def extract_file_rpm(cls, filename, extraction_path):
""" Extract rpm packages """
if sys.platform.startswith("linux"):
if not inpath("rpm2cpio") or not inpath("cpio"):
raise Exception(
"'rpm2cpio' and 'cpio' are required to extract rpm files")
else:
with popen_ctx(["rpm2cpio", filename],
stdout=subprocess.PIPE) as proc:
return subprocess.call(["cpio", "-idmv"],
stdin=proc.stdout,
cwd=extraction_path)
else:
if not inpath("7z"):
raise Exception("7z is required to extract rpm files")
else:
cpio_path = filename.split("\\")
cpio_path = "\\".join(cpio_path[:len(cpio_path) - 1])
subprocess.call(f'7z x {filename} -o"{cpio_path}"')
for file in os.listdir(cpio_path):
if "cpio" in file:
filename = cpio_path + "\\" + file
subprocess.call(f'7z x {filename} -o"{extraction_path}"')
if os.path.isfile(filename):
os.remove(filename)
def setup_method(self):
assert inpath("ar"), "Required tool 'ar' not found"
download_file(TMUX_DEB, os.path.join(self.tempdir, "test.deb"))
shutil.copyfile(
os.path.join(self.tempdir, "test.deb"),
os.path.join(self.tempdir, "test.ipk"),
)
def extract_file_zip(cls, filename, extraction_path):
""" Extract zip files """
if not inpath("unzip"):
shutil.unpack_archive(filename, extraction_path)
else:
return subprocess.call(
["unzip", "-qq", "-n", "-d", extraction_path, filename])
def setUp(self):
self.assertTrue(inpath("ar"), msg="Required tool 'ar' not found")
download_file(TMUX_DEB, os.path.join(self.tempdir, "test.deb"))
shutil.copyfile(
os.path.join(self.tempdir, "test.deb"),
os.path.join(self.tempdir, "test.ipk"),
)
def is_executable(self, filename):
"""check if file is an ELF binary file"""
output = None
if inpath("file"):
# use system file if available (for performance reasons)
output = subprocess.check_output(["file", filename])
output = output.decode(sys.stdout.encoding)
if "cannot open" in output:
self.logger.warning(
f"Unopenable file {filename} cannot be scanned")
return False, None
if (("LSB " not in output) and ("LSB shared" not in output)
and ("LSB executable" not in output)
and ("PE32 executable" not in output)
and ("PE32+ executable" not in output)
and ("Mach-O" not in output)
and ("PKG-INFO: " not in output)
and ("METADATA: " not in output)
and ("pom.xml" not in output)):
return False, None
# otherwise use python implementation of file
elif not is_binary(filename):
return False, None
return True, output
def scan_file(self, filename):
"""Scans a file to see if it contains any of the target libraries,
and whether any of those contain CVEs"""
self.logger.debug(f"Scanning file: {filename}")
self.total_scanned_files += 1
# Do not try to scan symlinks
if os.path.islink(filename):
return None
# Ensure filename is a file
if not os.path.isfile(filename):
self.logger.warning(f"Invalid file {filename} cannot be scanned")
return None
# step 1: check if it's an ELF binary file
if inpath("file"):
# use system file if available (for performance reasons)
o = subprocess.check_output(["file", filename])
o = o.decode(sys.stdout.encoding)
if "cannot open" in o:
self.logger.warning(
f"Unopenable file {filename} cannot be scanned")
return None
if (("LSB " not in o) and ("LSB shared" not in o)
and ("LSB executable" not in o)
and ("PE32 executable" not in o)
and ("PE32+ executable" not in o) and ("Mach-O" not in o)):
return None
# otherwise use python implementation of file
elif not is_binary(filename):
return None
# parse binary file's strings
if inpath("strings"):
# use "strings" on system if available (for performance)
o = subprocess.check_output(["strings", filename])
lines = o.decode("utf-8").splitlines()
else:
# Otherwise, use python implementation
s = Strings(filename)
lines = s.parse()
yield from self.run_checkers(filename, lines)
def extract_file_tar(cls, filename, extraction_path):
""" Extract tar files """
if not inpath("tar"):
""" Acutally MinGW provides tar, so this might never get called """
shutil.unpack_archive(filename, extraction_path)
else:
return subprocess.call(
["tar", "-C", extraction_path, "-xf", filename])
def extract_file_deb(cls, filename, extraction_path):
""" Extract debian packages """
if not inpath("ar"):
raise Exception("'ar' is required to extract deb files")
else:
result = subprocess.call(["ar", "x", filename],
cwd=extraction_path)
if result != 0:
return result
if not inpath("tar"):
shutil.unpack_archive(filename, extraction_path)
else:
datafile = glob.glob(
os.path.join(extraction_path, "data.tar.*"))[0]
# flag a is not supported while using x
result = subprocess.call(
["tar", "-C", extraction_path, "-xf", datafile])
return result
def extract_file_cab(cls, filename, extraction_path):
""" Extract cab files """
if sys.platform.startswith("linux"):
if not inpath("cabextract"):
raise Exception(
"'cabextract' is required to extract cab files")
else:
return subprocess.call(
["cabextract", "-d", extraction_path, filename])
else:
subprocess.call(["Expand", filename, "-F:*", extraction_path])
def parse_strings(self, filename):
"""parse binary file's strings"""
if inpath("strings"):
# use "strings" on system if available (for performance)
lines = subprocess.check_output(["strings",
filename]).decode("utf-8")
else:
# Otherwise, use python implementation
s = Strings(filename)
lines = s.parse()
return lines
def setUp(self):
self.assertTrue(inpath("tar"), "Required tool 'tar' not found")
for filename, tarmode in [
("test.tgz", "w:gz"),
("test.tar.gz", "w:gz"),
("test.tar.bz2", "w:bz2"),
("test.tar", "w"),
]:
tarpath = os.path.join(self.tempdir, filename)
tar = tarfile.open(tarpath, mode=tarmode)
data = "feedface".encode("utf-8")
addfile = BytesIO(data)
info = tarfile.TarInfo(name="test.txt")
info.size = len(data)
tar.addfile(tarinfo=info, fileobj=addfile)
tar.close()
if sys.version_info.major == 3 and sys.version_info.minor >= 3:
tarpath = os.path.join(self.tempdir, "test.tar")
tarpath_xz = os.path.join(self.tempdir, "test.tar.xz")
with open(tarpath, "rb") as infile, lzma.open(tarpath_xz,
"w") as outfile:
outfile.write(infile.read())
def test_not_inpath(self):
assert not inpath("cve_bin_tool_test_for_not_in_path")
def test_inpath(self):
"""Test the check to see if a command line utility is installed
and in path before we try to run it."""
assert inpath("python")
def setUp(self):
self.assertTrue(inpath("unzip"), msg="Required tool 'unzip' not found")
for filename in ["test.exe", "test.zip", "test.jar", "test.apk"]:
zippath = os.path.join(self.tempdir, filename)
with ZipFile(zippath, "w") as zipfile:
zipfile.writestr(ZipInfo("test.txt"), "feedface")
def setUp(self):
self.assertTrue(inpath("cabextract"),
msg="Required tool 'cabextract' not found")
download_file(VMWARE_CAB, os.path.join(self.tempdir, "test.cab"))
def test_inpath(self):
""" Test the check to see if a command line utility is installed
and in path before we try to run it. """
self.assertTrue(inpath('python'))
def test_inpath(self):
self.assertTrue(inpath('python'))
def test_not_inpath(self):
self.assertFalse(inpath('cve_bin_tool_test_for_not_in_path'))
def setUp(self):
self.assertTrue(inpath("rpm2cpio"),
msg="Required tool 'rpm2cpio' not found")
self.assertTrue(inpath("cpio"), msg="Required tool 'cpio' not found")
download_file(CURL_7_20_0_URL, os.path.join(self.tempdir, "test.rpm"))
