Skip to content

Refactor parser pipeline with streaming input #12

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
coffeegist wants to merge 102 commits into from
Closed

Refactor parser pipeline with streaming input #12

coffeegist wants to merge 102 commits into from

Conversation

@coffeegist
Copy link
Contributor

@coffeegist coffeegist commented Oct 27, 2025

Overview

Refactors the parsing pipeline to use streaming input instead of loading entire files into memory. This architectural change prepares the codebase for better memory efficiency and sets the foundation for future optimizations.

Changes

  • Introduced DataSource and DataStream abstractions with generator-based processing
  • Implemented FileDataStream, OutflankDataStream, and MythicDataStream
  • Refactored parsers to use BoundaryBasedParser pattern
  • Streamlined parser registration in ParsingPipelineFactory
  • Cleaned up imports and removed unused parser code
  • Updated tests to be compliant with the new architecture

Testing

  • All existing tests pass
  • Verified output matches previous implementation using JSON diffs

Notes

  • This PR contains only architectural changes, no algorithm optimizations
  • Follow-up PR will include performance improvements built on this foundation

Tw1sm and others added 30 commits August 9, 2023 14:31
@Tw1sm
update JSON specs for BH CE (v5.0.0)
d0d951e
@coffeegist
* Require changelog updates for PRs coming into main
a058bcb
@coffeegist
* Add opened event to changelog action
57d1ce3
@coffeegist
* Update github checkout action to v4 and set fetch-depth to 0
03e7795
@coffeegist
* Fetch origin on changelog checks
e5f907f
@coffeegist
* Tag v0.2.1 for release
a05a761
@Tw1sm
giant push of session/local group handling
3b7fb6e
@Tw1sm
add log with ldap/sessions/localgroup for additional test cases
844be35
@Tw1sm
add crossRef model for tracking domain netBIOS names (for session cor…
af5a5b6 
…relation)
@Tw1sm
change crossref to referral
0f99a43
@Tw1sm
move sid check to should_import func
4cdd551
@Tw1sm
update marvel log with crossref query data
3d8e598
@Tw1sm
match sessions using NetWkstaGetInfo on NetBIOS domain name/hostname
627b243
@Tw1sm
add tests for fully processed local groups/session objects
6d51e14
@Tw1sm
upper nCName; fix test
6a83f85
@Tw1sm
remove weak computer matching on only samaccountname
7f8dd6a
@Tw1sm
change repository URLs
ba35bba
@Tw1sm
update readme
a8a965b
@Tw1sm
update changelog
5e1ee0b
@coffeegist
Merge pull request #4 from coffeegist/feature/parse-session-data
ee84bdf
@Tw1sm
ensure GPOs get domainsid attr set
790390c
@Tw1sm
update readme
7172f5b
@Tw1sm
Update README.md
9914ead
@Tw1sm
Merge pull request #5 from coffeegist/fix/gpo-json-domainsid-prop
e0c5d7d 
Fix/gpo json domainsid prop
@Tw1sm
add session blog
7409776
@Tw1sm
Merge pull request #6 from coffeegist/fix/readme
d811dd6 
README Update
update pyproject
2cb5742
update pyproject
05105e6
update pyproject
7356b40
Add PKI (ADCS) support
b8809fb
Tw1sm and others added 29 commits April 29, 2025 14:43
@Tw1sm
add test case and update changelog
91c1ae8
@Tw1sm
Merge pull request #28 from martanne/adexplorer
d227028 
Allow schemaIDGUID to be formatted as UUID
@JoernHe
Fix operatingsystemservicepack
ecbad8f
@Tw1sm
bump version and changelog
69689ac
@Tw1sm
Merge pull request #30 from JoernHe/patch-1
02d608d 
Fix: Prevent KeyError when 'operatingsystem' is missing during service pack append
@JoernHe
fix: Ensure self.certtemplates exists before iterating (#31)
fed5d2b 
* fix: Ensure self.certtemplates exists before iterating in resolve_published_templates

* update changelog
@Tw1sm
Feature/mythic (#32)
1629e61 
* tweak logging; start mythic parser

