Introduce UEFI Firmware Analyzer #93
…dashboard and unified CLI
Technical Details:
- Created 'uefi_analyzer' module consolidating analysis and reporting logic.
- Implemented 'BiosAnalyzer' with Flash-accurate metrics:
  - Physical Flash Occupancy: Strict constraint based on root-level FV allocation.
  - Deep Analysis (Logical): Captures decompressed component data.
- Developed interactive HTML Dashboard with modern UI:
  - Hierarchical tree explorer for FVs, FFS files, and Sections.
  - Absolute start/end hexadecimal address ranges for all components.
  - Intelligent recursive search with automatic parent expansion.
  - Progress bars for space utilization at every nested level.
  - Raw JSON fallback for non-standard UEFI structures.
- Added 'uefi-analyze' unified CLI for one-step binary-to-dashboard workflow.
- Integrated UEFI Analysis into Windows Context Menu for right-click explorer access.
- Enhanced 'UefiParser' with robust UTF-8 handling and version metadata fixes.
- Bumped project version to 2.0.6.

pls review ++
Pull request overview
This PR introduces a comprehensive UEFI Firmware Analyzer module that provides both physical flash and logical (decompressed) analysis capabilities. The analyzer generates an interactive HTML dashboard with hierarchical exploration, space utilization metrics, and intelligent search functionality.
Changes:
- Created the 'uefi_analyzer' module with three core components: 'BiosAnalyzer' for metrics calculation, 'report_generator' for HTML dashboard generation, and 'cli' for the unified command-line interface
- Added the 'uefi-analyze' CLI command for a one-step binary-to-dashboard workflow
- Integrated UEFI analysis into the Windows Context Menu for right-click access
- Enhanced 'UefiParser' with improved UTF-8 handling and version metadata robustness
- Bumped project version to 2.0.6
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/xmlcli/modules/winContextMenu/xmlcli_registry_listener.py | Adds new "analyze_uefi" command that chains JSON generation with dashboard creation |
| src/xmlcli/modules/uefi_analyzer/report_generator.py | Implements HTML dashboard generator with embedded JavaScript for interactive firmware visualization |
| src/xmlcli/modules/uefi_analyzer/cli.py | Provides unified CLI entry point that handles both binary parsing and JSON analysis workflows |
| src/xmlcli/modules/uefi_analyzer/bios_analyzer.py | Implements core analysis logic with separate physical/logical metrics calculation |
| src/xmlcli/modules/uefi_analyzer/analyze_view.py | Alternative entry point for analysis-only workflow when JSON already exists |
| src/xmlcli/modules/uefi_analyzer/init.py | Package initialization file |
| src/xmlcli/modules/uefi_analyzer/README.md | Documentation for the UEFI analyzer module features and usage |
| src/xmlcli/common/bios_fw_parser.py | Fixes exception handling syntax and adds robustness for version attribute access |
| src/xmlcli/_version.py | Increments BUILD number from 5 to 6 |
| pyproject.toml | Updates version to 2.0.6 and registers new CLI command |
| output = uefi_parser.sort_output_fv(output) | ||
| output_json_file = os.path.join(self.output_directory, "{}.json".format(self.binary_file_name)) | ||
| uefi_parser.write_result_to_file(output_json_file, output_dict=output) | ||
| return output_json_file |
Copilot AI, Jan 19, 2026
The new command_analyze_uefi method lacks test coverage. Since other command methods in this file appear to have corresponding tests, this new functionality should also be tested to verify the chaining of JSON generation and analysis works correctly.
| """ | ||
|
|
||
| def generate_report(analysis_data, output_file): | ||
| report_content = HTML_TEMPLATE.replace("{{DATA_JSON}}", json.dumps(analysis_data, ensure_ascii=False)) |
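Review bot: the ensure_ascii=False in the last line of this hunk means every non-ASCII character, including U+2028/U+2029 from firmware metadata, reaches the HTML verbatim, so the template must be written with encoding='utf-8' and declare <meta charset="utf-8"> or those names are mangled in the dashboard. Keeping the default ensure_ascii=True would avoid both problems at no cost to the JSON, though it still does not neutralise a literal '</script' in the data, which needs its own escaping before the str.replace into the <script> block.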
Copilot AI, Jan 19, 2026
The analysis_data is directly embedded into HTML via string replacement without sanitization. If the JSON contains malicious content (e.g., </script><script>alert('XSS')</script>), it could lead to XSS vulnerabilities. Consider using proper escaping or a templating library that handles injection prevention.
| report_content = HTML_TEMPLATE.replace("{{DATA_JSON}}", json.dumps(analysis_data, ensure_ascii=False)) | |
| data_json = json.dumps(analysis_data, ensure_ascii=False) | |
| # Escape sequences that could break out of the <script> context | |
| data_json = data_json.replace("</", "<\\/") | |
| data_json = data_json.replace("\u2028", "\\u2028").replace("\u2029", "\\u2029") | |
| report_content = HTML_TEMPLATE.replace("{{DATA_JSON}}", data_json) |
As the source is not generated externally, this doesn't expose us to the upload of any random malicious JSON, but only to firmware parsed from a binary following the Platform Initialisation spec.
Hence it's not applicable in this case.
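The script-context escaping discussed in the comment above, as an added example that is not code from the PR: a constructed analysis record whose component name carries the quoted </script> breakout is embedded both the PR's way and with the escaping applied, and the result is checked for a second closing tag and for lossless round-tripping. HTML_TEMPLATE and SAMPLE_ANALYSIS are stand-ins assumed here, not the module's own.

```python
import json
import re

# Constructed sample, not data from the PR: a component name carries the
# </script> breakout quoted in the review, and a note holds raw U+2028.
SAMPLE_ANALYSIS = {
    "image": "constructed.bin",
    "components": [
        {"name": "PeiCore", "start": "0x0", "end": "0x1000"},
        {"name": "</script><script>alert('XSS')</script>",
         "start": "0x1000", "end": "0x2000", "note": "line\u2028sep"},
    ],
}

# Stand-in for the module's HTML_TEMPLATE (assumed shape, same placeholder).
HTML_TEMPLATE = ('<html><head><meta charset="utf-8"></head><body>'
                 '<script>const DATA = {{DATA_JSON}};</script></body></html>')


def embed_naive(analysis_data):
    """The PR's approach: json.dumps dropped straight into the template."""
    return HTML_TEMPLATE.replace("{{DATA_JSON}}",
                                 json.dumps(analysis_data, ensure_ascii=False))


def json_for_script(analysis_data):
    """JSON text safe to inline in a <script> element. json.dumps never emits
    an unescaped quote or backslash, so the only ways out of the string are an
    HTML parser seeing '</script' or '<!--' and the U+2028/2029 separators;
    \\uXXXX escapes stay valid JSON, so the browser decodes the originals."""
    data_json = json.dumps(analysis_data, ensure_ascii=False)
    for raw, escaped in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                         ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        data_json = data_json.replace(raw, escaped)
    return data_json


def embed_safe(analysis_data):
    return HTML_TEMPLATE.replace("{{DATA_JSON}}", json_for_script(analysis_data))


def script_breakout(html):
    """True if an HTML parser would see a second </script> inside the data."""
    after_open = html.split("<script>", 1)[1]
    return len(re.findall(r"</script", after_open, re.IGNORECASE)) > 1


def round_trips(analysis_data):
    """The escaped text must parse back to exactly the original structure."""
    return json.loads(json_for_script(analysis_data)) == analysis_data
```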
|
|
||
| if open_browser: | ||
| print("Opening dashboard in browser...") | ||
| webbrowser.open(f"file:///{report_file}") |
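Review bot: beyond the backslash problem, the f"file:///{report_file}" in the last line of this hunk is also wrong when report_file is relative or contains spaces or '#', since nothing is percent-encoded. Resolve it first with os.path.abspath(report_file) and then call pathlib.Path(...).as_uri(), which requires an absolute path and quotes the rest for you.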
Copilot AI, Jan 19, 2026
The file URL construction using f-string concatenation may produce malformed URLs on Windows with backslashes. Use pathlib.Path(report_file).as_uri() or urllib.parse.urljoin('file:', pathname2url(report_file)) for proper cross-platform file URL formatting.
| with open(file_path, 'r') as f: | ||
| return json.load(f) |
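Review bot: open(file_path, 'r') in the first line of this hunk reads with the locale codepage; if the producer of the JSON wrote non-ASCII component names (the report side already dumps with ensure_ascii=False), the same file raises UnicodeDecodeError on a Windows host with a non-UTF-8 codepage. Pass encoding='utf-8' here, matching whatever writes the file, in addition to the error handling suggested.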
Copilot AI, Jan 19, 2026
The load_json method doesn't handle potential JSONDecodeError or FileNotFoundError exceptions. When these errors occur, users will see a generic Python stack trace rather than a helpful error message explaining that the JSON file is invalid or missing.
| with open(file_path, 'r') as f: | |
| return json.load(f) | |
| try: | |
| with open(file_path, 'r') as f: | |
| return json.load(f) | |
| except FileNotFoundError as e: | |
| raise FileNotFoundError(f"JSON file not found: {file_path}") from e | |
| except json.JSONDecodeError as e: | |
| raise ValueError(f"Invalid JSON content in file '{file_path}': {e}") from e |
Not applicable.
| with open(output_file, 'w') as f: | ||
| json.dump(data, f, indent=4) |
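Review bot: json.dump in the second line of this hunk runs with the default ensure_ascii=True, so the bytes written are pure ASCII and the missing encoding= cannot corrupt this file; adding encoding='utf-8' is still worthwhile so the reader and writer agree if ensure_ascii is ever switched off for consistency with report_generator.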
Copilot AI, Jan 19, 2026
The save_analysis method writes JSON files without UTF-8 encoding specification. For consistency with the report_generator (line 552) which uses encoding='utf-8', and to prevent potential encoding issues with special characters in firmware metadata, add encoding='utf-8' to the open() call.
Report generation is in HTML; however, the JSON would be a record parsed as per the PI spec and doesn't stand a chance of such corruption or unexpected characters.
| comp = self.compare(names[i], names[j]) | ||
| comp_file = os.path.join(output_dir, f"compare_{names[i]}_vs_{names[j]}.json") | ||
| with open(comp_file, 'w') as f: | ||
| json.dump(comp, f, indent=4) |
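Review bot: names[i] and names[j] are interpolated unsanitised into the output file name in the second line of this hunk; if they are derived from user-supplied input file names, a name containing a path separator or '..' places compare_*.json outside output_dir, and one containing ':' or '<' fails outright on Windows. Reduce each name to os.path.basename and a safe character set (or use the index) before building the path.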
Copilot AI, Jan 19, 2026
Similar to the previous comment, this JSON dump should also specify UTF-8 encoding for the file handle to maintain consistency and prevent encoding issues.
|
|
||
| def main(): | ||
| parser = argparse.ArgumentParser(description="BIOS Analysis View Generator") | ||
| parser.add_argument("json_files", nargs="+", help="JSON files produced by UefiParser") |
Copilot AI, Jan 19, 2026
The help text should clarify the expected file format or provide an example path. Currently 'JSON files produced by UefiParser' is vague for users unfamiliar with the tool's output format.
| parser.add_argument("json_files", nargs="+", help="JSON files produced by UefiParser") | |
| parser.add_argument("json_files", nargs="+", help="Path(s) to firmware analysis JSON file(s) generated by UefiParser (e.g. /path/to/image1_uefi.json)") |
Commentary suggestion only. Not applicable.
For Issue #8
Technical Details:
Test Plan
Step 1: Parse the Binary to JSON
Step 2: Generate the Analysis Dashboard
uefi-analyze "C:\path\to\binary.bin"