This file was deleted.

@@ -1,4 +1,4 @@
rule DETECT_FILE_powershell_policy_bypass
rule suspicious_passwd_access_linux
{
meta:
author = "T HAMDOUNI, Datadog"
Expand All @@ -9,4 +9,4 @@ rule DETECT_FILE_powershell_policy_bypass
$read = /(readFile|readFileSync)\(\s*['"]\/etc\/passwd/ nocase
condition:
$cli or $read
}
}
19 changes: 9 additions & 10 deletions guarddog/scanners/pypi_project_scanner.py
Expand Up @@ -3,7 +3,7 @@
import re
from typing import List

import pkg_resources
from packaging.requirements import Requirement
import requests
from packaging.specifiers import Specifier, Version

Expand Down Expand Up @@ -111,12 +111,11 @@ def safe_parse_requirements(req):
"""
This helper function yields one valid requirement line at a time
"""
parsed = pkg_resources.parse_requirements(req)
while True:
for req_line in req:
if not req_line.strip():
continue
try:
yield next(parsed)
except StopIteration:
break
yield Requirement(req_line)
except Exception as e:
log.error(
f"Error when parsing requirements, received error {str(e)}. This entry will be "
Expand All @@ -130,7 +129,7 @@ def safe_parse_requirements(req):
continue

versions = get_matched_versions(
find_all_versions(requirement.project_name),
find_all_versions(requirement.name),
(
requirement.url
if requirement.url
Expand All @@ -140,7 +139,7 @@ def safe_parse_requirements(req):

if len(versions) == 0:
log.error(
f"Package/Version {requirement.project_name} not on PyPI\n"
f"Package/Version {requirement.name} not on PyPI\n"
)
continue

Expand All @@ -165,13 +164,13 @@ def safe_parse_requirements(req):
# find the dep with the same name or create a new one
dep = next(
filter(
lambda d: d.name == requirement.project_name,
lambda d: d.name == requirement.name,
dependencies,
),
None,
)
if not dep:
dep = Dependency(name=requirement.project_name, versions=set())
dep = Dependency(name=requirement.name, versions=set())
dependencies.append(dep)

dep.versions.update(dep_versions)
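Review bot: The new loop at `for req_line in req:` hands every non-blank line straight to `Requirement(...)`, so comment lines (`# ...`), option lines such as `-r`/`-e`/`--index-url`, and `\` continuations — which the removed `pkg_resources.parse_requirements` filtered out before parsing — now raise and are reported through `log.error` as parse failures, so a requirements file with an ordinary header comment produces spurious errors. Widen the skip to `if not req_line.strip() or req_line.lstrip().startswith(("#", "-")): continue` so only requirement lines reach the parser, and narrow the catch to `except InvalidRequirement as e:` (from `packaging.requirements`, which this file already imports from) so that genuine programming errors are not swallowed as bad entries. Separately, `requirement.name` is the name exactly as written whereas the old `project_name` was normalized, so the lookup at `find_all_versions(requirement.name)` and the dedupe at `lambda d: d.name == requirement.name` now treat `foo_bar` and `foo-bar` as different packages; `packaging.utils.canonicalize_name(requirement.name)` would restore one canonical form, though whether `find_all_versions` tolerates unnormalized names cannot be seen from here. `safe_parse_requirements` starts above this hunk and the dependency loop continues below it.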
26 changes: 26 additions & 0 deletions tests/analyzer/sourcecode/api-obfuscation.py
Expand Up @@ -15,19 +15,45 @@ def send():
open(filename, 'wb').write(rq.content)

# os.system('start '+filename)
# ruleid: api-obfuscation
os.__dict__['startfile']('start '+filename)

# ruleid: api-obfuscation
os.__dict__['startfile'].__call__('start '+filename)
# ruleid: api-obfuscation
os.__getattribute__('startfile')('start '+filename)

# ruleid: api-obfuscation
os.__getattribute__('startfile').__call__('start '+filename)

# ruleid: api-obfuscation
getattr(os, 'startfile')('start '+filename)

# ruleid: api-obfuscation
getattr(os, 'startfile').__call__('start '+filename)

# ruleid: api-obfuscation
__import__('os').startfile('start '+filename)

# ruleid: api-obfuscation
__import__('os').startfile.__call__('start '+filename)

# ruleid: api-obfuscation
__import__('os').__dict__['startfile']('start '+filename)

# ruleid: api-obfuscation
__import__('os').__dict__['startfile'].__call__('start '+filename)

# ruleid: api-obfuscation
__import__('os').__getattribute__('startfile')('start '+filename)

# ruleid: api-obfuscation
__import__('os').__getattribute__('startfile').__call__('start '+filename)

# ruleid: api-obfuscation
getattr(__import__('os'), 'startfile')('start '+filename)

# ruleid: api-obfuscation
getattr(__import__('os'), 'startfile').__call__('start '+filename)
except:
pass
@@ -0,0 +1 @@
cat /etc/passwd
10 changes: 0 additions & 10 deletions tests/analyzer/sourcecode/test_eval_call.js

This file was deleted.

2 changes: 1 addition & 1 deletion tests/analyzer/sourcecode/test_sourcecode_yara.py
Expand Up @@ -49,6 +49,6 @@ def test_source_codde_analyzer_yara_exec(rule_name: str):
if not f.startswith(f"{rule_name}."):
continue

# testing file against against rule
# testing file against rule
print(f"Testing YARA rule: {rule_name}")
assert test_scan_rule.match(os.path.join(root, f))