Closed
Labels: Integration:crowdstrike, bug (Something isn't working, use only for issues)
Description
If crowdstrike.event.CommandLine contains two consecutive spaces, as in "here are two spaces-> <-." in the following PoC, the script processor fails partway through with an UnsupportedOperationException.
POST /_ingest/pipeline/_simulate
{
"pipeline": {
"processors": [
{
"script": {
"lang": "painless",
"source": """
// https://github.com/elastic/integrations/blob/main/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml#L303-L321
def commandLine = ctx?.crowdstrike?.event?.CommandLine;
if (commandLine != null) {
commandLine = commandLine.trim();
if (commandLine != "") {
def args = Arrays.asList(/ /.split(commandLine));
args.removeIf(arg -> arg == "");
ctx.process = [
'command_line': commandLine,
'args': args,
'executable': args.get(0)
]
}
}
"""
}
}
]
},
"docs": [
{
"_source": {
"crowdstrike": {
"event": {
"CommandLine": "here are two spaces-> <-."
}
}
}
}
]
}
Error response:
{
"docs": [
{
"error": {
"root_cause": [
{
"type": "script_exception",
"reason": "runtime error",
"script_stack": [
"java.base/java.util.Iterator.remove(Iterator.java:102)",
"java.base/java.util.Collection.removeIf(Collection.java:577)",
"""arg -> arg == "");
""",
"^---- HERE"
],
"script": " ...",
"lang": "painless",
"position": {
"offset": 435,
"start": 435,
"end": 468
}
}
],
"type": "script_exception",
"reason": "runtime error",
"script_stack": [
"java.base/java.util.Iterator.remove(Iterator.java:102)",
"java.base/java.util.Collection.removeIf(Collection.java:577)",
"""arg -> arg == "");
""",
"^---- HERE"
],
"script": " ...",
"lang": "painless",
"position": {
"offset": 435,
"start": 435,
"end": 468
},
"caused_by": {
"type": "unsupported_operation_exception",
"reason": "remove"
}
}
}
]
}
A quick fix would be something like this.
15c15
< def args = Arrays.asList(/ /.split(commandLine));
---
> def args = new ArrayList(Arrays.asList(/ /.split(commandLine)));
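Review bot: the one-line change is at the right place: Arrays.asList wraps the String[] from split in a fixed-size list, so the Iterator.remove that removeIf calls throws the UnsupportedOperationException("remove") shown in the error response, and copying into new ArrayList(...) gives removeIf a mutable list. Note that the failure only surfaces when there is an empty token to remove, which is why single-spaced command lines never hit it; the same fix needs to land in the pipeline's default.yml at the lines linked in the PoC, not just in the simulate request. A lighter alternative is to split on a run of spaces (/ +/ instead of / /), which produces no empty tokens on an already trimmed string and makes both removeIf and the copy unnecessary.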
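The following is an added example, not code from this issue or from the elastic/integrations pipeline: it reproduces the failure in plain Java with the same collection calls the Painless script makes (Pattern.split, Arrays.asList, removeIf), runs the quick fix from the diff beside it, and adds a third variant, argsSplitOnRuns, that is an assumption of this example rather than something proposed in the issue. The sample command line is constructed to match the PoC.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not the elastic/integrations pipeline code): the Painless
// script in the issue calls into these same Java collection classes.
public class CommandLineArgs {

    // Constructed sample input with two consecutive spaces, as in the PoC.
    static final String SAMPLE = "here are two spaces-> <-.";

    // Mirrors the original pipeline logic. Arrays.asList returns a fixed-size
    // list backed by the String[]; removeIf walks it with an iterator whose
    // remove() is the default Iterator.remove, which throws
    // UnsupportedOperationException("remove") on the first empty token.
    static List<String> argsOriginal(String commandLine) {
        List<String> args = Arrays.asList(Pattern.compile(" ").split(commandLine.trim()));
        args.removeIf(arg -> arg.isEmpty());
        return args;
    }

    // The quick fix from the issue: copy the tokens into a mutable ArrayList
    // before removing the empty ones.
    static List<String> argsFixed(String commandLine) {
        List<String> args = new ArrayList<>(
                Arrays.asList(Pattern.compile(" ").split(commandLine.trim())));
        args.removeIf(arg -> arg.isEmpty());
        return args;
    }

    // Alternative (an assumption of this example, not proposed in the issue):
    // split on a run of spaces so that a trimmed string yields no empty tokens
    // and nothing has to be removed afterwards.
    static List<String> argsSplitOnRuns(String commandLine) {
        return Arrays.asList(Pattern.compile(" +").split(commandLine.trim()));
    }

    public static void main(String[] unused) {
        try {
            argsOriginal(SAMPLE);
            System.out.println("original: no exception (unexpected)");
        } catch (UnsupportedOperationException e) {
            // Matches the caused_by in the issue: type unsupported_operation_exception, reason "remove".
            System.out.println("original: UnsupportedOperationException: " + e.getMessage());
        }
        System.out.println("fixed:    " + argsFixed(SAMPLE));
        System.out.println("runs:     " + argsSplitOnRuns(SAMPLE));

        // With single spaces only, split produces no empty token, removeIf never
        // calls Iterator.remove, and the original code succeeds. This is why the
        // bug stayed hidden until a command line with consecutive spaces arrived.
        System.out.println("original on single spaces: " + argsOriginal("a b c"));
    }
}
```

Running main prints the exception message "remove" for the original variant, then [here, are, two, spaces->, <-.] for both the fixed and the split-on-runs variants, and [a, b, c] for the original variant on a single-spaced input. The last line is the practical check to keep in mind: a pipeline test with only single-spaced command lines will never exercise the removeIf branch that fails.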