github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-04 16:20:18 +00:00
Code Issues Projects Releases Wiki Activity

update(userspace/engine): support tranformers in exception fields

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce
2024-03-27 12:31:57 +00:00
committed by poiana
parent fa8e780b07
commit f18ea1e8b7
2 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
userspace/engine/falco_source.h
View File

@@ -56,12 +56,30 @@ struct falco_source
// matches an event.
mutable std::vector<falco_rule> m_rules;
inline bool is_field_defined(const std::string& field) const
inline bool is_valid_lhs_field(const std::string& field) const
{
if (filter_factory->new_filtercheck(field.c_str()) != nullptr)
// if there's at least one parenthesis we may be parsing a field
// wrapped inside one or more transformers. In those cases, the most
// rigorous analysis we can do is compiling a simple filter using
// the field as left-hand side of a comparison, and see if any error
// occurs.
if (field.find('(') != std::string::npos)
{
return true;
try
{
auto filter = field;
filter.append(" exists");
sinsp_filter_compiler(filter_factory, filter).compile();
return true;
}
catch (...)
{
return false;
}
}
return false;
// otherwise, simply attempt creating a filtercheck with the given
// field name and see if we succeed
return filter_factory->new_filtercheck(field.c_str()) != nullptr;
}
};