fix(userspace/libsinsp): fixed CO_IN filter crafted value.

Signed-off-by: Federico Di Pierro <[email protected]> Co-authored-by: Luca Guerra <[email protected]>
falcosecurity · Aug 26, 2024 · 84b459f · 84b459f
1 parent 839efec
commit 84b459f
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/userspace/libsinsp/sinsp_filtercheck.cpp b/userspace/libsinsp/sinsp_filtercheck.cpp
@@ -1069,15 +1069,16 @@ bool sinsp_filter_check::compare_rhs(cmpop op, ppm_param_type type, const void*
 			return false;
 		default:
 			auto item = craft_filter_value(type, operand1, op1_len);
+
 			if (op == CO_IN || op == CO_INTERSECTS)
 			{
 				// CO_INTERSECTS is really more interesting when a filtercheck can extract
 				// multiple values, and you're comparing the set of extracted values
 				// against the set of rhs values. sinsp_filter_checks only extract a
 				// single value, so CO_INTERSECTS is really the same as CO_IN.
 				ensure_unique_ptr_allocated(m_val_storages_members);
-				if(op1_len >= m_val_storages_min_size &&
-				   op1_len <= m_val_storages_max_size &&
+				if(item.second >= m_val_storages_min_size &&
+				   item.second <= m_val_storages_max_size &&
 				   m_val_storages_members->find(item) != m_val_storages_members->end())
 				{
 					return true;

diff --git a/userspace/libsinsp/test/filterchecks/proc.cpp b/userspace/libsinsp/test/filterchecks/proc.cpp
@@ -106,6 +106,24 @@ TEST_F(sinsp_with_test_input, PROC_FILTER_pexepath_aexepath)
 	ASSERT_FALSE(field_has_value(evt, "proc.aexepath[6]"));
 }
 
+TEST_F(sinsp_with_test_input, PROC_FILTER_aname)
+{
+	DEFAULT_TREE
+
+	// proc.aname[0]=good-exe, proc.aname[1]=bash, proc.aname[2]=bash, proc.aname[3]=bash, proc.aname[4]=bash, proc.aname[5]=init
+	auto evt = generate_execve_enter_and_exit_event(0, p6_t1_tid, p6_t1_tid, p6_t1_pid, p6_t1_ptid, "/good-exe", "good-exe", "/good-exe");
+
+	EXPECT_TRUE(eval_filter(evt, "proc.aname in (init)"));
+	EXPECT_TRUE(eval_filter(evt, "proc.aname in (bash)"));
+	EXPECT_TRUE(eval_filter(evt, "proc.aname in (good-exe, init)"));
+	EXPECT_TRUE(eval_filter(evt, "proc.aname = bash"));
+	EXPECT_TRUE(eval_filter(evt, "proc.aname = init"));
+
+	EXPECT_FALSE(eval_filter(evt, "proc.aname in (good-exe)"));
+	EXPECT_FALSE(eval_filter(evt, "proc.aname = good-exe"));
+	EXPECT_FALSE(eval_filter(evt, "proc.aname in (bad-exe)"));
+}
+
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(__APPLE__)
 TEST_F(sinsp_with_test_input, PROC_FILTER_stdin_stdout_stderr)
 {