Artifacts globstar support incomplete #2481

Open
aarontp opened this issue May 2, 2019 · 5 comments

aarontp commented May 2, 2019

Description of problem:
image_export.py's usage of file globs in paths coming from Forensic Artifacts appears to be incomplete. I'm not sure how many of these are by design vs. bugs (if any), but there are a few limitations: ** is supported in the last segment of a path (e.g. the file segment), or in the second to last segment (the last directory segment), but:

  • It's not supported anywhere else in the path - addressed by Changes for globstar expansion #2481 #2634
  • ** seems to match exactly 3 directories, and not 1-3 directories (e.g. to match /foo/1/2/3/file.txt, /foo/**/file.txt will match, but /foo/1/**/file.txt will not)
  • The number expansions to support more directories do not seem to work (e.g. /**5/file.txt will not recurse 5 directories).
  • It does not seem to work when it is the start of the last directory segment (e.g. /foo/**bar/file.txt will not work)

A good first step for this might be to document the syntax, and what is expected to work.

Command line and arguments:
$ image_export.py --custom_artifact_definitions /tmp/artifacts/test.yaml --artifact_filters TestConfigFile -w /tmp/output/ /dev/sdd1

Source data:
N/A

Plaso version:
HEAD / latest release

Debug output/tracebacks:
N/A

joachimmetz added the "needs closer look" label Jun 5, 2019
joachimmetz added this to the 2019 June release milestone Jun 5, 2019
joachimmetz self-assigned this Jun 9, 2019

joachimmetz commented Jun 9, 2019

glob_regex = r'(.*)?{0:s}\*\*(\d{{1,2}})?({0:s})?$'.format(

only detects ** at the end of the path, which is a limitation

joachimmetz changed the title from "Artifacts globbing support incomplete" to "Artifacts globstar support incomplete" Jun 10, 2019
@joachimmetz

> It does not seem to work when it is the start of the last directory segment (e.g. /foo/**bar/file.txt will not work)

The bash implementation of globstar seems to resolve **bar as *bar/**

joachimmetz commented Jun 10, 2019

> ** seems to match exactly 3 directories, and not 1-3 directories (e.g. to match /foo/1/2/3/file.txt, /foo/**/file.txt will match, but /foo/1/**/file.txt will not)

**5 should be expanded to *, */*, */*/*, */*/*/*, */*/*/*/*

I'll have a look at what might not be working for image_export.

Note that for image_export there must be files (data streams) that can be exported.

joachimmetz commented Jun 10, 2019

name: GlobStarTest
doc: globstar test
sources:
- type: FILE
  attributes:
    paths:
      - '\Program Files\**3\*.dll'
    separator: '\'
labels: [Users]
supported_os: [Windows]
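
The expansion described in this thread (`**5` becoming one through five levels of `*`), applied to a `**` in any path segment rather than only at the end, as an added example that is not part of the thread or of Plaso's code. The names `expand_globstar` and `matches`, and the default depth of 3 for a bare `**`, are assumptions.

```python
import fnmatch
import re

DEFAULT_DEPTH = 3  # assumption: depth used for a bare ** with no number
_GLOBSTAR = re.compile(r'^\*\*(\d{1,2})?$')


def expand_globstar(path, separator='/'):
    """Expands each ** or **N segment into 1..N levels of single '*'.

    Segments are inspected one by one, so ** is recognised anywhere in the
    path. A segment such as **bar is not a globstar here and stays as-is.
    """
    results = ['']
    for index, segment in enumerate(path.split(separator)):
        match = _GLOBSTAR.match(segment)
        if match:
            depth = int(match.group(1) or DEFAULT_DEPTH)
            choices = [separator.join(['*'] * n) for n in range(1, depth + 1)]
        else:
            choices = [segment]
        prefix = separator if index else ''
        results = [r + prefix + c for r in results for c in choices]
    return results


def matches(candidate, pattern, separator='/'):
    """Returns True if candidate matches any expansion of pattern.

    Comparison is per segment so that '*' never crosses a separator.
    """
    parts = candidate.split(separator)
    for expanded in expand_globstar(pattern, separator):
        globs = expanded.split(separator)
        if len(globs) == len(parts) and all(
                fnmatch.fnmatchcase(p, g) for p, g in zip(parts, globs)):
            return True
    return False


if __name__ == '__main__':
    # Patterns taken from the thread; the candidate file path is constructed.
    for line in expand_globstar('\\Program Files\\**3\\*.dll', '\\'):
        print(line)
    print(matches('/foo/1/2/3/file.txt', '/foo/1/**/file.txt'))
```
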

joachimmetz added a commit to joachimmetz/plaso that referenced this issue Jun 10, 2019
joachimmetz added a commit to joachimmetz/plaso that referenced this issue Jun 10, 2019
joachimmetz added the "code health" and "enhancement" labels Jun 11, 2019
joachimmetz added a commit to joachimmetz/plaso that referenced this issue Jun 22, 2019