timesketch icon indicating copy to clipboard operation
timesketch copied to clipboard

Published 20 hours ago verified publisher icon google

Refactor the .plaso check in importer

Open jaegeral opened this issue 3 years ago • 2 comments

Currently the import client and the backend check for .plaso in the filename to verify it is a plaso file. This is not perfect from user perspective as well as error safe.

Instead the import should check on actual content in the file based on the .plaso format.

jaegeral avatar Apr 28 '21 20:04 jaegeral

This check should also be done for JSON(L)and CSV files. At this moment, if a user submits a file without an extension, the server will throw an error and the imported timeline will be stuck on indexing.

itsmvd avatar May 04 '21 02:05 itsmvd

The simplest solution would be to check the file's mime-type. Python provides a module for that, but it guesses the file type based on its extension.

python-magic is a wrapper around libmagic, so it can detect json and csv files well. It wouldn't be able to detect .plaso files by default since there seems to be no mime type for plaso files, so a custom magic file would be needed.

jacadzaca avatar Sep 01 '22 18:09 jacadzaca