From 70710f95e640e5cff5e635832ab2ddd8f0c91ffd Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Fri, 21 Jun 2024 06:08:54 +0930
Subject: [PATCH 1/2] x-pack/filebeat/input/cel: fix handling of infinite values in rates (#39940)

The protobuf.Value.AsInterface method encodes +Inf as "Infinity" so ensure that we accept that string.

(cherry picked from commit 1f8ad02e63f461b95bbb72f598c7c38763cc3cdd)
---
 CHANGELOG.next.asciidoc | 41 ++++++++++++++++++++++++++++++
 x-pack/filebeat/input/cel/input.go | 2 +-
 2 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index e3d33cc6b3df..28f249a4f507 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -140,6 +140,47 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Add setup option `--force-enable-module-filesets`, that will act as if all filesets have been enabled in a module during setup. {issue}30915[30915] {pull}99999[99999]
 - Made Azure Blob Storage input GA and updated docs accordingly. {pull}37128[37128]
 - Made GCS input GA and updated docs accordingly. {pull}37127[37127]
+- Suppress and log max HTTP request retry errors in CEL input. {pull}37160[37160]
+- Prevent CEL input from re-entering the eval loop when an evaluation failed. {pull}37161[37161]
+- Update CEL extensions library to v1.7.0. {pull}37172[37172]
+- Add support for complete URL replacement in HTTPJSON chain steps. {pull}37486[37486]
+- Add support for user-defined query selection in EntraID entity analytics provider. {pull}37653[37653]
+- Update CEL extensions library to v1.8.0 to provide runtime error location reporting. {issue}37304[37304] {pull}37718[37718]
+- Add request trace logging for chained API requests. {issue}37551[36551] {pull}37682[37682]
+- Relax TCP/UDP metric polling expectations to improve metric collection. {pull}37714[37714]
+- Add support for PEM-based Okta auth in HTTPJSON. {pull}37772[37772]
+- Prevent complete loss of long request trace data. {issue}37826[37826] {pull}37836[37836]
+- Added experimental version of the Websocket Input. {pull}37774[37774]
+- Add support for PEM-based Okta auth in CEL. {pull}37813[37813]
+- Add Salesforce input. {pull}37331[37331]
+- Add ETW input. {pull}36915[36915]
+- Update CEL mito extensions to v1.9.0 to add keys/values helper. {pull}37971[37971]
+- Add logging for cache processor file reads and writes. {pull}38052[38052]
+- Add parseDateInTZ value template for the HTTPJSON input {pull}37738[37738]
+- Support VPC endpoint for aws-s3 input SQS queue url. {pull}38189[38189]
+- Improve rate limit handling by HTTPJSON {issue}36207[36207] {pull}38161[38161] {pull}38237[38237]
+- Add parseDateInTZ value template for the HTTPJSON input. {pull}37738[37738]
+- Add support for complex event objects in the HTTP Endpoint input. {issue}37910[37910] {pull}38193[38193]
+- Parse more fields from Elasticsearch slowlogs {pull}38295[38295]
+- Update CEL mito extensions to v1.10.0 to add base64 decode functions. {pull}38504[38504]
+- Add support for Active Directory an entity analytics provider. {pull}37919[37919]
+- Add AWS AWSHealth metricset. {pull}38370[38370]
+- Add debugging breadcrumb to logs when writing request trace log. {pull}38636[38636]
+- added benchmark input {pull}37437[37437]
+- added benchmark input and discard output {pull}37437[37437]
+- Ensure all responses sent by HTTP Endpoint are HTML-escaped. {pull}39329[39329]
+- Update CEL mito extensions to v1.11.0 to improve type checking. {pull}39460[39460]
+- Improve logging of request and response with request trace logging in error conditions. {pull}39455[39455]
+- Implement Elastic Agent status and health reporting for CEL Filebeat input. {pull}39209[39209]
+- Add HTTP metrics to CEL input. {issue}39501[39501] {pull}39503[39503]
+- Add default user-agent to CEL HTTP requests. {issue}39502[39502] {pull}39587[39587]
+- Improve reindexing support in security module pipelines. {issue}38224[38224] {pull}39588[39588]
+- Make HTTP Endpoint input GA. {issue}38979[38979] {pull}39410[39410]
+- Update CEL mito extensions to v1.12.2. {pull}39755[39755]
+- Add support for base64-encoded HMAC headers to HTTP Endpoint. {pull}39655[39655]
+- Add user group membership support to Okta entity analytics provider. {issue}39814[39814] {pull}39815[39815]
+- Add request trace support for Okta and EntraID entity analytics providers. {pull}39821[39821]
+- Fix handling of infinite rate values in CEL rate limit handling logic. {pull}39940[39940]
 
 *Auditbeat*
 
diff --git a/x-pack/filebeat/input/cel/input.go b/x-pack/filebeat/input/cel/input.go
index d53a6580b0bf..36d2d59e883b 100644
--- a/x-pack/filebeat/input/cel/input.go
+++ b/x-pack/filebeat/input/cel/input.go
@@ -675,7 +675,7 @@ func getLimit(which string, rateLimit map[string]interface{}, log *logp.Logger)
 case float64:
 limit = rate.Limit(r)
 case string:
- if !strings.EqualFold(r, "inf") {
+ if !strings.EqualFold(strings.TrimPrefix(r, "+"), "inf") && !strings.EqualFold(strings.TrimPrefix(r, "+"), "infinity") {
 log.Errorw("unexpected value returned for rate limit "+which, "value", r, "rate_limit", mapstr.M(rateLimit))
 return limit, false
 }

From 90649265a72f8630fa49f67bb0dcd705e8cadc01 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Fri, 21 Jun 2024 06:11:31 +0930
Subject: [PATCH 2/2] remove irrelevant changelog entry

---
 CHANGELOG.next.asciidoc | 40 ----------------------------------------
 1 file changed, 40 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 28f249a4f507..e9eb21844b8d 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
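Review bot: In getLimit (x-pack/filebeat/input/cel/input.go) the new condition evaluates `strings.TrimPrefix(r, "+")` twice and leaves the accepted spellings undocumented, although a string that passes this check presumably leaves the request rate unbounded. Hoisting it reads better and gives the comment a home: `s := strings.TrimPrefix(r, "+") // AsInterface yields "Infinity" for +Inf` then `if !strings.EqualFold(s, "inf") && !strings.EqualFold(s, "infinity") {`. AsInterface also renders NaN and -Inf as the strings "NaN" and "-Infinity"; both still fall into the error branch, and a short comment saying that is intentional would stop a later edit from widening the match. The diffstat shows no test file, so a table-driven case for "Infinity", "+inf", "-Infinity" and "NaN" would pin this down. getLimit starts and ends outside the hunk, so the limit applied after the check is not visible here.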
@@ -140,46 +140,6 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Add setup option `--force-enable-module-filesets`, that will act as if all filesets have been enabled in a module during setup. {issue}30915[30915] {pull}99999[99999]
 - Made Azure Blob Storage input GA and updated docs accordingly. {pull}37128[37128]
 - Made GCS input GA and updated docs accordingly. {pull}37127[37127]
-- Suppress and log max HTTP request retry errors in CEL input. {pull}37160[37160]
-- Prevent CEL input from re-entering the eval loop when an evaluation failed. {pull}37161[37161]
-- Update CEL extensions library to v1.7.0. {pull}37172[37172]
-- Add support for complete URL replacement in HTTPJSON chain steps. {pull}37486[37486]
-- Add support for user-defined query selection in EntraID entity analytics provider. {pull}37653[37653]
-- Update CEL extensions library to v1.8.0 to provide runtime error location reporting. {issue}37304[37304] {pull}37718[37718]
-- Add request trace logging for chained API requests. {issue}37551[36551] {pull}37682[37682]
-- Relax TCP/UDP metric polling expectations to improve metric collection. {pull}37714[37714]
-- Add support for PEM-based Okta auth in HTTPJSON. {pull}37772[37772]
-- Prevent complete loss of long request trace data. {issue}37826[37826] {pull}37836[37836]
-- Added experimental version of the Websocket Input. {pull}37774[37774]
-- Add support for PEM-based Okta auth in CEL. {pull}37813[37813]
-- Add Salesforce input. {pull}37331[37331]
-- Add ETW input. {pull}36915[36915]
-- Update CEL mito extensions to v1.9.0 to add keys/values helper. {pull}37971[37971]
-- Add logging for cache processor file reads and writes. {pull}38052[38052]
-- Add parseDateInTZ value template for the HTTPJSON input {pull}37738[37738]
-- Support VPC endpoint for aws-s3 input SQS queue url. {pull}38189[38189]
-- Improve rate limit handling by HTTPJSON {issue}36207[36207] {pull}38161[38161] {pull}38237[38237]
-- Add parseDateInTZ value template for the HTTPJSON input. {pull}37738[37738]
-- Add support for complex event objects in the HTTP Endpoint input. {issue}37910[37910] {pull}38193[38193]
-- Parse more fields from Elasticsearch slowlogs {pull}38295[38295]
-- Update CEL mito extensions to v1.10.0 to add base64 decode functions. {pull}38504[38504]
-- Add support for Active Directory an entity analytics provider. {pull}37919[37919]
-- Add AWS AWSHealth metricset. {pull}38370[38370]
-- Add debugging breadcrumb to logs when writing request trace log. {pull}38636[38636]
-- added benchmark input {pull}37437[37437]
-- added benchmark input and discard output {pull}37437[37437]
-- Ensure all responses sent by HTTP Endpoint are HTML-escaped. {pull}39329[39329]
-- Update CEL mito extensions to v1.11.0 to improve type checking. {pull}39460[39460]
-- Improve logging of request and response with request trace logging in error conditions. {pull}39455[39455]
-- Implement Elastic Agent status and health reporting for CEL Filebeat input. {pull}39209[39209]
-- Add HTTP metrics to CEL input. {issue}39501[39501] {pull}39503[39503]
-- Add default user-agent to CEL HTTP requests. {issue}39502[39502] {pull}39587[39587]
-- Improve reindexing support in security module pipelines. {issue}38224[38224] {pull}39588[39588]
-- Make HTTP Endpoint input GA. {issue}38979[38979] {pull}39410[39410]
-- Update CEL mito extensions to v1.12.2. {pull}39755[39755]
-- Add support for base64-encoded HMAC headers to HTTP Endpoint. {pull}39655[39655]
-- Add user group membership support to Okta entity analytics provider. {issue}39814[39814] {pull}39815[39815]
-- Add request trace support for Okta and EntraID entity analytics providers. {pull}39821[39821]
 - Fix handling of infinite rate values in CEL rate limit handling logic. {pull}39940[39940]
 
 *Auditbeat*