feat: Add ParseKVLax for Flexible Key-Value Parsing (#4007)

* feat: improve ParseKV function to handle unquoted values with spaces

- Replace regex-based parsing with scanner approach for better handling of complex key-value pairs
- Add support for unquoted values containing spaces (e.g., UNIFIhost=Express 7)
- Maintain backward compatibility with existing quoted and simple unquoted values
- Add robust filtering to prevent false positives from invalid key patterns
- Improve quote handling and escaping for quoted values
- Add comprehensive test cases covering edge cases and mixed scenarios

Fixes parsing issues with CEF logs and other formats where values contain spaces without quotes.

* fix: minor formatting cleanup in ParseKVLax helpers

* refactor: improve code style in isInsideQuotedValue using early continue (gocritic)

* fix: work on mmetc feedback

* fix: change backslash logic to even check

---------

Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com>
Co-authored-by: marco <marco@crowdsec.net>

Author: LaurenceJJones

pkg/exprhelpers/expr_lib.go

@@ -461,6 +461,13 @@ var exprFuncs = []exprCustomFunc{
 			new(func(string, map[string]any, string) error),
 		},
 	},
+	{
+		name:     "ParseKVLax",
+		function: ParseKVLax,
+		signature: []any{
+			new(func(string, map[string]any, string) error),
+		},
+	},
 	{
 		name:     "Hostname",
 		function: Hostname,

pkg/exprhelpers/exprlib_test.go

@@ -2201,3 +2201,146 @@ func TestParseKv(t *testing.T) {
 		})
 	}
 }
+
+func TestParseKvLax(t *testing.T) {
+	err := Init(nil)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name           string
+		value          string
+		want           map[string]string
+		expr           string
+		wantBuildErr   bool
+		wantRuntimeErr bool
+	}{
+		{
+			name:  "ParseKVLax() test: valid string",
+			value: "foo=bar",
+			want:  map[string]string{"foo": "bar"},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: valid string multiple",
+			value: "foo=bar bar=foo",
+			want:  map[string]string{"foo": "bar", "bar": "foo"},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: quoted string",
+			value: `foo="bar=toto"`,
+			want:  map[string]string{"foo": "bar=toto"},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: empty unquoted string",
+			value: `foo= bar=toto`,
+			want:  map[string]string{"bar": "toto", "foo": ""},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: empty quoted string",
+			value: `foo="" bar=toto`,
+			want:  map[string]string{"bar": "toto", "foo": ""},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: unquoted value with spaces",
+			value: `UNIFIhost=Express 7 port=443`,
+			want:  map[string]string{"UNIFIhost": "Express 7", "port": "443"},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: mixed quoted and unquoted with spaces",
+			value: `msg="Hello World" host=My Server name=test`,
+			want:  map[string]string{"msg": "Hello World", "host": "My Server", "name": "test"},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: escaped quotes in quoted value",
+			value: `msg="He said \"Hello\"" status=ok`,
+			want:  map[string]string{"msg": `He said "Hello"`, "status": "ok"},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: escaped backslashes in quoted value",
+			value: `path="C:\\Program Files\\App" status=running`,
+			want:  map[string]string{"path": `C:\Program Files\App`, "status": "running"},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: empty unquoted value at end",
+			value: `host=server port=443 debug=`,
+			want:  map[string]string{"host": "server", "port": "443", "debug": ""},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: complex CEF-like log extension",
+			value: `src=192.168.1.100 duser=admin msg=User login successful UNIFIhost=Express 7 UNIFIport=443`,
+			want:  map[string]string{"src": "192.168.1.100", "duser": "admin", "msg": "User login successful", "UNIFIhost": "Express 7", "UNIFIport": "443"},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: iptables-style values with flags",
+			value: `RES=0x00 SYN URGP=0 ID=25029 DF PROTO=TCP`,
+			want:  map[string]string{"RES": "0x00 SYN", "URGP": "0", "ID": "25029 DF", "PROTO": "TCP"},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: keycloak-style JSON values",
+			value: `error=user_not_found, code_id=e44d80b4-058d-4b45-b2ee-fac3d174e10c, userId=null, type=LOGIN_ERROR`,
+			want:  map[string]string{"error": "user_not_found,", "code_id": "e44d80b4-058d-4b45-b2ee-fac3d174e10c,", "userId": "null,", "type": "LOGIN_ERROR"},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: key= after escaped quotes inside quoted value",
+			value: `msg="say \"fake=val\" here" real=value`,
+			want:  map[string]string{"msg": `say "fake=val" here`, "real": "value"},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:  "ParseKVLax() test: escaped backslash before closing quote",
+			value: `path="C:\\" next=val`,
+			want:  map[string]string{"path": `C:\`, "next": "val"},
+			expr:  `ParseKVLax(value, out, "a")`,
+		},
+		{
+			name:         "ParseKVLax() test: invalid type for first argument",
+			value:        "",
+			expr:         `ParseKVLax(42, out, "a")`,
+			wantBuildErr: true,
+		},
+		{
+			name:           "ParseKVLax() test: no key=value pairs",
+			value:          "no pairs here",
+			expr:           `ParseKVLax(value, out, "a")`,
+			wantRuntimeErr: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			outMap := make(map[string]any)
+			env := map[string]any{
+				"value": tc.value,
+				"out":   outMap,
+			}
+			vm, err := expr.Compile(tc.expr, GetExprOptions(env)...)
+			if tc.wantBuildErr {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+
+			_, err = expr.Run(vm, env)
+			if tc.wantRuntimeErr {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+			assert.Equal(t, tc.want, outMap["a"])
+		})
+	}
+}

