Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid distinct expression leads to crash at runtime #3351

Open
buixor opened this issue Dec 2, 2024 · 1 comment
Open

Invalid distinct expression leads to crash at runtime #3351

buixor opened this issue Dec 2, 2024 · 1 comment
Assignees
@mmetc
Labels
kind/bug Something isn't working needs/triage os/linux
Milestone
1.6.5

Comments

@buixor
Copy link
Contributor

buixor commented Dec 2, 2024

What happened?

Creating a scenario with an invalid distinct (invalid as in invalid expr expression) results to a runtime crash. The crash seems to happen when the bucket is poured/instantiated for the first time.

What did you expect to happen?

No crash

How can we reproduce it (as minimally and precisely as possible)?

Having a scenario such as:

type: leaky
format: 3.0
debug: true
name: crowdsecurity/appsec-outofband-ban-HEADER-VALUE
description: "Ban IPs repeateadly triggering out of band rules"
filter: "evt.Meta.log_type == 'appsec-info' && evt.Meta.rule_name == 'crowdsecurity/foobar-access'"
distinct: foobar == something
#distinct: req.Header.Get('something')
leakspeed: "60s"
capacity: 1
groupby: evt.Meta.source_ip
blackhole: 1m

(notice the invalid distinct expr)

Leads to a crash at runtime (when event is poured to bucket) :

DEBU[2024-12-02T15:47:05+01:00] Creating Live bucket                          cfg=red-field name=crowdsecurity/appsec-outofband-ban-HEADER-VALUE
ERRO[2024-12-02T15:47:05+01:00] crowdsec - goroutine crowdsec/LeakRoutine/crowdsecurity/appsec-outofband-ban-HEADER-VALUE crashed: runtime error: invalid memory address or nil pointer dereference 
ERRO[2024-12-02T15:47:05+01:00] please report this error to https://github.com/crowdsecurity/crowdsec/issues 
DEBU[2024-12-02T15:47:05+01:00] Created new bucket 1823a94770a3ab5ec73dd6800337a84dabaccfd1  cfg=red-field name=crowdsecurity/appsec-outofband-ban-HEADER-VALUE
ERRO[2024-12-02T15:47:05+01:00] stacktrace/report is written to ...crowdsec/crowdsec-v1.6.4-rc4-2-gbbe77529/tests/data/trace/crowdsec-crash.1373402735.txt: please join it to your issue 
FATA[2024-12-02T15:47:05+01:00] crowdsec stopped

Trace being:

error: runtime error: invalid memory address or nil pointer dereference
version: v1.6.4-rc4-2-gbbe77529
BuildDate: 2024-11-29_16:55:04
GoVersion: 1.23.3
Platform: linux
goroutine 294 [running]:
runtime/debug.Stack()
	runtime/debug/stack.go:26 +0x5e
github.com/crowdsecurity/go-cs-lib/trace.(*traceKeeper).writeStackTrace(0x347d900, {0x1d83ec0, 0x345b780})
	github.com/crowdsecurity/[email protected]/trace/trace.go:152 +0x16e
github.com/crowdsecurity/go-cs-lib/trace.(*traceKeeper).catchPanic(0x347d900, {0xc00004e0a0, 0x44})
	github.com/crowdsecurity/[email protected]/trace/trace.go:168 +0x134
github.com/crowdsecurity/go-cs-lib/trace.CatchPanic(...)
	github.com/crowdsecurity/[email protected]/trace/trace.go:37
panic({0x1d83ec0?, 0x345b780?})
	runtime/panic.go:785 +0x132
github.com/crowdsecurity/crowdsec/pkg/leakybucket.(*Uniq).OnBucketInit(0xc001584b28, 0xc000910288)
	github.com/crowdsecurity/crowdsec/pkg/leakybucket/uniq.go:78 +0x379
github.com/crowdsecurity/crowdsec/pkg/leakybucket.LeakRoutine(0xc000bd8000)
	github.com/crowdsecurity/crowdsec/pkg/leakybucket/bucket.go:233 +0x5e5
github.com/crowdsecurity/crowdsec/pkg/leakybucket.LoadOrStoreBucketFromHolder.func1()
	github.com/crowdsecurity/crowdsec/pkg/leakybucket/manager_run.go:269 +0x17
gopkg.in/tomb%2ev2.(*Tomb).run(0x3532ea0, 0xc000e24870?)
	gopkg.in/[email protected]/tomb.go:163 +0x2b
created by gopkg.in/tomb%2ev2.(*Tomb).Go in goroutine 12
	gopkg.in/[email protected]/tomb.go:159 +0xdb

Anything else we need to know?

N/A

Crowdsec version

$ cscli version
# paste output here

OS version

# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Enabled collections and parsers

$ cscli hub list -o raw
# paste output here

Acquisition config

```console # On Linux: $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/* # paste output here

On Windows:

C:> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml

paste output here

Config show

$ cscli config show
# paste output here

Prometheus metrics

$ cscli metrics
# paste output here

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
@buixor buixor added the kind/bug Something isn't working label Dec 2, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 2, 2024

@buixor: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@buixor buixor added this to the 1.6.5 milestone Dec 3, 2024
@mmetc mmetc self-assigned this Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mmetc mmetc

Labels
kind/bug Something isn't working needs/triage os/linux
Projects
None yet
Milestone
1.6.5
Development

No branches or pull requests
2 participants
@buixor @mmetc