Summary
`payloadText` in `normalise.go` processes structured payloads (`map[string]any`) by iterating over the map and concatenating string values. Because Go map iteration order is non-deterministic, the same input can produce different `CanonicalText` values across runs.
Example
Input:
```json
{
  "name": "shell",
  "args": "rm -rf /"
}
```
Possible Output A:
Possible Output B:
The output depends entirely on Go's random map iteration order at runtime.
Root Cause
Go's map iteration order is intentionally randomised. Iterating over a map[string]any and concatenating values without first sorting the keys produces output that varies between runs, even for identical inputs.
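The following is an added illustration, not the project's `payloadText` implementation: `unsortedPayloadText` reconstructs the defect (ranging over the map and appending string values in whatever order Go yields them), and `canonicalPayloadText` shows the fix of sorting the keys first. The single-space separator, the skipping of non-string values, and the helper names are assumptions; `isDeterministic` repeats a call and reports whether every run agreed, which is the property the issue says is missing.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// unsortedPayloadText reconstructs the defect described in the issue: it walks
// the map in Go's randomised iteration order, so the concatenated text can
// differ between runs for the same input. Illustrative only; the project's
// real payloadText may differ in details such as the separator.
func unsortedPayloadText(payload map[string]any) string {
	var b strings.Builder
	for _, v := range payload {
		if s, ok := v.(string); ok { // non-string values are skipped (assumption)
			b.WriteString(s)
			b.WriteString(" ") // single-space separator (assumption)
		}
	}
	return strings.TrimSpace(b.String())
}

// canonicalPayloadText is the deterministic form: keys are sorted before the
// values are concatenated, so identical inputs always yield identical output.
func canonicalPayloadText(payload map[string]any) string {
	keys := make([]string, 0, len(payload))
	for k := range payload {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	var b strings.Builder
	for _, k := range keys {
		if s, ok := payload[k].(string); ok {
			b.WriteString(s)
			b.WriteString(" ")
		}
	}
	return strings.TrimSpace(b.String())
}

// isDeterministic calls fn on payload n times and reports whether every call
// produced the same text. Sorted keys always pass; the unsorted variant will
// eventually disagree with itself on a map of two or more string values.
func isDeterministic(fn func(map[string]any) string, payload map[string]any, n int) bool {
	first := fn(payload)
	for i := 1; i < n; i++ {
		if fn(payload) != first {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample input, matching the payload in the issue's example.
	payload := map[string]any{"name": "shell", "args": "rm -rf /"}

	fmt.Println("sorted text:       ", canonicalPayloadText(payload))
	fmt.Println("sorted stable x1000:  ", isDeterministic(canonicalPayloadText, payload, 1000))
	fmt.Println("unsorted stable x1000:", isDeterministic(unsortedPayloadText, payload, 1000))
}
```

Running the program prints the sorted text (`rm -rf / shell`, since `args` sorts before `name`), `true` for the sorted variant, and, with overwhelming probability, `false` for the unsorted one. Sorting keys costs an allocation and an O(k log k) sort per payload, which is negligible next to the downstream Aho-Corasick scan and buys the reproducibility the table above asks for.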
Why This Is an Issue
| Area | Impact |
|---|---|
| Canonical Text | Identical inputs produce different CanonicalText values |
| Scan Behaviour | Detection becomes non-deterministic |
| Aho-Corasick Matching | Patterns may match in one run and silently fail in another |
| Signals & Scores | Results become inconsistent and unreliable |
| Reproducibility | Bugs are difficult to reproduce and investigate |
| Multi-field Patterns | Patterns spanning multiple fields are especially vulnerable |
Expected vs. Actual Behaviour
| | Behaviour |
|---|---|
| Expected | Same input → Same CanonicalText (every run) |
| Actual | Same input → Different CanonicalText (random map iteration) |
Severity
Medium–High
- Directly affects correctness and reliability of detection logic
- Can cause inconsistent outcomes for identical inputs in security-sensitive scenarios
- Produces flaky signals, scores, and decisions that are hard to debug or reproduce
Affected File
`normalise.go` — `payloadText` function