in src/jndi_deobfuscate/jndi_deobfuscate.py [0:0]
def _transform_replace_simple_lookups(input_string: str) -> str:
"""Given a string containing a JNDI/Java lookup features (that we mark as 'simple' internally), replace those lookups
with appropriate strings. An example is a date lookup string (${date:...})
This method is called 'simple', because it is exclusively looking for lookups that are correctly formed.
For lookups that are using the JNDI/Java feature known as `unresolved variables with default values` (which attackers may
use to obfuscate their attack string), this 'simple' lookup method is not used. (Instead, methods using the term `unresolved_variables_with_default_values` are used.)
"""
output_string = input_string
if output_string is not None:
# we need to prioritize replacing unresolved vars, before we try replacing with simple lookup strings
if not _does_string_have_unresolved_variables_with_default_values(input_string):
for lookup_name, lookup_regex in SIMPLE_LOOKUP_REGEX_PATTERNS.items():
lookup_found = re.search(lookup_regex, output_string)
if lookup_found:
output_string = re.sub(lookup_regex, lookup_name, output_string)
return output_string