author | Matthias Held <ilovemilk@wusa.io> | 2018-09-07 14:23:21 +0300 |
---|---|---|
committer | Matthias Held <ilovemilk@wusa.io> | 2018-09-07 14:23:21 +0300 |
commit | 5d7a2808606c2d939ad0ceffbbb1277f0fff67e7 (patch) | |
tree | 82283e99459c44d584be150d511c8b05eac57de0 | |
parent | 99516bcde8fd56a63233d8ace128e754c86b3356 (diff) |
Fix file corruption analyzer
-rw-r--r-- | lib/Analyzer/FileCorruptionAnalyzer.php | 32 | ||||
-rw-r--r-- | tests/Unit/Analyzer/FileCorruptionAnalyzerTest.php | 8 |
2 files changed, 29 insertions, 11 deletions
diff --git a/lib/Analyzer/FileCorruptionAnalyzer.php b/lib/Analyzer/FileCorruptionAnalyzer.php index 5b034cf..d1075ba 100644 --- a/lib/Analyzer/FileCorruptionAnalyzer.php +++ b/lib/Analyzer/FileCorruptionAnalyzer.php @@ -22,7 +22,7 @@ namespace OCA\RansomwareDetection\Analyzer; use OCA\RansomwareDetection\AppInfo\Application; -use OCA\RansomwareDetection\FileSignatureList; +use OCA\RansomwareDetection\FileSignatures; use OCP\Files\IRootFolder; use OCP\Files\NotFoundException; use OCP\Files\File; 
@@ -74,18 +74,34 @@ class FileCorruptionAnalyzer */ protected function isCorrupted(File $node) { - $signatures = FileSignatureList::getSignatures(); + $signatures = FileSignatures::getSignatures(); try { $data = $node->getContent(); + $pathInfo = pathinfo($node->getPath()); foreach ($signatures as $signature) { - if (strtolower($signature['byteSequence']) === strtolower(bin2hex(substr($data, $signature['offset'], strlen($signature['byteSequence']) / 2)))) { - $pathInfo = pathinfo($node->getPath()); - if (in_array(strtolower($pathInfo['extension']), $signature['extension'])) { - return new FileCorruptionResult(false, $signature['file_class']); + $isSignatureMatching = true; + if (in_array(strtolower($pathInfo['extension']), $signature['extensions'])) { + // starting byte sequence + if (array_key_exists('starting', $signature['signature'])) { + foreach ($signature['signature']['starting']['bytes'] as $bytes) { + if (strtolower($bytes) === + strtolower(bin2hex(substr($data, $signature['signature']['starting']['offset'], strlen($bytes) / 2)))) { + $isSignatureMatching = false; + } + } } - - return new FileCorruptionResult(true); + // trailing byte sequence + if (array_key_exists('trailing', $signature['signature'])) { + foreach ($signature['signature']['trailing']['bytes'] as $bytes) { + $trailingOffset = strlen($data) - $signature['signature']['trailing']['offset'] - strlen($bytes) / 2; + if (strtolower($bytes) !== + strtolower(bin2hex(substr($data, $trailingOffset, strlen($bytes) / 2)))) { + $isSignatureMatching = true; + } + } + } + return new FileCorruptionResult($isSignatureMatching); } } diff --git a/tests/Unit/Analyzer/FileCorruptionAnalyzerTest.php b/tests/Unit/Analyzer/FileCorruptionAnalyzerTest.php index f93d19e..182cc33 100644 --- a/tests/Unit/Analyzer/FileCorruptionAnalyzerTest.php +++ b/tests/Unit/Analyzer/FileCorruptionAnalyzerTest.php 
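Review bot: The trailing byte sequence loop sets `$isSignatureMatching = true` as soon as any one entry of `['trailing']['bytes']` differs, while the starting loop clears it as soon as any one entry matches, so a signature with more than one trailing alternative would mark every file of that type as corrupted (whether FileSignatures contains such an entry is not visible here). The loop should instead record whether at least one alternative matched and raise the flag only when none did, and it should skip the comparison when `$trailingOffset` is negative, since `substr()` then counts from the end of the data and can compare bytes that are not at the stated offset. `$pathInfo['extension']` is also read for every node now and is absent for names without an extension, so `$pathInfo['extension'] ?? ''` is safer. The flag's name reads as the inverse of what it appears to carry: it is passed where the old code passed the corrupted state, so a name like `$isCorrupted` would be clearer. The surrounding `try` and `foreach` continue outside the hunk.

```php
// … unchanged: extension check and starting byte sequence loop …
// trailing byte sequence: corrupted only when none of the alternatives match
if (array_key_exists('trailing', $signature['signature'])) {
    $trailing = $signature['signature']['trailing'];
    // an empty list of alternatives has nothing that can fail
    $hasTrailingMatch = $trailing['bytes'] === [];
    foreach ($trailing['bytes'] as $bytes) {
        $length = strlen($bytes) / 2;
        $trailingOffset = strlen($data) - $trailing['offset'] - $length;
        // a negative offset means the data is too short to hold this trailer
        if ($trailingOffset >= 0
            && strtolower($bytes) === strtolower(bin2hex(substr($data, $trailingOffset, $length)))) {
            $hasTrailingMatch = true;
            break;
        }
    }
    if (!$hasTrailingMatch) {
        $isSignatureMatching = true;
    }
}
// … unchanged: return new FileCorruptionResult($isSignatureMatching); …
```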
@@ -96,9 +96,11 @@ class FileCorruptionAnalyzerTest extends TestCase public function dataIsCorrupted() { return [ - ['data' => 'ffff', 'extension' => 'unknown', 'result' => true], - ['data' => 'ffd8ffffffff', 'extension' => 'csv', 'result' => true], - ['data' => 'ffd8ffffffff', 'extension' => 'jpg', 'result' => false], + ['data' => 'ffff', 'extension' => 'unknown', 'result' => false], + ['data' => 'ffd8ffffffff', 'extension' => 'csv', 'result' => false], + ['data' => 'ffd8ffe000104a46494600ffffffd9', 'extension' => 'jpg', 'result' => false], + ['data' => 'ffd8ffe000104a46494600ffff', 'extension' => 'jpg', 'result' => true], + ['data' => 'ffff', 'extension' => 'jpg', 'result' => true], ]; } |
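Review bot: The data provider in `dataIsCorrupted()` has no case where the trailer is intact but the header is not, so nothing pins that both ends are required for a `false` result; the only bad-header case, `'ffff'`, has a bad trailer as well. A constructed case such as `['data' => 'ffffffffffffffd9', 'extension' => 'jpg', 'result' => true],` would cover it, assuming the jpg signature expects the `ffd8` start and `ffd9` end that the existing cases suggest. A case for a file name without an extension would also be useful, since the analyzer now reads the extension before any signature comparison; how the test builds the path from `'extension'` is not visible in this hunk.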