From 1327f34c2c89c2e48715014b16b1acc33e5b9359 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Thu, 24 Nov 2022 10:48:25 +0100
Subject: [PATCH] Add tests to ensure we block macros
---
tests/compose/filters/03_email_macro.sh | 14 ++++
.../2003x32_word_msgbox_stomped_fakecode.doc | Bin 0 -> 28672 bytes
tests/compose/filters/excel4_sample_macro.slk | 68 ++++++++++++++++++
3 files changed, 82 insertions(+)
create mode 100755 tests/compose/filters/03_email_macro.sh
create mode 100644 tests/compose/filters/2003x32_word_msgbox_stomped_fakecode.doc
create mode 100644 tests/compose/filters/excel4_sample_macro.slk
diff --git a/tests/compose/filters/03_email_macro.sh b/tests/compose/filters/03_email_macro.sh
new file mode 100755
index 00000000..c91d1363
--- /dev/null
+++ b/tests/compose/filters/03_email_macro.sh
@@ -0,0 +1,14 @@
+# Malicious macros should be blocked
+# see https://github.com/clr2of8/VBAstomp and https://github.com/decalage2/oletools/wiki/mraptor
+python3 tests/email_test.py message-macro-stomp "tests/compose/filters/2003x32_word_msgbox_stomped_fakecode.doc"
+if [ $? -eq 25 ]; then
+ exit 0
+else
+ exit 1
+fi
+python3 tests/email_test.py message-autoexec-macro "tests/compose/filters/excel4_sample_macro.slk"
+if [ $? -eq 25 ]; then
+ exit 0
+else
+ exit 1
+fi
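Review bot: The second check in `03_email_macro.sh` is unreachable, because the first `if [ $? -eq 25 ]` block exits on both branches (`exit 0` or `exit 1`). The `message-autoexec-macro` run against `excel4_sample_macro.slk` therefore never executes, so a regression in blocking the Excel 4 `Auto_Open` sample would not fail this test. Replace the first if/else with a failure-only guard such as `[ $? -eq 25 ] || exit 1`, and let the final block decide the success exit. The meaning of status 25 is defined in `tests/email_test.py`, which is outside this patch; a one-line comment saying what it represents (presumably a rejection by the filter) would make the assertion easier to audit.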
diff --git a/tests/compose/filters/2003x32_word_msgbox_stomped_fakecode.doc b/tests/compose/filters/2003x32_word_msgbox_stomped_fakecode.doc new file mode 100644 index 0000000000000000000000000000000000000000..f6d78e458fb3c8d0f00017f8d7a87e0744291da2 GIT binary patch literal 28672 zcmeHQeRN#Kb)WZkSC(YSUdhJTV9ZJ~U>i&9u2!;STcFi`ST>SZwrm`VVrwO>EZLG) zXxCtuU=~bTACjIrg~Lb7X`IxYegVgPB!!fm8n=JY78>_JI6!;AwF*PLchAw;fabEF)P=n%sqCF^E?6M7vjVnP!)X>w0m>fy52gBWup{c`ACB)sL z6O*7{rli1|jQJt#n)AwR!_?x?h9RjR({B_qILYcn5V174F)=QAny6rVSnXCYH;IS{ zVaBoAh}eOOf`~JvTUM)LT$^=S@zhe=M7!9CykV3GiR~yKfh5WcBDM|O7-}Lh_mdViX&*lj5To7b=38ucv0Mc|G|I|70~(s%2M~d9f)59EcU$qPzA@y zdS{$3xxI_Lm1nc_aTDGm#2HKkY%T9AgtT*n+#X%Vc*$lf&G6N*b#1usJ(%@0Iiu3# z49Iv~#*8&>x{)%97h(RUkZTxahhVU+F|z`j*cz}kU~9nEz-6HU?i08!!MDK9!q|Ot z*Uilm&vpI_Sc-6&87~K&2b>S&KBEH2wPgWtA@B;|BH)$4#X!oq3iN6q*H7*kmjStV z_W-Ma%u@rp9C#h@df*Mf6~L81rr!v<8dwXg1KtGm0)0TH*Mnlo77f5glLxj97tw%r z%kvpcj=Uzkt91QHi5Op4)b0=u=wjfE(}{_&RCG-w_ayq$t}PsrR()ZSzOdyPy>yN~ zqAe^gsw~kfGo6n;wX;H$>6!pi?HjzpXxRWD^oAo8qnH`Y3>qM6*$Hw8hox-t7 z^lZ4t>-GA*#{>1=T2btDhD51DpQlxNy@AGiYlOefTjQ+>tra~xhQ|hycc(;8_kq-o z*p5bLpvRH$*QH1LL`|$C;tB3cXOg4w^l)-a^g4uoD6%;@F&ZCnA&?2l1B5M^=se-c zRFq`2Rb@RPM`dZz`;R`g(^)JIRmBDehx;oY+#M5x8EkF(uXtehvCOr9_(0W$d;B6C zZ3=q>p<2<<77f<=yuQ}9+O}|{A+tNUCzweDGA{q&-I?#<^dLU!i4Kn>M9Q;be^cYi zp4L!ubTm2UDCrTM!~GM5g`iNt{DiAAFuLlK|w^>lW}>cSmm9W}q}KGfy$ z`Rd$WPpt3$k31d2y?qn$i38$>jF?}ce?=DyPHK+?muM#kw+#)a!by0MqlvNf2C>+6 zqGVg^kn}DqS~r1zViTOp?XBZi{nK3kdvlkbsKnjb-lq9ZKJ-@(+(^sXbj`K;WL4yy zP1SA1H@0a@gx0&+ow&O*uHC#rR7Ntc&6(Tb;bunq!*EuvONpz#R^q?8aeda`` zr)son?#X2#kNc!$SBv{@w(#(+s}5+=k{DjOmh%c}nTWj78#Y2NctrXBG(qohRZqwm z`HAf;kpW8~jN3u5rXZSrFe$`+$R-V!;b3aHZMkODD*Ar<-14<&_q6}PeHHI@y!FI# zR0eTGZpjJ8p$yInU@NV69MfLr1)v@F$VSrOZZX|y<{dYZWjReW=Te0D&`fcOm(7-# zj2!vr0@{C$_B;=;hZGeUe`(#eL~_#$j8H~C`%mwL1!!M+*3UIyw)UUCld}JmqwGJ! 
z9;A_0n{+v7KKs84{0rHC`a8=0Qy%UA8ekK!8Mqd>4oL5)1$Z+M?v!W+27ztB5HJj6 z`6%cHU^{Rla1-!WU}}a0oaI+ymST909U@Jlnvuh36*3oxllT3dpp5CcWFFU|kTt zw&MCjf0lguLvtRZ)D!?)=dhdhMw%N;6`j*!Gpz;fnhpl{3+6I`GLC<9f(bYwuObQ= zI+yIw+Mcehu?<^;2mL*vSZ8N!^FbKEjiIfvZUk;?3lbY~i8R6{c3^hus7`>18>@5) zXDfg`VuRU=pvn7llX6oq32ck2WNKUHLnx;M+cJ^dt?afk+sam_J#t-0C`(O4y(6|Y zTo>zTV~^Q@9m$CSHVnsg64D(8gVdjdb7Q8?Y zmQ$>za?NAqMaX8bSp7=s2*B#i+Qb%<_k>9~Sto(jcbxi<+F#vqwfp-&7Jnha?{CF6 zPLCi<0lgTjnOx#hJ(Ef@)-$V;xSDmSMjAR~Bh?AL(MY3JJ}MFL_a^O?F?CTg3k?6;KNDO!a zH~AZH@_T*Fp1uQ~cxrSwJ%szCnEPS#9;wUSJatCz`Yy3AM*B06tPol|_!Uzccj`u4 z6?K^ULoO58AE+Or4;wRUedgDnJ6A8ycnx5696KlW`S&v-*B#L-1bvLS=9%Xih7dhDU-`qf7x?!gmoi)_3M6i)uLk(SVWr zVpn#UlDT-(6jCNZ)7WK(_Jd9;9g%!sRNslakVRCpm{T?O1B4i7Q-8Ctg3S<(rECR5 z`ubwCZTkAMT*ydOtv5Cw zD5%_{449zu%YyPEa9T;D`Jf!9YJ@I+&l(C>q(p$y+kTQ1;JVKXvl{;h(8ybca=0-KBmY=qVz-Yh<#yi0|1|DZvO z)%O=mT}mk#;~f#+00Lp20W3Ddt3c&wnt6H=ccLs?t!@iV8%OL>CpE)ejjW?iYg_dtV4tqR&S3I4-arnMI`jL1DH=Y<Yl3V^3sTNY(RSrc?9i`b`~N(La%6l-ZSmb$B3(4 zxM6=H@37)OLF6#<<+DFVvyeDzV5cr_f7J9UDBifsW@3MMhyP|_1$v>2?rKA6n&`&E zS~;pY9&M7rQ}##00frCz_sO>k>ac6i|5%pF+7HyU3~S18cg@+8&B~fJLsv-3X@X&8 zp~@;e(n1;aPtBvsC@KZx;=~<~g^JyhGQEhY@`i=sL^437sdOcy5MQOM{FI`2*0AC! 
zs!K1!urOcPbU3G)4w!<~sGEvbWrIY@8ZhZ(7;`R6eNE6w~1A)mg;?rAQ z{7RbT4dNcyLjL)I0X%Jw;w;nPc&CIyCU-Jbbn{-=z5q@^y`as&5Io!-c%yvk zzX8{vIEY$$z>mRS?ZkC6I6iPX;m@i!2Mmt!G_c2fD%glT^CCSTDjmy(iJv5^a4O4or`dW*2 z8sQ7;p$YA*M;oaNr3b#MVZ6;VD%&`Wmf=_q;T5=}o6xtFQWtD3^QM3}nnOBH0P#nD z0y$#nUsP%=0__?4>xO3^gO0&eo)6yx z;M+%-Ll$@??~JL3j7eQsLo?Hq-<&a%n%aSOkD-lxQv-*q@;!)@?B5RPC;$$RZq1Wh z%&0oVM$m^E+4Bf`q+VR%8(M1AEggYV!7&d_vAFqoJc^|mAOv#r1c$HCe-o~p_aXGY z0s4-j)>>%Q3v5HE4e62GED9pkxK9Em-!JbMw*J!QNeKEG#UE!hXS|wCyqnISLETtQ zIHC#YtGOD@NXKy|Xep@MT#=|{8bQOV(;!X-O{P!f z6^=3Yba*7lm!=A>tP3$h^%ya=F>Qpd5@^u^y>OXqmfI%@=#9W3HVRZ?VoiS!i^9*} z^=7k6^?bRr*(!L2gvAuQ9t*J1Q%!3Eqj0Y;Ek&*D*3zul8n?s$cQmlM#s9P6&_8y( zQu5sPH~#gZ@33W@?{6$Q-E;0opKbo5?|1bbzU|((6rYrvl?)I^D%t{(6^F0K_QuJR z!td;L3x^YDnZNvzTezG!&9!d)-&4mf9w_|XhqiH5W6CG#YgtR$yxj^$_wKG$p`Ns{2=^o zWH8R?uGmM3oymcHBMDz$1MF{p&{QbYYMImMTkZjO&8TB^+{02%Fxk?~M+ES=b&X5C(}Zc9w0@aPiTqK?;EM*@{Poc_(QvfQifmg~TT68?6pS=B1bvb4 zn#M@PK%{L5wNy9xo4kRx=BVEr#53EVHylMmdFdVP$yC}C*`H2~4J0N!8^;EdUoJ1r zb;;LqPkmFpKinAb)`p_Z-ddk86oqmE^|f9I2{rqCUT;J2-gP+fUzaQ8m6CDG>`jfw z`x6joRalF^VYP?otM~a=dl~|`Ku_vvM2mN|C-*NzAN@jL6zc%8&Cl~0Q6c#0 zQ?H6Ud+EKLt^6A!6Q%IDOumghPxS5S+jD2von1zv^;+UwB$|+W!CFlsecuZ~Hj76u zCKL**^kXt`jAt4EQfpZ8rc<6iDR>`cXaXKW-w63AA8kE~bW&Io2}jWLpCR7ewX+BZF2@e5JPwStnTs4A!O zsQ4z7;~PG&oBEkfnUB+Qx}528>cIIYYkD&7HG%eUkQ(r2s(v93-{Ho+CNlHJg zhi`7Fek!W!S8+vE`9f6Xn@-hyRJ2fe#iu?@)hJe8I=vnhS9(_QLR1M=_Q6WSNQ|N# zq*gx5s5sLJFTozsKD`dg=W_3XGD+!qrj#oMioumA%gr&yZLl>kdkw(L@N}oKbHroo z?)d2VNFuknC@-JAIJ?Bwis_`8gXlyHOw{{r{;A7$#mhe zK2z>u(7fk%;I{(B&Qs5mwDQvPQV~xJWcYiBUuKxPMAxKF*$&2+m=weYTLZQRYz^2N zur*+7z}A4R0b2vM25b%38n87mYYkk;|JQ%`#t)yYyW0KmWAOi1fBr1}fBNq9hv}aV z0qK{I1L^PMSBKKye-M;s1YZa8J0SQ)gZ%2@lc4n9j{)hwKMmxY1TO;V@ALeCvd;jm zem#9)g4Hip{xN-i@;|y_uB?Ok=JEoVPM4u_mSdR0hs(~Kfj7o_4ECW*#hdH zb^m$(bi}O4TEBm`l_Njv=h++YshRfwTIAgZBv|XOH(0Z}UP}L~P(#wJ<@_IT&#HR- zqC%JN@o-FM+W#8lJ!p=9q2H*_v=vvGTcY{~u|)_10UmKZ!o`%X4qMbLL3irPaFrf04Rb gc6$A9|I5U&+FyLO@$rv8`0nl9-?%-Wd~5yx4WHm&)&Kwi literal 0 HcmV?d00001 
diff --git a/tests/compose/filters/excel4_sample_macro.slk b/tests/compose/filters/excel4_sample_macro.slk
new file mode 100644
index 00000000..3bd187ca
--- /dev/null
+++ b/tests/compose/filters/excel4_sample_macro.slk
@@ -0,0 +1,68 @@
+ID;PWXL;N;E
+P;PGeneral
+P;P0
+P;P0.00
+P;P#,##0
+P;P#,##0.00
+P;P#,##0;;\-#,##0
+P;P#,##0;;[Red]\-#,##0
+P;P#,##0.00;;\-#,##0.00
+P;P#,##0.00;;[Red]\-#,##0.00
+P;P#,##0\ "$";;\-#,##0\ "$"
+P;P#,##0\ "$";;[Red]\-#,##0\ "$"
+P;P#,##0.00\ "$";;\-#,##0.00\ "$"
+P;P#,##0.00\ "$";;[Red]\-#,##0.00\ "$"
+P;P0%
+P;P0.00%
+P;P0.00E+00
+P;P##0.0E+0
+P;P#" "?/?
+P;P#" "??/??
+P;Pdd/mm/yyyy
+P;Pdd\-mmm\-yy
+P;Pdd\-mmm
+P;Pmmm\-yy
+P;Ph:mm\ AM/PM
+P;Ph:mm:ss\ AM/PM
+P;Phh:mm
+P;Phh:mm:ss
+P;Pdd/mm/yyyy\ hh:mm
+P;Pmm:ss
+P;Pmm:ss.0
+P;P@
+P;P[h]:mm:ss
+P;P_-* #,##0\ "$"_-;;\-* #,##0\ "$"_-;;_-* "-"\ "$"_-;;_-@_-
+P;P_-* #,##0_-;;\-* #,##0_-;;_-* "-"_-;;_-@_-
+P;P_-* #,##0.00\ "$"_-;;\-* #,##0.00\ "$"_-;;_-* "-"??\ "$"_-;;_-@_-
+P;P_-* #,##0.00_-;;\-* #,##0.00_-;;_-* "-"??_-;;_-@_-
+P;FCalibri;M220;L9
+P;FCalibri;M220;L9
+P;FCalibri;M220;L9
+P;FCalibri;M220;L9
+P;ECalibri;M220;L9
+P;ECalibri Light;M360;L55
+P;ECalibri;M300;SB;L55
+P;ECalibri;M260;SB;L55
+P;ECalibri;M220;SB;L55
+P;ECalibri;M220;L18
+P;ECalibri;M220;L21
+P;ECalibri;M220;L61
+P;ECalibri;M220;L63
+P;ECalibri;M220;SB;L64
+P;ECalibri;M220;SB;L53
+P;ECalibri;M220;L53
+P;ECalibri;M220;SB;L10
+P;ECalibri;M220;L11
+P;ECalibri;M220;SI;L24
+P;ECalibri;M220;SB;L9
+P;ECalibri;M220;L10
+P;ESegoe UI;M200;L9
+F;P0;DG0G8;E;M292
+B;Y2;X1;D0 0 1 0
+O;L;E;D;V0;K47;G100 0.001
+F;W1 1 17
+F;W2 16384 9
+NN;NAuto_Open;ER1C1
+C;Y1;X1;KFALSE;EALERT("This is a sample Excel 4 macro")
+C;Y2;KTRUE;EHALT()
+E