[Crowdstrike Falcon] unsupported_operation_exception on removeIf #4746

Closed
sakurai-youhei opened this issue Dec 1, 2022 · 1 comment · Fixed by #4758
Labels
bug (Something isn't working, use only for issues), Integration:crowdstrike (CrowdStrike)

Comments

@sakurai-youhei (Member) commented Dec 1, 2022

If crowdstrike.event.CommandLine contains two consecutive spaces, like "here are two spaces->  <-." in the following PoC, the script processor fails with an UnsupportedOperationException in the middle.

POST /_ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "script": {
          "lang": "painless",
          "source": """
          // https://github.com/elastic/integrations/blob/main/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml#L303-L321

          def commandLine = ctx?.crowdstrike?.event?.CommandLine;
          if (commandLine != null) {
            commandLine = commandLine.trim();
            if (commandLine != "") {
              def args = Arrays.asList(/ /.split(commandLine));
              args.removeIf(arg -> arg == "");
              ctx.process = [
                'command_line': commandLine,
                'args': args,
                'executable': args.get(0)
                ]
            }
          }
          """
        }
      }
      ]
  },
  "docs": [
    {
      "_source": {
        "crowdstrike": {
          "event": {
            "CommandLine": "here are two spaces->  <-."
          }
        }
      }
    }
    ]
}
Error response:
{
  "docs": [
    {
      "error": {
        "root_cause": [
          {
            "type": "script_exception",
            "reason": "runtime error",
            "script_stack": [
              "java.base/java.util.Iterator.remove(Iterator.java:102)",
              "java.base/java.util.Collection.removeIf(Collection.java:577)",
              """arg -> arg == "");
              """,
              "^---- HERE"
            ],
            "script": " ...",
            "lang": "painless",
            "position": {
              "offset": 435,
              "start": 435,
              "end": 468
            }
          }
        ],
        "type": "script_exception",
        "reason": "runtime error",
        "script_stack": [
          "java.base/java.util.Iterator.remove(Iterator.java:102)",
          "java.base/java.util.Collection.removeIf(Collection.java:577)",
          """arg -> arg == "");
              """,
          "^---- HERE"
        ],
        "script": " ...",
        "lang": "painless",
        "position": {
          "offset": 435,
          "start": 435,
          "end": 468
        },
        "caused_by": {
          "type": "unsupported_operation_exception",
          "reason": "remove"
        }
      }
    }
  ]
}

A quick fix would be something like this.

15c15
<               def args = Arrays.asList(/ /.split(commandLine));
---
>               def args = new ArrayList(Arrays.asList(/ /.split(commandLine)));
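Review bot: the replacement line stops the crash but still produces empty tokens that then have to be removed; splitting on a run of whitespace, e.g. `def args = new ArrayList(Arrays.asList(/\s+/.split(commandLine)));`, would yield no empty strings at all and make the `removeIf` unnecessary (tabs would then also separate arguments, which may or may not be wanted for `process.args`). Either way the regression test should use a command line with two consecutive spaces, because the original only fails when `removeIf` actually has something to remove and passes silently otherwise.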
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
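The root cause, reproduced outside Elasticsearch as an added example (this is not code from the issue or from the CrowdStrike integration): Painless exposes the JDK's `Arrays.asList`, which returns a fixed-size list view whose iterator does not support `remove`, so `removeIf` only throws when the predicate actually matches an element, which is why the pipeline worked until a command line contained consecutive spaces. The Java below shows the failing version, the `new ArrayList(...)` copy proposed in the issue, and an alternative that splits on a run of whitespace (an assumption that tabs may also separate arguments); `isEmpty()` stands in for Painless's `arg == ""`.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example, not part of the issue or the integration: reproduces the
// UnsupportedOperationException behind the Falcon pipeline bug and shows two
// ways to avoid it.
public class CommandLineArgs {

    // Mirrors the pipeline logic as originally written. Arrays.asList returns
    // a fixed-size list backed by the array; its iterator inherits the default
    // Iterator.remove(), which throws UnsupportedOperationException("remove").
    // removeIf only calls remove() when the predicate matches, so this works
    // for "a b" and fails for "a  b".
    static List<String> argsBuggy(String commandLine) {
        List<String> args = Arrays.asList(commandLine.trim().split(" "));
        args.removeIf(arg -> arg.isEmpty());
        return args;
    }

    // Fix from the issue: copy into a real, mutable ArrayList before mutating.
    static List<String> argsFixed(String commandLine) {
        List<String> args = new ArrayList<>(Arrays.asList(commandLine.trim().split(" ")));
        args.removeIf(arg -> arg.isEmpty());
        return args;
    }

    // Alternative (assumption: tabs may be treated like spaces): split on one
    // or more whitespace characters after trimming, so no empty tokens are
    // produced and no removal step is needed at all.
    static List<String> argsSplitOnRuns(String commandLine) {
        return Arrays.asList(commandLine.trim().split("\\s+"));
    }

    public static void main(String[] argv) {
        // Constructed inputs; the second one is the string from the issue's PoC.
        String single = "C:\\Windows\\System32\\cmd.exe /c whoami";
        String doubleSpace = "here are two spaces->  <-.";

        System.out.println("buggy, single spaces: " + argsBuggy(single));
        try {
            System.out.println("buggy, double space: " + argsBuggy(doubleSpace));
        } catch (UnsupportedOperationException e) {
            System.out.println("buggy, double space: UnsupportedOperationException("
                    + e.getMessage() + ") from removeIf");
        }
        System.out.println("fixed (ArrayList copy): " + argsFixed(doubleSpace));
        System.out.println("fixed (split on \\s+):   " + argsSplitOnRuns(doubleSpace));
    }
}
```

Run with `java CommandLineArgs.java` (JDK 11 or later). The first call succeeds and the second throws, matching the `caused_by: unsupported_operation_exception, reason: remove` in the error response; both fixed variants return the same five arguments for the double-space input.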

jamiehynds added the Integration:crowdstrike and bug labels Dec 1, 2022
sakurai-youhei added a commit to sakurai-youhei/integrations that referenced this issue Dec 3, 2022
sakurai-youhei added a commit that referenced this issue Dec 6, 2022
* Fix parse of CommandLine in Falcon pipeline

Closes #4746

* Bump up the version

* Revert the test case

* Add a new test case