PyPI - dissect.apfs - Versions diffs - 1.1.dev1__tar.gz → 1.2.dev1__tar.gz - Mend

dissect.apfs 1.1.dev1tar.gz → 1.2.dev1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

{dissect_apfs-1.1.dev1/dissect.apfs.egg-info → dissect_apfs-1.2.dev1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dissect.apfs
-Version: 1.1.dev1
+Version: 1.2.dev1
 Summary: A Dissect module implementing a parser for the APFS file system, a commonly used Apple file system
 Author-email: Dissect Team <dissect@fox-it.com>
 License-Expression: AGPL-3.0-or-later

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1}/dissect/apfs/__init__.py RENAMED Viewed

@@ -1,3 +1,5 @@
+from __future__ import annotations
 from dissect.apfs.apfs import APFS
 from dissect.apfs.exception import (
     Error,

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1}/dissect/apfs/apfs.py RENAMED Viewed

@@ -1,5 +1,7 @@
 from __future__ import annotations
+import logging
+import os
 from typing import TYPE_CHECKING, BinaryIO
 from dissect.apfs.c_apfs import c_apfs
@@ -11,6 +13,9 @@ if TYPE_CHECKING:
     from dissect.apfs.objects.fs import FS
     from dissect.apfs.objects.keybag import ContainerKeybag
+log = logging.getLogger(__name__)
+log.setLevel(os.getenv("DISSECT_LOG_APFS", "CRITICAL"))
 class APFS:
     """Container class for APFS operations.
@@ -24,8 +29,29 @@ class APFS:
         self.fh.seek(0)
         self.sb = NxSuperblock.from_block(self, 0, self.fh.read(c_apfs.NX_DEFAULT_BLOCK_SIZE))
-        self.sbs = [self.sb] + [obj for obj in self.sb.checkpoint_objects if isinstance(obj, NxSuperblock)]
-        self.sb = sorted(self.sbs, key=lambda obj: obj.xid)[-1]
+        self.sb.check()
+        self.sbs = sorted(
+            [obj for obj in self.sb.checkpoint_objects if isinstance(obj, NxSuperblock)],
+            key=lambda obj: obj.xid,
+            reverse=True,
+        )
+        # TODO: Do more accurate checkpoint traversal
+        for sb in self.sbs:
+            try:
+                sb.check()
+                sb.compare(self.sb)
+            except Exception as e:
+                log.debug("Skipping superblock xid=%d: %s", sb.xid, e)
+                continue
+            if not sb.omap.is_valid():
+                log.debug("Skipping superblock xid=%d: invalid OMAP", sb.xid)
+                continue
+            self.sb = sb
+            break
     @property
     def block_size(self) -> int:

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1}/dissect/apfs/c_apfs.py RENAMED Viewed

@@ -2,6 +2,8 @@
 # - https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf
 # - https://github.com/sgan81/apfs-fuse
 # - https://github.com/linux-apfs/linux-apfs-rw
+from __future__ import annotations
 from dissect.cstruct import cstruct
 apfs_def = """

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1}/dissect/apfs/exception.py RENAMED Viewed

@@ -1,3 +1,6 @@
+from __future__ import annotations
 class Error(Exception):
     pass

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1}/dissect/apfs/objects/fs.py RENAMED Viewed

@@ -792,27 +792,27 @@ class DirectoryEntry:
     @cached_property
     def type(self) -> int:
         """The file type of this directory entry."""
-        return self.value.flags & c_apfs.DREC_TYPE_MASK << 12
+        return (self.value.flags & c_apfs.DREC_TYPE_MASK) << 12
     def is_dir(self) -> bool:
         """Return whether this directory entry is a directory."""
-        return stat.S_ISDIR(self.type << 12)
+        return stat.S_ISDIR(self.type)
     def is_file(self) -> bool:
         """Return whether this directory entry is a regular file."""
-        return stat.S_ISREG(self.type << 12)
+        return stat.S_ISREG(self.type)
     def is_symlink(self) -> bool:
         """Return whether this directory entry is a symbolic link."""
-        return stat.S_ISLNK(self.type << 12)
+        return stat.S_ISLNK(self.type)
     def is_block_device(self) -> bool:
         """Return whether this directory entry is a block device."""
-        return stat.S_ISBLK(self.type << 12)
+        return stat.S_ISBLK(self.type)
     def is_character_device(self) -> bool:
         """Return whether this directory entry is a character device."""
-        return stat.S_ISCHR(self.type << 12)
+        return stat.S_ISCHR(self.type)
     def is_device(self) -> bool:
         """Return whether this directory entry is a device (block or character)."""
@@ -820,15 +820,15 @@ class DirectoryEntry:
     def is_fifo(self) -> bool:
         """Return whether this directory entry is a FIFO."""
-        return stat.S_ISFIFO(self.type << 12)
+        return stat.S_ISFIFO(self.type)
     def is_socket(self) -> bool:
         """Return whether this directory entry is a socket."""
-        return stat.S_ISSOCK(self.type << 12)
+        return stat.S_ISSOCK(self.type)
     def is_whiteout(self) -> bool:
         """Return whether this directory entry is a whiteout."""
-        return stat.S_ISWHT(self.type << 12)
+        return stat.S_ISWHT(self.type)
 class XAttr:

