diff --git a/detection_rules/etc/test_toml.json b/detection_rules/etc/test_toml.json index 081222bbb20..af72ed62fa9 100644 --- a/detection_rules/etc/test_toml.json +++ b/detection_rules/etc/test_toml.json @@ -170,5 +170,15 @@ } ] } + }, + { + "metadata": { + "creation_date": "2020/02/26", + "maturity": "development", + "updated_date": "2020/02/26" + }, + "rule": { + "query": "file.path: \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\" file.path: Hello\\:World" + } } ] diff --git a/detection_rules/rule_formatter.py b/detection_rules/rule_formatter.py index 16fe4733a5d..c5dd4aef017 100644 --- a/detection_rules/rule_formatter.py +++ b/detection_rules/rule_formatter.py @@ -154,9 +154,12 @@ def dump_str(self, v: str | NonformattedField) -> str: raw = (multiline or (DQ in v and SQ not in v)) and TRIPLE_DQ not in v if multiline: - if raw: - return "".join([TRIPLE_DQ, *initial_newline, *lines, TRIPLE_DQ]) - return "\n".join([TRIPLE_SQ] + [json.dumps(line)[1:-1] for line in lines] + [TRIPLE_SQ]) + # Triple-double-quoted basic strings allow literal newlines and literal ``"`` + # (as long as ``"""`` doesn't appear, which is guarded above via ``TRIPLE_DQ not in v``), + # but backslashes must be escaped so that e.g. ``Hello\:World`` is serialized as + # ``Hello\\:World`` -- otherwise ``\:`` is an invalid TOML escape sequence (issue #5182). + escaped_lines = [line.replace("\\", "\\\\") for line in lines] + return "".join([TRIPLE_DQ, *initial_newline, *escaped_lines, TRIPLE_DQ]) if raw: return f"'{lines[0]:s}'" # In the toml library there is a magic replace for \\\\x -> u00 that we wish to avoid until #4979 is resolved diff --git a/pyproject.toml b/pyproject.toml index ae81f56061a..e756a083069 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.6.33" +version = "1.6.34" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12"