dissect.target 3.20.dev27__py3-none-any.whl → 3.20.dev29__py3-none-any.whl

dissect/target/helpers/configutil.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 import io
 import json
+import logging
 import re
 import sys
 from collections import deque
@@ -47,6 +48,9 @@ except ImportError:
     HAS_TOML = False
 
 
+log = logging.getLogger(__name__)
+
+
 def _update_dictionary(current: dict[str, Any], key: str, value: Any) -> None:
     if prev_value := current.get(key):
         if isinstance(prev_value, dict):
@@ -465,6 +469,76 @@ class Toml(ConfigurationParser):
             raise ConfigurationParsingError("Failed to parse file, please install tomli.")
 
 
+class Env(ConfigurationParser):
+    """Parses ``.env`` file contents according to Docker and bash specification.
+
+    Does not apply interpolation of substituted values, eg. ``foo=${bar}`` and does not attempt
+    to parse list or dict strings. Does not support dynamic env files, eg. `` foo=`bar` ``. Also
+    does not support multi-line key/value assignments (yet).
+
+    Resources:
+        - https://docs.docker.com/compose/environment-variables/variable-interpolation/#env-file-syntax
+        - https://github.com/theskumar/python-dotenv/blob/main/src/dotenv/parser.py
+    """
+
+    RE_KV = re.compile(r"^(?P<key>.+?)=(?P<value>(\".+?\")|(\'.+?\')|(.*?))?(?P<comment> \#.+?)?$")
+
+    def __init__(self, comments: bool = True, *args, **kwargs) -> None:
+        super().__init__(*args, **kwargs)
+        self.comments = comments
+        self.parsed_data: dict | tuple[dict, str | None] = {}
+
+    def parse_file(self, fh: TextIO) -> None:
+        for line in fh.readlines():
+            # Blank lines are ignored.
+            # Lines beginning with ``#`` are processed as comments and ignored.
+            if not line or line[0] == "#" or "=" not in line:
+                continue
+
+            # Each line represents a key-value pair. Values can optionally be quoted.
+            # Inline comments for unquoted values must be preceded with a space.
+            # Value may be empty.
+            match = self.RE_KV.match(line)
+
+            # Line could be invalid
+            if not match:
+                log.warning("Could not parse line in %s: '%s'", fh, line)
+                continue
+
+            key = match.groupdict()["key"]
+            value = match.groupdict().get("value") or ""
+            value = value.strip()
+            comment = match.groupdict().get("comment")
+            comment = comment.replace(" # ", "", 1) if comment else None
+
+            # Surrounding whitespace characters are removed, unless quoted.
+            if value and ((value[0] == '"' and value[-1] == '"') or (value[0] == "'" and value[-1] == "'")):
+                is_quoted = True
+                value = value.strip("\"'")
+            else:
+                is_quoted = False
+                value = value.strip()
+
+            # Unquoted values may start with a quote if they are properly escaped.
+            if not is_quoted and value[:2] in ["\\'", '\\"']:
+                value = value[1:]
+
+            # Interpret boolean values
+            if value.lower() in ["1", "true"]:
+                value = True
+            elif value.lower() in ["0", "false"]:
+                value = False
+
+            # Interpret integer values
+            if isinstance(value, str) and re.match(r"^[0-9]{1,}$", value):
+                value = int(value)
+
+            if key.strip() in self.parsed_data:
+                log.warning("Duplicate environment key '%s' in file %s", key.strip(), fh)
+
+            self.parsed_data[key.strip()] = (value, comment) if self.comments else value
+
+
 class ScopeManager:
     """A (context)manager for dictionary scoping.
 

dissect/target/helpers/regutil.py

@@ -3,9 +3,10 @@ from __future__ import annotations
 
 import fnmatch
 import re
-import struct
 from collections import defaultdict
 from datetime import datetime
+from enum import IntEnum
+from functools import cached_property
 from io import BytesIO
 from pathlib import Path
 from typing import BinaryIO, Iterator, Optional, TextIO, Union
@@ -28,6 +29,19 @@ ValueType = Union[int, str, bytes, list[str]]
 """The possible value types that can be returned from the registry."""
 
