Prevent mutable script params reference from leaking into pipeline (#…

…23534) A reference to a list contained in the `script` processor's `params` was leaking into the rest of the pipeline and then being modified by later processors. Now a copy of the List is written into the event. For concurrent processing this resulted in `ConcurrentModificationException`s, but I assume it led to incorrect `event.type` values in single worker deployments because the `params` object was modified.
elastic · Jan 15, 2021 · c5e2cb3 · c5e2cb3
1 parent 8d2c723
commit c5e2cb3
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -366,6 +366,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add support for organization and custom prefix in AWS/CloudTrail fileset. {issue}23109[23109] {pull}23126[23126]
 - Simplify regex for organization custom prefix in AWS/CloudTrail fileset. {issue}23203[23203] {pull}23204[23204]
 - Fix syslog header parsing in infoblox module. {issue}23272[23272] {pull}23273[23273]
+- Fix concurrent modification exception in Suricata ingest node pipeline. {pull}23534[23534]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
@@ -96,6 +96,8 @@ processors:
                 } else {
                     ctx.network.protocol = v;
                 }
+            } else if (v instanceof List) {
+                ctx.event[k] = new ArrayList(v);
             } else {
                 ctx.event[k] = v;
             }