Allow metadata to contain a list of values by cccs-rs · Pull Request #201 · VirusTotal/yara-python

cccs-rs · 2022-03-09T20:26:00Z

Derivation of: #74 😍

This allows the Match.meta values to becomes lists if there are rule meta with the same name but different values. This is also to bring output from the Python library more inline with the output from the commandline.

ie. Suppose there's a match given for the following rule:

rule myRule :
{
	meta:
              ...
		malware = "BAD THING"
		malware = "REALLY BAD THING"
         ...
}

The corresponding values in Match.meta['malware'] will be:
["BAD THING", "REALLY BAD THING"] instead of just "REALLY BAD THING"

google-cla · 2022-03-09T20:26:05Z

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

For more information, open the CLA check for this pull request.

plusvic · 2022-03-10T10:16:21Z

But this breaks backward compatibility, right? People that are already using Match.meta do not expect to receive an array when they do Match.meta['malware']. We should keep with the approach followed in #74, add a new function for those that want to retrieve metadata with multiple values.

cccs-rs · 2022-03-10T12:31:36Z

But this breaks backward compatibility, right? People that are already using Match.meta do not expect to receive an array when they do Match.meta['malware']. We should keep with the approach followed in #74, add a new function for those that want to retrieve metadata with multiple values.

Could a flag in Rules.match() control this behaviour, say via a param overwrite_meta_values?
The flag will have the default state to maintain backwards compatibility, but for those that want this feature, they can change the flag.

Not sure if it's ideal to have a special function that outputs arrays for all metadata since it could just be a flag that changes the output from Dict[str, str] to Dict[str, List[str]].

plusvic · 2022-03-10T14:27:29Z

Yes, an argument allow_duplicate_metadata to Rules.match() that changes that behaviour should be fine. The default value would be False, which means that Match.meta will be a dictionary a Dict[key, value] as it is now. If the value is True , Match.meta will be a Dict[key, [value1, value2, ....]].

cccs-rs · 2022-03-14T14:25:41Z

bump?

cccs-rs · 2022-03-22T16:06:45Z

bump

cccs-rs · 2022-03-31T13:57:57Z

bump

cccs-rs · 2022-04-05T11:04:57Z

bump

cccs-rs · 2022-04-12T11:44:32Z

bump

cccs-rs · 2022-04-19T19:06:58Z

bump

cccs-rs · 2022-04-26T11:24:34Z

bump

plusvic · 2022-04-26T11:38:38Z

@cccs-rs, adding the same comment every week is not going to speed up things. It's ok to ping the maintainers from time to time, but not at this rate.

plusvic · 2022-05-19T08:59:41Z

yara-python.c

-    PyDict_SetItemString(meta_list, meta->identifier, object);
-    Py_DECREF(object);
+
+    if (CALLBACK_ALLOW_DUPLICATES){


The use of the global variable CALLBACK_ALLOW_DUPLICATES is not safe with concurrent code. A better solution is adding a new field allow_duplicate_metadata to the CALLBACK_DATA structure. This field would be initialized with the value passed to match, and the callback function receives a pointer to CALLBACK_DATA where all the context about the current scan can be found.

Updated, thanks for the feedback! 😀

plusvic · 2022-05-19T09:01:26Z

I also miss a test case for this new feature.

Allow metadata to contain a list of values

b7c0a5c

use flag to control if we want duplicative metadata

b34f37e

cccs-rs mentioned this pull request Mar 14, 2022

Switch yara-python to fork CybercentreCanada/assemblyline-service-yara#28

Merged

wxsBSD mentioned this pull request Apr 22, 2022

yara-python <-> yara inconsistent handling of metadata #205

Closed

plusvic reviewed May 19, 2022

View reviewed changes

add allow_duplicate_metadata to CALLBACK_DATA; add test for feature

9bb85eb

plusvic approved these changes May 20, 2022

View reviewed changes

plusvic merged commit d29ca08 into VirusTotal:master May 20, 2022

plusvic mentioned this pull request May 20, 2022

Provide duplicate meta keys as list instead of just the last seen value #74

Closed

Conversation

cccs-rs commented Mar 9, 2022

Uh oh!

google-cla bot commented Mar 9, 2022

Uh oh!

plusvic commented Mar 10, 2022

Uh oh!

cccs-rs commented Mar 10, 2022

Uh oh!

plusvic commented Mar 10, 2022

Uh oh!

cccs-rs commented Mar 14, 2022

Uh oh!

cccs-rs commented Mar 22, 2022

Uh oh!

cccs-rs commented Mar 31, 2022

Uh oh!

cccs-rs commented Apr 5, 2022

Uh oh!

cccs-rs commented Apr 12, 2022

Uh oh!

cccs-rs commented Apr 19, 2022

Uh oh!

cccs-rs commented Apr 26, 2022

Uh oh!

plusvic commented Apr 26, 2022

Uh oh!

plusvic May 19, 2022

Choose a reason for hiding this comment

Uh oh!

cccs-rs May 19, 2022

Choose a reason for hiding this comment

Uh oh!

plusvic commented May 19, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants