Also allow json arrays of k8s audit evts

Currently, the json object POSTed to the /k8s_audit endpoint is assumed
to be an obect, with a "type" of either "Event" or "EventList". When the
K8s API Server POSTs events, it aggregates them into an EventList,
ensuring that there is always a single object.

However, we're going to add some intermediate tools that tail log files
and send them to the endpoint, and the easiest way to send a batch of
events is to pass them as a json array instead of a single object.

To properly handle this, modify parse_k8s_audit_event_json to also
handle a json array. For arrays, it iterates over the objects, calling
parse_k8s_audit_json recursively. This only iterates an initial top
level array to avoid excessive recursion/attacks involving degenerate
json objects with excessively nested arrays.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

userspace/engine/falco_engine.cpp

@@ -364,11 +364,34 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_k8s_audit_event(json
 	return res;
 }
 
-bool falco_engine::parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts)
+bool falco_engine::parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top)
 {
 	// Note that nlohmann::basic_json::value can throw  nlohmann::basic_json::type_error (302, 306)
 	try
 	{
+		// If the object is an array, call parse_k8s_audit_json again for each item.
+		if(j.is_array())
+		{
+			if(top)
+			{
+				for(auto &item : j)
+				{
+					// Note we only handle a single top level array, to
+					// avoid excessive recursion.
+					if(! parse_k8s_audit_json(item, evts, false))
+					{
+						return false;
+					}
+				}
+
+				return true;
+			}
+			else
+			{
+				return false;
+			}
+		}
+
 		// If the kind is EventList, split it into individual events
 		if(j.value("kind", "<NA>") == "EventList")
 		{