search

falcosecurity / event-generator

Generate a variety of suspect actions that are detected by Falco rulesets
Apache License 2.0
94 stars 40 forks source link

fix(decl): use SetUint for open_mode uint32 field #238

Closed jacalvo closed 2 weeks ago

jacalvo commented 2 weeks ago

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind documentation

/kind tests

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area commands

/area pkg

/area events

What this PR does / why we need it:

The issue can be reproduced with the following test:

tests:
  - rule: DirectoryTraversalMonitoredFileRead
    name: test2
    runner: HostRunner
    before: "echo Hi"
    steps:
      - type: syscall
        name: open
        syscall: open
        args:
          pathname: "/etc/../etc/../etc/shadow"
          flags: 0
          mode: 0644
    after: "echo Bye"

It was crashing with:

panic: reflect: call of reflect.Value.SetInt on uint32 Value

After this fix it runs successfully:

2024-11-10T23:22:23.483+0100    info    root    /Users/jose.calvo/repos/event-generator/cmd/declarative/run/run.go:221  Starting test execution...  {"testName": "test2", "testIndex": 0}
2024-11-10T23:22:23.494+0100    info    root.runner.test.script /Users/jose.calvo/repos/event-generator/pkg/test/script/shell/shell.go:174  Script log line {"runnerType": "HostRunner", "testName": "test2", "testIndex": 0, "type": "stdout", "line": "Hi"}
2024-11-10T23:22:23.504+0100    debug   root.runner.test    /Users/jose.calvo/repos/event-generator/pkg/test/test/test.go:142   Executed test step  {"runnerType": "HostRunner", "testName": "test2", "testIndex": 0, "stepName": "open", "stepIndex": 0}
2024-11-10T23:22:23.510+0100    debug   root.runner.test    /Users/jose.calvo/repos/event-generator/pkg/test/test/test.go:187   Executed test step cleanup  {"runnerType": "HostRunner", "testName": "test2", "testIndex": 0, "stepName": "open", "stepIndex": 0}
2024-11-10T23:22:23.511+0100    info    root.runner.test.script /Users/jose.calvo/repos/event-generator/pkg/test/script/shell/shell.go:174  Script log line {"runnerType": "HostRunner", "testName": "test2", "testIndex": 0, "type": "stdout", "line": "Bye"}
2024-11-10T23:22:23.514+0100    info    root    /Users/jose.calvo/repos/event-generator/cmd/declarative/run/run.go:249  Test execution completed    {"testName": "test2", "testIndex": 0}

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

ekoops commented 2 weeks ago

Good catch! It looks good to me

poiana commented 2 weeks ago

LGTM label has been added.

Git tree hash: 5936cab66bbf055ef1be4ed8ca8bed6b7c87ab20

alacuku commented 2 weeks ago

/hold

alacuku commented 2 weeks ago

Hey @jacalvo, thanks for the fix! Can you have a look at the linter?

alacuku commented 2 weeks ago

/unhold

poiana commented 2 weeks ago

LGTM label has been added.

Git tree hash: 2147e67fb1f4e81d8aa9b8e92ee7c599fede48bb

poiana commented 2 weeks ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alacuku, jacalvo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/falcosecurity/event-generator/blob/declarative-testing/OWNERS)~~ [alacuku] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment