Prefer explicit construction to coercion in record initialization

While we support initializing records via coercion from an expression list, e.g., local x: X = [$x1=1, $x2=2]; this can sometimes obscure the code to readers, e.g., when assigning to value declared and typed elsewhere. The language runtime has a similar overhead since instead of just constructing a known type it needs to check at runtime that the coercion from the expression list is valid; this can be slower than just writing the readible code in the first place, see #4559. With this patch we use explicit construction, e.g., local x = X($x1=1, $x2=2);
2025-10-02 06:38:20 +00:00 · 2025-07-10 09:42:44 +02:00 · 2025-07-10 09:42:44 +02:00 · d5fd29edcd
commit d5fd29edcd
parent 54f9e45597
139 changed files with 786 additions and 788 deletions
--- a/scripts/policy/protocols/http/detect-sqli.zeek
+++ b/scripts/policy/protocols/http/detect-sqli.zeek
@ -87,43 +87,43 @@ event zeek_init() &priority=3
 	# Add filters to the metrics so that the metrics framework knows how to
 	# determine when it looks like an actual attack and how to respond when
 	# thresholds are crossed.
-	local r1: SumStats::Reducer = [$stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples];
-	SumStats::create([$name="detect-sqli-attackers",
-	                  $epoch=sqli_requests_interval,
-	                  $reducers=set(r1),
-	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
-	                  	{
-	                  	return result["http.sqli.attacker"]$sum;
-	                  	},
-	                  $threshold=sqli_requests_threshold,
-	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
-	                  	{
-	                  	local r = result["http.sqli.attacker"];
-	                  	NOTICE([$note=SQL_Injection_Attacker,
-	                  	        $msg="An SQL injection attacker was discovered!",
-	                  	        $email_body_sections=vector(format_sqli_samples(r$samples)),
-	                  	        $src=key$host,
-	                  	        $identifier=cat(key$host)]);
-	                  	}]);
+	local r1 = SumStats::Reducer($stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples);
+	SumStats::create(SumStats::SumStat($name="detect-sqli-attackers",
+		$epoch=sqli_requests_interval,
+		$reducers=set(r1),
+		$threshold_val(key: SumStats::Key, result: SumStats::Result) =
+			{
+			return result["http.sqli.attacker"]$sum;
+			},
+		$threshold=sqli_requests_threshold,
+		$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+			{
+			local r = result["http.sqli.attacker"];
+			NOTICE(Notice::Info($note=SQL_Injection_Attacker,
+			                    $msg="An SQL injection attacker was discovered!",
+			                    $email_body_sections=vector(format_sqli_samples(r$samples)),
+			                    $src=key$host,
+			                    $identifier=cat(key$host)));
+			}));

-	local r2: SumStats::Reducer = [$stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples];
-	SumStats::create([$name="detect-sqli-victims",
-	                  $epoch=sqli_requests_interval,
-	                  $reducers=set(r2),
-	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
-	                  	{
-	                  	return result["http.sqli.victim"]$sum;
-	                  	},
-	                  $threshold=sqli_requests_threshold,
-	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
-	                  	{
-	                  	local r = result["http.sqli.victim"];
-	                  	NOTICE([$note=SQL_Injection_Victim,
-	                  	        $msg="An SQL injection victim was discovered!",
-	                  	        $email_body_sections=vector(format_sqli_samples(r$samples)),
-	                  	        $src=key$host,
-	                  	        $identifier=cat(key$host)]);
-	                  	}]);
+	local r2 = SumStats::Reducer($stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples);
+	SumStats::create(SumStats::SumStat($name="detect-sqli-victims",
+		$epoch=sqli_requests_interval,
+		$reducers=set(r2),
+		$threshold_val(key: SumStats::Key, result: SumStats::Result) =
+			{
+			return result["http.sqli.victim"]$sum;
+			},
+		$threshold=sqli_requests_threshold,
+		$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+			{
+			local r = result["http.sqli.victim"];
+			NOTICE(Notice::Info($note=SQL_Injection_Victim,
+			                    $msg="An SQL injection victim was discovered!",
+			                    $email_body_sections=vector(format_sqli_samples(r$samples)),
+			                    $src=key$host,
+			                    $identifier=cat(key$host)));
+			}));
 	}

 event http_request(c: connection, method: string, original_URI: string,
@ -136,7 +136,7 @@ event http_request(c: connection, method: string, original_URI: string,
 		{
 		add c$http$tags[URI_SQLI];

-		SumStats::observe("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
-		SumStats::observe("http.sqli.victim",   [$host=c$id$resp_h], [$str=original_URI]);
+		SumStats::observe("http.sqli.attacker", SumStats::Key($host=c$id$orig_h), SumStats::Observation($str=original_URI));
+		SumStats::observe("http.sqli.victim",   SumStats::Key($host=c$id$resp_h), SumStats::Observation($str=original_URI));
 		}
 	}