Merge pull request #927 from jedi22/xattr_plist

eXtended attribute table optimization
2024-11-07 18:08:53 +00:00 · 2015-04-02 14:46:48 -07:00 · 2015-04-02 14:46:48 -07:00 · 59d79ee385
commit 59d79ee385
parent da0ce578da 9a1fdf0cbe
4 changed files with 28 additions and 283 deletions
--- a/osquery/tables/CMakeLists.txt
+++ b/osquery/tables/CMakeLists.txt
@ -41,7 +41,7 @@ if(APPLE)
    system/darwin/sysctl_utils.cpp
    system/darwin/xprotect.cpp
    system/darwin/nfs_shares.cpp
-    system/darwin/xattr.cpp
+    system/darwin/xattr_where_from.cpp
  )

  ADD_OSQUERY_LINK(FALSE "-framework CoreFoundation")
@ -133,7 +133,6 @@ ADD_OSQUERY_LIBRARY(TRUE osquery_utility_tables

 ADD_OSQUERY_TEST(FALSE etc_hosts_tests networking/etc_hosts_tests.cpp)
 if(APPLE)
-  ADD_OSQUERY_TEST(FALSE xattr_tests system/darwin/xattr_tests.cpp)
  ADD_OSQUERY_TEST(FALSE apps_tests system/darwin/apps_tests.cpp)
  ADD_OSQUERY_TEST(FALSE certificates_tests system/darwin/certificates_tests.cpp)
  ADD_OSQUERY_TEST(FALSE firewall_tests system/darwin/firewall_tests.cpp)
--- a/osquery/tables/specs/darwin/xattr_where_from.table
+++ b/osquery/tables/specs/darwin/xattr_where_from.table
@ -7,4 +7,4 @@ schema([
    Column("download_page", TEXT),
    Column("raw64", TEXT),
 ])
-implementation("xattr@genXattr")
+implementation("xattr_where_from@genXattr")
--- a/osquery/tables/system/darwin/xattr_tests.cpp
+++ b/osquery/tables/system/darwin/xattr_tests.cpp
@ -1,206 +0,0 @@
-#include <gtest/gtest.h>
-#include <osquery/core.h>
-#include <osquery/tables.h>
-#include <osquery/logger.h>
-#include <string>
-#include <iostream>
-
-namespace osquery {
-namespace tables {
-struct XAttrField {
-  uint8_t type;
-  uint8_t header_length;
-  uint64_t length;
-};
-
-struct XAttrAttribute {
-  std::string attribute_data;
-  int return_value;
-  int buffer_length;
-};
-
-struct XAttrField getFieldLength(int buffer_position,
-                                 struct XAttrAttribute x_att_data);
-std::string fixString(const std::string& toFix);
-void parseWhereFromData(Row& r, const struct XAttrAttribute x_att);
-class XattrTests : public testing::Test {};
-
-TEST_F(XattrTests, test_correct_length_parse) {
-  struct XAttrAttribute xAttrTest;
-  xAttrTest.attribute_data = std::string(
-      "\x62\x70\x6C\x69\x73\x74\x30\x30\xA2\x01\x02\x5F\x10\x4F\x68\x74\x74\x70"
-      "\x3A\x2F\x2F\x69\x73\x6F\x73\x2E\x75\x62\x75\x6E\x74\x75\x2E\x6D\x69\x72"
-      "\x72\x6F\x72\x2E\x63\x6F\x6E\x73\x74\x61\x6E\x74\x2E\x63\x6F\x6D\x2F\x31"
-      "\x34\x2E\x30\x34\x2E\x31\x2F\x75\x62\x75\x6E\x74\x75\x2D\x31\x34\x2E\x30"
-      "\x34\x2E\x31\x2D\x64\x65\x73\x6B\x74\x6F\x70\x2D\x61\x6D\x64\x36\x34\x2E"
-      "\x69\x73\x6F\x5F\x10\x5E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x75"
