Target-query Error : IndexError: string index out of range

[arnvtn]

Hi!
I have the following error when doing target-query -f runkeys mnt/fs/C :

  File "/home/airflow/.local/bin/target-query", line 8, in <module>
    sys.exit(main())
  File "/home/airflow/.local/lib/python3.10/site-packages/dissect/target/tools/utils.py", line 255, in wrapper
    return func(\**args, \**\\*kwargs)
  File "/home/airflow/.local/lib/python3.10/site-packages/dissect/target/tools/query.py", line 384, in main
    raise e
  File "/home/airflow/.local/lib/python3.10/site-packages/dissect/target/tools/query.py", line 373, in main
    for record_entries in entry:
  File "/home/airflow/.local/lib/python3.10/site-packages/dissect/target/plugins/os/windows/regf/runkeys.py", line 78, in runkeys
    yield RunKeyRecord(
  File "/home/airflow/.local/lib/python3.10/site-packages/dissect/target/helpers/record.py", line 78, in __call__
    return super().__call__(\**args, \**\\*kwargs)
  File "/home/airflow/.local/lib/python3.10/site-packages/flow/record/base.py", line 594, in __call__
    return self.recordType(\**args, \**\\*kwargs)
  File "<string>", line 30, in __init__
  File "/home/airflow/.local/lib/python3.10/site-packages/flow/record/base.py", line 194, in __setattr__
    v = field_type(v)
  File "/home/airflow/.local/lib/python3.10/site-packages/flow/record/fieldtypes/__init__.py", line 759, in __new__
    windows = value.startswith((r"
", "%")) or value.lstrip("\"'")[1] == ":"
IndexError: string index out of range

I'm working on Ubuntu 22.04.

Does anyone know what's causing this problem?

[arnvtn]

I tried to debug the problem by displaying the value of value in the .local/lib/python3.10/site-packages/flow/record/fieldtypes/__init__.py file, and found an empty line. I think that's where the problem comes from.

[arnvtn]

I thought the problem probably stemmed from the empty line in value, so I added the test if len(value.lstrip("\"'")) >= 1: in the .local/lib/python3.10/site-packages/flow/record/fieldtypes/__init__.py file at line 759 and it works:

def __new__(cls, value: str) -> command:
        if cls is not command:
            return super().__new__(cls)

        if not isinstance(value, str):
            raise ValueError(f "Expected a value of type 'str' not {type(value)}")

        # pre checking for windows like paths
        # This checks for windows like starts of a path:
        # an '%' for an environment variable
        # r'\\' for a UNC path
        # the strip and check for ":" on the second line is for `<drive_letter>:`
        if len(value.lstrip("\"'")) >= 1:
            windows = value.startswith((r"\\", "%")) or value.lstrip("\"'")[1] == ":"

            if windows:
                cls = windows_command
            else:
                cls = posix_command
            return super().__new__(cls)

I've tested it on several targets, and it seems to work all the time.

[Poeloe]

Hi @arnvtn,

Thanks for bringing up this issue with the command fieldtype in flow.record.

I've created a PR in the flow.record repository to fix this issue (slightly different solution, but close to your suggestion 😉). I also included some additional tests, including the test for an empty command string. I think that was the issue that you experienced, right?

You're welcome to test the solution on your data and report if this entirely fixes your issue.