Also allow json arrays of k8s audit evts

Currently, the json object POSTed to the /k8s_audit endpoint is assumed to be an obect, with a "type" of either "Event" or "EventList". When the K8s API Server POSTs events, it aggregates them into an EventList, ensuring that there is always a single object. However, we're going to add some intermediate tools that tail log files and send them to the endpoint, and the easiest way to send a batch of events is to pass them as a json array instead of a single object. To properly handle this, modify parse_k8s_audit_event_json to also handle a json array. For arrays, it iterates over the objects, calling parse_k8s_audit_json recursively. This only iterates an initial top level array to avoid excessive recursion/attacks involving degenerate json objects with excessively nested arrays. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
falcosecurity · Dec 17, 2019 · 4c576f3 · 4c576f3
1 parent cd94d05
commit 4c576f3
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
@@ -364,11 +364,34 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_k8s_audit_event(json
 	return res;
 }
 
-bool falco_engine::parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts)
+bool falco_engine::parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top)
 {
 	// Note that nlohmann::basic_json::value can throw  nlohmann::basic_json::type_error (302, 306)
 	try
 	{
+		// If the object is an array, call parse_k8s_audit_json again for each item.
+		if(j.is_array())
+		{
+			if(top)
+			{
+				for(auto &item : j)
+				{
+					// Note we only handle a single top level array, to
+					// avoid excessive recursion.
+					if(! parse_k8s_audit_json(item, evts, false))
+					{
+						return false;
+					}
+				}
+
+				return true;
+			}
+			else
+			{
+				return false;
+			}
+		}
+
 		// If the kind is EventList, split it into individual events
 		if(j.value("kind", "<NA>") == "EventList")
 		{

diff --git a/userspace/engine/falco_engine.h b/userspace/engine/falco_engine.h
@@ -163,7 +163,7 @@ class falco_engine : public falco_common
 	// Returns true if the json object was recognized as a k8s
 	// audit event(s), false otherwise.
 	//
-	bool parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts);
+	bool parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top=true);
 
 	//
 	// Given an event, check it against the set of rules in the