refactor(userspace/engine): restrict unsafe-na-check warning to k8s a…

…udit fields Signed-off-by: Jason Dellaluce <[email protected]>
falcosecurity · Apr 21, 2022 · 0bf53f0 · 0bf53f0
1 parent 37d03cf
commit 0bf53f0
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 12 deletions.
diff --git a/tests/engine/test_filter_warning_resolver.cpp b/tests/engine/test_filter_warning_resolver.cpp
@@ -28,17 +28,19 @@ static bool warns(const std::string& condition)
 
 TEST_CASE("Should spot warnings in filtering conditions", "[rule_loader]")
 {
-	SECTION("for unsafe usage of <NA>")
+	SECTION("for unsafe usage of <NA> in k8s audit fields")
 	{
-		REQUIRE(false == warns("sample.field exists"));
-		REQUIRE(true == warns("sample.field = <NA>"));
-		REQUIRE(true == warns("sample.field == <NA>"));
-		REQUIRE(true == warns("sample.field != <NA>"));
-		REQUIRE(true == warns("sample.field in (<NA>)"));
-		REQUIRE(true == warns("sample.field in (otherval, <NA>)"));
-		REQUIRE(true == warns("sample.field intersects (<NA>)"));
-		REQUIRE(true == warns("sample.field intersects (otherval, <NA>)"));
-		REQUIRE(true == warns("sample.field pmatch (<NA>)"));
-		REQUIRE(true == warns("sample.field pmatch (otherval, <NA>)"));
+		REQUIRE(false == warns("ka.field exists"));
+		REQUIRE(false == warns("some.field = <NA>"));
+		REQUIRE(true == warns("jevt.field = <NA>"));
+		REQUIRE(true == warns("ka.field = <NA>"));
+		REQUIRE(true == warns("ka.field == <NA>"));
+		REQUIRE(true == warns("ka.field != <NA>"));
+		REQUIRE(true == warns("ka.field in (<NA>)"));
+		REQUIRE(true == warns("ka.field in (otherval, <NA>)"));
+		REQUIRE(true == warns("ka.field intersects (<NA>)"));
+		REQUIRE(true == warns("ka.field intersects (otherval, <NA>)"));
+		REQUIRE(true == warns("ka.field pmatch (<NA>)"));
+		REQUIRE(true == warns("ka.field pmatch (otherval, <NA>)"));
 	}
 }
diff --git a/userspace/engine/filter_warning_resolver.cpp b/userspace/engine/filter_warning_resolver.cpp
@@ -20,6 +20,12 @@ limitations under the License.
 static const char* no_value = "<NA>";
 static const char* warn_unsafe_na_check = "unsafe-na-check";
 
+static inline bool is_unsafe_field(const string& f)
+{
+	return !strncmp(f.c_str(), "ka.", strlen("ka."))
+		|| !strncmp(f.c_str(), "jevt.", strlen("jevt."));
+}
+
 static inline bool is_equality_operator(const string& op)
 {
 	return op == "==" || op == "=" || op == "!="
@@ -57,7 +63,7 @@ bool filter_warning_resolver::format(
 void filter_warning_resolver::visitor::visit(
 	libsinsp::filter::ast::binary_check_expr* e)
 {
-	if (is_equality_operator(e->op))
+	if (is_unsafe_field(e->field) && is_equality_operator(e->op))
 	{
 		m_is_equality_check = true;
 		e->value->accept(this);