Do not allow escaped pipe in extensions

bhapas · bhapas · commit 10fc6ec1570a · 2025-04-02T15:12:11.000+02:00
diff --git a/modules/ingest-common/src/main/java/org/elasticsearch/ingest/common/CefParser.java b/modules/ingest-common/src/main/java/org/elasticsearch/ingest/common/CefParser.java
@@ -60,7 +60,7 @@ final class CefParser {
     // New patterns for extension parsing
     private static final String EXTENSION_KEY_PATTERN = "(?:[\\w-]+(?:\\.[^\\.=\\s\\|\\\\\\[\\]]+)*(?:\\[[0-9]+\\])?(?==))";
     private static final Pattern EXTENSION_KEY_ARRAY_CAPTURE = Pattern.compile("^([^\\[\\]]+)((?:\\[[0-9]+\\])+)$");
-    private static final String EXTENSION_VALUE_PATTERN = "(?:\\S|\\s(?!" + EXTENSION_KEY_PATTERN + "=))*";
+    private static final String EXTENSION_VALUE_PATTERN = "(?:[^\\s\\\\]|\\\\[^|]|\\s(?!" + EXTENSION_KEY_PATTERN + "=))*";
     private static final Pattern EXTENSION_NEXT_KEY_VALUE_PATTERN = Pattern.compile(
         "(" + EXTENSION_KEY_PATTERN + ")=(" + EXTENSION_VALUE_PATTERN + ")(?:\\s+|$)"
     );
diff --git a/modules/ingest-common/src/test/java/org/elasticsearch/ingest/common/CefProcessorTests.java b/modules/ingest-common/src/test/java/org/elasticsearch/ingest/common/CefProcessorTests.java
@@ -282,24 +282,7 @@ public void testEscapedPipeInExtension() {
         source.put("message", message);
         document = new IngestDocument("index", "id", 1L, null, null, source);
         CefProcessor processor = new CefProcessor("tag", "description", "message", "cef", false, true, null);
-        processor.execute(document);
-
-        Map<String, Object> expectedMap = Map.ofEntries(
-            entry(
-                "cef",
-                Map.ofEntries(
-                    entry("version", "0"),
-                    entry("device", Map.of("vendor", "security", "product", "threatmanager", "version", "1.0", "event_class_id", "100")),
-                    entry("name", "trojan successfully stopped"),
-                    entry("severity", "10"),
-                    entry("extensions", Map.of("moo", "this\\|has an escaped pipe"))
-                )
-            ),
-            entry("event", Map.of("code", "100")),
-            entry("observer", Map.of("product", "threatmanager", "vendor", "security", "version", "1.0")),
-            entry("message", message)
-        );
-        assertThat(document.getSource(), equalTo(expectedMap));
+        expectThrows(IllegalArgumentException.class, () -> processor.execute(document));
     }
 
     public void testPipeInMessage() {
