
Fix add_host_metadata host.geo map sharing across events #49722

Draft
github-actions[bot] wants to merge 1 commit into main from
fix-add-host-geo-corruption-49721-279ca6e4b1cdf175

@github-actions
Contributor

Summary

This change fixes add_host_metadata geodata corruption caused by shared map reuse.

When enriching events, host data was cloned before DeepUpdate, but geo data was not. Because DeepUpdate can merge map values by reference, mutating host.geo in one processed event could affect later events.

What changed

  • In libbeat/processors/add_host_metadata/add_host_metadata.go, clone cached geo data before merging:
    • event.Fields.DeepUpdate(p.geoData.Clone())
  • Added regression test in libbeat/processors/add_host_metadata/add_host_metadata_test.go:
    • TestGeoFieldsAreNotMutatedAcrossEvents
    • Verifies mutating host.geo on one event does not leak to a subsequent event.

Validation

  • go test ./libbeat/processors/add_host_metadata -run TestGeoFieldsAreNotMutatedAcrossEvents
  • ⚠️ go test ./libbeat/processors/add_host_metadata fails in this CI container due to existing environment assumptions in pre-existing tests (no valid /etc/(distrib)-release file found), unrelated to this change.

Notes

Note

🔒 Integrity filtering filtered 1 item

Integrity filtering activated and filtered the following item during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.


What is this? | From workflow: Mention in Issue


Clone cached geo data before DeepUpdate so per-event host.geo mutations cannot leak into subsequent events.

Add a regression test that mutates host.geo on one event and verifies later events are unaffected.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions bot added the ai label Mar 26, 2026
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Mar 26, 2026
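
The aliasing described in the PR summary, as an added Go example that is not code from this pull request or from libbeat. `M`, `deepUpdate`, `clone` and `secondEventGeo` are simplified, hypothetical stand-ins for the event map and its merge, and the field values are constructed.

```go
package main

import "fmt"

// M is a simplified stand-in for a nested event-field map (not libbeat's type).
type M map[string]interface{}

// deepUpdate merges src into dst, recursing only when both sides hold a map.
func (dst M) deepUpdate(src M) {
	for k, v := range src {
		sub, isMap := v.(M)
		cur, hasMap := dst[k].(M)
		if isMap && hasMap {
			cur.deepUpdate(sub)
		} else {
			dst[k] = v // a nested map is stored by reference, not copied
		}
	}
}

// clone returns a deep copy that the caller may mutate freely.
func (m M) clone() M {
	out := make(M, len(m))
	for k, v := range m {
		if sub, ok := v.(M); ok {
			v = sub.clone()
		}
		out[k] = v
	}
	return out
}

// secondEventGeo enriches two events from one cached geo map, mutates
// host.geo on the first, and returns host.geo.name as seen by the second.
func secondEventGeo(cloneFirst bool) string {
	cached := M{"host": M{"geo": M{"name": "dc-1"}}} // constructed sample
	enrich := func() M {
		event, geo := M{"host": M{"name": "web-01"}}, cached
		if cloneFirst {
			geo = cached.clone()
		}
		event.deepUpdate(geo)
		return event
	}
	enrich()["host"].(M)["geo"].(M)["name"] = "tampered" // mutate event 1 only
	return enrich()["host"].(M)["geo"].(M)["name"].(string)
}

func main() {
	fmt.Println("shared:", secondEventGeo(false), "cloned:", secondEventGeo(true))
}
```

Without the clone, the second event reports the value written through the first event, because both events hold the cached `geo` map itself.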
@botelastic

botelastic bot commented Mar 26, 2026

This pull request doesn't have a Team:<team> label.

@mergify
Contributor

mergify bot commented Mar 26, 2026

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @github-actions[bot]? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

Development

Successfully merging this pull request may close these issues.

add_host_metadata Geodata Corruption
