Fix Nextcloud-Whitelist: false-positive when opening the trashbin cro…

…wdsecurity#1086 (crowdsecurity#1087) * Update nextcloud-whitelist.yaml Fix crowdsecurity#1086 * enhance: Add new test case based on whitelist changes * enhance: manually run index workflow cause fork --------- Co-authored-by: Laurence <[email protected]>
LaurenceJJones · Aug 21, 2024 · 21e221b · 21e221b
1 parent 5041166
commit 21e221b
Show file tree

Hide file tree

Showing 4 changed files with 135 additions and 10 deletions.
diff --git a/.index.json b/.index.json
@@ -7304,7 +7304,7 @@
   "crowdsecurity/nextcloud-whitelist": {
    "path": "parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml",
    "stage": "s02-enrich",
-   "version": "0.8",
+   "version": "0.9",
    "versions": {
     "0.1": {
      "digest": "7685c823a398a711b76afea742ebeb2637ac55c829eafba841b63504b1e2228e",
@@ -7337,10 +7337,14 @@
     "0.8": {
      "digest": "92408f18443f074036c7eb1d3b948b452f8e29e9ba2b2fca2e118cb98437f4e0",
      "deprecated": false
+    },
+    "0.9": {
+     "digest": "abb7cfd6a77a94a9c7347065ccbb3964408e51d4d58b3092f009abb65c2cb579",
+     "deprecated": false
     }
    },
    "long_description": "IyMgTmV4dGNsb3VkIHdoaXRlbGlzdAoKIyMjIENvbnRhY3RzIGFwcApDb250YWN0cyBoYXMgYW4gaXNzdWUgd2l0aCBleGNlc3NpdmUgNDA0IHJlc3BvbnNlIGNvZGVzIHdoZW4gYSB1c2VyIGltYWdlIGlzIG1pc3NpbmcKW1Vwc3RyZWFtIGlzc3VlXShodHRwczovL2dpdGh1Yi5jb20vbmV4dGNsb3VkL2NvbnRhY3RzL2lzc3Vlcy8zMDIxKQoKLS0tCiMjIyBQaG90b3MgYXBwCk9uIGZpcnN0IGxvYWQgdGhlIHBob3RvcyBhcHAgY2FsbHMgYSBwcmV2aWV3IGVuZHBvaW50LCBob3dldmVyLCBpZiBpdCBmYWlscyB0byBsb2FkIGl0IHdpbGwgdHJpZ2dlciBodHRwLXByb2JpbmcKCldoZW4gb3BlbmluZyB0aGUgcGhvdG9zIGFwcCwgbXVsdGlwbGUgcmVxdWVzdHMgYXJlIG1hZGUgdmVyeSBxdWlja2x5IGZvciBpbWFnZXMsIHNpbmNlIHRoZXkgYXJlIG5vdCBtYXJrZWQgYXMgaW1hZ2VzIChlbmRpbmcgaW4gcG5nLGpwZyBldGMpIGl0IGNhbiB0cmlnZ2VyIEhUVFAgY3Jhd2wgbm9uIHN0YXRpY3MuCgotLS0KIyMjIEJhY2t1cCBhcHAKV2hlbiBsb2FkaW5nIGJhY2t1cHMgZm9yIGEgZmlsZSBpZiB0aG9zZSBiYWNrdXBzIGhhdmUgYmVlbiBtb2RpZmllZCBvciBkZWxldGVkIGJ5IChPUy9VU0VSKSBpdCBjYW4gZWFzaWx5IHRyaWdnZXIgaHR0cC1wcm9iaW5nCgotLS0KIyMjIEZpbGVzIGFwcApUaGUgYC9jb3JlL3ByZXZpZXdgIGVuZHBvaW50IHJldHVybnMgNDA0IGlmIGEgZmlsZSBoYXMgbm8gdGh1bWJuYWlsIChpbmNsdWRpbmcgZmlsZXMgd2hpY2ggYXJlbid0IG1lYW50IHRvLCBsaWtlIFhNTHMpLgpUaGlzIGNhbiB0cmlnZ2VyIGh0dHAtcHJvYmluZyB3aGVuIHVzaW5nIHRoZSBmaWxlIHNlYXJjaCBiYXIuCgpXaGVuIHByZXZpZXdzIGFyZSBtaXNzaW5nIGZvciBmaWxlcyBpbiB0aGUgdHJhc2ggYmluLCBhIDQwNCBlcnJvciBpcyByZXR1cm5lZCB3aGljaCB0cmlnZ2VycyBodHRwIHByb2JpbmcuCgpJbiByYXJlIGNhc2VzIEhUVFAgUHJvYmluZyB3aWxsIGJlIHRyaWdnZXJlZCB3aGVuIG9wZW5pbmcgbXVsdGlwbGUgZm9sZGVycyBxdWlja2x5LCBOZXh0Y2xvdWQgY2hlY2tzIGZvciBhIGBgcmVhZG1lLm1kYGAgZmlsZSBhbmQgaWYgaXQgZG9lc24ndCBleGlzdCBhIDQwNCBlcnJvciBpcyB0aHJvd24uCgotLS0KIyMjIENyZWF0aW5nIGZpbGVzIHZpYSBXZWJEQVYKV2hlbiB1cGxvYWRpbmcgZmlsZXMgdmlhIFdlYkRBViwgYSBQUk9QRklORCByZXF1ZXN0IGlzIHNlbnQgdG8gdGhlIHNlcnZlciwgd2hpY2ggcmV0dXJucyA0MDQgaWYgdGhlIGZpbGUgZG9lcyBub3QKZXhpc3QuIFRoZW4gdGhlIGZpbGUgaXMgY3JlYXRlZC4gVXBsb2FkaW5nIG1vcmUgdGhhbiAxMCBmaWxlcyBhdCBhIHRpbWUgd2lsbCB0cmlnZ2VyIGh0dHAtcHJvYmluZy4K",
-   "content": "bmFtZTogY3Jvd2RzZWN1cml0eS9uZXh0Y2xvdWQtd2hpdGVsaXN0CmRlc2NyaXB0aW9uOiAiV2hpdGVsaXN0IGV2ZW50cyBmcm9tIG5leHRjbG91ZCIKZmlsdGVyOiAiZXZ0Lk1ldGEuc2VydmljZSA9PSAnaHR0cCcgJiYgZXZ0Lk1ldGEubG9nX3R5cGUgaW4gWydodHRwX2FjY2Vzcy1sb2cnLCAnaHR0cF9lcnJvci1sb2cnXSIKd2hpdGVsaXN0OgogIHJlYXNvbjogIk5leHRjbG91ZCBXaGl0ZWxpc3QiCiAgZXhwcmVzc2lvbjoKICAgLSBldnQuTWV0YS5odHRwX3N0YXR1cyA9PSAnNDA0JyAmJiBldnQuTWV0YS5odHRwX3ZlcmIgPT0gJ0dFVCcgJiYgZXZ0LlBhcnNlZC5maWxlX2V4dCA9PSAnLnZjZicgJiYgZXZ0LlBhcnNlZC5odHRwX2FyZ3MgY29udGFpbnMgInBob3RvIiAjQ29udGFjdHMgYXBwIC52Y2YgbWlzc2luZyBwaG90bwogICAtIGV2dC5NZXRhLmh0dHBfc3RhdHVzID09ICc0MDQnICYmIGV2dC5NZXRhLmh0dHBfdmVyYiA9PSAnR0VUJyAmJiBldnQuTWV0YS5odHRwX3BhdGggY29udGFpbnMgJy9hcHBzL2ZpbGVzX3ZlcnNpb25zL3ByZXZpZXcnICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICd2ZXJzaW9uJyAjQmFja3VwIGFwcCBtaXNzaW5nIGZpbGUgdmVyc2lvbgogICAtIGV2dC5NZXRhLmh0dHBfc3RhdHVzID09ICc0MDQnICYmIGV2dC5NZXRhLmh0dHBfdmVyYiA9PSAnR0VUJyAmJiBldnQuTWV0YS5odHRwX3BhdGggY29udGFpbnMgJy9hcHBzL3Bob3Rvcy9hcGkvdjEvcHJldmlldycgJiYgZXZ0LlBhcnNlZC5odHRwX2FyZ3MgY29udGFpbnMgJ3gnICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICd5JyAjUGhvdG8gYXBwIGxvYWRzIGFsbCBwcmV2aWV3cyBhcyBzbWFsbCBwYW5lcywgYnV0IGNhbiA0MDQKICAgLSBldnQuTWV0YS5odHRwX3N0YXR1cyA9PSAnNDA0JyAmJiBldnQuTWV0YS5odHRwX3ZlcmIgPT0gJ0dFVCcgJiYgZXZ0LlBhcnNlZC5yZXF1ZXN0IGNvbnRhaW5zICcvY29yZS9wcmV2aWV3JyAmJiBldnQuUGFyc2VkLmh0dHBfYXJncyBjb250YWlucyAneD0nICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICd5PScgJiYgZXZ0LlBhcnNlZC5odHRwX2FyZ3MgY29udGFpbnMgJ2ZpbGVJZD0nICNGaWxlIHByZXZpZXcgb2Z0ZW4gNDA0cyB3aGlsZSBzZWFyY2hpbmcKICAgLSBldnQuTWV0YS5odHRwX3N0YXR1cyA9PSAnNDA0JyAmJiBldnQuTWV0YS5odHRwX3ZlcmIgaW4gWydQUk9QRklORCcsICdHRVQnXSAmJiBldnQuTWV0YS5odHRwX3BhdGggbWF0Y2hlcyAnXi9yZW1vdGUucGhwLyh3ZWIpP2Rhdi8nICNVcGxvYWRpbmcgbmV3IGZpbGVzIHZpYSBXZWJEQVYgYWx3YXlzIHByb2R1Y2VzIGEgNDA0CiAgIC0gZXZ0Lk1ldGEuaHR0cF9zdGF0dXMgPT0gJzQwNCcgJiYgZXZ0Lk1ldGEuaHR0cF92ZXJiID09ICdHRVQnICYmIGV2dC5NZXRhLmh0dHBfcGF0aCBjb250YWlucyAnL2FwcHMvbWFpbC9hcGkvYXZhdGFycy91cmwvJyAjV2hlbiBsb2FkaW5nIG1haWwgY29udGFjdHMgdGhlIGF2YXRhcnMgbWF5IGdldCA0MDQKICAgLSBldnQuTWV0YS5odHRwX3N0YXR1cyA9PSAnMjAwJyAmJiBldnQuUGFyc2VkLnN0YXRpY19yZXNzb3VyY2UgPT0gJ2ZhbHNlJyAmJiBldnQuTWV0YS5odHRwX3ZlcmIgPT0gJ0dFVCcgJiYgZXZ0Lk1ldGEuaHR0cF9wYXRoIGNvbnRhaW5zICcvYXBwcy9waG90b3MvYXBpL3YxL3ByZXZpZXcnICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICcmeD0nICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICcmeT0nICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICdldGFnPScgI1doZW4gbG9hZGluZyBtdWx0aXBsZSBpbWFnZXMgaW5zaWRlIE5leHRjbG91ZCBQaG90b3MsIEhUVFAgQ3Jhd2wgbm9uIHN0YXRpY3MgaXMgdHJpZ2dlcmVkIHNpbmNlIHRoZSBpbWFnZXMgbG9vayBsaWtlIGR5bmFtaWMgYXNzZXRzLgogICAtIGV2dC5NZXRhLmh0dHBfc3RhdHVzID09ICc0MDQnICYmIGV2dC5NZXRhLmh0dHBfdmVyYiA9PSAnR0VUJyAmJiBldnQuUGFyc2VkLnJlcXVlc3QgPT0gJy9vY3MvdjIucGhwL2FwcHMvdGV4dC93b3Jrc3BhY2UnICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICdwYXRoPSUyRicgI1doZW4gb3BlbmluZyBmb2xkZXJzIGluIE5leHRjbG91ZCBGaWxlcyB0aGF0IGRvbid0IGNvbnRhaW4gYSByZWFkbWUubWQgNDA0IGVycm9yIGlzIHRocm93bgogICAtIGV2dC5NZXRhLmh0dHBfc3RhdHVzID09ICc0MDQnICYmIGV2dC5NZXRhLmh0dHBfdmVyYiA9PSAnR0VUJyAmJiBldnQuTWV0YS5odHRwX3BhdGggY29udGFpbnMgJy9hcHBzL2ZpbGVzX3RyYXNoYmluL3ByZXZpZXcnICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICdmaWxlSWQ9JyAmJiBldnQuUGFyc2VkLmh0dHBfYXJncyBjb250YWlucyAnJmZpbGU9JyAjIDQwNCBlcnJvciB0aHJvd24gd2hlbiBwcmV2aWV3IGlzIG1pc3NpbmcgZm9yIGZpbGVzIGluIHRyYXNoIGJpbgogICAtIGV2dC5NZXRhLmh0dHBfc3RhdHVzID09ICc0MDQnICYmIGV2dC5NZXRhLmh0dHBfdmVyYiA9PSAnR0VUJyAmJiBldnQuTWV0YS5odHRwX3BhdGggbWF0Y2hlcyAnXFwvYXBwc1xcL2ZpbGVzXFwvYXBpXFwvdjFcXC90aHVtYm5haWxcXC8oXFxkKykvKFxcZCspJwo=",
