def testValidation(self):
glob_expression = rdf_paths.GlobExpression(
"/home/%%Users.username%%/**/.mozilla/")
glob_expression.Validate()
glob_expression = rdf_paths.GlobExpression("/home/**/**")
self.assertRaises(ValueError, glob_expression.Validate)
def _BuildPredicate(self, client_id, token=None):
if self.path_globs_whitelist is None:
return None
client_obj = aff4.FACTORY.Open(client_id.ToClientURN(),
aff4_type=aff4_grr.VFSGRRClient,
token=token)
blacklist_regexes = []
for expression in self.path_globs_blacklist:
for pattern in expression.Interpolate(client=client_obj):
blacklist_regexes.append(
rdf_paths.GlobExpression(pattern).AsRegEx())
whitelist_regexes = []
for expression in self.path_globs_whitelist:
for pattern in expression.Interpolate(client=client_obj):
whitelist_regexes.append(
rdf_paths.GlobExpression(pattern).AsRegEx())
def Predicate(fd):
pathspec = fd.Get(fd.Schema.PATHSPEC)
path = pathspec.CollapsePath()
return (not any(r.Match(path) for r in blacklist_regexes)
and any(r.Match(path) for r in whitelist_regexes))
return Predicate
def FetchBinaries(self, responses):
"""Parses the Rekall response and initiates FileFinder flows."""
if not responses.success:
self.Log("Error fetching VAD data: %s", responses.status)
return
self.Log("Found %d binaries", len(responses))
if self.args.filename_regex:
binaries = []
for response in responses:
if self.args.filename_regex.Match(response.CollapsePath()):
binaries.append(response)
self.Log("Applied filename regex. Have %d files after filtering.",
len(binaries))
else:
binaries = responses
if self.args.fetch_binaries:
self.CallFlow(file_finder.FileFinder.__name__,
next_state="HandleDownloadedFiles",
paths=[
rdf_paths.GlobExpression(b.CollapsePath())
for b in binaries
],
pathtype=rdf_paths.PathSpec.PathType.OS,
action=rdf_file_finder.FileFinderAction.Download())
else:
for b in binaries:
self.SendReply(b)
def testRegExIsCorrectForGlobWithoutStars(self):
glob_expression = rdf_paths.GlobExpression("/foo/bar/blah.txt")
regex = glob_expression.AsRegEx()
self.assertTrue(regex.Match("/foo/bar/blah.txt"))
self.assertFalse(regex.Match("/foo/bar/blah2.txt"))
self.assertFalse(regex.Match("/some/foo/bar/blah2.txt"))
self.assertFalse(regex.Match("/some/foo/bar/blah2.txt/other"))
def testRegExIsCorrectForGlobWithSingleStar(self):
glob_expression = rdf_paths.GlobExpression("/foo/bar/*.txt")
regex = glob_expression.AsRegEx()
self.assertTrue(regex.Match("/foo/bar/blah.txt"))
self.assertFalse(regex.Match("/foo/bar/blah.plist"))
self.assertFalse(regex.Match("/foo/bar/blah/blah.txt"))
self.assertFalse(regex.Match("/foo/blah1/blah2/bar/blah.txt"))
def testInterpolateClientAttributes(self):
path = rdf_paths.GlobExpression(u"%%Users.homedir%%\\.ssh")
res = list(path.InterpolateClientAttributes(self.client))
self.assertEqual(len(res), 2)
self.assertTrue("c:\\Users\\test\\.ssh" in res)
self.assertTrue("c:\\Users\\test2\\.ssh" in res)
def testIgnoresFileNotMatchingPathGlobsBlacklist(self):
handler = flow_plugin.ApiGetFlowFilesArchiveHandler(
path_globs_whitelist=[rdf_paths.GlobExpression("/**/*/test.plist")],
path_globs_blacklist=[rdf_paths.GlobExpression("**/*.plist")])
result = handler.Handle(
flow_plugin.ApiGetFlowFilesArchiveArgs(
client_id=self.client_id,
flow_id=self.flow_urn.Basename(),
archive_format="ZIP"),
token=self.token)
manifest = self._GetZipManifest(result)
self.assertEqual(manifest["archived_files"], 0)
self.assertEqual(manifest["failed_files"], 0)
self.assertEqual(manifest["processed_files"], 1)
self.assertEqual(manifest["ignored_files"], 1)
self.assertEqual(manifest["ignored_files_list"], [
utils.SmartUnicode(
self.client_id.Add("fs/os").Add(self.base_path).Add("test.plist"))
])
def testRegExIsCaseInsensitive(self):
glob_expression = rdf_paths.GlobExpression("/foo/**/bar?/*{.txt,.exe}")
regex = glob_expression.AsRegEx()
self.assertTrue(regex.Match("/foo/bar1/blah.txt"))
