From 4e22afa31814f5279980b73b74c5d48388e793c9 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 10 Jul 2024 13:05:09 -0700
Subject: [PATCH 1/3] updating code from Eric forks

---
 .github/workflows/unit-testing.yml | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/unit-testing.yml b/.github/workflows/unit-testing.yml
index 970339f562..ea3edbefcb 100644
--- a/.github/workflows/unit-testing.yml
+++ b/.github/workflows/unit-testing.yml
@@ -7,11 +7,14 @@ jobs:
     runs-on: ubuntu-latest
     if: "!contains(github.ref, 'refs/tags/')" #don't run on tags - future steps won't run either since they depend on this job
     # needs: [validate-tag-if-present, quit-for-dependabot]
-    steps:
+    steps:
+      #For fork PRs, always check out security_content and the PR target in security content!
       - name: Check out the repository code
         uses: actions/checkout@v4
         with:
-          ref: develop
+          repository: 'splunk/security_content' #this should be the TARGET repo of the PR. we hardcode it for now
+          ref: ${{ github.base_ref }}
+
       - uses: actions/setup-python@v5
         with:
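Review bot: `ref: ${{ github.base_ref }}` in the checkout step is only populated for `pull_request`-style events; on any other trigger it expands to an empty string and actions/checkout quietly falls back to the ref that triggered the run, which is not the PR's target branch, so either the step needs an `if: github.event_name == 'pull_request'` guard or the workflow's trigger (which lies outside this hunk) should be confirmed to be PR-only. The hardcoded `repository: 'splunk/security_content'` can be written as `repository: ${{ github.repository }}`, which on PR events resolves to the base repository even when the head branch lives in a fork, removing the "we hardcode it for now" caveat. The two new comments would also read better as `# For fork PRs, ...` and `# this should be the TARGET repo ...` with a space after the hash. The trailing context lines of this hunk do not appear in this extract.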
@@ -24,13 +27,20 @@ jobs:
           pip install contentctl
       # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
+      # Make sure we check out the PR, even if it actually lives in a fork
+      # Instructions for pulling a PR were taken from:
+      # https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally
       - name: Run ContentCTL test for changes against target branch
         run: |
+          echo "Current Branch (Head Ref): ${{ github.head_ref }}"
           echo "Target Branch (Base Ref): ${{ github.base_ref }}"
           git pull > /dev/null 2>&1
-          git checkout ${{ github.head_ref }}
-          echo "The target branch for this PR is ${{ github.base_ref }}"
+          git fetch origin pull/${{ github.event.pull_request.number }}/head:${{ github.head_ref }}
+          #We must specifically get the PR's target branch from security_content, not the one that resides in the fork PR's forked repo
+          git switch ${{ github.head_ref }}
+          #git checkout ${{ github.head_ref }}
+          #echo "The target branch for this PR is ${{ github.base_ref }}"
           contentctl test --disable-tqdm --no-enable-integration-testing --post-test-behavior never_pause mode:changes --mode.target-branch ${{ github.base_ref }}
           echo "contentctl test - COMPLETED"
         continue-on-error: true
@@ -55,5 +65,4 @@ jobs:
         run: |
           echo "This job will fail if there are failures in unit-testing"
           python .github/workflows/format_test_results.py >> $GITHUB_STEP_SUMMARY
-          echo "The Unit testing is completed. See details in the unit-testing job summary UI "
-
\ No newline at end of file
+          echo "The Unit testing is completed. See details in the unit-testing job summary UI "
\ No newline at end of file
From fcae48286c5de610025ef25181aa4fb640e9db3f Mon Sep 17 00:00:00 2001
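Review bot: `${{ github.head_ref }}` is substituted straight into the shell text of the new `echo`, `git fetch origin pull/…/head:${{ github.head_ref }}` and `git switch ${{ github.head_ref }}` lines, and because this change is explicitly about running the job for fork PRs, that branch name is now chosen by an external contributor and is expanded by the expression engine before the shell ever tokenises the script. The standard mitigation is to hand such values to the step through `env:` and reference them as quoted shell variables, as sketched below; `${{ github.event.pull_request.number }}` is numeric but moves the same way for consistency, and `${{ github.base_ref }}` too. The `#git checkout …` and `#echo …` lines are now dead code superseded by `git switch` and could simply be deleted rather than left commented. The job's trigger is outside this hunk, so it cannot be confirmed here whether this runs under `pull_request` (read-only token for forks) or `pull_request_target` (write token), which decides how much a hostile branch name could actually do. Separately, `git fetch … :${{ github.head_ref }}` will presumably refuse to update the branch that is already checked out if a fork PR's head branch carries the same name as the base branch, which may be worth a test.

```yaml
      - name: Run ContentCTL test for changes against target branch
        env:
          HEAD_REF: ${{ github.head_ref }}
          BASE_REF: ${{ github.base_ref }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          echo "Current Branch (Head Ref): $HEAD_REF"
          echo "Target Branch (Base Ref): $BASE_REF"
          # … unchanged: git pull …
          git fetch origin "pull/$PR_NUMBER/head:$HEAD_REF"
          git switch "$HEAD_REF"
          contentctl test --disable-tqdm --no-enable-integration-testing --post-test-behavior never_pause mode:changes --mode.target-branch "$BASE_REF"
          # … unchanged: completion echo, continue-on-error …
```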
From: Bhavin Patel
Date: Wed, 10 Jul 2024 13:09:02 -0700
Subject: [PATCH 2/3] updating for testing

---
 .../application/crushftp_server_side_template_injection.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detections/application/crushftp_server_side_template_injection.yml b/detections/application/crushftp_server_side_template_injection.yml
index 71c70e6b6c..56fcc3c796 100644
--- a/detections/application/crushftp_server_side_template_injection.yml
+++ b/detections/application/crushftp_server_side_template_injection.yml
@@ -7,7 +7,7 @@ data_source: []
 type: TTP
 status: production
 description: This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis.
-search: '`crushftp`
+search: 'x`crushftp`
   | rex field=_raw "\[(?HTTPS|HTTP):(?[^\:]+):(?[^\:]+):(?\d+\.\d+\.\d+\.\d+)\] (?READ|WROTE): \*(?[A-Z]+) (?[^\s]+) HTTP/[^\*]+\*"
   | eval message=if(match(_raw, "INCLUDE") and isnotnull(src_ip), "traces of exploitation by " . src_ip, "false")
   | search message!=false
From 64ccb8edea5b6f535ca1bb3c15dd755e10506c4f Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 10 Jul 2024 13:47:12 -0700
Subject: [PATCH 3/3] revert detection change

---
 .../application/crushftp_server_side_template_injection.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detections/application/crushftp_server_side_template_injection.yml b/detections/application/crushftp_server_side_template_injection.yml
index 56fcc3c796..71c70e6b6c 100644
--- a/detections/application/crushftp_server_side_template_injection.yml
+++ b/detections/application/crushftp_server_side_template_injection.yml
@@ -7,7 +7,7 @@ data_source: []
 type: TTP
 status: production
 description: This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis.
-search: 'x`crushftp`
+search: '`crushftp`
   | rex field=_raw "\[(?HTTPS|HTTP):(?[^\:]+):(?[^\:]+):(?\d+\.\d+\.\d+\.\d+)\] (?READ|WROTE): \*(?[A-Z]+) (?[^\s]+) HTTP/[^\*]+\*"
   | eval message=if(match(_raw, "INCLUDE") and isnotnull(src_ip), "traces of exploitation by " . src_ip, "false")
   | search message!=false