From 633f5252ec08fd96d4656e2934e19bfb93354f40 Mon Sep 17 00:00:00 2001
From: Christian Herdtweck
Date: Tue, 12 Oct 2021 12:20:00 +0200
Subject: [PATCH] tests: Add test for olevba-output for xlm samples
---
 tests/olevba/test_basic.py | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/tests/olevba/test_basic.py b/tests/olevba/test_basic.py
index b5a8b77..5dc4fe0 100644
--- a/tests/olevba/test_basic.py
+++ b/tests/olevba/test_basic.py
@@ -4,8 +4,9 @@ Test basic functionality of olevba[3]
 import unittest
 import os
-from os.path import join
+from os.path import join, splitext
 import re
+import json
 # Directory with test data, independent of current working directory
 from tests.test_utils import DATA_BASE_DIR, call_and_capture
@@ -107,6 +108,48 @@ class TestOlevbaBasic(unittest.TestCase):
 # without arg (test takes too long otherwise
 ADD_ARGS = ([], )
+ def test_xlm(self):
+ """Test that xlm macros are found."""
+ XLM_DIR = join(DATA_BASE_DIR, 'excel4-macros')
+ ADD_ARGS = ['-j']
+
+ for filename in os.listdir(XLM_DIR):
+ full_name = join(XLM_DIR, filename)
+ suffix = splitext(filename)[1]
+ out_str, ret_code = call_and_capture('olevba',
+ args=[full_name, ] + ADD_ARGS,
+ accept_nonzero_exit=True)
+ output = json.loads(out_str)
+ self.assertEqual(len(output), 3)
+ self.assertEqual(output[0]['type'], 'MetaInformation')
+ self.assertEqual(output[0]['script_name'], 'olevba')
+ self.assertEqual(output[-1]['type'], 'MetaInformation')
+ self.assertEqual(output[-1]['n_processed'], 1)
+ self.assertEqual(output[-1]['return_code'], 0)
+ result = output[1]
+ self.assertTrue(result['json_conversion_successful'])
+ if suffix in ('.xlsb', '.xltm', '.xlsm'):
+ # TODO: cannot extract xlm macros for these types yet
+ self.assertEqual(result['macros'], [])
+ else:
+ code = result['macros'][0]['code']
+ if suffix == '.slk':
+ self.assertIn('Excel 4 macros extracted', code)
+ else:
+ self.assertIn('Excel 4.0 macro sheet', code)
+ self.assertIn('Auto_Open', code)
+ if 'excel5' not in filename: # TODO: is not found in excel5
+ self.assertIn('ALERT(', code)
+ self.assertIn('HALT()', code)
+
+ self.assertIn(len(result['analysis']), (2, 3))
+ types = [entry['type'] for entry in result['analysis']]
+ keywords = [entry['keyword'] for entry in result['analysis']]
+ self.assertIn('Auto_Open', keywords)
+ self.assertIn('XLM macro', keywords)
+ self.assertIn('AutoExec', types)
+ self.assertIn('Suspicious', types)
+
 # just in case somebody calls this file as a script
 if __name__ == '__main__':
--
libgit2 0.21.4
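Review bot: `test_xlm` passes vacuously when `excel4-macros` holds no files, because every assertion sits inside `for filename in os.listdir(XLM_DIR):`; take the listing first and assert on it, `filenames = sorted(os.listdir(XLM_DIR))` followed by `self.assertTrue(filenames, 'no XLM samples found')`. A failing assertion also does not say which sample triggered it, so pass the file name as the assertion message, or wrap the loop body in `with self.subTest(filename=filename):` if the supported Python versions allow it. `ret_code` is captured with `accept_nonzero_exit=True` but never checked, so only the JSON `return_code` guards the exit status; either assert on it or bind it to `_`. The `.xlsb`/`.xltm`/`.xlsm` branch pins a known extraction gap as the expected result, and its comment should say that the empty `macros` list is a false negative to be flipped once extraction for those types lands. The enclosing class starts outside the hunk.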