From ce346a4f343dfc5edc0d5d76845f5e760ca58c05 Mon Sep 17 00:00:00 2001
From: Paul Coccoli
Date: Thu, 18 Jan 2024 14:59:51 -0500
Subject: [PATCH] stix20: fix SQL generation with ref lists
---
 firepit/stix20.py | 9 ++++++---
 tests/test_stix_patterns.py | 5 +++--
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/firepit/stix20.py b/firepit/stix20.py
index 306f1b7..42980dd 100644
--- a/firepit/stix20.py
+++ b/firepit/stix20.py
@@ -72,11 +72,14 @@ def comp2sql(sco_type, prop, op, value, dialect):
 _, from_type, ref_name, to_type = link
 if ref_name.endswith('_refs'):
 # Handle reflists
- tmp = (f'JOIN "__reflist" AS "r" ON "{from_type}"."id" = "r"."source_ref"'
- f' WHERE "r"."target_ref"')
+ tmp = (f'"id" IN (SELECT "id" FROM "{from_type}" JOIN "__reflist" AS "r"'
+ f' ON "{from_type}"."id" = "r"."source_ref" AND "r"."ref_name" = \'{ref_name}\''
+ f' AND "r"."target_ref"')
+ end = ')'
 else:
 tmp = f'"{ref_name}"'
- result = f' {tmp} IN (SELECT "id" FROM "{to_type}" WHERE {result})'
+ end = ''
+ result = f' {tmp} IN (SELECT "id" FROM "{to_type}" WHERE {result}){end}'
 return result
diff --git a/tests/test_stix_patterns.py b/tests/test_stix_patterns.py
index af61c6f..3ac0061 100644
--- a/tests/test_stix_patterns.py
+++ b/tests/test_stix_patterns.py
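Review bot: On the added line in firepit/stix20.py that builds `"r"."ref_name" = \'{ref_name}\'`, `ref_name` is interpolated into a single-quoted SQL string literal with no escaping or validation, so a quote character in the property name would end the literal early and change the query. `ref_name` is unpacked from `link`, which is produced outside this hunk, so whether it is already restricted to plain property names cannot be confirmed from here; the test file in this same patch shows property paths that carry single quotes (`hashes.'SHA-256'`). Because comp2sql returns a SQL fragment rather than a parameterised statement, the least invasive guard is to double embedded quotes before formatting, e.g. `ref_lit = ref_name.replace("'", "''")` and then `= \'{ref_lit}\'`, or to reject names outside the STIX property-name character set. The pre-existing identifier interpolations `"{from_type}"` and `"{to_type}"` deserve the same check.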
@@ -41,8 +41,9 @@ def _normalize_ws(s):
 "\"src_ref\" IN (SELECT \"id\" FROM \"ipv4-addr\" WHERE \"value\" = '127.0.0.1')"),
 ('email-message',
 "[email-message:to_refs[*].value = 'name@example.com']",
- ("JOIN \"__reflist\" AS \"r\" ON \"email-message\".\"id\" = \"r\".\"source_ref\""
- " WHERE \"r\".\"target_ref\" IN (SELECT \"id\" FROM \"email-addr\" WHERE \"value\" = 'name@example.com')")),
+ ("\"id\" IN (SELECT \"id\" FROM \"email-message\" JOIN \"__reflist\" AS \"r\""
+ " ON \"email-message\".\"id\" = \"r\".\"source_ref\" AND \"r\".\"ref_name\" = 'to_refs'"
+ " AND \"r\".\"target_ref\" IN (SELECT \"id\" FROM \"email-addr\" WHERE \"value\" = 'name@example.com'))")),
 ('file',
 "[file:hashes.'SHA-256' = 'whatever']",
 "\"hashes.'SHA-256'\" = 'whatever'"),
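Review bot: The updated expectation covers only `to_refs`, so nothing pins that the new `"r"."ref_name"` filter follows the property named in the pattern. A second case on the same object type with a different list property (for example `email-message:cc_refs[*].value`, expecting `'cc_refs'` in the fragment) would do that. The comparison visible here is on SQL text and the test body is outside the hunk, so it is worth confirming that some test also executes a ref-list query against a real store, since a text match cannot show that the generated fragment is valid SQL.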