Describe the Bug
When triple double quotes are used to output raw strings, the TOML is not checked for escaped characters and the rendered output is
To Reproduce
If I have a rule with a query DSL filter that is sufficiently long and contains an escaped character, this will cause the formatter to incorrectly output this as a raw string
{
  "query_string": {
    "query": "file.path: \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\" file.path: Hello\\:World"
  }
}
And the TOML will look like this
[[rule.filters]]
[rule.filters."$state"]
store = "appState"
[rule.filters.meta]
alias = "Custom Filter"
disabled = false
index = "apm-*-transaction*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,traces-apm*,winlogbeat-*,-*elastic-cloud-logs-*"
key = "query"
negate = false
type = "query_string"
value = 'file.path: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" file.path: Hello\:World'
[rule.filters.query.query_string]
query = """
file.path: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" file.path: Hello\:World
"""
Expected Behavior
The output should always be escaped or the condition for raw should include checking for \ characters.
detection-rules/detection_rules/rule_formatter.py, line 145 in 66a0b6b:
raw = (multiline or (DQ in v and SQ not in v)) and TRIPLE_DQ not in v
Screenshots
[Screenshot: Sample Filter]
[Screenshot: Corrupted TOML]
Desktop - OS
None
Desktop - Version
No response
Additional Context
No response
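The failure described in this report, as an added example that is not part of the original issue or the project's code: a simplified, hypothetical model of the formatter applies the quoted `raw` condition, then checks the rendered string against the escape sequences TOML accepts in basic strings. The names `render`, `is_raw_checked`, `escape_basic` and `invalid_escapes` are assumptions, `multiline` is supplied by the caller, and the query value is a shortened, constructed copy of the one above.

```python
import re

DQ, SQ, TRIPLE_DQ = '"', "'", '"""'
# Escapes TOML accepts inside basic ("...") and multi-line basic ("""...""") strings.
VALID_ESCAPE = re.compile(r'[btnfr"\\]|u[0-9A-Fa-f]{4}|U[0-9A-Fa-f]{8}|[ \t]*\n')


def is_raw(v, multiline):
    """The condition quoted in the report."""
    return (multiline or (DQ in v and SQ not in v)) and TRIPLE_DQ not in v


def is_raw_checked(v, multiline):
    """Same condition, plus the backslash check the report asks for."""
    return is_raw(v, multiline) and "\\" not in v


def escape_basic(v):
    """Escape a value for a single-line TOML basic string."""
    return v.replace("\\", "\\\\").replace(DQ, '\\"').replace("\n", "\\n")


def render(v, multiline, raw_test=is_raw):
    """Hypothetical, simplified model of the formatter's string output."""
    if raw_test(v, multiline):
        return f"{TRIPLE_DQ}\n{v}\n{TRIPLE_DQ}" if multiline else f"'{v}'"
    return f'"{escape_basic(v)}"'


def invalid_escapes(rendered):
    """Return backslash sequences a TOML parser rejects in the rendered string."""
    if rendered.startswith(SQ):  # literal string: backslashes are not escapes
        return []
    body = rendered[3:-3] if rendered.startswith(TRIPLE_DQ) else rendered[1:-1]
    bad, i = [], body.find("\\")
    while i != -1:
        m = VALID_ESCAPE.match(body, i + 1)
        if m is None:
            bad.append(body[i:i + 2])
        i = body.find("\\", m.end() if m else i + 2)
    return bad


# Constructed sample: the query value from the report, shortened.
QUERY = 'file.path: "xxxxxxxx" file.path: Hello\\:World'
```

With the quoted condition, `invalid_escapes(render(QUERY, True))` reports the `\:` sequence that makes the triple-quoted output unparseable; passing `is_raw_checked` as `raw_test` falls back to the escaped form.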