dissect.apfs 1.1.dev2__tar.gz → 1.2.dev2__tar.gz

{dissect_apfs-1.1.dev2/dissect.apfs.egg-info → dissect_apfs-1.2.dev2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dissect.apfs
-Version: 1.1.dev2
+Version: 1.2.dev2
 Summary: A Dissect module implementing a parser for the APFS file system, a commonly used Apple file system
 Author-email: Dissect Team <dissect@fox-it.com>
 License-Expression: AGPL-3.0-or-later

{dissect_apfs-1.1.dev2 → dissect_apfs-1.2.dev2}/dissect/apfs/__init__.py

@@ -1,3 +1,5 @@
+from __future__ import annotations
+
 from dissect.apfs.apfs import APFS
 from dissect.apfs.exception import (
     Error,

{dissect_apfs-1.1.dev2 → dissect_apfs-1.2.dev2}/dissect/apfs/c_apfs.py

@@ -2,6 +2,8 @@
 # - https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf
 # - https://github.com/sgan81/apfs-fuse
 # - https://github.com/linux-apfs/linux-apfs-rw
+from __future__ import annotations
+
 from dissect.cstruct import cstruct
 
 apfs_def = """

{dissect_apfs-1.1.dev2 → dissect_apfs-1.2.dev2}/dissect/apfs/exception.py

@@ -1,3 +1,6 @@
+from __future__ import annotations
+
+
 class Error(Exception):
     pass
 

{dissect_apfs-1.1.dev2 → dissect_apfs-1.2.dev2}/dissect/apfs/objects/fs.py

@@ -792,27 +792,27 @@ class DirectoryEntry:
     @cached_property
     def type(self) -> int:
         """The file type of this directory entry."""
-        return self.value.flags & c_apfs.DREC_TYPE_MASK << 12
+        return (self.value.flags & c_apfs.DREC_TYPE_MASK) << 12
 
     def is_dir(self) -> bool:
         """Return whether this directory entry is a directory."""
-        return stat.S_ISDIR(self.type << 12)
+        return stat.S_ISDIR(self.type)
 
     def is_file(self) -> bool:
         """Return whether this directory entry is a regular file."""
-        return stat.S_ISREG(self.type << 12)
+        return stat.S_ISREG(self.type)
 
     def is_symlink(self) -> bool:
         """Return whether this directory entry is a symbolic link."""
-        return stat.S_ISLNK(self.type << 12)
+        return stat.S_ISLNK(self.type)
 
     def is_block_device(self) -> bool:
         """Return whether this directory entry is a block device."""
-        return stat.S_ISBLK(self.type << 12)
+        return stat.S_ISBLK(self.type)
 
     def is_character_device(self) -> bool:
         """Return whether this directory entry is a character device."""
-        return stat.S_ISCHR(self.type << 12)
+        return stat.S_ISCHR(self.type)
 
     def is_device(self) -> bool:
         """Return whether this directory entry is a device (block or character)."""
@@ -820,15 +820,15 @@ class DirectoryEntry:
 
     def is_fifo(self) -> bool:
         """Return whether this directory entry is a FIFO."""
-        return stat.S_ISFIFO(self.type << 12)
+        return stat.S_ISFIFO(self.type)
 
     def is_socket(self) -> bool:
         """Return whether this directory entry is a socket."""
-        return stat.S_ISSOCK(self.type << 12)
+        return stat.S_ISSOCK(self.type)
 
     def is_whiteout(self) -> bool:
         """Return whether this directory entry is a whiteout."""
-        return stat.S_ISWHT(self.type << 12)
+        return stat.S_ISWHT(self.type)
 
 
 class XAttr:

{dissect_apfs-1.1.dev2 → dissect_apfs-1.2.dev2}/dissect/apfs/objects/keybag.py

@@ -292,7 +292,6 @@ def _create_cipher(key: bytes, iv: bytes = b"\x00" * 16, mode: str = "cbc") -> A
 
     Dynamic based on the available crypto module.
     """
-
     if HAS_PYSTANDALONE:
         key_size = len(key)
         if key_size not in (32, 24, 16):

{dissect_apfs-1.1.dev2 → dissect_apfs-1.2.dev2}/dissect/apfs/stream.py

@@ -88,26 +88,30 @@ class FileStream(AlignedStream):
 
         while length:
             logical_address, physical_address, extent_length, crypto_id = self._lookup(offset)
-            block = self.volume.container._read_block(physical_address, extent_length // self.align)
+
+            offset_in_extent = offset - logical_address
+            if offset_in_extent >= extent_length:
+                raise Error(
+                    f"Offset {offset:#x} is out of bounds for extent ({logical_address:#x}, {extent_length:#x})"
+                )
+
+            block_in_extent = offset_in_extent // self.align
+            read_length = min(extent_length - offset_in_extent, length)
+            block = self.volume.container._read_block(physical_address + block_in_extent, read_length // self.align)
 
             if self.volume.is_encrypted:
                 if not self.volume._cipher:
                     raise Error("Volume is encrypted, unlock it first")
 
                 if self.volume.is_onekey:
-                    block = self.volume._cipher.decrypt(block, crypto_id * self.volume.container.sectors_per_block)
+                    sector = (crypto_id + block_in_extent) * self.volume.container.sectors_per_block
+                    block = self.volume._cipher.decrypt(block, sector)
                 else:
                     raise Error("Multi-key encryption is not supported yet")
 
-            if offset_in_extent := offset - logical_address:
-                block = block[offset_in_extent:]
-
-            if length < len(block):
-                block = block[:length]
-
             result.append(block)
-            offset += min(extent_length, length)
-            length -= min(extent_length, length)
+            offset += read_length
+            length -= read_length
 
         return b"".join(result)
 

