feat(dynamicpathdetector): wildcards in exec arg vectors (CompareExecArgs matcher)#23
Closed
feat(dynamicpathdetector): wildcards in exec arg vectors (CompareExecArgs matcher)#23
Conversation
2 tasks
|
Summary:
|
entlein
force-pushed
the
feat/exec-arg-wildcards
branch
from
3fc2872 to
0de34eb
Compare
|
Summary:
|
2 similar comments
|
Summary:
|
|
Summary:
|
…in exec arg vectors
User-defined ApplicationProfile entries can now express argument-vector
patterns containing two wildcard tokens, exposed via the existing
constants:
DynamicIdentifier ("⋯") — matches exactly one argument position.
WildcardIdentifier ("*") — matches zero or more consecutive args.
Anything else is a literal-equality match. The match is anchored at
both ends — every runtime arg must be consumed by the profile vector,
either by a literal, a single-position ⋯, or a *-absorbing run.
Implementation is recursive backtracking. Real exec arg vectors are
short (typically ≤ a dozen entries) with at most a handful of
wildcards, so the worst case stays well below a regex compile and we
avoid the ReDoS surface that comes with regex.
40 unit subtests cover empty/literal/dynamic/wildcard/mixed/realistic
patterns; matcher is consumer-ready for node-agent's CEL exec rule.
entlein
force-pushed
the
feat/exec-arg-wildcards
branch
from
4ab95fb to
43795bb
Compare
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughA new function ChangesArgument Pattern Matching Implementation
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Review rate limit: 9/10 reviews remaining, refill in 6 minutes. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
|
Summary:
|
entlein
pushed a commit
to k8sstormcenter/node-agent
that referenced
this pull request
May 4, 2026
…ompareExecArgs Routes ap.was_executed_with_args(...) through the new dynamicpathdetector.CompareExecArgs matcher so user-defined ApplicationProfile entries can express argument-vector patterns: '⋯' (DynamicIdentifier) — matches exactly one arg position. '*' (WildcardIdentifier) — matches zero or more consecutive args. Previously the function used slices.Compare for exact equality, which silently ignored wildcard tokens in the profile (a profile entry of [--user, ⋯] would not match runtime args [--user, alice]). The new matcher anchors both ends, treats '⋯' / '*' as wildcards, and falls back to literal-equality otherwise. 13 new unit subtests under TestExecWithArgsWildcardInProfile cover curl-with-any-URL, sh -c with arbitrary payload, ls -l with any directory, and echo with arbitrary trailing args, plus negative cases (literal-anchor mismatch, ⋯ over- and under-consumed, * mid-profile that fails to re-anchor on a literal). Storage dep bumped to k8sstormcenter/storage@3fc287210729 which adds the matcher (k8sstormcenter/storage#23). Note: default-rules.yaml R0001 'Unexpected process launched' currently uses path-only ap.was_executed. End-to-end exercise of the wildcard path requires either a rule update or a custom RuleSet — deferred to a follow-up so this PR stays scoped to the matcher wiring.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds `CompareExecArgs(profileArgs, runtimeArgs []string) bool` to the
`dynamicpathdetector` package. The matcher honours two wildcard tokens
inside a profile's argument vector:
Anything else is literal-equality. Both ends are anchored — every runtime arg
must be consumed by the profile vector (either by a literal, a single-position
`⋯`, or absorbed into a `*` run). This is what enables user-defined
ApplicationProfile entries like `[--user, ⋯]` for `/usr/bin/curl` or
`[-c, *]` for `/bin/sh` to match arbitrary runtime arguments without
listing every variant.
Recursive backtracking — short profile/runtime vectors keep worst-case below
a regex compile and avoid the ReDoS surface a regex would introduce.
Why now
Sibling work to the wildcard-port endpoint fix (#21). Node-agent will route
its CEL `ap.was_executed_with_args(...)` rule through this matcher in a
separate PR; this storage PR is the consumer-ready primitive.
Tests
`literal` / `dynamic` / `wildcard` / `mixed-tokens` / `realistic`.
`⋯` followed by `` (and vice versa), and concrete realistic patterns
(curl with any URL, sh -c with any command, ls -l with any directory).
Test plan