Fix splitlines bug. #1
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@richard-julien This is the issue I discussed in email. |
|
Bumping this up again. This problem has re-occurred (and my local workaround was not in place at the time). A Shodan enrichment for the IP address: 149.210.166.136 contains 0xc2 0x85 (UTF-16 character) in the description. This causes the SSEclient to split on these characters disrupting processing of stream data. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
There are a number of connectors (which specific ones is still under investigation; but at least Mandiant and Domaintools contribute to this issue) that provide description fields containing UTF-16 characters. Some of these UTF-16 characters include the 0x85 character. This is treated as a line terminator by the python splitlines function (it is an old IBM mainframe line terminator). When these characters are encountered by the SSEclient within the pycti library the JSON bundles are split at the 0x85 character causing the connector to generate an exception when processing json.loads.
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
Traceback (most recent call last):
File "/usr/local/lib/python3.10/site-packages/pycti/connector/opencti_connector_helper.py", line 460, in run
self.callback(msg)
File "/opt/opencti-highside-sync/connectors-master/stream/backup-files/src/backup-files.py", line 78, in _process_message
data = json.loads(msg.data)
ujson.JSONDecodeError: Unmatched '"' when decoding 'string'
Terminated
Expected Output
The bundle in question written to an output file.
Actual Output
The bundle does not get written, and the backup-files connector restarts at the last saved timestamp,
and re-processes files until it gets to the bundle in question, and then dies again. The process repeats
until the connector is stopped.
Additional information
N/A
Screenshots (optional)
N/A