First crack at a fix to prevent clients from stomping on their own

headers.
falcosecurity · Oct 25, 2022 · d30703a · d30703a
1 parent 76a29e9
commit d30703a
Show file tree

Hide file tree

Showing 14 changed files with 26 additions and 8 deletions.
diff --git a/go.sum b/go.sum
@@ -165,8 +165,6 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.35.28/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k=
-github.com/aws/aws-sdk-go v1.44.88 h1:9jhiZsTx9koQQsM29RTgwI0g4mfyphCdc3bkUcKrdwA=
-github.com/aws/aws-sdk-go v1.44.88/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/aws/aws-sdk-go v1.44.89 h1:Xf5Pp9GsNSMRinAuWNiQd0vusXXb3IgYbNlxldhWS2Q=
 github.com/aws/aws-sdk-go v1.44.89/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
@@ -182,7 +180,6 @@ github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx2
 github.com/caio/go-tdigest v3.1.0+incompatible h1:uoVMJ3Q5lXmVLCCqaMGHLBWnbGoN6Lpu7OAUPR60cds=
 github.com/caio/go-tdigest v3.1.0+incompatible/go.mod h1:sHQM/ubZStBUmF1WbB8FAm8q9GjDajLC5T7ydxE3JHI=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=

diff --git a/outputs/client.go b/outputs/client.go
@@ -15,6 +15,7 @@ import (
 	"net/url"
 	"regexp"
 	"strings"
+	"sync"
 
 	crdClient "github.com/kubernetes-sigs/wg-policy-prototypes/policy-report/kube-bench-adapter/pkg/generated/v1alpha2/clientset/versioned"
 
@@ -103,6 +104,7 @@ type Client struct {
 	DogstatsdClient         *statsd.Client
 	GCPTopicClient          *pubsub.Topic
 	GCPCloudFunctionsClient *gcpfunctions.CloudFunctionsClient
+	m                       sync.Mutex
 
 	GCSStorageClient  *storage.Client
 	KafkaProducer     *kafka.Writer
@@ -200,7 +202,6 @@ func (c *Client) Post(payload interface{}) error {
 			}
 		}
 	}
-
 	client := &http.Client{
 		Transport: customTransport,
 	}
@@ -227,7 +228,6 @@ func (c *Client) Post(payload interface{}) error {
 
 	// Clear out headers - they will be set for the next request.
 	c.HeaderList = []Header{}
-
 	go c.CountMetric("outputs", 1, []string{"output:" + strings.ToLower(c.OutputType), "status:" + strings.ToLower(http.StatusText(resp.StatusCode))})
 
 	switch resp.StatusCode {

diff --git a/outputs/cliq.go b/outputs/cliq.go
@@ -155,7 +155,8 @@ func newCliqPayload(falcopayload types.FalcoPayload, config *types.Configuration
 // CliqPost posts event to cliq
 func (c *Client) CliqPost(falcopayload types.FalcoPayload) {
 	c.Stats.Cliq.Add(Total, 1)
-
+	c.m.Lock()
+	defer c.m.Unlock()
 	c.AddHeader(ContentTypeHeaderKey, "application/json")
 	err := c.Post(newCliqPayload(falcopayload, c.Config))
 	if err != nil {

diff --git a/outputs/fission.go b/outputs/fission.go
@@ -81,6 +81,8 @@ func (c *Client) FissionCall(falcopayload types.FalcoPayload) {
 		}
 		log.Printf("[INFO]  : %s - Function Response : %v\n", Fission, string(rawbody))
 	} else {
+		c.m.Lock()
+		defer c.m.Unlock()
 		c.AddHeader(FissionEventIDKey, uuid.New().String())
 		c.ContentType = FissionContentType
 

diff --git a/outputs/gcpcloudrun.go b/outputs/gcpcloudrun.go
@@ -11,6 +11,8 @@ func (c *Client) CloudRunFunctionPost(falcopayload types.FalcoPayload) {
 	c.Stats.GCPCloudRun.Add(Total, 1)
 
 	if c.Config.GCP.CloudRun.JWT != "" {
+		c.m.Lock()
+		defer c.m.Unlock()
 		c.AddHeader(AuthorizationHeaderKey, "Bearer "+c.Config.GCP.CloudRun.JWT)
 	}
 

diff --git a/outputs/gotify.go b/outputs/gotify.go
@@ -92,6 +92,8 @@ func (c *Client) GotifyPost(falcopayload types.FalcoPayload) {
 	c.Stats.Gotify.Add(Total, 1)
 
 	if c.Config.Gotify.Token != "" {
+		c.m.Lock()
+		defer c.m.Unlock()
 		c.AddHeader("X-Gotify-Key", c.Config.Gotify.Token)
 	}
 

