def validate(**object_data): title_validation = None short_description_validation = None description_validation = None tlp_validation = None if not object_data.get('title'): title_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Title missing') if not object_data.get('short_description'): short_description_validation = FieldValidationInfo( ValidationStatus.INFO, 'No short description') if not object_data.get('description'): description_validation = FieldValidationInfo( ValidationStatus.ERROR, 'Description is missing') if not object_data.get('tlp'): tlp_validation = FieldValidationInfo(ValidationStatus.ERROR, 'No TLP') return { 'title': title_validation, 'short_description': short_description_validation, 'description': description_validation, 'tlp': tlp_validation }
def validate(cls, **observable_data): domain_type = observable_data.get('type') value = observable_data.get('value') value_validation = None type_validation = None domain_matcher = None if domain_type == cls.FQDN_TYPE: domain_matcher = cls.FQDN_MATCHER elif domain_type == cls.TLD_TYPE: domain_matcher = cls.TLD_MATCHER if not value: value_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Domain value is missing') if domain_matcher: if value and not domain_matcher.match(value): value_validation = FieldValidationInfo(ValidationStatus.WARN, 'Domain value is invalid %s' % domain_type) else: type_validation = FieldValidationInfo( ValidationStatus.ERROR, 'Domain type is missing' if domain_type else 'Unrecognizable domain type') return cls(observable_data, type=type_validation, value=value_validation)
def __validate_email(address): if not address: return FieldValidationInfo(ValidationStatus.ERROR, 'Email address is missing') _, email_address = parseaddr(address) if AddressValidationInfo.EMAIL_MATCHER.match(email_address) is None: return FieldValidationInfo(ValidationStatus.WARN, 'The email address may be invalid') return None
def validate(cls, **observable_data): subject_validation = None from_validation = None date_validation = None if not (observable_data.get('subject') or observable_data.get('from') or observable_data.get('date')): subject_validation = from_validation = date_validation = \ FieldValidationInfo(ValidationStatus.ERROR, 'Email requires at least one of Subject, From or Date fields') else: if not cls.__validate_address(observable_data.get('from')): from_validation = FieldValidationInfo( ValidationStatus.WARN, 'Email From address may be invalid') if not cls.__validate_date(observable_data.get('date')): date_validation = FieldValidationInfo( ValidationStatus.WARN, 'Email Date may be invalid') to_validation = cls.__validate_address_list(observable_data.get('to'), 'To') cc_validation = cls.__validate_address_list(observable_data.get('cc'), 'Cc') bcc_validation = cls.__validate_address_list( observable_data.get('bcc'), 'Bcc') return cls(observable_data, subject=subject_validation, from_address=from_validation, date=date_validation, to=to_validation, cc=cc_validation, bcc=bcc_validation)
def __validate_mac(address): if not address: return FieldValidationInfo(ValidationStatus.ERROR, 'MAC address is missing') if AddressValidationInfo.MAC_MATCHER.match(address) is None: return FieldValidationInfo(ValidationStatus.WARN, 'MAC address may be invalid') return None
def __validate_ipv6(address): if not address: return FieldValidationInfo(ValidationStatus.ERROR, 'IPv6 address value is missing') if not AddressValidationInfo.is_ipv6(address): return FieldValidationInfo(ValidationStatus.WARN, 'IPv6 address appears invalid') return None
def __validate_type(observable_type): actual_type = getattr(observable_type, 'field_value', observable_type) field_path_name = getattr(observable_type, 'field_path_name', None) if not actual_type: return FieldValidationInfo(ValidationStatus.ERROR, 'Missing observable type', field_path_name) elif actual_type == ObservableValidationInfo.TYPE: return FieldValidationInfo(ValidationStatus.WARN, 'Unrecognizable observable type', field_path_name) else: return None
def validate(cls, **observable_data): user_agent = observable_data.get('user_agent') user_agent_validation = None if not user_agent: user_agent_validation = FieldValidationInfo( ValidationStatus.ERROR, 'User Agent value is missing') elif not cls.USER_AGENT_MATCHER.match(user_agent): user_agent_validation = FieldValidationInfo( ValidationStatus.WARN, 'User Agent value may be invalid') return cls(observable_data, user_agent=user_agent_validation)
