Feat/rework ddos vulnerable parsers#3130
Merged
Merged
Conversation
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
The feature commit accidentally committed unresolved stash conflict markers into parser_cef.py, making it invalid Python. Resolves to _parse_cef_ext(). Also fixes an O(n²) scan in _parse_cef_ext: when the key scanner reaches end-of-string with no '=' remaining, the old code rewound to start+1 and rescanned — degenerating to quadratic on '='-free input. Now breaks out of the loop immediately. Co-Authored-By: Claude <noreply@anthropic.com>
dcdf117 to
f9c7db0
Compare
Replace the imperative _split_alert_text scanner with one non-backtracking
regex (`([^:;]+):\s*([^;]*)`) that extracts all "key: value" pairs directly,
mirroring the finditer idiom already used in parser_kvqf. Leading prose is
split off the first key with rfind, no greedy regex.
This also fixes a latent bug: the old `^(.*[.!?])?(.*:.*)` regex split the kv
body at the last '.' before a colon, so any value containing a '.' (e.g. an
FQDN like REDACTEDHOST.ABC.EFG.CORP) was split mid-value and the downstream
`split(": ")` raised ValueError, failing the whole event. Add that real-world
log as a test case and assert on an extracted AlertTextValues.* field.
Co-Authored-By: Claude <noreply@anthropic.com>
The CEF extension is a documented format (space-separated key=value pairs with '\=' escaping in-value equals), so replace the ~60-line hand-rolled scanner with a bounded, backtrack-free key regex plus positional value slicing. This keeps the SonarQube S5852 fix while matching the finditer idiom used in parser_kvqf. Verified against real Imperva/ArcSight/Trellix logs and 100k spec-compliant fuzz inputs (0 mismatches vs the original regex); pathological inputs run in milliseconds. The one intentional behavior change is on spec-violating input: a bare (unescaped) '=' inside a value no longer splits the value into a bogus key, e.g. cs8=http://h/x?action=down is kept intact instead of yielding a spurious "action" field. Co-Authored-By: Claude <noreply@anthropic.com>
Kawron
approved these changes
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This should fix polynomial run time for both parsers, on top of that it turns out they were both actually kind of bugged.
Cef parser would look for '=' sigh to split key/value pairs, even if this sign was part of url passed as a string, now it should work properly.
EDIT: Sonarqube scan doesn't show the two issues mentioned after scanning this branch anymore.