Issue with ParseJsonToObject causing agent (0.73.3) crashes on Linux #4023

Open
chaoticmachinery opened this issue Jan 21, 2025 · 2 comments

Comments

@chaoticmachinery

Hello,

We are seeing 0.73.3 Linux agent crashes when parsing returned JSON data. The hunt that was used worked fine in agent version 0.72.4 and returns data.

Below is the error message from the client when it crashes.

panic: runtime error: index out of range [0] with length 0

goroutine 292 [running]:
www.velocidex.com/golang/velociraptor/utils.ParseJsonToObject({0x3e00120?, 0x0?, 0x0?})
        /home/runner/work/velociraptor/velociraptor/utils/json.go:17 +0x105
www.velocidex.com/golang/velociraptor/vql/parsers.ParseJsonFunction.Call({}, {0x28bf040, 0xc002230f50}, {0x28e3310, 0xc000dfa0c0}, 0xc001e06100)
        /home/runner/work/velociraptor/velociraptor/vql/parsers/json.go:76 +0x19c
www.velocidex.com/golang/vfilter.(*_SymbolRef).callFunction(0xc001756d00, {0x28bf040, 0xc002230f50}, {0x28e3310, 0xc000dfa0c0}, {0x28b2110, 0x3e00120})
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1776 +0x5a8
www.velocidex.com/golang/vfilter.(*_SymbolRef).Reduce(0xc001756d00, {0x28bf040, 0xc002230f50}, {0x28e3310, 0xc000dfa0c0})
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1623 +0x52e
www.velocidex.com/golang/vfilter.(*_Value).Reduce(0xc001756d80, {0x28bf040, 0xc002230f50}, {0x28e3310, 0xc000dfa0c0})
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1503 +0x13f
www.velocidex.com/golang/vfilter.(*_MemberExpression).Reduce(0xc001ca7140, {0x28bf040, 0xc002230f50}, {0x28e3310, 0xc000dfa0c0})
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1182 +0x45
www.velocidex.com/golang/vfilter.(*_MultiplicationExpression).Reduce(0xc001ca7180, {0x28bf040, 0xc002230f50}, {0x28e3310, 0xc000dfa0c0})
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1439 +0x3d
www.velocidex.com/golang/vfilter.(*_AdditionExpression).Reduce(0xc001ca71c0, {0x28bf040, 0xc002230f50}, {0x28e3310, 0xc000dfa0c0})
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1354 +0x3d
www.velocidex.com/golang/vfilter.(*_ConditionOperand).Reduce(0xc001e24630, {0x28bf040, 0xc002230f50}, {0x28e3310, 0xc000dfa0c0})
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1392 +0x5a
www.velocidex.com/golang/vfilter.(*_OrExpression).Reduce(0xc001ca7200, {0x28bf040, 0xc002230f50}, {0x28e3310, 0xc000dfa0c0})
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1316 +0x45
www.velocidex.com/golang/vfilter.(*_AndExpression).Reduce(0xc001ca7240, {0x28bf040, 0xc002230f50}, {0x28e3310, 0xc000dfa0c0})
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1276 +0x45
www.velocidex.com/golang/vfilter.(*_AliasedExpression).Reduce(0x40?, {0x28bf040?, 0xc002230f50?}, {0x28e3310?, 0xc000dfa0c0?})
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:712 +0x90
www.velocidex.com/golang/vfilter.(*_SelectExpression).Transform.func2({0x28bf040, 0xc002230f50}, {0xc000a92278?, 0x6?})
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:970 +0x55
www.velocidex.com/golang/vfilter.MaterializedLazyRow({0x28bf040, 0xc002230f50}, {0x21c08a0?, 0xc000470000}, {0x28e3310, 0xc000dfa000})
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/lazy.go:108 +0x1c7
www.velocidex.com/golang/vfilter.(*_Select).processSingleRow(0xc0017389c0, {0x28bf040, 0xc002230f50}, {0x28e3310, 0xc001347680}, {0x1f75380, 0xc001e254a0}, 0xc00080bdc0)
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:588 +0x145
www.velocidex.com/golang/vfilter.(*_Select).Eval.func3()
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:570 +0x13b
created by www.velocidex.com/golang/vfilter.(*_Select).Eval in goroutine 291
        /home/runner/go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:553 +0x295

Below is the hunt that was run to cause the agent to crash:

name: GPS.Linux.Applications.Docker.RunningProcesses
author: Keven Murphy
description: |
  Get Dockers running process for each container thru commandline.

  Date: 12/07/23

parameters:
  - name: CommandContainer
    default: "docker container ls -a --no-trunc --format='{{json . }}' 2>/dev/null "
  - name: CommandDockerTop
    default: "docker top "
  - name: TopOptions
    default: " -ef "
  - name: ConvertPSOutput
    default: ' '
sources:
  - precondition: |
      SELECT OS From info() where OS = 'linux'
    query: |
      //| awk NF=NF OFS='',''  2>/dev/null
      LET currenttime = now()
      LET containerdata <= SELECT parse_json(data=Stdout) as CDJSON FROM execve(argv=["/bin/bash", "-c", CommandContainer],sep='\n')

      LET containertop <= SELECT
           *
        FROM foreach(
          row={SELECT CDJSON.ID as ContID FROM containerdata},
          query={
            SELECT *,ContID FROM execve(argv=["/bin/bash", "-c", CommandDockerTop+" "+ContID+" "+TopOptions+" "+ConvertPSOutput],sep='\n') WHERE Stdout != ""
      })
      LET cpipe <= pipe(query={SELECT * FROM containertop})

      SELECT
         *,
         timestamp(epoch=currenttime) As ClientRunTime
      //Working
      FROM containertop
      where ContID!=null

@scudette
Contributor

This issue was recently fixed here 0f93a9c

It happens because parse_json() received an empty string.

As a workaround you can use something like this parse_json(data=Stdout || '{}')
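
The failure mode named in this thread, a parser that reads the first byte of an empty input, shown next to a length check and a recover() boundary that keeps one bad row from killing the process. This is an added Go example, not Velociraptor's code and not part of the original issue; `parseUnchecked`, `parseChecked`, `safeCall` and the sample rows are hypothetical and constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

var errEmpty, errNotObject = errors.New("empty input"), errors.New("not a JSON object")

// parseUnchecked (hypothetical) sniffs the first byte before decoding.
// With zero-length input data[0] panics: index out of range [0] with length 0.
func parseUnchecked(data []byte) (v interface{}, err error) {
	if data[0] != '{' {
		return nil, errNotObject
	}
	err = json.Unmarshal(data, &v)
	return v, err
}

// parseChecked (hypothetical) rejects empty or whitespace-only input first.
func parseChecked(data []byte) (interface{}, error) {
	if data = bytes.TrimSpace(data); len(data) == 0 {
		return nil, errEmpty
	}
	return parseUnchecked(data) // data[0] is now safe to read
}

// safeCall is defence in depth at the call boundary: a panic inside one
// function call becomes an error for that row instead of a process crash.
func safeCall(fn func([]byte) (interface{}, error), data []byte) (v interface{}, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	return fn(data)
}

func main() {
	// Constructed rows: one JSON line, and the empty Stdout that triggers the bug.
	rows := []string{`{"ID":"abc123","Names":"web"}`, ""}
	for _, r := range rows {
		_, e1 := safeCall(parseUnchecked, []byte(r))
		_, e2 := parseChecked([]byte(r))
		fmt.Printf("%q unchecked=%v checked=%v\n", r, e1, e2)
	}
}
```

Unlike the `Stdout || '{}'` workaround, which substitutes an empty object, `parseChecked` reports the empty row as an error so the caller can decide whether to skip or log it.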

@chaoticmachinery
Author

Thank you I will give that a try.
