From c6e3cfd11523bb283bebc3e7cfe0a31d8e503be2 Mon Sep 17 00:00:00 2001 From: Jason Dellaluce Date: Fri, 12 Apr 2024 18:52:43 +0000 Subject: [PATCH] test(engine): cover transformers and field-to-field checks in exceptions Signed-off-by: Jason Dellaluce --- unit_tests/engine/test_rule_loader.cpp | 168 ++++++++++++++++++++++++- 1 file changed, 167 insertions(+), 1 deletion(-) diff --git a/unit_tests/engine/test_rule_loader.cpp b/unit_tests/engine/test_rule_loader.cpp index a9e5bda0..8e51ab90 100644 --- a/unit_tests/engine/test_rule_loader.cpp +++ b/unit_tests/engine/test_rule_loader.cpp @@ -975,4 +975,170 @@ TEST_F(test_falco_engine, exceptions_names_not_unique) ASSERT_TRUE(load_rules(rules_content, "rules.yaml")); ASSERT_TRUE(check_warning_message("Multiple definitions of exception")); -} \ No newline at end of file +} + +static std::string s_exception_values_rule_base = R"END( +- rule: test_rule + desc: test rule + condition: evt.type = open + output: command=%proc.cmdline + priority: INFO +)END"; + +TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous) +{ + auto rules_content = s_exception_values_rule_base + R"END( + exceptions: + - name: test_exception + fields: [proc.name] + comps: [=] + values: + - [proc.pname] +)END"; + + ASSERT_TRUE(load_rules(rules_content, "rules.yaml")); + EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = proc.pname)"); + EXPECT_TRUE(check_warning_message("string 'proc.pname' may be a valid field wrongly interpreted as a string value")); +} + +TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_quoted) +{ + auto rules_content = s_exception_values_rule_base + R"END( + exceptions: + - name: test_exception + fields: [proc.name] + comps: [=] + values: + - ["proc.pname"] +)END"; + + ASSERT_TRUE(load_rules(rules_content, "rules.yaml")); + EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = proc.pname)"); + EXPECT_TRUE(check_warning_message("string 'proc.pname' may be a valid field wrongly interpreted as a string value")); +} + +TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_space_quoted) +{ + auto rules_content = s_exception_values_rule_base + R"END( + exceptions: + - name: test_exception + fields: [proc.name] + comps: [=] + values: + - ["proc.pname "] +)END"; + + ASSERT_TRUE(load_rules(rules_content, "rules.yaml")); + EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = \"proc.pname \")"); + EXPECT_TRUE(check_warning_message("string 'proc.pname ' may be a valid field wrongly interpreted as a string value")); +} + +TEST_F(test_falco_engine, exceptions_values_rhs_transformer) +{ + auto rules_content = s_exception_values_rule_base + R"END( + exceptions: + - name: test_exception + fields: [proc.name] + comps: [=] + values: + - [toupper(proc.pname)] +)END"; + + ASSERT_TRUE(load_rules(rules_content, "rules.yaml")); + EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = toupper(proc.pname))"); +} + +TEST_F(test_falco_engine, exceptions_values_transformer_value_quoted) +{ + auto rules_content = s_exception_values_rule_base + R"END( + exceptions: + - name: test_exception + fields: [proc.name] + comps: [=] + values: + - ["toupper(proc.pname)"] +)END"; + + ASSERT_TRUE(load_rules(rules_content, "rules.yaml")); + EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = toupper(proc.pname))"); +} + +TEST_F(test_falco_engine, exceptions_values_transformer_space) +{ + auto rules_content = s_exception_values_rule_base + R"END( + exceptions: + - name: test_exception + fields: [proc.name] + comps: [=] + values: + - [toupper( proc.pname)] +)END"; + + ASSERT_TRUE(load_rules(rules_content, "rules.yaml")); + EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = \"toupper( proc.pname)\")"); + EXPECT_TRUE(check_warning_message("string 'toupper( proc.pname)' may be a valid field transformer wrongly interpreted as a string value")); +} + +TEST_F(test_falco_engine, exceptions_values_transformer_space_quoted) +{ + auto rules_content = s_exception_values_rule_base + R"END( + exceptions: + - name: test_exception + fields: [proc.name] + comps: [=] + values: + - ["toupper( proc.pname)"] +)END"; + + ASSERT_TRUE(load_rules(rules_content, "rules.yaml")); + EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = \"toupper( proc.pname)\")"); + EXPECT_TRUE(check_warning_message("string 'toupper( proc.pname)' may be a valid field transformer wrongly interpreted as a string value")); +} + +TEST_F(test_falco_engine, exceptions_fields_transformer) +{ + auto rules_content = s_exception_values_rule_base + R"END( + exceptions: + - name: test_exception + fields: [tolower(proc.name)] + comps: [=] + values: + - [test] +)END"; + + ASSERT_TRUE(load_rules(rules_content, "rules.yaml")); + EXPECT_FALSE(has_warnings()); + EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)"); +} + +TEST_F(test_falco_engine, exceptions_fields_transformer_quoted) +{ + auto rules_content = s_exception_values_rule_base + R"END( + exceptions: + - name: test_exception + fields: ["tolower(proc.name)"] + comps: [=] + values: + - [test] +)END"; + + ASSERT_TRUE(load_rules(rules_content, "rules.yaml")); + ASSERT_FALSE(has_warnings()); + EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)"); +} + +TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted) +{ + auto rules_content = s_exception_values_rule_base + R"END( + exceptions: + - name: test_exception + fields: ["tolower( proc.name)"] + comps: [=] + values: + - [test] +)END"; + + ASSERT_TRUE(load_rules(rules_content, "rules.yaml")); + ASSERT_FALSE(has_warnings()); + EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)"); +}