Merge branch 'master' into staging

Author: doomedraven

analyzer/linux/lib/core/packages.py

@@ -202,7 +202,11 @@ def strace_analysis(self):
 
         target_cmd = f"{self.target}"
         if "args" in kwargs:
-            target_cmd += f' {" ".join(kwargs["args"])}'
+            args = kwargs["args"]
+            if not isinstance(args, str):
+                args = " ".join(args)
+            target_cmd += f" {args}"
+
 
         # eg: strace_args=-e trace=!recvfrom;epoll_pwait
         strace_args = self.options.get("strace_args", "").replace(";", ",")

analyzer/windows/analyzer.py

@@ -657,19 +657,25 @@ def analysis_loop(self, aux_modules):
 
         emptytime = None
         complete_folder = hashlib.md5(f"cape-{self.config.id}".encode()).hexdigest()
-        complete_analysis_pattern = os.path.join(os.environ["TMP"], complete_folder)
+        complete_analysis_patterns = [os.path.join(os.environ["TMP"], complete_folder)]
+        if "SystemRoot" in os.environ:
+            complete_analysis_patterns.append(os.path.join(os.environ["SystemRoot"], "Temp", complete_folder))
+
         while self.do_run:
             self.time_counter = timeit.default_timer() - time_start
             if self.time_counter >= int(self.config.timeout):
                 log.info("Analysis timeout hit, terminating analysis")
                 ANALYSIS_TIMED_OUT = True
                 break
 
-            if os.path.isdir(complete_analysis_pattern):
+            if any(os.path.isdir(p) for p in complete_analysis_patterns):
                 log.info("Analysis termination requested by user")
                 ANALYSIS_TIMED_OUT = True
                 break
 
+            if ANALYSIS_TIMED_OUT:
+                break
+
             # If the process lock is locked, it means that something is
             # operating on the list of monitored processes. Therefore we
             # cannot proceed with the checks until the lock is released.

analyzer/windows/modules/packages/nodejs.py

@@ -1,21 +1,148 @@
+import os
+import zipfile
+import logging
+
 from lib.common.abstracts import Package
 from lib.common.common import check_file_extension
 from lib.common.constants import OPT_ARGUMENTS
 
+log = logging.getLogger(__name__)
+
+# CONFIGURATION - allow non installed nodejs
+# Best practice: Keep filenames in one place
+# Grab a copy of https://nodejs.org/download/release/latest-v25.x/node-v25.2.1-win-x64.zip or another version of your interest
+# Store it in extras as nodejs.zip
+NODE_ZIP_NAME = "nodejs.zip"
+NODE_DIR_NAME = "nodejs"
+
+
+def setup_node_environment():
+    """
+    Attempts to unzip a portable Node environment.
+    Returns: (path_to_node_exe, None) on success (None, error_message) on failure
+    """
+    try:
+        # Determine paths
+        user_profile = os.environ.get("USERPROFILE", "C:\\Users\\Admin")
+        install_path = os.path.join(user_profile, "AppData", "Local", "app")
+
+        # Look for zip in absolute path relative to current execution or fixed 'extras'
+        # Assuming 'extras' is in the current working dir of the analyzer
+        node_zip_path = os.path.abspath(os.path.join("extras", NODE_ZIP_NAME))
+        node_bin_path = os.path.join(install_path, NODE_DIR_NAME)
+
+        if not os.path.exists(node_zip_path):
+            return None, f"Zip not found at {node_zip_path}"
+
+        if not os.path.exists(node_bin_path):
+            os.makedirs(node_bin_path)
+
+        node_exe_path = None
+
+        # 1. Open Zip and Find node.exe BEFORE extracting
+        with zipfile.ZipFile(node_zip_path, 'r') as z:
+            # list of all files in zip
+            file_list = z.namelist()
+
+            # Find the internal path to node.exe
+            # This works for both "node.exe" (root) and "node-v25.../node.exe" (subfolder)
+            node_internal_path = next((f for f in file_list if f.lower().endswith("node.exe")), None)
+
+            if not node_internal_path:
+                return None, "Archive does not contain node.exe"
+
+            # 2. Extract
+            # We extract to a specific folder to avoid cluttering if it's a "root-files" zip
+            # We use the zip name (minus extension) as a container folder
+            extract_path = node_bin_path
+
+            if not os.path.exists(extract_path):
+                # Security: Check for path traversal before extraction.
+                for member in z.infolist():
+                    if member.filename.startswith("/") or ".." in member.filename:
+                        return None, f"Aborting extraction. Zip contains potentially malicious path: {member.filename}"
+
+                os.makedirs(extract_path)
+                log.info("Extracting to %s...", extract_path)
+                z.extractall(extract_path)
+
+            # 3. Construct the full path
+            # extract_path + internal_path_inside_zip
+            # e.g. C:\Apps\node-v25\ + node-v25-win-x64/node.exe
+            node_exe_path = os.path.join(extract_path, node_internal_path)
+
+            # Normalizing path separators (fixes mix of / and \)
+            node_exe_path = os.path.normpath(node_exe_path)
+
+        # 4. Final Verification and Env Setup
+        if node_exe_path and os.path.exists(node_exe_path):
+            # Add the folder containing node.exe to PATH
+            node_dir = os.path.dirname(node_exe_path)
+            current_path = os.environ.get("PATH", "")
+            os.environ["PATH"] = f"{node_dir};{current_path}"
+
+            return node_exe_path, None
+        else:
+            return None, "Extraction finished but node.exe not found on disk."
+
+    except (zipfile.BadZipFile, OSError) as e:
+        return None, f"Exception during Node setup: {str(e)}"
+
 
