Bugfix: Fixed broken links in dashboard (#3817)

Extended the link_to() VQL function to support more objects, such as
uploads.

Also fixed timezone issues in graphs.

artifacts/definitions/Demo/Plugins/GUI.yaml

@@ -392,3 +392,25 @@ sources:
                          B=dict(z=1,
                                 nesting=dict(Foo="Hello world"))))) AS A
           FROM scope()
+
+      - type: VQL
+        template: |
+          /*
+          # Test the link_to() VQL Function
+          */
+          LET ColumnTypes <= dict(
+            LinkToFlow="url_internal",
+            LinkToHunt="url_internal",
+            LinkToArtifact="url_internal",
+            Download="url_internal",
+            LinkToClient="url_internal")
+
+          LET s = scope()
+          LET Uploaded <= upload(accessor="data", file="Hello", name="test.txt")
+
+          SELECT link_to(client_id=ClientId, flow_id=s.FlowId || "F.123") AS LinkToFlow,
+                 link_to(client_id=ClientId) AS LinkToClient,
+                 link_to(hunt_id=s.HuntId || "H.123") AS LinkToHunt,
+                 link_to(artifact=ArtifactName) AS LinkToArtifact,
+                 link_to(upload=Uploaded) AS Download
+          FROM scope()

artifacts/definitions/Server/Import/CuratedSigma.yaml

@@ -19,7 +19,6 @@ parameters:
       - Velociraptor Hayabusa Ruleset
       - Velociraptor Hayabusa Live Detection
       - Velociraptor ChopChopGo Ruleset (Linux)
-      - Velociraptor Curated Windows Ruleset
 
   - name: Prefix
     description: Add this prefix to imported artifacts

artifacts/definitions/Server/Import/PreviousReleases.yaml

@@ -23,14 +23,11 @@ parameters:
     description: |
       The Velociraptor Release to import.
     type: choices
-    default: v0.7.1
+    default: v0.72
     choices:
-      - v0.6.6
-      - v0.6.7
-      - v0.6.8
-      - v0.6.9
       - v0.7.0
       - v0.7.1
+      - v0.72
 
 sources:
   - query: |

artifacts/definitions/Server/Internal/ToolDependencies.yaml

@@ -7,19 +7,19 @@ description: |
 
 tools:
   - name: VelociraptorWindows
-    url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.0-rc1-windows-amd64.exe
+    url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.1-windows-amd64.exe
     serve_locally: true
-    version: 0.73.0-rc1
+    version: 0.73.1
 
   - name: VelociraptorWindows_x86
-    url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.0-rc1-windows-386.exe
+    url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.1-windows-386.exe
     serve_locally: true
-    version: 0.73.0-rc1
+    version: 0.73.1
 
   - name: VelociraptorLinux
-    url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.0-rc1-linux-amd64-musl
+    url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.1-linux-amd64-musl
     serve_locally: true
-    version: 0.73.0-rc1
+    version: 0.73.1
 
   # On MacOS we can not embed the config in the binary so we use a
   # shell script stub instead. See
@@ -31,11 +31,11 @@ tools:
     serve_locally: true
 
   - name: VelociraptorWindowsMSI
-    url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.0-rc1-windows-amd64.msi
+    url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.1-windows-amd64.msi
     serve_locally: true
-    version: 0.73.0-rc1
+    version: 0.73.1
 
   - name: VelociraptorWindows_x86MSI
-    url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.0-rc1-windows-386.msi
+    url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.1-windows-386.msi
     serve_locally: true
-    version: 0.73.0-rc1
+    version: 0.73.1

artifacts/definitions/Server/Monitor/Health.yaml

@@ -75,24 +75,28 @@ reports:
             <span class="row">
               <span class="col-sm panel">
                CPU and Memory Utilization
-               {{- Query "CPU" | LineChart "xaxis_mode" "time" "RSS.yaxis" 2 -}}
+               {{- Query "CPU" | TimeChart "RSS.yaxis" 2 -}}
               </span>
               <span class="col-sm panel">
                Currently Connected Clients
-               {{- Query "CurrentConnections" | LineChart "xaxis_mode" "time" "RSS.yaxis" 2 -}}
+               {{- Query "CurrentConnections" | TimeChart "RSS.yaxis" 2 -}}
               </span>
             </span>
           </span>
 
