From c3b60469899122dc1ae70d6da9ce0bd5b1dd386b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 26 Aug 2025 23:21:35 +0000
Subject: [PATCH 1/5] Bump github.com/gabriel-vasile/mimetype in the all group

Bumps the all group with 1 update: [github.com/gabriel-vasile/mimetype](https://github.com/gabriel-vasile/mimetype).

Updates `github.com/gabriel-vasile/mimetype` from 1.4.9 to 1.4.10
- [Release notes](https://github.com/gabriel-vasile/mimetype/releases)
- [Commits](https://github.com/gabriel-vasile/mimetype/compare/v1.4.9...v1.4.10)

---
updated-dependencies:
- dependency-name: github.com/gabriel-vasile/mimetype
  dependency-version: 1.4.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot]
---
 go.mod | 3 +--
 go.sum | 6 ++----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 77f3878d0..d4fd060ef 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/cosnicolaou/pbzip2 v1.0.5
 	github.com/egibs/go-debian v0.18.0
 	github.com/fatih/color v1.18.0
-	github.com/gabriel-vasile/mimetype v1.4.9
+	github.com/gabriel-vasile/mimetype v1.4.10
 	github.com/google/go-cmp v0.7.0
 	github.com/google/go-containerregistry v0.20.6
 	github.com/klauspost/compress v1.18.0
@@ -77,7 +77,6 @@ require (
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	golang.org/x/crypto v0.37.0 // indirect
-	golang.org/x/net v0.39.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/text v0.24.0 // indirect
 	google.golang.org/protobuf v1.36.3 // indirect
diff --git a/go.sum b/go.sum
index 61b94acec..d9305867b 100644
--- a/go.sum
+++ b/go.sum
@@ -51,8 +51,8 @@ github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY=
-github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok=
+github.com/gabriel-vasile/mimetype v1.4.10 h1:zyueNbySn/z8mJZHLt6IPw0KoZsiQNszIpU+bX4+ZK0=
+github.com/gabriel-vasile/mimetype v1.4.10/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
@@ -147,8 +147,6 @@ golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
 golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
 golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
 golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

From 82ce60122e8bffd0ec21dd41f53989ce09383cfb Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Thu, 28 Aug 2025 09:32:43 -0500
Subject: [PATCH 2/5] Fix JS shellscript edge case

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 pkg/programkind/programkind.go | 10 ++++++++--
 tests/linux/mimipenguin/python/mimipenguin.simple | 4 ++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/pkg/programkind/programkind.go b/pkg/programkind/programkind.go
index c1f6e330d..3fa32c1b3 100644
--- a/pkg/programkind/programkind.go
+++ b/pkg/programkind/programkind.go
@@ -94,7 +94,7 @@ var supportedKind = map[string]string{
 	"scptd": "application/x-applescript",
 	"script": "text/x-generic-script",
 	"service": "text/x-systemd",
-	"sh": "application/x-sh",
+	"sh": "text/x-shellscript",
 	"so": "application/x-sharedlib",
 	"ts": "application/typescript",
 	"upx": "application/x-upx",
@@ -119,7 +119,7 @@ var (
 	ZMagic = []byte{0x78, 0x5E}
 )
 
-const headerSize int = 512
+const headerSize int = 1024
 
 // IsSupportedArchive returns whether a path can be processed by our archive extractor.
 // UPX files are an edge case since they may or may not even have an extension that can be referenced.
@@ -224,6 +224,11 @@ func makeFileType(path string, ext string, mime string) *FileType {
 		return Path(".elf")
 	}
 
+	// fix mimetype bug that detects certain .js files as Bash
+	if mime == "text/x-shellscript" && strings.Contains(path, ".js") {
+		return Path(".js")
+	}
+
 	if strings.Contains(mime, "application") || strings.Contains(mime, "text/x-") || strings.Contains(mime, "executable") {
 		return &FileType{
 			Ext: ext,
@@ -324,6 +329,7 @@ func File(path string) (*FileType, error) {
 	case bytes.HasPrefix(hdr, ZMagic):
 		return Path(".Z"), nil
 	}
+
 	return nil, nil
 }
 
diff --git a/tests/linux/mimipenguin/python/mimipenguin.simple b/tests/linux/mimipenguin/python/mimipenguin.simple
index 9f946cfbf..3dba6765b 100644
--- a/tests/linux/mimipenguin/python/mimipenguin.simple
+++ b/tests/linux/mimipenguin/python/mimipenguin.simple
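Review bot: The new guard in makeFileType uses `strings.Contains(path, ".js")`, which also matches `.json`, `.jsx` and `.jsp` names and any path whose directory component contains `.js`, so a JSON or JSX file that the detector reports as text/x-shellscript would be re-labelled as JavaScript rather than just the `.js` case the comment describes. Anchoring on the extension keeps the override narrow: `if mime == "text/x-shellscript" && strings.HasSuffix(path, ".js") {` (or compare the `ext` parameter already passed in, if it carries the bare extension). Because this branch lets the file name override the content-derived MIME in a scanner, keeping it as tight as possible limits how far a chosen name can steer which rule set is applied. makeFileType's body starts before and continues after the hunk.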
@@ -6,10 +6,14 @@ credential/os/shadow: medium
 credential/password: low
 credential/password/finder: high
 credential/ssh/d: medium
+data/base64/decode: medium
 data/encoding/base64: low
 discover/process/name: medium
 discover/processes/list: medium
+discover/system/platform: medium
+exec/imports/python: low
 exfil/stealer/password: critical
+fs/directory/list: low
 fs/file/open: low
 fs/path/etc: low
 fs/path/usr_bin: low

From 90e100abc1b65535c9d111f3ce2b3b53cef0421b Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Thu, 28 Aug 2025 09:33:34 -0500
Subject: [PATCH 3/5] Revert header size change

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 pkg/programkind/programkind.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/programkind/programkind.go b/pkg/programkind/programkind.go
index 3fa32c1b3..d6c1a1de6 100644
--- a/pkg/programkind/programkind.go
+++ b/pkg/programkind/programkind.go
@@ -119,7 +119,7 @@ var (
 	ZMagic = []byte{0x78, 0x5E}
 )
 
-const headerSize int = 1024
+const headerSize int = 512
 
 // IsSupportedArchive returns whether a path can be processed by our archive extractor.
 // UPX files are an edge case since they may or may not even have an extension that can be referenced.

From 31504e7dbbaa34c3f573a5a7125755d581b895a1 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Thu, 28 Aug 2025 09:34:03 -0500
Subject: [PATCH 4/5] More correct comment

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 pkg/programkind/programkind.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/programkind/programkind.go b/pkg/programkind/programkind.go
index d6c1a1de6..c722a159d 100644
--- a/pkg/programkind/programkind.go
+++ b/pkg/programkind/programkind.go
@@ -224,7 +224,7 @@ func makeFileType(path string, ext string, mime string) *FileType {
 		return Path(".elf")
 	}
 
-	// fix mimetype bug that detects certain .js files as Bash
+	// fix mimetype bug that detects certain .js files as shellscript
 	if mime == "text/x-shellscript" && strings.Contains(path, ".js") {
 		return Path(".js")
 	}

From 29296e04a9719a5db88db06df3c406b5a7b7a45e Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Thu, 28 Aug 2025 09:38:23 -0500
Subject: [PATCH 5/5] Fix test cases

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 pkg/programkind/programkind_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/programkind/programkind_test.go b/pkg/programkind/programkind_test.go
index c1c19d27a..1fed5a319 100644
--- a/pkg/programkind/programkind_test.go
+++ b/pkg/programkind/programkind_test.go
@@ -16,10 +16,10 @@ func TestFile(t *testing.T) {
 		want *FileType
 	}{
 		{"expr", &FileType{MIME: "application/x-mach-binary", Ext: "macho"}},
-		{"snmpd", &FileType{MIME: "application/x-sh", Ext: "sh"}},
+		{"snmpd", &FileType{MIME: "text/x-shellscript", Ext: "sh"}},
 		{"test.pl", &FileType{MIME: "text/x-perl", Ext: "pl"}},
 		{"peclcmd", &FileType{MIME: "text/x-php", Ext: "php"}},
-		{"test.sh", &FileType{MIME: "application/x-sh", Ext: "sh"}},
+		{"test.sh", &FileType{MIME: "text/x-shellscript", Ext: "sh"}},
 		{"libpam.so.0", &FileType{MIME: "application/x-sharedlib", Ext: "so"}},
 		{"ls", &FileType{MIME: "application/x-elf", Ext: "elf"}},
 		{"tiny", &FileType{MIME: "application/x-elf", Ext: "elf"}},
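Review bot: The updated TestFile table still has no case for the shell-script-to-JavaScript override that the series introduces in makeFileType: the two edited `.sh` rows only confirm the rename to `text/x-shellscript`, and nothing pins the branch that returns `Path(".js")` when the detector reports a `.js` file as a shell script, so a regression in that guard would pass this test. A row such as `{"<js-fixture-detected-as-shellscript>", &FileType{MIME: "<MIME that Path(\".js\") yields>", Ext: "js"}}` would cover it; the expected MIME comes from the supportedKind entry for js, which is outside this hunk, so I have left it as a placeholder. TestFile's table continues outside the hunk.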
@@ -44,7 +44,7 @@ func TestPath(t *testing.T) {
 		want *FileType
 	}{
 		{"applescript.scpt", &FileType{MIME: "application/x-applescript", Ext: "scpt"}},
-		{"./shell.sh", &FileType{MIME: "application/x-sh", Ext: "sh"}},
+		{"./shell.sh", &FileType{MIME: "text/x-shellscript", Ext: "sh"}},
 		{"ls", nil},
 		{"/etc/systemd/system/launcher.service", &FileType{MIME: "text/x-systemd", Ext: "service"}},
 		{"yarn-package.json", &FileType{MIME: "application/json", Ext: "json"}},