Implement & doc ONLY_LOG_JSON_MAX_CONTENT_LENGTH env var

Author: TheTeaCat

README.md

@@ -12,6 +12,7 @@ POC for a FireTail Kubernetes Sensor.
 | `BPF_EXPRESSION`                                | ❌         | `tcp and (port 80 or port 443)`                              | The BPF filter used by the sensor. See docs for syntax info: https://www.tcpdump.org/manpages/pcap-filter.7.html |
 | `DISABLE_SERVICE_IP_FILTERING`                  | ❌         | `true`                                                       | Disables polling Kubernetes for the IP addresses of services & subsequently ignoring all requests captured that aren't made to one of those IPs. |
 | `ENABLE_ONLY_LOG_JSON`                          | ❌         | `true`                                                       | Enables only logging requests where the content-type implies the payload should be JSON, or the payload is valid JSON regardless of the content-type. |
+| `ONLY_LOG_JSON_MAX_CONTENT_LENGTH`              | ❌         | `1048576`                                                    | When `ENABLE_ONLY_LOG_JSON` is `true`, the sensor will only read request or response bodies to check if they're valid JSON if their length is less than `ONLY_LOG_JSON_MAX_CONTENT_LENGTH` bytes. |
 | `FIRETAIL_API_URL`                              | ❌         | `https://api.logging.eu-west-1.prod.firetail.app/logs/bulk`  | The API url the sensor will send logs to. Defaults to the EU region production environment. |
 | `FIRETAIL_KUBERNETES_SENSOR_DEV_MODE`           | ❌         | `true`                                                       | Enables debug logging when set to `true`, and reduces the max age of a log in a batch to be sent to FireTail. |
 | `FIRETAIL_KUBERNETES_SENSOR_DEV_SERVER_ENABLED` | ❌         | `true`                                                       | Enables a demo web server when set to `true`; useful for sending test requests to. |

src/is_json.go

@@ -9,8 +9,8 @@ import (
 	"strings"
 )
 
-func isJson(req_and_resp *httpRequestAndResponse) bool {
-	for _, headers := range []http.Header{req_and_resp.request.Header, req_and_resp.response.Header} {
+func isJson(reqAndResp *httpRequestAndResponse, maxContentLength int64) bool {
+	for _, headers := range []http.Header{reqAndResp.request.Header, reqAndResp.response.Header} {
 		contentTypeHeader := headers.Get("Content-Type")
 		mediaType, _, err := mime.ParseMediaType(contentTypeHeader)
 		if err == nil && mediaType == "application/json" {
@@ -21,20 +21,29 @@ func isJson(req_and_resp *httpRequestAndResponse) bool {
 		}
 	}
 
-	bodyBytes, err := io.ReadAll(req_and_resp.request.Body)
-	req_and_resp.request.Body = io.NopCloser(io.MultiReader(bytes.NewReader(bodyBytes)))
-	if err != nil {
-		return false
-	}
-	var v map[string]interface{}
-	if json.Unmarshal(bodyBytes, &v) == nil {
-		return true
+	if reqAndResp.request.ContentLength <= maxContentLength {
+		bodyBytes, err := io.ReadAll(reqAndResp.request.Body)
+		reqAndResp.request.Body = io.NopCloser(io.MultiReader(bytes.NewReader(bodyBytes)))
+		if err != nil {
+			return false
+		}
+		var v map[string]interface{}
+		if json.Unmarshal(bodyBytes, &v) == nil {
+			return true
+		}
 	}
 
-	bodyBytes, err = io.ReadAll(req_and_resp.response.Body)
-	req_and_resp.response.Body = io.NopCloser(io.MultiReader(bytes.NewReader(bodyBytes)))
-	if err != nil {
-		return false
+	if reqAndResp.response.ContentLength <= maxContentLength {
+		bodyBytes, err := io.ReadAll(reqAndResp.response.Body)
+		reqAndResp.response.Body = io.NopCloser(io.MultiReader(bytes.NewReader(bodyBytes)))
+		if err != nil {
+			return false
+		}
+		var v map[string]interface{}
+		if json.Unmarshal(bodyBytes, &v) == nil {
+			return true
+		}
 	}
-	return json.Unmarshal(bodyBytes, &v) == nil
+
+	return false
 }

