From 0e46cb6fdcd2624aea03f6db98b65aaee5d2ba56 Mon Sep 17 00:00:00 2001
From: Melih Sivri
Date: Wed, 19 Jun 2024 16:58:23 +0300
Subject: [PATCH 1/5] Add required flags for allowed hosts and IPs

---
 cmd/cli/tracer.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cmd/cli/tracer.go b/cmd/cli/tracer.go
index 674e13b..d535aaa 100644
--- a/cmd/cli/tracer.go
+++ b/cmd/cli/tracer.go
@@ -21,7 +21,9 @@ func initTracerCommand() *cobra.Command {
 tracerCMD.Flags().Bool("allow-local-ranges", true, "allows access to local IP ranges")
 tracerCMD.Flags().Bool("allow-github-meta", false, "allows access to GitHub meta IP ranges (https://api.github.com/meta)")
 tracerCMD.Flags().String("allowed-hosts", "", "enter allowed hostnames (example.com, .github.com)")
+ tracerCMD.MarkFlagRequired("allowed-hosts")
 tracerCMD.Flags().String("allowed-ips", "", "enter allowed IP addresses")
+ tracerCMD.MarkFlagRequired("allowed-ips")
 tracerCMD.Flags().StringP("output-file-name", "o", "/tmp/kntrl.out", "output file name")
 
 return tracerCMD

From 39ba2e63bb54a9a7417d1cae401b7e2236e446e1 Mon Sep 17 00:00:00 2001
From: Melih Sivri
Date: Wed, 19 Jun 2024 16:59:30 +0300
Subject: [PATCH 2/5] Scheme validation for host parsing and some improvements

---
 pkg/parser/flag.go | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/pkg/parser/flag.go b/pkg/parser/flag.go
index d0a19c3..2a0f6d6 100644
--- a/pkg/parser/flag.go
+++ b/pkg/parser/flag.go
@@ -3,6 +3,7 @@ package parser
 import (
 "bufio"
 "net"
+ "net/url"
 "os"
 "strings"
 
@@ -49,12 +50,9 @@ func parseAllowedIPAddr(ips string) (iplist []net.IP) {
 
 func parseAllowedHosts(hosts string) (hl []string) {
 for _, host := range strings.Split(hosts, ",") {
- hl = append(hl, host)
- //alias, err := net.LookupCNAME(host)
- //if err != nil {
- // continue
- //}
- //hl = append(hl, strings.TrimRight(alias, "."))
+ if res, err := url.Parse(host); err != nil && res.Host != "" {
+ hl = append(hl, res.Host)
+ }
 }
 
 return hl
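Review bot: Both added `MarkFlagRequired` calls discard the returned error; it is non-nil only when the named flag does not exist, so a typo in the flag name would silently drop the requirement, and the idiomatic forms are `cobra.CheckErr(tracerCMD.MarkFlagRequired("allowed-hosts"))` or `_ = tracerCMD.MarkFlagRequired(...) // flag registered on the line above` so the intent is visible. Making both flags required also means a run that only needs one allowlist must still pass the other (an explicit `--allowed-ips ""` satisfies cobra's check, since the default `""` can no longer apply), which the usage strings do not mention; either update the help text or, if the cobra version in use provides it, express the intent with `MarkFlagsOneRequired`.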
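Review bot: The new condition in parseAllowedHosts is inverted: `err != nil && res.Host != ""` appends only when parsing failed, and on failure `url.Parse` returns a nil `*url.URL`, so evaluating `res.Host` dereferences nil and panics on the first malformed entry. Even with the sense corrected, a bare hostname such as `example.com` (the form the flag's help text gives) parses with an empty `Host` and a non-empty `Path`, so every documented input would be dropped and the allowlist would end up empty. A scheme-aware check would be `if res, err := url.Parse(host); err == nil && res.Host != "" { hl = append(hl, res.Host) }` with a fallback to the raw entry when no scheme is present; the final patch in this series replaces this condition with a different heuristic, so the point mainly matters for anyone checking out this intermediate commit.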
@@ -85,9 +83,6 @@ func getDNSServers() (hosts []string, ips []net.IP) {
 }
 defer file.Close()
 
- var srvhosts []string
- var srvips []net.IP
 
 scanner := bufio.NewScanner(file)
 for scanner.Scan() {
 line := scanner.Text()
@@ -95,9 +90,9 @@ func getDNSServers() (hosts []string, ips []net.IP) {
 
 if len(fields) >= 2 && fields[0] == "nameserver" {
 if ok := net.ParseIP(fields[1]); ok == nil {
- srvhosts = append(srvhosts, fields[1])
+ hosts = append(hosts, fields[1])
 } else {
- srvips = append(srvips, net.ParseIP(fields[1]))
+ ips = append(ips, net.ParseIP(fields[1]))
 }
 }
 }
@@ -106,5 +101,5 @@ func getDNSServers() (hosts []string, ips []net.IP) {
 return nil, nil
 }
 
- return srvhosts, srvips
+ return
 }

From 6a92960104d070e3d5ef287b595a6ea317bd328e Mon Sep 17 00:00:00 2001
From: Melih Sivri
Date: Wed, 19 Jun 2024 16:59:57 +0300
Subject: [PATCH 3/5] Nil pointer check

---
 pkg/policy/policy.go | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
index bfb476c..1080ce4 100644
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -85,7 +85,12 @@ func (p *Policy) Eval(ctx context.Context, input map[string]interface{}) (bool,
 return false, fmt.Errorf("failed to eval rego query: %w", err)
 }
 
- // TODO: check for nil pointer
+ if len(result) == 0 ||
+ len(result[0].Expressions) == 0 ||
+ result[0].Expressions[0].Value == nil {
+ return false, fmt.Errorf("failed to get result from rego query")
+ }
+
 return result[0].Expressions[0].Value.(bool), nil
 }
 
@@ -94,8 +99,11 @@ func (p *Policy) EvalEvent(ctx context.Context, event domain.ReportEvent) (bool,
 if err != nil {
 return false, err
 }
- var outmap map[string]any
- json.Unmarshal(data, &outmap)
+
+ outmap, err := unmarshal(data)
+ if err != nil {
+ return false, err
+ }
 
 return p.Eval(ctx, outmap)
 }

From e3646fc50d43d176809ef87b1902f01fce191324 Mon Sep 17 00:00:00 2001
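Review bot: The rewritten `else` branch `ips = append(ips, net.ParseIP(fields[1]))` parses the same field a second time even though the enclosing `if` already holds the parsed value in a variable confusingly named `ok`; while touching both branches, `if ip := net.ParseIP(fields[1]); ip == nil { hosts = append(hosts, fields[1]) } else { ips = append(ips, ip) }` removes the duplicate parse and the misleading name. The same function's last hunk swaps `return srvhosts, srvips` for a naked `return` while the earlier exit in that hunk stays an explicit `return nil, nil`; mixing the two forms in a function of this length hurts readability, so an explicit `return hosts, ips` would be clearer. getDNSServers starts and ends outside these hunks.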
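Review bot: The added guard removes the nil dereference, but the type assertion on the following line `result[0].Expressions[0].Value.(bool)` is still single-valued, so a rego query whose result is not a boolean (a string, number or set, for instance) panics inside the policy decision instead of surfacing as an error. Use the checked form: `allowed, ok := result[0].Expressions[0].Value.(bool)` / `if !ok { return false, fmt.Errorf("unexpected rego result type %T", result[0].Expressions[0].Value) }` / `return allowed, nil`. The new message `failed to get result from rego query` also folds three distinct conditions (no result set, no expressions, nil value) into one string, so splitting the message or including which check failed would make troubleshooting a policy easier.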
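Review bot: The error from `unmarshal(data)` is returned bare, whereas the preceding hunk in this file wraps its errors with context (`failed to eval rego query: %w`); `return false, fmt.Errorf("decoding report event: %w", err)` would keep the two paths consistent and tell the caller which step failed. `unmarshal` is a helper not visible in this diff, so it is worth confirming that it still uses `encoding/json`; otherwise the removal of `json.Unmarshal` leaves that import unused in this file. EvalEvent begins outside the hunk.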
From: Melih Sivri
Date: Wed, 19 Jun 2024 17:00:15 +0300
Subject: [PATCH 4/5] refactor: Optimize memory allocation in PrintReportTable function

---
 pkg/reporter/report.go | 2 +-
 pkg/utils/filter.go | 16 +++-------------
 2 files changed, 4 insertions(+), 14 deletions(-)

diff --git a/pkg/reporter/report.go b/pkg/reporter/report.go
index 4dc2591..6fa006f 100644
--- a/pkg/reporter/report.go
+++ b/pkg/reporter/report.go
@@ -107,7 +107,7 @@ func (r *Reporter) PrintReportTable() {
 }
 
 for _, v := range r.events {
- res := make([]string, 0)
+ res := make([]string, 0, len(v.Domains)+5)
 res = append(res, strconv.FormatUint(uint64(v.ProcessID), 10))
 res = append(res, v.TaskName)
 res = append(res, v.Protocol)
diff --git a/pkg/utils/filter.go b/pkg/utils/filter.go
index 2a77b08..a264b77 100644
--- a/pkg/utils/filter.go
+++ b/pkg/utils/filter.go
@@ -2,19 +2,9 @@ package utils
 
 import "strings"
 
-// OneOf returns true if the given string is one of the given values
-func OneOf(s string, values []string) bool {
- for _, v := range values {
- if s == v {
- return true
- }
- }
-
- return false
-}
-
-// OneOfInt32 returns true if the given string is one of the given values
-func OneOfInt32(s int32, values []int32) bool {
+// OneOf returns true if the given value is in the given list
+// Note: This func is not used in the project.
+func OneOf[T comparable](s T, values []T) bool {
 for _, v := range values {
 if s == v {
 return true

From 1d42410a1469998f0a45072d10ed0a469433aeed Mon Sep 17 00:00:00 2001
From: msrexe
Date: Wed, 19 Jun 2024 17:31:11 +0300
Subject: [PATCH 5/5] Fix URL parsing logic in parseAllowedHosts function

---
 pkg/parser/flag.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/pkg/parser/flag.go b/pkg/parser/flag.go
index 2a0f6d6..484e182 100644
--- a/pkg/parser/flag.go
+++ b/pkg/parser/flag.go
@@ -3,7 +3,6 @@ package parser
 import (
 "bufio"
 "net"
- "net/url"
 "os"
 "strings"
 
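Review bot: The `+5` in `res := make([]string, 0, len(v.Domains)+5)` is a magic number that has to stay in step with the fixed columns appended below, only three of which are visible in this hunk, so the count is assumed from the rest of the loop body; a comment on that line, `// one slot per domain plus the fixed columns appended below`, or a named constant for the fixed-column count would stop a future column from silently reintroducing the growth copy this commit set out to remove. The loop body continues outside the hunk.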
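Review bot: The new doc comment `// Note: This func is not used in the project.` documents dead code rather than removing it; if the generic `OneOf` and the deleted `OneOfInt32` really have no callers, deleting them (or the file) is the cleaner result, and if `OneOfInt32` does have callers elsewhere they no longer compile — the diff does not show any call sites, so this needs checking. If the helper is kept, the hand-written loop duplicates `slices.Contains(values, s)` (Go 1.21+), which would let the body go entirely. The function body continues outside the hunk.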
@@ -50,12 +49,12 @@ func parseAllowedIPAddr(ips string) (iplist []net.IP) {
 
 func parseAllowedHosts(hosts string) (hl []string) {
 for _, host := range strings.Split(hosts, ",") {
- if res, err := url.Parse(host); err != nil && res.Host != "" {
- hl = append(hl, res.Host)
+ if parts := strings.Split(host, "."); len(parts) > 1 {
+ hl = append(hl, host)
 }
 }
 
- return hl
+ return
 }
 
 // find a better solution
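Review bot: Entries are not trimmed before the dot check, so the spaced form the flag's own help text shows, `example.com, .github.com`, produces an allowlist entry ` .github.com` with a leading space, and any entry without a dot (`localhost`, or a typo) is dropped silently, so an operator can believe a host is allowlisted when the matcher never sees it. Suggest `host = strings.TrimSpace(host)` at the top of the loop and logging or returning an error for rejected entries instead of discarding them; `strings.Split(host, ".")` also allocates a slice only to test for a dot, where `strings.Contains(host, ".")` is the equivalent check. The `// find a better solution` comment following the function suggests the dot heuristic is known to be a placeholder, so a proper hostname validator could replace it in the same pass.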