fd_fields bad typing breaks type checking #1443

Open
atcuno opened this issue Dec 18, 2024 · 5 comments
@atcuno
Contributor

atcuno commented Dec 18, 2024

The second element is listed as int:

https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/plugins/linux/lsof.py#L57

But it is really the file object for the file:

https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/plugins/linux/lsof.py#L70

@gcmoreira Can you double check this and fix as needed?

@gcmoreira
Contributor

It's a pointer (filp: file pointer) and a Pointer is an Integer in Volatility3.

@atcuno
Contributor Author

atcuno commented Dec 18, 2024

It isn't a pointer though, it is the instantiated file instance. Look at how get_inode is called on it a few lines later:

https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/plugins/linux/lsof.py#L73

@gcmoreira
Contributor

That's because the framework dereferences the pointer for you.
That's actually the result of files_descriptors_for_process(); this is documented here ... which was introduced in this commit. If you follow the code, see this code:

```python
fds = utility.array_of_pointers(fd_table, count = max_fds, subtype = file_type, context = context)
for (fd_num, filp) in enumerate(fds):
    if filp != 0:
        full_path = LinuxUtilities.path_for_file(task, filp)
        yield fd_num, filp, full_path
```

These are the file pointers from the task's file descriptor table.

@atcuno
Contributor Author

atcuno commented Dec 18, 2024

Could the API return a .dereference() of the pointer? Then things would be cleaner.

@gcmoreira
Contributor

I don't see any immediate issues with it. Applying changes here is painful since it affects lsof, netstat, and from there it potentially propagates elsewhere.
Is something specifically wrong, or is this just a Pyright limitation? Could you suppress the warning with a comment? Would properly typing file_descriptors_for_process() resolve it?

It is of course technically doable; however, it seems like a lot of effort affecting the versions of everything and potentially causing instability in those plugins just to resolve a warning.

BTW, any reason why you are using Pyright and not Pylance, which is a superset of Pyright and the official MS VSCode language server for Python?
https://marketplace.visualstudio.com/items?itemName=ms-python.vscode-pylance

Pylance is the default language support for [Python in Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-python.python) and is shipped as part of that extension as an optional dependency.
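
A simplified model of the behaviour debated in this thread, added here as an example and not taken from Volatility 3 or written by either participant: a pointer that is an `int` subclass and forwards attribute access to the object it points at. `File`, `Pointer`, `descriptors`, the helper functions and the sample addresses are constructed stand-ins.

```python
from typing import Dict, Iterator, List, Tuple

class File:
    """Stand-in for an instantiated file object (constructed for this example)."""
    def __init__(self, inode: int) -> None:
        self.inode = inode
    def get_inode(self) -> int:
        return self.inode

class Pointer(int):
    """Toy pointer: an int subclass that forwards attribute access to its target."""
    def __new__(cls, address: int, memory: Dict[int, File]) -> "Pointer":
        self = super().__new__(cls, address)
        self._memory = memory
        return self
    def dereference(self) -> File:
        return self._memory[int(self)]
    def __getattr__(self, name: str):
        # Reached only when normal lookup fails; private names are not forwarded.
        if name.startswith("_"):
            raise AttributeError(name)
        return getattr(self.dereference(), name)

def descriptors(fd_table: List[int], memory: Dict[int, File]) -> Iterator[Tuple[int, Pointer]]:
    """Yield (fd number, pointer) pairs, skipping empty slots like the quoted loop."""
    for fd_num, address in enumerate(fd_table):
        filp = Pointer(address, memory)
        if filp != 0:
            yield fd_num, filp

def inodes_implicit(fd_table: List[int], memory: Dict[int, File]) -> List[Tuple[int, int]]:
    # Works at runtime through __getattr__. If filp were annotated as plain
    # `int`, a static checker would find no get_inode attribute on it.
    return [(fd, filp.get_inode()) for fd, filp in descriptors(fd_table, memory)]

def inodes_explicit(fd_table: List[int], memory: Dict[int, File]) -> List[Tuple[int, int]]:
    # Explicit dereference: the checker sees a File, so get_inode resolves.
    return [(fd, filp.dereference().get_inode()) for fd, filp in descriptors(fd_table, memory)]

# Constructed sample data: two open descriptors and one empty slot.
MEMORY = {0x1000: File(11), 0x2000: File(22)}
FD_TABLE = [0x1000, 0, 0x2000]

if __name__ == "__main__":
    print(inodes_implicit(FD_TABLE, MEMORY))
    print(inodes_explicit(FD_TABLE, MEMORY))
```

Both helpers return the same values at runtime; the difference is only in what the annotation lets a type checker see.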
