EQL: Forbid usage of ['] for string literals (#62458) (#62496)

The usage of single quotes to wrap a string literal is forbidden and an error encouraging the user to user double quotes is returned. Tests are properly adjusted. Relates to #61659 (cherry picked from commit 8be400b)
elastic · Sep 17, 2020 · abce048 · abce048
1 parent 11cef15
commit abce048
Show file tree

Hide file tree

Showing 19 changed files with 327 additions and 325 deletions.
diff --git a/...in/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/RestEqlUsageTestCase.java b/...in/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/RestEqlUsageTestCase.java
@@ -181,7 +181,7 @@ public void testEqlRestUsage() throws IOException {
                 "  [process where serial_event_id < 4] by exit_code" + 
                 "  [process where opcode == 1] by user" + 
                 "  [process where opcode == 2] by user" + 
-                "  [file where parent_process_name == 'file_delete_event'] by exit_code" +
+                "  [file where parent_process_name == \\\"file_delete_event\\\"] by exit_code" +
                 " until [process where opcode=1] by ppid" + 
                 " | head 4" + 
                 " | tail 2");
@@ -220,7 +220,7 @@ public void testEqlRestUsage() throws IOException {
             runEql("sequence by user, ppid, exit_code with maxspan=1m" + 
                 "  [process where serial_event_id < 4]" + 
                 "  [process where opcode == 1]" + 
-                "  [file where parent_process_name == 'file_delete_event']" +
+                "  [file where parent_process_name == \\\"file_delete_event\\\"]" +
                 "  [process where serial_event_id < 4]" + 
                 "  [process where opcode == 1]" + 
                 "| tail 4");

diff --git a/x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml b/x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml
@@ -62,7 +62,7 @@ network where cidrMatch(source_address, "0.0.0.0/0") == true
 name = "concatEquals1"
 description = "test string concatenation. update test to avoid case-sensitivity issues"
 query = '''
-process where concat(serial_event_id, '::', process_name, '::', opcode) == '5::wininit.exe::3'
+process where concat(serial_event_id, "::", process_name, "::", opcode) == "5::wininit.exe::3"
 '''
 expected_event_ids  = [5]
 
@@ -138,24 +138,24 @@ expected_event_ids  = [98]
 notes = "regexp doesn't support character classes"
 query = '''
 //
-//                                ?'.*?net1\s+localgroup.*?')
-process where match(command_line, ?'.*?net1[ ]+localgroup.*?')
+//                                ?".*?net1\s+localgroup.*?")
+process where match(command_line, ?".*?net1[ ]+localgroup.*?")
 '''
 
 [[queries]]
 name = "matchLiteAdditional"
 expected_event_ids  = [98]
 query = '''
-process where matchLite(command_line, ?'.*?net1.*?')
+process where matchLite(command_line, ?".*?net1.*?")
 '''
 
 [[queries]]
 name = "matchWithCharacterClasses2"
 expected_event_ids  = [98]
 notes = "regexp doesn't support predefined character classes (like \\s)"
 query = '''
-//                                ?'.*?net1\s+\w{4,15}\s+.*?'
-process where match(command_line, ?'.*?net1[ ]+[a-z]{4,15}[ ]+.*?')
+//                                ?".*?net1\s+\w{4,15}\s+.*?"
+process where match(command_line, ?".*?net1[ ]+[a-z]{4,15}[ ]+.*?")
 '''
 
 
@@ -164,14 +164,14 @@ process where match(command_line, ?'.*?net1[ ]+[a-z]{4,15}[ ]+.*?')
 name = "multiPatternMatch"
 expected_event_ids  = [50, 97, 98]
 query = '''
-process where match(command_line, '.*?net[1]?  localgroup.*?', '.*? myappserver.py .*?')
+process where match(command_line, ".*?net[1]?  localgroup.*?", ".*? myappserver.py .*?")
 '''
 
 [[queries]]
 name = "matchWithSubstring"
 expected_event_ids  = [50, 98]
 query = '''
-process where match(substring(command_line, 5), '.*?net[1]?  localgroup.*?', '.*? myappserver.py .*?')
+process where match(substring(command_line, 5), ".*?net[1]?  localgroup.*?", ".*? myappserver.py .*?")
 '''
 
 [[queries]]