+   "content": "bmFtZTogY3Jvd2RzZWN1cml0eS9uZXh0Y2xvdWQtd2hpdGVsaXN0CmRlc2NyaXB0aW9uOiAiV2hpdGVsaXN0IGV2ZW50cyBmcm9tIG5leHRjbG91ZCIKZmlsdGVyOiAiZXZ0Lk1ldGEuc2VydmljZSA9PSAnaHR0cCcgJiYgZXZ0Lk1ldGEubG9nX3R5cGUgaW4gWydodHRwX2FjY2Vzcy1sb2cnLCAnaHR0cF9lcnJvci1sb2cnXSIKd2hpdGVsaXN0OgogIHJlYXNvbjogIk5leHRjbG91ZCBXaGl0ZWxpc3QiCiAgZXhwcmVzc2lvbjoKICAgLSBldnQuTWV0YS5odHRwX3N0YXR1cyA9PSAnNDA0JyAmJiBldnQuTWV0YS5odHRwX3ZlcmIgPT0gJ0dFVCcgJiYgZXZ0LlBhcnNlZC5maWxlX2V4dCA9PSAnLnZjZicgJiYgZXZ0LlBhcnNlZC5odHRwX2FyZ3MgY29udGFpbnMgInBob3RvIiAjQ29udGFjdHMgYXBwIC52Y2YgbWlzc2luZyBwaG90bwogICAtIGV2dC5NZXRhLmh0dHBfc3RhdHVzID09ICc0MDQnICYmIGV2dC5NZXRhLmh0dHBfdmVyYiA9PSAnR0VUJyAmJiBldnQuTWV0YS5odHRwX3BhdGggY29udGFpbnMgJy9hcHBzL2ZpbGVzX3ZlcnNpb25zL3ByZXZpZXcnICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICd2ZXJzaW9uJyAjQmFja3VwIGFwcCBtaXNzaW5nIGZpbGUgdmVyc2lvbgogICAtIGV2dC5NZXRhLmh0dHBfc3RhdHVzID09ICc0MDQnICYmIGV2dC5NZXRhLmh0dHBfdmVyYiA9PSAnR0VUJyAmJiBldnQuTWV0YS5odHRwX3BhdGggY29udGFpbnMgJy9hcHBzL3Bob3Rvcy9hcGkvdjEvcHJldmlldycgJiYgZXZ0LlBhcnNlZC5odHRwX2FyZ3MgY29udGFpbnMgJ3gnICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICd5JyAjUGhvdG8gYXBwIGxvYWRzIGFsbCBwcmV2aWV3cyBhcyBzbWFsbCBwYW5lcywgYnV0IGNhbiA0MDQKICAgLSBldnQuTWV0YS5odHRwX3N0YXR1cyA9PSAnNDA0JyAmJiBldnQuTWV0YS5odHRwX3ZlcmIgPT0gJ0dFVCcgJiYgZXZ0LlBhcnNlZC5yZXF1ZXN0IGNvbnRhaW5zICcvY29yZS9wcmV2aWV3JyAmJiBldnQuUGFyc2VkLmh0dHBfYXJncyBjb250YWlucyAneD0nICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICd5PScgJiYgZXZ0LlBhcnNlZC5odHRwX2FyZ3MgY29udGFpbnMgJ2ZpbGVJZD0nICNGaWxlIHByZXZpZXcgb2Z0ZW4gNDA0cyB3aGlsZSBzZWFyY2hpbmcKICAgLSBldnQuTWV0YS5odHRwX3N0YXR1cyA9PSAnNDA0JyAmJiBldnQuTWV0YS5odHRwX3ZlcmIgaW4gWydQUk9QRklORCcsICdHRVQnXSAmJiBldnQuTWV0YS5odHRwX3BhdGggbWF0Y2hlcyAnXi9yZW1vdGUucGhwLyh3ZWIpP2Rhdi8nICNVcGxvYWRpbmcgbmV3IGZpbGVzIHZpYSBXZWJEQVYgYWx3YXlzIHByb2R1Y2VzIGEgNDA0CiAgIC0gZXZ0Lk1ldGEuaHR0cF9zdGF0dXMgPT0gJzQwNCcgJiYgZXZ0Lk1ldGEuaHR0cF92ZXJiID09ICdHRVQnICYmIGV2dC5NZXRhLmh0dHBfcGF0aCBjb250YWlucyAnL2FwcHMvbWFpbC9hcGkvYXZhdGFycy91cmwvJyAjV2hlbiBsb2FkaW5nIG1haWwgY29udGFjdHMgdGhlIGF2YXRhcnMgbWF5IGdldCA0MDQKICAgLSBldnQuTWV0YS5odHRwX3N0YXR1cyA9PSAnMjAwJyAmJiBldnQuUGFyc2VkLnN0YXRpY19yZXNzb3VyY2UgPT0gJ2ZhbHNlJyAmJiBldnQuTWV0YS5odHRwX3ZlcmIgPT0gJ0dFVCcgJiYgZXZ0Lk1ldGEuaHR0cF9wYXRoIGNvbnRhaW5zICcvYXBwcy9waG90b3MvYXBpL3YxL3ByZXZpZXcnICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICcmeD0nICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICcmeT0nICