Domain reputation: fix regex (#26068)

demisto · Apr 30, 2023 · e5c1587 · e5c1587
1 parent b1dc25a
commit e5c1587
Show file tree

Hide file tree

Showing 8 changed files with 21 additions and 4 deletions.
diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_65.md b/Packs/CommonScripts/ReleaseNotes/1_11_65.md
@@ -0,0 +1,7 @@
+
+#### Scripts
+
+##### ExtractDomainAndFQDNFromUrlAndEmail
+
+- Fixed an issue where domain where not extracted properly in case of encoded "@" in the text.
+- Updated the Docker image to: *demisto/py3-tools:1.0.0.56465*.
diff --git a/...cripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.py b/...cripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.py
@@ -90,8 +90,11 @@ def check_if_known_url(the_input):
 
 
 def extract_fqdn(the_input):
+    the_input = unquote(the_input)
     if the_input.endswith("@"):
         return ''
+    if not the_input[0].isalnum():
+        the_input = the_input[1:]
     the_input = check_if_known_url(the_input)
     # pre-processing the input, removing excessive characters
     the_input = pre_process_input(the_input)

diff --git a/...ripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.yml b/...ripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.yml
@@ -18,7 +18,7 @@ tags:
 - indicator-format
 timeout: '0'
 type: python
-dockerimage: demisto/py3-tools:1.0.0.52351
+dockerimage: demisto/py3-tools:1.0.0.56465
 runas: DBotWeakRole
 runonce: false
 tests:

diff --git a/...s/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail_test.py b/...s/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail_test.py
@@ -56,6 +56,7 @@
     ('/evil3.com', 'evil3.com'),  # noqa: E501 disable-secrets-detection
     ('<br>kasai.qlmsourcing.com', 'kasai.qlmsourcing.com'),  # disable-secrets-detection
     ('test.com@', ''),  # disable-secrets-detection
+    ('%40subdomain.domain.com', 'subdomain.domain.com'),  # disable-secrets-detection
 ])  # noqa: E124
 def test_extract_fqdn_or_domain(input, fqdn):
     extracted_fqdn = extract_fqdn(input)

diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Common Scripts",
     "description": "Frequently used scripts pack.",
     "support": "xsoar",
-    "currentVersion": "1.11.64",
+    "currentVersion": "1.11.65",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/CommonTypes/IndicatorTypes/reputation-domain.json b/Packs/CommonTypes/IndicatorTypes/reputation-domain.json
@@ -6,7 +6,7 @@
     "sortValues": null,
     "commitMessage": "",
     "shouldCommit": false,
-    "regex": "(?i)(?P<scheme>(?:http|ftp|hxxp)s?(?:://|-3A__|%3A%2F%2F))?(?P<domain>(?:[\\p{L}\\d\\-–]+(?:\\.|\\[\\.\\]))+[\\p{L}]{2,})@?",
+    "regex": "(?i)(?P<scheme>(?:http|ftp|hxxp)s?(?:://|-3A__|%3A%2F%2F))?(?:%[\\da-f][\\da-f])?(?P<domain>(?:[\\p{L}\\d\\-–]+(?:\\.|\\[\\.\\]))+[\\p{L}]{2,})(@|%40)?",
     "details": "Domain",
     "prevDetails": "Domain",
     "reputationScriptName": "",

diff --git a/Packs/CommonTypes/ReleaseNotes/3_3_66.md b/Packs/CommonTypes/ReleaseNotes/3_3_66.md
@@ -0,0 +1,6 @@
+
+#### Indicator Types
+
+- **domainRepUnified**
+Updated the regex in order to properly extract domain from encoded Email address.
+
diff --git a/Packs/CommonTypes/pack_metadata.json b/Packs/CommonTypes/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Common Types",
     "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.",
     "support": "xsoar",
-    "currentVersion": "3.3.65",
+    "currentVersion": "3.3.66",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",