From 39346fa65fcad1c799e8f0a2fe92bbfd83bb831b Mon Sep 17 00:00:00 2001
From: Dysnome <87428283+Dysnome@users.noreply.github.com>
Date: Tue, 27 Jan 2026 13:47:06 +0100
Subject: [PATCH] fix: Correct isBlacklisted() return logic in OTX module

fix: Correct inverted return values in isBlacklisted() function

The isBlacklisted() function had inverted logic - it returned False when a value was found in the blacklist and True when not found. This caused all non-blacklisted results to be filtered out throughout the module.

Fixed by correcting the return values:
- Returns True when value is found in blacklist (was False)
- Returns False when value is not in blacklist (was True)

This fixes enrichment failures in:
- IP passive DNS lookups (getIP function)
- Hash malware domain lookups (getHash function)
- Domain enrichment (getDomain function)

Tested with IP address passive DNS enrichment and confirmed hostnames are now returned correctly from the OTX API.
---
 misp_modules/modules/expansion/otx.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/misp_modules/modules/expansion/otx.py b/misp_modules/modules/expansion/otx.py
index 7630ff28..5a04d3a4 100755
--- a/misp_modules/modules/expansion/otx.py
+++ b/misp_modules/modules/expansion/otx.py
@@ -68,9 +68,9 @@ def isBlacklisted(value):
 for b in blacklist:
 if value in b:
- return False
+ return True
- return True
+ return False
 def valid_ip(ip):
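Review bot: With the return values now the right way round, the membership test `if value in b:` decides which results are dropped, and its operands look reversed. If `blacklist` holds strings, the test asks whether the candidate is a substring of a blacklist entry, so an empty string or a short fragment of an entry counts as blacklisted while a longer hostname that contains an entry does not. The definition of `blacklist` sits above the hunk, so this is inferred rather than confirmed. If exact matches are intended use `if value == b:`, and if entries are meant as prefixes or fragments use `if b in value:`. A short docstring saying which of the two the function implements, plus a unit test with one listed and one unlisted value, would keep the inversion from coming back.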