logstash-codec-cef 5.0.4-java → 5.0.5-java

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 2d6aa2e3f0deee7e7dc16646e1803e2514f2e52e5396329c5ca8fbc6a9a11890
4
- data.tar.gz: fdca34d3a6ce64552a5965a60543c97bd23629ae521f04d9d2757c3f7f5d746a
3
+ metadata.gz: 6c2a4f967f4d2a3308e0205434cbfcd38bdf6c0c95c2b90c07ad416e948ff0fd
4
+ data.tar.gz: bad30ef26fd5843daa1a0a15259c4202fa3057102cf80a04deee2a5e174b1e08
5
5
  SHA512:
6
- metadata.gz: b7bbb1fe5a6c5915e6c613e689a2c47ce7795c6b807c564b14b271b14adfe7b8c2f46626421acb6cc9cb45c08c7772801f9ad9bc9432bebe2eb8e2fa8e9f88b1
7
- data.tar.gz: d2a29e95aaa41635b6240219714da61daff58b75e37aff39e25365120ef66c066f3936d63e6cf2c028eb53e94056d42bbf2b5dc464e7502a314eb4878970349c
6
+ metadata.gz: bb8f6ea83a6e26a53c950f5523020138330ae154a89527fadfc9973b49911c49fd3088f8cf0e8066fb1d680fbb3fb3657de78616f945bbfe93840fe7b8b7e2a4
7
+ data.tar.gz: 34cdf61337136768c56d6a3e8bd1a75a9295620eae1bbcb5e24ef3086dfbeea4ed65f967be8602a02d92d1eacb0342500ce8ae0d7ceec6a167e477e49e261794
@@ -1,3 +1,6 @@
1
+ ## 5.0.5
2
+ - Fix handling of malformed inputs that have illegal unescaped-equals characters in extension field values (restores behaviour from <= v5.0.3 in some edge-cases) ([#56](https://github.com/logstash-plugins/logstash-codec-cef/issues/56))
3
+
1
4
  ## 5.0.4
2
5
  - Fix bug in parsing headers where certain legal escape sequences could cause non-escaped pipe characters to be ignored.
3
6
  - Fix bug in parsing extension values where a legal unescaped space in a field's value could be interpreted as a field separator (#54)
@@ -180,11 +180,18 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
180
180
  # Cache of a gsub pattern that matches a backslash-escaped backslash or backslash-escaped equals, _capturing_ the escaped character
181
181
  EXTENSION_VALUE_ESCAPE_CAPTURE = /\\([\\=])/
182
182
 
183
- # While the original CEF spec calls out that extension keys must be alphanumeric and not contain spaces,
183
+ # While the original CEF spec calls out that extension keys must be alphanumeric and must not contain spaces,
184
184
  # in practice many "CEF" producers like the Arcsight smart connector produce non-legal keys including underscores,
185
185
  # commas, periods, and square-bracketed index offsets.
186
- # Allow any sequence of characters that are _not_ backslashes, equals, or spaces.
187
- EXTENSION_KEY_PATTERN = /[^= \\]+/
186
+ #
187
+ # To support this, we look for a specific sequence of characters that are followed by an equals sign. This pattern
188
+ # will correctly identify all strictly-legal keys, and will also match those that include a dot "subkey"
189
+ #
190
+ # That sequence must begin with one or more `\w` (word: alphanumeric + underscore), which _optionally_ may be followed
191
+ # by "subkey" sequence consisting of a literal dot (`.`) followed by a non-whitespace character, then one or more word
192
+ # characters, and then one or more characters that do not convey semantic meaning within CEF (e.g., literal-pipe (`|`),
193
+ # whitespace (`\s`), literal-dot (`.`), literal-equals (`=`), or literal-backslash ('\')).
194
+ EXTENSION_KEY_PATTERN = /(?:\w+(?:\.[^\s]\w+[^\|\s\.\=\\]+)?(?==))/
188
195
 
189
196
  # Some CEF extension keys seen in the wild use an undocumented array-like syntax that may not be compatible with
190
197
  # the Event API's strict-mode FieldReference parser (e.g., `fieldname[0]`).
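Review bot: The comment above the new `EXTENSION_KEY_PATTERN` describes the trailing `[^\|\s\.\=\\]+` class backwards — it lists pipe, whitespace, dot, equals and backslash as examples of "characters that do not convey semantic meaning", when the class excludes exactly those characters because they do carry meaning in CEF; suggest `# characters, and then one or more characters that are NOT CEF-significant (i.e., none of literal-pipe (`|`), whitespace (`\s`), literal-dot (`.`), literal-equals (`=`) or literal-backslash (`\`)).` The subkey group also requires at least three characters after the dot (`[^\s]`, `\w+` and `[^…]+` each need one), so as far as the pattern alone shows a short dotted key such as `ad.ab=` is not recognised as a key and a multi-level key like `a.b.c=` never matches; if that is intended it deserves a sentence in the comment, and a spec case either way. Those three adjacent greedy quantifiers also range over overlapping classes, so a dotted token followed by a long run of word characters with no `=` makes the engine try roughly O(n²) splits before the lookahead fails; since this codec parses attacker-influenced log lines, how the pattern is applied (outside this hunk) decides whether that is a denial-of-service lever, and a spec feeding a pathological extension under a time limit would settle it.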
@@ -1,7 +1,7 @@
1
1
  Gem::Specification.new do |s|
2
2
 
3
3
  s.name = 'logstash-codec-cef'
4
- s.version = '5.0.4'
4
+ s.version = '5.0.5'
5
5
  s.platform = 'java'
6
6
  s.licenses = ['Apache License (2.0)']
7
7
  s.summary = "Reads the ArcSight Common Event Format (CEF)."
@@ -431,6 +431,35 @@ describe LogStash::Codecs::CEF do
431
431
  end
432
432
  end
433
433
 
434
+ let(:malformed_unescaped_equals_in_extension_value) { %q{CEF:0|FooBar|Web Gateway|1.2.3.45.67|200|Success|2|rt=Sep 07 2018 14:50:39 cat=Access Log dst=1.1.1.1 dhost=foo.example.com suser=redacted src=2.2.2.2 requestMethod=POST request='https://foo.example.com/bar/bingo/1' requestClientApplication='Foo-Bar/2018.1.7; Email:user@example.com; Guid:test=' cs1= cs1Label=Foo Bar} }
435
+ it 'should split correctly' do
436
+ decode_one(subject, malformed_unescaped_equals_in_extension_value) do |event|
437
+ expect(event.get('cefVersion')).to eq('0')
438
+ expect(event.get('deviceVendor')).to eq('FooBar')
439
+ expect(event.get('deviceProduct')).to eq('Web Gateway')
440
+ expect(event.get('deviceVersion')).to eq('1.2.3.45.67')
441
+ expect(event.get('deviceEventClassId')).to eq('200')
442
+ expect(event.get('name')).to eq('Success')
443
+ expect(event.get('severity')).to eq('2')
444
+
445
+ # extension key/value pairs
446
+ expect(event.get('deviceReceiptTime')).to eq('Sep 07 2018 14:50:39')
447
+ expect(event.get('deviceEventCategory')).to eq('Access Log')
448
+ expect(event.get('deviceVersion')).to eq('1.2.3.45.67')
449
+ expect(event.get('destinationAddress')).to eq('1.1.1.1')
450
+ expect(event.get('destinationHostName')).to eq('foo.example.com')
451
+ expect(event.get('sourceUserName')).to eq('redacted')
452
+ expect(event.get('sourceAddress')).to eq('2.2.2.2')
453
+ expect(event.get('requestMethod')).to eq('POST')
454
+ expect(event.get('requestUrl')).to eq(%q{'https://foo.example.com/bar/bingo/1'})
455
+ # Although the value for `requestClientApplication` contains an illegal unquoted equals sign, the sequence
456
+ # preceeding the unescaped-equals isn't shaped like a key, so we allow it to be a part of the value.
457
+ expect(event.get('requestClientApplication')).to eq(%q{'Foo-Bar/2018.1.7; Email:user@example.com; Guid:test='})
458
+ expect(event.get('deviceCustomString1Label')).to eq('Foo Bar')
459
+ expect(event.get('deviceCustomString1')).to eq('')
460
+ end
461
+ end
462
+
434
463
  context('escaped-equals and unescaped-spaces in the extension values') do
435
464
  let(:query_string) { 'key1=value1&key2=value3 aa.bc&key3=value4'}
436
465
  let(:escaped_query_string) { query_string.gsub('=','\\=') }
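Review bot: The second `expect(event.get('deviceVersion')).to eq('1.2.3.45.67')` inside the "extension key/value pairs" section repeats the header assertion made a few lines earlier and checks no extension field, so it reads as a copy-paste slip; the regression this example exists for would be pinned more directly by asserting that the stray `test=` inside `requestClientApplication` produced no key, e.g. `expect(event.get('test')).to be_nil` (presumably the key the pre-fix parser would have emitted — verify against #56). The new `let`/`it` pair sits outside any `context`, so a failure reports only "should split correctly", which the surrounding examples already use; wrapping it in `context('malformed unescaped-equals in extension value') do … end` would name the case in the output. The inline comment also misspells "preceeding" — `# preceding the unescaped-equals isn't shaped like a key, so we allow it to be a part of the value.`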
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-codec-cef
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.0.4
4
+ version: 5.0.5
5
5
  platform: java
6
6
  authors:
7
7
  - Elastic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-08-22 00:00:00.000000000 Z
11
+ date: 2018-09-12 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement