Add warning for OBJECT_UNUSED in journal plugin (#971)

Author: JSCU-CNI

dissect/target/plugins/os/unix/log/journal.py

@@ -315,9 +315,18 @@ def __iter__(self) -> Iterator[dict[str, int | str]]:
         offset = self.header.entry_array_offset
         while offset != 0:
             self.fh.seek(offset)
+            object_type = self.fh.read(1)[0]
 
-            if self.fh.read(1)[0] != c_journal.ObjectType.OBJECT_ENTRY_ARRAY:
-                raise ValueError(f"Expected OBJECT_ENTRY_ARRAY at offset {offset}")
+            if object_type == c_journal.ObjectType.OBJECT_UNUSED:
+                self.target.log.warning(
+                    "ObjectType OBJECT_UNUSED encountered for next OBJECT_ENTRY_ARRAY offset at 0x%X. "
+                    "This indicates allocated space in the journal file which is not used yet.",
+                    offset,
+                )
+                break
+
+            elif object_type != c_journal.ObjectType.OBJECT_ENTRY_ARRAY:
+                raise ValueError(f"Expected OBJECT_ENTRY_ARRAY or OBJECT_UNUSED at offset {offset}")
 
             if self.header.incompatible_flags & c_journal.IncompatibleFlag.HEADER_INCOMPATIBLE_COMPACT:
                 entry_array_object = c_journal.EntryArrayObject_Compact(self.fh)

tests/_data/plugins/os/unix/log/journal/system.journal

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bd34a41863a93619bff6389d760dd3417652dc42083776bd8a13fa6a0725178e
+size 8388608

tests/_data/plugins/os/unix/log/journal/unused.journal

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb19305d131360a8b6ea15f8db3c906cb0bb10c92e2b29a3155cbbcf67cc53c2
+size 8388608

tests/_data/plugins/os/unix/log/journal/user-1000.journal

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d5dfb012b37018e9c39826ab0f44cd583045964c417e19bbaacbaefa74122da0
+size 16777216

tests/plugins/os/unix/log/test_journal.py

@@ -1,3 +1,6 @@
+import logging
+
+import pytest
 from flow.record.fieldtypes import datetime as dt
 
 from dissect.target.filesystem import VirtualFilesystem
@@ -28,3 +31,35 @@ def test_journal_plugin(target_unix: Target, fs_unix: VirtualFilesystem) -> None
     assert record.pid == 2096
     assert record.transport == "stdout"
     assert record.source == "/var/log/journal/1337/user-1000.journal"
+
+
+def test_journal_plugin_benchmark(target_unix: Target, fs_unix: VirtualFilesystem) -> None:
+    """test if we can parse some large journal files. this demonstrates how slow the journal plugin is."""
+
+    system_journal = absolute_path("_data/plugins/os/unix/log/journal/system.journal")
+    user_journal = absolute_path("_data/plugins/os/unix/log/journal/user-1000.journal")
+
+    fs_unix.map_file("/var/log/journal/deadbeef/system.journal", system_journal)
+    fs_unix.map_file("/var/log/journal/deadbeef/user-1000.journal", user_journal)
+    target_unix.add_plugin(JournalPlugin)
+
+    results = list(target_unix.journal())
+    assert len(results) == 252 + 17986
+
+
+def test_journal_plugin_unused_object(
+    caplog: pytest.LogCaptureFixture, target_unix: Target, fs_unix: VirtualFilesystem
+) -> None:
+    """test if we can handle OBJECT_UNUSED in journal files correctly."""
+
+    # unused.journal is a modified copy of system.journal at offset 0x393260.
+    # the next_entry_array_offset was set from 0x00 to 0x3C1337.
+    data_file = absolute_path("_data/plugins/os/unix/log/journal/unused.journal")
+    fs_unix.map_file("/var/log/journal/deadbeef/system.journal", data_file)
+    target_unix.add_plugin(JournalPlugin)
+
+    with caplog.at_level(logging.WARNING):
+        results = list(target_unix.journal())
+
+    assert "ObjectType OBJECT_UNUSED encountered for next OBJECT_ENTRY_ARRAY offset at 0x3C1337" in caplog.text
+    assert len(results) == 252