objective-see / ProcessMonitor

Process Monitor Library (based on Apple's new Endpoint Security Framework)
GNU General Public License v3.0
422 stars, 65 forks

Invalid JSON Output for Signing Info #5

Open weslambert opened 2 years ago

weslambert commented 2 years ago

Thanks for all the work on this project!

It looks like there is at least one instance of invalid JSON output being produced.

Example:

The comma in the following, even though there is nothing else following it...

"cdHash": "4359DA5622EA566C0DC27AC9D3FCEAE3FEE9051F",

...from the following:

    "event": "ES_EVENT_TYPE_NOTIFY_EXIT",
    "timestamp": "2022-08-01 02:09:08 +0000",
    "process": {
        "pid": 22103,
        "path": "/Applications/Little Snitch.app/Contents/Components/Little Snitch Software Update.app/Contents/MacOS/Little Snitch Software Update",
        "uid": 501,
        "arguments": [],
        "ppid": 1,
        "ancestors": [1],
        "signing info (reported)": {
            "csFlags": 570505985,
            "platformBinary": 0,
            "signingID": "at.obdev.littlesnitch.softwareupdate",
            "teamID": "MLZF7K7B5R",
            "cdHash": "4359DA5622EA566C0DC27AC9D3FCEAE3FEE9051F",
        },

weslambert commented 2 years ago

@objective-see, any thoughts around this issue?

teeberg commented 2 months ago

There are some more JSON escaping issues that I came across:

{"event":"ES_EVENT_TYPE_NOTIFY_EXEC","timestamp":"2024-06-30 13:36:46 +0000","process":{"pid":43658,"name":"egrep","path":"/usr/bin/egrep","uid":501,"architecture":"unknown","arguments":["egrep","([\$~]|//)"],"ppid":43654,"rpid":29729,"ancestors":[29729,1],"signing info (reported)":{"csFlags":570522385,"platformBinary":1,"signingID":"com.apple.zegrep","teamID":"","cdHash":"2E3833E5CF00C1972C39DCA146E20A3ED64D58C1"},"signing info (computed)":{"signatureID":"com.apple.zegrep","signatureStatus":0,"signatureSigner":"Apple","signatureAuthorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"]}}}

Note the argument to egrep: ([\$~]|//). The \$ is an invalid escape in JSON, as noted by jq:

jq: parse error: Invalid escape at line 1, column 207

Also, multiline arguments are printed as-is, without line breaks escaped as \n, which also results in decoding errors:

{"event":"ES_EVENT_TYPE_NOTIFY_EXEC","timestamp":"2024-06-30 13:36:46 +0000","process":{"pid":43606,"name":"bash","path":"/usr/local/Cellar/bash/5.2.26/bin/bash","uid":501,"architecture":"unknown","arguments":["bash","--norc","-ec","IFS=:; paths=($PATH);
for i in ${!paths[@]}; do
if [[ ${paths[i]} == \"/Users/teeberg/.pyenv/shims\" ]]; then unset 'paths[i]';
fi; done;
echo \"${paths[*]}\""],"ppid":43590,"rpid":29729,"ancestors":[29729,1],"signing info (reported)":{"csFlags":0,"platformBinary":0,"signingID":"","teamID":"","cdHash":"0000000000000000000000000000000000000000"},"signing info (computed)":{"signatureStatus":-67062}}}

Dumping the log to a JSON file and opening it in VIM highlights it very well too :)


Trying to parse a file with those lines with jq results in:

jq: parse error: Invalid string: control characters from U+0000 through U+001F must be escaped at line 5, column 21

I'd be happy to propose a PR, but there are some long-standing open PRs without comments. Is this still actively watched/maintained?
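The three faults in this thread (a trailing comma before `}`, a `\$` escape that JSON does not define, and raw newlines inside a string) are all serializer mistakes on the writing side. The following is an added example, not ProcessMonitor's own code: a small C string escaper and array emitter that follow RFC 8259, so that `$` passes through untouched, control characters become `\n` or `\uXXXX`, and commas are only ever written between elements. The function names `json_escape_string` and `json_string_array` and the sample argument vectors are mine; the argument values are taken from the egrep and bash events quoted above.

```c
/* Added example (not part of ProcessMonitor): RFC 8259 string escaping
 * and trailing-comma-free array emission in plain C. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a byte string for use inside a JSON string literal.
 * Returns a heap buffer the caller frees, or NULL on allocation failure.
 * Only '"', '\\' and U+0000..U+001F are escaped; '$' and every other byte
 * is copied through unchanged, because "\$" is not a valid JSON escape. */
char *json_escape_string(const char *in) {
    size_t len = strlen(in);
    char *out = malloc(len * 6 + 1);   /* worst case: every byte -> \uXXXX */
    if (!out) return NULL;
    char *p = out;
    for (const unsigned char *s = (const unsigned char *)in; *s; s++) {
        switch (*s) {
        case '"':  *p++ = '\\'; *p++ = '"';  break;
        case '\\': *p++ = '\\'; *p++ = '\\'; break;
        case '\n': *p++ = '\\'; *p++ = 'n';  break;
        case '\r': *p++ = '\\'; *p++ = 'r';  break;
        case '\t': *p++ = '\\'; *p++ = 't';  break;
        case '\b': *p++ = '\\'; *p++ = 'b';  break;
        case '\f': *p++ = '\\'; *p++ = 'f';  break;
        default:
            if (*s < 0x20)
                p += sprintf(p, "\\u%04X", (unsigned)*s);  /* other control chars */
            else
                *p++ = (char)*s;
        }
    }
    *p = '\0';
    return out;
}

/* Tiny growable buffer used by the array emitter below. */
typedef struct { char *buf; size_t len, cap; } sbuf;

static int sbuf_append(sbuf *b, const char *s) {
    size_t n = strlen(s);
    if (b->len + n + 1 > b->cap) {
        size_t ncap = (b->len + n + 1) * 2;
        char *nb = realloc(b->buf, ncap);
        if (!nb) return -1;
        b->buf = nb;
        b->cap = ncap;
    }
    memcpy(b->buf + b->len, s, n + 1);
    b->len += n;
    return 0;
}

/* Serialize a NULL-terminated array of C strings as a JSON array.
 * The separator is written before every element except the first, which is
 * what prevents the dangling comma seen in the first report. */
char *json_string_array(const char *const *items) {
    sbuf b = {0};
    if (sbuf_append(&b, "[") < 0) return NULL;
    for (size_t i = 0; items[i]; i++) {
        if (i > 0 && sbuf_append(&b, ",") < 0) goto fail;
        char *esc = json_escape_string(items[i]);
        if (!esc) goto fail;
        int bad = sbuf_append(&b, "\"") < 0 || sbuf_append(&b, esc) < 0 ||
                  sbuf_append(&b, "\"") < 0;
        free(esc);
        if (bad) goto fail;
    }
    if (sbuf_append(&b, "]") < 0) goto fail;
    return b.buf;
fail:
    free(b.buf);
    return NULL;
}

int main(void) {
    /* Constructed inputs modelled on the two events quoted in this issue. */
    const char *egrep_argv[] = { "egrep", "([$~]|//)", NULL };
    const char *bash_argv[]  = { "bash", "--norc", "-ec",
                                 "IFS=:; paths=($PATH);\nfor i in ${!paths[@]}; do\n"
                                 "  echo \"${paths[*]}\"", NULL };
    char *a = json_string_array(egrep_argv);
    char *b = json_string_array(bash_argv);
    printf("%s\n%s\n", a, b);   /* both lines now parse with jq */
    free(a);
    free(b);
    return 0;
}
```

Feeding each printed line to `jq .` is the quick check: the egrep line keeps the literal `$`, and the bash line carries `\n` and `\"` sequences instead of raw control characters.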