 
+class RegistryValueType(IntEnum):
+    NONE = regf.REG_NONE
+    SZ = regf.REG_SZ
+    EXPAND_SZ = regf.REG_EXPAND_SZ
+    BINARY = regf.REG_BINARY
+    DWORD = regf.REG_DWORD
+    DWORD_BIG_ENDIAN = regf.REG_DWORD_BIG_ENDIAN
+    MULTI_SZ = regf.REG_MULTI_SZ
+    FULL_RESOURCE_DESCRIPTOR = regf.REG_FULL_RESOURCE_DESCRIPTOR
+    RESOURCE_REQUIREMENTS_LIST = regf.REG_RESOURCE_REQUIREMENTS_LIST
+    QWORD = regf.REG_QWORD
+
+
 class RegistryHive:
     """Base class for registry hives."""
 
@@ -405,8 +419,8 @@ class VirtualValue(RegistryValue):
         return self._value
 
     @property
-    def type(self) -> int:
-        return None
+    def type(self) -> RegistryValueType:
+        return RegistryValueType.NONE
 
 
 class HiveCollection(RegistryHive):
@@ -683,8 +697,8 @@ class RegfValue(RegistryValue):
         return self.kv.value
 
     @property
-    def type(self) -> int:
-        return self.kv.type
+    def type(self) -> RegistryValueType:
+        return RegistryValueType(self.kv.type)
 
 
 class RegFlex:
@@ -750,17 +764,22 @@ class RegFlexKey(VirtualKey):
 
 class RegFlexValue(VirtualValue):
     def __init__(self, hive: RegistryHive, name: str, value: ValueType):
-        self._parsed_value = None
         super().__init__(hive, name, value)
 
+    @cached_property
+    def _parse(self) -> tuple[RegistryValueType, ValueType]:
+        return parse_flex_value(self._value)
+
     @property
     def value(self) -> ValueType:
-        if not self._parsed_value:
-            self._parsed_value = parse_flex_value(self._value)
-        return self._parsed_value
+        return self._parse[1]
+
+    @property
+    def type(self) -> RegistryValueType:
+        return self._parse[0]
 
 
-def parse_flex_value(value: str) -> ValueType:
+def parse_flex_value(value: str) -> tuple[RegistryValueType, ValueType]:
     """Parse values from text registry exports.
 
     Args:
@@ -770,31 +789,31 @@ def parse_flex_value(value: str) -> ValueType:
         NotImplementedError: If ``value`` is not of a supported type for parsing.
     """
     if value.startswith('"'):
-        return value.strip('"')
+        return RegistryValueType.SZ, value.strip('"')
 
     vtype, _, value = value.partition(":")
     if vtype == "dword":
-        return struct.unpack(">i", bytes.fromhex(value))[0]
+        return RegistryValueType.DWORD, int.from_bytes(bytes.fromhex(value), "big", signed=True)
     elif "hex" in vtype:
         value = bytes.fromhex(value.replace(",", ""))
         if vtype == "hex":
-            return value
+            return RegistryValueType.BINARY, value
 
         # hex(T)
         # These values match regf type values
         vtype = int(vtype[4:5], 16)
         if vtype == regf.REG_NONE:
-            return value if value else None
+            decoded = value if value else None
         elif vtype == regf.REG_SZ:
-            return regf.try_decode_sz(value)
+            decoded = regf.try_decode_sz(value)
         elif vtype == regf.REG_EXPAND_SZ:
-            return regf.try_decode_sz(value)
+            decoded = regf.try_decode_sz(value)
         elif vtype == regf.REG_BINARY:
-            return value
+            decoded = value
         elif vtype == regf.REG_DWORD:
-            return struct.unpack("<I", value)[0]
+            decoded = int.from_bytes(value, "little", signed=False)
         elif vtype == regf.REG_DWORD_BIG_ENDIAN:
-            return struct.unpack(">I", value)[0]
+            decoded = int.from_bytes(value, "big", signed=False)
         elif vtype == regf.REG_MULTI_SZ:
             d = BytesIO(value)
 
