add json.dumps to fix multiline escape issue #6074

Closed
wingiti wants to merge 1 commit into elastic:main from wingiti:fix-multiline-issue

wingiti (Contributor) commented May 4, 2026

Pull Request

Issue link(s): Related #6071

Summary - What I changed

I changed the return value to also be json dumped for "multiline Triple Double Quoted" stuff,
because it is also done for Triple Single Quoted things and usual single lines, which don't have this issue.

Issue before fix:
Backslashes will not be escaped here and therefore will get lost when saved as a toml file:
[screenshot]

A single line string, for example, will be escaped:
[screenshot]

The fix probably looks a little bit ugly as I had to remove the last line break before dumping and then add it again.
I tried to do the dump already one step before at:

lines = [line + "\n" for line in lines]

But this broke other things.

How To Test

  1. Export the example rule from the related issue or use whatever rule with a filter containing backslashes and being longer than 120 characters.
  2. Check the exported toml file for the number of backslashes.

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

botelastic (bot) added the python (Internal python for the repository) label May 4, 2026
if multiline:
if raw:
return "".join([TRIPLE_DQ, *initial_newline, *lines, TRIPLE_DQ])
return "".join([TRIPLE_DQ] + initial_newline + [json.dumps(line.strip("\n"))[1:-1] + "\n" for line in lines] + [TRIPLE_DQ])
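Review bot: in the non-raw return, `line.strip("\n")` removes newlines from both ends of each line, while only the trailing line break has to come off before `json.dumps`; `line.rstrip("\n")` or `line.removesuffix("\n")` says that directly. `json.dumps` also defaults to `ensure_ascii=True`, so any non-ASCII character in a multiline value would be exported as a `\uXXXX` escape; pass `ensure_ascii=False` if the exported file should keep such text readable. The `[1:-1]` slice that drops the quotes added by `json.dumps` deserves a short comment, and building the escaped lines in a named variable before the join would keep this return readable. A test that exports and reloads a multiline value containing backslashes would pin the behaviour down.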
Review comment by the pull request author (Contributor):

This will fix the issue with the filter but will break the fields "note", "setup", "description", "osquery" if they are multiline as they are somehow additionally escaped below in lines 250-271.

The same issue applies to the fix in PR #6000

Filter needs to be handled in another way or, from my perspective preferred, multiline should be escaped in general (like in this PR) but lines 250-271 need to be removed. As I don't know what impact this might have I will wait for some further feedback for now.

Labels: backport: auto, community, python (Internal python for the repository)