-      "\x62\x75\x6E\x74\x75\x2E\x63\x6F\x6D\x2F\x64\x6F\x77\x6E\x6C\x6F\x61\x64"
-      "\x2F\x64\x65\x73\x6B\x74\x6F\x70\x2F\x74\x68\x61\x6E\x6B\x2D\x79\x6F\x75"
-      "\x3F\x63\x6F\x75\x6E\x74\x72\x79\x3D\x55\x53\x26\x76\x65\x72\x73\x69\x6F"
-      "\x6E\x3D\x31\x34\x2E\x30\x34\x2E\x31\x26\x61\x72\x63\x68\x69\x74\x65\x63"
-      "\x74\x75\x72\x65\x3D\x61\x6D\x64\x36\x34\x08\x0B\x5D\x00\x00\x00\x00\x00"
-      "\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00"
-      "\x00\x00\x00\x00\x00\x00\x00\x00\xBE",
-      225);
-  xAttrTest.return_value = 1;
-  struct XAttrField result_f1 = getFieldLength(12, xAttrTest);
-  struct XAttrField result_f2 = getFieldLength(94, xAttrTest);
-  EXPECT_TRUE(result_f1.length == 79);
-  EXPECT_TRUE(result_f2.length == 94);
-}
-
-TEST_F(XattrTests, test_correct_length_long_parse) {
-  struct XAttrAttribute xAttrTest;
-  xAttrTest.attribute_data = std::string(
-      "\x62\x70\x6C\x69\x73\x74\x30\x30\xA2\x01\x02\x5F\x11\x04\xF3\x68\x74\x74"
-      "\x70\x73\x3A\x2F\x2F\x64\x6C\x2E\x62\x6F\x78\x63\x6C\x6F\x75\x64\x2E\x63"
-      "\x6F\x6D\x2F\x62\x63\x2F\x34\x2F\x62\x36\x61\x66\x38\x62\x37\x32\x61\x38"
-      "\x31\x31\x35\x36\x61\x62\x37\x32\x34\x32\x33\x38\x31\x62\x30\x36\x63\x65"
-      "\x61\x36\x30\x62\x2F\x35\x34\x6D\x43\x70\x4A\x34\x35\x53\x38\x30\x32\x72"
-      "\x5F\x6E\x41\x4D\x43\x59\x52\x66\x5A\x5F\x50\x5F\x57\x34\x48\x6E\x6F\x6D"
-      "\x72\x45\x46\x4C\x73\x46\x66\x52\x77\x7A\x6D\x67\x54\x46\x6E\x36\x38\x78"
-      "\x33\x30\x44\x50\x5A\x50\x52\x6D\x70\x4A\x70\x71\x4E\x5F\x72\x4C\x73\x42"
-      "\x6A\x4C\x50\x31\x34\x50\x79\x69\x43\x47\x71\x4F\x38\x70\x48\x6B\x6A\x51"
-      "\x5F\x71\x67\x51\x52\x62\x58\x36\x61\x74\x41\x39\x59\x43\x46\x6D\x45\x78"
-      "\x74\x69\x47\x41\x53\x59\x50\x45\x31\x6C\x6B\x52\x6E\x72\x32\x66\x75\x49"
-      "\x68\x6B\x39\x77\x74\x52\x77\x58\x7A\x6B\x30\x6F\x59\x2D\x47\x43\x4A\x56"
-      "\x5A\x2D\x74\x4D\x41\x67\x46\x37\x49\x30\x45\x56\x6B\x74\x34\x35\x2D\x4F"
-      "\x58\x49\x37\x38\x54\x7A\x4C\x6E\x44\x68\x73\x53\x54\x4D\x63\x6E\x4C\x68"
-      "\x6E\x77\x6A\x6F\x6D\x62\x39\x79\x57\x53\x62\x36\x67\x52\x7A\x58\x6F\x5F"
-      "\x41\x32\x76\x35\x54\x4E\x7A\x53\x39\x42\x5A\x4E\x78\x4E\x68\x41\x50\x30"
-      "\x4F\x4F\x31\x57\x71\x5A\x2D\x47\x53\x5A\x56\x50\x6C\x79\x78\x42\x32\x30"
-      "\x58\x65\x51\x72\x52\x67\x38\x69\x36\x4D\x43\x41\x4A\x64\x74\x32\x78\x5A"
-      "\x6F\x58\x54\x73\x50\x34\x53\x4B\x59\x4F\x38\x71\x4B\x61\x62\x79\x62\x79"
-      "\x6D\x31\x62\x4B\x79\x62\x4A\x73\x56\x55\x36\x38\x4C\x70\x68\x7A\x65\x45"
-      "\x75\x68\x36\x59\x4A\x46\x4B\x51\x31\x37\x50\x42\x57\x58\x67\x57\x49\x32"
-      "\x69\x52\x71\x34\x48\x2D\x62\x7A\x44\x54\x72\x70\x52\x32\x6D\x6B\x6A\x6B"
