Improve tar loader for Windows filesystem tar files (fox-it#353)

Zawadidone · Apr 5, 2024 · cafc4fb · cafc4fb
1 parent cab9dba
commit cafc4fb
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 2 deletions.
diff --git a/dissect/target/loaders/tar.py b/dissect/target/loaders/tar.py
@@ -42,7 +42,7 @@ def map(self, target: target.Target) -> None:
             if member.name == ".":
                 continue
 
-            if not member.name.startswith("fs/") and not member.name.startswith("/sysvol"):
+            if not member.name.startswith(("/fs", "fs/", "/sysvol", "sysvol/")):
                 if "/" not in volumes:
                     vol = filesystem.VirtualFilesystem(case_sensitive=True)
                     vol.tar = self.tar
@@ -52,8 +52,10 @@ def map(self, target: target.Target) -> None:
                 volume = volumes["/"]
                 mname = member.name
             else:
-                if not member.name.startswith("/sysvol"):
+                if not member.name.startswith(("/sysvol", "sysvol/")):
                     parts = member.name.replace("fs/", "").split("/")
+                    if parts[0] == "":
+                        parts.pop(0)
                 else:
                     parts = member.name.lstrip("/").split("/")
                 volume_name = parts[0]

diff --git a/tests/data/test-windows-fs-c-absolute.tar b/tests/data/test-windows-fs-c-absolute.tar
diff --git a/tests/data/test-windows-fs-c-relative.tar b/tests/data/test-windows-fs-c-relative.tar
diff --git a/tests/data/test-windows-sysvol-absolute.tar b/tests/data/test-windows-sysvol-absolute.tar
diff --git a/tests/data/test-windows-sysvol-relative.tar b/tests/data/test-windows-sysvol-relative.tar
diff --git a/tests/test_loaders_tar.py b/tests/test_loaders_tar.py
@@ -1,5 +1,8 @@
+import pytest
+
 from dissect.target import Target
 from dissect.target.loaders.tar import TarLoader
+from dissect.target.plugins.os.windows._os import WindowsPlugin
 
 from ._utils import absolute_path
 
@@ -44,3 +47,18 @@ def test_tar_loader_compressed_tar_file_with_empty_dir(target_unix):
     empty_folder = target_unix.fs.path("test/empty_dir")
     assert empty_folder.exists()
     assert empty_folder.is_dir()
+
+
+@pytest.mark.parametrize(
+    "archive",
+    [
+        ("data/test-windows-sysvol-absolute.tar"),
+        ("data/test-windows-sysvol-relative.tar"),
+        ("data/test-windows-fs-c-relative.tar"),
+        ("data/test-windows-fs-c-absolute.tar"),
+    ],
+)
+def test_tar_loader_windows_sysvol_formats(target_default, archive):
+    loader = TarLoader(absolute_path(archive))
+    loader.map(target_default)
+    assert WindowsPlugin(target_default).detect(target_default)