Allow accessor scope to be configured in remapping (#3290)

Fixed #3256
Velocidex · Feb 15, 2024 · ecb35eb · ecb35eb
1 parent 29fe107
commit ecb35eb
Show file tree

Hide file tree

Showing 11 changed files with 311 additions and 150 deletions.
diff --git a/api/proto/api.pb.gw.go b/api/proto/api.pb.gw.go
diff --git a/artifacts/testdata/server/.gitignore b/artifacts/testdata/server/.gitignore
@@ -9,4 +9,6 @@ orgs
 snapshot.json
 snapshot.json.index
 clients/C.123
-clients/C.4f5e52adf0a337a9/flow_index.json*
+clients/C.4f5e52adf0a337a9/flow_index.json*
+
+hunts/index.*
diff --git a/artifacts/testdata/server/testcases/remapping_ssh.in.yaml b/artifacts/testdata/server/testcases/remapping_ssh.in.yaml
@@ -0,0 +1,37 @@
+Parameters:
+  RemappingTemplate: |
+    remappings:
+      # SSH mount from
+      - type: mount
+        scope: |
+          LET X <= log(message="Evaluated Remapping")
+          LET SSH_CONFIG <= dict(hostname='localhost:22',
+             username='test', private_key="XXX")
+        from:
+          accessor: ssh
+
+        on:
+          accessor: file
+          prefix: /remote/mnt
+          path_type: linux
+
+  LogRegex: "While parsing private key: ssh: no key found|remap: Failed to apply remapping|Unknown filesystem accessor file"
+
+Queries:
+  - LET _ <= remap(config=RemappingTemplate)
+
+  # Test that we are launching the ssh accessor
+  - SELECT * FROM glob(
+       globs='/*', root='/remote/mnt/foobar', accessor="file")
+
+  # The above should emit some errors so check for them now.
+
+  # 1. ssh: no key found shows that ssh accessor is receiving the
+  #    bogus key and trying to parse it.
+  # 2. Failed to apply remapping - remapping failed to apply this will
+  #    wipe all accessors from the device manager.
+  # 3. Unknown filesystem accessor file - the file accessor is no
+  #    longer available. This ensures we dont accidentally operate on
+  #    the host filesystem if the mapping is broken.
+  - |
+    SELECT * FROM test_read_logs() WHERE Log =~ LogRegex
diff --git a/artifacts/testdata/server/testcases/remapping_ssh.out.yaml b/artifacts/testdata/server/testcases/remapping_ssh.out.yaml
@@ -0,0 +1,12 @@
+LET _ <= remap(config=RemappingTemplate)[]SELECT * FROM glob( globs='/*', root='/remote/mnt/foobar', accessor="file")[]SELECT * FROM test_read_logs() WHERE Log =~ LogRegex
+[
+ {
+  "Log": "Velociraptor: remap: ssh: While parsing private key: ssh: no key found\n"
+ },
+ {
+  "Log": "Velociraptor: remap: Failed to apply remapping - will apply an empty remapping to block further processing\n"
+ },
+ {
+  "Log": "Velociraptor: glob: Field root Unknown filesystem accessor file\n"
+ }
+]
diff --git a/bin/analysis_target.go b/bin/analysis_target.go
@@ -6,10 +6,10 @@ import (
 	"io/ioutil"
 
 	"github.com/Velocidex/ordereddict"
-	"github.com/Velocidex/yaml/v2"
 	"www.velocidex.com/golang/velociraptor/accessors"
 	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
 	logging "www.velocidex.com/golang/velociraptor/logging"
+	"www.velocidex.com/golang/velociraptor/utils"
 	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 	"www.velocidex.com/golang/velociraptor/vql/acl_managers"
 	"www.velocidex.com/golang/velociraptor/vql/remapping"
@@ -32,11 +32,11 @@ func applyAnalysisTarget(config_obj *config_proto.Config) error {
 	}
 
 	remapping_config := []*config_proto.RemappingConfig{}
-	err = yaml.Unmarshal(data, remapping_config)
+	err = utils.YamlUnmarshal(data, remapping_config)
 	if err != nil {
 		// It might be a regular config file
 		full_config := &config_proto.Config{}
-		err := yaml.Unmarshal(data, full_config)
+		err := utils.YamlUnmarshal(data, full_config)
 		if err != nil {
 			return err
 		}