-      "\x54\x41\x72\x4C\x65\x45\x63\x6B\x57\x4D\x37\x6E\x53\x50\x70\x51\x64\x73"
-      "\x71\x4B\x4D\x54\x75\x47\x45\x6C\x55\x68\x76\x54\x43\x61\x7A\x45\x4E\x7A"
-      "\x67\x4C\x6E\x41\x6B\x38\x69\x35\x37\x38\x61\x6A\x76\x73\x32\x75\x74\x6C"
-      "\x33\x30\x70\x78\x65\x36\x6A\x66\x77\x45\x6F\x43\x6E\x4F\x70\x77\x49\x4F"
-      "\x31\x71\x55\x71\x73\x5A\x2D\x52\x4C\x51\x6D\x35\x70\x42\x64\x4F\x6A\x54"
-      "\x46\x34\x75\x72\x6C\x69\x51\x47\x68\x33\x67\x65\x36\x43\x34\x7A\x55\x58"
-      "\x6B\x72\x51\x44\x49\x70\x5F\x5A\x56\x71\x72\x79\x62\x36\x66\x74\x59\x79"
-      "\x7A\x73\x4A\x41\x68\x4A\x33\x6D\x6C\x32\x34\x2D\x67\x64\x73\x58\x39\x37"
-      "\x38\x2D\x61\x38\x67\x67\x2D\x6E\x6E\x55\x36\x39\x56\x39\x6F\x42\x58\x4A"
-      "\x7A\x75\x31\x48\x5A\x68\x2D\x46\x62\x70\x53\x37\x6B\x36\x56\x51\x7A\x35"
-      "\x42\x72\x65\x69\x33\x72\x6C\x63\x33\x6D\x4C\x39\x32\x38\x69\x58\x36\x37"
-      "\x46\x6B\x34\x4D\x49\x52\x45\x68\x76\x34\x32\x6B\x56\x33\x57\x32\x42\x4C"
-      "\x34\x64\x6E\x37\x70\x64\x76\x70\x74\x4E\x37\x4D\x53\x57\x55\x4F\x45\x30"
-      "\x79\x4F\x33\x59\x62\x41\x59\x53\x47\x69\x76\x6F\x59\x62\x51\x33\x71\x41"
-      "\x64\x4A\x34\x4E\x6E\x48\x50\x59\x6B\x6C\x4A\x6E\x44\x58\x71\x30\x42\x73"
-      "\x4D\x65\x5A\x30\x6A\x45\x53\x42\x52\x75\x38\x54\x4A\x51\x65\x4B\x30\x6E"
-      "\x4C\x76\x42\x52\x41\x38\x41\x79\x48\x65\x72\x57\x57\x50\x30\x71\x71\x44"
-      "\x32\x42\x35\x30\x76\x2D\x78\x55\x4B\x41\x39\x64\x36\x48\x57\x57\x4C\x34"
-      "\x62\x79\x79\x35\x51\x4F\x43\x5A\x68\x55\x44\x66\x61\x70\x7A\x46\x78\x5F"
-      "\x71\x54\x74\x6F\x63\x71\x47\x66\x55\x52\x35\x4F\x68\x56\x43\x72\x4D\x5A"
-      "\x39\x75\x76\x35\x6B\x4C\x33\x4E\x36\x47\x4F\x44\x55\x48\x37\x6D\x31\x30"
-      "\x76\x69\x58\x62\x69\x55\x42\x55\x64\x55\x45\x7A\x47\x70\x30\x41\x66\x32"
-      "\x30\x77\x6A\x67\x46\x46\x36\x70\x6E\x45\x72\x44\x55\x38\x69\x51\x6F\x79"
-      "\x38\x55\x43\x70\x47\x51\x49\x2D\x59\x6E\x30\x4B\x52\x52\x54\x77\x59\x32"
-      "\x62\x37\x4F\x67\x77\x71\x72\x55\x41\x57\x68\x70\x5F\x6D\x37\x5F\x47\x6C"
-      "\x64\x31\x4D\x67\x77\x5F\x44\x6C\x33\x2D\x4B\x7A\x36\x52\x35\x44\x36\x4E"
-      "\x7A\x75\x69\x74\x74\x2D\x42\x71\x35\x46\x70\x6C\x6C\x34\x33\x2D\x56\x43"
-      "\x69\x4B\x2D\x56\x45\x62\x35\x65\x34\x66\x70\x4C\x67\x68\x64\x6E\x68\x2D"
-      "\x46\x33\x76\x38\x5A\x78\x53\x79\x46\x39\x79\x33\x5F\x49\x4B\x4C\x47\x51"
-      "\x75\x52\x6A\x6D\x72\x4A\x45\x54\x67\x77\x73\x57\x42\x75\x5F\x73\x67\x79"
-      "\x70\x51\x53\x78\x49\x51\x69\x4F\x53\x65\x36\x6D\x4F\x69\x78\x79\x65\x79"
-      "\x34\x5F\x57\x51\x30\x30\x48\x4B\x48\x34\x70\x7A\x67\x33\x72\x42\x46\x68"
-      "\x57\x38\x73\x52\x6C\x7A\x33\x71\x42\x48\x53\x45\x6F\x6F\x4C\x30\x6E\x74"