       ## Current Orgs
+      {{ define "OrgsTable" }}
+         LET ColumnTypes <= dict(ClientConfig='url_internal')
+         LET OrgsTable = SELECT Name, OrgId,
+                         upload(accessor='data', file=_client_config,
+                                name='client.'+OrgId+'.config.yaml') AS _Upload
+         FROM orgs()
+
+         SELECT Name, OrgId, link_to(upload=_Upload) AS ClientConfig
+         FROM OrgsTable
+      {{ end }}
 
-      {{ Query "LET ColumnTypes <= dict(ClientConfig='url_internal') \
-                SELECT Name, OrgId, \
-                       format(format='[%s](/notebooks/Dashboards/%s/uploads/data/client.%s.config.yaml)', \
-                       args=[OrgId, ArtifactName, OrgId]) AS ClientConfig, \
-                       upload(accessor='data', file=_client_config, \
-                              name='client.'+OrgId+'.config.yaml') AS _Upload \
-                FROM orgs() " | Table }}
+      {{ Query "OrgsTable" | Table }}
 
       ## Disk Space
 

artifacts/testdata/server/testcases/link_to.in.yaml

@@ -1,7 +1,16 @@
 Queries:
+  # Client links automatically add hostname by default. Lets create a client to show it.
+  - LET ClientId <= client_create(client_id="C.123", hostname="My Client Hostname")
+  - LET Upload <= upload(accessor='data', file="hello", name="Text.txt")
+
   - |
-    SELECT link_to(hunt_id="H.1234", type="hunt", text="Hunt Link") ,
-           link_to(client_id="C.123", flow_id="F.123", text='Flow link'),
-           link_to(client_id="C.123", artifact="Custom.Artifact.Name", text='Event link', type="event"),
-           link_to(artifact="Custom.Artifact.Name", text='Artifact link', type="artifact")
+    SELECT link_to(hunt_id="H.1234", text="Hunt Link") AS HuntLink,
+           link_to(client_id="C.123", flow_id="F.123") AS FlowLink,
+           link_to(client_id="C.123") AS ClientLink,
+           link_to(client_id="C.123", artifact="Custom.Artifact.Name",
+                   text='Event link') AS ArtifactLink,
+           link_to(artifact="Custom.Artifact.Name", text='Artifact link'),
+           link_to(upload=Upload) AS Download
     FROM scope()
+
+  - LET _ <= SELECT * FROM client_delete(client_id="C.123", really_do_it=TRUE)

artifacts/testdata/server/testcases/link_to.out.yaml

@@ -1,13 +1,18 @@
-SELECT link_to(hunt_id="H.1234", type="hunt", text="Hunt Link") ,
-       link_to(client_id="C.123", flow_id="F.123", text='Flow link'),
-       link_to(client_id="C.123", artifact="Custom.Artifact.Name", text='Event link', type="event"),
-       link_to(artifact="Custom.Artifact.Name", text='Artifact link', type="artifact")
+LET ClientId <= client_create(client_id="C.123", hostname="My Client Hostname")[]LET Upload <= upload(accessor='data', file="hello", name="Text.txt")[]SELECT link_to(hunt_id="H.1234", text="Hunt Link") AS HuntLink,
+       link_to(client_id="C.123", flow_id="F.123") AS FlowLink,
+       link_to(client_id="C.123") AS ClientLink,
+       link_to(client_id="C.123", artifact="Custom.Artifact.Name",
+               text='Event link') AS ArtifactLink,
+       link_to(artifact="Custom.Artifact.Name", text='Artifact link'),
+       link_to(upload=Upload) AS Download
 FROM scope()
 [
  {
-  "link_to(hunt_id=\"H.1234\", type=\"hunt\", text=\"Hunt Link\")": null,
-  "link_to(client_id=\"C.123\", flow_id=\"F.123\", text='Flow link')": null,
-  "link_to(client_id=\"C.123\", artifact=\"Custom.Artifact.Name\", text='Event link', type=\"event\")": null,
-  "link_to(artifact=\"Custom.Artifact.Name\", text='Artifact link', type=\"artifact\")": null
+  "HuntLink": "[Hunt Link](/?org_id=root#/hunts/H.1234/overview)",
+  "FlowLink": "[F.123](/?org_id=root#/collected/C.123/F.123/overview)",
+  "ClientLink": "[C.123 (My Client Hostname)](/?org_id=root#/host/C.123)",
+  "ArtifactLink": "[Event link](/?org_id=root#/host/C.123)",
+  "link_to(artifact=\"Custom.Artifact.Name\", text='Artifact link')": "[Artifact link](/?org_id=root#/artifacts/Custom.Artifact.Name)",
+  "Download": "[/uploads/data/Text.txt](/api/v1/DownloadVFSFile?fs_components=uploads\u0026fs_components=data\u0026fs_components=Text.txt\u0026org_id=root\u0026vfs_path=%2Fuploads%2Fdata%2FText.txt)"
  }
-]
+]LET _ <= SELECT * FROM client_delete(client_id="C.123", really_do_it=TRUE)[]

