Validate ransomware target directories #1288
Conversation
DeepCode's analysis on #4bec95 found:
Top issues
👉 View analysis in DeepCode’s Dashboard | Configure the bot👉 The DeepCode service and API will be deprecated in August, 2021. Here is the information how to migrate. Thank you for using DeepCode 🙏 ❤️ !If you are using our plugins, you might be interested in their successors: Snyk's JetBrains plugin and Snyk's VS Code plugin. |
Codecov Report
@@ Coverage Diff @@
## develop #1288 +/- ##
===========================================
- Coverage 30.68% 29.34% -1.34%
===========================================
Files 449 452 +3
Lines 13470 14286 +816
===========================================
+ Hits 4133 4192 +59
- Misses 9337 10094 +757
Continue to review full report at Codecov.
|
monkey/monkey_island/cc/ui/src/components/configuration-components/ValidationFormats.js
Outdated
Show resolved
Hide resolved
| @@ -1,13 +1,22 @@ | |||
| const ipRegex = '((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' | |||
| const cidrNotationRegex = '([0-9]|1[0-9]|2[0-9]|3[0-2])' | |||
| const hostnameRegex = '^([A-Za-z0-9]*[A-Za-z]+[A-Za-z0-9]*.?)*([A-Za-z0-9]*[A-Za-z]+[A-Za-z0-9]*)$' | |||
| // path starts with `/` OR `$` | |||
| const linuxDirRegex = '^/|\\$' | |||
There was a problem hiding this comment.
afdbfasd$ is a valid absolute path according to this regex. Maybe change to ^/|^\\$?
| [VALID_DIR_LINUX]: buildValidDirLinuxRegex(), | ||
| [VALID_DIR_WINDOWS]: buildValidDirWindowsRegex() |
There was a problem hiding this comment.
This doesn't check if it's a valid directory. Doesn't even check if it's a directory, the regex would match a file as well. Maybe rename to getRegexWindowsStartsLikeAbsolutePath or getRegexWindowsIsAbsolutePath something?
| VALID_DIR_LINUX = "valid-directory-linux" | ||
| VALID_DIR_WINDOWS = "valid-directory-windows" |
There was a problem hiding this comment.
Same as the other comment, the name is misleading as this validator doesn't check if the directory is valid, it only checks if the start of the path looks like the start of an absolute path.
… rename related stuff to accurately describe it
|
This doesn't make sense as a valid ABS path, the whitespace should be either ignored or invalid as a starting character: |
|
@VakarisZ shows me invalid |
| @@ -32,7 +32,7 @@ def __init__(self, config: dict, telemetry_messenger: ITelemetryMessenger): | |||
| target_directories["windows_target_dir"] | |||
| if is_windows_os() | |||
| else target_directories["linux_target_dir"] | |||
| ) | |||
| ).strip() | |||
There was a problem hiding this comment.
At least on Linux, it is valid, if uncommon, to have a space at the end of a directory.
ubuntu@appimage:~/testdir$ ls
ubuntu@appimage:~/testdir$ mkdir "space_test "
ubuntu@appimage:~/testdir$ cd space_test
-su: cd: space_test: No such file or directory
ubuntu@appimage:~/testdir$ ls
'space_test '
ubuntu@appimage:~/testdir$ cd "space_test "
ubuntu@appimage:~/testdir/space_test $ pwd
/home/ubuntu/testdir/space_test
We shouldn't be preventing valid directories from being used, no matter how unusual they might be. What was the motivation for this change?
There was a problem hiding this comment.
If the user accidentally leaves a space before or after the path, the payload won't run at all. But since, like you said, we shouldn't be preventing valid directories from being used, no matter how unusual they might be, how about we add a check in the UI and show a warning message if there are stray spaces?
There was a problem hiding this comment.
A space before the path will be flagged, since this isn't an absolute path. A space after is trickier, since we don't really have a mechanism to distinguish a warning from something invalid. I say we leave it as is. After all, we don't spell check the directory names to check for typos. We can revisit if we get support requests or complaints from users.
There was a problem hiding this comment.
Windows doesn't care about space after.
| const linuxPathStartsWithTilde = '^~' // path starts with `~` | ||
|
|
||
| const windowsAbsolutePathRegex = '^([A-Za-z]:(\\\\|\\/))' // path starts like `C:\` OR `C:/` | ||
| const windowsPathStartsWithEnvVariableRegex = '^\\$|^(%\\w*\\d*\\s*%)' // path starts like `$` OR `%abc%` |
There was a problem hiding this comment.