 class NodeJS(Package):
     """Package for executing JavaScript files using NodeJS."""
 
     PATHS = [
-        ("ProgramFiles", "NodeJS", "node.exe"),
+        # Standard 64-bit Install (most common)
+        # Default folder is usually lowercase "nodejs"
+        ("ProgramFiles", "nodejs", "node.exe"),
+
+        # 32-bit Node on 64-bit Windows
+        ("ProgramFiles(x86)", "nodejs", "node.exe"),
+
+        # Your specific custom paths (Case insensitive, so NodeJS works too)
         ("LOCALAPPDATA", "Programs", "NodeJS", "node.exe"),
+
+        # Fallback for manual installs at root
+        ("SystemDrive", "nodejs", "node.exe"),
     ]
+
     summary = "Executes a JS sample using NodeJS."
-    description = "Uses node.exe instead of wscript.exe to execute JavaScript files."
+    description = "Uses node.exe to execute JavaScript files."
     option_names = (OPT_ARGUMENTS,)
 
     def start(self, path):
-        node = self.get_path("node.exe")
         path = check_file_extension(path, ".js")
         args = self.options.get(OPT_ARGUMENTS, "")
-        return self.execute(node, f'"{path}" {args}', path)
+
+        # Prepare the argument list
+        # CAPE expects a list of arguments for the process
+        node_args = f'"{path}"'
+
+        # Append additional arguments if they exist
+        if args:
+            node_args += f" {args}"
+
+        # 1. Try to set up Custom Node
+        binary = None
+
+        # Check if the zip exists before trying setup
+        if os.path.exists(os.path.join("extras", NODE_ZIP_NAME)):
+            custom_bin, error = setup_node_environment()
+            if custom_bin:
+                binary = custom_bin
+                log.info("Using Custom Node.js: %s", binary)
+            else:
+                log.error("Failed to setup Custom Node: %s", error)
+                # Do NOT return here, fall through to system node
+
+        # 2. Fallback to System Node if custom failed or zip missing
+        if not binary:
+            log.info("Falling back to system installed Node.js")
+            binary = self.get_path("node.exe")
+
+        # 3. Execution
+        if not binary:
+            raise Exception("Node.js executable not found in custom bundle OR system paths.")
+
+        return self.execute(binary, node_args, path)

lib/cuckoo/common/cleaners_utils.py

@@ -56,7 +56,6 @@
         mongo_update_one,
         mongo_update_many,
         mongo_delete_calls_by_task_id_in_range,
-        mongo_delete_data_range,
     )
 elif repconf.elasticsearchdb.enabled:
     from dev_utils.elasticsearchdb import all_docs, delete_analysis_and_related_calls, get_analysis_index
@@ -470,9 +469,9 @@ def tmp_clean_before(timerange: str):
 
 
 def cuckoo_clean_before(args: dict):
-    """Clean up failed tasks
+    """Clean up old tasks
     It deletes all stored data from file system and configured databases (SQL
-    and MongoDB for tasks completed before now - time range.
+    and optionally MongoDB) for tasks completed before now - time range.
     """
     # Init logging.
     # This need to init a console logger handler, because the standard
@@ -498,7 +497,15 @@ def cuckoo_clean_before(args: dict):
         log.info("url filter applied")
         category = "url"
 
