[ti_opencti] Fix processing of externalReferences #8556
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Changelog and manifest updates?
packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
...encti/data_stream/indicator/_dev/test/pipeline/test-domain-name-with-external-reference.json
...encti/data_stream/indicator/_dev/test/pipeline/test-domain-name-with-external-reference.json
99a1ec5 to 755a7a0
Now done. I should have opened this as a draft, since I wanted to wait until community PR #8428 was merged.
return; | ||
} | ||
for (int i = 0; i < edges.length; i++) { | ||
if (!ctx.opencti?.indicator?.containsKey('external_reference')) { |
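Review bot: In the `if` inside the loop, `!ctx.opencti?.indicator?.containsKey('external_reference')` applies `!` to a null-safe chain, and that chain evaluates to null rather than a boolean whenever `opencti` or `indicator` is absent, so there is no boolean to negate. Make the missing-parent case explicit, for example `ctx.opencti?.indicator != null && !ctx.opencti.indicator.containsKey('external_reference')`, or compare the chain's result against `true` or `false` instead of negating it.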
This is not safe; the `?.` operator stops the derefs being unsafe, but then we get to a look up for the method on `null`, and bang!
if (!ctx.opencti?.indicator?.containsKey('external_reference')) { | |
if (ctx.opencti?.indicator != null && !ctx.opencti.indicator.containsKey('external_reference')) { |
Here the last null safe operator replaces a plain `.containsKey()` method call. My rule of thumb is that `?.` will make the thing immediately to its right safe - either a field access or a method call.
This script returns "safely got a null":
POST _scripts/painless/_execute
{
  "script": {
    "params": {
      "key": null
    },
    "source": """
      if (params.key?.nonKey?.nonMethod("arg")?.nonMethod2("arg") == null) {
        return "safely got a null";
      }
    """
  }
}
Actually, I see there's a problem. The `...?.containsKey('external_reference')` is okay, but `null` as the result of an `if` condition is not okay. So I fixed that and other occurrences like this:
if (ctx.opencti?.indicator?.containsKey('external_reference') == true) {
...
}
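An added example, not code from this PR: a Dev Tools request in the same form as the one earlier in the thread, running the explicit comparisons over three constructed documents (no `indicator`, an `indicator` without the key, and one with it). The `docs` parameter and the label strings are made up for the illustration.

```painless
POST _scripts/painless/_execute
{
  "script": {
    "params": {
      "docs": [
        {},
        { "opencti": { "indicator": {} } },
        { "opencti": { "indicator": { "external_reference": [] } } }
      ]
    },
    "source": """
      // Constructed input: each element of params.docs stands in for ctx.
      List out = new ArrayList();
      for (def doc : params.docs) {
        // The chain yields null, false or true depending on how far it gets.
        def has = doc.opencti?.indicator?.containsKey('external_reference');
        if (has == true) {
          // Only a real boolean true reaches this branch; null compares unequal.
          out.add('key present');
        } else if (doc.opencti?.indicator != null
                   && !doc.opencti.indicator.containsKey('external_reference')) {
          // Parent checked for null first, so the negation sees a boolean.
          out.add('indicator present but key absent');
        } else {
          // opencti or indicator is missing: the chain stopped early at null.
          out.add('indicator missing');
        }
      }
      return out;
    """
  }
}
```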
Thanks, that's very informative; I've learned something new.
Thanks
Package ti_opencti - 0.3.2 containing this change is available at https://epr.elastic.co/search?package=ti_opencti