NDietrich / CyberChef-for-Splunk

Splunk App that provides CyberChef functionality as a Custom Search Command
GNU General Public License v3.0

App errors with unexpected keyword "export" #12

Closed NDietrich closed 5 months ago

NDietrich commented 2 years ago

originally reported by @knewbetter.

This is a frustratingly intermittent bug that I can't seem to track down. Issue is not platform specific (I've seen it on Windows, Ubuntu, and it's been reported on RHEL).

The issue is that sometimes (not always) when you run a SPL search, you get an error when the App tries to load the cyberchef node libraries, error is unexpected keyword "export". Sometimes if you wait a day the error goes away (happened to me on my windows box).

NDietrich commented 2 years ago

@knewbetter had luck playing around and enabling experimental modules, but I can't verify if that actually fixed it. the CyberChef node api doesn't technically support node 8.17 (the version that comes with Splunk), but seems to work (most of the time). It looks like the cyberchef node libraries are using webpack/babel to transpile the code to commonjs so that we can use it with node 8.

you can verify this is the case by looking at the package.json for the cyberchef node app, and you'll see these two lines:

  "main": "src/node/cjs.js",
  "module": "src/node/index.mjs",

the first line is what's used with node 8 / commonJs, and loads the following comment: Export the main ESM module as CommonJS. So everything should be working correctly, I don't know why this issue is so intermittent and hard to track down. I've added additional code to the loading of the cyberchef modules to log the full error to the debug log, and we can see if that provides more information if the error comes back up.

I'm not sure if there's some sort of caching that happens in the node_modules folder by the ESM libraries (maybe?) that could be causing the issue. I'll probably need a javascript/node expert to help out if I can get more data.

NDietrich commented 2 years ago

I've dropped v1.1.1 on GitHub that logs the complete error to the debug log if the cyberchef node modules fail to load. The info is written to the debug.log (in the search's dispatch dir) even if you don't enable logging in the SPL.

So if anyone sees this error, please send me the debug.log from your search's dispatch_dir ($SPLUNK_HOME/var/run/splunk/dispatch/nnnnnnnnnn.nn). You can determine the correct directory (nnn...) by clicking 'inspect job' in the web interface for your search, and looking for the SID listed there.

NDietrich commented 2 years ago

managed to get more log info: Running on my windows system with 1.1.0 (added additional logging manually to the code):

(PID:9388) Fatal Error loading Cyberchef module: SyntaxError: Unexpected token import  at undefined. text: undefined
(PID:9388) Error Stack: 
file:///C:/Program%20Files/Splunk/etc/apps/cyberchef/bin/node_modules/cyberchef/src/node/index.mjs:12
import NodeDish from "./NodeDish.mjs";
^^^^^^

SyntaxError: Unexpected token import
(PID:9388) halt_on_error: Error loading required module Cyberchef: SyntaxError: Unexpected token import

However, when I ran this same code a few minutes later, it ran with no error. I suspect there's some caching that happens with ESM that gets cleared out, but that's a guess. I'll keep digging.

gsmortimer commented 2 years ago

We're experiencing this issue with a brand new Installation of the Plugin. Tried the example SPL and it worked, then started getting these errors. Early indicators show it seems to affect some users more than others. It's not a Cluster issue, is it (we've hit a few other issues caused by using search head cluster recently)? But I'm not a Splunk Administrator.

NDietrich commented 2 years ago

It seems to be intermittent, and on my test system it started working after an hour or so for some reason. I'm going to try preloading the esm modules as a workaround to see if that works.

rsaadoun commented 2 years ago

I compared the content of a working version of the cyberchef app and a version of the app with this error, and I have seen a lot of javascript files (nearly 300) created in cyberchef\bin\node_modules\cyberchef\node_modules\.cache\esm in the broken version of the App. Those javascript files added in cache contain syntax errors that seem to be responsible for the UI message of the error: "SyntaxError: Unexpected token import" (to be confirmed). I can confirm that the issue seems to be linked to cache in ESM.

NDietrich commented 2 years ago

@rsaadoun : thanks for checking into that. I think the solution will be to pre-load the ESM libraries and add the config option to disable the ESM caching function. Should be fairly simple to implement, and I suspect that the performance hit won't be terrible.

NDietrich commented 2 years ago

this code should fix it (working in my testing so far), but I need to test it.

NDietrich commented 2 years ago

I've released an update that I hope fixes this issue: v1.1.3. Please test and let me know. I've tested this release and I can't make it throw any errors, so hopefully it's fixed.

Guitaraholic commented 2 years ago

tested new 1.1.3 release but still getting the same errors

02-16-2022 12:16:34.476 ERROR SearchOrchestrator [49521 searchOrchestrator] - Phase_1 failed due to : Error in 'cyberchef' command: Fatal Error in function modify_payload:  csv-parse error on payload: parse_csv is not a function
02-16-2022 12:16:34.476 INFO  ReducePhaseExecutor [49521 searchOrchestrator] - ReducePhaseExecutor=1 action=CANCEL
02-16-2022 12:16:34.476 INFO  DispatchExecutor [49521 searchOrchestrator] - User applied action=CANCEL while status=0
02-16-2022 12:16:34.476 ERROR SearchStatusEnforcer [49521 searchOrchestrator] - sid:1645013793.180_D9A4C29E-54E6-44F5-8C11-0C5C91F448C0 Error in 'cyberchef' command: Fatal Error in function modify_payload:  csv-parse error on payload: parse_csv is not a function

when using the example makeresults search.

