Handle date time value lists in output modules #452 (#4528)

config/dpkg/changelog

@@ -1,5 +1,5 @@
-plaso (20221227-1) unstable; urgency=low
+plaso (20221229-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Log2Timeline maintainers <[email protected]>  Tue, 27 Dec 2022 09:40:48 +0100
+ -- Log2Timeline maintainers <[email protected]>  Thu, 29 Dec 2022 08:14:22 +0100

plaso/__init__.py

@@ -6,4 +6,4 @@
 of log2timeline.
 """
 
-__version__ = '20221227'
+__version__ = '20221229'

plaso/formatters/default.py

@@ -45,6 +45,10 @@ def _FormatMessage(self, format_string, event_values):
       if isinstance(value, dfdatetime_interface.DateTimeValues):
         continue
 
+      if (isinstance(value, list) and value and
+          isinstance(value[0], dfdatetime_interface.DateTimeValues)):
+        continue
+
       text_pieces.append('{0:s}: {1!s}'.format(name, value))
 
     return super(DefaultEventFormatter, self)._FormatMessage(

plaso/multi_process/output_engine.py

@@ -80,6 +80,11 @@ def _GetEventDataContentIdentifier(self, event_data, event_data_stream):
         if isinstance(attribute_value, dfdatetime_interface.DateTimeValues):
           continue
 
+        if (isinstance(attribute_value, list) and attribute_value and
+            isinstance(attribute_value[0],
+                       dfdatetime_interface.DateTimeValues)):
+          continue
+
         if isinstance(attribute_value, dfvfs_path_spec.PathSpec):
           attribute_value = attribute_value.comparable
 

plaso/output/l2t_csv.py

@@ -186,6 +186,11 @@ def _FormatExtraAttributes(
       if isinstance(attribute_value, dfdatetime_interface.DateTimeValues):
         continue
 
+      if (isinstance(attribute_value, list) and attribute_value and
+          isinstance(attribute_value[0],
+                     dfdatetime_interface.DateTimeValues)):
+        continue
+
       # Some parsers have written bytes values to storage.
       if isinstance(attribute_value, bytes):
         attribute_value = attribute_value.decode('utf-8', 'replace')

plaso/output/rawpy.py

@@ -104,6 +104,11 @@ def _GetFormattedEventNativePython(
       if isinstance(attribute_value, dfdatetime_interface.DateTimeValues):
         continue
 
+      if (isinstance(attribute_value, list) and attribute_value and
+          isinstance(attribute_value[0],
+                     dfdatetime_interface.DateTimeValues)):
+        continue
+
       # Some parsers have written bytes values to storage.
       if isinstance(attribute_value, bytes):
         attribute_value = attribute_value.decode('utf-8', 'replace')

plaso/output/shared_json.py

@@ -52,6 +52,11 @@ def _WriteSerializedDict(
         if isinstance(attribute_value, dfdatetime_interface.DateTimeValues):
           continue
 
+        if (isinstance(attribute_value, list) and attribute_value and
+            isinstance(attribute_value[0],
+                       dfdatetime_interface.DateTimeValues)):
+          continue
+
         event_values[attribute_name] = attribute_value
 
     if event_data_stream:

plaso/output/shared_opensearch.py

@@ -336,6 +336,11 @@ def _GetSanitizedEventValues(
         if isinstance(attribute_value, dfdatetime_interface.DateTimeValues):
           continue
 
+        if (isinstance(attribute_value, list) and attribute_value and
+            isinstance(attribute_value[0],
+                       dfdatetime_interface.DateTimeValues)):
+          continue
+
         event_values[attribute_name] = attribute_value
 
     if event_data_stream:

plaso/parsers/filestat.py

@@ -144,6 +144,9 @@ def ParseFileEntry(self, parser_mediator, file_entry):
     attribute_names = []
     for attribute in file_entry.attributes:
       attribute_name = getattr(attribute, 'name', None)
+      if isinstance(attribute_name, bytes):
+        attribute_name = attribute_name.decode('utf-8')
+
       if file_system_type != 'NTFS' and attribute_name:
         attribute_names.append(attribute_name)