Description
Integration Name
Cloudflare Logpush [cloudflare_logpush]
Dataset Name
http_request
Integration Version
1.43.0
Agent Version
9.2.2
Agent Output Type
elasticsearch
Elasticsearch Version
9.2.2
OS Version and Architecture
Ubuntu Server 24.04 LTS
Software/API Version
No response
Error Message
No response
Event Original
{
"BotDetectionIDs": [],
"BotDetectionTags": [],
"BotScore": 80,
"BotScoreSrc": "Machine Learning",
"BotTags": [],
"ClientASN": 1241,
"ClientCity": "Athens",
"ClientCountry": "gr",
"ClientDeviceType": "mobile",
"ClientIP": "[redacted]",
"ClientIPClass": "noRecord",
"ClientLatitude": "[redacted]",
"ClientLongitude": "[redacted]",
"ClientMTLSAuthCertFingerprint": "",
"ClientMTLSAuthStatus": "unknown",
"ClientRegionCode": "I",
"ClientRequestBytes": 2716,
"ClientRequestHost": "[redacted].[redacted].gr",
"ClientRequestMethod": "GET",
"ClientRequestPath": "//android-chrome-192x192.png",
"ClientRequestProtocol": "HTTP/1.1",
"ClientRequestReferer": "",
"ClientRequestScheme": "https",
"ClientRequestSource": "eyeball",
"ClientRequestURI": "//android-chrome-192x192.png",
"ClientRequestUserAgent": "Mozilla/5.0 (Linux; Android 15; 23127PN0CG Build/AQ3A.240627.003) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.7499.34 Mobile Safari/537.36 OPX/3.0",
"ClientSSLCipher": "AEAD-AES128-GCM-SHA256",
"ClientSSLProtocol": "TLSv1.3",
"ClientSrcPort": 48176,
"ClientXRequestedWith": "",
"ContentScanObjResults": [],
"ContentScanObjSizes": [],
"ContentScanObjTypes": [],
"Cookies": {},
"EdgeEndTimestamp": "2025-12-19T09:59:23Z",
"EdgePathingOp": "wl",
"EdgePathingSrc": "undef",
"EdgePathingStatus": "nr",
"EdgeRequestHost": "[redacted].[redacted].gr",
"EdgeResponseBodyBytes": 0,
"EdgeResponseBytes": 781,
"EdgeResponseCompressionRatio": 1,
"EdgeResponseContentType": "",
"EdgeResponseStatus": 404,
"EdgeStartTimestamp": "2025-12-19T09:59:22Z",
"JA3Hash": "9b02ebd3a43b62d825e1ac605b621dc8",
"JA4": "t13d1713h1_5b57614c22b0_eca864cca44a",
"JA4Signals": {
"browser_ratio_1h": 0.03621534,
"cache_ratio_1h": 0.35994977,
"h2h3_ratio_1h": 0.00054187083,
"heuristic_ratio_1h": 0.017031986,
"ips_quantile_1h": 0.9999857,
"ips_rank_1h": 12,
"paths_rank_1h": 24,
"reqs_quantile_1h": 0.999981,
"reqs_rank_1h": 16,
"uas_rank_1h": 20
},
"JSDetectionPassed": "Missing",
"LeakedCredentialCheckResult": "none",
"OriginIP": "[redacted]",
"OriginResponseBytes": 0,
"OriginResponseHTTPExpires": "",
"OriginResponseHTTPLastModified": "",
"OriginResponseStatus": 404,
"OriginSSLProtocol": "TLSv1.3",
"ParentRayID": "00",
"RayID": "9b060c0078bd2742",
"RequestHeaders": {},
"ResponseHeaders": {},
"SecurityAction": "",
"SecurityActions": [],
"SecurityRuleDescription": "",
"SecurityRuleID": "",
"SecurityRuleIDs": [],
"SecuritySources": [],
"VerifiedBotCategory": "",
"WAFAttackScore": 87,
"WAFFlags": "0",
"WAFMatchedVar": "",
"WAFRCEAttackScore": 91,
"WAFSQLiAttackScore": 96,
"WAFXSSAttackScore": 97,
"WorkerScriptName": "",
"WorkerSubrequest": false,
"WorkerSubrequestCount": 0,
"ZoneName": "[redacted].gr"
}
What did you do?
Nothing much.
What did you see?
When ClientRequestURI starts with two slashes (//), the url.domain field is populated with the wrong value.
Example
"ClientRequestURI": "//test",
...
"ClientRequestHost": "example.com"
will cause url.domain = "test" (instead of example.com).
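This happens because the URI parts processor parses the string after // as a domain (as it normally would with https://example.com). Since ClientRequestURI comes from the client's request, the request path rather than ClientRequestHost ends up determining url.domain, so searches and detection rules that match on url.domain may see a misleading value for these events.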
What did you expect to see?
url.domain should contain the requested domain (example.com in the example above), not part of the request path.
Anything else?
No response