improve datasource validation (goccy/go-yaml) (#3646)

Author: mmetc

.golangci.yml

@@ -97,22 +97,7 @@ linters:
               desc: errors.Wrap() is deprecated in favor of fmt.Errorf()
         yaml:
           files:
-            - '!**/pkg/acquisition/acquisition.go'
-            - '!**/pkg/acquisition/acquisition_test.go'
-            - '!**/pkg/acquisition/modules/appsec/appsec.go'
-            - '!**/pkg/acquisition/modules/cloudwatch/cloudwatch.go'
-            - '!**/pkg/acquisition/modules/docker/docker.go'
-            - '!**/pkg/acquisition/modules/file/file.go'
-            - '!**/pkg/acquisition/modules/journalctl/journalctl.go'
-            - '!**/pkg/acquisition/modules/kafka/kafka.go'
-            - '!**/pkg/acquisition/modules/kinesis/kinesis.go'
-            - '!**/pkg/acquisition/modules/kubernetesaudit/k8s_audit.go'
-            - '!**/pkg/acquisition/modules/loki/loki.go'
             - '!**/pkg/acquisition/modules/loki/timestamp_test.go'
-            - '!**/pkg/acquisition/modules/victorialogs/victorialogs.go'
-            - '!**/pkg/acquisition/modules/s3/s3.go'
-            - '!**/pkg/acquisition/modules/syslog/syslog.go'
-            - '!**/pkg/acquisition/modules/wineventlog/wineventlog_windows.go'
             - '!**/pkg/appsec/appsec.go'
             - '!**/pkg/appsec/loader.go'
             - '!**/pkg/csplugin/broker.go'
@@ -382,19 +367,19 @@ linters:
       # tolerate long functions in tests
       - linters:
           - revive
-        path: pkg/(.+)_test.go
+        path: (.+)_test.go
         text: 'function-length: .*'
 
       # tolerate long lines in tests
       - linters:
           - revive
-        path: pkg/(.+)_test.go
+        path: (.+)_test.go
         text: 'line-length-limit: .*'
 
       # we use t,ctx instead of ctx,t in tests
       - linters:
           - revive
-        path: pkg/(.+)_test.go
+        path: (.+)_test.go
         text: 'context-as-argument: context.Context should be the first parameter of a function'
 
       # tolerate deep exit in cobra's OnInitialize, for now
@@ -496,9 +481,12 @@ linters:
       - linters:
           - noctx
         text: "net.LookupHost must not be called"
+
+      - linters:
+          - staticcheck
+        text: "SA1019: yamlpatch.NewPatcher is deprecated: use csyaml.NewPatcher instead"
+
     paths:
-      - pkg/yamlpatch/merge.go
-      - pkg/yamlpatch/merge_test.go
       - pkg/time/rate
       - pkg/metabase
       - third_party$

go.mod

@@ -21,7 +21,7 @@ require (
 	github.com/corazawaf/coraza/v3 v3.3.3
 	github.com/corazawaf/libinjection-go v0.2.2
 	github.com/crowdsecurity/dlog v0.0.2
-	github.com/crowdsecurity/go-cs-lib v0.0.20
+	github.com/crowdsecurity/go-cs-lib v0.0.21-0.20250723121452-e1c07273af36
 	github.com/crowdsecurity/grokky v0.2.2
 	github.com/crowdsecurity/machineid v1.0.2
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
@@ -38,7 +38,8 @@ require (
 	github.com/go-openapi/swag v0.22.3
 	github.com/go-openapi/validate v0.20.0
 	github.com/go-sql-driver/mysql v1.6.0
-	github.com/goccy/go-yaml v1.11.0
+	github.com/goccy/go-yaml v1.18.0
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/go-querystring v1.1.0
 	github.com/google/uuid v1.6.0
@@ -129,7 +130,6 @@ require (
 	github.com/go-playground/validator/v10 v10.23.0 // indirect
 	github.com/go-stack/stack v1.8.0 // indirect
 	github.com/goccy/go-json v0.10.4 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/glog v1.2.4 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
@@ -214,7 +214,6 @@ require (
 	golang.org/x/arch v0.12.0 // indirect
 	golang.org/x/term v0.32.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect

go.sum

@@ -111,8 +111,8 @@ github.com/crowdsecurity/coraza/v3 v3.3.3-crowdsec.20250609 h1:t0fgUIJ7FnDKQSigu
 github.com/crowdsecurity/coraza/v3 v3.3.3-crowdsec.20250609/go.mod h1:q/LGNBRelJdzJZK08U1Rm5cNHv9DKp98p0esMDhJ5tE=
 github.com/crowdsecurity/dlog v0.0.2 h1:nj/7jLKO0o8tYn79O+g51ASeGLr5oOVahSoJ6Umq51g=
 github.com/crowdsecurity/dlog v0.0.2/go.mod h1:zpv7r+7KXwgVUZnUNjyP22zc/D7LKjyoY02weH2RBbk=
-github.com/crowdsecurity/go-cs-lib v0.0.20 h1:9rbuXqBaHBleXW67mytJQKF5KXKreJiI8zBTpAj8S00=
-github.com/crowdsecurity/go-cs-lib v0.0.20/go.mod h1:hz2FOHFXc0vWzH78uxo2VebtPQ9Snkbdzy3TMA20tVQ=
+github.com/crowdsecurity/go-cs-lib v0.0.21-0.20250723121452-e1c07273af36 h1:06kHMukxynCWhflcySfKmh6qYfDY/NXrOD6mLI8gkss=
+github.com/crowdsecurity/go-cs-lib v0.0.21-0.20250723121452-e1c07273af36/go.mod h1:qSsIKFEmRZgRREf3BTWznXDR+e+uLTXo7xSSx5DR6pk=
 github.com/crowdsecurity/grokky v0.2.2 h1:yALsI9zqpDArYzmSSxfBq2dhYuGUTKMJq8KOEIAsuo4=
 github.com/crowdsecurity/grokky v0.2.2/go.mod h1:33usDIYzGDsgX1kHAThCbseso6JuWNJXOzRQDGXHtWM=
 github.com/crowdsecurity/machineid v1.0.2 h1:wpkpsUghJF8Khtmn/tg6GxgdhLA1Xflerh5lirI+bdc=
@@ -300,8 +300,8 @@ github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/V
 github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
 github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
 github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/goccy/go-yaml v1.11.0 h1:n7Z+zx8S9f9KgzG6KtQKf+kwqXZlLNR2F6018Dgau54=
-github.com/goccy/go-yaml v1.11.0/go.mod h1:H+mJrWtjPTJAHvRbV09MCK9xYwODM+wRTVFFTWckfng=
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
@@ -941,8 +941,6 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
-golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
 google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=

pkg/acquisition/acquisition.go

@@ -1,23 +1,26 @@
 package acquisition
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"maps"
 	"os"
+	"slices"
 	"strings"
 
 	"github.com/expr-lang/expr"
 	"github.com/expr-lang/expr/vm"
+	"github.com/goccy/go-yaml"
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
 	tomb "gopkg.in/tomb.v2"
-	"gopkg.in/yaml.v2"
 
 	"github.com/crowdsecurity/go-cs-lib/csstring"
+	"github.com/crowdsecurity/go-cs-lib/csyaml"
 	"github.com/crowdsecurity/go-cs-lib/trace"
 
 	"github.com/crowdsecurity/crowdsec/pkg/acquisition/configuration"
@@ -70,6 +73,10 @@ func GetDataSourceIface(dataSourceType string) (DataSource, error) {
 
 	built, known := component.Built["datasource_"+dataSourceType]
 
+	if dataSourceType == "" {
+		return nil, errors.New("data source type is empty")
+	}
+
 	if !known {
 		return nil, fmt.Errorf("unknown data source %s", dataSourceType)
 	}
@@ -114,14 +121,7 @@ func setupLogger(source, name string, level *log.Level) (*log.Entry, error) {
 // if the configuration is not valid it returns an error.
 // If the datasource can't be run (eg. journalctl not available), it still returns an error which
 // can be checked for the appropriate action.
-func DataSourceConfigure(commonConfig configuration.DataSourceCommonCfg, metricsLevel int) (DataSource, error) {
-	// we dump it back to []byte, because we want to decode the yaml blob twice:
-	// once to DataSourceCommonCfg, and then later to the dedicated type of the datasource
-	yamlConfig, err := yaml.Marshal(commonConfig)
-	if err != nil {
-		return nil, fmt.Errorf("unable to serialize back interface: %w", err)
-	}
-
+func DataSourceConfigure(commonConfig configuration.DataSourceCommonCfg, yamlConfig []byte, metricsLevel int) (DataSource, error) {
 	dataSrc, err := GetDataSourceIface(commonConfig.Source)
 	if err != nil {
 		return nil, err
@@ -144,23 +144,6 @@ func DataSourceConfigure(commonConfig configuration.DataSourceCommonCfg, metrics
 	return dataSrc, nil
 }
 
-// detectBackwardCompatAcquis: try to magically detect the type for backward compat (type was not mandatory then)
-func detectBackwardCompatAcquis(sub configuration.DataSourceCommonCfg) string {
-	if _, ok := sub.Config["filename"]; ok {
-		return "file"
-	}
-
-	if _, ok := sub.Config["filenames"]; ok {
-		return "file"
-	}
-
-	if _, ok := sub.Config["journalctl_filter"]; ok {
-		return "journalctl"
-	}
-
-	return ""
-}
-
 func LoadAcquisitionFromDSN(dsn string, labels map[string]string, transformExpr string) ([]DataSource, error) {
 	frags := strings.Split(dsn, ":")
 	if len(frags) == 1 {
@@ -216,6 +199,36 @@ func GetMetricsLevelFromPromCfg(prom *csconfig.PrometheusCfg) int {
 	return configuration.METRICS_FULL
 }
 
