stix20: fix SQL generation with ref lists

firepit/stix20.py

@@ -72,11 +72,14 @@ def comp2sql(sco_type, prop, op, value, dialect):
             _, from_type, ref_name, to_type = link
             if ref_name.endswith('_refs'):
                 # Handle reflists
-                tmp = (f'JOIN "__reflist" AS "r" ON "{from_type}"."id" = "r"."source_ref"'
-                       f' WHERE "r"."target_ref"')
+                tmp = (f'"id" IN (SELECT "id" FROM "{from_type}" JOIN "__reflist" AS "r"'
+                       f' ON "{from_type}"."id" = "r"."source_ref" AND "r"."ref_name" = \'{ref_name}\''
+                       f' AND "r"."target_ref"')
+                end = ')'
             else:
                 tmp = f'"{ref_name}"'
-            result = f' {tmp} IN (SELECT "id" FROM "{to_type}" WHERE {result})'
+                end = ''
+            result = f' {tmp} IN (SELECT "id" FROM "{to_type}" WHERE {result}){end}'
 
     return result
 

tests/test_stix_patterns.py

@@ -41,8 +41,9 @@ def _normalize_ws(s):
          "\"src_ref\" IN (SELECT \"id\" FROM \"ipv4-addr\" WHERE \"value\" = '127.0.0.1')"),
         ('email-message',
          "[email-message:to_refs[*].value = 'name@example.com']",
-         ("JOIN \"__reflist\" AS \"r\" ON \"email-message\".\"id\" = \"r\".\"source_ref\""
-          " WHERE \"r\".\"target_ref\" IN (SELECT \"id\" FROM \"email-addr\" WHERE \"value\" = 'name@example.com')")),
+         ("\"id\" IN (SELECT \"id\" FROM \"email-message\" JOIN \"__reflist\" AS \"r\""
+          " ON \"email-message\".\"id\" = \"r\".\"source_ref\" AND \"r\".\"ref_name\" = 'to_refs'"
+          " AND \"r\".\"target_ref\" IN (SELECT \"id\" FROM \"email-addr\" WHERE \"value\" = 'name@example.com'))")),
         ('file',
          "[file:hashes.'SHA-256' = 'whatever']",
          "\"hashes.'SHA-256'\" = 'whatever'"),