-      "\x41\x2D\x51\x4C\x56\x48\x4C\x4B\x56\x79\x33\x47\x6E\x6A\x4B\x6F\x4F\x36"
-      "\x51\x64\x2D\x77\x34\x76\x64\x37\x4B\x61\x52\x66\x56\x4C\x36\x30\x68\x42"
-      "\x72\x52\x38\x36\x75\x70\x39\x65\x4D\x6B\x6A\x77\x58\x58\x6B\x45\x4F\x56"
-      "\x31\x41\x64\x51\x46\x58\x42\x47\x33\x53\x57\x78\x41\x50\x4F\x57\x6D\x72"
-      "\x76\x4B\x69\x65\x74\x72\x68\x47\x65\x48\x65\x79\x52\x31\x42\x5F\x62\x4F"
-      "\x67\x48\x4E\x34\x77\x38\x61\x61\x6D\x71\x36\x64\x6B\x38\x41\x48\x44\x4A"
-      "\x49\x4B\x4D\x49\x64\x66\x67\x2D\x30\x30\x37\x38\x48\x45\x61\x69\x38\x38"
-      "\x5F\x6C\x62\x67\x52\x6E\x42\x52\x49\x56\x35\x64\x36\x51\x43\x39\x50\x63"
-      "\x6B\x6A\x4E\x4A\x47\x71\x53\x66\x6D\x34\x57\x4E\x69\x59\x37\x66\x6B\x35"
-      "\x5F\x2D\x70\x30\x4A\x43\x32\x68\x5A\x50\x57\x46\x2D\x6E\x35\x74\x74\x6A"
-      "\x64\x65\x70\x6B\x31\x6F\x64\x38\x68\x4B\x6F\x6F\x4B\x65\x78\x56\x51\x45"
-      "\x58\x4A\x69\x4F\x5F\x61\x4B\x53\x70\x4C\x4E\x6C\x73\x7A\x55\x45\x61\x57"
-      "\x46\x4A\x56\x74\x31\x38\x4A\x63\x32\x69\x53\x76\x45\x41\x61\x78\x33\x66"
-      "\x45\x58\x57\x53\x61\x34\x35\x30\x2D\x5F\x34\x5F\x66\x33\x45\x44\x32\x56"
-      "\x77\x72\x45\x4D\x68\x6A\x52\x4A\x47\x75\x35\x74\x68\x54\x76\x64\x54\x52"
-      "\x6E\x4B\x67\x78\x37\x70\x75\x77\x78\x69\x70\x52\x53\x4D\x6D\x4B\x52\x4A"
-      "\x46\x73\x52\x2F\x5F\x10\x68\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E"
-      "\x72\x65\x64\x64\x69\x74\x2E\x63\x6F\x6D\x2F\x72\x2F\x4C\x65\x61\x72\x6E"
-      "\x4A\x61\x70\x61\x6E\x65\x73\x65\x2F\x63\x6F\x6D\x6D\x65\x6E\x74\x73\x2F"
-      "\x32\x72\x74\x38\x33\x76\x2F\x6D\x79\x5F\x6A\x61\x70\x61\x6E\x65\x73\x65"
-      "\x5F\x74\x65\x61\x63\x68\x65\x72\x5F\x67\x61\x76\x65\x5F\x6D\x65\x5F\x61"
-      "\x5F\x63\x68\x61\x72\x74\x5F\x6F\x66\x5F\x74\x69\x6D\x65\x5F\x62\x61\x73"
-      "\x65\x64\x2F\x00\x08\x00\x0B\x05\x02\x00\x00\x00\x00\x00\x00\x02\x01\x00"
-      "\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-      "\x00\x00\x00\x05\x6D",
-      1427);
-  xAttrTest.return_value = 1;
-  struct XAttrField result_f1 = getFieldLength(12, xAttrTest);
-  struct XAttrField result_f2 = getFieldLength(1283, xAttrTest);
-  EXPECT_TRUE(result_f1.length == 1267);
-  EXPECT_TRUE(result_f2.length == 104);
-}
-
-TEST_F(XattrTests, test_full_row_parse) {
-  Row r;
-  struct XAttrAttribute xAttrTest;
-  xAttrTest.attribute_data = std::string(
-      "\x62\x70\x6C\x69\x73\x74\x30\x30\xA2\x01\x02\x5F\x10\x37\x68\x74\x74\x70"
-      "\x3A\x2F\x2F\x73\x33\x2E\x61\x6D\x61\x7A\x6F\x6E\x61\x77\x73\x2E\x63\x6F"
-      "\x6D\x2F\x6F\x72\x64\x65\x72\x65\x64\x62\x79\x74\x65\x73\x2F\x43\x6F\x6E"
-      "\x74\x72\x6F\x6C\x6C\x65\x72\x4D\x61\x74\x65\x2E\x64\x6D\x67\x5F\x10\x2B"
-      "\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6F\x72\x64\x65\x72\x65\x64"
