log2timeline / l2tscaffolder

Scaffolders for bootstrapping development of open source forensics tools.
http://l2tscaffolder.readthedocs.io/
Apache License 2.0

l2tscaffolder fails to create parser #71

Closed infosecjosh closed 5 years ago

infosecjosh commented 5 years ago

l2tscaffolder has syntax error when creating parser

ERROR:root:Syntax error while attempting to generate parser, error message: invalid syntax (, line 30)

Did some testing and did a generic SQL "SELECT from table;" and "SELECT from table"

A clear and concise description of what the bug is.

To Reproduce

Steps to reproduce the behavior:

  1. What definition was selected 2 - plaso

  2. Answers to questions

$ l2t_scaffolder.py
== Starting the scaffolder ==
Gathering required information.

Available definitions:
[0] timesketch
[1] turbinia
[2] plaso
Definition choice: 2
plaso chosen.

Path to the project root: /home/forensics/plaso
Path [/home/forensics/plaso] set as the project path.

Name of the module to be generated. This can be something like "foobar sqlite" or "event analytics".

This will be used for class name generation and file name prefixes.
Module Name: android_googlemail
About to create a new feature branch to store newly generated code.
ERROR:root:Running: "git show-ref --verify --quiet refs/heads/"android_googlemail"" failed with error: .
Creating feature branch: android_googlemail inside /home/forensics/plaso
Switching to feature branch android_googlemail

Available scaffolders for plaso:
[0] sqlite
Scaffolder choice: 0

Define the name of the callback function (key) that will be called for every row returned from the SQL query (value). The plugin will execute the SQL query and call the callback once for each resulting row. The name of the function should follow style guide and be descriptive. An example of that is a SQL statement that fetches bookmarks, the key name should be Bookmark, or if the SQL statement collects GPS coordinates it could be called Location.
Callback function name [#1]: Messages
SQL Statement [#1]: SELECT * from messages
More entries? [Y/n]: n

List of required tables
Value to add [#1]: messages
Add more values? [Y/n]: n

Absolute or relative path to the file that will be used for tests.
Value: /home/forensics/google_db/mailstore.user@gmail.com.db
Ready to generate files? [Y/n]: y
File: /home/forensics/plaso/test_data/mailstore.jpinkman2018@gmail.com.db written to disk.
ERROR:root:Syntax error while attempting to generate parser, error message: invalid syntax (, line 30)
File: /home/forensics/plaso/tests/parsers/sqlite_plugins/android_googlemail.py written to disk.
File: /home/forensics/plaso/plaso/formatters/android_googlemail.py written to disk.
File: /home/forensics/plaso/tests/formatters/android_googlemail.py written to disk.
File: /home/forensics/plaso/plaso/formatters/init.py written to disk.
File: /home/forensics/plaso/plaso/parsers/sqlite_plugins/init.py written to disk.

  3. Error message, or output that was unexpected

"File: /home/forensics/plaso/plaso/parsers/sqlite_plugins/android_googlemail.py written to disk"

l2tscaffolder Version l2tscaffolder==20190103

kiddinn commented 5 years ago

ok, I was able to reproduce this, looking at what the bug is and then I'll submit a fix

kiddinn commented 5 years ago

OK, debugging this shows:

SyntaxError('invalid syntax', ('<unknown>', 30, 10, '      self.* = None\n'))

So line 30 in the sqlite_plugin.jinja2....

{% for attr in query_columns[query_name]|sort(false) %}self.{{ attr }} = None

So looking at the query columns here... I get:

{'Messages': ['*']}

If you would do something different than select * then this will work.... since now the generator tries to add the attribute "self.*" which is not valid.

I will add a check to see whether a select * is selected, and advise against it....

You should be able to create the plugin if you change from "SELECT *" to "SELECT column_a, column_b, ...."

kiddinn commented 5 years ago

Now when you try to run the generate this way you get:

Callback function name [#1]: Messages
SQL Statement [#1]: SELECT * FROM messages 
More entries? [Y/n]: n
Unable to configure, with error: UnableToConfigure('Unable to generate parser while using * to select columns. Please adjust your SELECT statements to include explicit column names.',)
Want to try again? [Y/n]:  

That is, you'll need to redo the SQL statement.

And if you redo the statement:

Callback function name [#1]: Messages
SQL Statement [#1]: SELECT Message,Timestamp,Foobar FROM messages
More entries? [Y/n]: n

It will be accepted and the parser will be generated...
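The check described in this thread generalizes to any value that ends up as an attribute name in generated code. The following is an added example, not l2tscaffolder's own code: `columns_from_query`, `render_attributes` and the local `UnableToConfigure` class are hypothetical stand-ins, and using `ast.parse` as the final check is an assumption of this sketch.

```python
import ast
import keyword
import re


class UnableToConfigure(Exception):
    """Local stand-in for the error name shown in the thread."""


# Captures the column list between SELECT and FROM.
_SELECT_RE = re.compile(
    r'^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s', re.IGNORECASE | re.DOTALL)


def columns_from_query(query):
    """Returns attribute names for a SELECT, refusing anything unsafe to emit."""
    match = _SELECT_RE.match(query)
    if not match:
        raise UnableToConfigure('Not a SELECT ... FROM statement: %r' % query)

    columns = []
    # A plain comma split also breaks up function calls such as
    # COALESCE(a, b); the pieces then fail the identifier test below,
    # so the check fails closed instead of emitting broken code.
    for raw in match.group('cols').split(','):
        # Prefer an "AS alias", then drop a "table." prefix.
        name = re.split(r'\s+AS\s+', raw.strip(), flags=re.IGNORECASE)[-1]
        name = name.rsplit('.', 1)[-1].strip()
        if name == '*':
            raise UnableToConfigure(
                'Unable to generate parser while using * to select columns. '
                'Please adjust your SELECT statements to include explicit '
                'column names.')
        if not name.isidentifier() or keyword.iskeyword(name):
            raise UnableToConfigure(
                'Column %r is not a valid Python attribute name.' % name)
        columns.append(name)
    return sorted(columns, key=str.lower)


def render_attributes(columns):
    """Renders the 'self.<attr> = None' lines and verifies that they parse."""
    source = ''.join('self.%s = None\n' % name for name in columns)
    ast.parse(source)  # Raises SyntaxError before anything is written to disk.
    return source


if __name__ == '__main__':
    # Constructed input, taken from the accepted statement in the thread.
    query = 'SELECT Message,Timestamp,Foobar FROM messages'
    print(render_attributes(columns_from_query(query)), end='')
```

Validating before rendering means a rejected query leaves no partially generated files behind.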

infosecjosh commented 5 years ago

Thanks