-    old_tasks = db.list_tasks(added_before=added_before, category=category, not_status=TASK_PENDING)
+    tags_tasks_like = args.get("tags_tasks_filter", False)
+    delete_pending = args.get("delete_pending", False)
+
+    old_tasks = db.list_tasks(
+        added_before=added_before,
+        category=category,
+        not_status=False if delete_pending else TASK_PENDING,
+        tags_tasks_like=tags_tasks_like
+    )
 
     # We need this to cleanup file system and MongoDB calls collection
     id_arr = [e.id for e in old_tasks]
@@ -535,10 +542,11 @@ def cuckoo_clean_before(args: dict):
             response = input("You are deleting mongo data in cluster, are you sure you want to continue? y/n")
             if response.lower() in ("n", "not"):
                 sys.exit()
-        mongo_delete_data_range(range_end=highest_id)
-        # cleanup_files_collection_by_id(highest_id)
+        mongo_delete_data(id_arr)
 
-    db.delete_tasks(added_before=added_before, category=category)
+    db.delete_tasks(added_before=added_before,
+                    category=category,
+                    tags_tasks_like=tags_tasks_like)
 
 
 def cuckoo_clean_sorted_pcap_dump():

modules/processing/network.py

@@ -776,8 +776,6 @@ def run(self):
                     offset = file.tell()
                     continue
 
-                self._add_hosts(connection)
-
                 if ip.p == dpkt.ip.IP_PROTO_TCP:
                     tcp = ip.data
                     if not isinstance(tcp, dpkt.tcp.TCP):
@@ -843,6 +841,7 @@ def run(self):
                     self._icmp_dissect(connection, icmp)
 
                 offset = file.tell()
+                self._add_hosts(connection)
             except AttributeError:
                 continue
             except dpkt.dpkt.NeedData:

poetry.lock

@@ -64,7 +64,7 @@ pymongo = ">=4.0.1"
 # ImageHash = "4.3.1"
 LnkParse3 = "1.5.0"
 cachetools = "^5.5.1"
-django-allauth = "65.3.1"  # https://django-allauth.readthedocs.io/en/latest/configuration.html
+django-allauth = "65.13.0"  # https://django-allauth.readthedocs.io/en/latest/configuration.html
 # socks5man = {git = "https://github.com/CAPESandbox/socks5man.git", rev = "7b335d027297b67abdf28f38cc7d5d42c9d810b5"}
 # httpreplay = {git = "https://github.com/CAPESandbox/httpreplay.git", rev = "0d5a5b3144ab15f93189b83ca8188afde43db134"}
 # bingraph = {git = "https://github.com/CAPESandbox/binGraph.git", rev = "552d1210ac6770f8b202d0d1fc4610cc14d878ec"}

