Check for unknown sources earlier (to handle exceptions)

If a rule has an unknown source, *and* has exceptions, loading the rule will result in an error and not skipping the rule. This is because exceptions are also validated for unknown fields, and that occurs before the current check for unknown sources. The fix is to move the check for unknown sources as soon as the rules object is read. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-09-08 10:09:40 +00:00 · 2022-03-01 16:46:01 -08:00
parent 31111ab87b
commit ad42baed7a
1 changed files with 10 additions and 8 deletions
--- a/userspace/engine/lua/rule_loader.lua
+++ b/userspace/engine/lua/rule_loader.lua
@@ -542,6 +542,14 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    v['source'] = "syscall"
 	 end

+	 valid = falco_rules.is_source_valid(rules_mgr, v['source'])
+
+	 if valid == false then
+	    msg = "Rule "..v['rule']..": warning (unknown-source): unknown source "..v['source']..", skipping"
+	    warnings[#warnings + 1] = msg
+	    goto next_object
+	 end
+
 	 -- Add an empty exceptions property to the rule if not defined
 	 if v['exceptions'] == nil then
 	    v['exceptions'] = {}
@@ -735,6 +743,8 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	 arr = build_error_with_context(context, "Unknown top level object: "..table.tostring(v))
 	 warnings[#warnings + 1] = arr[1]
      end
+
+      ::next_object::
   end

   return true, {}, warnings
@@ -1008,14 +1018,6 @@ function load_rules(rules_content,

      if (filter_ast.type == "Rule") then

-	 valid = falco_rules.is_source_valid(rules_mgr, v['source'])
-
-	 if valid == false then
-	    msg = "Rule "..v['rule']..": warning (unknown-source): unknown source "..v['source']..", skipping"
-	    warnings[#warnings + 1] = msg
-	    goto next_rule
-	 end
-
 	 state.n_rules = state.n_rules + 1

 	 state.rules_by_idx[state.n_rules] = v