
elif name == 'getEntry':
return [
{
'Type': entryTypes['file'],
'FileMetadata': {
'info': 'SMTP mail, UTF-8 Unicode text, with CRLF terminators'
}
}
]
else:
raise ValueError('Unimplemented command called: {}'.format(name))
mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
# assert demisto.executeCommand('getFilePath', {})[0]['Type'] == entryTypes['note']
main()
assert demisto.results.call_count == 1
# call_args is tuple (args list, kwargs). we only need the first one
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email']['Subject'] == 'Test Smtp Email'
def test_pkcs7_mime(mocker):
"""
Given: An email file smime2.p7m of type application/pkcs7-mime and info -
MIME entity text, ISO-8859 text, with very long lines, with CRLF line terminators
When: Parsing the email.
Then: The email is parsed correctly.
"""
mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
mocker.patch.object(demisto, 'executeCommand',
side_effect=exec_command_for_file('smime2.p7m',
info='MIME entity text, ISO-8859 text, with very long lines,'
' with CRLF line terminators'))
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
main()
assert demisto.results.call_count == 1
# call_args is tuple (args list, kwargs). we only need the first one
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email']['Subject'] == 'Testing signed multipart email'
def test_eml_contains_htm_attachment_empty_file(mocker):
"""
Given: An email containing both an empty text file and a base64 encoded htm file.
When: Parsing a valid email file with default parameters.
Then: Three entries will be returned to the war room. One containing the command results. Another
containing the empty file. The last contains the htm file.
"""
mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
mocker.patch.object(demisto,
'executeCommand',
side_effect=exec_command_for_file(
'eml_contains_emptytxt_htm_file.eml'))
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
main()
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email'][0]['AttachmentNames'] == [
'unknown_file_name0', 'SomeTest.HTM'
]
def test_eml_contains_base64_encoded_eml(mocker, email_file):
mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
mocker.patch.object(demisto,
'executeCommand',
side_effect=exec_command_for_file(email_file))
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
main()
assert demisto.results.call_count == 3
# call_args is tuple (args list, kwargs). we only need the first one
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email'][0][
'Subject'] == 'Fwd: test - inner attachment eml (base64)'
assert 'message.eml' in results[0]['EntryContext']['Email'][0][
'Attachments']
assert results[0]['EntryContext']['Email'][0]['Depth'] == 0
assert results[0]['EntryContext']['Email'][1][
"Subject"] == 'test - inner attachment eml'
assert results[0]['EntryContext']['Email'][1]['Depth'] == 1
def test_eml_contains_htm_attachment_empty_file_max_depth(mocker):
"""
Given: An email containing both an empty text file and a base64 encoded htm file.
When: Parsing a valid email file with max_depth=1.
Then: One entry containing the command results will be returned to the war room.
"""
mocker.patch.object(demisto,
'args',
return_value={
'entryid': 'test',
'max_depth': 1
})
mocker.patch.object(demisto,
'executeCommand',
side_effect=exec_command_for_file(
'eml_contains_emptytxt_htm_file.eml'))
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
main()
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
def test_email_from_one_line_no_comma_lf(mocker):
"""
Given:
- The email message with a 'From' header that contains a newline.
- Checking an email file that contains '\r\n' in it's 'From' header.
When:
- After parsed email file into Email object
Then:
- Validate that all raw headers are valid.
"""
mocker.patch.object(demisto,
'args',
return_value={
'entryid': 'test',
'max_depth': '3'
})
mocker.patch.object(demisto,
'executeCommand',
side_effect=exec_command_for_file(
'from_one_line_no_comma_LF'
'.eml'))
mocker.patch.object(demisto, 'results')
# validate our mocks are good
assert demisto.args()['entryid'] == 'test'
main()
assert demisto.results.call_count == 1
# call_args is tuple (args list, kwargs). we only need the first one
results = demisto.results.call_args[0]
assert len(results) == 1
assert results[0]['Type'] == entryTypes['note']
assert results[0]['EntryContext']['Email']['From'] == '*****@*****.**'
assert results[0]['EntryContext']['Email']['HeadersMap'][
'From'] == '\"First Last\" <*****@*****.**>'