def __validate_uri_type(cls, uri_type): if not uri_type: return FieldValidationInfo(ValidationStatus.ERROR, 'URI type is missing') if uri_type not in cls.__get_type_map(): return FieldValidationInfo( ValidationStatus.ERROR, 'Unable to determine URI type (%s)' % uri_type) return None
def validate(cls, **observable_data): type_validation = None raw_artifact_validation = None if not observable_data.get('type'): type_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Artifact type is missing') if not observable_data.get('raw_artifact'): raw_artifact_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Artifact data is missing') return cls(observable_data, type=type_validation, raw_artifact=raw_artifact_validation)
def __validate_ipv4(address): status = None if not address: status = FieldValidationInfo(ValidationStatus.ERROR, 'IP address is missing') elif AddressValidationInfo.is_ipv4(address): if AddressValidationInfo.__is_warning_ipv4(address): status = FieldValidationInfo(ValidationStatus.WARN, 'IP address appears to be private') else: status = FieldValidationInfo(ValidationStatus.WARN, 'IPv4 address appears invalid') return status
def __validate_cidr(address): if not address: return FieldValidationInfo(ValidationStatus.ERROR, 'CIDR value is missing') address_parts = address.split('/') if len(address_parts) == 2: address_validation = AddressValidationInfo.__validate_ipv4(address_parts[0]) if address_validation is None: try: range_bits = int(address_parts[1]) if 0 <= range_bits <= 32: return None except ValueError: pass return FieldValidationInfo(ValidationStatus.WARN, 'CIDR value appears invalid')
def test_Validate_IfHostname_CallValidateHostnameValue(self, mock_hostname_validator): mock_hostname_validator.return_value = FieldValidationInfo(ValidationStatus.INFO, 'Testing function call...') hostname_value = 'blah' socket_validation = SocketValidationInfo.validate(hostname=hostname_value) self.assertEqual(socket_validation.hostname, mock_hostname_validator.return_value) mock_hostname_validator.assert_called_with(False, hostname_value)
def validate_protocol(protocol): protocol_validation = None if protocol and any(char.isdigit() for char in protocol): protocol_validation = FieldValidationInfo( ValidationStatus.WARN, 'Protocol contains numeric characters') return protocol_validation
def validate(cls, type_, id_): field_validation = {} if not NamespaceValidationInfo.__id_is_current_ns(id_): field_validation[r'namespace'] = FieldValidationInfo( ValidationStatus.WARN, r'%s originates from an external namespace' % CLIPPY_TYPES.get(type_, r'Object')) return cls(**field_validation)
def validate(cls, **observable_data): name = observable_data.get('name') if name: name_validation = None else: name_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Mutex name is missing') return cls(observable_data, name=name_validation)
def __validate_address_list(address_list, address_field_name): if address_list: for address in address_list: if not EmailValidationInfo.__validate_address(address): return FieldValidationInfo( ValidationStatus.WARN, 'An email address in the %s field may be invalid' % address_field_name) return None
def validate(cls, **observable_data): port = observable_data.get('port_value') if port: port_validation = None else: port_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Port value is missing') return cls(observable_data, port_value=port_validation)
def validate(cls, **observable_data): value = observable_data.get('hostname_value') if value: value_validation = cls.validate_hostname_value( observable_data.get('is_domain_name', False), value) else: value_validation = FieldValidationInfo( ValidationStatus.ERROR, 'Hostname value is missing') return cls(observable_data, hostname_value=value_validation)
def __validate_value(cls, value, uri_type): if not value: return FieldValidationInfo(ValidationStatus.ERROR, 'URI value is missing') type_handler = cls.__get_type_map().get(uri_type) if type_handler: return type_handler(value) return None
def __validate_hashes(hashes): msgs = {} if hashes: for hash_ in hashes: hash_type = hash_.get(r'type') regex, msg = HASHES.get(hash_type) if not regex.match(hash_.get(r'simple_hash_value')): msgs[hash_type] = FieldValidationInfo( ValidationStatus.WARN, msg) return msgs
def __validate_file_extension(file_extension): msg = None if file_extension: if FILE_EXTENSION.match(str(file_extension)): pass else: msg = FieldValidationInfo( ValidationStatus.WARN, r'File Extension should be .{something}') return msg
def __validate_size_in_bytes(size_in_bytes): msg = None if size_in_bytes: if POSITIVE_INTEGER.match(str(size_in_bytes)): pass else: msg = FieldValidationInfo( ValidationStatus.ERROR, r'Size In Bytes should be a positive integer') return msg
