Merge pull request #1262 from Yamato-Security/1253-remove-new-line-ch…

…aracters-in-search-output removed new line characters in search output
Yamato-Security · Feb 2, 2024 · e052fc5 · e052fc5
2 parents b138609 + c6b3378
commit e052fc5
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 6 deletions.
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
@@ -16,7 +16,7 @@
 
 **バグ修正:**
 
-- XXX
+- `search`コマンドの出力に入っている不要な改行文字を削除した。 (#1253) (@hitenkoku)
 
 **その他:**
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,7 +16,7 @@
 
 **Bug Fixes:**
 
-- XXX
+- Removed newline characters in `search` command output. (#1253) (@hitenkoku)
 
 **Other:**
 

diff --git a/src/detections/configs.rs b/src/detections/configs.rs
@@ -35,6 +35,10 @@ lazy_static! {
         Regex::new(r"^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$").unwrap();
     pub static ref CONTROL_CHAT_REPLACE_MAP: HashMap<char, CompactString> =
         create_control_chat_replace_map();
+    pub static ref ALLFIELDINFO_SPECIAL_CHARS: AhoCorasick = AhoCorasickBuilder::new()
+        .match_kind(MatchKind::LeftmostLongest)
+        .build(["🛂r", "🛂n", "🛂t"])
+        .unwrap();
 }
 
 pub struct ConfigReader {

diff --git a/src/timeline/search.rs b/src/timeline/search.rs
@@ -1,4 +1,4 @@
-use crate::detections::configs::OutputOption;
+use crate::detections::configs::{OutputOption, ALLFIELDINFO_SPECIAL_CHARS};
 use crate::detections::field_data_map::FieldDataMapKey;
 use crate::detections::message;
 use crate::detections::utils::format_time;
@@ -180,14 +180,18 @@ impl EventSearch {
             if search_condition(keywords) {
                 let (timestamp, hostname, channel, eventid, recordid, allfieldinfo) =
                     extract_search_event_info(record, eventkey_alias, output_option);
-
+                let allfieldinfo_newline_splited = ALLFIELDINFO_SPECIAL_CHARS
+                    .replace_all(&allfieldinfo, &["🦅", "🦅", "🦅"])
+                    .split('🦅')
+                    .filter(|x| !x.is_empty())
+                    .join(" ");
                 self.search_result.insert((
                     timestamp,
                     hostname,
                     channel,
                     eventid,
                     recordid,
-                    allfieldinfo,
+                    allfieldinfo_newline_splited.into(),
                     self.filepath.clone(),
                 ));
             }
@@ -222,13 +226,18 @@ impl EventSearch {
             if re.is_match(&record.data_string) {
                 let (timestamp, hostname, channel, eventid, recordid, allfieldinfo) =
                     extract_search_event_info(record, eventkey_alias, output_option);
+                let allfieldinfo_newline_splited = ALLFIELDINFO_SPECIAL_CHARS
+                    .replace_all(&allfieldinfo, &["🦅", "🦅", "🦅"])
+                    .split('🦅')
+                    .filter(|x| !x.is_empty())
+                    .join(" ");
                 self.search_result.insert((
                     timestamp,
                     hostname,
                     channel,
                     eventid,
                     recordid,
-                    allfieldinfo,
+                    allfieldinfo_newline_splited.into(),
                     self.filepath.clone(),
                 ));
             }
-Original file line number
+Diff line change
@@ Expand Up / @@ -16,7 +16,7 @@ @@
     **バグ修正:**
-    - XXX
+    - `search`コマンドの出力に入っている不要な改行文字を削除した。 (#1253) (@hitenkoku)
     **その他:**
@@ Expand Down @@