You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
We are getting the error Syntax error at offset in our logs. The occurs when any special character of ,.<>{}[]"':;!@#$%^&*()+=~ is added to the Search bar of the Events section in the UI.
How to reproduce it
Install the Falco Helm chart with Falcosidekick (using version 4.3.0, which corresponds to app version 0.37.1) and search for an event (with any of the following special character: ,.<>{}[]"':;!@#$%^&*()+=~) in the Search bar of the Events section.
Expected behaviour
No Syntax error at offset when special characters ,.<>{}[]"':;!@#$%^&*()+=~ is added to the Search bar of the Events section in the UI.
Screenshots
When I search for the event time 06:47:14:398, that has the special character :, I get the error:
But then when I properly escape the : using \ (i.e., 06\:47\:14\:398), I don't get the error:
Environment
Falco version:
0.37.1
System info:
Linux version 5.15.148.2-2.cm2 (root@CBL-Mariner) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37) UI updates #1 SMP Fri Feb 23 23:44:30 UTC 2024
Kernel:
Linux falco-falcosidekick-ui-5f89b8bc9d-zn869 5.15.148.2-2.cm2 UI updates #1 SMP Fri Feb 23 23:44:30 UTC 2024 x86_64 Linux
Installation method:
Kubernetes
Additional context
I believe the issue occurs with the API call /api/v1/events/count/:groupby that calls the CountBy function, then the CountKeyBy function, then the newQuery function that calls the erroneous Escape function that doesn’t escape all punctuation correctly (see screenshot below). The function correctly escapes hyphens (with the use of a single backslash), but then incorrectly escapes forward slashes and periods by using two backslashes (and omits all other special characters). This is why when we put one of those characters in the search field, we get the error.
Describe the bug
We are getting the error
Syntax error at offset
in our logs. The occurs when any special character of,.<>{}[]"':;!@#$%^&*()+=~
is added to theSearch
bar of theEvents
section in the UI.How to reproduce it
Install the Falco Helm chart with Falcosidekick (using version
4.3.0
, which corresponds to app version0.37.1
) and search for an event (with any of the following special character:,.<>{}[]"':;!@#$%^&*()+=~
) in theSearch
bar of theEvents
section.Expected behaviour
No
Syntax error at offset
when special characters,.<>{}[]"':;!@#$%^&*()+=~
is added to theSearch
bar of theEvents
section in the UI.Screenshots
When I search for the event time
06:47:14:398
, that has the special character:
, I get the error:But then when I properly escape the
:
using\
(i.e.,06\:47\:14\:398
), I don't get the error:Environment
0.37.1
Linux version 5.15.148.2-2.cm2 (root@CBL-Mariner) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37) UI updates #1 SMP Fri Feb 23 23:44:30 UTC 2024
AKS
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.15.10
PRETTY_NAME="Alpine Linux v3.15"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
/app $
Linux falco-falcosidekick-ui-5f89b8bc9d-zn869 5.15.148.2-2.cm2 UI updates #1 SMP Fri Feb 23 23:44:30 UTC 2024 x86_64 Linux
Kubernetes
Additional context
I believe the issue occurs with the API call
/api/v1/events/count/:groupby
that calls theCountBy
function, then theCountKeyBy
function, then thenewQuery
function that calls the erroneousEscape
function that doesn’t escape all punctuation correctly (see screenshot below). The function correctly escapes hyphens (with the use of a single backslash), but then incorrectly escapes forward slashes and periods by using two backslashes (and omits all other special characters). This is why when we put one of those characters in the search field, we get the error.In Redis, when you query for tags that contain punctuation, you must escape that punctuation with a backslash character (). If not, then you’ll get the error we are seeing (see: https://redis.io/docs/latest/develop/interact/search-and-query/advanced-concepts/tags/ and https://redis.io/docs/latest/develop/interact/search-and-query/advanced-concepts/escaping/).
The text was updated successfully, but these errors were encountered: