[Bug] Rule Toml Write Formatting Wrongly Formats \\\\x (#4978)

* Fix rule and mitigate py toml

* Bump patch version

* Add reference to issue

* Add unit test for path issues

* Update comment

* Certain strings were not properly escaped

* Updated to use json instead of repr

* replace _old_dump_str with json.dumps

* Bump Version
This commit is contained in:
Eric Forte
2025-08-18 17:03:51 -04:00
committed by GitHub
parent fb76ec1b2d
commit dde448ee6b
3 changed files with 13 additions and 4 deletions
+8
@@ -48,6 +48,14 @@
]
}
},
{
"metadata": {
"field": "value"
},
"rule": {
"path": "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"
}
},
{
"metadata": {
"field": "value"
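Review bot: The new fixture entry exercises only the `\x` sequence at `"path": "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"`, which is the case from the linked issue but not the only place where the encoder's new `json.dumps` escaping and TOML escaping can disagree. Sibling entries with a trailing backslash, a literal `\u` sequence, a tab, and a non-ASCII (ideally non-BMP) character would pin those paths too. I cannot see the test that consumes this file, so whether it asserts a lossless write/parse round-trip of the generated TOML is an assumption; if it does not, that assertion is the more valuable addition.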
+4 -3
@@ -123,7 +123,6 @@ class RuleTomlEncoder(toml.TomlEncoder): # type: ignore[reportMissingTypeArgume
def __init__(self, *args: Any, **kwargs: Any) -> None:
"""Create the encoder but override some default functions."""
super().__init__(*args, **kwargs) # type: ignore[reportUnknownMemberType]
self._old_dump_str = toml.TomlEncoder().dump_funcs[str]
self._old_dump_list = toml.TomlEncoder().dump_funcs[list]
self.dump_funcs[str] = self.dump_str
self.dump_funcs[str] = self.dump_str
@@ -148,10 +147,12 @@ class RuleTomlEncoder(toml.TomlEncoder): # type: ignore[reportMissingTypeArgume
if multiline:
if raw:
return "".join([TRIPLE_DQ, *initial_newline, *lines, TRIPLE_DQ])
return "\n".join([TRIPLE_SQ] + [self._old_dump_str(line)[1:-1] for line in lines] + [TRIPLE_SQ])
return "\n".join([TRIPLE_SQ] + [json.dumps(line)[1:-1] for line in lines] + [TRIPLE_SQ])
if raw:
return f"'{lines[0]:s}'"
return self._old_dump_str(v)
# In the toml library there is a magic replace for \\\\x -> u00 that we wish to avoid until #4979 is resolved
# Also addresses an issue where backslashes in certain strings are not properly escaped in self._old_dump_str(v)
return json.dumps(v)
def _dump_flat_list(self, v: Iterable[Any]) -> str:
"""A slightly tweaked version of original dump_list, removing trailing commas."""
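Review bot: The new `return json.dumps(v)` runs with the default `ensure_ascii=True`, so any non-BMP character in a rule string (emoji, some CJK) is written as a UTF-16 surrogate pair such as `\ud83d\ude00`, and TOML only allows `\uXXXX` escapes that are Unicode scalar values, so a strict parser such as `tomllib` would reject the written file where the old `%r`-based `_old_dump_str` emitted the character verbatim. `json.dumps(v, ensure_ascii=False)` writes non-ASCII text raw (valid TOML) while still escaping `"`, `\` and the C0 control characters; the one gap it opens is U+007F, which TOML also requires escaped and which only the `ensure_ascii=True` mode handles, so it is worth an explicit `.replace("\x7f", "\\u007F")` or a comment noting the trade-off. The same consideration applies to the multiline branch `json.dumps(line)[1:-1]`. No `import json` appears in this hunk and the diffstat shows no other addition in this file, so I assume it is already imported at module level; worth confirming. The enclosing `dump_str` method starts before this hunk.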
+1 -1
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.3.24"
version = "1.3.25"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"