And when using the CyberChef UI in browser console.log

URL.js:3 

       Uncaught (in promise) ReferenceError: i18n_register is not defined
    at URL.js:3:1
    at e8068423-4842-47fa-9209-1ddfaeaf4ca8:2:2308799
    at Array.forEach (<anonymous>)
    at self.loadRequiredModules (e8068423-4842-47fa-9209-1ddfaeaf4ca8:2:2308640)
    at e8068423-4842-47fa-9209-1ddfaeaf4ca8:2:2306160
    at l (e8068423-4842-47fa-9209-1ddfaeaf4ca8:2:1750532)
    at Generator._invoke (e8068423-4842-47fa-9209-1ddfaeaf4ca8:2:1750320)
    at Generator.next (e8068423-4842-47fa-9209-1ddfaeaf4ca8:2:1750961)
    at r (e8068423-4842-47fa-9209-1ddfaeaf4ca8:2:1779918)
    at s (e8068423-4842-47fa-9209-1ddfaeaf4ca8:2:1780121)
(anonymous) @ URL.js:3
(anonymous) @ e8068423-4842-47fa-9209-1ddfaeaf4ca8:2
self.loadRequiredModules @ e8068423-4842-47fa-9209-1ddfaeaf4ca8:2
(anonymous) @ e8068423-4842-47fa-9209-1ddfaeaf4ca8:2
l @ e8068423-4842-47fa-9209-1ddfaeaf4ca8:2
(anonymous) @ e8068423-4842-47fa-9209-1ddfaeaf4ca8:2
(anonymous) @ e8068423-4842-47fa-9209-1ddfaeaf4ca8:2
r @ e8068423-4842-47fa-9209-1ddfaeaf4ca8:2
s @ e8068423-4842-47fa-9209-1ddfaeaf4ca8:2
(anonymous) @ e8068423-4842-47fa-9209-1ddfaeaf4ca8:2
(anonymous) @ e8068423-4842-47fa-9209-1ddfaeaf4ca8:2
(anonymous) @ e8068423-4842-47fa-9209-1ddfaeaf4ca8:2
(anonymous) @ e8068423-4842-47fa-9209-1ddfaeaf4ca8:2
baf2f94f-8bf3-49ad-bcb0-f150a73fa4b8:2 

       Uncaught (in promise) TypeError: Cannot read properties of undefined (reading 'URL Decode')
    at baf2f94f-8bf3-49ad-bcb0-f150a73fa4b8:2:97492
    at Array.map (<anonymous>)
    at e.<anonymous> (baf2f94f-8bf3-49ad-bcb0-f150a73fa4b8:2:97425)
    at l (baf2f94f-8bf3-49ad-bcb0-f150a73fa4b8:2:1750532)
    at Generator._invoke (baf2f94f-8bf3-49ad-bcb0-f150a73fa4b8:2:1750320)
    at Generator.next (baf2f94f-8bf3-49ad-bcb0-f150a73fa4b8:2:1750961)
    at r (baf2f94f-8bf3-49ad-bcb0-f150a73fa4b8:2:1779918)
    at s (baf2f94f-8bf3-49ad-bcb0-f150a73fa4b8:2:1780121)

Environment is a Search Head Cluster running on Splunk 8.2.2.1 and RHEL hosts

NDietrich commented 2 years ago

Can you try deleting the app from your systems (verify the folder is removed) and then reinstall?

Guitaraholic commented 2 years ago

Unfortunately even a clear SHC install with 1.13 still gets the same parse-csv error

NDietrich commented 2 years ago

@Guitaraholic: So I suspect this is related to the way that SHC uses the deployer to install the App to your search head and peers (I only have a stand-alone Splunk instance, not the more complex setup you have). The CyberChef app is really large compared to other Apps (as a SPL it rings in as 48 MB, and unzips to be nearly 145 MB). Because of this I've found that installing via the web interface often times out even with a local SPL file (I install updates via the command line, and that works for me).

I can't get the error to reproduce on any of my standalone systems (including my Windows box which is notoriously finicky).

I don't know if there is any way to verify if the App is getting correctly deployed to the search head / peers from the deployer, but can you check that on each search peer, the CyberChef App folder contains all the correct files? I'd start by making sure the .../CyberChef/bin/node_modules/ folder has ~317 folders.

The parse-csv library is the first library loaded (that's not an included library), which leads me to think not all the required node files were copied over, or some are missing (this happened to me when Splunk errored out in untarring the spl file more than once). There may be some helpful log data in your _internal index that could help see if there is a deployment error, but I don't have a system to check.

NDietrich commented 2 years ago

@Guitaraholic : for the web issue: did you reboot your splunk server and clear the client-side browser cache? it sounds like that may be the issue for the second problem.

Tietos commented 9 months ago

For people with the parse-csv error, please change the following if statement. Search SIDs in Splunk on clusters are different than for single instances. The modules are not loaded and that's why you see this error: "Fatal Error in function modify_payload: csv-parse error on payload: parse_csv is not a function".

OLD:

if (searchOptions.searchinfo.sid.match(/^\d{10}\.\d+$/)){
      load_modules()
}

NEW:

if (searchOptions.searchinfo.sid.match(/^(\d{10}\.|scheduler)/)){
      load_modules()
}