def test_Validate_IfValueExists_CallValidateHostnameValue(self, mock_validate_hostname_value): hostname_value = 'dummy value' mock_validate_result = FieldValidationInfo(ValidationStatus.INFO, 'blah') mock_validate_hostname_value.return_value = mock_validate_result for is_domain in [True, False, None]: if is_domain is None: hostname_validation = HostnameValidationInfo.validate(hostname_value=hostname_value) else: hostname_validation = HostnameValidationInfo.validate(hostname_value=hostname_value, is_domain_name=is_domain) mock_validate_hostname_value.assert_called_with(bool(is_domain), hostname_value) self.assertEqual(hostname_validation.hostname_value, mock_validate_result)
def validate_hostname_value(is_domain, value): if is_domain: is_valid = DomainNameValidationInfo.get_domain_type_from_value( value) is not None else: is_valid = HostnameValidationInfo.HOSTNAME_MATCHER.match( value) is not None error = 'Invalid %s value' % ('domain' if is_domain else 'hostname') return None if is_valid else FieldValidationInfo( ValidationStatus.WARN, error)
def __validate_port(port): port_validation = None if port is None: port_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Port value is missing') else: try: port_value = int(port) except ValueError: port_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Invalid port value') else: if not (0 <= port_value <= 65535): port_validation = FieldValidationInfo( ValidationStatus.ERROR, 'Port value outside valid range') elif port_value == 0: port_validation = FieldValidationInfo(ValidationStatus.WARN, 'Port value is zero') return port_validation
def validate(cls, **observable_data): hive_validation = None key_validation = None hive = observable_data.get('hive') if hive and not cls.HIVE_MATCHER.match(hive): hive_validation = FieldValidationInfo( ValidationStatus.WARN, 'Registry hive may be invalid') key = observable_data.get('key') if not key: key_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Registry key is missing') elif not cls.KEY_MATCHER.match(key): key_validation = FieldValidationInfo( ValidationStatus.WARN, 'Registry key may be invalid') elif hive and key.startswith(hive): key_validation = FieldValidationInfo( ValidationStatus.WARN, 'Registry key prepended with hive value') return cls(observable_data, hive=hive_validation, key=key_validation)
def validate(cls, **observable_data): address_value = observable_data['address_value'] category = observable_data.get( 'category', AddressValidationInfo.IPv4_CATEGORY) or AddressValidationInfo.IPv4_CATEGORY # Default according to Cybox Schema category_validation = None address_validation = None address_validator = cls.__get_category_handler(category) if address_validator: address_validation = address_validator(address_value) else: category_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Unable to determine the address category (%s)' % category) return cls(observable_data, address_value=address_validation, category=category_validation)
def validate_socket(socket): protocol = socket.get('protocol') ip_address = socket.get('ip_address') hostname = socket.get('hostname') protocol_validation = validate_protocol(protocol) ip_address_validation = None hostname_validation = None if bool(ip_address) == bool(hostname): ip_address_validation = hostname_validation = \ FieldValidationInfo(ValidationStatus.ERROR, 'Only one of IP address or Hostname must be completed') elif ip_address: ip_address_validation = validate_ip_address(ip_address) elif hostname: hostname_validation = HostnameValidationInfo.validate_hostname_value( False, hostname) return dict(protocol=protocol_validation, ip_address=ip_address_validation, hostname=hostname_validation)
def __validate_incidents(incidents, stix_header): incident_validation = {} for incident in incidents: id_ = incident['id'] namespace_validation = NamespaceValidationInfo.validate(r'inc', id_) if namespace_validation.is_local(): other_properties = OtherStructureConverter.package_to_simple(incident, stix_header) validation_results = CommonValidationInfo.validate(**other_properties) if validation_results and validation_results.validation_dict: incident_validation.update({id_: validation_results.validation_dict}) if len(other_properties.get('external_ids', [])): field_validation = {'external_ids': FieldValidationInfo( ValidationStatus.WARN, r'External IDs exist within an Incident in the package') } incident_validation.update({id_: ObjectValidationInfo(**field_validation).validation_dict}) else: incident_validation.update({id_: namespace_validation.validation_dict}) return incident_validation