cmd/crowdsec: assign overflow after parsing (#4225)

mmetc · web-flow · commit eacc81922833 · 2026-01-23T10:36:06.000+01:00
diff --git a/cmd/crowdsec/output.go b/cmd/crowdsec/output.go
@@ -105,9 +105,8 @@ func runOutput(
 			}
 			return nil
 		case event := <-overflow:
-			ov := event.Overflow
 			// if alert is empty and mapKey is present, the overflow is just to cleanup bucket
-			if ov.Alert == nil && ov.Mapkey != "" {
+			if event.Overflow.Alert == nil && event.Overflow.Mapkey != "" {
 				buckets.Bucket_map.Delete(event.Overflow.Mapkey)
 				break
 			}
@@ -118,6 +117,7 @@ func runOutput(
 				return fmt.Errorf("postoverflow failed: %w", err)
 			}
 
+			ov := event.Overflow
 			log.Info(*ov.Alert.Message)
 
 			// if the Alert is nil, it's to signal bucket is ready for GC, don't track this
diff --git a/test/bats/41-postoverflows.bats b/test/bats/41-postoverflows.bats
@@ -0,0 +1,60 @@
+#!/usr/bin/env bats
+
+set -u
+
+fake_log() {
+    for _ in $(seq 1 6); do
+        echo "$(LC_ALL=C date '+%b %d %H:%M:%S ')"'sd-126005 sshd[12422]: Invalid user netflix from 1.1.1.172 port 35424'
+    done
+}
+
+setup_file() {
+    load "../lib/setup_file.sh"
+    # we reset config and data, and only run the daemon once for all the tests in this file
+    ./instance-data load
+
+    cscli collections install crowdsecurity/sshd --error >/dev/null
+    cscli parsers install crowdsecurity/syslog-logs --error >/dev/null
+    cscli parsers install crowdsecurity/dateparse-enrich --error >/dev/null
+
+    ./instance-crowdsec start
+}
+
+teardown_file() {
+    load "../lib/teardown_file.sh"
+}
+
+setup() {
+    load "../lib/setup.sh"
+}
+
+#----------
+
+@test "apply postoverflow" {
+    CONFIG_DIR=$(dirname "$CONFIG_YAML")
+    mkdir -p "$CONFIG_DIR"/postoverflows/s01-whitelist
+    cat > "$CONFIG_DIR"/postoverflows/s01-whitelist/po-test.yaml <<-EOT
+	name: crowdsecurity/po-test
+	description: "foo"
+	whitelist:
+	  reason: "foo"
+	  expression: 
+	    - "evt.Overflow.Alert.Source.IP == '1.1.1.172'"
+	EOT
+
+    rune -0 "$CROWDSEC" -dsn file://<(fake_log) -type syslog -no-api
+    refute_output
+    assert_stderr --regexp "Adding file .* to filelist"
+    assert_stderr --regexp "reading .* at once"
+    assert_stderr --partial "Ban for 1.1.1.172 whitelisted"
+    assert_stderr --regexp "Acquisition is finished, shutting down"
+    assert_stderr --regexp "Killing parser routines"
+    assert_stderr --regexp "Bucket routine exiting"
+    assert_stderr --regexp "crowdsec shutdown"
+}
+
+@test "we have no decision" {
+    rune -0 cscli decisions list -o json
+    rune -0 jq '. | length' <(output)
+    assert_output 0
+}

Original file line number	Diff line number	Diff line change
`@@ -105,9 +105,8 @@ func runOutput(`
`105`	`105`	`}`
`106`	`106`	`return nil`
`107`	`107`	`case event := <-overflow:`
`108`		`- ov := event.Overflow`
`109`	`108`	`// if alert is empty and mapKey is present, the overflow is just to cleanup bucket`
`110`		`- if ov.Alert == nil && ov.Mapkey != "" {`
	`109`	`+ if event.Overflow.Alert == nil && event.Overflow.Mapkey != "" {`
`111`	`110`	`buckets.Bucket_map.Delete(event.Overflow.Mapkey)`
`112`	`111`	`break`
`113`	`112`	`}`
`@@ -118,6 +117,7 @@ func runOutput(`
`118`	`117`	`return fmt.Errorf("postoverflow failed: %w", err)`
`119`	`118`	`}`
`120`	`119`
	`120`	`+ ov := event.Overflow`
`121`	`121`	`log.Info(*ov.Alert.Message)`
`122`	`122`
`123`	`123`	`// if the Alert is nil, it's to signal bucket is ready for GC, don't track this`