[Bug] Rule Toml Write Formatting Wrongly Formats \\\\x (#4978)

eric-forte-elastic · tradebot-elastic · commit bf20e1ac0056 · 2025-08-18T21:07:29.000Z
* Fix rule and mitigate py toml * Bump patch version * Add reference to issue * Add unit test for path issues * Update comment * Certain strings were not properly escaped * Updated to use json instead of repr * replace _old_dump_str with json.dumps * Bump Version (cherry picked from commit dde448e)
diff --git a/detection_rules/etc/test_toml.json b/detection_rules/etc/test_toml.json
@@ -48,6 +48,14 @@
       ]
     }
   },
+  {
+    "metadata": {
+      "field": "value"
+    },
+    "rule": {
+      "path": "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"
+    }
+  },
   {
     "metadata": {
       "field": "value"
diff --git a/detection_rules/rule_formatter.py b/detection_rules/rule_formatter.py
@@ -123,7 +123,6 @@ class RuleTomlEncoder(toml.TomlEncoder):  # type: ignore[reportMissingTypeArgume
     def __init__(self, *args: Any, **kwargs: Any) -> None:
         """Create the encoder but override some default functions."""
         super().__init__(*args, **kwargs)  # type: ignore[reportUnknownMemberType]
-        self._old_dump_str = toml.TomlEncoder().dump_funcs[str]
         self._old_dump_list = toml.TomlEncoder().dump_funcs[list]
         self.dump_funcs[str] = self.dump_str
         self.dump_funcs[str] = self.dump_str
@@ -148,10 +147,12 @@ def dump_str(self, v: str | NonformattedField) -> str:
         if multiline:
             if raw:
                 return "".join([TRIPLE_DQ, *initial_newline, *lines, TRIPLE_DQ])
-            return "\n".join([TRIPLE_SQ] + [self._old_dump_str(line)[1:-1] for line in lines] + [TRIPLE_SQ])
+            return "\n".join([TRIPLE_SQ] + [json.dumps(line)[1:-1] for line in lines] + [TRIPLE_SQ])
         if raw:
             return f"'{lines[0]:s}'"
-        return self._old_dump_str(v)
+        # In the toml library there is a magic replace for \\\\x -> u00 that we wish to avoid until #4979 is resolved
+        # Also addresses an issue where backslashes in certain strings are not properly escaped in self._old_dump_str(v)
+        return json.dumps(v)
 
     def _dump_flat_list(self, v: Iterable[Any]) -> str:
         """A slightly tweaked version of original dump_list, removing trailing commas."""
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.3.24"
+version = "1.3.25"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,14 @@`
`48`	`48`	`]`
`49`	`49`	`}`
`50`	`50`	`},`
	`51`	`+ {`
	`52`	`+ "metadata": {`
	`53`	`+ "field": "value"`
	`54`	`+ },`
	`55`	`+ "rule": {`
	`56`	`+ "path": "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"`
	`57`	`+ }`
	`58`	`+ },`
`51`	`59`	`{`
`52`	`60`	`"metadata": {`
`53`	`61`	`"field": "value"`