yara-python <-> yara inconsistent handling of metadata

Question

yara-python <-> yara inconsistent handling of metadata

tlansec opened this issue 2 years ago · comments

If I have the following rule foo.yar:

rule my_metadata_rule
{
	meta:
		foo = "bar"
		foo = "rae"
	
	condition:
		true
}

And I use yara:

yara -m foo.yar foo.yar

my_metadata_rule [foo="bar",foo="rae"] foo.yar

I get the expected output where both metadata values are printed, but if using yara-python and inspecting a matches metadata, only the last value of "foo" is returned. I know in some older version of YARA duplicate metadata fields were not allowed and I suspect that this was never considered for YARA-python.

I am unsure what the best fix (or even if one is required) is, as potentially changing the match.meta object from a dictionary would likely break any existing integrations.

Cheers,
Tom

Wesley Shields · Answer 1 · Sat Apr 23 2022 04:49:56 GMT+0800 (China Standard Time)

There are a couple of open PRs for this:

#74

#201

But yes, you are right that this is a known issue. The problem is fixing it without breaking existing scripts that expect scalar values and not lists.

cccs-rs · Answer 2 · Fri May 20 2022 19:18:17 GMT+0800 (China Standard Time)

Should now be resolved in: d29ca08