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1}/dissect/apfs/objects/keybag.py RENAMED Viewed

@@ -292,7 +292,6 @@ def _create_cipher(key: bytes, iv: bytes = b"\x00" * 16, mode: str = "cbc") -> A
     Dynamic based on the available crypto module.
     """
     if HAS_PYSTANDALONE:
         key_size = len(key)
         if key_size not in (32, 24, 16):

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1}/dissect/apfs/objects/nx_superblock.py RENAMED Viewed

@@ -29,8 +29,16 @@ class NxSuperblock(Object):
     __struct__ = c_apfs.nx_superblock
     object: c_apfs.nx_superblock
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
+    def check(self) -> None:
+        """Check the validity of the superblock."""
+        if not self.is_valid():
+            raise Error("Invalid nx_superblock checksum")
+        if self.type != c_apfs.OBJECT_TYPE.NX_SUPERBLOCK:
+            raise Error("Invalid nx_superblock type")
+        if not self.is_ephemeral:
+            raise Error("Invalid nx_superblock storage type")
         if self.object.nx_magic.to_bytes(4, "big") != c_apfs.NX_MAGIC:
             raise Error(
@@ -38,6 +46,24 @@ class NxSuperblock(Object):
                 f"(expected {c_apfs.NX_MAGIC!r}, got {self.object.nx_magic.to_bytes(4, 'big')!r})"
             )
+    def compare(self, other: NxSuperblock) -> None:
+        """Compare this superblock to another superblock."""
+        if self.header.o_xid < other.header.o_xid:
+            raise Error("Lower xid than other superblock")
+        for attr in (
+            "nx_uuid",
+            "nx_fusion_uuid",
+            "nx_block_size",
+            "nx_block_count",
+            "nx_xp_desc_blocks",
+            "nx_xp_data_blocks",
+            "nx_xp_desc_base",
+            "nx_xp_data_base",
+        ):
+            if getattr(self.object, attr) != getattr(other.object, attr):
+                raise Error(f"Mismatch on {attr}")
     @cached_property
     def block_size(self) -> int:
         """The block size of the container."""
@@ -66,14 +92,20 @@ class NxSuperblock(Object):
     @cached_property
     def checkpoint_objects(self) -> list[CheckpointMap | NxSuperblock]:
         """All checkpoint objects in the container."""
-        return list(_read_checkpoint_objects(self.container, self.object.nx_xp_desc_base, self.object.nx_xp_desc_len))
+        # TODO: Rework this a bit to be more accurate
+        return list(
+            _read_checkpoint_objects(self.container, self.object.nx_xp_desc_base, self.object.nx_xp_desc_blocks)
+        )
     @cached_property
     def ephemeral_objects(self) -> dict[int, Object]:
         """All ephemeral objects in the container."""
+        # TODO: I don't think this is correct
         return {
             obj.oid: obj
-            for obj in _read_checkpoint_objects(self.container, self.object.nx_xp_data_base, self.object.nx_xp_data_len)
+            for obj in _read_checkpoint_objects(
+                self.container, self.object.nx_xp_data_base, self.object.nx_xp_data_blocks
+            )
         }
     @cached_property

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1}/dissect/apfs/objects/omap.py RENAMED Viewed

@@ -20,6 +20,15 @@ class ObjectMap(Object):
         self.lookup = lru_cache(128)(self.lookup)
+    def is_valid(self) -> bool:
+        return (
+            super().is_valid()
+            and self.type == c_apfs.OBJECT_TYPE.OMAP
+            and self.subtype == 0
+            and self.is_physical
+            and self.oid == self.address
+        )
     @cached_property
     def btree(self) -> BTree:
         """The B-tree of the object map."""

