Add Mach-O magic bytes to bundled binary detector

DataDog · Jan 22, 2025 · 3ecdba7 · 3ecdba7
1 parent 4d8b797
commit 3ecdba7
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/guarddog/analyzer/metadata/bundled_binary.py b/guarddog/analyzer/metadata/bundled_binary.py
@@ -14,7 +14,12 @@ class BundledBinary(Detector):
 
     # magic bytes are the first few bytes of a file that can be used to identify the file type
     # regardless of their extension
-    magic_bytes = {"exe": b"\x4D\x5A", "elf": b"\x7F\x45\x4C\x46"}
+    magic_bytes = {
+        "exe": b"\x4D\x5A",
+        "elf": b"\x7F\x45\x4C\x46",
+        "macho32": b"\xFE\xED\xFA\xCE",
+        "macho64": b"\xFE\xED\xFA\xCF",
+    }
 
     def __init__(self):
         super().__init__(

diff --git a/tests/analyzer/metadata/test_bundled_binary.py b/tests/analyzer/metadata/test_bundled_binary.py
@@ -19,6 +19,8 @@ class TestBundleBinary:
     binary_sample_elf = (
         b"\x7F\x45\x4C\x46" + b"0x90" * 10
     )  # elf magic number plus nop sled
+    binary_sample_macho32 = b"\xFE\xED\xFA\xCE" + b"0x90" * 10
+    binary_sample_macho64 = b"\xFE\xED\xFA\xCF" + b"0x90" * 10
 
     @pytest.mark.parametrize(
         "detector",
@@ -52,6 +54,38 @@ def test_elf(self, detector: BundledBinary):
             matches, _ = detector.detect({}, dir)
             assert matches
 
+    @pytest.mark.parametrize(
+        "detector",
+        [
+            (pypi_detector),
+            (npm_detector),
+        ],
+    )
+    def test_macho32(self, detector: BundledBinary):
+        with tempfile.TemporaryDirectory() as dir:
+            full_path = os.path.join(dir, "package")
+            os.mkdir(full_path)
+            with open(os.path.join(full_path, "linux.txt"), "wb") as f:
+                f.write(self.binary_sample_macho32)
+            matches, _ = detector.detect({}, dir)
+            assert matches
+
+    @pytest.mark.parametrize(
+        "detector",
+        [
+            (pypi_detector),
+            (npm_detector),
+        ],
+    )
+    def test_macho64(self, detector: BundledBinary):
+        with tempfile.TemporaryDirectory() as dir:
+            full_path = os.path.join(dir, "package")
+            os.mkdir(full_path)
+            with open(os.path.join(full_path, "linux.txt"), "wb") as f:
+                f.write(self.binary_sample_macho64)
+            matches, _ = detector.detect({}, dir)
+            assert matches
+
     @pytest.mark.parametrize(
         "detector",
         [