* add quiet flag

* updated ldapsearch BOF syntax in examples

* fix securityidentifier in test data

* uploader class to send files to BHCE

* update server default, move Path() cast

* readme/help edits

* suppress unverified https warning

* prep readme/changelog

* require mythic api token instead of user/pass

* prep merge
@Tw1sm
Feature/soapy (#33)
2227871 
* make search for non-cobalt log files more generic

* version and changelog
@Tw1sm
objectguids to uppercase
b66c13d
@Tw1sm
Merge pull request #34 from coffeegist/fix/objectguid
fa46676 
objectguids to uppercase
@IOKernel @Tw1sm
Fix to brc4 computer object parsing for msds-allowedtodelegateto (#35)
f1b3141 
* Fix to brc4 computer object parsing for msds-allowedtodelegateto

* add another variant for never expries

* Check if sid and object_type are solved, bloodhound-ce import fails if either is set to None

* bump version and changelog

---------

Co-authored-by: Tw1sm <[email protected]>
@Krypteria @Tw1sm
Bugfix - Neo.ClientError.Statement.TypeError on Computers (#36)
c858cd3 
* Bugfix - Neo.ClientError.Statement.TypeError

In some cases, msds-allowedtodelegateto generates an invalid map type that breaks the Bloodhound and Neo4ldap parser. Furthermore, this information is redundant, as the attribute is also stored as AllowedToDelegate.

* bump version & changelog

---------

Co-authored-by: Tw1sm <[email protected]>
@Bad-Jubies @Tw1sm
Add NoneType check for x509Certificate in build_certificate_chain (#38)
2a49ff7 
* Add NoneType check for x509Certificate in build_certificate_chain

* bump version + changelog

---------

Co-authored-by: Tw1sm <[email protected]>
@Tw1sm
fix links; pin click (#40)
a93c4a3
@coffeegist
* Rewrite ldapsearch bof parser to use streaming instead of loading f…
7fa848e 
…ile contents into memory
@coffeegist
* Remove random comment
f91ae98
@coffeegist
* Update parser class structure
685a718
@coffeegist
* Migrate to new datasource/datastream class design
47c7b9e
@coffeegist
* Add kwargs back to mock mythic login
31bba38
@coffeegist
* Remove unnecessary havoc parser
12a05f6 
* Remove MythicCallback wrapper
@coffeegist
* Convert outflank parser to a new DataStream strategy
3782a32
@coffeegist
* Implement BoundaryBasedParser parent class
99a7729
@coffeegist
Refactor parsers and models for consistency and clarity
83f6c6f 
- Updated attribute names in LocalGroupMembership, LocalPrivilegedSession, LocalRegistrySession, and LocalSession classes to use lowercase for consistency.
- Removed the GenericParser class and replaced its functionality with specific parsers for netloggedon, netsession, netlocalgroup, and regsession BOF outputs.
- Introduced new parsers: NetLocalGroupBofParser, NetLoggedOnBofParser, NetSessionBofParser, and RegSessionBofParser, each with specific start and end boundary patterns.
- Enhanced ParsingPipeline to register and process new parsers, allowing for better organization and handling of parsed objects.
- Updated tests to utilize the new parser structure and ensure correct parsing of BOF outputs.
- Removed unused shared parsers and generic parser code to streamline the codebase.
@coffeegist
* Remove ordering dependency from file glob test
9c4c887
@coffeegist
Refactor GPLink handling in BloodHoundDomain and BloodHoundOU classes…
c1f6b48 
…; add minimal OU GPLink log fixture for testing
@coffeegist
Refactor main function to improve local object parsing and logging; c…
3a1a307 
…onsolidate local group/session object retrieval
@coffeegist
Refactor parser handling in main function and ParsingPipelineFactory;…
e14837c 
… streamline parser registration based on type
@coffeegist
Refactor imports in main and test files; remove unused parser imports…
72bb90b 
… for clarity
@coffeegist
Bump version to 0.4.16 and update CHANGELOG for parser pipeline refactor
8857947
@coffeegist coffeegist closed this Oct 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@coffeegist @Tw1sm @martanne @JoernHe @IOKernel @Krypteria @Bad-Jubies