+func detectTypes(r io.Reader) ([]string, error) {
+	collectedKeys, err := csyaml.GetDocumentKeys(r)
+	if err != nil {
+		return nil, err
+	}
+
+	ret := make([]string, len(collectedKeys))
+
+	for idx, keys := range collectedKeys {
+		var detected string
+
+		switch {
+		case slices.Contains(keys, "source"):
+			detected = ""
+		case slices.Contains(keys, "filename"):
+			detected = "file"
+		case slices.Contains(keys, "filenames"):
+			detected = "file"
+		case slices.Contains(keys, "journalctl_filter"):
+			detected = "journalctl"
+		default:
+			detected = ""
+		}
+
+		ret[idx] = detected
+	}
+
+	return ret, nil
+}
+
 // sourcesFromFile reads and parses one acquisition file into DataSources.
 func sourcesFromFile(acquisFile string, metrics_level int) ([]DataSource, error) {
 	var sources []DataSource
@@ -236,29 +249,31 @@ func sourcesFromFile(acquisFile string, metrics_level int) ([]DataSource, error)
 
 	expandedAcquis := csstring.StrictExpand(string(acquisContent), os.LookupEnv)
 
-	dec := yaml.NewDecoder(strings.NewReader(expandedAcquis))
-	dec.SetStrict(true)
+	detectedTypes, err := detectTypes(strings.NewReader(expandedAcquis))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse %s: %w", yamlFile.Name(), err)
+	}
+
+	documents, err := csyaml.SplitDocuments(strings.NewReader(expandedAcquis))
+	if err != nil {
+		return nil, err
+	}
 
 	idx := -1
 
-	for {
-		var sub configuration.DataSourceCommonCfg
-
+	for _, yamlDoc := range documents {
 		idx += 1
 
-		err = dec.Decode(&sub)
-		if err != nil {
-			if !errors.Is(err, io.EOF) {
-				return nil, fmt.Errorf("failed to parse %s: %w", acquisFile, err)
-			}
-
-			log.Tracef("End of yaml file")
+		var sub configuration.DataSourceCommonCfg
 
-			break
+		// can't be strict here, the doc contains specific datasource config too but we won't collect them now.
+		err := yaml.UnmarshalWithOptions(yamlDoc, &sub)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse %s: %w", yamlFile.Name(), errors.New(yaml.FormatError(err, false, false)))
 		}
 
 		// for backward compat ('type' was not mandatory, detect it)
-		if guessType := detectBackwardCompatAcquis(sub); guessType != "" {
+		if guessType := detectedTypes[idx]; guessType != "" {
 			log.Debugf("datasource type missing in %s (position %d): detected 'source=%s'", acquisFile, idx, guessType)
 
 			if sub.Source != "" && sub.Source != guessType {
@@ -267,33 +282,40 @@ func sourcesFromFile(acquisFile string, metrics_level int) ([]DataSource, error)
 
 			sub.Source = guessType
 		}
+
 		// it's an empty item, skip it
-		if len(sub.Labels) == 0 {
-			if sub.Source == "" {
-				log.Debugf("skipping empty item in %s", acquisFile)
-				continue
-			}
 
+		empty, err := csyaml.IsEmptyYAML(bytes.NewReader(yamlDoc))
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse %s (position %d): %w", acquisFile, idx, err)
+		}
+
+		if empty {
+			// there are no keys or only comments, skip the document
+			continue
+		}
+
+		if len(sub.Labels) == 0 {
 			if sub.Source != "docker" {
 				// docker is the only source that can be empty
 				return nil, fmt.Errorf("missing labels in %s (position %d)", acquisFile, idx)
 			}
 		}
 
 		if sub.Source == "" {
-			return nil, fmt.Errorf("data source type is empty ('source') in %s (position %d)", acquisFile, idx)
+			return nil, fmt.Errorf("missing 'source' field in %s (position %d)", acquisFile, idx)
 		}
 
 		// pre-check that the source is valid
-		_, err := GetDataSourceIface(sub.Source)
+		_, err = GetDataSourceIface(sub.Source)
 		if err != nil {
 			return nil, fmt.Errorf("in file %s (position %d) - %w", acquisFile, idx, err)
 		}
 
 		uniqueId := uuid.NewString()
 		sub.UniqueId = uniqueId
 
-		src, err := DataSourceConfigure(sub, metrics_level)
+		src, err := DataSourceConfigure(sub, yamlDoc, metrics_level)
 		if err != nil {
 			var dserr *DataSourceUnavailableError
 			if errors.As(err, &dserr) {
@@ -376,7 +398,6 @@ func copyEvent(evt types.Event, line string) types.Event {
 
 func transform(transformChan chan types.Event, output chan types.Event, acquisTomb *tomb.Tomb, transformRuntime *vm.Program, logger *log.Entry) {
 	defer trace.CatchPanic("crowdsec/acquis")
-
 	logger.Infof("transformer started")
 
 	for {