caldera icon indicating copy to clipboard operation
caldera copied to clipboard

Published 20 hours ago verified publisher icon mitre

Displaying un-encoded commands when using obfuscation

Open mshkolnik22 opened this issue 3 years ago • 1 comments

Description

When using obfuscation for commands (e.g., Base64), the operations timeline now also contains the plaintext command to decode the actual command (e.g. eval "$(echo d2hvYW1p | base64 --decode)").

Type of change

Please delete options that are not relevant.

  • [x] New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

  • [x] My code follows the style guidelines of this project
  • [x] I have performed a self-review of my own code
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have added tests that prove my fix is effective or that my feature works
image image

mshkolnik22 avatar Jun 28 '22 18:06 mshkolnik22

I believe the reports are now working as expected, if there is any non-standard behaviour please let me know since I don't have a deep understanding of the reports structure

ZacharyLPalmer avatar Jul 25 '22 17:07 ZacharyLPalmer

@clenk On another note, the SonarCloud job is complaining that the Link class has too many parameters in its constructor (cap is 13, we have 16, not including self). Any tips on how to best handle that?

argaudreau avatar Aug 18 '22 19:08 argaudreau

@argaudreau The usual solution for this is to refactor the code to use an object that stores some of the parameters, but that may not be ideal in our case. We could add a rule to our Sonar configuration to ignore that rule (python:S107) for this file. I'd want to get some consensus before doing so though, just in case.

clenk avatar Aug 18 '22 20:08 clenk

SonarCloud Quality Gate failed.    Quality Gate failed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell B 1 Code Smell

100.0% 100.0% Coverage
0.0% 0.0% Duplication

sonarqubecloud[bot] avatar Aug 29 '22 17:08 sonarqubecloud[bot]

@clenk I did a local refactor to try and use raw_command instead of adding plaintext_command, but all that'd do is un-encode the command which is stored in base64. So if a command was obfuscated from the operation, we still wouldn't see the plaintext command.

As a workaround I've added a sonarcube exemption to the c_link.py class so it can have more than the allowed constructor parameters. Since it's a fairly large refactor to reduce the number of parameters as well as store the commands un-encoded, we can revisit that at a later date.

argaudreau avatar Aug 29 '22 17:08 argaudreau

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

100.0% 100.0% Coverage
0.0% 0.0% Duplication

sonarqubecloud[bot] avatar Sep 12 '22 19:09 sonarqubecloud[bot]