Fixes issues with escaping characters in CEF parsing

.gitignore

@@ -1,2 +1,3 @@
 npm-debug.log
 node_modules
+.vscode/*

LICENSE

@@ -1,6 +1,6 @@
 (The MIT License)
 
-Copyright (c) 2017 David Gómez Matarrodona <solzimer@gmail.com>
+Copyright (c) 2021 Joseph Hanvy <hanvyj@hotmail.com>
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

README.md

@@ -1,5 +1,5 @@
 # nsyslog-parser
-[![](https://data.jsdelivr.com/v1/package/npm/nsyslog-parser/badge?style=rounded)](https://www.jsdelivr.com/package/npm/nsyslog-parser)
+This project was forked from the David Gómez Matarrodona's nsyslog-parser: [![](https://data.jsdelivr.com/v1/package/npm/nsyslog-parser/badge?style=rounded)](https://www.jsdelivr.com/package/npm/nsyslog-parser)
 
 Syslog Parser. Accepts [RFC 3164 (BSD)](https://tools.ietf.org/search/rfc3164), [RFC 5424](https://tools.ietf.org/html/rfc5424) and [CEF Common Event Format](https://community.saas.hpe.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306) formats.
 Although thought as a parser for stantard syslog messages, there are too many systems/devices out there that sends erroneous, propietary or simply malformed messages. **nsyslog-parser** is flexible enough to try and parse every single message to extract as many information as possible, without throwing any errors.

cef.js

@@ -32,9 +32,8 @@ function splitHeaders(text) {
 					fields--;
 				}
 			}
-			else if(ch=="\\") {
-				curr += ch;
-				scape = !scape;
+			else if(ch=="\\" && !scape) {
+				scape = true;
 			}
 			else {
 				scape = false;
@@ -51,32 +50,61 @@ function splitHeaders(text) {
 }
 
 function splitFields(msg) {
-	let tokens = msg.split(" ");
-	let map = {};
+	var map = {};
+	var scape = false;
+	var key = "";
+	var nextKey = "";
+	var curr = "";
 
-	let token = null;
-	while(tokens.length) {
-		if(!token) {
-			token = tokens.shift();
-			if(token.indexOf('=')>=0) {
-				let kv = token.split("=");
-				token = kv[0];
-				map[token] = kv[1];
+	msg.split("").forEach(ch=>{
+		if(ch=="=") {
+			if(scape ||
+				// false positive where our "=" has not been preceded by a space, this is likely meant to be escaped = (unless this is the first key)
+				(nextKey === curr) && Object.keys(map).length > 0) {
+				// Escape this = and treat it like any other character
+				scape = false;
+				curr += ch;
+				nextKey += ch;
 			}
 			else {
-				map[token] = "";
+				// The equals isn't escaped, so add the previous key value to the map
+				if (key) {
+					map[key] = curr.slice(0, curr.length - nextKey.length - 1);
+				}
+				// Now prepare for the next key value
+				key = nextKey;
+				curr = "";
+				nextKey = "";
 			}
 		}
+		else if(ch=="\\" && !scape) {
+			// This is the escape character, so flag the next character to be escaped
+			scape = true;
+		}
+		else if(ch==" ") {
+			scape = false;
+			curr += ch;
+			// reset the next possible key as we've seen a space
+			nextKey = "";
+		}
+		else if(ch=="n" && scape) {
+			scape = false;
+			curr += "\n";
+		}
+		else if(ch=="r" && scape) {
+			scape = false;
+			curr += "\n";
+		}
 		else {
-			let val = tokens.shift();
-			if(val.indexOf('=')<0) {
-				map[token] += ` ${val}`;
-			}
-			else {
-				token = null;
-				tokens.unshift(val);
-			}
+			scape = false;
+			// add the character to the possible key and current value
+			curr += ch;
+			nextKey += ch;
 		}
+	});
+
+	if(key && curr) {
+		map[key] = curr;
 	}
 
 	return map;