diff --git a/flow/record/fieldtypes/__init__.py b/flow/record/fieldtypes/__init__.py index 6eed1e0..27a13a3 100644 --- a/flow/record/fieldtypes/__init__.py +++ b/flow/record/fieldtypes/__init__.py @@ -767,7 +767,8 @@ def __new__(cls, value: str) -> command: # an '%' for an environment variable # r'\\' for a UNC path # the strip and check for ":" on the second line is for `:` - windows = value.startswith((r"\\", "%")) or value.lstrip("\"'")[1] == ":" + stripped_value = value.lstrip("\"'") + windows = value.startswith((r"\\", "%")) or (len(stripped_value) >= 2 and stripped_value[1] == ":") if windows: cls = windows_command diff --git a/tests/test_fieldtypes.py b/tests/test_fieldtypes.py index cb187b3..c8fc2d2 100644 --- a/tests/test_fieldtypes.py +++ b/tests/test_fieldtypes.py @@ -1075,9 +1075,16 @@ def test_command_integration_none(tmp_path: pathlib.Path) -> None: # Test a quoted path (r"'c:\path to some exe' /d /a", r"c:\path to some exe", [r"/d /a"]), # Test a unquoted path - (r"'c:\Program Files\hello.exe'", r"c:\Program Files\hello.exe", []), + (r"\Users\test\hello.exe", r"\Users\test\hello.exe", []), # Test an unquoted path with a path as argument - (r"'c:\Program Files\hello.exe' c:\startmepls.exe", r"c:\Program Files\hello.exe", [r"c:\startmepls.exe"]), + (r"\Users\test\hello.exe c:\startmepls.exe", r"\Users\test\hello.exe", [r"c:\startmepls.exe"]), + # Test a quoted UNC path + (r"'\\192.168.1.2\Program Files\hello.exe'", r"\\192.168.1.2\Program Files\hello.exe", []), + # Test an unquoted UNC path + (r"\\192.168.1.2\Users\test\hello.exe /d /a", r"\\192.168.1.2\Users\test\hello.exe", [r"/d /a"]), + # Test an empty command string + (r"''", r"", []), + # Test None (None, None, None), ], )