Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Properly parse numbers in condition fields
Falco won't properly parse a rule like this: --- - rule: Some Rule desc: Some Desc condition: evt.type=execve and container.image.repository = 271931939120.dkr output: Some output priority: INFO --- This is the error when validating the rules: Tue Mar 30 12:00:40 2021: Validating rules file(s): Tue Mar 30 12:00:40 2021: /home/mstemm/test.yaml 1 errors: Compilation error when compiling "evt.type=execve and container.image.repository = 271931939120.dkr": 63: syntax error, unexpected 'dkr', expecting 'or', 'and' The parsing of the string on the right hand side stops at the period before the dkr. The dkr then doesn't match the grammar, resulting in the error. Looking at the parser implementation more closely, the problem is in the definition of "Number": --- - Number = C(V "Hex" + V "Float" + V "Int") / function(n) return tonumber(n) end, --- Note that it stops after the number, but does not have any requirement about what follows. This changes the definition of number to require that what follows the number is not an identifier character. With this change, values that are only numbers are parsed as numbers, and values that start with numbers don't match the Number definition and are parsed as BareStrings instead. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- Loading branch information