
[ImportStixFile] Different behavior depending on the location of the import

Open Lhorus6 opened this issue 1 year ago • 2 comments

Description

I observe a different behavior of the connector depending on whether I import from the global import panel "Data > Import" or from a "Data" tab of an entity.

Environment

OCTI 6.1.2

Reproducible Steps

File to reproduce: file_example.json

Steps to create the smallest reproducible scenario:

  1. Download the attached file above
  2. Navigate to a report and upload the file in the "Data" tab -> error
  3. Navigate to "Data > Import" and upload the file -> no error

NB: Don't pay attention to the error generated during the import. This is because the file is a list of STIX objects and not a bundle. The purpose of the ticket is to show the divergent behavior depending on the location of the import, not to discuss the error.

Expected Output

I expect the same result no matter where I import it.

Screenshots

From "Data > Import"

Screenshot 2024-05-18 135016

From a "Data" tab in a report

Screenshot 2024-05-18 134959

Lhorus6 avatar May 18 '24 11:05 Lhorus6

@nino-filigran Should this file be imported or not? What is the correct behavior? I suppose in our case, it should also result in an error in data/import.

CelineSebe avatar May 22 '24 09:05 CelineSebe

In this exact example, it should not from my understanding.

nino-filigran avatar May 22 '24 15:05 nino-filigran

After some investigation, it turns out that depending on where the import is asked, the process uses a different logic branch. Given this badly formatted file example, the error is thrown as soon as there is a JSON parsing attempt. From that Data > Import section, the instruction responsible for the JSON parsing is not called, because the conditions are not met. From the Data tab of a report, the JSON parsing is done early in the import process.

In my opinion, whenever an error has occurred, it is a good thing to know about it.

Goumies avatar Jul 02 '24 12:07 Goumies

Is there a reason for having different ways of processing a file? If yes, the goal would be to align the 2 behaviors. I agree with you @Goumies, showing an error would be better.

nino-filigran avatar Jul 02 '24 13:07 nino-filigran

The main reason is the presence of the entity's ID from where the import is asked.

The executed code contains several conditions. None are fulfilled to proceed to the JSON parsing, with the file example, when import is asked from Data / Import. So there is no error in this case, @nino-filigran.

Goumies avatar Jul 02 '24 15:07 Goumies

The difference in behavior was due to the fact that:

  • in the first use case, when importing the file from an entity, we modify the bundle to add the imported items to the current container. Because the file wasn't a proper bundle, this fails, causing the error.
  • in the second case, when importing the file globally, we do not modify the bundle to add the items to the current entity. And because the bundle was sent for validation, the connector doesn't even verify the data, it just sends the content of the file directly to a workbench file.

In any case, when importing as a draft, we now get an error in both cases. So I'm closing the issue, since it is fixed for the draft case, but feel free to open it again if you want us to add a 'validation' step on the content of the workbench file in the case of the import-stix connector.

JeremyCloarec avatar Apr 09 '25 16:04 JeremyCloarec
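
Added example, not part of the thread and not the connector's own code: one way to get the same outcome from both import locations is to run a structural check on the file before any branch that depends on the entity ID. The names `parse_stix_bundle`, `prepare_import`, `BundleError` and `container_id`, and the sample inputs, are hypothetical and constructed for illustration.

```python
import json
from typing import List, Optional, Tuple

# Constructed sample inputs (not the file attached to the issue).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [{"type": "indicator",
                 "id": "indicator--00000000-0000-4000-8000-000000000001"}],
})
SAMPLE_LIST = json.dumps([{"type": "indicator",
                           "id": "indicator--00000000-0000-4000-8000-000000000001"}])


class BundleError(ValueError):
    """File content is not a structurally usable STIX bundle."""


def parse_stix_bundle(raw: str) -> dict:
    """Parse raw text and check the bundle envelope; raise BundleError if bad."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise BundleError(f"not valid JSON: {exc}") from exc
    if isinstance(data, list):
        raise BundleError("top level is a list of objects, not a bundle")
    if not isinstance(data, dict) or data.get("type") != "bundle":
        raise BundleError("top-level object is not of type 'bundle'")
    objects = data.get("objects")
    if not isinstance(objects, list) or not objects:
        raise BundleError("bundle has no non-empty 'objects' list")
    for i, obj in enumerate(objects):
        if not isinstance(obj, dict) or not obj.get("type") or not obj.get("id"):
            raise BundleError(f"objects[{i}] lacks 'type' or 'id'")
    return data


def prepare_import(raw: str, container_id: Optional[str] = None) -> Tuple[dict, List[str]]:
    """Validate on every path, then list the IDs to attach to the container.

    container_id is None for a global import and set when the import starts
    from an entity; both paths fail the same way on malformed content.
    """
    bundle = parse_stix_bundle(raw)  # runs before any branch on container_id
    if container_id is None:
        return bundle, []
    return bundle, [o["id"] for o in bundle["objects"] if o["id"] != container_id]
```
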