From dde448ee6b2c4a2b256c09168ea6360f59ca2cc8 Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Mon, 18 Aug 2025 17:03:51 -0400
Subject: [PATCH] [Bug] Rule Toml Write Formatting Wrongly Formats \\\\x (#4978)

* Fix rule and mitigate py toml
* Bump patch version
* Add reference to issue
* Add unit test for path issues
* Update comment
* Certain strings were not properly escaped
* Updated to use json instead of repr
* replace _old_dump_str with json.dumps
* Bump Version
---
 detection_rules/etc/test_toml.json | 8 ++++++++
 detection_rules/rule_formatter.py | 7 ++++---
 pyproject.toml | 2 +-
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/detection_rules/etc/test_toml.json b/detection_rules/etc/test_toml.json
index c17376cbe..081222bbb 100644
--- a/detection_rules/etc/test_toml.json
+++ b/detection_rules/etc/test_toml.json
@@ -48,6 +48,14 @@
 ]
 }
 },
+ {
+ "metadata": {
+ "field": "value"
+ },
+ "rule": {
+ "path": "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"
+ }
+ },
 {
 "metadata": {
 "field": "value"
diff --git a/detection_rules/rule_formatter.py b/detection_rules/rule_formatter.py
index 0702bdf8a..46469f24d 100644
--- a/detection_rules/rule_formatter.py
+++ b/detection_rules/rule_formatter.py
@@ -123,7 +123,6 @@ class RuleTomlEncoder(toml.TomlEncoder): # type: ignore[reportMissingTypeArgume
 def __init__(self, *args: Any, **kwargs: Any) -> None:
 """Create the encoder but override some default functions."""
 super().__init__(*args, **kwargs) # type: ignore[reportUnknownMemberType]
- self._old_dump_str = toml.TomlEncoder().dump_funcs[str]
 self._old_dump_list = toml.TomlEncoder().dump_funcs[list]
 self.dump_funcs[str] = self.dump_str
 self.dump_funcs[str] = self.dump_str
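Review bot: The new fixture only exercises a `\\x` followed by a non-hex character (`x5l`), which is the reported symptom but not the place where the old repr-based escaping and `json.dumps` actually diverge. A `\\x` followed by two hex digits (a constructed example: `"path": "C:\\\\x41"`), a string containing a non-ASCII character, and a string containing a double quote would each pin a distinct branch of the escaping logic and catch a regression in the encoder's round-trip rather than just this one path. Adding one entry per case keeps the fixture small while covering what the formatter change touches.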
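Review bot: The last two context lines of this hunk both read `self.dump_funcs[str] = self.dump_str`; if that is the real file content rather than a rendering artefact, the second assignment is a no-op, and since `_old_dump_list` is still saved on the line above it was presumably meant to register the list dumper instead. Worth confirming against the file, as the hunk header counts are consistent with six context lines. `__init__` is shown in full here but the class continues outside the hunk.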
@@ -148,10 +147,12 @@ class RuleTomlEncoder(toml.TomlEncoder): # type: ignore[reportMissingTypeArgume
 if multiline:
 if raw:
 return "".join([TRIPLE_DQ, *initial_newline, *lines, TRIPLE_DQ])
- return "\n".join([TRIPLE_SQ] + [self._old_dump_str(line)[1:-1] for line in lines] + [TRIPLE_SQ])
+ return "\n".join([TRIPLE_SQ] + [json.dumps(line)[1:-1] for line in lines] + [TRIPLE_SQ])
 if raw:
 return f"'{lines[0]:s}'"
- return self._old_dump_str(v)
+ # In the toml library there is a magic replace for \\\\x -> u00 that we wish to avoid until #4979 is resolved
+ # Also addresses an issue where backslashes in certain strings are not properly escaped in self._old_dump_str(v)
+ return json.dumps(v)
 
 def _dump_flat_list(self, v: Iterable[Any]) -> str:
 """A slightly tweaked version of original dump_list, removing trailing commas."""
diff --git a/pyproject.toml b/pyproject.toml
index 08c32aa9b..8303f0fcb 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.3.24"
+version = "1.3.25"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
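Review bot: Both new `json.dumps(...)` calls use the default `ensure_ascii=True`, so every non-ASCII character in a rule string is rewritten as a `\uXXXX` escape and characters outside the BMP become UTF-16 surrogate pairs, which the TOML spec does not allow in `\u` escapes; the repr-based path this replaces emitted printable non-ASCII literally, so rule files with such text will be rewritten on the next save. Using `json.dumps(v, ensure_ascii=False)` (and the same on the `[1:-1]` line in the multiline branch) keeps the previous output for those strings while still escaping backslashes, quotes and control characters. No import is added in this file and the diffstat shows only these seven lines changed, so this relies on `json` already being imported at module level — worth confirming. The second added comment still refers to `self._old_dump_str(v)`, which this commit deletes; something like `# toml's repr-based _dump_str also mis-escaped backslashes in some strings` avoids pointing readers at a removed attribute. `dump_str` begins outside the hunk.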