pkg/exprhelpers/helpers.go

@@ -62,6 +62,7 @@ func init() { //nolint:gochecknoinits
 }
 
 var keyValuePattern = regexp.MustCompile(`(?P<key>[^=\s]+)=(?:"(?P<quoted_value>[^"\\]*(?:\\.[^"\\]*)*)"|(?P<value>[^=\s]+)|\s*)`)
+var keyStart = regexp.MustCompile(`([a-zA-Z_][a-zA-Z0-9_.-]*)=`) // More restrictive key pattern for loose parsing
 
 var (
 	geoIPCityReader  *geoip2.Reader
@@ -988,6 +989,112 @@ func ParseKV(params ...any) (any, error) {
 	return nil, nil
 }
 
+// ParseKVLax parses key-value pairs with lax matching, supporting unquoted multi-word values
+// by using a scanner approach instead of regex.
+func ParseKVLax(params ...any) (any, error) {
+	blob := params[0].(string)
+	target := params[1].(map[string]any)
+	prefix := params[2].(string)
+
+	if _, ok := target[prefix]; !ok {
+		target[prefix] = make(map[string]string)
+	} else if _, ok := target[prefix].(map[string]string); !ok {
+		log.Errorf("ParseKVLax: target is not a map[string]string")
+		return nil, errors.New("target is not a map[string]string")
+	}
+
+	km := target[prefix].(map[string]string)
+
+	// Find all key= occurrences and slice values between them.
+	idxs := keyStart.FindAllStringSubmatchIndex(blob, -1)
+	if len(idxs) == 0 {
+		log.Errorf("could not find any key/value pair in line")
+		return nil, errors.New("invalid input format")
+	}
+
+	// Filter out matches that are inside quoted values
+	validIdxs := make([][]int, 0, len(idxs))
+	for _, m := range idxs {
+		keyStartPos := m[0]
+		// Check if this key= is inside a quoted value by looking backwards
+		if !isInsideQuotedValue(blob, keyStartPos) {
+			validIdxs = append(validIdxs, m)
+		}
+	}
+
+	if len(validIdxs) == 0 {
+		log.Errorf("could not find any key/value pair in line")
+		return nil, errors.New("invalid input format")
+	}
+
+	for i, m := range validIdxs {
+		// m layout: [ fullStart, fullEnd, group1Start, group1End ]
+		key := blob[m[2]:m[3]]
+		valStart := m[1] // right after '='
+
+		var valEnd int
+		if i+1 < len(validIdxs) {
+			valEnd = validIdxs[i+1][0] // start of next key
+		} else {
+			valEnd = len(blob)
+		}
+
+		raw := strings.TrimSpace(blob[valStart:valEnd])
+		val := parseValueLax(raw)
+		km[key] = val
+	}
+
+	log.Tracef("unmarshaled KV (lax): %+v", target[prefix])
+	return nil, nil
+}
+
+// parseValueLax handles quoted and unquoted values for lax parsing.
+//   - If it begins with a quote, it removes the surrounding quotes
+//     if the closing one is present and unescapes \" and \\.
+//   - For unquoted values, returns the entire trimmed value as-is
+func parseValueLax(s string) string {
+	if s == "" {
+		return ""
+	}
+
+	if s[0] != '"' {
+		return s
+	}
+
+	if len(s) >= 2 && s[len(s)-1] == '"' {
+		body := s[1 : len(s)-1]
+		body = strings.ReplaceAll(body, `\\`, `\`)
+		body = strings.ReplaceAll(body, `\"`, `"`)
+		return body
+	}
+
+	return strings.TrimPrefix(s, `"`)
+}
+
+// isInsideQuotedValue checks if a position in the string is inside a quoted value
+// by counting unescaped quotes before the position
+func isInsideQuotedValue(s string, pos int) bool {
+	inQuote := false
+
+	for i := 0; i <= pos && i < len(s); i++ {
+		if s[i] != '"' {
+			continue
+		}
+
+		// Check if this quote is escaped
+		backslashCount := 0
+		for j := i - 1; j >= 0 && s[j] == '\\'; j-- {
+			backslashCount++
+		}
+
+		if backslashCount%2 == 0 {
+			inQuote = !inQuote
+		}
+	}
+
+	return inQuote
+}
+
 func Hostname(params ...any) (any, error) {
 	hostname, err := os.Hostname()
 	if err != nil {