[BUG] Empty JSON key names and JSON key names including dots are not quoted in JQ as they should

Question

[BUG] Empty JSON key names and JSON key names including dots are not quoted in JQ as they should

Closed this issue a year ago · 1 comments

Describe the bug
If the JSON keys contain dotted names (for example user.name), or keys with no name (like ""), the JQ generated by OC Admin is misleading for the Open Collector.

To Reproduce
Steps to reproduce the behavior:

Go to Field Mapping Builder
Import the following log:

{
  "content":{
    "falsePositive":false,
    "fields":{
      "":"this field has no name",
      "user.name":"this one has a dot in it",
      "container.id":"this one too",
      "proc.aname[0]":"and now an array index",
      "proc.aname[1]":"and now an array index",
      "proc.aname[2]":"and now an array index",
      "proc.aname[3]":"and now an array index"
    }
  }
}

Assign user.name to a LogRhythm field
Check JQ generated: it's trying to map content.fields.user.name.

Expected behavior
Weird key names should be encapsulated in quotes.
For example, user.name from the same above should be mapped as content.fields."user.name".

Screenshots

Desktop (please complete the following information):

OS: Any
Browser: Any
Version: Any

Additional context
Thanks Jeff (@hackdefendr) for finding and reporting this one out.

Answer 1 · 2023-04-27T20:22:34.000Z

Fixed.
Published new image (https://hub.docker.com/layers/tonymasse/oc-admin/v1.2.1/images/sha256-690887693caf98c56abc50c0fc54db46edbde8043c44a5a948ff49571c4741bf?context=explore) with the fix.
Customer tested that version and reported the JQ problem gone.