importlib fix for zipped pkg; catch stream decode errors; handle /Nam…

…es better

CHANGELOG.md

@@ -1,5 +1,10 @@
 # NEXT RELEASE
 
+# 1.10.8
+* Fix `importlib.resources` usage in case there's a zip file
+* `/Names` is an indeterminate reference type
+* Catch stream decode exceptions and show error instead of failing.
+
 # 1.10.7
 * Improve the handling of ColorSpace and Resources nodes
 

pdfalyzer/decorators/pdf_tree_node.py

@@ -13,6 +13,7 @@
 from anytree import NodeMixin, SymlinkNode
 from PyPDF2.generic import (DictionaryObject, EncodedStreamObject, IndirectObject, NumberObject, PdfObject,
      StreamObject)
+from PyPDF2.errors import PdfReadError
 from rich.markup import escape
 from rich.panel import Panel
 from rich.table import Table
@@ -53,7 +54,14 @@ def __init__(self, obj: PdfObject, address: str, idnum: int):
         self.all_references_processed = False
 
         if isinstance(obj, StreamObject):
-            self.stream_data = self.obj.get_data()
+            try:
+                self.stream_data = self.obj.get_data()
+            except PdfReadError as e:
+                msg = f"Failed to decode stream: {e}"
+                self.stream_data = msg
+                log.error(msg)
+                console.print_exception()
+
             self.stream_length = len(self.stream_data)
         else:
             self.stream_data = None

pdfalyzer/detection/yaralyzer_helper.py

@@ -1,17 +1,32 @@
 """
 Class to help with the pre-configured YARA rules in /yara.
 """
-import importlib.resources
+from importlib.resources import as_file, files
+from typing import Optional, Union
 
 from yaralyzer.yaralyzer import Yaralyzer
 
-YARA_RULES_DIR = importlib.resources.path('pdfalyzer', 'yara_rules')
+YARA_RULES_DIR = files('pdfalyzer').joinpath('yara_rules')
 
+YARA_RULES_FILES = [
+    'lprat.static_file_analysis.yara',
+    'PDF.yara',
+    'PDF_binary_stream.yara',
+]
 
 def get_file_yaralyzer(file_path_to_scan: str) -> Yaralyzer:
     """Get a yaralyzer for a file path"""
-    return Yaralyzer.for_rules_dirs([str(YARA_RULES_DIR)], file_path_to_scan)
+    return _build_yaralyzer(file_path_to_scan)
 
 
 def get_bytes_yaralyzer(scannable: bytes, label: str) -> Yaralyzer:
-    return Yaralyzer.for_rules_dirs([str(YARA_RULES_DIR)], scannable, label)
+    return _build_yaralyzer(scannable, label)
+
+
+def _build_yaralyzer(scannable: Union[bytes, str], label: Optional[str] = None) -> Yaralyzer:
+    # TODO: ugh this sucks (handling to extract .yara files from a python pkg zip)
+    with as_file(YARA_RULES_DIR.joinpath(YARA_RULES_FILES[0])) as yara0:
+        with as_file(YARA_RULES_DIR.joinpath(YARA_RULES_FILES[1])) as yara1:
+            with as_file(YARA_RULES_DIR.joinpath(YARA_RULES_FILES[2])) as yara2:
+                rules_paths = [str(y) for y in [yara0, yara1, yara2]]
+                return Yaralyzer.for_rules_files(rules_paths, scannable, label)

pdfalyzer/util/adobe_strings.py

@@ -33,6 +33,7 @@
 K               = '/K'  # Equivalent of /Kids for /StructElem
 KIDS            = PagesAttributes.KIDS
 LAST            = '/Last'
+NAMES           = '/Names'
 NEXT            = '/Next'
 NUMS            = '/Nums'
 OBJECT_STREAM   = '/ObjStm'
@@ -104,6 +105,7 @@
     FIELDS,   # At least for  /AcroForm
     FIRST,
     FONT,
+    NAMES,
     OPEN_ACTION,
     P,   # At least for widgets...
     RESOURCES,

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pdfalyzer"
-version = "1.10.7"
+version = "1.10.8"
 description = "A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more."
 authors = ["Michel de Cryptadamus <[email protected]>"]
 license = "GPL-3.0-or-later"