@@ -806,11 +825,12 @@ def parse_flex_value(value: str) -> ValueType:
 
                 r.append(s)
 
-            return r
+            decoded = r
         elif vtype == regf.REG_QWORD:
-            return struct.unpack(">Q", value)[0]
+            decoded = int.from_bytes(value, "big", signed=False)
         else:
             raise NotImplementedError(f"Registry flex value type {vtype}")
+        return RegistryValueType(vtype), decoded
 
 
 def has_glob_magic(pattern: str) -> bool:

dissect/target/plugins/apps/other/env.py

@@ -0,0 +1,56 @@
+from typing import Iterator
+
+from dissect.target.helpers.configutil import Env
+from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugin import Plugin, arg, export
+
+EnvironmentFileRecord = TargetRecordDescriptor(
+    "application/other/file/environment",
+    [
+        ("datetime", "ts_mtime"),
+        ("string", "key"),
+        ("string", "value"),
+        ("string", "comment"),
+        ("path", "path"),
+    ],
+)
+
+
+class EnvironmentFilePlugin(Plugin):
+    """Environment file plugin."""
+
+    def check_compatible(self) -> None:
+        # `--env-path` is provided at runtime
+        pass
+
+    @export(record=EnvironmentFileRecord)
+    @arg("--env-path", help="path to scan environment files in")
+    @arg("--extension", help="extension of files to scan", default="env")
+    def envfile(self, env_path: str, extension: str = "env") -> Iterator[EnvironmentFileRecord]:
+        """Yield environment variables found in ``.env`` files at the provided path."""
+
+        if not env_path:
+            self.target.log.error("No ``--path`` provided!")
+
+        if not (path := self.target.fs.path(env_path)).exists():
+            self.target.log.error("Provided path %s does not exist!", path)
+
+        for file in path.glob("**/*." + extension):
+            if not file.is_file():
+                continue
+
+            mtime = file.lstat().st_mtime
+
+            with file.open("r") as fh:
+                parser = Env(comments=True)
+                parser.read_file(fh)
+
+                for key, (value, comment) in parser.parsed_data.items():
+                    yield EnvironmentFileRecord(
+                        ts_mtime=mtime,
+                        key=key,
+                        value=value,
+                        comment=comment,
+                        path=file,
+                        _target=self.target,
+                    )

{dissect.target-3.20.dev27.dist-info → dissect.target-3.20.dev29.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.20.dev27
+Version: 3.20.dev29
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.20.dev27.dist-info → dissect.target-3.20.dev29.dist-info}/RECORD

