diff --git a/oletools/oleid.py b/oletools/oleid.py
index 8542f4b..f6b050b 100644
--- a/oletools/oleid.py
+++ b/oletools/oleid.py
@@ -54,6 +54,7 @@ from __future__ import print_function
 # 2016-10-25 v0.50 PL: - fixed print and bytes strings for Python 3
 # 2016-12-12 v0.51 PL: - fixed relative imports for Python 3 (issue #115)
 # 2017-04-26 PL: - fixed absolute imports (issue #141)
+# 2017-09-01 SA: - detect OpenXML encryption
 __version__ = '0.51'
@@ -211,6 +212,9 @@ class OleID:
 if 0x13 in self.suminfo:
 if self.suminfo[0x13] & 1:
 self.encrypted.value = True
+ # check if this is an OpenXML encrypted file
+ elif self.ole.exists('EncryptionInfo'):
+ self.encrypted.value = True
 def check_word (self):
 word = Indicator('word', False, name='Word Document',
diff --git a/tests/oleid/__init__.py b/tests/oleid/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/oleid/__init__.py
diff --git a/tests/oleid/test_issue_166.py b/tests/oleid/test_issue_166.py
new file mode 100644
index 0000000..c350c00
--- /dev/null
+++ b/tests/oleid/test_issue_166.py
@@ -0,0 +1,26 @@
+"""
+Test if oleid detects encrypted documents
+"""
+
+import unittest, sys, os
+
+from tests.test_utils import DATA_BASE_DIR
+from os.path import join
+
+from oletools import oleid
+
+class TestEncryptedDocumentDetection(unittest.TestCase):
+ def test_encrypted_document_detection(self):
+ """ Run oleid and check if the document is flagged as encrypted """
+ filename = join(DATA_BASE_DIR, 'basic/encrypted.docx')
+
+ oleid_instance = oleid.OleID(filename)
+ indicators = oleid_instance.check()
+
+ is_encrypted = next(i.value for i in indicators if i.id == 'encrypted')
+
+ self.assertEqual(is_encrypted, True)
+
+# just in case somebody calls this file as a script
+if __name__ == '__main__':
+ unittest.main()
\ No newline at end of file
diff --git a/tests/test-data/basic/encrypted.docx b/tests/test-data/basic/encrypted.docx
new file mode 100644
index 0000000..0f7a916
--- /dev/null
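Review bot: The new `elif self.ole.exists('EncryptionInfo'):` branch in the `class OleID` hunk only runs when the `if` it is attached to is false, so the stream check depends on what summary-information property 0x13 contains. Indentation is lost on this page, so which of the two preceding `if` lines it pairs with cannot be confirmed here. The two signals are independent: a container that holds an `EncryptionInfo` stream should be flagged whatever the security field says, otherwise an encrypted payload can be reported as unencrypted during triage. Making it a standalone test, `if self.ole.exists('EncryptionInfo'):`, at the method's top indentation level removes that coupling. The enclosing method starts above the hunk, so whether `self.ole` is always open at this point should be checked there.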
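Review bot: The test in `tests/oleid/test_issue_166.py` pins only the positive case, so a regression that sets `encrypted` to True for every file would still pass. A second test on an unencrypted sample from the same data directory, asserting `False`, would cover the false-positive side of the detector. `next(...)` without a default raises a bare `StopIteration` if no indicator has id `'encrypted'`; `next((i.value for i in indicators if i.id == 'encrypted'), None)` followed by `self.assertIs(is_encrypted, True)` fails with a readable message instead. `sys` and `os` are imported but unused in the lines shown, so `import unittest` is enough.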
+++ b/tests/test-data/basic/encrypted.docx