[Bug] Rule Toml Write Formatting Wrongly Formats \\\\x

detection_rules/etc/test_toml.json

@@ -48,6 +48,14 @@
       ]
     }
   },
+  {
+    "metadata": {
+      "field": "value"
+    },
+    "rule": {
+      "path": "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"
+    }
+  },
   {
     "metadata": {
       "field": "value"

detection_rules/rule_formatter.py

@@ -123,7 +123,6 @@ class RuleTomlEncoder(toml.TomlEncoder):  # type: ignore[reportMissingTypeArgume
     def __init__(self, *args: Any, **kwargs: Any) -> None:
         """Create the encoder but override some default functions."""
         super().__init__(*args, **kwargs)  # type: ignore[reportUnknownMemberType]
-        self._old_dump_str = toml.TomlEncoder().dump_funcs[str]
         self._old_dump_list = toml.TomlEncoder().dump_funcs[list]
         self.dump_funcs[str] = self.dump_str
         self.dump_funcs[str] = self.dump_str
@@ -148,10 +147,12 @@ def dump_str(self, v: str | NonformattedField) -> str:
         if multiline:
             if raw:
                 return "".join([TRIPLE_DQ, *initial_newline, *lines, TRIPLE_DQ])
-            return "\n".join([TRIPLE_SQ] + [self._old_dump_str(line)[1:-1] for line in lines] + [TRIPLE_SQ])
+            return "\n".join([TRIPLE_SQ] + [json.dumps(line)[1:-1] for line in lines] + [TRIPLE_SQ])
         if raw:
             return f"'{lines[0]:s}'"
-        return self._old_dump_str(v)
+        # In the toml library there is a magic replace for \\\\x -> u00 that we wish to avoid until #4979 is resolved
+        # Also addresses an issue where backslashes in certain strings are not properly escaped in self._old_dump_str(v)
+        return json.dumps(v)
 
     def _dump_flat_list(self, v: Iterable[Any]) -> str:
         """A slightly tweaked version of original dump_list, removing trailing commas."""

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.3.24"
+version = "1.3.25"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"