示例#1
def test_markdown_fanging():
    """Pin fang() output for a markdown link and an underscore-wrapped host.

    Each entry is (input text, exact text fang() is expected to return).
    """
    cases = (
        # the leading "[" is dropped and "](" collapses to "]"
        (
            '[https://i.imgur.com/abc.png](https://i.imgur.com/abc.png)',
            'https://i.imgur.com/abc.png]https://i.imgur.com/abc.png)',
        ),
        # underscores around a hostname are not defanging markers
        ('_o_o.lgms.nl_', '_o_o.lgms.nl_'),
    )
    for defanged, expected in cases:
        assert ioc_fanger.fang(defanged) == expected
示例#2
def test_issue_47():
    """A lone "[" or "(" following "a. " must pass through fang() unchanged."""
    for untouched in ("a. [b", "a. (b"):
        fanged = ioc_fanger.fang(untouched)
        assert fanged == untouched
示例#3
def test_odd_hXXp_replacement():
    """Pin fang() output for a URL and a hostname wrapped in parentheses.

    In both pinned results the opening "(" is removed while the closing ")"
    is kept, so the output is not a clean indicator on its own.
    """
    url_text = 'In the UI: https://help.passivetotal.org/tags_&_classifications.html (https://help.passivetotal.org/tags_&_classifications.html)'
    url_expected = 'In the UI: https://help.passivetotal.org/tags_&_classifications.html https://help.passivetotal.org/tags_&_classifications.html)'
    assert ioc_fanger.fang(url_text) == url_expected

    # this is based on the text of an incident found here: https://app.threatconnect.com/auth/incident/incident.xhtml?incident=2952580883&owner=Technical%20Blogs%20and%20Reports#/
    host_text = 'domain (www.example.com).'
    host_expected = 'domain www.example.com).'
    assert ioc_fanger.fang(host_text) == host_expected
示例#4
def test_email_addresses(defanged_email_address_text,
                         fanged_email_address_text):
    """Check email fanging against the fixture pair and an IP-literal address.

    Both parameters are supplied from outside this function (presumably
    pytest fixtures -- confirm against the suite's conftest).
    """
    assert ioc_fanger.fang(defanged_email_address_text) == fanged_email_address_text

    # the square brackets here belong to the address and must not be stripped
    ip_literal_address = 'test@[192.168.0.1]'
    assert ioc_fanger.fang(ip_literal_address) == ip_literal_address
示例#5
def test_systematic_dot():
    """Pin which spellings of "dot" fang() rewrites to a period.

    Bare upper-case DOT and every bracketed or hyphenated form become ".";
    bare lower-case "dot" inside a word is left alone.
    """
    cases = (
        ("fooDOTcom", "foo.com"),
        ("foo[DOT]com", "foo.com"),
        ("foo{DOT}com", "foo.com"),
        ("foo(DOT)com", "foo.com"),
        # lower-case "dot" with no delimiter is ordinary text
        ("foodotcom", "foodotcom"),
        ("foo[dot]com", "foo.com"),
        # see https://github.com/ioc-fang/ioc_fanger/issues/30
        ("foo{dot}com", "foo.com"),
        ("foo(dot)com", "foo.com"),
        ("foo-dot-com", "foo.com"),
    )
    for defanged, expected in cases:
        assert ioc_fanger.fang(defanged) == expected
示例#6
def test_issue_53__urls_in_query_strings_fanged():
    """A URL embedded in a query-string fragment must come back unchanged."""
    # each value stands in for the tail of a query string that carries a URL
    query_fragments = (
        "--~Chttp://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
        "--~Chttps://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
    )
    for fragment in query_fragments:
        fanged = ioc_fanger.fang(fragment)
        assert fanged == fragment
示例#7
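def test_spanish_defanging():
    """Spanish "arroba"/"punto" markers are fanged back to "@" and "."."""
    # NOTE(review): the listing printed the expected value as an asterisk
    # mask ('*****@*****.**'), which is an address-redaction artifact and can
    # never equal fang()'s output. The address below is reconstructed from
    # the input -- confirm against the upstream test suite.
    expected = 'me@example.com'
    defanged_variants = (
        'me (arroba) example (punto) com',
        'me(arroba)example(punto)com',
        'me [arroba] example [punto] com',
        'me[arroba]example[punto]com',
    )
    for defanged in defanged_variants:
        assert ioc_fanger.fang(defanged) == expected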
示例#8
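def test_german_defanging():
    """German "punkt" markers are fanged back to a period."""
    # NOTE(review): the listing printed the expected value as an asterisk
    # mask ('*****@*****.**'), which is an address-redaction artifact and can
    # never equal fang()'s output. The address below is reconstructed from
    # the input -- confirm against the upstream test suite.
    expected = 'me@example.com'
    defanged_variants = (
        'me@example (punkt) com',
        'me@example(punkt)com',
        'me@example [punkt] com',
        'me@example[punkt]com',
    )
    for defanged in defanged_variants:
        assert ioc_fanger.fang(defanged) == expected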
示例#9
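def test_german_defanging():
    """German "punkt" markers are fanged back to a period."""
    # NOTE(review): the listing printed the expected value as an asterisk
    # mask ("*****@*****.**"), which is an address-redaction artifact and can
    # never equal fang()'s output. The address below is reconstructed from
    # the input -- confirm against the upstream test suite.
    expected = "me@example.com"
    defanged_variants = (
        "me@example (punkt) com",
        "me@example(punkt)com",
        "me@example [punkt] com",
        "me@example[punkt]com",
    )
    for defanged in defanged_variants:
        assert ioc_fanger.fang(defanged) == expected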
示例#10
def test_email_addresses(defanged_email_address_text, fanged_email_address_text):
    """Check email fanging against the fixture pair and two literal addresses.

    Both parameters are supplied from outside this function (presumably
    pytest fixtures -- confirm against the suite's conftest).
    """
    assert ioc_fanger.fang(defanged_email_address_text) == fanged_email_address_text

    # brackets around an IP host and a parenthesised comment in the local
    # part are both pinned as "leave exactly as written"
    already_valid = (
        "test@[192.168.0.1]",
        "john.smith(comment)@example.com",
    )
    for address in already_valid:
        assert ioc_fanger.fang(address) == address
示例#11
def test_systematic_period_square_brackets():
    """Every square-bracket arrangement around a period fangs to a bare "."."""
    # balanced, reversed, doubled and one-sided brackets, in that order
    bracketed_forms = (
        'foo[.]com',
        'foo].[com',
        'foo[.[com',
        'foo].]com',
        'foo[.com',
        'foo.[com',
        'foo].com',
        'foo.]com',
    )
    for defanged in bracketed_forms:
        assert ioc_fanger.fang(defanged) == 'foo.com'
示例#12
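def test_issue_34():
    """Bracketed prose ending in "]." loses only the "]" when fanged."""
    s = '''[Researcher email address].

Best Regards,'''
    result = ioc_fanger.fang(s)
    # printed so the fanged text shows up in the captured output on failure
    print(result)
    # NOTE(review): the listing cut the expected literal off after its first
    # line, leaving the string unterminated. The remaining lines are restored
    # as the input's own tail -- confirm against the upstream test suite.
    assert result == '''[Researcher email address.

Best Regards,'''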
示例#13
def test_issue_53__percent_encoded_urls_fanged_properly():
    """A URL whose query string holds percent-encoded and raw URLs is unchanged."""
    # the value mixes a percent-encoded URL (url=...) with a raw one after "--~C"
    wrapped_url = "https://asf.goole.com/mail?url=http%3A%2F%2Ffreasdfuewriter.com%2Fcs%2Fimage%2FCommerciaE.jpg&t=1575955624&ymreqid=733bc9eb-e8f-34cb-1cb5-120010019e00&sig=x2Pa2oOYxanG52s4vyCEFg--~Chttp://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip"
    fanged = ioc_fanger.fang(wrapped_url)
    assert fanged == wrapped_url
def main():
    """Read the playbook text input, fang it, and publish it as `fangedText`.

    The fanged value contains live indicators again (the defanging that kept
    them inert is removed), and both the raw and the fanged text are written
    to the app log at info level before the app exits with status 0.
    """
    cli_args = parse_arguments()
    defanged_input = tcex.playbook.read(cli_args.text)
    tcex.log.info('Text before fanging: {}'.format(defanged_input))

    refanged = ioc_fanger.fang(defanged_input)
    # hand the fanged text to downstream playbook apps
    tcex.playbook.create_output('fangedText', refanged)
    tcex.log.info('Text after fanging: {}'.format(refanged))
    tcex.exit(0)
示例#15
def test_issue_34():
    """Bracketed prose ending in "]." loses only the "]" when fanged.

    The blank line and the sign-off that follow must be left untouched.
    """
    original = "[Researcher email address].\n\nBest Regards,"
    expected = "[Researcher email address.\n\nBest Regards,"
    fanged = ioc_fanger.fang(original)
    # printed so the fanged text shows up in the captured output on failure
    print(fanged)
    assert fanged == expected
示例#16
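def process_text():
    """Fang or defang the submitted text and return it as a plain-text body.

    Reads `text` and `action` from the posted form. An empty `text` flashes
    an error and redirects to the index view. Any `action` other than 'fang'
    is treated as a defang request.

    The converted text is whatever the client submitted, so it is returned
    with an explicit text/plain content type and `nosniff` instead of as a
    bare string. A bare string would be served as HTML, letting markup in the
    submitted text render in the requester's browser.
    """
    text = request.form['text']
    action = request.form['action']

    if not text:
        flash('Please enter some text.', 'error')
        return redirect(url_for('index'))

    convert = ioc_fanger.fang if action == 'fang' else ioc_fanger.defang
    # NOTE(review): the (body, status, headers) return form assumes this view
    # runs under Flask, as the request/flash/url_for names suggest -- confirm.
    # Any client code that inserts this response into a page must still treat
    # it as text, not markup.
    return convert(text), 200, {
        'Content-Type': 'text/plain; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
    }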
示例#17
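def test_odd_misc():
    """Pin fang() output for assorted unusual defanging styles.

    Each entry is (input text, exact text fang() is expected to return).
    Inputs containing a backslash are raw strings so that "\\." and "\\/" are
    not read as (invalid) escape sequences.
    """
    cases = (
        # escaped or caret-prefixed periods
        (r"www\.example\.com", 'www.example.com'),
        ("www^.example^.com", 'www.example.com'),
        # bracketed hyphen and bracketed host label
        ("foo[-]bar.com", 'foo-bar.com'),
        ("[www].example.com", 'www.example.com'),
        ("(www).example.com", 'www.example.com'),
        # escaped path separator
        (r'https://example.com\/test.php', 'https://example.com/test.php'),
        # multi-line input: every line is fanged
        (
            "diota[-]ar.com:80/.well-known/acme-challenge/mxr.pdf\n"
            "diota[-]ar.com/.well-known/acme-challenge/mxr.pdf",
            "diota-ar.com:80/.well-known/acme-challenge/mxr.pdf\n"
            "diota-ar.com/.well-known/acme-challenge/mxr.pdf",
        ),
        # NOTE(review): the listing showed "[email protected]" in place of
        # both addresses, an address-redaction artifact that can never equal
        # fang()'s output. They are reconstructed from the input -- confirm
        # against the upstream test suite.
        (
            "xxxxs://proverka[.]host/ Email: silena[.]berillo(at)gmail[.]com, hto2018(at)yandex[.]ru",
            "https://proverka.host/ Email: silena.berillo@gmail.com, hto2018@yandex.ru",
        ),
        # a "(" directly before a URL is dropped; the ")" and "<...>" stay
        (
            "code to (https://www.linkedin.com/feed/hashtag/?keywords=%23IOCs)<https://example.in/foo>",
            "code to https://www.linkedin.com/feed/hashtag/?keywords=%23IOCs)<https://example.in/foo>",
        ),
        # ordinary prose punctuation is left alone
        ('analysis), yo', 'analysis), yo'),
    )
    for defanged, expected in cases:
        assert ioc_fanger.fang(defanged) == expected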
示例#18
def test_systematic_period_curly_braces():
    """Every curly-brace arrangement around a period fangs to a bare "."."""
    # balanced, reversed, doubled and one-sided braces
    braced_forms = (
        'foo{.}com',
        'foo}.{com',
        'foo{.{com',
        'foo{.com',
        'foo.{com',
        'foo}.}com',
        'foo}.com',
        'foo.}com',
    )
    for defanged in braced_forms:
        assert ioc_fanger.fang(defanged) == 'foo.com'
示例#19
def test_odd_brackets():
    """Mismatched square brackets on every period of a host are all removed."""
    # the same malformed bracket pattern is repeated at both periods
    malformed_hosts = (
        "www[.[example[.[com",
        "www].]example].]com",
        "www].[example].[com",
        "www.[example.[com",
        "www.]example.]com",
        "www[.example[.com",
        "www].example].com",
    )
    for defanged in malformed_hosts:
        assert ioc_fanger.fang(defanged) == 'www.example.com'
示例#20
def ioc_fang_defang(text, action):
    """Fang or defang `text` and report whether the conversion failed.

    Args:
        text: the text handed to ioc_fanger.
        action: 'fang' or 'defang'.

    Returns:
        A `(response, error)` tuple. On success `response` is the converted
        text and `error` is False; if ioc_fanger raises, `response` is the
        exception message and `error` is True.

    Raises:
        RuntimeError: if `action` is neither 'fang' nor 'defang'.
    """
    if action == 'fang':
        converter_name = 'fang'
    elif action == 'defang':
        converter_name = 'defang'
    else:
        raise RuntimeError(
            "Unknown action provided to ioc_fang_defang function: {}".format(
                action))

    try:
        converted = getattr(ioc_fanger, converter_name)(text)
    except Exception as exc:
        # the exception text is returned to the caller verbatim; whoever
        # displays it decides how much of it an end user should see
        return str(exc), True
    return converted, False
示例#21
def test_issue_24():
    """A plain word with no defanging markers must come back unchanged."""
    plain_word = 'seasharpee'
    fanged = ioc_fanger.fang(plain_word)
    assert fanged == plain_word
示例#22
def test_issue_16():
    """A single unmatched "[" before the first period is removed."""
    half_bracketed = "www[.example.com"
    fanged = ioc_fanger.fang(half_bracketed)
    assert fanged == 'www.example.com'
示例#23
def test_parenthetical_period():
    """Periods wrapped in parentheses are fanged to bare periods."""
    parenthesised = "www(.)example(.)com"
    fanged = ioc_fanger.fang(parenthesised)
    assert fanged == 'www.example.com'
示例#24
def test_debug():
    """Passing debug=True must not change the fanged result."""
    bracketed_ip = '192[.]168[.]4[.]2'
    fanged = ioc_fanger.fang(bracketed_ip, debug=True)
    assert fanged == '192.168.4.2'
示例#25
def test_fanging(defanged_text, fanged_text):
    """Fanging the defanged sample must reproduce the fanged sample exactly.

    Both parameters are supplied from outside this function (presumably
    pytest fixtures -- confirm against the suite's conftest).
    """
    assert ioc_fanger.fang(defanged_text) == fanged_text
示例#26
def fang_benchmark():
    """Fang the module-level SAMPLE_TEXT_DEFANGED once and return the result."""
    fanged_sample = ioc_fanger.fang(SAMPLE_TEXT_DEFANGED)
    return fanged_sample
示例#27
def test_email_addresses(defanged_email_address_text,
                         fanged_email_address_text):
    """Fanging the defanged email fixture must reproduce the fanged fixture.

    Both parameters are supplied from outside this function (presumably
    pytest fixtures -- confirm against the suite's conftest).
    """
    assert ioc_fanger.fang(defanged_email_address_text) == fanged_email_address_text
示例#28
def test_odd_schemes():
    """Pin how fang() normalises masked, spaced or decorated URL schemes.

    The single-URL table pairs each input with the scheme fang() must
    restore; everything after the scheme is the same for all of them.
    """
    rest_of_url = '://example.com/test.php'
    single_url_cases = (
        # scheme fully masked with x/X: four characters -> http, five -> https
        ('xxxx://example.com/test.php', 'http'),
        ('xxxxx://example.com/test.php', 'https'),
        ('xXxX://example.com/test.php', 'http'),
        ('xXxXx://example.com/test.php', 'https'),
        # classic hxxp / hXXp masking
        ('hxxp://example.com/test.php', 'http'),
        ('hXXp://example.com/test.php', 'http'),
        ('hxxps://example.com/test.php', 'https'),
        ('hXXps://example.com/test.php', 'https'),
        # stray space before or after "://"
        ('http ://example.com/test.php', 'http'),
        ('https ://example.com/test.php', 'https'),
        ('http:// example.com/test.php', 'http'),
        ('https:// example.com/test.php', 'https'),
        # missing colon, with and without a trailing space
        ('http//example.com/test.php', 'http'),
        ('https//example.com/test.php', 'https'),
        ('http// example.com/test.php', 'http'),
        ('https// example.com/test.php', 'https'),
        # an extra slash, combined with stray spaces
        ('http:///example.com/test.php', 'http'),
        ('http:/// example.com/test.php', 'http'),
        ('http :///example.com/test.php', 'http'),
        ('https:///example.com/test.php', 'https'),
        ('https:/// example.com/test.php', 'https'),
        ('https :///example.com/test.php', 'https'),
        # scheme wrapped in brackets or parentheses
        ('[http]://example.com/test.php', 'http'),
        ('[https]://example.com/test.php', 'https'),
        ('(http)://example.com/test.php', 'http'),
        ('(https)://example.com/test.php', 'https'),
        # one stray character after "http"/"https" is pinned as https
        ('http!://example.com/test.php', 'https'),
        ('https!://example.com/test.php', 'https'),
        ('https@://example.com/test.php', 'https'),
        ('httpA://example.com/test.php', 'https'),
        ('https&://example.com/test.php', 'https'),
    )
    for defanged, scheme in single_url_cases:
        assert ioc_fanger.fang(defanged) == scheme + rest_of_url

    # several differently-mangled URLs in one string are each normalised
    mixed = 'https&://example.com/test.php https://example.com/test.php http&://example.com/test.php xxXpA://example.com/test.php'
    mixed_expected = 'https://example.com/test.php https://example.com/test.php https://example.com/test.php https://example.com/test.php'
    assert ioc_fanger.fang(mixed) == mixed_expected

    # bracketed "://" together with bracketed periods in host and path
    fully_bracketed = 'hxxps[://]example[.]com/test[.]html'
    assert ioc_fanger.fang(fully_bracketed) == 'https://example.com/test.html'
示例#29
def prepare_text(text):
    """Fang `text` (https://ioc-fang.hightower.space/) and return it.

    Only fanging is performed. The IDNA/punycode conversion of Unicode domain
    names is currently disabled (the encode step is commented out), so any
    non-ASCII domain names in the input are returned as-is.
    """
    fanged_text = ioc_fanger.fang(text)
    # fanged_text = fanged_text.encode('idna').decode('utf-8')
    return fanged_text
示例#30
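def test_odd_email_address_spacing():
    """Pin which "at"/"dot" spellings and spacings fang() turns into an address.

    Every input in `rewritten_to_address` must become the same address;
    every input in `left_untouched` must come back exactly as written.
    """
    # NOTE(review): the listing printed the expected value as an asterisk
    # mask ('*****@*****.**'), which is an address-redaction artifact and can
    # never equal fang()'s output. The address below is reconstructed from
    # the inputs -- confirm against the upstream test suite.
    expected_address = 'foo@bar.com'
    rewritten_to_address = (
        # upper-case DOT, with and without surrounding spaces
        "foo@barDOTcom",
        "foo@bar DOT com",
        "foo@bar  DOT  com",
        # spaces around a literal "@"
        "foo @ bar.com",
        "foo  @ bar.com",
        "foo @  bar.com",
        "foo  @  bar.com",
        # bare upper-case AT, with and without surrounding spaces
        "fooATbar.com",
        "foo AT bar.com",
        "foo  AT bar.com",
        "foo AT  bar.com",
        "foo  AT  bar.com",
        # bracketed or parenthesised at/et, no spaces
        "foo[AT]bar.com",
        "foo(AT)bar.com",
        "foo[at]bar.com",
        "foo(at)bar.com",
        "foo[ET]bar.com",
        "foo(ET)bar.com",
        "foo[et]bar.com",
        "foo(et)bar.com",
        # bracketed or parenthesised at/et, with spaces
        "foo [AT] bar.com",
        "foo (AT) bar.com",
        "foo [at] bar.com",
        "foo (at) bar.com",
        "foo [ET] bar.com",
        "foo (ET) bar.com",
        "foo [et] bar.com",
        "foo (et) bar.com",
    )
    for defanged in rewritten_to_address:
        assert ioc_fanger.fang(defanged) == expected_address

    # the `AT` parsing must not be too broad: 'AT' is not replaced with '@'
    # when it is preceded or followed by a capital letter
    left_untouched = (
        "fooMATbar.com",
        "fooATAbar.com",
    )
    for text in left_untouched:
        assert ioc_fanger.fang(text) == text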