diff --git a/outputs/grafana.go b/outputs/grafana.go
@@ -56,7 +56,8 @@ func newGrafanaPayload(falcopayload types.FalcoPayload, config *types.Configurat
 func (c *Client) GrafanaPost(falcopayload types.FalcoPayload) {
 	c.Stats.Grafana.Add(Total, 1)
 	c.ContentType = GrafanaContentType
-
+	c.m.Lock()
+	defer c.m.Unlock()
 	c.AddHeader("Authorization", "Bearer "+c.Config.Grafana.APIKey)
 
 	err := c.Post(newGrafanaPayload(falcopayload, c.Config))

diff --git a/outputs/influxdb.go b/outputs/influxdb.go
@@ -33,7 +33,8 @@ func newInfluxdbPayload(falcopayload types.FalcoPayload, config *types.Configura
 // InfluxdbPost posts event to InfluxDB
 func (c *Client) InfluxdbPost(falcopayload types.FalcoPayload) {
 	c.Stats.Influxdb.Add(Total, 1)
-
+	c.m.Lock()
+	defer c.m.Unlock()
 	c.AddHeader("Accept", "application/json")
 
 	if c.Config.Influxdb.Token != "" {

diff --git a/outputs/kubeless.go b/outputs/kubeless.go
@@ -80,6 +80,8 @@ func (c *Client) KubelessCall(falcopayload types.FalcoPayload) {
 		}
 		log.Printf("[INFO]  : Kubeless - Function Response : %v\n", string(rawbody))
 	} else {
+		c.m.Lock()
+		defer c.m.Unlock()
 		c.AddHeader(KubelessEventIDKey, uuid.New().String())
 		c.AddHeader(KubelessEventTypeKey, KubelessEventTypeValue)
 		c.AddHeader(KubelessEventNamespaceKey, c.Config.Kubeless.Namespace)

diff --git a/outputs/loki.go b/outputs/loki.go
@@ -63,6 +63,8 @@ func (c *Client) LokiPost(falcopayload types.FalcoPayload) {
 	c.Stats.Loki.Add(Total, 1)
 	c.ContentType = LokiContentType
 	if c.Config.Loki.Tenant != "" {
+		c.m.Lock()
+		defer c.m.Unlock()
 		c.AddHeader("X-Scope-OrgID", c.Config.Loki.Tenant)
 	}
 

diff --git a/outputs/nodered.go b/outputs/nodered.go
@@ -11,6 +11,8 @@ import (
 func (c *Client) NodeRedPost(falcopayload types.FalcoPayload) {
 	c.Stats.NodeRed.Add(Total, 1)
 
+	c.m.Lock()
+	defer c.m.Unlock()
 	if c.Config.NodeRed.User != "" && c.Config.NodeRed.Password != "" {
 		c.AddHeader("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(c.Config.NodeRed.User+":"+c.Config.NodeRed.Password)))
 	}

diff --git a/outputs/opsgenie.go b/outputs/opsgenie.go
@@ -59,6 +59,8 @@ func newOpsgeniePayload(falcopayload types.FalcoPayload, config *types.Configura
 // OpsgeniePost posts event to OpsGenie
 func (c *Client) OpsgeniePost(falcopayload types.FalcoPayload) {
 	c.Stats.Opsgenie.Add(Total, 1)
+	c.m.Lock()
+	defer c.m.Unlock()
 	c.AddHeader(AuthorizationHeaderKey, "GenieKey "+c.Config.Opsgenie.APIKey)
 
 	err := c.Post(newOpsgeniePayload(falcopayload, c.Config))

diff --git a/outputs/spyderbat.go b/outputs/spyderbat.go
@@ -199,6 +199,8 @@ func NewSpyderbatClient(config *types.Configuration, stats *types.Statistics, pr
 func (c *Client) SpyderbatPost(falcopayload types.FalcoPayload) {
 	c.Stats.Spyderbat.Add(Total, 1)
 
+	c.m.Lock()
+	defer c.m.Unlock()
 	c.AddHeader("Authorization", "Bearer "+c.Config.Spyderbat.APIKey)
 	c.AddHeader("Content-Encoding", "gzip")
 

diff --git a/outputs/webhook.go b/outputs/webhook.go
@@ -10,6 +10,8 @@ import (
 func (c *Client) WebhookPost(falcopayload types.FalcoPayload) {
 	c.Stats.Webhook.Add(Total, 1)
 
+	c.m.Lock()
+	defer c.m.Unlock()
 	if len(c.Config.Webhook.CustomHeaders) != 0 {
 		for i, j := range c.Config.Webhook.CustomHeaders {
 			c.AddHeader(i, j)