def GenerateSample(self, number=0): result = rdfvalue.Artifact(name="artifact%s" % number, doc="Doco", provides="environ_windir", supported_os="Windows", urls="http://blah") return result
def ArtifactsFromYaml(yaml_content): """Get a list of Artifacts from json.""" try: raw_list = list(yaml.safe_load_all(yaml_content)) except ValueError as e: raise ArtifactDefinitionError("Invalid json for artifact: %s" % e) # Try to do the right thing with json/yaml formatted as a list. if (isinstance(raw_list, list) and len(raw_list) == 1 and isinstance(raw_list[0], list)): raw_list = raw_list[0] # Convert json into artifact and validate. valid_artifacts = [] for artifact_dict in raw_list: # In this case we are feeding parameters directly from potentially # untrusted yaml/json to our RDFValue class. However, safe_load ensures # these are all primitive types as long as there is no other deserialization # involved, and we are passing these into protobuf primitive types. try: artifact_value = rdfvalue.Artifact(**artifact_dict) valid_artifacts.append(artifact_value) except (TypeError, AttributeError) as e: raise ArtifactDefinitionError("Invalid artifact definition for %s: %s" % (artifact_dict.get("name"), e)) return valid_artifacts
def testGetArtifactPathDependencies(self): collectors = [{ "collector_type": rdfvalue.Collector.CollectorType.REGISTRY_VALUE, "args": { "path": r"%%current_control_set%%\Control\Session " r"Manager\Environment\Path" } }, { "collector_type": rdfvalue.Collector.CollectorType.WMI, "args": { "query": "SELECT * FROM Win32_UserProfile " "WHERE SID='%%users.sid%%'" } }, { "collector_type": rdfvalue.Collector.CollectorType.GREP, "args": { "content_regex_list": ["^%%users.username%%:"] } }] artifact = rdfvalue.Artifact(name="artifact", doc="Doco", provides=["environ_windir"], supported_os=["Windows"], urls=["http://blah"], collectors=collectors) self.assertItemsEqual([ x["collector_type"] for x in artifact.ToPrimitiveDict()["collectors"] ], ["REGISTRY_VALUE", "WMI", "GREP"]) class Parser1(object): knowledgebase_dependencies = ["appdata", "sid"] class Parser2(object): knowledgebase_dependencies = ["sid", "desktop"] @classmethod def MockGetClassesByArtifact(unused_cls, _): return [Parser1, Parser2] with utils.Stubber(parsers.Parser, "GetClassesByArtifact", MockGetClassesByArtifact): self.assertItemsEqual(artifact.GetArtifactPathDependencies(), [ "appdata", "sid", "desktop", "current_control_set", "users.sid", "users.username" ])
def testValidateSyntaxBadProvides(self): collectors = [{ "collector_type": rdfvalue.Collector.CollectorType.FILE, "args": { "path_list": [r"%%environ_systemdrive%%\Temp"] } }] artifact = rdfvalue.Artifact(name="bad", doc="Doco", provides=["windir"], supported_os=["Windows"], urls=["http://blah"], collectors=collectors) with self.assertRaises(artifact_lib.ArtifactDefinitionError): artifact.ValidateSyntax()
def testValidateSyntaxBadProvides(self): sources = [{ "type": rdfvalue.ArtifactSource.SourceType.FILE, "attributes": { "paths": [r"%%environ_systemdrive%%\Temp"] } }] artifact = rdfvalue.Artifact(name="bad", doc="Doco", provides=["windir"], supported_os=["Windows"], urls=["http://blah"], sources=sources) with self.assertRaises(artifact_lib.ArtifactDefinitionError): artifact.ValidateSyntax()
def testValidateSyntax(self): collectors = [{ "collector_type": rdfvalue.Collector.CollectorType.REGISTRY_VALUE, "args": { "path_list": [ r"%%current_control_set%%\Control\Session " r"Manager\Environment\Path" ] } }, { "collector_type": rdfvalue.Collector.CollectorType.FILE, "args": { "path_list": [r"%%environ_systemdrive%%\Temp"] } }] artifact = rdfvalue.Artifact(name="good", doc="Doco", provides=["environ_windir"], supported_os=["Windows"], urls=["http://blah"], collectors=collectors) artifact.ValidateSyntax()
def testValidateSyntax(self): sources = [{ "type": rdfvalue.ArtifactSource.SourceType.REGISTRY_KEY, "attributes": { "keys": [ r"%%current_control_set%%\Control\Session " r"Manager\Environment\Path" ] } }, { "type": rdfvalue.ArtifactSource.SourceType.FILE, "attributes": { "paths": [r"%%environ_systemdrive%%\Temp"] } }] artifact = rdfvalue.Artifact(name="good", doc="Doco", provides=["environ_windir"], supported_os=["Windows"], urls=["http://blah"], sources=sources) artifact.ValidateSyntax()