Fixes a bug in UnshortenLink analyzer

TheHive-Project · Jan 29, 2019 · ea317b4 · ea317b4
1 parent 7fcb699
commit ea317b4
Showing 1 changed file with 29 additions and 5 deletions.
diff --git a/analyzers/UnshortenLink/unshortenlink.py b/analyzers/UnshortenLink/unshortenlink.py
@@ -2,14 +2,15 @@
 # encoding: utf-8
 
 import requests
+import re
 from cortexutils.analyzer import Analyzer
 
 
 class UnshortenlinkAnalyzer(Analyzer):
     def __init__(self):
         Analyzer.__init__(self)
-        self.url = self.getParam('url', None)
-        self.proxies = self.getParam('config.proxy', None)
+        self.url = self.get_param('url', None)
+        self.proxies = self.get_param('config.proxy', None)
 
     def artifacts(self, raw):
         if raw['found']:
@@ -25,16 +26,39 @@ def summary(self, raw):
         value = ''
 
         if raw['found'] == True:
-            value='success'
+            value = 'success'
         else:
-            value='failure'
+            value = 'failure'
         taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
         return {'taxonomies': taxonomies}
 
     def run(self):
         Analyzer.run(self)
 
-        url = self.getData()
+        url = self.get_data()
+        if len(re.findall(
+                r"^(http:\/\/)?(https:\/\/)?[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(:[0-9]{1,5})?(\/)?$",
+                url)) > 0 \
+                or len(re.findall(r"^(http:\/\/)?(https:\/\/)?.+:[0-9]{1,5}$", url)) \
+                or len(re.findall(r'^(http:\/\/\[)?(https:\/\/\[)('
+                                  '([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|'
+                                  '([0-9a-fA-F]{1,4}:){1,7}:|'
+                                  '([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|'
+                                  '([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|'
+                                  '([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|'
+                                  '([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|'
+                                  '([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|'
+                                  '[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|'
+                                  ':((:[0-9a-fA-F]{1,4}){1,7}|:)|'
+                                  'fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|'
+                                  '::(ffff(:0{1,4}){0,1}:){0,1}' + \
+                                  '((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}'
+                                  '(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|'
+                                  '([0-9a-fA-F]{1,4}:){1,4}:'
+                                  '((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}'
+                                  '(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])'
+                                  ')(\])?(:[0-9]{1,5})?$', url)):
+            self.error("Searching for Ports and IPs not allowed.")
 
         if self.proxies:
             proxies = self.proxies