constants/constants.go

@@ -23,7 +23,7 @@ import (
 )
 
 const (
-	VERSION = "0.73.0-rc1"
+	VERSION = "0.73.1"
 
 	ENROLLMENT_WELL_KNOWN_FLOW   = "E:Enrol"
 	MONITORING_WELL_KNOWN_FLOW   = FLOW_PREFIX + "Monitoring"

docs/deadcode.yaml

@@ -27,6 +27,12 @@ IgnoreFunctions:
   - Tracker.Debug
   - QueryLogType.Clear
   - SetPageSize
+  - mockUUID.GetGUID
+  - MockGUID
+  - SetFlowIdForTests
+  - ConstantIdGenerator.Next
+  - MockedScope.GetPlugin
+  - NewMockScope
 
   # Used to support cloudvelo
   - OverrideDatastoreImplementation

docs/references/vql.yaml

@@ -4359,7 +4359,53 @@
   - windows_386_cgo
   - windows_amd64_cgo
 - name: link_to
-  description: Create a url linking to a particular part in the Velociraptor GUI.
+  description: |
+    Create a url linking to a particular part in the Velociraptor GUI.
+
+    This function knows about how Velociraptor web app is routed
+    internally and can help you generate a valid URL that links into
+    the app. You can then use this URL to share a reference via
+    e.g. email, slack or other means.
+
+    The links generated will be in markdown format by default (i.e. of
+    the for `[Text](url)`). If you need a raw link without the text,
+    specify the `raw` parameter as TRUE.
+
+    If a link text is not supplied, this function will create a
+    default text message:
+
+    * For client links this text will also include the hostname
+    * For artifact links, this will include the artifact name
+    * For hunt, flows etc the text will be the hunt id, flow id etc.
+
+    By default the link will refer to the current org but you can
+    override this with the org id.
+
+    If you want to display the links in the notebook within the GUI
+    table you will need to set the column type to `url_internal` or
+    `url`.
+
+    NOTE: This function makes no effort to check if the link is
+    actually valid - i.e. it does not check that the client id refers
+    to a real client, flow id to a real flow, etc.
+
+    ### Example
+
+    ```sql
+    // Setting this in a notebook will tell the GUI to treat this
+    // column as URL.
+    LET ColumnTypes <= dict(HuntLink="url_internal")
+
+    SELECT link_to(hunt_id="H.1234") AS HuntLink,
+           link_to(client_id="C.123", flow_id="F.123") AS FlowLink,
+           link_to(client_id="C.123") AS ClientLink,
+           link_to(client_id="C.123", artifact="Custom.Artifact.Name",
+                   text='Event link') AS ArtifactLink,
+           link_to(artifact="Custom.Artifact.Name"),
+           link_to(upload=Upload) AS Download
+    FROM scope()
+    ```
+
   type: Function
   args:
   - name: type
@@ -4369,6 +4415,10 @@
     type: string
   - name: flow_id
     type: string
+  - name: upload
+    type: ordereddict.Dict
+    description: Upload object for the file to upload (upload object is returned by
+      the upload() function)
   - name: tab
     type: string
     description: The tab to focus - can be overview, request, results, logs, notebook
@@ -4381,6 +4431,9 @@
   - name: artifact
     type: string
     description: The artifact to retrieve
+  - name: raw
+    type: bool
+    description: When specified we emit a raw URL (without autodetected text)
   - name: org
     type: string
     description: If set the link accesses a different org. Otherwise we accesses the
@@ -9271,7 +9324,6 @@
     ```sql
     SELECT typeof(x=1) AS Type FROM scope()
     ```
-
   type: Function
   platforms:
   - linux_amd64_cgo