add rtf file test (#2503)

Author: doomedraven

installer/cape2.sh

@@ -71,21 +71,7 @@ ARCH="$(dpkg --print-architecture)"
 
 function issues() {
 cat << EOI
-Problems with PyOpenSSL?
-    sudo rm -rf /usr/local/lib/python3.8/dist-packages/OpenSSL/
-    sudo rm -rf /home/${USER}/.local/lib/python3.8/site-packages/OpenSSL/
-    sudo apt-get install -y --reinstall python-openssl
-
-Problem with PIP?
-    sudo python -m pip3 uninstall pip3 && sudo apt-get install -y --reinstall python3-pip
-
-Problem with pillow:
-    * ValueError: jpeg is required unless explicitly disabled using --disable-jpeg, aborting
-    * ValueError: zlib is required unless explicitly disabled using --disable-zlib, aborting
-Solution:
-    # https://askubuntu.com/a/1094768
-    # you may need to adjust version of libjpeg-turbo8
-    sudo apt-get install -y zlib1g-dev libjpeg-turbo8-dev libjpeg-turbo8=1.5.2-0ubuntu5
+    No known problems yet
 EOI
 }
 

lib/cuckoo/common/integrations/parse_office.py

@@ -184,7 +184,7 @@ def _parse_rtf(self, data: bytes) -> Dict[str, list]:
         rtfp.parse()
         save_dir = os.path.join(CUCKOO_ROOT, "storage", "analyses", self.task_id, "rtf_objects")
         if rtfp.objects and not path_exists(save_dir):
-            path_mkdir(save_dir)
+            path_mkdir(save_dir, exist_ok=True)
         for rtfobj in rtfp.objects:
             results.setdefault(str(rtfobj.format_id), [])
             temp_dict = {"class_name": "", "size": "", "filename": "", "type_embed": "", "CVE": "", "sha256": "", "index": ""}

pyproject.toml

@@ -151,7 +151,7 @@ select = [
 	"F",       # pyflakes
 	"E",       # pycodestyle errors
 	"W",       # pycodestyle warnings
-	"I",       # isort
+	# "I",       # isort
 	# "N",       # pep8-naming
 	"G",       # flake8-logging-format
 ]

tests/test_parse_office.py

@@ -0,0 +1,82 @@
+import unittest
+from pathlib import Path
+from unittest.mock import MagicMock, patch
+
+import pytest
+from lib.cuckoo.common.integrations.parse_office import Office
+
+data_dir = Path(__file__).parent / "data" / "office"
+rtf_path = data_dir / "rtf_exploit.doc"
+
+
+class TestParseOffice(unittest.TestCase):
+    @patch("lib.cuckoo.common.integrations.parse_office.RtfObjParser")
+    @patch("lib.cuckoo.common.integrations.parse_office.path_exists")
+    @patch("lib.cuckoo.common.integrations.parse_office.hashlib.sha256")
+    def test_parse_rtf(self, mock_sha256, mock_path_exists, MockRtfObjParser):
+        # Setup
+        mock_sha256.return_value.hexdigest.return_value = "dummy_sha256"
+        mock_path_exists.return_value = False
+        mock_rtfobj = MagicMock()
+        mock_rtfobj.format_id = 1
+        mock_rtfobj.is_package = False
+        mock_rtfobj.is_ole = False
+        mock_rtfobj.rawdata = b"rawdata"
+        mock_rtfobj.start = 0
+        MockRtfObjParser.return_value.objects = [mock_rtfobj]
+
+        office = Office(
+            file_path="dummy_path",
+            task_id="dummy_task_id",
+            sha256="dummy_sha256",
+            options={},
+        )
+
+        # Execute
+        result = office._parse_rtf(b"dummy_data")
+
+        # Verify
+        expected_result = {
+            "1": [
+                {
+                    "class_name": "",
+                    "size": len(mock_rtfobj.rawdata),
+                    "filename": "object_00000000.raw",
+                    "type_embed": "",
+                    "CVE": "",
+                    "sha256": "dummy_sha256",
+                    "index": "00000000h",
+                }
+            ]
+        }
+        self.assertEqual(result, expected_result)
+
+
+    @pytest.mark.skipif(not data_dir.exists(), reason="Required data file is not present")
+    @pytest.mark.skipif(not rtf_path.exists(), reason="Required data file is not present")
+    def test_parse_real_rtf(self):
+        office = Office(
+            file_path=rtf_path,
+            task_id="1",
+            sha256="5b307600b1ceb84f29315c95e5b21776eb6154b79214528629e4fc2310cd50e3",
+            options={},
+        )
+        result = office._parse_rtf(Path(rtf_path).read_bytes())
+
+        assert result == {
+            "2": [
+                {
+                    "class_name": "Equation.3",
+                    "size": 3584,
+                    "filename": "object_0000272F.bin",
+                    "type_embed": "Embedded",
+                    "CVE": "Microsoft Equation 3.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)",
+                    "sha256": "c00b73082638eda4af3d5318aba64ae32d23f703a02c7338d5e34230a7855e70",
+                    "index": "0000272Fh",
+                }
+            ]
+        }
+
+
+if __name__ == "__main__":
+    unittest.main()

tests/test_peepdf.py

@@ -9,9 +9,9 @@
 
 expected_result = {
     "Info": {
-       "Creator": "Scribus 1.3.3.12",
-       "Producer": "Scribus PDF Library 1.3.3.12",
-       "Author": ""
+        "Creator": "Scribus 1.3.3.12",
+        "Producer": "Scribus PDF Library 1.3.3.12",
+        "Author": ""
     },
     "Dates": [],
     "Keywords": {},
@@ -31,13 +31,9 @@
 @pytest.mark.skipif(not data_dir.exists(), reason="Required data file is not present")
 class TestPeepdf:
     """Class to test peepdf_parse."""
-    @pytest.mark.skipif(
-        not pdf_path.exists(),
-        reason="Required data file is not present",
-    )
+    @pytest.mark.skipif(not pdf_path.exists(), reason="Required data file is not present")
     def test_peepdf_parse_valid_pdf(self):
         """Test parsing a valid PDF sample."""
         result = peepdf_parse(str(pdf_path), pdfresult)
         del result["JSStreams"][0]["Data"]
-
         assert result == expected_result