These are the rules I found regarding the naming of Windows environment variables:
Variables have a percent sign on both sides: %ThisIsAVariable%
The variable name can include spaces, punctuation and mixed case: %_Another Ex.ample%
(This is unlike Parameter variables which only have one % sign and are always one character long: %A )
A variable name may include any of the following characters:
A-Z, a-z, 0-9, # $ ' ( ) * + , - . ? @ [ ] _ ` { } ~
The first character of the name must not be numeric.
https://ss64.com/nt/syntax-variables.html
So we need something more like
| const windowsPathStartsWithEnvVariableRegex = '^\\$|^(%\\w*\\d*\\s*%)' // path starts like `$` OR `%abc%` | |
| const windowsEnvVarNonNumeric = '^%[A-Za-z0-9#\\$\'\\(\\)\\*\\+,-\\.\\?@\\[ \\]_`{}~]+ ' | |
| const windowsPathStartsWithEnvVariableRegex = `^\\\$|^(%${windowsEnvVarNonNumeric}+($windowsEnvVarNonNumeric|[0-9])*%)` // path starts like `$` OR `%abc%` |
Note: The above is untested.
There was a problem hiding this comment.
Fix committed: 6edca9a
monkey/monkey_island/cc/ui/src/components/configuration-components/ValidationFormats.js
Outdated
Show resolved
Hide resolved
| ] = path_with_whitespaces | ||
|
|
||
| assert ( | ||
| RansomwarePayload(ransomware_payload_config, telemetry_messenger_spy)._target_dir |
There was a problem hiding this comment.
We should avoid testing private variables and methods. Unit tests should test the interface, not the inner workings.
This may be moot, however, as the path on line 52 is valid:
ubuntu@appimage:~/testdir/space_test $ mkdir -p " t1/t2/t3 "
ubuntu@appimage:~/testdir/space_test $ cd !$
cd " t1/t2/t3 "
ubuntu@appimage:~/testdir/space_test / t1/t2/t3 $
We shouldn't be preventing the user from using valid paths, no matter how obnoxiously they've used spaces..
mssalvatore
force-pushed
the
ransomware-target-dir-validators
branch
from
845d7f6 to
b1d8d7d
Compare
monkey/monkey_island/cc/ui/src/components/configuration-components/ValidationFormats.js
Outdated
Show resolved
Hide resolved
| const whitespacesOnlyRegex = '^\\s*$' | ||
|
|
||
| const windowsAbsolutePathRegex = /^([A-Za-z]:(\\|\/))/ // path starts like `C:\` OR `C:/` | ||
| const windowsEnvVarNonNumeric = '[A-Za-z#\\$\'\\(\\)\\*\\+,-\\.\\?@\\[\\]_`\\{\\}~+ ]' |
There was a problem hiding this comment.
What does the + in the end do? We're already checking for + with \\+.
| const whitespacesOnlyRegex = '^\\s*$' | ||
|
|
||
| const windowsAbsolutePathRegex = /^([A-Za-z]:(\\|\/))/ // path starts like `C:\` OR `C:/` | ||
| const windowsEnvVarNonNumeric = '[A-Za-z#\\$\'\\(\\)\\*\\+,-\\.\\?@\\[\\]_`\\{\\}~+ ]' |
There was a problem hiding this comment.
Is windowsEnvVarNonNumeric the best name for this? Can file/directory names also contain the same characters? If yes, let's rename this.
There was a problem hiding this comment.
"?" characters are not allowed in file/directory names, but are allowed in environment variable names.
Refactored because the escape characters were cumbersome and difficult to read when regexes were defined as strings. Also allow special characters in Windows environment variable names as per https://ss64.com/nt/syntax-variables.html
As far as I can tell, environment variables in Windows look like %NAME%. Variables in powershell begin with $, but file explorer doesn't recognize paths beginning with $ as valid.
Co-authored-by: Shreya Malviya <[email protected]>
mssalvatore
force-pushed
the
ransomware-target-dir-validators
branch
from
2dcf2f7 to
4bec957
Compare
What does this PR do?
#1239
PR Checklist
Was the CHANGELOG.md updated to reflect the changes?Was the documentation framework updated to reflect the changesTesting Checklist
Added relevant unit tests?ransomware-dir-validator.mp4