enh: collector_mail_attach allow_empty (#2647)

* enh: collector_mail_attach allow_empty

Author: e3rd

.reuse/dep5

@@ -45,3 +45,7 @@ License: AGPL-3.0-or-later
 Files: intelmq/tests/bots/collectors/mail/gpg_ring/**
 Copyright: 2025 Edvard Rejthar, CSIRT.cz <[email protected]>
 License: AGPL-3.0-or-later
+
+Files: intelmq/tests/bots/collectors/mail/text_attachment_empty.eml
+Copyright: 2025 Edvard Rejthar, CSIRT.cz <[email protected]>
+License: AGPL-3.0-or-later

CHANGELOG.md

@@ -44,6 +44,7 @@ Please refer to the [NEWS](NEWS.md) for a list of changes which have an affect o
 ### Bots
 #### Collectors
 - `intelmq.bots.collectors.mail.collector_mail_attach`: Decrypt GPG attachments (PR#2623 by Edvard Rejthar).
+- `intelmq.bots.collectors.mail.collector_mail_attach`: Allow empty attachments (PR#2647 by Edvard Rejthar).
 - `intelmq.bots.collectors.shodan.collector_alert`: Added a new collector to query the Shodan Alert API (PR#2618 by Sebastian Wagner and Malawi CERT).
 - Remove `intelmq.bots.collectors.blueliv` as it uses an unmaintained library, does not work any more and breaks other CI tests (fixes #2593, PR#2632 by Sebastian Wagner).
 

docs/user/bots.md

@@ -494,6 +494,10 @@ The fields can be used by parsers to identify the feed and are not automatically
 
 (optional, string) The OpenPGP private key passhrase.
 
+**`allow_empty`**
+
+(optional, boolean) Allow the attachment to be empty. If False (default), an error is raised and bot stays stopped.
+
 **`gpg_home`**
 
 (optional, string) Change the GPG home directory.

intelmq/bots/collectors/mail/collector_mail_attach.py

@@ -39,6 +39,9 @@ class MailAttachCollectorBot(MailCollectorBot):
     gpg_home: str = ""
     """ Change the GPG home directory """
 
+    allow_empty: bool = False
+    """ Allow the attachment to be empty. If False, an error is raised and bot stays stopped. """
+
     def init(self):
         super().init()
         if self.attach_regex is None:
@@ -88,6 +91,11 @@ def process_message(self, uid, message):
                         else:
                             self.logger.error('Could not decrypt attachment %s: %s.', file_name, gpg.status)
                             continue
+
+                    if not raw_report and self.allow_empty:
+                        self.logger.info("Empty email report ignored.")
+                        return True
+
                     report = self.new_report()
                     report.add("raw", raw_report)
                     if file_name:

intelmq/tests/bots/collectors/mail/lib.py

@@ -19,6 +19,7 @@
     EMAIL_FAKE_ATTACHMENT = parse_email((Path(__file__).parent / 'fake_attachment.eml').read_text())
     EMAIL_TEXT_ATTACHMENT = parse_email((Path(__file__).parent / 'text_attachment.eml').read_text())
     EMAIL_GPG_ATTACHMENT = parse_email((Path(__file__).parent / 'gpg_attachment.eml').read_text())
+    EMAIL_TEXT_ATTACHMENT_EMPTY = parse_email((Path(__file__).parent / 'text_attachment_empty.eml').read_text())
 
 
 class MockedImbox():
@@ -59,3 +60,7 @@ def messages(self, *args, **kwargs):
 class MockedGpgAttachmentImbox(MockedImbox):
     def messages(self, *args, **kwargs):
         yield 0, deepcopy(EMAIL_GPG_ATTACHMENT)
+
+class MockedEmptyTextAttachmentImbox(MockedImbox):
+    def messages(self, *args, **kwargs):
+        yield 0, deepcopy(EMAIL_TEXT_ATTACHMENT_EMPTY)

intelmq/tests/bots/collectors/mail/test_collector_attach.py

@@ -16,8 +16,9 @@
 
 from intelmq.bots.collectors.mail.collector_mail_attach import MailAttachCollectorBot
 from intelmq.lib.utils import base64_encode
+from intelmq.lib.exceptions import PipelineError
 if os.getenv('INTELMQ_TEST_EXOTIC'):
-    from .lib import MockedZipImbox, MockedBadAttachmentImbox, MockedTextAttachmentImbox, MockedGpgAttachmentImbox
+    from .lib import MockedZipImbox, MockedBadAttachmentImbox, MockedTextAttachmentImbox, MockedGpgAttachmentImbox, MockedEmptyTextAttachmentImbox
 
 REPORT_FOOBARZIP = {
                     '__type': 'Report',
@@ -82,6 +83,19 @@ def test_text_attachment(self):
                                      'extract_files': False})
         self.assertMessageEqual(0, REPORT_FOOBARTXT)
 
+    def test_text_attachment_empty(self):
+        # without allow_empty, the parsing fails
+        with mock.patch('imbox.Imbox', new=MockedEmptyTextAttachmentImbox), self.assertRaises(PipelineError):
+            self.run_bot(parameters={'attach_regex': '.*.txt$',
+                                     'extract_files': False,
+                                     'allow_empty': False})
+
+        with mock.patch('imbox.Imbox', new=MockedEmptyTextAttachmentImbox):
+            self.run_bot(parameters={'attach_regex': '.*.txt$',
+                                     'extract_files': False,
+                                     'allow_empty': True})
+        self.assertOutputQueueLen(0)
+
 
     def _make_ring(self):
         temp_gnupg_dir = mkdtemp(prefix="gnupg-temp-")

intelmq/tests/bots/collectors/mail/text_attachment_empty.eml

@@ -0,0 +1,34 @@
+To: [email protected]
+From: Sebastian Wagner <[email protected]>
+Subject: foobar zip
+Message-ID: <[email protected]>
+Date: Tue, 3 Sep 2019 16:57:40 +0200
+MIME-Version: 1.0
+Content-Type: multipart/mixed;
+ boundary="------------1D845FBEEAAC1F68B4B45905"
+Content-Language: en-US
+
+This is a multi-part message in MIME format.
+--------------1D845FBEEAAC1F68B4B45905
+Content-Type: text/html; charset=utf-8
+Content-Transfer-Encoding: 8bit
+
+<html>
+  <head>
+
+    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
+  </head>
+  <body text="#000000" bgcolor="#FFFFFF">
+    Please look at the attachment<br>
+  </body>
+</html>
+
+--------------1D845FBEEAAC1F68B4B45905
+Content-Type: text/plain; charset=UTF-8;
+ name="foobar.txt"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment;
+ filename="foobar.txt"
+
+
+--------------1D845FBEEAAC1F68B4B45905--