From abad20b3784849057316910f25ca8b2d41dd54fa Mon Sep 17 00:00:00 2001
From: Nadav Strahilevitz
Date: Wed, 29 May 2024 12:47:13 +0000
Subject: [PATCH] feat(rego): parse event arguments in sig
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Removing default argument parsing will break rego signatures, whose implementation depends on parsed arguments. In order to keep the option of readability in REGO signatures, events will be parsed by default in the context of evaluating these kind of signatures. This will also ensure that they will not be broken depending on the selection of parse-arguments.

Co-authored-by: Geyslan Gregório
---
 pkg/signatures/regosig/aio.go | 7 +++++++
 pkg/signatures/regosig/traceerego.go | 15 ++++++++++++++-
 pkg/signatures/regosig/traceerego_test.go | 1 +
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/pkg/signatures/regosig/aio.go b/pkg/signatures/regosig/aio.go
index 38dea29db2e1..2e95b86c37b6 100644
--- a/pkg/signatures/regosig/aio.go
+++ b/pkg/signatures/regosig/aio.go
@@ -11,6 +11,7 @@ import (
 "github.com/open-policy-agent/opa/compile"
 "github.com/open-policy-agent/opa/rego"
+ "github.com/aquasecurity/tracee/pkg/events"
 "github.com/aquasecurity/tracee/types/detect"
 "github.com/aquasecurity/tracee/types/protocol"
 "github.com/aquasecurity/tracee/types/trace"
@@ -194,6 +195,12 @@ func (a *aio) OnEvent(event protocol.Event) error {
 if !ok {
 return fmt.Errorf("failed to cast event's payload")
 }
+
+ err := events.ParseArgs(&ee)
+ if err != nil {
+ return fmt.Errorf("rego aio: failed to parse event data: %v", err)
+ }
+
 input := rego.EvalInput(ee)
 ctx := context.TODO()
diff --git a/pkg/signatures/regosig/traceerego.go b/pkg/signatures/regosig/traceerego.go
index 37aae756bd36..81cea2977915 100644
--- a/pkg/signatures/regosig/traceerego.go
+++ b/pkg/signatures/regosig/traceerego.go
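Review bot: The new error return `return fmt.Errorf("rego aio: failed to parse event data: %v", err)` formats the parse error with `%v`, which flattens it so callers can no longer use errors.Is/errors.As on it, while the rest of this package wraps with `%w` (see the `"evaluating rego: %w"` context line in traceerego.go); `return fmt.Errorf("rego aio: parsing event data: %w", err)` keeps the chain. The identical line added in the traceerego.go OnEvent hunk has the same problem. Separately, `ee` is a value copy of the payload, but if events.ParseArgs rewrites the entries of ee.Args in place (its body is not visible here), the slice header is still shared with the original payload, so every other consumer of the same event would observe the rewritten argument values, and an event the pipeline already parsed (the parse-arguments option the description mentions) would be parsed a second time — worth confirming ParseArgs is idempotent or cloning Args before the call. The body of aio.OnEvent starts and continues outside the hunk.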
@@ -11,8 +11,10 @@ import (
 "github.com/open-policy-agent/opa/ast"
 "github.com/open-policy-agent/opa/rego"
+ "github.com/aquasecurity/tracee/pkg/events"
 "github.com/aquasecurity/tracee/types/detect"
 "github.com/aquasecurity/tracee/types/protocol"
+ "github.com/aquasecurity/tracee/types/trace"
 )
 // RegoSignature is an abstract signature that is implemented in rego
@@ -158,7 +160,18 @@ func (sig *RegoSignature) getSelectedEvents(pkgName string) ([]detect.SignatureE
 // if bool is "returned", a true evaluation will generate a Finding with no data
 // if document is "returned", any non-empty evaluation will generate a Finding with the document as the Finding's "Data"
 func (sig *RegoSignature) OnEvent(event protocol.Event) error {
- input := rego.EvalInput(event.Payload)
+ ee, ok := event.Payload.(trace.Event)
+
+ if !ok {
+ return fmt.Errorf("failed to cast event's payload")
+ }
+
+ err := events.ParseArgs(&ee)
+ if err != nil {
+ return fmt.Errorf("rego aio: failed to parse event data: %v", err)
+ }
+
+ input := rego.EvalInput(ee)
 results, err := sig.matchPQ.Eval(context.TODO(), input)
 if err != nil {
 return fmt.Errorf("evaluating rego: %w", err)
diff --git a/pkg/signatures/regosig/traceerego_test.go b/pkg/signatures/regosig/traceerego_test.go
index 82e4ae1f212a..5269a99048c9 100644
--- a/pkg/signatures/regosig/traceerego_test.go
+++ b/pkg/signatures/regosig/traceerego_test.go
@@ -349,6 +349,7 @@ func OnEventSpec(t *testing.T, target string, partial bool) {
 Payload: "just some stuff",
 },
 finding: nil,
+ error: "failed to cast event's payload",
 },
 }
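Review bot: The message added at `return fmt.Errorf("rego aio: failed to parse event data: %v", err)` carries the `rego aio:` prefix copied from aio.go, but this is RegoSignature.OnEvent, so a log line produced here would send an operator to the wrong code path; `return fmt.Errorf("rego signature: parsing event data: %w", err)` names the right component, and `%w` matches the `"evaluating rego: %w"` wrapping three lines below. The cast-failure string `"failed to cast event's payload"` is now duplicated verbatim in both OnEvent implementations and asserted by the test hunk below, so any later rewording has to touch three places — a package-level sentinel such as `var errPayloadNotEvent = errors.New("failed to cast event's payload")` (requires the errors import) would keep them in sync. OnEvent's body continues outside the hunk.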