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICdldGFnPScgI1doZW4gbG9hZGluZyBtdWx0aXBsZSBpbWFnZXMgaW5zaWRlIE5leHRjbG91ZCBQaG90b3MsIEhUVFAgQ3Jhd2wgbm9uIHN0YXRpY3MgaXMgdHJpZ2dlcmVkIHNpbmNlIHRoZSBpbWFnZXMgbG9vayBsaWtlIGR5bmFtaWMgYXNzZXRzLgogICAtIGV2dC5NZXRhLmh0dHBfc3RhdHVzID09ICc0MDQnICYmIGV2dC5NZXRhLmh0dHBfdmVyYiA9PSAnR0VUJyAmJiBldnQuUGFyc2VkLnJlcXVlc3QgPT0gJy9vY3MvdjIucGhwL2FwcHMvdGV4dC93b3Jrc3BhY2UnICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICdwYXRoPSUyRicgI1doZW4gb3BlbmluZyBmb2xkZXJzIGluIE5leHRjbG91ZCBGaWxlcyB0aGF0IGRvbid0IGNvbnRhaW4gYSByZWFkbWUubWQgNDA0IGVycm9yIGlzIHRocm93bgogICAtIGV2dC5NZXRhLmh0dHBfc3RhdHVzID09ICc0MDQnICYmIGV2dC5NZXRhLmh0dHBfdmVyYiA9PSAnR0VUJyAmJiBldnQuTWV0YS5odHRwX3BhdGggY29udGFpbnMgJy9hcHBzL2ZpbGVzX3RyYXNoYmluL3ByZXZpZXcnICYmIGV2dC5QYXJzZWQuaHR0cF9hcmdzIGNvbnRhaW5zICdmaWxlSWQ9JyAjIDQwNCBlcnJvciB0aHJvd24gd2hlbiBwcmV2aWV3IGlzIG1pc3NpbmcgZm9yIGZpbGVzIGluIHRyYXNoIGJpbgogICAtIGV2dC5NZXRhLmh0dHBfc3RhdHVzID09ICc0MDQnICYmIGV2dC5NZXRhLmh0dHBfdmVyYiA9PSAnR0VUJyAmJiBldnQuTWV0YS5odHRwX3BhdGggbWF0Y2hlcyAnXFwvYXBwc1xcL2ZpbGVzXFwvYXBpXFwvdjFcXC90aHVtYm5haWxcXC8oXFxkKykvKFxcZCspJwo=",
    "description": "Whitelist events from nextcloud",
    "author": "crowdsecurity",
    "labels": null

diff --git a/.tests/nextcloud-whitelist/nextcloud-whitelist.log b/.tests/nextcloud-whitelist/nextcloud-whitelist.log
@@ -1,3 +1,4 @@
 192.168.1.1 - - [07/Oct/2022:00:01:18 +0200] "GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0" 404 20 "https://myapp.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
 192.168.1.1 - - [07/Oct/2022:00:01:25 +0200] "GET /index.php/apps/mail/api/avatars/url/noreply%40test.fr HTTP/2.0" 404 20 "https://myapp.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
-192.168.1.1 - - [07/Oct/2022:00:01:25 +0200] "GET /apps/mail/api/avatars/url/noreply%40test.fr HTTP/2.0" 404 20 "https://myapp.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+192.168.1.1 - - [07/Oct/2022:00:01:25 +0200] "GET /apps/mail/api/avatars/url/noreply%40test.fr HTTP/2.0" 404 20 "https://myapp.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+192.168.1.1 - - [06/Aug/2024:20:58:42 +0200] "GET /apps/files_trashbin/preview?fileId=1331569&x=32&y=32&mimeFallback=true&a=0 HTTP/2.0" 404 2 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"