Make it possible to disallow slow queries (or warn user about the problem) #315
@@ -326,7 +326,7 @@ def query( | |
) | ||
|
||
if not rules: | ||
raise HTTPException(status_code=400, detail=f"No rule was specified.") | ||
raise HTTPException(status_code=400, detail="No rule was specified.") | ||
|
||
if data.method == RequestQueryMethod.parse: | ||
return [ | ||
|
@@ -335,11 +335,34 @@ def query( | |
rule_author=rule.author, | ||
is_global=rule.is_global, | ||
is_private=rule.is_private, | ||
is_degenerate=rule.parse().is_degenerate, | ||
parsed=rule.parse().query, | ||
) | ||
for rule in rules | ||
] | ||
|
||
degenerate_rules = [r.name for r in rules if r.parse().is_degenerate] | ||
allow_slow = db.get_mquery_config_key("query_allow_slow") == "true" | ||
|
||
if degenerate_rules and not (allow_slow and data.force_slow_queries): | ||
if allow_slow: | ||
# Warning: "You can force a slow query" literal is used to | ||
# pattern match on the error message in the frontend. | ||
help_message = "You can force a slow query if you want." | ||
else: | ||
help_message = "This is not allowed by this server." | ||
degenerate_rule_names = ", ".join(degenerate_rules) | ||
doc_url = "https://cert-polska.github.io/mquery/docs/yara.html" | ||
raise HTTPException( | ||
status_code=400, | ||
detail=( | ||
"Invalid query. Some of the rules require a full Yara scan of" | ||
"every indexed file. " | ||
f"{help_message} " | ||
f"Slow rules: {degenerate_rule_names}. " | ||
f"Read {doc_url} for more details." | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. link is not clickable, I guess it should :) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not possible with an error message (without severe hacks, like putting HTML code into a Python exception, or - even worse - parsing the error message on the frontend). I guess I'll do it the harder way, and put the related alert logic into the frontend. This will require some changes, so I'll address this a bit later (in this PR). |
||
), | ||
) | ||
|
||
active_agents = db.get_active_agents() | ||
|
||
for agent, agent_spec in active_agents.items(): | ||
|
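Review bot: the two adjacent literals `"Invalid query. Some of the rules require a full Yara scan of"` and `"every indexed file. "` are joined by implicit string concatenation with no separating space, so the user-facing message reads "scan ofevery indexed file"; add a trailing space to the first literal. Two smaller points in the same block: the comment notes that the frontend pattern-matches on the literal "You can force a slow query", so any later rewording of `help_message` silently breaks that detection (a dedicated field or error code in the response would be more robust than matching on `detail`), and `db.get_mquery_config_key("query_allow_slow") == "true"` is a case-sensitive comparison, which at least fails closed (anything other than the exact string "true" keeps slow queries disallowed), so the accepted value is worth documenting for operators.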
We could probably call rule.parse() just once, somewhere above? In case it gets expensive in the future.

Performance hit is negligible, and even if it wasn't, it's already cached:
I worry more about readability. There's no way to assign it to a temporary variable in a list comprehension, but I can rewrite this all to an explicit for loop if you prefer 🤔 It would look like this:
I prefer the current version, but I'm not overly attached to it if you prefer this one.