github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-29 16:17:32 +00:00
Code Issues Projects Releases Wiki Activity

Don't require quoting for non-alphanum characters

Browse Source 
This commit removes the one remaining (known) difference with the sysdig
c++ parser: relational expression right-hand sides now _only_ need to be
quoted if they contain a paren or a space.

So you can now do things like "fd.name contains (.log and event.dir = <"
without needing to quote "*.log" or "<".
This commit is contained in:
Henri DF 2016-02-12 15:03:09 -08:00
parent 41ee6e49a5
commit 48685f4f2f
2 changed files with 10 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lua/parser-smoke.sh
View File

@ -50,17 +50,19 @@ good "a.b icontains 'bla'"
good "a.g in ()" good "a.g in ()"
good "a.g in (1, 'a', b)" good "a.g in (1, 'a', b)"
good "a.g in ( 1 ,, , b)" good "a.g in ( 1 ,, , b)"
good "evt.dir=> and fd.name=*.log"
good "evt.dir=> and fd.name=/var/log/httpd.log"
good "a.g in (1, 'a', b.c)"
good "a.b = a.a"
bad "a.g in (1, 'a', b.c)"
bad "a.b = a.a"
bad "(a.b = 1" bad "(a.b = 1"
# Macros # Macros
good "a: a.b exists" good "a: a.b exists"
good "a: b and c" good "a: b and c"
good "a: b" good "a: b"
good "a : b" good "a : b"
good "a : evt.dir=>"
good "inbound: (syscall.type=listen and evt.dir='>') or (syscall.type=accept and evt.dir='<')" good "inbound: (syscall.type=listen and evt.dir='>') or (syscall.type=accept and evt.dir='<')"
bad "a:" bad "a:"

13
lua/sysdig-parser.lua
View File

@ -7,14 +7,9 @@
inbound: (syscall.type=listen and evt.dir='>') or (syscall.type=accept and evt.dir='<') inbound: (syscall.type=listen and evt.dir='>') or (syscall.type=accept and evt.dir='<')
(*) There are a few minor differences with the syntax implemented in libsinsp: (*) There currently one known difference with the syntax implemented in libsinsp:
- (Feature!) In libsinsp, field names cannot start with 'a', 'o', or 'n'. With this parser they can - In libsinsp, field names cannot start with 'a', 'o', or 'n'. With this parser they can
- (Bug!) In libsinsp, operator right-hand sides only need to be quoted if they contain spaces or parens. With this parser, they need to be quoted if they contain any non-alphanumeric character. For example:
(libsinsp) fd.name = mylog or fd.name contains .log and event.dir = <
(this parser) fd.name = mylog or fd.name contains '.log' and event.dir = '<'
]]-- ]]--
@ -197,7 +192,7 @@ local G = {
MacroDef = (C(V"Macro") * V"Skip" * V"Colon" * (V"Filter")); MacroDef = (C(V"Macro") * V"Skip" * V"Colon" * (V"Filter"));
-- Terminals -- Terminals
Value = terminal "Number" + terminal "String" + terminal "Identifier"; Value = terminal "Number" + terminal "String" + terminal "BareString";
InList = symb("(") * list(V"Value", symb(",")) * symb(")"); InList = symb("(") * list(V"Value", symb(",")) * symb(")");
@ -220,6 +215,8 @@ local G = {
Number = C(V"Hex" + V"Float" + V"Int") / Number = C(V"Hex" + V"Float" + V"Int") /
function (n) return tonumber(n) end; function (n) return tonumber(n) end;
String = (P'"' * C(((P'\\' * P(1)) + (P(1) - P'"'))^0) * P'"' + P"'" * C(((P"\\" * P(1)) + (P(1) - P"'"))^0) * P"'") / function (s) return fix_str(s) end; String = (P'"' * C(((P'\\' * P(1)) + (P(1) - P'"'))^0) * P'"' + P"'" * C(((P"\\" * P(1)) + (P(1) - P"'"))^0) * P"'") / function (s) return fix_str(s) end;
BareString = C(((P(1) - S' (),'))^1);
OrOp = kw("or") / "or"; OrOp = kw("or") / "or";
AndOp = kw("and") / "and"; AndOp = kw("and") / "and";
Colon = kw(":"); Colon = kw(":");