-      "\x62\x79\x74\x65\x73\x2E\x63\x6F\x6D\x2F\x63\x6F\x6E\x74\x72\x6F\x6C\x6C"
-      "\x65\x72\x6D\x61\x74\x65\x2F\x08\x0B\x45\x00\x00\x00\x00\x00\x00\x01\x01"
-      "\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-      "\x00\x00\x00\x00\x00\x73",
-      150);
-  xAttrTest.return_value = 1;
-  xAttrTest.buffer_length = 150;
-  parseWhereFromData(r, xAttrTest);
-  EXPECT_TRUE(r["download_url"].compare(
-                  "http://s3.amazonaws.com/orderedbytes/ControllerMate.dmg") ==
-              0);
-  EXPECT_TRUE(r["download_page"].compare(
-                  "http://www.orderedbytes.com/controllermate/") == 0);
-}
-
-TEST_F(XattrTests, test_fix_string) {
-  std::string fixme(
-      "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11"
-      "\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23"
-      "\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35"
-      "\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47"
-      "\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59"
-      "\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b"
-      "\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d"
-      "\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
-      "\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1"
-      "\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3"
-      "\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5"
-      "\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7"
-      "\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9"
-      "\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb"
-      "\xfc\xfd\xfe\xff",
-      256);
-  std::string result = fixString(fixme);
-  std::cout << result;
-  std::string good(
-      " %01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14%15%16%17%"
-      "18%19%1a%1b%1c%1d%1e%1f "
-      "!\"#$%&'()*+,-./"
-      "0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`"
-      "abcdefghijklmnopqrstuvwxyz{|}~%80%81%82%83%84%85%86%87%88%89%8a%8b%8c%"
-      "8d%8e%8f%90%91%92%93%94%95%96%97%98%99%9a%9b%9c%9d%9e%9f%a0%a1%a2%a3%a4%"
-      "a5%a6%a7%a8%a9%aa%ab%ac%ad%ae%af%b0%b1%b2%b3%b4%b5%b6%b7%b8%b9%ba%bb%bc%"
-      "bd%be%bf%c0%c1%c2%c3%c4%c5%c6%c7%c8%c9%ca%cb%cc%cd%ce%cf%d0%d1%d2%d3%d4%"
-      "d5%d6%d7%d8%d9%da%db%dc%dd%de%df%e0%e1%e2%e3%e4%e5%e6%e7%e8%e9%ea%eb%ec%"
-      "ed%ee%ef%f0%f1%f2%f3%f4%f5%f6%f7%f8%f9%fa%fb%fc%fd%fe%ff");
-  EXPECT_TRUE(good.compare(result));
-}
-}
-}
-
-int main(int argc, char* argv[]) {
-  testing::InitGoogleTest(&argc, argv);
-  return RUN_ALL_TESTS();
-}
--- a/osquery/tables/system/darwin/xattr_where_from.cpp
+++ b/osquery/tables/system/darwin/xattr_where_from.cpp
@ -2,10 +2,13 @@

