Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
The default is None.
Raises:
FormatError: when artifact_list is not set.
"""
if not artifact_list:
raise errors.FormatError(u'Missing artifact_list value.')
super(ArtifactCollectorDefinition, self).__init__(**kwargs)
self.artifact_list = artifact_list
class FileCollectorDefinition(CollectorDefinition):
"""Class that implements the file collector definition."""
TYPE_INDICATOR = definitions.TYPE_INDICATOR_FILE
def __init__(self, path_list=None, **kwargs):
"""Initializes the collector definition object.
Args:
path_list: optional list of path strings. The default is None.
Raises:
FormatError: when path_list is not set.
"""
if not path_list:
raise errors.FormatError(u'Missing path_list value.')
super(FileCollectorDefinition, self).__init__(**kwargs)
self.path_list = path_list
for artifact_definition in artifact_reader.ReadDirectory('data'):
if hasattr(artifact_definition, 'labels'):
for label in artifact_definition.labels:
self._label_counts[label] = self._label_counts.get(label, 0) + 1
for source in artifact_definition.sources:
self._total_count += 1
source_type = source.type_indicator
self._source_type_counts[source_type] = self._source_type_counts.get(
source_type, 0) + 1
if source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY:
self._reg_key_count += len(source.keys)
elif source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE:
self._reg_key_count += len(source.key_value_pairs)
elif source_type in (definitions.TYPE_INDICATOR_FILE,
definitions.TYPE_INDICATOR_DIRECTORY):
self._path_count += len(source.paths)
os_list = source.supported_os
for os_str in os_list:
self._os_counts[os_str] = self._os_counts.get(os_str, 0) + 1
"""Represents a source type as a dictionary.
Returns:
dict[str, str]: source type attributes.
"""
source_type_attributes = {'paths': self.paths}
if self.separator != '/':
source_type_attributes['separator'] = self.separator
return source_type_attributes
class FileSourceType(SourceType):
"""File source type."""
TYPE_INDICATOR = definitions.TYPE_INDICATOR_FILE
def __init__(self, paths=None, separator='/'):
"""Initializes a source type.
Args:
paths (Optional[str]): paths relative to the root of the file system.
separator (Optional[str]): path segment separator.
Raises:
FormatError: when paths is not set or not a list type.
"""
if not paths:
raise errors.FormatError('Missing paths value.')
if not isinstance(paths, list):
raise errors.FormatError('Invalid paths value, not a list.')
def _BuildFindSpecsFromArtifact(self, definition, environment_variables):
"""Builds find specifications from an artifact definition.
Args:
definition (artifacts.ArtifactDefinition): artifact definition.
environment_variables (list[EnvironmentVariableArtifact]):
environment variables.
Returns:
list[dfvfs.FindSpec|dfwinreg.FindSpec]: dfVFS or dfWinReg find
specifications.
"""
find_specs = []
for source in definition.sources:
if source.type_indicator == artifact_types.TYPE_INDICATOR_FILE:
for path_entry in set(source.paths):
specifications = self._BuildFindSpecsFromFileSourcePath(
path_entry, source.separator, environment_variables,
self._knowledge_base.user_accounts)
find_specs.extend(specifications)
self.file_system_artifact_names.add(definition.name)
elif (source.type_indicator ==
artifact_types.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY):
for key_path in set(source.keys):
if ArtifactDefinitionsFiltersHelper.CheckKeyCompatibility(key_path):
specifications = self._BuildFindSpecsFromRegistrySourceKey(key_path)
find_specs.extend(specifications)
self.registry_artifact_names.add(definition.name)
elif (source.type_indicator ==
def register_source(self, artifact_definition, artifact_source, variables):
supported = False
if artifact_source.type_indicator == artifacts.definitions.TYPE_INDICATOR_FILE:
supported = True
for p in artifact_source.paths:
for sp in variables.substitute(p):
self.add_pattern(artifact_definition.name, sp)
return supported
# launch it, but just collect its actions.
subflow = flow_obj.cast(find.FileFinderFlow)
subflow.globs = self.paths
subflow.download = download
if name is None:
name = self.artifact.name
subflow.set_collection_name("{flow_id}/%s" % name)
for action in subflow.generate_actions():
yield action
SOURCE_TYPES = {
definitions.TYPE_INDICATOR_FILE: FileSourceType,
}
class Artifact(agent.Flow):
"""Launch artifacts on the client."""
schema = [
dict(name="artifacts", repeated=True, private=True, user=True,
doc="The list of artifacts to launch."),
dict(name="copy_files", type="bool", user=True,
doc="Should we also download the files."),
]
def generate_actions(self):
self._artifact_profile = self._session.LoadProfile("artifacts")
self._collected_artifacts = []
field_type = RekallEFilterArtifacts.allowed_types[field["type"]]
data = info.get(name)
if data is not None:
row[name] = field_type(data)
result.add_result(**row)
yield result
# This lookup table maps between source type name and concrete implementations
# that we support. Artifacts which contain sources which are not implemented
# will be ignored.
SOURCE_TYPES = {
TYPE_INDICATOR_REKALL: RekallEFilterArtifacts,
definitions.TYPE_INDICATOR_FILE: FileSourceType,
definitions.TYPE_INDICATOR_ARTIFACT_GROUP: ArtifactGroupSourceType,
definitions.TYPE_INDICATOR_WMI_QUERY: WMISourceType,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: RegistryKeySourceType,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: RegistryValueSourceType,
}
class ArtifactDefinition(_FieldDefinitionValidator):
"""The main artifact class."""
def CheckLabels(self, art_definition):
"""Ensure labels are defined."""
labels = art_definition.get("labels", [])
# Keep unknown labels around in case callers want to check for complete
# label coverage. In most cases it is desirable to allow users to extend
# labels but when super strict validation is required we want to make