Skip to content

fix(analysisinfo): detect auto-selected package from Windows analyzer logs #2937

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kevoreilly merged 2 commits into from
Mar 16, 2026
Merged

fix(analysisinfo): detect auto-selected package from Windows analyzer logs #2937

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6f4953a
fix(analysisinfo): detect auto-selected package from Windows analyzer…
wmetcalf Mar 9, 2026
ca5fe67
refactor: use str.find() to avoid double scan of analysis log
wmetcalf Mar 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions modules/processing/analysisinfo.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,8 +68,15 @@ def get_package(self):
raise CuckooProcessingError(f"Error opening {self.log_path}: {e}") from e
else:
with suppress(Exception):
idx = analysis_log.index('INFO: Automatically selected analysis package "')
package = analysis_log[idx + 47 :].split('"', 1)[0]
# Try both Windows and Linux analyzer log formats
for marker in (
'INFO: analysis package selected: "',
'INFO: Automatically selected analysis package "',
):
idx = analysis_log.find(marker)
if idx != -1:
package = analysis_log[idx + len(marker) :].split('"', 1)[0]
break
Comment on lines +72 to +79
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

The get_package function extracts the analysis package name from the analysis.log file. This log's content can be influenced by an untrusted guest VM, making it vulnerable to log injection. An attacker could inject a fake log line to spoof the package name, potentially leading to data spoofing in the analysis report or Cross-Site Scripting (XSS) if the name is rendered without proper escaping. It is crucial to implement validation or sanitization on the extracted package name to mitigate this vulnerability. Additionally, the current approach of using if marker in analysis_log: followed by analysis_log.index(marker) causes the string to be scanned twice for each marker. For improved efficiency, consider using analysis_log.find(marker) instead, which avoids redundant scans.

Suggested change
for marker in (
'INFO: analysis package selected: "',
'INFO: Automatically selected analysis package "',
):
if marker in analysis_log:
idx = analysis_log.index(marker)
package = analysis_log[idx + len(marker) :].split('"', 1)[0]
break
for marker in (
'INFO: analysis package selected: "',
'INFO: Automatically selected analysis package "',
):
idx = analysis_log.find(marker)
if idx != -1:
package = analysis_log[idx + len(marker) :].split('"', 1)[0]
break

Copy link
Copy Markdown
Contributor Author

@wmetcalf wmetcalf Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Applied the .find() suggestion to avoid the double scan — good catch. The log injection/XSS concern isn't applicable here though: the existing code already extracted from the same guest-controlled log in the same way, and the package name is used internally for processing, not rendered raw in any frontend context.

return package

def run(self):
Expand Down