elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Bug] KQL does not properly escape leading forward slash #441

Open brokensound77 opened 3 years ago

brokensound77 commented 3 years ago

Describe the bug

Unquoted leading `/` must be escaped in KQL, since this is used for regex syntax with Lucene.

This

`process.args:/lockscreenurl\:http*`

should become

`"\\/lockscreenurl\\:http*"`

to mimic expected DSL conversion

but instead it is converted to

`"/lockscreenurl\\:http*"`

To Reproduce

Steps to reproduce the behavior:

  1. search `process.args:/lockscreenurl\:http*` in Kibana
  2. this is converted to: `"\\/lockscreenurl\\:http*"`
  3. run `kql.to_dsl("process.args:/lockscreenurl\:http*")`
  4. compare diffs

rw-access commented 3 years ago

Here is how Kibana does escaping of wildcard queries: https://github.com/elastic/kibana/blob/321430ecad5c05bef10e3549dc3b97663cb657dd/src/plugins/data/common/es_query/kuery/node_types/wildcard.ts#L26-L68
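
The conversion the issue expects, and the escaping step the Kibana link above performs, as an added example that is not code from the detection-rules project or the `kql` package: an unquoted KQL value is walked once, KQL backslash escapes are unescaped, an unescaped `*` is kept as a wildcard, and every character Lucene's `query_string` parser reserves (including `/`, anywhere in the value, not only leading) is backslash-escaped. The `query_string_dsl` wrapper and the `LUCENE_RESERVED` set are assumptions for the demo, not the exact output shape of `kql.to_dsl`.

```python
# Added example, not from the detection-rules project or the kql package.
# Turns the value of an unquoted KQL term into a Lucene query_string term so
# that a leading "/" cannot be read by Lucene as the start of a /regex/ literal.

# Characters the Elasticsearch query_string parser treats as syntax when
# unescaped: + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /
# (assumed set for this demo; escaping a lone "&" or "|" is harmless)
LUCENE_RESERVED = set('+-=&|><!(){}[]^"~*?:\\/')


def kql_unquoted_to_lucene(value: str) -> str:
    """Translate an unquoted KQL value into a Lucene query_string term.

    KQL escape: a backslash makes the next character literal text.
    KQL wildcard: an unescaped '*' stays a wildcard in Lucene.
    Every other Lucene-reserved character is backslash-escaped.
    """
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if i + 1 >= len(value):
                raise ValueError("dangling backslash in KQL value")
            literal = value[i + 1]
            # A KQL-escaped character is literal, so re-escape it for Lucene
            # if Lucene reserves it (e.g. "\:" stays "\:").
            out.append("\\" + literal if literal in LUCENE_RESERVED else literal)
            i += 2
            continue
        if ch == "*":
            out.append("*")  # wildcard survives unescaped
        elif ch in LUCENE_RESERVED:
            out.append("\\" + ch)  # this is where the leading "/" gets escaped
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def query_string_dsl(field: str, value: str) -> dict:
    """Build a query_string clause for field:value (assumed DSL shape)."""
    return {"query_string": {"fields": [field], "query": kql_unquoted_to_lucene(value)}}


if __name__ == "__main__":
    # Reproduces the issue's expected result for process.args:/lockscreenurl\:http*
    print(query_string_dsl("process.args", r"/lockscreenurl\:http*"))
```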