src/is_json_test.go

@@ -9,92 +9,139 @@ import (
 
 func TestIsJson(t *testing.T) {
 	tests := []struct {
-		name            string
-		reqContentType  string
-		reqBody         string
-		respContentType string
-		respBody        string
-		expectedResult  bool
+		name             string
+		reqContentType   string
+		reqBody          string
+		respContentType  string
+		respBody         string
+		maxContentLength int64
+		expectedResult   bool
 	}{
 		{
-			name:            "Valid JSON in both request and response with correct content types",
-			reqContentType:  "application/json",
-			reqBody:         `{"key": "value"}`,
-			respContentType: "application/json",
-			respBody:        `{"key": "value"}`,
-			expectedResult:  true,
+			name:             "Valid JSON in both request and response with correct content types",
+			reqContentType:   "application/json",
+			reqBody:          `{"key": "value"}`,
+			respContentType:  "application/json",
+			respBody:         `{"key": "value"}`,
+			maxContentLength: 1024,
+			expectedResult:   true,
 		},
 		{
-			name:            "XML in request and response with correct Content-Type",
-			reqContentType:  "application/xml",
-			reqBody:         `<key>value</key>`,
-			respContentType: "application/xml",
-			respBody:        `<key>value</key>`,
-			expectedResult:  false,
+			name:             "XML in request and response with correct Content-Type",
+			reqContentType:   "application/xml",
+			reqBody:          `<key>value</key>`,
+			respContentType:  "application/xml",
+			respBody:         `<key>value</key>`,
+			maxContentLength: 1024,
+			expectedResult:   false,
 		},
 		{
-			name:            "XML in request with JSON in response",
-			reqContentType:  "application/xml",
-			reqBody:         `<key>value</key>`,
-			respContentType: "application/json",
-			respBody:        `{"key": "value"}`,
-			expectedResult:  true,
+			name:             "XML in request with JSON in response",
+			reqContentType:   "application/xml",
+			reqBody:          `<key>value</key>`,
+			respContentType:  "application/json",
+			respBody:         `{"key": "value"}`,
+			maxContentLength: 1024,
+			expectedResult:   true,
 		},
 		{
-			name:            "JSON in request with XML in response",
-			reqContentType:  "application/json",
-			reqBody:         `{"key": "value"}`,
-			respContentType: "application/xml",
-			respBody:        `<key>value</key>`,
-			expectedResult:  true,
+			name:             "JSON in request with XML in response",
+			reqContentType:   "application/json",
+			reqBody:          `{"key": "value"}`,
+			respContentType:  "application/xml",
+			respBody:         `<key>value</key>`,
+			maxContentLength: 1024,
+			expectedResult:   true,
 		},
 		{
-			name:            "Empty request and response bodies and headers",
-			reqContentType:  "",
-			reqBody:         "",
-			respContentType: "",
-			respBody:        "",
-			expectedResult:  false,
+			name:             "Empty request and response bodies and headers",
+			reqContentType:   "",
+			reqBody:          "",
+			respContentType:  "",
+			respBody:         "",
+			maxContentLength: 1024,
+			expectedResult:   false,
 		},
 		{
-			name:            "No content-type headers with valid JSON in request",
-			reqContentType:  "",
-			reqBody:         `{"key": "value"}`,
-			respContentType: "",
-			respBody:        ``,
-			expectedResult:  true,
+			name:             "No content-type headers with valid JSON in request",
+			reqContentType:   "",
+			reqBody:          `{"key": "value"}`,
+			respContentType:  "",
+			respBody:         ``,
+			maxContentLength: 1024,
+			expectedResult:   true,
 		},
 		{
-			name:            "No content-type headers with valid JSON in response",
-			reqContentType:  "",
-			reqBody:         ``,
-			respContentType: "",
-			respBody:        `{"key": "value"}`,
-			expectedResult:  true,
+			name:             "No content-type headers with valid JSON in response",
+			reqContentType:   "",
+			reqBody:          ``,
+			respContentType:  "",
+			respBody:         `{"key": "value"}`,
+			maxContentLength: 1024,
+			expectedResult:   true,
 		},
 		{
-			name:            "No content-type headers with invalid JSON in request",
-			reqContentType:  "",
-			reqBody:         `{"key": "value"`,
-			respContentType: "",
-			respBody:        ``,
-			expectedResult:  false,
+			name:             "No content-type headers with invalid JSON in request",
+			reqContentType:   "",
+			reqBody:          `{"key": "value"`,
+			respContentType:  "",
+			respBody:         ``,
+			maxContentLength: 1024,
+			expectedResult:   false,
 		},
 		{
-			name:            "No content-type headers with invalid JSON in response",
-			reqContentType:  "",
-			reqBody:         ``,
-			respContentType: "",
-			respBody:        `{"key": "value"`,
-			expectedResult:  false,
+			name:             "No content-type headers with invalid JSON in response",
+			reqContentType:   "",
+			reqBody:          ``,
+			respContentType:  "",
+			respBody:         `{"key": "value"`,
+			maxContentLength: 1024,
+			expectedResult:   false,
 		},
 		{
-			name:            "Content-type geo+json in request with invalid body",
-			reqContentType:  "application/geo+json",
-			reqBody:         ``,
-			respContentType: "",
-			respBody:        ``,
-			expectedResult:  true,
+			name:             "Content-type geo+json in request with invalid body",
+			reqContentType:   "application/geo+json",
+			reqBody:          ``,
+			respContentType:  "",
+			respBody:         ``,
+			maxContentLength: 1024,
+			expectedResult:   true,
+		},
+		{
+			name:             "No content-type headers with request payload longer than max length",
+			reqContentType:   "",
+			reqBody:          strings.Repeat("a", 1025),
+			respContentType:  "",
+			respBody:         ``,
+			maxContentLength: 1024,
+			expectedResult:   false,
+		},
+		{
+			name:             "No content-type headers with response payload longer than max length",
+			reqContentType:   "",
+			reqBody:          ``,
+			respContentType:  "",
+			respBody:         strings.Repeat("a", 1025),
+			maxContentLength: 1024,
+			expectedResult:   false,
+		},
+		{
+			name:             "No content-type headers with request payload longer than max length and response payload shorter",
+			reqContentType:   "",
+			reqBody:          strings.Repeat("a", 1025),
+			respContentType:  "",
+			respBody:         `{"key": "value"}`,
+			maxContentLength: 1024,
+			expectedResult:   true,
+		},
+		{
+			name:             "No content-type headers with request payload shorter than max length and response payload longer",
+			reqContentType:   "",
+			reqBody:          `{"key": "value"}`,
+			respContentType:  "",
+			respBody:         strings.Repeat("a", 1025),
+			maxContentLength: 1024,
+			expectedResult:   true,
 		},
 	}
 
