
[BUG] Allowed to set NULL values in Alerts via API

Open wrharding opened this issue 1 year ago • 1 comments

Describe the bug

When creating a new alert via the API we are allowed to provide IOCs. When setting the IOC description field to NULL I do not get any errors from the API, nor are there web errors when viewing the IOC in the alert. The description is simply empty. However, when merging an alert that has a null description field into a case, I am experiencing a perpetual ellipsis on the IOC tab in the case view. The web console produced the following error:

common.js:103 Uncaught TypeError: Cannot read properties of null (reading 'length')
    at ellipsis_field_raw (common.js:103:14)
    at ret_obj_dt_description (common.js:83:15)
    at render (case.ioc.js:399:26)
    at datatables.min.js:17:6970
    at n.fnGetData (datatables.min.js:17:3728)
    at _ (datatables.min.js:17:6174)
    at P (datatables.min.js:17:10069)
    at D (datatables.min.js:17:5951)
    at Vt.<anonymous> (datatables.min.js:17:56611)
    at Vt.iterator (datatables.min.js:17:48247)

When viewing the network traffic in the browser, I see ioc_description: null, as opposed to ioc_description: "" on IOCs manually submitted without adding a description.

To Reproduce

Steps to reproduce the behavior:

  1. Submit an alert via the API with an IOC that has ioc_description set to null.
  2. Merge alert into a new or existing Case.
  3. View the IOC tab in the Case.
  4. A perpetual ellipsis will be shown. The UI will be broken/off-centered. After a few moments "Updates available" will be shown in the top right.

Expected behavior

Null values are handled appropriately at some point by IRIS, either by rejecting alerts with null values in required fields or translating null values to empty strings.

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser: Chrome 124.0.6367.119
  • Version: 2.3.7 (Alert submitted via API v2.0.2); 2.4.7 (Alert submission not tested on API v2.0.4)

Additional context

I am submitting alerts via the API without using the provided Python client.

wrharding, May 03 '24 16:05
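The failure mode in the report, as an added example that is not IRIS code and not the reporter's: a renderer that reads `.length` on a null cell throws the same `TypeError`, and the two handling options from "Expected behavior" (reject, or translate null to an empty string) are sketched beside a null-tolerant renderer. All function names are hypothetical, `ioc_value` and the sample rows are constructed, and only the `ioc_description` key is taken from the report.

```javascript
// Added example. Function names are hypothetical, not IRIS source code.

// Renderer that assumes the cell is always a string: null throws on `.length`.
function ellipsisUnsafe(value, maxLen) {
  return value.length > maxLen ? value.slice(0, maxLen) + "..." : value;
}

// Renderer that tolerates null/undefined (shown as empty) and non-string values.
function ellipsisSafe(value, maxLen) {
  const text = value === null || value === undefined ? "" : String(value);
  return text.length > maxLen ? text.slice(0, maxLen) + "..." : text;
}

// Ingest-side check covering both outcomes the report asks for:
// mode "coerce" turns a missing/null field into "", mode "reject" reports it.
// Values of any other non-string type are always reported.
function checkIocs(iocs, { mode = "coerce", fields = ["ioc_description"] } = {}) {
  const errors = [];
  const cleaned = iocs.map((ioc, idx) => {
    const copy = { ...ioc }; // never mutate the caller's objects
    for (const field of fields) {
      const value = copy[field];
      if (typeof value === "string") continue;
      const missing = value === null || value === undefined;
      if (missing && mode === "coerce") {
        copy[field] = "";
      } else {
        const got = missing ? String(value) : typeof value;
        errors.push(`iocs[${idx}].${field} must be a string, got ${got}`);
      }
    }
    return copy;
  });
  return { ok: errors.length === 0, errors, iocs: cleaned };
}

// Constructed sample rows; only the ioc_description key comes from the report.
const SAMPLE_IOCS = [
  { ioc_value: "198.51.100.7", ioc_description: null },
  { ioc_value: "example.test", ioc_description: "" },
  { ioc_value: "bad.example", ioc_description: "C2 domain seen in proxy logs" },
];

// Render every description, recording the exception name where a renderer throws.
function renderAll(rows, render, maxLen = 10) {
  return rows.map((row) => {
    try { return render(row.ioc_description, maxLen); } catch (e) { return e.name; }
  });
}
```

Handling the value in both places matters for a case-management tool: validation at ingest keeps new records clean, while the tolerant renderer keeps the IOC tab usable for rows that were stored before validation existed.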

Discord discussion context:

https://discord.com/channels/922879298786975774/1086175654799745065/1235972930706604084

wrharding, May 03 '24 16:05