From 44520e9f91c0adeb50fe611d48715e048e7c09b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Pos=C5=82uszny?= <mposluszny@splunk.com>
Date: Wed, 3 Apr 2024 12:46:48 +0200
Subject: [PATCH] fix for "in_attachment" traversal

---
 gsgmail_connector.py        | 13 ++++++++-----
 release_notes/unreleased.md |  5 +++++
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/gsgmail_connector.py b/gsgmail_connector.py
index 94e808f..5c968d7 100644
--- a/gsgmail_connector.py
+++ b/gsgmail_connector.py
@@ -441,8 +441,10 @@ def _parse_multipart_message(
     ):
         self._init_detail_fields(email_details)
 
-        def traverse(part, is_attachment=False):
-            if not is_attachment:
+        def traverse(part, in_attachment=False):
+            is_attachment = self._is_attachment(part)
+            # We are only gathering email data from top email, any attachment email should be omitted
+            if not is_attachment and not in_attachment:
                 self._parse_email_details(part, email_details)
 
             ret_val = phantom.APP_SUCCESS
@@ -454,11 +456,12 @@ def traverse(part, is_attachment=False):
 
             if not extract_nested and is_attachment:
                 return ret_val
+
             if part.is_multipart():
                 for subpart in part.get_payload():
                     # We assume that everything that is under attachment is also an attachment
                     ret_val = ret_val and traverse(
-                        subpart, self._is_attachment(subpart) or is_attachment
+                        subpart, is_attachment or in_attachment
                     )
             return ret_val
 
@@ -975,7 +978,7 @@ def handle_action(self, param):
             in_json['user_session_token'] = session_id
             connector._set_csrf_info(csrftoken, headers['Referer'])
 
-        ret_val = connector._handle_action(json.dumps(in_json), None)
-        print(json.dumps(json.loads(ret_val), indent=4))
+        ph_status = connector._handle_action(json.dumps(in_json), None)
+        print(json.dumps(json.loads(ph_status), indent=4))
 
     sys.exit(0)
diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md
index fbcb2fd..d2c074c 100644
--- a/release_notes/unreleased.md
+++ b/release_notes/unreleased.md
@@ -1 +1,6 @@
 **Unreleased**
+
+- [PAPP-33478] Multipart message parsing improvement. 
+    - Implemented parsing nested attachments.
+    - Fixed email attachments overriding main email metadata.
+    - Added `extract_nested` action, which creates artifacts from attachments from nested email attachments. Works only when `extract_attachments` is set to `true`.