[BUG] Empty JSON key names and JSON key names including dots are not quoted in JQ as they should
Closed this issue · 1 comments
Describe the bug
If the JSON keys contain dotted names (for example user.name), or keys with no name (like ""), the JQ generated by OC Admin is misleading for the Open Collector.
To Reproduce
Steps to reproduce the behavior:
- Go to Field Mapping Builder
- Import the following log:
  {
    "content": {
      "falsePositive": false,
      "fields": {
        "": "this field has no name",
        "user.name": "this one has a dot in it",
        "container.id": "this one too",
        "proc.aname[0]": "and now an array index",
        "proc.aname[1]": "and now an array index",
        "proc.aname[2]": "and now an array index",
        "proc.aname[3]": "and now an array index"
      }
    }
  }
- Assign user.name to a LogRhythm field
- Check JQ generated: it's trying to map content.fields.user.name.
Expected behavior
Weird key names should be encapsulated in quotes.
For example, user.name from the same above should be mapped as content.fields."user.name".
Desktop (please complete the following information):
- OS: Any
- Browser: Any
- Version: Any
Additional context
Thanks Jeff (@hackdefendr) for finding and reporting this one out.
Fixed.
Published new image (https://hub.docker.com/layers/tonymasse/oc-admin/v1.2.1/images/sha256-690887693caf98c56abc50c0fc54db46edbde8043c44a5a948ff49571c4741bf?context=explore) with the fix.
Customer tested that version and reported the JQ problem gone.
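
The quoting rule the issue asks for, as an added example that is not OC Admin's code or its actual fix: it builds jq paths from key segments and quotes any key that is not a plain jq identifier. The function names are hypothetical, the sample is shortened from the log in the issue, and the leading dot follows jq's own path syntax.

```javascript
// Added example, not OC Admin code. All names below are hypothetical.
// Keys jq accepts unquoted after a dot (.foo, .foo_1).
const PLAIN_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;

// One path segment in jq syntax: integers are array indices, strings are keys.
function jqSegment(seg) {
  if (Number.isInteger(seg)) return `[${seg}]`;
  if (PLAIN_KEY.test(seg)) return `.${seg}`;
  // jq string literals use JSON escaping. JSON.stringify doubles backslashes,
  // so a key containing "\(" cannot become a jq string interpolation.
  return `.${JSON.stringify(seg)}`;
}

// Full jq path for a list of segments, e.g. .content.fields."user.name"
function jqPath(segments) {
  const path = segments.map(jqSegment).join('');
  if (path === '') return '.';
  return path.startsWith('[') ? `.${path}` : path;
}

// Unquoted join, kept only to show the ambiguity the issue describes.
function naivePath(segments) {
  return `.${segments.join('.')}`;
}

// Every leaf of a parsed log as a list of segments.
function leafPaths(value, prefix = []) {
  if (value === null || typeof value !== 'object') return [prefix];
  const keys = Array.isArray(value) ? value.map((_, i) => i) : Object.keys(value);
  return keys.flatMap((k) => leafPaths(value[k], [...prefix, k]));
}

// Sample log shortened from the one in the issue.
const SAMPLE = {
  content: {
    falsePositive: false,
    fields: {
      '': 'this field has no name',
      'user.name': 'this one has a dot in it',
      'proc.aname[0]': 'and now an array index',
    },
  },
};

for (const segs of leafPaths(SAMPLE)) {
  console.log(jqPath(segs).padEnd(36), 'naive:', naivePath(segs));
}
```

With the unquoted join, the key "user.name" and the nested keys "user" then "name" produce the same path, so a parser rule written for one can silently read the other or nothing at all.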