Open andrewkroh opened 1 year ago
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
This is not a full solution to the problem but it does avoid the URL being included (like in the case of Fleet). It reads the id
from the config rather than getting from the input v2 runner.
diff --git a/x-pack/filebeat/input/httpjson/config.go b/x-pack/filebeat/input/httpjson/config.go
index 74043594a6..4d0cf6c4f8 100644
--- a/x-pack/filebeat/input/httpjson/config.go
+++ b/x-pack/filebeat/input/httpjson/config.go
@@ -14,6 +14,7 @@ import (
)
type config struct {
+ ID string `config:"id"`
Interval time.Duration `config:"interval" validate:"required"`
Auth *authConfig `config:"auth"`
Request *requestConfig `config:"request" validate:"required"`
diff --git a/x-pack/filebeat/input/httpjson/input.go b/x-pack/filebeat/input/httpjson/input.go
index 6e1d3e8ca3..5634a9ed9a 100644
--- a/x-pack/filebeat/input/httpjson/input.go
+++ b/x-pack/filebeat/input/httpjson/input.go
@@ -114,7 +114,12 @@ func run(
stdCtx := ctxtool.FromCanceller(ctx.Cancelation)
if config.Request.Tracer != nil {
- id := sanitizeFileName(ctx.ID)
+ id := ctx.ID
+ if config.ID != "" {
+ // If the user explicitly configured an ID use it.
+ id = config.ID
+ }
+ id = sanitizeFileName(id)
config.Request.Tracer.Filename = strings.ReplaceAll(config.Request.Tracer.Filename, "*", id)
}
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
It's worse than this. I have seen recently in a support case where, due to input ID elaboration, ends up with a base path that is short enough to be written into the zip, but then too long to be able to be extracted without significant effort.
When the request tracer feature with input ID substitution the ID can be come longer than the maximum allowed file name.
An input
id
can be set to any value by a user and for stateful inputs (e.g. has cursor) Filebeat also appends the URL. So this substituted ID value could get really long.If the filename surpasses the max file name then you end up with no tracer logs and an error coming out of the logger that is written directly to stderr (bypassing the Beat logger).
This is probably a rare edge case, but given that users might not be able to control the URL (and Filebeat forces it into the input ID) I think consideration should be given to guarding against this problem.
Observed error:
Config used:
For confirmed bugs, please report:
Related: