Open weslambert opened 2 years ago
@objective-see, any thoughts around this issue?
There are some more JSON escaping issues that I came across:

```json
{"event":"ES_EVENT_TYPE_NOTIFY_EXEC","timestamp":"2024-06-30 13:36:46 +0000","process":{"pid":43658,"name":"egrep","path":"/usr/bin/egrep","uid":501,"architecture":"unknown","arguments":["egrep","([\$~]|//)"],"ppid":43654,"rpid":29729,"ancestors":[29729,1],"signing info (reported)":{"csFlags":570522385,"platformBinary":1,"signingID":"com.apple.zegrep","teamID":"","cdHash":"2E3833E5CF00C1972C39DCA146E20A3ED64D58C1"},"signing info (computed)":{"signatureID":"com.apple.zegrep","signatureStatus":0,"signatureSigner":"Apple","signatureAuthorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"]}}}
```
Note the argument to `egrep`: `([\$~]|//)`. The `\$` is an invalid escape in JSON, as noted by `jq`:

```
jq: parse error: Invalid escape at line 1, column 207
```
Also, multiline arguments are printed as is, without linebreaks escaped as `\n`, also resulting in decoding errors:

```json
{"event":"ES_EVENT_TYPE_NOTIFY_EXEC","timestamp":"2024-06-30 13:36:46 +0000","process":{"pid":43606,"name":"bash","path":"/usr/local/Cellar/bash/5.2.26/bin/bash","uid":501,"architecture":"unknown","arguments":["bash","--norc","-ec","IFS=:; paths=($PATH);
for i in ${!paths[@]}; do
if [[ ${paths[i]} == \"/Users/teeberg/.pyenv/shims\" ]]; then unset 'paths[i]';
fi; done;
echo \"${paths[*]}\""],"ppid":43590,"rpid":29729,"ancestors":[29729,1],"signing info (reported)":{"csFlags":0,"platformBinary":0,"signingID":"","teamID":"","cdHash":"0000000000000000000000000000000000000000"},"signing info (computed)":{"signatureStatus":-67062}}}
```
Dumping the log to a JSON file and opening it in VIM highlights it very well too :)
Trying to parse a file with those lines with `jq` results in:

```
jq: parse error: Invalid string: control characters from U+0000 through U+001F must be escaped at line 5, column 21
```
I'd be happy to propose a PR, but there are some long-standing open PRs without comments. Is this still actively watched/maintained?
Thanks for all the work on this project!
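A small repair-and-parse helper for logs that carry both defects described in this comment (the invalid `\$` escape and raw newlines inside string values), as an added example that is not the project's own code; the sample records are constructed, trimmed versions of the two quoted above:

```python
import json

_VALID_ESCAPES = set('"\\/bfnrtu')                  # characters JSON allows after a backslash
_CTRL = {'\n': '\\n', '\t': '\\t', '\r': '\\r'}      # readable escapes for common control chars

def repair_json_text(text: str) -> str:
    """Double a backslash starting an invalid escape (e.g. \\$) so the decoded argument
    keeps its literal backslash, and escape raw control characters inside strings (e.g.
    newlines from multi-line shell arguments); text outside strings is kept verbatim."""
    out, in_string, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if not in_string:
            in_string = ch == '"'
            out.append(ch)
            i += 1
        elif ch == '\\':
            nxt = text[i + 1] if i + 1 < len(text) else ''
            if nxt in _VALID_ESCAPES:
                out.append(ch + nxt)          # legitimate escape: keep the pair
                i += 2
            else:
                out.append('\\\\')            # stray backslash: escape it
                i += 1
        else:
            if ch == '"':
                in_string = False             # unescaped quote closes the string
            # RFC 8259 requires U+0000..U+001F inside strings to be escaped
            out.append(_CTRL.get(ch, '\\u%04x' % ord(ch)) if ord(ch) < 0x20 else ch)
            i += 1
    return ''.join(out)

def is_valid_json(line: str) -> bool:
    try:
        json.loads(line)
        return True
    except ValueError:
        return False

def parse_log(text: str) -> list:
    # Repair the raw log, then decode one record per line.
    return [json.loads(l) for l in repair_json_text(text).splitlines() if l.strip()]

# Constructed sample: trimmed versions of the two records quoted in this issue.
SAMPLE_LOG = (
    '{"event":"ES_EVENT_TYPE_NOTIFY_EXEC","process":{"pid":43658,"name":"egrep",'
    '"arguments":["egrep","([\\$~]|//)"]}}\n'
    '{"event":"ES_EVENT_TYPE_NOTIFY_EXEC","process":{"pid":43606,"name":"bash",'
    '"arguments":["bash","-ec","IFS=:; paths=($PATH);\nfor i in ${!paths[@]}; do\n'
    'echo \\"${paths[*]}\\""]}}\n'
)
```

The repair only rewrites characters inside string literals, so a record that is already valid passes through unchanged.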
It looks like there is at least one instance of invalid JSON output being produced.
Example:
The comma in the following, even though there is nothing else following it...

```
cdHash": "4359DA5622EA566C0DC27AC9D3FCEAE3FEE9051F",
```

...from the following: