Skip to content

[SIEM] Fixes escape bug for filterQuery #43030

Merged
stephmilovic merged 11 commits intoelastic:masterfrom
stephmilovic:query-builder-esc
Sep 6, 2019
Merged

[SIEM] Fixes escape bug for filterQuery #43030
stephmilovic merged 11 commits intoelastic:masterfrom
stephmilovic:query-builder-esc

Conversation

@stephmilovic
Copy link
Copy Markdown
Contributor

@stephmilovic stephmilovic commented Aug 9, 2019
edited
Loading

Summary

@spong noticed a bug where when searching fields with escaped values, nothing would get returned: #42866

After playing with the query, I noticed Elasticsearch does not enjoy getting escaped values on strings.

This does not have matches:

"match_phrase": {
  "event.action": "Registry value set \\(rule\\: RegistryEvent\\)"
}

This has matches

"match_phrase": {
  "event.action": "Registry value set (rule: RegistryEvent)"
}

I fixed the bug by surrounding all strings in returned in escapeQueryValue with ". This way we only need to escape " and it eliminates the bugs we were seeing.

To test:
Check the following timeline links return results:

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

For maintainers

@stephmilovic stephmilovic added Team:SIEM release_note:skip Skip the PR/issue when compiling release notes labels Aug 9, 2019
@stephmilovic stephmilovic requested review from cwurm and spong August 9, 2019 15:21
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Aug 9, 2019

Pinging @elastic/siem

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Aug 9, 2019

💚 Build Succeeded

@FrankHassanabad FrankHassanabad changed the title [SIEM] fix escape bug for filterQuery [SIEM] Fixes escape bug for filterQuery Aug 9, 2019
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Aug 12, 2019

💚 Build Succeeded

FrankHassanabad
FrankHassanabad approved these changes Aug 12, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@FrankHassanabad FrankHassanabad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested it out and played with it and it fixes the issue.

If there are changes required of the downstream libs and a new PR for the downstream lib is created just tack it on optionally I would say.

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Aug 12, 2019

💔 Build Failed

@stephmilovic
Copy link
Copy Markdown
Contributor Author

stephmilovic commented Aug 22, 2019

update: @XavierM and i need to pair on this further

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Sep 3, 2019

💔 Build Failed

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Sep 3, 2019

💚 Build Succeeded

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Sep 3, 2019

💔 Build Failed

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Sep 3, 2019

💔 Build Failed

@spong spong added the v7.5.0 label Sep 4, 2019
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Sep 4, 2019

💚 Build Succeeded

@stephmilovic stephmilovic mentioned this pull request Sep 4, 2019
Merged
9 tasks
XavierM
XavierM approved these changes Sep 6, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@XavierM XavierM left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested locally, and I agreed that match_phrase will do the job, no need to be stubburn and use only used match in dsl

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Sep 6, 2019

💚 Build Succeeded

@stephmilovic stephmilovic merged commit d909457 into elastic:master Sep 6, 2019
@stephmilovic stephmilovic deleted the query-builder-esc branch September 6, 2019 14:31
@stephmilovic stephmilovic mentioned this pull request Sep 6, 2019
Merged
stephmilovic added a commit to stephmilovic/kibana that referenced this pull request Sep 6, 2019
@stephmilovic
[SIEM] Fixes escape bug for filterQuery (elastic#43030)
cb82729
stephmilovic added a commit to stephmilovic/kibana that referenced this pull request Sep 6, 2019
@stephmilovic
[SIEM] Fixes escape bug for filterQuery (elastic#43030)
e17682a
This was referenced Sep 6, 2019
Merged
Closed
jloleysens added a commit to jloleysens/kibana that referenced this pull request Sep 6, 2019
@jloleysens
Merge branch 'master' of github.com:elastic/kibana into fix/autocompl…
b6a35c5 
…ete-for-distance_feature

* 'master' of github.com:elastic/kibana:
  [SIEM] Fixes escape bug for filterQuery  (elastic#43030)
  Export saved objects based on search criteria (elastic#44723)
  refactor(webhook-whitelisting): Removed unneeded schema config (elastic#44974)
  [APM] Make number of x ticks responsive to the plot width (elastic#44870)
  [ML] Single metric viewer: Fix top nav refresh behaviour. (elastic#44860)
stephmilovic added a commit that referenced this pull request Sep 6, 2019
@stephmilovic
[SIEM] Fixes escape bug for filterQuery (#43030) (#45007)
c38b478
stephmilovic added a commit that referenced this pull request Sep 6, 2019
@stephmilovic
[SIEM] Fixes escape bug for filterQuery (#43030) (#45006)
14ac18a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@XavierM XavierM XavierM approved these changes

@cwurm cwurm Awaiting requested review from cwurm

@spong spong Awaiting requested review from spong

@FrankHassanabad FrankHassanabad Awaiting requested review from FrankHassanabad

Assignees

No one assigned

Labels

release_note:skip Skip the PR/issue when compiling release notes Team:SIEM v7.4.0 v7.5.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@stephmilovic @elasticmachine @XavierM @FrankHassanabad @spong