I have had a few instances where I scanned a payload with a worker plugin, and the worker plugin produced an extracted payload that was identical to the payload being scanned by the worker. I had a decorator create a file tree from the results (based on `payload_id` and `extracted_from`) and it ended up creating a circular reference.

I feel like it would be a worthwhile update to stoQ to prevent this from happening, a simple check during the deduplication logic to prevent adding self to the `extracted_from` list would be great. A warning could be logged.

One practical example:
https://www.virustotal.com/gui/file/b180cf82624994d05f7bcdf221372d5149e6382e52036d5b1487a3e5f3f12144/details
It is a corrupt PE that has a section (.bss) that is equal to the PE itself.

If a worker plugin carved out the PE as an extracted payload, the stoQ deduplication logic would prevent the file from being analyzed over and over, but a decorator that tries to create a file tree based on the `payload_id` and `extracted_from` fields would create a circular reference.
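A consumer-side guard for the situation described in this issue, as an added example that is not part of the original issue and is not stoQ's code. It assumes a simplified result record with only `payload_id` and an `extracted_from` list of parent ids; the function names and sample ids are hypothetical. It also covers longer cycles, which goes beyond the self-reference case reported here.

```python
import logging
from collections import defaultdict

log = logging.getLogger("filetree")

# Constructed sample: after deduplication the PE lists itself as a parent,
# because the carved .bss section is byte-identical to the PE.
SAMPLE_RESULTS = [
    {"payload_id": "pe-1", "extracted_from": ["pe-1"]},
    {"payload_id": "res-2", "extracted_from": ["pe-1"]},
]


def parent_map(results):
    """Return {payload_id: set(parent ids)} with self-references dropped."""
    parents = defaultdict(set)
    for record in results:
        pid = record["payload_id"]
        parents[pid]  # register the node even if it has no parents
        for parent in record.get("extracted_from") or []:
            if parent == pid:
                log.warning("payload %s lists itself in extracted_from; ignored", pid)
                continue
            parents[parent]  # register parents that have no record of their own
            parents[pid].add(parent)
    return dict(parents)


def build_tree(results):
    """Return a nested dict {payload_id: {child_id: {...}}} from parentless roots."""
    parents = parent_map(results)
    children = defaultdict(set)
    for pid, parent_ids in parents.items():
        for parent in parent_ids:
            children[parent].add(pid)

    def walk(node, path):
        subtree = {}
        for child in sorted(children.get(node, ())):
            if child in path:  # an ancestor reappears: longer cycle, cut the edge
                log.warning("cycle via %s -> %s; edge skipped", node, child)
                continue
            subtree[child] = walk(child, path | {child})
        return subtree

    roots = sorted(pid for pid, parent_ids in parents.items() if not parent_ids)
    return {root: walk(root, frozenset({root})) for root in roots}
```

Payloads that sit only inside a cycle with no parentless ancestor have no root and are left out of the tree.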