Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-05 14:28:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 143
fleet/orbit/pkg/table/crowdstrike/falconctl/parser.go
Ian Littman a5299d4eb6
Make various fixes to falconctl parsing to remove errors on selecting from the falconctl_options table (#35479) 
Fixes #32239.

This changes tags to return a comma-delimited list on multiple tags, the
single tag when there's only one, and "is not set" (similar to other
values) when no tags are set.

Confirmed that this allows us to run `SELECT * FROM falconctl_options`
without issue on various configurations of Crowdstrike Falcon on Linux.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

## Testing

- [x] Added/updated automated tests

- [x] QA'd all new/changed functionality manually

## fleetd/orbit/Fleet Desktop

- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
2025-11-11 18:11:04 -06:00

93 lines
2.5 KiB
Go
Raw Blame History

// based on github.com/kolide/launcher/pkg/osquery/tables
package falconctl
import (
"bufio"
"fmt"
"io"
"strings"
)
// parseOptions parses the stdout returned from falconctl's displayed options. As far as we know, output is a single
// line, comma-separated. We parse multiple lines, but assume data does not space that. e.g. linebreaks and commas
// treated as separators.
func parseOptions(reader io.Reader) (any, error) {
results := make(map[string]interface{})
errors := make([]error, 0)
// rfm-reason, oddly, produces two KV pairs on a single line. We need to track the last key we saw, and
// append to that value.
var lastKey string
scanner := bufio.NewScanner(reader)
for scanner.Scan() {
line := scanner.Text()
// sometimes lines end in , or ., remove them.
line = strings.TrimRight(line, ",.")
if line == "" {
continue
}
pairs := strings.Split(line, ", ")
for _, pair := range pairs {
pair = strings.TrimSpace(pair)
if pair == "" {
continue
}
// The format is quite inconsistent. The following sample shows 5 possible
// outputs. We'll try to parse them all:
//
// cid="ac917ab****************************"
// aid is not set
// aph is not set
// app is not set
// rfm-state is not set
// rfm-reason is not set
// Sensor grouping tags are not set
// rfm-reason=None, code=0x0,
// feature is not set
// metadata-query=enable (unset default)
// version = 6.38.13501.0
// We see 5 different formats. We'll try to parse them all.
if strings.HasSuffix(pair, " is not set") {
// What should this be set to? nil? "is not set"? TBD!
results[pair[:len(pair)-len(" is not set")]] = "is not set"
continue
}
if pair == "Sensor grouping tags are not set" {
results["tags"] = "is not set" // might as well be consistent with the above
continue
}
kv := strings.SplitN(pair, "=", 2)
if len(kv) == 2 {
// remove quotes and extra spaces
kv[0] = strings.Trim(kv[0], `" `)
kv[1] = strings.Trim(kv[1], `" `)
// Remove parenthetical note about an unset default
kv[1] = strings.TrimSuffix(kv[1], " (unset default)")
if lastKey == "rfm-reason" && kv[0] == "code" {
kv[0] = "rfm-reason-code"
}
results[kv[0]] = kv[1]
lastKey = kv[0]
continue
}
// Unknown format. Note the error
errors = append(errors, fmt.Errorf("unknown format: `%s` on line `%s`", pair, line))
}
}
if len(errors) > 0 {
return results, fmt.Errorf("errors parsing: %v", errors)
}
return results, nil
}
Reference in a new issue View git blame Copy permalink