From 99602862fd2003ea6139c9c5ad008f8a2092bc6a Mon Sep 17 00:00:00 2001
From: kazet
Date: Mon, 6 Nov 2023 08:15:25 +0100
Subject: [PATCH] more listing detection (#613)
---
artemis/reporting/modules/bruter/classifier.py | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/artemis/reporting/modules/bruter/classifier.py b/artemis/reporting/modules/bruter/classifier.py
index d5bf02a12..6ff505f24 100644
--- a/artemis/reporting/modules/bruter/classifier.py
+++ b/artemis/reporting/modules/bruter/classifier.py
@@ -175,16 +175,26 @@ def contains_crypto_keys(found_url: FoundURL) -> bool:
 def is_exposed_file_with_listing(found_url: FoundURL) -> bool:
+ def has_permission_string(s: str) -> bool:
+ for token in s.split():
+ token = token[-9:]
+ # This on purpose doesn't cover all possible permission strings, but only the most common ones
+ if token != "-" * 9 and re.match("^([-r][-w][-x]){3}$", token):
+ return True
+ return False
+
 if (
 "total " in found_url.content_prefix
- and "drwx" in found_url.content_prefix
+ and has_permission_string(found_url.content_prefix)
 and not _is_html(found_url.content_prefix)
 ):
 # ls results
 return True
 path = urllib.parse.urlparse(found_url.url).path
 if (
- ".listing" in path and "drwx" in found_url.content_prefix and "