Merge branch 'main' into ruff

dissect/util/sid.py

@@ -5,7 +5,7 @@
 from typing import BinaryIO
 
 
-def read_sid(fh: BinaryIO | bytes, endian: str = "<") -> str:
+def read_sid(fh: BinaryIO | bytes, endian: str = "<", swap_last: bool = False) -> str:
     """Read a Windows SID from bytes.
 
     Normally we'd do this with cstruct, but do it with just struct to keep dissect.util dependency-free.
@@ -23,18 +23,26 @@ def read_sid(fh: BinaryIO | bytes, endian: str = "<") -> str:
     Args:
         fh: A file-like object or bytes object to read the SID from.
         endian: Optional endianness for reading the sub authorities.
+        swap_list: Optional flag for swapping the endianess of the _last_ sub authority entry.
     """
     if isinstance(fh, bytes):
         fh = io.BytesIO(fh)
 
-    revision, sub_authority_count, authority = struct.unpack("BB6s", fh.read(8))
+    buf = fh.read(8)
+    revision = buf[0]
+    sub_authority_count = buf[1]
+    authority = int.from_bytes(buf[2:], "big")
 
-    sub_authorities = struct.unpack(f"{endian}{sub_authority_count}I", fh.read(sub_authority_count * 4))
+    sub_authority_buf = bytearray(fh.read(sub_authority_count * 4))
+    if sub_authority_count and swap_last:
+        sub_authority_buf[-4:] = sub_authority_buf[-4:][::-1]
+
+    sub_authorities = struct.unpack(f"{endian}{sub_authority_count}I", sub_authority_buf)
 
     sid_elements = [
         "S",
         f"{revision}",
-        f"{authority[-1]}",
+        f"{authority}",
     ]
     sid_elements.extend(map(str, sub_authorities))
     return "-".join(sid_elements)

tests/test_sid.py

@@ -22,17 +22,52 @@ def id_fn(val: bytes | str) -> str:
 
 
 @pytest.mark.parametrize(
-    ("binary_sid", "readable_sid"),
+    ("binary_sid", "readable_sid", "endian", "swap_last"),
     [
-        (b"\x01\x00\x00\x00\x00\x00\x00\x00", "S-1-0"),
-        (b"\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00", "S-1-1-0"),
+        (
+            b"\x01\x00\x00\x00\x00\x00\x00\x00",
+            "S-1-0",
+            "<",
+            False,
+        ),
+        (
+            b"\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00",
+            "S-1-1-0",
+            "<",
+            False,
+        ),
         (
             b"\x01\x04\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x15\xcd\x5b\x07\x00\x00\x00\x10\xf4\x01\x00\x00",
             "S-1-5-21-123456789-268435456-500",
+            "<",
+            False,
+        ),
+        (
+            io.BytesIO(b"\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00"),
+            "S-1-1-0",
+            "<",
+            False,
+        ),
+        (
+            b"\x01\x04\x00\x00\x00\x00\x00\x05\x00\x00\x00\x15\x07\x5b\xcd\x15\x10\x00\x00\x00\x00\x00\x01\xf4",
+            "S-1-5-21-123456789-268435456-500",
+            ">",
+            False,
+        ),
+        (
+            b"\x01\x04\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x15\xcd\x5b\x07\x00\x00\x00\x10\x00\x00\x01\xf4",
+            "S-1-5-21-123456789-268435456-500",
+            "<",
+            True,
+        ),
+        (
+            b"\x01\x04\x00\x00\x00\x00\x00\x05\x00\x00\x00\x15\x07\x5b\xcd\x15\x10\x00\x00\x00\xf4\x01\x00\x00",
+            "S-1-5-21-123456789-268435456-500",
+            ">",
+            True,
         ),
-        (io.BytesIO(b"\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00"), "S-1-1-0"),
     ],
     ids=id_fn,
 )
-def test_read_sid(binary_sid: bytes | BinaryIO, readable_sid: str) -> None:
-    assert readable_sid == sid.read_sid(binary_sid)
+def test_read_sid(binary_sid: bytes | BinaryIO, endian: str, swap_last: bool, readable_sid: str) -> None:
+    assert readable_sid == sid.read_sid(binary_sid, endian, swap_last)