Skip to content
This repository was archived by the owner on Apr 26, 2021. It is now read-only.

Correctly parsing URIs#3199

Open
cccs-kevin wants to merge 2 commits intocuckoosandbox:masterfrom
cccs-kevin:invalid_uri_parse
Open

Correctly parsing URIs#3199
cccs-kevin wants to merge 2 commits intocuckoosandbox:masterfrom
cccs-kevin:invalid_uri_parse

Conversation

@cccs-kevin
Copy link

@cccs-kevin cccs-kevin commented Apr 23, 2021
edited
Loading

Thanks for contributing! But first: did you read our community guidelines?
https://cuckoo.sh/docs/introduction/community.html

What I have added/changed is:

Some logic to address edge cases created by certain malware... unfortunately I do not have a public hash to share for recreation.

The goal of my change is:

The TCP data captured from network traffic was parsed in the network processing module with the URI containing <protocol>://<netloc>/<path>, which then caused issues putting the URL back together here. The unparsed URI would then look like <protocol>://<netloc>/<protocol>://<netloc>/<path> which is an invalid URI.

The goal of my change is to parse this URI extracted from the pcap correctly before it goes into the urlunparse method.

What I have tested about my change is:

I tested with the .pcaps generated by the malware that displayed this behaviour, and this change fixes it.

Also this happens in the KVM machinery.

@cccs-kevin cccs-kevin mentioned this pull request Aug 30, 2022
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cccs-kevin