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1/dissect.apfs.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dissect.apfs
-Version: 1.1.dev1
+Version: 1.2.dev1
 Summary: A Dissect module implementing a parser for the APFS file system, a commonly used Apple file system
 Author-email: Dissect Team <dissect@fox-it.com>
 License-Expression: AGPL-3.0-or-later

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1}/dissect.apfs.egg-info/SOURCES.txt RENAMED Viewed

@@ -49,6 +49,7 @@ tests/_data/case_insensitive.bin.gz
 tests/_data/case_insensitive_beta.bin.gz
 tests/_data/case_sensitive.bin.gz
 tests/_data/case_sensitive_beta.bin.gz
+tests/_data/corrupt.bin.gz
 tests/_data/encrypted.bin.gz
 tests/_data/jhfs_converted.bin.gz
 tests/_data/jhfs_encrypted.bin.gz

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1}/pyproject.toml RENAMED Viewed

@@ -99,7 +99,7 @@ select = [
   "SLOT",
   "SIM",
   "TID",
-  "TCH",
+  "TC",
   "PTH",
   "PLC",
   "TRY",
@@ -107,8 +107,25 @@ select = [
   "PERF",
   "FURB",
   "RUF",
+  "D"
 ]
-ignore = ["E203", "B904", "UP024", "ANN002", "ANN003", "ANN204", "ANN401", "SIM105", "TRY003"]
+ignore = [
+    "E203", "B904", "UP024", "ANN002", "ANN003", "ANN204", "ANN401", "SIM105", "TRY003", "PLC0415",
+    # Ignore some pydocstyle rules for now as they require a larger cleanup
+    "D1",
+    "D205",
+    "D301",
+    "D417",
+    # Seems bugged: https://github.com/astral-sh/ruff/issues/16824
+    "D402",
+]
+future-annotations = true
+[tool.ruff.lint.pydocstyle]
+convention = "google"
+[tool.ruff.lint.flake8-type-checking]
+strict = true
 [tool.ruff.lint.per-file-ignores]
 "tests/_docs/**" = ["INP001"]
@@ -117,6 +134,7 @@ ignore = ["E203", "B904", "UP024", "ANN002", "ANN003", "ANN204", "ANN401", "SIM1
 [tool.ruff.lint.isort]
 known-first-party = ["dissect.apfs"]
 known-third-party = ["dissect"]
+required-imports = ["from __future__ import annotations"]
 [tool.setuptools.packages.find]
 include = ["dissect.*"]

dissect_apfs-1.2.dev1/tests/_data/corrupt.bin.gz ADDED Viewed

Binary file

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1}/tests/_docs/conf.py RENAMED Viewed

@@ -1,3 +1,5 @@
+from __future__ import annotations
 project = "dissect.apfs"
 extensions = [

{dissect_apfs-1.1.dev1 → dissect_apfs-1.2.dev1}/tests/test_apfs.py RENAMED Viewed

@@ -6,7 +6,7 @@ from typing import TYPE_CHECKING
 import pytest
-from dissect.apfs.apfs import APFS
+from dissect.apfs.apfs import APFS, log
 from dissect.apfs.c_apfs import c_apfs
 from tests.conftest import absolute_path
@@ -36,6 +36,11 @@ def _assert_apfs_content(volume: FS, beta: bool) -> None:
         ]
     )
+    # Test direntry parsing
+    assert node.listdir()["dir"].is_dir()
+    assert node.listdir()["hardlink"].is_file()
+    assert node.listdir()["symlink-dir"].is_symlink()
     # Empty file
     node = volume.get("empty")
     assert node.name == "empty"
@@ -240,6 +245,9 @@ def _assert_apfs_content(volume: FS, beta: bool) -> None:
     if ".HFS+ Private Directory Data\r" not in volume.get("/").listdir() and not beta:
         # Special files
+        dirents = volume.get("dir").listdir()
+        assert dirents["blockdev"].is_block_device()
         node = volume.get("dir/blockdev")
         assert node.name == "blockdev"
         assert node.is_block_device()
@@ -263,6 +271,8 @@ def _assert_apfs_content(volume: FS, beta: bool) -> None:
             "chardev-svr4",
             "chardev-ultrix",
         ]:
+            assert dirents[name].is_character_device()
             node = volume.get(f"dir/{name}")
             assert node.name == name
             assert node.is_character_device()
@@ -357,3 +367,15 @@ def test_snapshots() -> None:
         for i, snapshot in enumerate(volume.snapshots):
             assert snapshot.name == f"Snapshot {i}"
             assert snapshot.open().get("file").open().read() == f"Snapshot {i}\n".encode()
+def test_corrupt_checkpoints(caplog: pytest.LogCaptureFixture) -> None:
+    """Test APFS volumes with corrupt checkpoints."""
+    with gzip.open(absolute_path("_data/corrupt.bin.gz"), "rb") as fh, caplog.at_level("DEBUG", log.name):
+        container = APFS(fh)
+        assert container.sb.xid == 302
+        assert len(container.volumes) == 1
+    assert caplog.messages[0] == "Skipping superblock xid=304: invalid OMAP"
+    assert caplog.messages[1] == "Skipping superblock xid=303: Invalid nx_superblock checksum"