logstash-codec-cef 5.0.4-java → 5.0.5-java

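--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 2d6aa2e3f0deee7e7dc16646e1803e2514f2e52e5396329c5ca8fbc6a9a11890
- data.tar.gz: fdca34d3a6ce64552a5965a60543c97bd23629ae521f04d9d2757c3f7f5d746a
+ metadata.gz: 6c2a4f967f4d2a3308e0205434cbfcd38bdf6c0c95c2b90c07ad416e948ff0fd
+ data.tar.gz: bad30ef26fd5843daa1a0a15259c4202fa3057102cf80a04deee2a5e174b1e08
  SHA512:
- metadata.gz: b7bbb1fe5a6c5915e6c613e689a2c47ce7795c6b807c564b14b271b14adfe7b8c2f46626421acb6cc9cb45c08c7772801f9ad9bc9432bebe2eb8e2fa8e9f88b1
- data.tar.gz: d2a29e95aaa41635b6240219714da61daff58b75e37aff39e25365120ef66c066f3936d63e6cf2c028eb53e94056d42bbf2b5dc464e7502a314eb4878970349c
+ metadata.gz: bb8f6ea83a6e26a53c950f5523020138330ae154a89527fadfc9973b49911c49fd3088f8cf0e8066fb1d680fbb3fb3657de78616f945bbfe93840fe7b8b7e2a4
+ data.tar.gz: 34cdf61337136768c56d6a3e8bd1a75a9295620eae1bbcb5e24ef3086dfbeea4ed65f967be8602a02d92d1eacb0342500ce8ae0d7ceec6a167e477e49e261794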
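--- a/<changelog path not shown on page>
+++ b/<changelog path not shown on page>
@@ -1,3 +1,6 @@
+ ## 5.0.5
+ - Fix handling of malformed inputs that have illegal unescaped-equals characters in extension field values (restores behaviour from <= v5.0.3 in some edge-cases) ([#56](https://github.com/logstash-plugins/logstash-codec-cef/issues/56))
+
  ## 5.0.4
  - Fix bug in parsing headers where certain legal escape sequences could cause non-escaped pipe characters to be ignored.
  - Fix bug in parsing extension values where a legal unescaped space in a field's value could be interpreted as a field separator (#54)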
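--- a/<codec source path not shown on page>
+++ b/<codec source path not shown on page>
@@ -180,11 +180,18 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
  # Cache of a gsub pattern that matches a backslash-escaped backslash or backslash-escaped equals, _capturing_ the escaped character
  EXTENSION_VALUE_ESCAPE_CAPTURE = /\\([\\=])/
 
- # While the original CEF spec calls out that extension keys must be alphanumeric and not contain spaces,
+ # While the original CEF spec calls out that extension keys must be alphanumeric and must not contain spaces,
  # in practice many "CEF" producers like the Arcsight smart connector produce non-legal keys including underscores,
  # commas, periods, and square-bracketed index offsets.
- # Allow any sequence of characters that are _not_ backslashes, equals, or spaces.
- EXTENSION_KEY_PATTERN = /[^= \\]+/
+ #
+ # To support this, we look for a specific sequence of characters that are followed by an equals sign. This pattern
+ # will correctly identify all strictly-legal keys, and will also match those that include a dot "subkey"
+ #
+ # That sequence must begin with one or more `\w` (word: alphanumeric + underscore), which _optionally_ may be followed
+ # by "subkey" sequence consisting of a literal dot (`.`) followed by a non-whitespace character, then one or more word
+ # characters, and then one or more characters that do not convey semantic meaning within CEF (e.g., literal-pipe (`|`),
+ # whitespace (`\s`), literal-dot (`.`), literal-equals (`=`), or literal-backslash ('\')).
+ EXTENSION_KEY_PATTERN = /(?:\w+(?:\.[^\s]\w+[^\|\s\.\=\\]+)?(?==))/
 
  # Some CEF extension keys seen in the wild use an undocumented array-like syntax that may not be compatible with
  # the Event API's strict-mode FieldReference parser (e.g., `fieldname[0]`).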
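Review bot: The new `EXTENSION_KEY_PATTERN` on new line 194 only admits a `\w+` run at the start of a key, so the retained comment on lines 184–185 (Arcsight keys with commas and square-bracketed index offsets) no longer describes what is matched: a bare `fieldname[0]=` has no word run directly followed by `=`, and the `[^\|\s\.\=\\]+` tail that does admit brackets is only reachable after a dot subkey. The optional group `\.[^\s]\w+[^\|\s\.\=\\]+` also requires at least three characters after the dot, so a short dotted key such as `a.bc=` (constructed) fails the group and, if this constant is used to scan for keys, would be recognised as `bc` alone; the consumer of the constant is outside the hunk, so please confirm against the spec. If dropping those shapes is intentional, state it next to the pattern, e.g. `# NOTE: keys must begin with word characters; bracket-indexed keys are only matched as the tail of a dot subkey (at least three characters after the dot).`, and the sentence on line 191 should say "at least three characters" rather than listing the pieces. Minor: line 193 quotes the backslash as `('\')` while every other literal uses backticks.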
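--- a/<gemspec path not shown on page>
+++ b/<gemspec path not shown on page>
@@ -1,7 +1,7 @@
  Gem::Specification.new do |s|
 
  s.name = 'logstash-codec-cef'
- s.version = '5.0.4'
+ s.version = '5.0.5'
  s.platform = 'java'
  s.licenses = ['Apache License (2.0)']
  s.summary = "Reads the ArcSight Common Event Format (CEF)."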
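--- a/<spec file path not shown on page>
+++ b/<spec file path not shown on page>
@@ -431,6 +431,35 @@ describe LogStash::Codecs::CEF do
  end
  end
 
+ let(:malformed_unescaped_equals_in_extension_value) { %q{CEF:0|FooBar|Web Gateway|1.2.3.45.67|200|Success|2|rt=Sep 07 2018 14:50:39 cat=Access Log dst=1.1.1.1 dhost=foo.example.com suser=redacted src=2.2.2.2 requestMethod=POST request='https://foo.example.com/bar/bingo/1' requestClientApplication='Foo-Bar/2018.1.7; Email:user@example.com; Guid:test=' cs1= cs1Label=Foo Bar} }
+ it 'should split correctly' do
+ decode_one(subject, malformed_unescaped_equals_in_extension_value) do |event|
+ expect(event.get('cefVersion')).to eq('0')
+ expect(event.get('deviceVendor')).to eq('FooBar')
+ expect(event.get('deviceProduct')).to eq('Web Gateway')
+ expect(event.get('deviceVersion')).to eq('1.2.3.45.67')
+ expect(event.get('deviceEventClassId')).to eq('200')
+ expect(event.get('name')).to eq('Success')
+ expect(event.get('severity')).to eq('2')
+
+ # extension key/value pairs
+ expect(event.get('deviceReceiptTime')).to eq('Sep 07 2018 14:50:39')
+ expect(event.get('deviceEventCategory')).to eq('Access Log')
+ expect(event.get('deviceVersion')).to eq('1.2.3.45.67')
+ expect(event.get('destinationAddress')).to eq('1.1.1.1')
+ expect(event.get('destinationHostName')).to eq('foo.example.com')
+ expect(event.get('sourceUserName')).to eq('redacted')
+ expect(event.get('sourceAddress')).to eq('2.2.2.2')
+ expect(event.get('requestMethod')).to eq('POST')
+ expect(event.get('requestUrl')).to eq(%q{'https://foo.example.com/bar/bingo/1'})
+ # Although the value for `requestClientApplication` contains an illegal unquoted equals sign, the sequence
+ # preceeding the unescaped-equals isn't shaped like a key, so we allow it to be a part of the value.
+ expect(event.get('requestClientApplication')).to eq(%q{'Foo-Bar/2018.1.7; Email:user@example.com; Guid:test='})
+ expect(event.get('deviceCustomString1Label')).to eq('Foo Bar')
+ expect(event.get('deviceCustomString1')).to eq('')
+ end
+ end
+
  context('escaped-equals and unescaped-spaces in the extension values') do
  let(:query_string) { 'key1=value1&key2=value3 aa.bc&key3=value4'}
  let(:escaped_query_string) { query_string.gsub('=','\\=') }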
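Review bot: The `deviceVersion` expectation on new line 448 repeats the header check on line 440 and matches no extension field in the fixture, so the `# extension key/value pairs` block asserts one header value twice and covers nothing extra; it looks like a copy-paste from a neighbouring example and should be dropped or replaced with the extension it was meant to pin. The example name on line 435, `'should split correctly'`, says nothing about the malformed input it exercises; something like `it 'keeps an unescaped equals inside a value when the text before it is not key-shaped' do` would make a failure report self-explanatory, and the `let` on line 434 sits between examples rather than with the other fixtures, which is unusual for this file if the surrounding `let`s are grouped at the top of their context. Typo in the comment on line 456: `preceeding` → `preceding`.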
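--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: logstash-codec-cef
  version: !ruby/object:Gem::Version
- version: 5.0.4
+ version: 5.0.5
  platform: java
  authors:
  - Elastic
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2018-08-22 00:00:00.000000000 Z
+ date: 2018-09-12 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  requirement: !ruby/object:Gem::Requirement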