search

google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0
2.63k stars 591 forks source link

Deleting "manual events" timeline can render whole sketch inaccessible #2829

Open jkppr opened 1 year ago

jkppr commented 1 year ago

Describe the bug When the "manual events" timeline is deleted from a sketch and someone tries to add a new manual event via the UI, the web server crashes with the following error, rendering the whole sketch inaccessible. 

[2023-07-10 09:48:40 +0000] [145] [DEBUG] GET /api/v1/sketches/3/
[2023-07-10 09:48:40,818] timesketch.opensearch/ERROR Unable to count indices (index not found)
[2023-07-10 09:48:40 +0000] [145] [ERROR] Error handling request /api/v1/sketches/3/
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/gunicorn/workers/sync.py", line 135, in handle
    self.handle_request(listener, req, client, addr)
  File "/usr/local/lib/python3.10/dist-packages/gunicorn/workers/sync.py", line 176, in handle_request
    respiter = self.wsgi(environ, resp.start_response)
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 2213, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 2193, in wsgi_app
    response = self.handle_exception(e)
  File "/usr/local/lib/python3.10/dist-packages/flask_restful/__init__.py", line 298, in error_router
    return original_handler(e)
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 2190, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1486, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.10/dist-packages/flask_restful/__init__.py", line 298, in error_router
    return original_handler(e)
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/usr/local/lib/python3.10/dist-packages/flask_restful/__init__.py", line 489, in wrapper
    resp = resource(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/flask/views.py", line 109, in view
    return current_app.ensure_sync(self.dispatch_request)(**kwargs)
  File "/usr/local/lib/python3.10/dist-packages/flask_restful/__init__.py", line 604, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/flask_login/utils.py", line 290, in decorated_view
    return current_app.ensure_sync(func)(*args, **kwargs)
  File "/usr/local/src/timesketch/timesketch/api/v1/resources/sketch.py", line 393, in get
    count_agg = self.datastore.client.search(
  File "/usr/local/lib/python3.10/dist-packages/opensearchpy/client/utils.py", line 177, in _wrapped
    return func(*args, params=params, headers=headers, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/opensearchpy/client/__init__.py", line 1593, in search
    return self.transport.perform_request(
  File "/usr/local/lib/python3.10/dist-packages/opensearchpy/transport.py", line 412, in perform_request
    raise e
  File "/usr/local/lib/python3.10/dist-packages/opensearchpy/transport.py", line 373, in perform_request
    status, headers_response, data = connection.perform_request(
  File "/usr/local/lib/python3.10/dist-packages/opensearchpy/connection/http_urllib3.py", line 282, in perform_request
    self._raise_error(response.status, raw_data)
  File "/usr/local/lib/python3.10/dist-packages/opensearchpy/connection/base.py", line 330, in _raise_error
    raise HTTP_EXCEPTIONS.get(status_code, TransportError)(
opensearchpy.exceptions.RequestError: RequestError(400, 'index_closed_exception', 'closed')

To Reproduce Steps to reproduce the behavior:

  1. In a test sketch, add a manual event using the "Add Manual Event" button.
  2. Reload the page to get the "Manual events" timeline.
  3. Delete the "Manual events" timeline via the UI by clicking on the three dot menu and then Delete.
  4. Reload the page and the sketch will return a Server Side error notice and only show the "It's empty around here" page.

Expected behavior It should create a new "Manual events" timeline if the first one was deleted.

jkppr commented 1 month ago

Low effort solution: Do not allow for the "Manual Events" timeline to be deleted.