self.assertTrue(regex.Match("/foO/bAr1/blah.txt"))
self.assertTrue(regex.Match("/foo/bar1/blah.TXT"))
self.assertFalse(regex.Match("/foo/bar2/blah.com"))
self.assertFalse(regex.Match("/foO/bAr2/blah.com"))
self.assertFalse(regex.Match("/foo/bar2/blah.COM"))
def testRegExIsCorrectForGlobWithTwoStars(self):
glob_expression = rdf_paths.GlobExpression("/foo/**/bar.txt")
regex = glob_expression.AsRegEx()
self.assertTrue(regex.Match("/foo/bar.txt"))
self.assertTrue(regex.Match("/foo/blah/bar.txt"))
self.assertTrue(regex.Match("/foo/blah1/blah2/bar.txt"))
self.assertFalse(regex.Match("/foo/bar.plist"))
self.assertFalse(regex.Match("/foo/blah/bar.txt/res"))
self.assertFalse(regex.Match("/foo/blah1/blah2/bar.txt2"))
def testRegExIsCorrectForGlobWithGrouping(self):
glob_expression = rdf_paths.GlobExpression("/foo/{bar,other}/*{.txt,.exe}")
regex = glob_expression.AsRegEx()
self.assertTrue(regex.Match("/foo/bar/blah.txt"))
self.assertTrue(regex.Match("/foo/other/blah2.txt"))
self.assertTrue(regex.Match("/foo/bar/blah.exe"))
self.assertTrue(regex.Match("/foo/other/blah2.exe"))
self.assertFalse(regex.Match("/foo/other2/blah.txt"))
self.assertFalse(regex.Match("/foo/bar/blah.com"))
def testGroupingInterpolation(self):
glob_expression = rdf_paths.GlobExpression()
interpolated = glob_expression.InterpolateGrouping("/home/*.{sh,deb}")
self.assertItemsEqual(interpolated, [u"/home/*.deb", u"/home/*.sh"])
interpolated = glob_expression.InterpolateGrouping("/home/*.{sh, deb}")
self.assertItemsEqual(interpolated, [u"/home/*. deb", u"/home/*.sh"])
interpolated = glob_expression.InterpolateGrouping(
"HKEY_CLASSES_ROOT/CLSID/{16d12736-7a9e-4765-bec6-f301d679caaa}")
self.assertItemsEqual(interpolated, [
u"HKEY_CLASSES_ROOT/CLSID/{16d12736-7a9e-4765-bec6-f301d679caaa}"
])
def testRegExIsCorrectForComplexGlob(self):
glob_expression = rdf_paths.GlobExpression("/foo/**/bar?/*{.txt,.exe}")
regex = glob_expression.AsRegEx()
self.assertTrue(regex.Match("/foo/bar1/blah.txt"))
self.assertTrue(regex.Match("/foo/bar2/blah.exe"))
self.assertTrue(regex.Match("/foo/c1/c2/c3/bar1/blah.txt"))
self.assertTrue(regex.Match("/foo/c1/c2/c3/bar2/blah.exe"))
self.assertFalse(regex.Match("/foo/bar/blah.txt"))
self.assertFalse(regex.Match("/foo/bar2/blah.com"))
self.assertFalse(regex.Match("/foo/c1/c2/c3/bar1/blah.txt/res.txt"))
self.assertFalse(regex.Match("/foo/c1/c2/c3/bar2/blah.exe/res.exe"))
def testArchivesFileMatchingPathGlobsWhitelist(self):
handler = flow_plugin.ApiGetFlowFilesArchiveHandler(
path_globs_blacklist=[],
path_globs_whitelist=[rdf_paths.GlobExpression("/**/*/test.plist")])
result = handler.Handle(
flow_plugin.ApiGetFlowFilesArchiveArgs(
client_id=self.client_id,
flow_id=self.flow_urn.Basename(),
archive_format="ZIP"),
token=self.token)
manifest = self._GetZipManifest(result)
self.assertEqual(manifest["archived_files"], 1)
self.assertEqual(manifest["failed_files"], 0)
self.assertEqual(manifest["processed_files"], 1)
self.assertEqual(manifest["ignored_files"], 0)
def testClientInterpolation(self):
client_id = "C.0000000000000001"
fd = aff4.FACTORY.Create(client_id, "VFSGRRClient", token=self.token)
users = fd.Schema.USER()
# Add 2 users
for i in range(2):
account_info = self.USER_ACCOUNT.copy()
account_info["username"] = "******" % i
users.Append(**account_info)
fd.Set(users)
fd.Close()
fd = aff4.FACTORY.Open(client_id, token=self.token)
glob_expression = rdf_paths.GlobExpression(
"/home/%%Users.username%%/.mozilla/")
interpolated = sorted(
glob_expression.InterpolateClientAttributes(client=fd))
self.assertEqual(interpolated[0], "/home/user0/.mozilla/")
self.assertEqual(interpolated[1], "/home/user1/.mozilla/")
def testRegExIsCorrectForGlobWithQuestion(self):
glob_expression = rdf_paths.GlobExpression("/foo/bar/???.txt")
regex = glob_expression.AsRegEx()
self.assertTrue(regex.Match("/foo/bar/bla.txt"))
self.assertFalse(regex.Match("/foo/bar/blah.txt"))
