Prevent input name collision with db name for refs (#6056)

[labo-flg]

Several refs attributes have the same input name as their db name, resulting in bugs during stream event publishing.

If the attribute is multiple, the event published in stream contains null in patch.
If it's a single value, the stream event won't be sent and an error will be thrown (store update event error)

Proposed changes

• on schema registration, check the names collisions and throw an error
• fix all collisions found by prefixing the name
• rename API keys that require changes (--> only MalwareAnalysisAddInput.sample to rename MalwareAnalysisAddInput.analysisSample

Related issues

• Worker error when importing Network-Traffic object with nested properties #6056

Checklist

• I consider the submitted work as finished
• I tested the code for its functionality
• I wrote test cases for the relevant uses case
• I added/update the relevant documentation (either on github or on notion)
• Where necessary I refactored code to improve the overall quality

Further comments

e2e tests would be added in #6073 to cover network traffic creation + ref, I won't add it here (or improve on it here once merge and rebase)

To test this PR, test the following:

• open the raw stream at http://localhost:3000/stream
• Create an observable > network traffic, with a random dst port
• Open it, go to knowledge, and add a nested object
• check single ref
  • select an ipv4 address, and create a "src" relationship (not dst, you will end up in Having Network Traffic observable with a dst ref makes the observable listing crash #6070)
  • BEFORE --> store update event, NOW -> no error
  • check in stream the update event is correct
• check multiple ref
  • create 2 other network traffic using just some random DST port values
  • select the inital network traffic, and create 2 "encapsulates" relationship with the 2 other network traffic
  • BEFORE --> no store update event but NULL in the stream events, NOW -> no error, correct values in the stream events

[labo-flg]

None of the input names modified here are exposed in the graphql API

The refs can only be created through stixRefRelationShipAdd, using relationship_type key and it does not need to change there.

[labo-flg]

just an improvement on the way, to finally have a clear feedback on what is the precise version used.

[labo-flg]

This is the only breaking change to the API.

All other renaming are on attribute never exposed in the API for now.

[richard-julien]

Why not objectSample?

[labo-flg]

this one was tricky.

"from" is a key used in 2 different context: it's the "from" of a relationship, and the "from" in an email message.

INPUT_FROM was defined for use with email message only, but it was also imported and used in places related to relationship.

Now that we renamed for email to emailFrom it's not working anymore for relationships. But it was never meant to work like that in the first place.

[richard-julien]

Now that email is now on INPUT_EMAIL_FROM, are you sure is still needed to not used the constant?

[labo-flg]

Most of the time the constant INPUT_NAME was not used, its' the string "from".
It was an input for email, but as for relationship it's not in any schema def, it's not an input.
We think it's an old confusion (email 'from' being used in place where we actually meant "from" of a relationship).

We removed the constant INPUT_NAME. It's not used in any schema def.

[SouadHadjiat]

This part was causing the test "should all elements correctly deleted" in middleware-test to fail, because the "from" was not resolved for one of the entity (it was a stix ref relationship). and yes we think "INPUT_FROM" was used by mistake because it was "from" until we changed it to "emailFrom", since it was an input specific to email message. And it was the only place where it was used as a constant, in all other places in middleware we use the string 'from' directly.

[richard-julien]

I thought we talk about pushing the objectXXX convention

[labo-flg]

the convention objectXXX produces the change contains -> objectContains
but objectContains was an old filter key still renamed on the fly to objects, so we can't use objectContains

one thing leading to another, we thought it would be better to prefix with the entity they're used for as per the schema description. It's the case for a lot of other keys.

[Kedae]

Need Julien eye on that

On it

[SouadHadjiat]

Related python client PR open for malwareAnalysis : OpenCTI-Platform/client-python#563