@@ -121,7 +168,7 @@ func TestIsJson(t *testing.T) {
 				response: resp,
 			}
 
-			result := isJson(&reqAndResp)
+			result := isJson(&reqAndResp, tt.maxContentLength)
 			if result != tt.expectedResult {
 				t.Errorf("isJson() = %v, want %v", result, tt.expectedResult)
 			}

src/main.go

@@ -54,7 +54,21 @@ func main() {
 		ipManager = newServiceIpManager()
 	}
 
+	var maxContentLength int64
 	onlyLogJson, _ := strconv.ParseBool(os.Getenv("ENABLE_ONLY_LOG_JSON"))
+	if onlyLogJson {
+		maxContentLengthStr, maxContentLengthSet := os.LookupEnv("ONLY_LOG_JSON_MAX_CONTENT_LENGTH")
+		if !maxContentLengthSet {
+			slog.Info("ONLY_LOG_JSON_MAX_CONTENT_LENGTH environment variable not set, using default: 1MiB")
+			maxContentLength = 1048576 // 1MiB
+		} else {
+			maxContentLength, err = strconv.ParseInt(maxContentLengthStr, 10, 64)
+			if err != nil {
+				slog.Error("Failed to parse ONLY_LOG_JSON_MAX_CONTENT_LENGTH, Defaulting to 1MiB.", "Err", err.Error())
+				maxContentLength = 1048576 // 1MiB
+			}
+		}
+	}
 
 	requestAndResponseChannel := make(chan httpRequestAndResponse, 1)
 	httpRequestStreamer := &httpRequestAndResponseStreamer{
@@ -93,7 +107,7 @@ func main() {
 				)
 				continue
 			}
-			if onlyLogJson && !isJson(&requestAndResponse) {
+			if onlyLogJson && !isJson(&requestAndResponse, maxContentLength) {
 				slog.Debug(
 					"Ignoring non-JSON request:",
 					"Src", requestAndResponse.src,