@@ -46,7 +46,7 @@ dissect/target/filesystems/zip.py,sha256=BeNj23DOYfWuTm5V1V419ViJiMfBrO1VA5gP6rl
 dissect/target/helpers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/helpers/cache.py,sha256=TXlJBdFRz6V9zKs903am4Yawr0maYw5kZY0RqklDQJM,8568
 dissect/target/helpers/config.py,sha256=RMHnIuKJHINHiLrvKN3EyA0jFA1o6-pbeaycG8Pgrp8,2596
-dissect/target/helpers/configutil.py,sha256=2PjQG-8vsParTANkMox_2cB1_MDxpOURJrUFj5dL3DI,28355
+dissect/target/helpers/configutil.py,sha256=mO2XwhzLhGjFQzg_zC8SNi24CQhye1fhkYlH5Q5HFm8,31365
 dissect/target/helpers/cyber.py,sha256=WnJlk-HqAETmDAgLq92JPxyDLxvzSoFV_WrO-odVKBI,16805
 dissect/target/helpers/descriptor_extensions.py,sha256=uT8GwznfDAiIgMM7JKKOY0PXKMv2c0GCqJTCkWFgops,2605
 dissect/target/helpers/docs.py,sha256=J5U65Y3yOTqxDEZRCdrEmO63XQCeDzOJea1PwPM6Cyc,5146
@@ -62,7 +62,7 @@ dissect/target/helpers/polypath.py,sha256=h8p7m_OCNiQljGwoZh5Aflr9H2ot6CZr6WKq1O
 dissect/target/helpers/protobuf.py,sha256=b4DsnqrRLrefcDjx7rQno-_LBcwtJXxuKf5RdOegzfE,1537
 dissect/target/helpers/record.py,sha256=7Se6ZV8cvwEaGSjRd9bKhVnUAn4W4KR2eqP6AbQhTH4,5892
 dissect/target/helpers/record_modifier.py,sha256=O_Jj7zOi891HIyAYjxxe6LFPYETHdMa5lNjo4NA_T_w,3969
-dissect/target/helpers/regutil.py,sha256=kX-sSZbW8Qkg29Dn_9zYbaQrwLumrr4Y8zJ1EhHXIAM,27337
+dissect/target/helpers/regutil.py,sha256=ti-ht2N9UxbMjhUBP2bybY76_dAvbCz0txPBszvSKVw,28171
 dissect/target/helpers/shell_application_ids.py,sha256=hYxrP-YtHK7ZM0ectJFHfoMB8QUXLbYNKmKXMWLZRlA,38132
 dissect/target/helpers/shell_folder_ids.py,sha256=Behhb8oh0kMxrEk6YYKYigCDZe8Hw5QS6iK_d2hTs2Y,24978
 dissect/target/helpers/utils.py,sha256=K3xVq9D0FwIhTBAuiWN8ph7Pq2GABgG3hOz-3AmKuEA,4244
@@ -127,6 +127,7 @@ dissect/target/plugins/apps/browser/firefox.py,sha256=mZBBagFfIdiz9kUyK4Hi989I4g
 dissect/target/plugins/apps/browser/iexplore.py,sha256=g_xw0toaiyjevxO8g9XPCOqc-CXZp39FVquRhPFGdTE,8801
 dissect/target/plugins/apps/container/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/container/docker.py,sha256=LTsZplaECSfO1Ysp_Y-9WsnNocsreu_iHO8fbSif3g0,16221
+dissect/target/plugins/apps/other/env.py,sha256=_I12S_wjyT18WlUJ5cWOy5OTI140AheH6tq743iiyys,1874
 dissect/target/plugins/apps/remoteaccess/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/remoteaccess/anydesk.py,sha256=IdijK3F6ppaB_IgKL-xDljlEbb8l9S2U0xSWKqK9xRs,4294
 dissect/target/plugins/apps/remoteaccess/remoteaccess.py,sha256=DWXkRDVUpFr1icK2fYwSXdZD204Xz0yRuO7rcJOwIwc,825
@@ -368,10 +369,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.20.dev27.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.20.dev27.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.20.dev27.dist-info/METADATA,sha256=O7DsHBHZKJGXZ1bQFS5nypC1x3WA9342Xj88YwbbT4k,12897
-dissect.target-3.20.dev27.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
-dissect.target-3.20.dev27.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
-dissect.target-3.20.dev27.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.20.dev27.dist-info/RECORD,,
+dissect.target-3.20.dev29.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.20.dev29.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.20.dev29.dist-info/METADATA,sha256=5QkftvpVFTGaJunkmrOrcd8izTwayNKC5WbTqXhcMn8,12897
+dissect.target-3.20.dev29.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
+dissect.target-3.20.dev29.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
+dissect.target-3.20.dev29.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.20.dev29.dist-info/RECORD,,