#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""Tests for the path filter."""
from __future__ import unicode_literals
import io
import unittest
from dfvfs.helpers import file_system_searcher
from dfvfs.lib import definitions as dfvfs_definitions
from dfvfs.path import factory as path_spec_factory
from dfvfs.resolver import resolver as path_spec_resolver
from plaso.containers import artifacts
from plaso.engine import filter_file
from plaso.engine import path_filters
from plaso.engine import yaml_filter_file
from tests import test_lib as shared_test_lib
class PathFilterTest(shared_test_lib.BaseTestCase):
  """Tests for the path filter."""

  def testInitialize(self):
    """Tests the __init__ function."""
    # A known filter type must produce a usable filter object.
    include_filter = path_filters.PathFilter(
        path_filters.PathFilter.FILTER_TYPE_INCLUDE)
    self.assertIsNotNone(include_filter)

    # An unknown filter type must be rejected with ValueError rather than
    # being accepted as a filter.
    with self.assertRaises(ValueError):
      path_filters.PathFilter('bogus')
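class PathCollectionFiltersHelperTest(shared_test_lib.BaseTestCase):
  """Tests for the path collection filters helper.

  Both tests feed the same set of path expressions to the helper, once in the
  plain filter file format and once in the YAML format, and check that the
  helper builds the same number of find specifications and that searching
  with them yields the same number of path specifications.

  NOTE(review): the assertions pin counts only. They would not notice a valid
  entry being dropped while a malformed one is accepted, so asserting which
  locations survive would make a silent change of collection scope visible.
  """

  # pylint: disable=protected-access

  # Plain filter file: 7 path entries, of which 2 are deliberately malformed
  # and 1 matches nothing on disk. Lines starting with '#' are part of the
  # filter file data, not Python comments.
  _FILTER_FILE_DATA = '\n'.join([
      '# 2 hits.',
      '/test_data/testdir/filter_.+.txt',
      '# A single hit.',
      '/test_data/.+evtx',
      '# A single hit.',
      '/AUTHORS',
      '/does_not_exist/some_file_[0-9]+txt',
      '# Path expansion.',
      '{systemroot}/Tasks/.+[.]job',
      '# This should not compile properly, missing file information.',
      'failing/',
      '# This should not fail during initial loading, but fail later on.',
      'bad re (no close on that parenthesis/file',
      ''])

  # YAML filter file: the same 7 path entries spread over 3 documents, the
  # second of which declares a backslash path separator.
  _YAML_FILTER_FILE_DATA = '\n'.join([
      'type: include',
      'paths:',
      '- \'bad re (no close on that parenthesis/file\'',
      '- \'failing/\'',
      '- \'/does_not_exist/some_file_[0-9]+txt\'',
      '---',
      'type: include',
      'path_separator: \'\\\'',
      'paths:',
      '- \'\\\\AUTHORS\'',
      '- \'{systemroot}\\\\Tasks\\\\.+[.]job\'',
      '---',
      'type: include',
      'paths:',
      '- \'/test_data/.+evtx\'',
      '- \'/test_data/testdir/filter_.+.txt\'',
      ''])

  def _SkipIfTestFilesMissing(self):
    """Skips the calling test when a test file it relies on is missing."""
    for path_segments in (
        ['System.evtx'],
        ['testdir', 'filter_1.txt'],
        ['testdir', 'filter_3.txt']):
      self._SkipIfPathNotExists(self._GetTestFilePath(path_segments))

  def _CheckBuildFindSpecs(self, test_path_filters):
    """Builds find specifications and checks what a search with them yields.

    Args:
      test_path_filters: path filters as returned by the _ReadFromFileObject
          method of a filter file object.
    """
    environment_variable = artifacts.EnvironmentVariableArtifact(
        case_sensitive=False, name='SystemRoot', value='C:\\Windows')

    test_helper = path_filters.PathCollectionFiltersHelper()
    test_helper.BuildFindSpecs(
        test_path_filters, environment_variables=[environment_variable])

    # 7 path entries go in and 5 find specifications come out; presumably the
    # two malformed entries are the ones that are dropped - TODO confirm.
    self.assertEqual(len(test_helper.included_file_system_find_specs), 5)

    # location='.' roots the search at the current working directory, so the
    # number of hits depends on where the test runner is started.
    path_spec = path_spec_factory.Factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_OS, location='.')
    file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)

    # Close the file system even when the search or an assertion raises, so a
    # failing test does not leave it open.
    try:
      searcher = file_system_searcher.FileSystemSearcher(
          file_system, path_spec)

      path_spec_generator = searcher.Find(
          find_specs=test_helper.included_file_system_find_specs)
      self.assertIsNotNone(path_spec_generator)

      path_specs = list(path_spec_generator)
    finally:
      file_system.Close()

    # Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files,
    # total 6 path specifications.
    self.assertEqual(len(path_specs), 6)

  def testBuildFindSpecs(self):
    """Tests the BuildFindSpecs function."""
    self._SkipIfTestFilesMissing()

    test_filter_file = filter_file.FilterFile()
    test_path_filters = test_filter_file._ReadFromFileObject(
        io.StringIO(self._FILTER_FILE_DATA))

    self._CheckBuildFindSpecs(test_path_filters)

  def testBuildFindSpecsWithYAMLFilterFile(self):
    """Tests the BuildFindSpecs function with YAML filter file."""
    self._SkipIfTestFilesMissing()

    test_filter_file = yaml_filter_file.YAMLFilterFile()
    test_path_filters = test_filter_file._ReadFromFileObject(
        io.StringIO(self._YAML_FILTER_FILE_DATA))

    self._CheckBuildFindSpecs(test_path_filters)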
# Run the test cases only when this file is executed as a script, not when
# it is imported by a test runner.
if __name__ == '__main__':
  unittest.main()