TheHive4py icon indicating copy to clipboard operation
TheHive4py copied to clipboard

Published 20 hours ago verified publisher icon TheHive-Project

[Question] Are multiple API Calls handled in parallel?

Open Passimist opened this issue 3 years ago • 3 comments

(Probably) a very simple question but I didn't find an answer to it: Does TheHives API answer multiple requests in parallel? I am trying to automate an observable creation and I dont want to run into a race condition (TheHive not noticing that the same observable is simultaneously beein created by another API Call)

Passimist avatar Oct 30 '20 15:10 Passimist

So I started submitting multiple url observables (some identical) in paralell. If they are added to the case successfully I store the obsId if I get a conflicterror (obs already exists in case) I get all case observables via the api, look for the identical one and get it's obsId. This is where I noticed that sometimes creating an observable is answered with a conflicterror but the case observables list does not yet contain the observable, when I request this list right after the conflicterror.

Passimist avatar Nov 03 '20 11:11 Passimist

Hello @Passimist I'm not sure to understand the use case.

The API calls are not particularly queued

nadouani avatar Nov 09 '20 15:11 nadouani

Hello @nadouani thanks for the reply. I am very confused myself by the issues I faced in the last days. I hope this is helpful. If you want me to open seperate issues for each of the following topics I can do that instead.

What I noticed is in steps: 1: I create an observable via thehive4py 2a: I try to create the same observable again and get a conflict error 2b: I get all case observables of this case and the observable is not part of the list of returned observables (tho it should already be part of this case since I got the conflict error telling me the observable already exists)

Step 1 and 2 run in parallel while 2a is done before 2b.

Another issue I noticed while adding a lot of file observables this way is that sometimes when I create a file observable the logs show a NoSuchFileException like in https://github.com/TheHive-Project/TheHive/issues/1089 and https://github.com/TheHive-Project/TheHive/issues/1098 But while in those two issues the observable has not been created or was not downloadable I now noticed a file observable beeing created but its SHA256 beeing that of an empty file (which is not what I uploaded) and all analyzers analyzing an emtpy file. (This might be dangerous I hope I have the time and skill to reproduce this in a few days) The Error in TheHive/application.log:

2020-11-09 13:31:06,213 [ERROR] from akka.actor.RepointableActorRef in application-akka.actor.default-dispatcher-3 - Error during preStart in [FileSource(/tmp/playtemp6353343187215886743/multipartBody9054269108493492983asTemporaryFile, 51200)]: /tmp/playtemp6353343187215886743/multipartBody9054269108493492983asTemporaryFile java.nio.file.NoSuchFileException: /tmp/playtemp6353343187215886743/multipartBody9054269108493492983asTemporaryFile at akka.stream.impl.io.FileSource$$anon$2.preStart(IOSources.scala:74) at akka.stream.impl.fusing.GraphInterpreter.init(GraphInterpreter.scala:291) at akka.stream.impl.fusing.GraphInterpreterShell.init(ActorGraphInterpreter.scala:557) at akka.stream.impl.fusing.ActorGraphInterpreter.tryInit(ActorGraphInterpreter.scala:664) at akka.stream.impl.fusing.ActorGraphInterpreter.preStart(ActorGraphInterpreter.scala:712) at akka.actor.Actor.aroundPreStart(Actor.scala:528) at akka.actor.Actor.aroundPreStart$(Actor.scala:528) at akka.stream.impl.fusing.ActorGraphInterpreter.aroundPreStart(ActorGraphInterpreter.scala:655) at akka.actor.ActorCell.create(ActorCell.scala:656) at akka.actor.ActorCell.invokeAll$1(ActorCell.scala:527) at akka.actor.ActorCell.systemInvoke(ActorCell.scala:549) at akka.dispatch.Mailbox.processAllSystemMessages(Mailbox.scala:283) at akka.dispatch.Mailbox.run(Mailbox.scala:224) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

I then installed TheHive 4 to test if I face this issues in that version too. The NoSuchFileException has not occurred so far. But I noticed something else that confuses me:

  1. I create an URL observable.
  2. I try to create the same one again and get a Create Error because the observable already exists
  3. I run any analyzer on the created observable
  4. I try again to create the same observable and it suddenly succeeds creating this identical observable after I ran an analyzer on the first one. Is this intended? Edit: it has nothing to do with running an analyzer. Just waiting for a few seconds lets me create another identical observable via thehive4py.

Now this post is a huge mess... sorry. I hope you can still help me.

Passimist avatar Nov 10 '20 12:11 Passimist