Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create Generic.Remediation.UploadFile.Glob.yaml #574

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Create Generic.Remediation.UploadFile.Glob.yaml #574

wants to merge 3 commits into from

Conversation

Che4ter
Copy link

@Che4ter Che4ter commented Apr 24, 2023

Create an artifact to upload a file to the target destination. If the target already exists, it will be overridden. The artefact uses the glob, so you can upload the file to multiple locations at once.

@Che4ter
Create Generic.Remediation.UploadFile.Glob.yaml
83fb508 
Create an artifact to upload a file to the target destination. If the target already exists, it will be overridden. 
The artefact uses the glob, so you can upload the file to multiple locations at once.
@CLAassistant
Copy link

CLAassistant commented Apr 24, 2023
edited
Loading

CLA assistant check
All committers have signed the CLA.

@Che4ter
Update Generic.Remediation.UploadFile.Glob.yaml
3bfe5ef 
Fix copy past error in the directory exclusion
scudette
scudette reviewed Apr 28, 2023
View reviewed changes
content/exchange/artifacts/Generic.Remediation.UploadFile.Glob.yaml Outdated
SELECT OSPath,Overridden,Size,Mtime,Ctime,Btime,IsDir,IsLink
FROM if(condition=ReallyDoIt,
then= upload_targets,
else= { SELECT *, FALSE as Overridden FROM upload_targets } )
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you tested this actually stops it from overriding? I think it might be safer to just use an if() here:

if(condition = ReallyDoIt, then=copy(filename=UploadedFile.FullPath[0], accessor="file", dest=OSPath)) AS Overwritten

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it works fine. I used it multiple times during my last engagement. Most of the logic is copied from another artefact: https://docs.velociraptor.app/exchange/artifacts/pages/globremediation/

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its not really the same as that artifact - you can see in GlobRemediation the bottom query is

SELECT ...
      FROM if(condition=ReallyDoIt,
            then= delete_targets,
            else= { SELECT *, FALSE as Removed FROM targets } )

So depending on the condition it will choose a completely different query - one for delete and one for just showing.

But in this artifact it chooses the same query in both cases, it just replaces the column that removes with FALSE. This generally also works because VQL is generally lazy and wont evaluate a column that got replaced but it is quite fragile and potentially dangerous in this case.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your explanations. I've changed it to an if statement and simplified the query a bit.

@Che4ter
Update Generic.Remediation.UploadFile.Glob.yaml
7c26096 
Fixed unsafe override protection.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@scudette scudette scudette left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Che4ter @CLAassistant @scudette