feat(rego): parse event arguments in sig

Removing default argument parsing will break rego signatures, whose implementation depends on parsed arguments. In order to keep the option of readability in REGO signatures, events will be parsed by default in the context of evaluating these kind of signatures. This will also ensure that they will not be broken depending on the selection of parse-arguments. Co-authored-by: Geyslan Gregório <geyslan@gmail.com>
aquasecurity · Sep 26, 2024 · abad20b · abad20b
1 parent be7ce94
commit abad20b
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/pkg/signatures/regosig/aio.go b/pkg/signatures/regosig/aio.go
@@ -11,6 +11,7 @@ import (
 	"github.com/open-policy-agent/opa/compile"
 	"github.com/open-policy-agent/opa/rego"
 
+	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/protocol"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -194,6 +195,12 @@ func (a *aio) OnEvent(event protocol.Event) error {
 	if !ok {
 		return fmt.Errorf("failed to cast event's payload")
 	}
+
+	err := events.ParseArgs(&ee)
+	if err != nil {
+		return fmt.Errorf("rego aio: failed to parse event data: %v", err)
+	}
+
 	input := rego.EvalInput(ee)
 
 	ctx := context.TODO()

diff --git a/pkg/signatures/regosig/traceerego.go b/pkg/signatures/regosig/traceerego.go
@@ -11,8 +11,10 @@ import (
 	"github.com/open-policy-agent/opa/ast"
 	"github.com/open-policy-agent/opa/rego"
 
+	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
 )
 
 // RegoSignature is an abstract signature that is implemented in rego
@@ -158,7 +160,18 @@ func (sig *RegoSignature) getSelectedEvents(pkgName string) ([]detect.SignatureE
 // if bool is "returned", a true evaluation will generate a Finding with no data
 // if document is "returned", any non-empty evaluation will generate a Finding with the document as the Finding's "Data"
 func (sig *RegoSignature) OnEvent(event protocol.Event) error {
-	input := rego.EvalInput(event.Payload)
+	ee, ok := event.Payload.(trace.Event)
+
+	if !ok {
+		return fmt.Errorf("failed to cast event's payload")
+	}
+
+	err := events.ParseArgs(&ee)
+	if err != nil {
+		return fmt.Errorf("rego aio: failed to parse event data: %v", err)
+	}
+
+	input := rego.EvalInput(ee)
 	results, err := sig.matchPQ.Eval(context.TODO(), input)
 	if err != nil {
 		return fmt.Errorf("evaluating rego: %w", err)

diff --git a/pkg/signatures/regosig/traceerego_test.go b/pkg/signatures/regosig/traceerego_test.go
@@ -349,6 +349,7 @@ func OnEventSpec(t *testing.T, target string, partial bool) {
 				Payload: "just some stuff",
 			},
 			finding: nil,
+			error:   "failed to cast event's payload",
 		},
 	}
-Original file line number
+Diff line change
@@ Expand Up @@
     				Payload: "just some stuff",
     			},
     			finding: nil,
+    			error:   "failed to cast event's payload",
     		},
     	}
@@ Expand Down @@