From 22523215502c36b921c7c08cd11257244f48240f Mon Sep 17 00:00:00 2001 From: Dan Tavori <38749041+dantavori@users.noreply.github.com> Date: Tue, 12 Mar 2024 14:56:23 +0200 Subject: [PATCH] [XSUP-34670] Remove usage of executeCommand (#33313) * copy is in cidr ranges code * added a rn for IsInCidrRanges for validate to pass --- .../ReleaseNotes/1_2_64.md | 11 ++ .../Scripts/IsInCidrRanges/IsInCidrRanges.js | 4 +- .../IsNotInCidrRanges/IsNotInCidrRanges.js | 136 ++++++++++++++- .../playbook-TestIsNotInCidrRanges.yml | 156 +++++++----------- .../FiltersAndTransformers/pack_metadata.json | 2 +- 5 files changed, 208 insertions(+), 101 deletions(-) create mode 100644 Packs/FiltersAndTransformers/ReleaseNotes/1_2_64.md diff --git a/Packs/FiltersAndTransformers/ReleaseNotes/1_2_64.md b/Packs/FiltersAndTransformers/ReleaseNotes/1_2_64.md new file mode 100644 index 000000000000..91b448a50c7f --- /dev/null +++ b/Packs/FiltersAndTransformers/ReleaseNotes/1_2_64.md @@ -0,0 +1,11 @@ + +#### Scripts + + + +##### IsNotInCidrRanges + +- Fixed an issue where the automation returned an error when used as a filter. diff --git a/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.js b/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.js index 6747558a2374..149685616048 100644 --- a/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.js +++ b/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.js @@ -1,4 +1,5 @@ -// pack version: 1.2.37 +// NOTE: A copy of the code below is in IsNotInCidrRanges script, they should be kept identical + function isIPv6(ip) { return ip.indexOf(':') !== -1; } @@ -128,4 +129,5 @@ return results; ipAddresses = argToList(args.left) cidrRanges = argToList(args.right) +// NOTE: A copy of the code above is in IsNotInCidrRanges script, they should be kept identical return isIPInAnyCIDR(ipAddresses, cidrRanges); \ No newline at end of file diff --git a/Packs/FiltersAndTransformers/Scripts/IsNotInCidrRanges/IsNotInCidrRanges.js b/Packs/FiltersAndTransformers/Scripts/IsNotInCidrRanges/IsNotInCidrRanges.js index 9f70c9cf19ac..9ff8d1508fb9 100644 --- a/Packs/FiltersAndTransformers/Scripts/IsNotInCidrRanges/IsNotInCidrRanges.js +++ b/Packs/FiltersAndTransformers/Scripts/IsNotInCidrRanges/IsNotInCidrRanges.js @@ -1,3 +1,135 @@ -var res = executeCommand("IsInCidrRanges", args); -res = Array.isArray(res) ? res : [res]; +// NOTE: The code below is a copy of the code in IsInCidrRanges script, they should be kept identical + +function isIPv6(ip) { + return ip.indexOf(':') !== -1; +} + +function ipv6ToBinary(ipv6) { + // Split the IPv6 address into its components + var components = ipv6.split(':'); + + // Handle zero compression (::) + var zeroCompressionIndex = components.indexOf(''); + if (zeroCompressionIndex !== -1) { + var zeroCount = 8 - components.length + 1; // Calculate the number of missing components + components.splice(zeroCompressionIndex, 1); + for (var i = 0; i < zeroCount; i++) { + components.splice(zeroCompressionIndex, 0, '0000'); // Replace :: with zero components + } + } + + // Convert each component to binary and pad to 16 bits + var binaryComponents = components.map(function (component) { + // Handle the case when the component is an empty string + if (component === '') { + return '0000000000000000'; // 16 zeros for an empty component + } + + var binary = parseInt(component, 16).toString(2); + return Array(17 - binary.length).join('0') + binary; + }); + + // Concatenate the binary components + var binaryString = binaryComponents.join(''); + + return binaryString; +} + + +function ipToBinary(ip) { + if (isIPv6(ip)) { + // IPv6 + return ipv6ToBinary(ip); + } else { + // IPv4 + return ip.split('.').map(octet => ('00000000' + parseInt(octet, 10).toString(2)).slice(-8)).join(''); + } +} + +function validateCIDR(cidrRange) { + var cidrRegex = /^([0-9a-f:.]+)\/([0-9]{1,3})$/i; // Regex for IPv4 and IPv6 CIDR notation + + var match = cidrRange.match(cidrRegex); + + if (!match) { + return false; // CIDR range is not well-formed + } + + var subnetMask = parseInt(match[2], 10); + + if (match[1].indexOf(':') !== -1) { + // IPv6 CIDR + if (subnetMask < 0 || subnetMask > 128) { + return false; // Invalid subnet mask for IPv6 + } + } else { + // IPv4 CIDR + if (subnetMask < 0 || subnetMask > 32) { + return false; // Invalid subnet mask for IPv4 + } + } + + return true; // CIDR range is well-formed +} + +function getCIDRNetworkAddress(cidrRange) { + return cidrRange.split('/')[0] +} + +function getCIDRSubnetMask(cidrRange) { + return cidrRange.split('/')[1] +} + +function isIPInCIDR(ipAddress, cidrRange) { + if (!validateCIDR(cidrRange)) { + return false; + } + + var networkAddress = getCIDRNetworkAddress(cidrRange); + var cidrSubnetMask = getCIDRSubnetMask(cidrRange); + + // Convert IP address and network address to binary + var ipBinary = ipToBinary(ipAddress); + var networkBinary = ipToBinary(networkAddress); + + // Get the network part of the IP address based on the subnet mask + var networkPart = ipBinary.slice(0, parseInt(cidrSubnetMask, 10)); + + // Check if the network parts match + return networkPart === networkBinary.slice(0, parseInt(cidrSubnetMask, 10)); +} + +function isIPInAnyCIDR(ipAddresses, cidrRanges) { + results = new Array(ipAddresses.length); + + for (let i = 0; i < ipAddresses.length; i++) { + isInRange = false; + + for (let j = 0; j < cidrRanges.length; j++) { + + // Mismatches are always false + if ((!isIPv6(ipAddresses[i]) && isIPv6(getCIDRNetworkAddress(cidrRanges[j]))) + || (isIPv6(ipAddresses[i]) && !isIPv6(getCIDRNetworkAddress(cidrRanges[j])))) { + results[i] = 'False'; + } else if (isIPInCIDR(ipAddresses[i], cidrRanges[j])) { + isInRange = true; + results[i] = 'True'; + break; + } + } + + if (!isInRange) { + results[i] = 'False'; + } + } + + return results; +} + +ipAddresses = argToList(args.left) +cidrRanges = argToList(args.right) + +res = isIPInAnyCIDR(ipAddresses, cidrRanges); +// NOTE: The code above is a copy of the code in IsInCidrRanges script, they should be kept identical + return res.map(val => val.Contents == "True" ? "False" : "True"); \ No newline at end of file diff --git a/Packs/FiltersAndTransformers/TestPlaybooks/playbook-TestIsNotInCidrRanges.yml b/Packs/FiltersAndTransformers/TestPlaybooks/playbook-TestIsNotInCidrRanges.yml index e1655af8d927..e62582788a22 100644 --- a/Packs/FiltersAndTransformers/TestPlaybooks/playbook-TestIsNotInCidrRanges.yml +++ b/Packs/FiltersAndTransformers/TestPlaybooks/playbook-TestIsNotInCidrRanges.yml @@ -5,10 +5,10 @@ starttaskid: "0" tasks: "0": id: "0" - taskid: d7a15a3f-1244-4368-89ef-1f71ccdd03cc + taskid: a21bae17-c296-443c-85f0-67fd303d8863 type: start task: - id: d7a15a3f-1244-4368-89ef-1f71ccdd03cc + id: a21bae17-c296-443c-85f0-67fd303d8863 version: -1 name: "" iscommand: false @@ -35,10 +35,10 @@ tasks: isautoswitchedtoquietmode: false "6": id: "6" - taskid: b891229e-c97c-4c08-818f-36297fd407ef + taskid: f0c2daad-d010-48eb-884d-98a225f1d14d type: regular task: - id: b891229e-c97c-4c08-818f-36297fd407ef + id: f0c2daad-d010-48eb-884d-98a225f1d14d version: -1 name: Delete Context description: |- @@ -47,10 +47,10 @@ tasks: This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations - scriptName: DeleteContext type: regular iscommand: false brand: "" + script: DeleteContext nexttasks: '#none#': - "16" @@ -75,10 +75,10 @@ tasks: isautoswitchedtoquietmode: false "8": id: "8" - taskid: c19632c9-036f-4eaa-8f76-04f32be72264 + taskid: f3dc2819-a2ae-4a92-8b25-b8095e40230f type: title task: - id: c19632c9-036f-4eaa-8f76-04f32be72264 + id: f3dc2819-a2ae-4a92-8b25-b8095e40230f version: -1 name: