
imperva_cloud_waf: step over non-UTF-8 data work items #13152

Merged (1 commit, Mar 18, 2025)

Conversation

@efd6 efd6 (Contributor) commented Mar 18, 2025

Proposed commit message

imperva_cloud_waf: step over non-UTF-8 data work items

It is possible for users to incorrectly configure their Imperva Cloud
WAF logging to send compressed data (this is the default). This results
in a CEL evaluation failure since we depend on the data being string
CEF. When the non-UTF-8 data is converted to a string, CEL refuses to
perform the conversion by design. When a user has done this, it appears
that logs in the compressed form persist, so the agent is unable to move
past the integration-invalid data. This change tries to perform the
conversion, falling back to an error message being sent to the index
when it is not possible. This helps identify cases where the
configuration is incorrect, and allows the collection to step over the
bodies that are not consumable.

Unfortunately we cannot make use of fleet health notifications since
sending object errors prevents cursor updates, and so would result in
continuing to be stuck.

Warning

The CEL input in this integration is not tested in system tests. Please review with extra care.

PoC:

mito src.cel
! stderr .
cmp stdout want.txt

-- src.cel --
[
	b"\xc3\x28",
	b"good message",
].map(body,
	{
		"events": try(string(body), "error").as(body, type(body) == type("") ?
			[{"message": body}]
		:
			[{"error": {"message": body.error}}]
		),
	}
)
-- want.txt --
[
	{
		"events": [
			{
				"error": {
					"message": "invalid UTF-8 in bytes, cannot convert to string"
				}
			}
		]
	},
	{
		"events": [
			{
				"message": "good message"
			}
		]
	}
]

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots
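As an added example, not code from this PR or from the imperva_cloud_waf integration, the same step-over behaviour written in Go against constructed inputs. The two event shapes and the CEL error string are taken from the PoC above; the gzip magic check, the sample bodies and the helper names bodyToEvent and stepOver are assumptions of this example. Unlike CEL, Go's string(body) never refuses invalid bytes, so the example has to make the UTF-8 check explicit, which is the point worth seeing: the validity check, not the conversion, is what decides whether a body becomes a message event or an error event.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"unicode/utf8"
)

// celInvalidUTF8 is the error text CEL produces when string() is applied to
// bytes that are not valid UTF-8 (as shown in the PoC's want.txt).
const celInvalidUTF8 = "invalid UTF-8 in bytes, cannot convert to string"

// gzipMagic is the two-byte gzip header (RFC 1952). Assumption for this
// example only: the "compressed data" a default Imperva configuration sends
// is gzip; the PR's CEL does not inspect compression at all.
var gzipMagic = []byte{0x1f, 0x8b}

// ErrorDetail is the {"error": {"message": ...}} shape the CEL program emits.
type ErrorDetail struct {
	Message string `json:"message"`
}

// Event is either a message event or an error event, never both, mirroring
// the two branches of the CEL ternary in the PoC.
type Event struct {
	Message string       `json:"message,omitempty"`
	Error   *ErrorDetail `json:"error,omitempty"`
}

// bodyToEvent is the Go analogue of try(string(body), "error").as(...).
// Go's string(body) never fails: it copies the bytes unchanged, so the UTF-8
// check that CEL performs by design has to be made explicitly here.
func bodyToEvent(body []byte) Event {
	if utf8.Valid(body) {
		return Event{Message: string(body)}
	}
	msg := celInvalidUTF8
	if bytes.HasPrefix(body, gzipMagic) {
		// Extra hint, not in the PR: a gzip header strongly suggests the
		// Imperva log compression setting is still at its default.
		msg += " (body starts with gzip magic; check the log compression setting)"
	}
	return Event{Error: &ErrorDetail{Message: msg}}
}

// stepOver converts every body and never stops at an unconvertible one, so a
// caller tracking a cursor can advance past it instead of staying wedged.
func stepOver(bodies [][]byte) []Event {
	events := make([]Event, 0, len(bodies))
	for _, b := range bodies {
		events = append(events, bodyToEvent(b))
	}
	return events
}

func main() {
	// Constructed sample bodies: the PoC's two cases plus a gzip-looking one.
	bodies := [][]byte{
		{0xc3, 0x28},
		[]byte("good message"),
		{0x1f, 0x8b, 0x08, 0x00},
	}
	out, err := json.MarshalIndent(stepOver(bodies), "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

The error event carries the same text CEL produces, so a single index query for that message finds every misconfigured tenant, while the cursor keeps moving because an event was emitted rather than an evaluation failure raised.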

@efd6 efd6 added enhancement New feature or request Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:imperva_cloud_waf Imperva Cloud WAF labels Mar 18, 2025
@efd6 efd6 self-assigned this Mar 18, 2025
@efd6 efd6 force-pushed the s5733-imperva_cloud_waf_unwedge branch from 6a31f3a to 8f5776e on March 18, 2025 05:45

elastic-vault-github-plugin-prod bot commented Mar 18, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review March 18, 2025 06:16
@efd6 efd6 requested a review from a team as a code owner March 18, 2025 06:16
elasticmachine commented

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 force-pushed the s5733-imperva_cloud_waf_unwedge branch from 8f5776e to 975b717 on March 18, 2025 20:48
@chrisberkhout chrisberkhout (Contributor) left a comment


Very nice.

The commit description is good and clear.

elasticmachine commented

💚 Build Succeeded

History

cc @efd6

@efd6 efd6 merged commit 80d5dfd into elastic:main Mar 18, 2025
7 checks passed
elastic-vault-github-plugin-prod bot commented

Package imperva_cloud_waf - 1.11.0 containing this change is available at https://epr.elastic.co/package/imperva_cloud_waf/1.11.0/

flexitrev pushed a commit that referenced this pull request Mar 20, 2025