Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Alert user to misuse of reserved literals in the rule source editor #7006

Closed fungusakafungus closed 10 months ago

fungusakafungus commented 4 years ago

Calling a variable "match" breaks parsing and produces {"type":"ApiError","message":""} error response.

Expected Behavior

Rule can be parsed and saved

Current Behavior

XHR returns {"type":"ApiError","message":""}

Server log has:

2019-12-17T18:17:54.798+01:00 ERROR [AnyExceptionClassMapper] Unhandled exception in REST resource
java.lang.NullPointerException: null
    at org.graylog.plugins.pipelineprocessor.parser.PipelineRuleParser$RuleAstBuilder.exitVarAssignStmt(PipelineRuleParser.java:319) ~[graylog.jar:?]
    at org.graylog.plugins.pipelineprocessor.parser.RuleLangParser$VarAssignStmtContext.exitRule(RuleLangParser.java:1357) ~[graylog.jar:?]
    at org.antlr.v4.runtime.tree.ParseTreeWalker.exitRule(ParseTreeWalker.java:47) ~[graylog.jar:?]
    at org.antlr.v4.runtime.tree.ParseTreeWalker.walk(ParseTreeWalker.java:30) ~[graylog.jar:?]
    at org.antlr.v4.runtime.tree.ParseTreeWalker.walk(ParseTreeWalker.java:28) ~[graylog.jar:?]
    at org.graylog.plugins.pipelineprocessor.parser.PipelineRuleParser.parseRule(PipelineRuleParser.java:169) ~[graylog.jar:?]
    at org.graylog.plugins.pipelineprocessor.parser.PipelineRuleParser.parseRule(PipelineRuleParser.java:134) ~[graylog.jar:?]
    at org.graylog.plugins.pipelineprocessor.rest.RuleResource.parse(RuleResource.java:119) ~[graylog.jar:?]
    at sun.reflect.GeneratedMethodAccessor666.invoke(Unknown Source) ~[?:?]

Possible Solution

Should either be accepted or documented or at least show a better error message.

Steps to Reproduce (for bugs)

Put this into the create rule dialog:

rule "test match" when true
then let match = ""; end

Changing var name to "mach" fixes it.

Context

I was trying to write let match = regex(...);

Your Environment

patrickmann commented 11 months ago

This popped up again in the community. This reproduces all the way up to GL 5.2. The exception in the log now looks like this:

2023-11-30 09:51:38,751 ERROR: org.graylog2.shared.rest.exceptionmappers.AnyExceptionClassMapper - Unhandled exception in REST resource
java.lang.NullPointerException: Cannot invoke "org.antlr.v4.runtime.Token.getText()" because "ctx.varName" is null
    at org.graylog.plugins.pipelineprocessor.parser.PipelineRuleParser$RuleAstBuilder.exitVarAssignStmt(PipelineRuleParser.java:297) ~[classes/:?]
    at org.graylog.plugins.pipelineprocessor.parser.RuleLangParser$VarAssignStmtContext.exitRule(RuleLangParser.java:1406) ~[classes/:?]
    at org.antlr.v4.runtime.tree.ParseTreeWalker.exitRule(ParseTreeWalker.java:62) ~[antlr4-runtime-4.13.1.jar:4.13.1]
    at org.antlr.v4.runtime.tree.ParseTreeWalker.walk(ParseTreeWalker.java:38) ~[antlr4-runtime-4.13.1.jar:4.13.1]
    at org.antlr.v4.runtime.tree.ParseTreeWalker.walk(ParseTreeWalker.java:36) ~[antlr4-runtime-4.13.1.jar:4.13.1]
    at org.graylog.plugins.pipelineprocessor.parser.PipelineRuleParser.parseRule(PipelineRuleParser.java:158) ~[classes/:?]
    at org.graylog.plugins.pipelineprocessor.rest.PipelineRuleService.parseRuleOrThrow(PipelineRuleService.java:39) ~[classes/:?]
    at org.graylog.plugins.pipelineprocessor.rest.RuleResource.parse(RuleResource.java:165) ~[classes/:?]

The rule editor UI does not show any error. Clicking the create or update button has no effect. Very frustrating. At least we should list all reserved names in the documentation.

patrickmann commented 11 months ago

All of these literals from the ANTLR grammar are problematic: https://github.com/Graylog2/graylog2-server/blob/ac960a5725f27a73ea604358e25a81f9c6c82a6a/graylog2-server/src/main/antlr4/org/graylog/plugins/pipelineprocessor/parser/RuleLang.g4#L127

That can't be helped. But we should give the user some indication of what the problem is.

patrickmann commented 10 months ago

Rulebuilder UI does not have this problem since you can only use existing values as parameters. We'll add the list of reserved words in the documentation. And revisit for Rulebuilder if we ever allow custom variable names.
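
One way a rule source editor could give the indication asked for in this thread, as an added example that is not Graylog's code: a client-side check that flags `let` assignments to reserved names before the rule is submitted. Only `match` comes from this issue; the function names, the `//` comment syntax and the case-insensitive comparison are assumptions.

```javascript
// Added example, not Graylog code. Only "match" is confirmed by this issue;
// populate the set from the literals in RuleLang.g4 before real use.
const RESERVED = new Set(["match"]);

// Blank out "..." strings and // comments (comment syntax is an assumption)
// so text inside them is ignored, keeping offsets and newlines intact.
function maskStringsAndComments(src) {
  let out = "";
  for (let i = 0; i < src.length; ) {
    let j = i;
    if (src[i] === '"') {
      j = i + 1;
      while (j < src.length && src[j] !== '"') j += src[j] === "\\" ? 2 : 1;
      j = Math.min(j + 1, src.length);
    } else if (src.startsWith("//", i)) {
      j = src.indexOf("\n", i);
      if (j === -1) j = src.length;
    }
    if (j > i) {
      out += src.slice(i, j).replace(/[^\n]/g, " ");
      i = j;
    } else {
      out += src[i++];
    }
  }
  return out;
}

// Return one finding per `let <name> =` whose name is reserved.
// Case-insensitive comparison is an assumption about the grammar.
function findReservedVarNames(src, reserved = RESERVED) {
  const masked = maskStringsAndComments(src);
  const findings = [];
  for (const m of masked.matchAll(/\blet\s+([A-Za-z_][A-Za-z0-9_]*)\s*=/g)) {
    const name = m[1];
    if (!reserved.has(name.toLowerCase())) continue;
    const offset = m.index + m[0].indexOf(name, 3);
    const before = masked.slice(0, offset);
    findings.push({
      name,
      line: before.split("\n").length,   // 1-based
      column: offset - before.lastIndexOf("\n"),   // 1-based
      message: `"${name}" is a reserved literal and cannot be used as a variable name`,
    });
  }
  return findings;
}

// Rule text from the issue's "Steps to Reproduce".
const SAMPLE = 'rule "test match" when true\nthen let match = ""; end';
console.log(findReservedVarNames(SAMPLE));
```

The rule name `"test match"` is not reported because string contents are masked before matching; only the variable on line 2 is.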