 #include <string>
 #include <iomanip>
+#include <vector>

 #include <sys/xattr.h>

 #include <boost/filesystem.hpp>
+#include <boost/filesystem/path.hpp>
+#include <boost/property_tree/json_parser.hpp>

 #include <osquery/logger.h>
 #include <osquery/core.h>
@ -13,6 +16,8 @@
 #include <osquery/filesystem.h>
 #include <osquery/core/conversions.h>

+namespace pt = boost::property_tree;
+
 namespace osquery {
 namespace tables {

@ -78,85 +83,32 @@ struct XAttrAttribute getAttribute(const std::string& path,
  return x_att;
 }

-struct XAttrField getFieldLength(int buffer_position,
-                                 struct XAttrAttribute x_att_data) {
-  struct XAttrField field;
-  field.length = 0;
-  field.header_length =
-      ((unsigned char)x_att_data.attribute_data[buffer_position]) -
-      15; // Get the number of bytes
-  if (field.header_length > 8) {
-    field.header_length = 0;
-    return field;
-  }
-
-  for (unsigned int i = 1; i < field.header_length + 1; i++) {
-    field.length = field.length << 8;
-    field.length +=
-        (unsigned char)x_att_data.attribute_data[buffer_position + i];
-  }
-  return field;
-}
-
-std::string fixString(const std::string& toFix) {
-  std::stringstream result;
-  unsigned char byte;
-  int count = 0;
-  for (int i = 0; i < toFix.length(); ++i) {
-    byte = toFix[i];
-    if ((int)byte > 0x1F && (int)byte < 0x7F) {
-      result << byte;
-      continue;
-    } else if (byte == 0) {
-      result << ' ';
-    } else {
-      result << '%' << std::setfill('0') << std::setw(2) << std::hex
-             << (int)byte;
-    }
-    count++;
-  }
-  return result.str();
-}
-
-void parseWhereFromData(Row& r, const struct XAttrAttribute x_att) {
-  if (x_att.return_value == -1) {
-    VLOG(1) << handleError();
-  } else {
-    r["raw64"] = base64Encode(x_att.attribute_data);
-    if (x_att.buffer_length < 11 ||
-        0x5F != (unsigned char)x_att.attribute_data[11]) {
-      r["download_url"] = "No data";
-      r["download_page"] = "No data";
-    } else {
-      unsigned int starting_position = 12;
-      struct XAttrField field = getFieldLength(starting_position, x_att);
-      starting_position += 1 + field.header_length;
-      if (starting_position + field.length >= x_att.attribute_data.length()) {
-        return;
-      }
-      r["download_url"] = fixString(
-          x_att.attribute_data.substr(starting_position, field.length));
-      starting_position += field.length + 1;
-      if (starting_position + field.length >= x_att.attribute_data.length()) {
-        return;
-      }
-      field = getFieldLength(starting_position, x_att);
-      starting_position += field.header_length + 1;
-      r["download_page"] = fixString(
-          x_att.attribute_data.substr(starting_position, field.length));
-    }
-  }
-}
-
 void getFileData(Row& r,
                 const std::string& path,
                 const std::string& directory) {
-  r["path"] = path;
-  r["directory"] = directory;
-
  struct XAttrAttribute x_att =
      getAttribute(path, "com.apple.metadata:kMDItemWhereFroms");
-  parseWhereFromData(r, x_att);
+  r["path"] = path;
+  r["directory"] = directory;
+  r["raw64"] = base64Encode(x_att.attribute_data);
+
+  pt::ptree data;
+  osquery::parsePlistContent(x_att.attribute_data, data);
+
+  if(data.count("root") > 0){
+    std::vector<std::string> values;
+    for (const auto& node : data.get_child("root")) {
+      auto value = node.second.get<std::string>("", "");
+      values.push_back(value);
+    }
+    if(values.size() == 2){
+      r["download_url"] = values[0];
+      r["download_page"] = values[1];
+    }else{
+      r["download_url"] = "No data";
+      r["download_page"] = "No data";
+    }
+  }
 }

 QueryData genXattr(QueryContext& context) {