fix(apps::protocols::http): handle nested JSON path in collection mode #6038

Merged
omercier merged 5 commits into develop from CTOR-865-http-collection-deep-path-tests
Mar 30, 2026

@vuntz (Member) commented Mar 12, 2026

Description

Fixes: CTOR-865

Add Robot Framework tests demonstrating that parse_structure in HTTP collection mode fails to traverse JSON paths deeper than 2 levels. The regex ^(.+?)\.(.*)$ at line 477 of collection.pm only splits on the first dot, treating the remainder as a literal key instead of recursively traversing the hash.

The test uses:

  • A Mockoon mock returning nested JSON (up to 4 levels deep)
  • A collection config parsing paths at 1, 2, 3, and 4 levels of nesting
  • A Robot Framework test verifying the deep path values are correctly extracted

These tests will fail until the fix for deep path traversal is applied, then pass after.

Type of change

  • Test (addition of tests for existing functionality)

Target series

  • 24.04.x
  • 24.10.x
  • 25.04.x
  • 25.10.x
  • master

Summary by Aikido

Security Issues: 0 🔍 Quality Issues: 1 Resolved Issues: 0

⚡ Enhancements

  • Added Robot Framework tests for deep JSON path extraction.

🐛 Bugfixes

  • Fixed deep JSON path traversal in HTTP collection mode.

📚 Documentation

  • Updated copyright year and header comments in collection.pm.

@github-actions
Checkmarx One – Scan Summary & Details (54d433d3-aad5-44ed-ad1d-b636111b5eff)


Fixed Issues (951) Great job! The following issues were fixed in this Pull Request

More results are available on the CxOne platform

vuntz and others added 5 commits March 26, 2026 10:03
…n collection mode

Add Robot Framework tests demonstrating that parse_structure fails to
traverse JSON paths deeper than 2 levels. The regex at line 477 of
collection.pm only splits on the first dot, treating the remainder as
a literal key instead of recursively traversing the hash.

Test uses a Mockoon mock returning nested JSON (up to 4 levels) and
a collection config that parses paths like location.rack.row and
location.rack.position.slot. These tests will fail until the fix
is applied.

CTOR-865

Replace the single-dot regex split with a loop that walks each segment
of the dotted path. The old code split on the first dot only, so paths
like location.rack.row resolved to $value->{location}->{'rack.row'}
which is undefined. The new code splits on all dots and traverses each
key in turn, supporting arbitrary depth.

CTOR-865
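
The two lookups described in the commit messages above, side by side, as an added Perl example that is not the code from collection.pm. The function names, the sample data and the guard against non-hash nodes are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample, shaped like the nested JSON the PR's mock is described
# as returning (all values are made up for this example).
my $entry = {
    name     => 'srv-01',
    location => {
        site => 'dc1',
        rack => { row => 'B', position => { slot => 12 } },
    },
};

# Behaviour described for the old code: split on the first dot only and use
# the remainder as one literal hash key.
sub lookup_first_dot_only {
    my ($value, $path) = @_;
    if ($path =~ /^(.+?)\.(.*)$/) {
        my ($head, $rest) = ($1, $2);
        return undef if ref($value->{$head}) ne 'HASH';
        return $value->{$head}->{$rest};    # e.g. {location}->{'rack.row'}
    }
    return $value->{$path};
}

# Behaviour described for the fix: split on every dot and descend one key at
# a time. Stops with undef when a segment is missing or the current node is
# not a hash, so nothing is autovivified in the parsed response.
sub lookup_walk {
    my ($value, $path) = @_;
    my $node = $value;
    foreach my $key (split /\./, $path) {
        return undef unless ref($node) eq 'HASH' && exists $node->{$key};
        $node = $node->{$key};
    }
    return $node;
}

foreach my $path (qw(name location.site location.rack.row
                     location.rack.position.slot location.site.zone)) {
    my $old = lookup_first_dot_only($entry, $path);
    my $new = lookup_walk($entry, $path);
    printf "%-28s old=%-7s new=%s\n", $path,
        defined $old ? $old : '(undef)', defined $new ? $new : '(undef)';
}
```

The last path, location.site.zone, descends into a scalar and shows why the walk checks the node type at every step rather than only at the first level.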
@omercier force-pushed the CTOR-865-http-collection-deep-path-tests branch from 6ad8630 to cc9eed5 March 26, 2026 13:47

@omercier (Contributor)

This PR should fix #5118

@omercier linked an issue Mar 26, 2026 that may be closed by this pull request
@omercier changed the title from "test(apps::protocols::http): add tests for deep JSON path in collection mode" to "fix(apps::protocols::http): handle nested JSON path in collection mode" Mar 26, 2026
@omercier marked this pull request as ready for review March 26, 2026 13:50
@omercier requested review from a team as code owners March 26, 2026 13:50
@omercier requested review from Evan-Adam and scresto31 March 26, 2026 13:50
Comment thread src/apps/protocols/http/mode/collection.pm
@omercier merged commit f8ee1d7 into develop Mar 30, 2026
98 of 102 checks passed
@omercier deleted the CTOR-865-http-collection-deep-path-tests branch March 30, 2026 07:04
Successfully merging this pull request may close these issues.

[apps::protocols::http::plugin] - mode(collection): JSON path depth