{dissect_apfs-1.1.dev2 → dissect_apfs-1.2.dev2/dissect.apfs.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dissect.apfs
-Version: 1.1.dev2
+Version: 1.2.dev2
 Summary: A Dissect module implementing a parser for the APFS file system, a commonly used Apple file system
 Author-email: Dissect Team <dissect@fox-it.com>
 License-Expression: AGPL-3.0-or-later

{dissect_apfs-1.1.dev2 → dissect_apfs-1.2.dev2}/dissect.apfs.egg-info/SOURCES.txt

@@ -53,6 +53,7 @@ tests/_data/corrupt.bin.gz
 tests/_data/encrypted.bin.gz
 tests/_data/jhfs_converted.bin.gz
 tests/_data/jhfs_encrypted.bin.gz
+tests/_data/large.bin.gz
 tests/_data/snapshot.bin.gz
 tests/_docs/Makefile
 tests/_docs/__init__.py

{dissect_apfs-1.1.dev2 → dissect_apfs-1.2.dev2}/pyproject.toml

@@ -99,7 +99,7 @@ select = [
   "SLOT",
   "SIM",
   "TID",
-  "TCH",
+  "TC",
   "PTH",
   "PLC",
   "TRY",
@@ -107,8 +107,25 @@ select = [
   "PERF",
   "FURB",
   "RUF",
+  "D"
 ]
-ignore = ["E203", "B904", "UP024", "ANN002", "ANN003", "ANN204", "ANN401", "SIM105", "TRY003"]
+ignore = [
+    "E203", "B904", "UP024", "ANN002", "ANN003", "ANN204", "ANN401", "SIM105", "TRY003", "PLC0415",
+    # Ignore some pydocstyle rules for now as they require a larger cleanup
+    "D1",
+    "D205",
+    "D301",
+    "D417",
+    # Seems bugged: https://github.com/astral-sh/ruff/issues/16824
+    "D402",
+]
+future-annotations = true
+
+[tool.ruff.lint.pydocstyle]
+convention = "google"
+
+[tool.ruff.lint.flake8-type-checking]
+strict = true
 
 [tool.ruff.lint.per-file-ignores]
 "tests/_docs/**" = ["INP001"]
@@ -117,6 +134,7 @@ ignore = ["E203", "B904", "UP024", "ANN002", "ANN003", "ANN204", "ANN401", "SIM1
 [tool.ruff.lint.isort]
 known-first-party = ["dissect.apfs"]
 known-third-party = ["dissect"]
+required-imports = ["from __future__ import annotations"]
 
 [tool.setuptools.packages.find]
 include = ["dissect.*"]

{dissect_apfs-1.1.dev2 → dissect_apfs-1.2.dev2}/tests/_docs/conf.py

@@ -1,3 +1,5 @@
+from __future__ import annotations
+
 project = "dissect.apfs"
 
 extensions = [

{dissect_apfs-1.1.dev2 → dissect_apfs-1.2.dev2}/tests/test_apfs.py

@@ -3,6 +3,7 @@ from __future__ import annotations
 import gzip
 import hashlib
 from typing import TYPE_CHECKING
+from unittest.mock import patch
 
 import pytest
 
@@ -36,6 +37,11 @@ def _assert_apfs_content(volume: FS, beta: bool) -> None:
         ]
     )
 
+    # Test direntry parsing
+    assert node.listdir()["dir"].is_dir()
+    assert node.listdir()["hardlink"].is_file()
+    assert node.listdir()["symlink-dir"].is_symlink()
+
     # Empty file
     node = volume.get("empty")
     assert node.name == "empty"
@@ -240,6 +246,9 @@ def _assert_apfs_content(volume: FS, beta: bool) -> None:
 
     if ".HFS+ Private Directory Data\r" not in volume.get("/").listdir() and not beta:
         # Special files
+        dirents = volume.get("dir").listdir()
+        assert dirents["blockdev"].is_block_device()
+
         node = volume.get("dir/blockdev")
         assert node.name == "blockdev"
         assert node.is_block_device()
@@ -263,6 +272,8 @@ def _assert_apfs_content(volume: FS, beta: bool) -> None:
             "chardev-svr4",
             "chardev-ultrix",
         ]:
+            assert dirents[name].is_character_device()
+
             node = volume.get(f"dir/{name}")
             assert node.name == name
             assert node.is_character_device()
@@ -369,3 +380,27 @@ def test_corrupt_checkpoints(caplog: pytest.LogCaptureFixture) -> None:
 
     assert caplog.messages[0] == "Skipping superblock xid=304: invalid OMAP"
     assert caplog.messages[1] == "Skipping superblock xid=303: Invalid nx_superblock checksum"
+
+
+def test_large_extents() -> None:
+    """Test APFS volumes with large extents."""
+    with gzip.open(absolute_path("_data/large.bin.gz"), "rb") as fh:
+        container = APFS(fh)
+        assert len(container.volumes) == 1
+
+        volume = container.volumes[0]
+        assert volume.name == "Large"
+
+        node = volume.get("yomomma.bin")
+        assert node.size == 512 * 1024 * 1024
+
+        fh = node.open()
+
+        # First extent is 128MiB
+        assert fh._lookup(0) == (0, 1070, 128 * 1024 * 1024, 0)
+
+        with patch.object(volume.container, "_read_block", wraps=volume.container._read_block) as mock_read_block:
+            assert fh.read(512) == b"\x67" * 512
+
+            # Check that we only read one block, not the entire 128MiB extent
+            mock_read_block.assert_called_once_with(1070, 1)