Test Success type: title @@ -87,86 +87,6 @@ tasks: description: '' separatecontext: false continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 1070 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "14": - id: "14" - taskid: a5ec4291-79c3-4671-8265-6e06ceb23c9e - type: regular - task: - id: a5ec4291-79c3-4671-8265-6e06ceb23c9e - version: -1 - name: Run IsINotnCidrRanges - description: Checks whether an IPv4 address is not contained in one or more comma-delimited CIDR ranges. - scriptName: IsNotInCidrRanges - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "15" - scriptarguments: - extend-context: - simple: scriptResult=. - left: - simple: 11.1.1.1 - right: - simple: 192.168.1.0/24 - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 720 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "15": - id: "15" - taskid: 556ec2a7-24ee-434e-81db-bbf31aaeea9b - type: condition - task: - id: 556ec2a7-24ee-434e-81db-bbf31aaeea9b - version: -1 - name: Verify Output Is True - type: condition - iscommand: false - brand: "" - nexttasks: - "yes": - - "8" - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: isEqualString - left: - value: - simple: ${scriptResult} - iscontext: true - right: - value: - simple: "True" - continueonerrortype: "" view: |- { "position": { @@ -183,17 +103,17 @@ tasks: isautoswitchedtoquietmode: false "16": id: "16" - taskid: 5b3c401e-4193-4365-8ff8-2bb05367ec82 + taskid: 710bd57d-5b5d-44dc-8e24-e5adc0f5a1d6 type: regular task: - id: 5b3c401e-4193-4365-8ff8-2bb05367ec82 + id: 710bd57d-5b5d-44dc-8e24-e5adc0f5a1d6 version: -1 name: Set IPs description: Set a value in context under the key you entered. - scriptName: Set type: regular iscommand: false brand: "" + script: Set nexttasks: '#none#': - "17" @@ -201,7 +121,7 @@ tasks: key: simple: ips value: - simple: '["192.168.1.10","11.1.1.1"]' + simple: '["11.1.1.1"]' separatecontext: false continueonerrortype: "" view: |- @@ -220,25 +140,25 @@ tasks: isautoswitchedtoquietmode: false "17": id: "17" - taskid: b6529f09-5ba8-4e77-8f86-8a54a45c965e + taskid: 0f38ac46-e0a7-4504-8fa4-9adf1fad6cd0 type: regular task: - id: b6529f09-5ba8-4e77-8f86-8a54a45c965e + id: 0f38ac46-e0a7-4504-8fa4-9adf1fad6cd0 version: -1 name: Set CIDR ranges description: Set a value in context under the key you entered. - scriptName: Set type: regular iscommand: false brand: "" + script: Set nexttasks: '#none#': - - "14" + - "18" scriptarguments: key: simple: cidrs value: - simple: '["192.168.1.0/24","192.168.1.0/287"]' + simple: '["192.168.1.0/24"]' separatecontext: false continueonerrortype: "" view: |- @@ -255,12 +175,54 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "18": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: ips + operator: IsNotInCidrRanges + right: + iscontext: true + value: + simple: cidrs + label: "yes" + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "yes": + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8921485d-938a-40ce-88b2-dd43e3794b2f + iscommand: false + name: IsNotInCIDRRanges? + type: condition + version: -1 + taskid: 8921485d-938a-40ce-88b2-dd43e3794b2f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 50, + "y": 720 + } + } view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 1085, + "height": 910, "width": 380, "x": 50, "y": 50 diff --git a/Packs/FiltersAndTransformers/pack_metadata.json b/Packs/FiltersAndTransformers/pack_metadata.json index ede69cc60683..974fc0420159 100644 --- a/Packs/FiltersAndTransformers/pack_metadata.json +++ b/Packs/FiltersAndTransformers/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Filters And Transformers", "description": "Frequently used filters and transformers pack.", "support": "xsoar", - "currentVersion": "1.2.63", + "currentVersion": "1.2.64", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",