pyproject.toml

@@ -361,8 +361,9 @@ cython==3.0.11 ; python_version >= "3.10" and python_version < "4.0" \
 daphne==3.0.2 ; python_version >= "3.10" and python_version < "4.0" \
     --hash=sha256:76ffae916ba3aa66b46996c14fa713e46004788167a4873d647544e750e0e99f \
     --hash=sha256:a9af943c79717bc52fe64a3c236ae5d3adccc8b5be19c881b442d2c3db233393
-django-allauth==65.3.1 ; python_version >= "3.10" and python_version < "4.0" \
-    --hash=sha256:e02e951b71a2753a746459f2efa114c7c72bf2cef6887dbe8607a577c0350587
+django-allauth==65.13.0 ; python_version >= "3.10" and python_version < "4.0" \
+    --hash=sha256:119c0cf1cc2e0d1a0fe2f13588f30951d64989256084de2d60f13ab9308f9fa0 \
+    --hash=sha256:7d7b7e7ad603eb3864c142f051e2cce7be2f9a9c6945a51172ec83d48c6c843b
 django-crispy-forms==2.3 ; python_version >= "3.10" and python_version < "4.0" \
     --hash=sha256:2db17ae08527201be1273f0df789e5f92819e23dd28fec69cffba7f3762e1a38 \
     --hash=sha256:efc4c31e5202bbec6af70d383a35e12fc80ea769d464fb0e7fe21768bb138a20
@@ -1509,9 +1510,9 @@ pyopenssl==25.0.0 ; python_version >= "3.10" and python_version < "4.0" \
 pyparsing==3.2.1 ; python_version >= "3.10" and python_version < "4.0" \
     --hash=sha256:506ff4f4386c4cec0590ec19e6302d3aedb992fdc02c761e90416f158dacf8e1 \
     --hash=sha256:61980854fd66de3a90028d679a954d5f2623e83144b5afe5ee86f43d762e5f0a
-pypdf==6.4.0 ; python_version >= "3.10" and python_version < "4.0" \
-    --hash=sha256:4769d471f8ddc3341193ecc5d6560fa44cf8cd0abfabf21af4e195cc0c224072 \
-    --hash=sha256:55ab9837ed97fd7fcc5c131d52fcc2223bc5c6b8a1488bbf7c0e27f1f0023a79
+pypdf==5.2.0 ; python_version >= "3.10" and python_version < "4.0" \
+    --hash=sha256:7c38e68420f038f2c4998fd9d6717b6db4f6cef1642e9cf384d519c9cf094663 \
+    --hash=sha256:d107962ec45e65e3bd10c1d9242bdbbedaa38193c9e3a6617bd6d996e5747b19
 pyre2-updated==0.3.8 ; python_version >= "3.10" and python_version < "4.0" \
     --hash=sha256:2bda9bf4d59568152e085450ffc1c08fcf659000d06766861f7ff340ba601c3e \
     --hash=sha256:350be9580700b67af87f5227453d1123bc9f4513f0bcc60450574f1bc46cb24f \

requirements.txt

@@ -0,0 +1,47 @@
+import pytest
+import os
+import hashlib
+import tempfile
+
+# Ideally, this function would be imported from your application code
+def check_completion_logic(config):
+    complete_folder = hashlib.md5(f"cape-{config.id}".encode()).hexdigest()
+    complete_analysis_patterns = [os.path.join(os.environ["TMP"], complete_folder)]
+    if "SystemRoot" in os.environ:
+        complete_analysis_patterns.append(os.path.join(os.environ["SystemRoot"], "Temp", complete_folder))
+
+    return any(os.path.isdir(path) for path in complete_analysis_patterns)
+
+class MockConfig:
+    id = 123
+
+@pytest.fixture
+def mock_env(monkeypatch):
+    """Pytest fixture to mock environment and create temp dirs."""
+    with tempfile.TemporaryDirectory() as tmp_dir, tempfile.TemporaryDirectory() as sysroot_dir:
+        monkeypatch.setenv("TMP", tmp_dir)
+        monkeypatch.setenv("SystemRoot", sysroot_dir)
+        os.makedirs(os.path.join(sysroot_dir, "Temp"), exist_ok=True)
+        yield
+
+def test_completion_folder_in_tmp(mock_env):
+    config = MockConfig()
+    complete_folder = hashlib.md5(f"cape-{config.id}".encode()).hexdigest()
+    path = os.path.join(os.environ["TMP"], complete_folder)
+    os.makedirs(path)
+
+    assert check_completion_logic(config) is True
+
+    os.rmdir(path)
+    assert check_completion_logic(config) is False
+
+def test_completion_folder_in_systemroot(mock_env):
+    config = MockConfig()
+    complete_folder = hashlib.md5(f"cape-{config.id}".encode()).hexdigest()
+    path = os.path.join(os.environ["SystemRoot"], "Temp", complete_folder)
+    os.makedirs(path)
+
+    assert check_completion_logic(config) is True
+
+    os.rmdir(path)
+    assert check_completion_logic(config) is False