fix(plugins/container): redefine port binding port and IP as integers

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>

Author: ekoops

plugins/container/CMakeLists.txt

@@ -9,7 +9,7 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
 # project metadata
 project(
         container
-        VERSION 0.2.4
+        VERSION 0.2.5
         DESCRIPTION "Falco container metadata enrichment Plugin"
         LANGUAGES CXX)
 

plugins/container/go-worker/pkg/container/docker.go

@@ -139,9 +139,19 @@ func (dc *dockerEngine) ctrToInfo(ctx context.Context, ctr types.ContainerJSON)
 		}
 		containerPort := port.Int()
 		for _, portBinding := range portBindings {
+			hostIP, err := parsePortBindingHostIP(portBinding.HostIP)
+			if err != nil {
+				continue
+			}
+
+			hostPort, err := parsePortBindingHostPort(portBinding.HostPort)
+			if err != nil {
+				continue
+			}
+
 			portMappings = append(portMappings, event.PortMapping{
-				HostIp:        portBinding.HostIP,
-				HostPort:      portBinding.HostPort,
+				HostIP:        hostIP,
+				HostPort:      hostPort,
 				ContainerPort: containerPort,
 			})
 		}
@@ -301,9 +311,10 @@ func (dc *dockerEngine) get(ctx context.Context, containerId string) (*event.Eve
 	if err != nil {
 		return nil, err
 	}
+
 	return &event.Event{
-		IsCreate: true,
 		Info:     dc.ctrToInfo(ctx, ctrJson),
+		IsCreate: true,
 	}, nil
 }
 
@@ -341,8 +352,8 @@ func (dc *dockerEngine) List(ctx context.Context) ([]event.Event, error) {
 			}
 		}
 		evts[idx] = event.Event{
-			IsCreate: true,
 			Info:     dc.ctrToInfo(ctx, ctrJson),
+			IsCreate: true,
 		}
 	}
 	return evts, nil

plugins/container/go-worker/pkg/container/engine.go

@@ -2,8 +2,11 @@ package container
 
 import (
 	"context"
+	"encoding/binary"
+	"fmt"
 	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/config"
 	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/event"
+	"net/netip"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -150,3 +153,30 @@ func shortContainerID(id string) string {
 	}
 	return id
 }
+
+// parsePortBindingHostIP parses the provided address string and returns a numerical representation of it.
+// TODO(ekoops): add IPv6 addresses support.
+func parsePortBindingHostIP(hostIP string) (uint32, error) {
+	addr, err := netip.ParseAddr(hostIP)
+	if err != nil {
+		return 0, err
+	}
+
+	if addr.Is6() {
+		// TODO(ekoops): handle IPv6 addresses.
+		return 0, fmt.Errorf("ipv6 addresses are not supported")
+	}
+
+	ipv4Addr := addr.As4()
+	return binary.BigEndian.Uint32(ipv4Addr[:]), nil
+}
+
+// parsePortBindingHostPort parses the provided port string and returns a numerical representation of it.
+func parsePortBindingHostPort(port string) (uint16, error) {
+	convertedPort, err := strconv.ParseUint(port, 10, 16)
+	if err != nil {
+		return 0, err
+	}
+
+	return uint16(convertedPort), nil
+}

plugins/container/go-worker/pkg/container/engine_test.go

@@ -1,6 +1,7 @@
 package container
 
 import (
+	"encoding/binary"
 	"github.com/docker/docker/client"
 	"github.com/stretchr/testify/assert"
 	"testing"
@@ -65,3 +66,77 @@ func TestCountCPUSet(t *testing.T) {
 		})
 	}
 }
+
+func TestParsePortBindingHostIP(t *testing.T) {
+	tCases := map[string]struct {
+		hostIP          string
+		parsedHostIP    uint32
+		successExpected bool
+	}{
+		"127.0.0.1": {
+			hostIP:          "127.0.0.1",
+			parsedHostIP:    binary.BigEndian.Uint32([]byte{127, 0, 0, 1}),
+			successExpected: true,
+		},
+		"Wrong literal": {
+			hostIP:          "Wrong literal",
+			parsedHostIP:    0,
+			successExpected: false,
+		},
+		"IPv6 address": {
+			hostIP:          "fe80::1",
+			parsedHostIP:    0,
+			successExpected: false,
+		},
+	}
+
+	for name, tc := range tCases {
+		t.Run(name, func(t *testing.T) {
+			if !tc.successExpected {
+				_, err := parsePortBindingHostIP(tc.hostIP)
+				assert.Error(t, err)
+			} else {
+				parsedHostIP, err := parsePortBindingHostIP(tc.hostIP)
+				assert.NoError(t, err)
+				assert.Equal(t, tc.parsedHostIP, parsedHostIP)
+			}
+		})
+	}
+}
+
+func TestParsePortBindingHostPort(t *testing.T) {
+	tCases := map[string]struct {
+		hostPort        string
+		parsedHostPort  uint16
+		successExpected bool
+	}{
+		"1000": {
+			hostPort:        "1000",
+			parsedHostPort:  1000,
+			successExpected: true,
+		},
+		"Wrong literal": {
+			hostPort:        "Wrong literal",
+			parsedHostPort:  0,
+			successExpected: false,
+		},
+		"Out of range port": {
+			hostPort:        "65536",
+			parsedHostPort:  0,
+			successExpected: false,
+		},
+	}
+
+	for name, tc := range tCases {
+		t.Run(name, func(t *testing.T) {
+			if !tc.successExpected {
+				_, err := parsePortBindingHostPort(tc.hostPort)
+				assert.Error(t, err)
+			} else {
+				parsedHostPort, err := parsePortBindingHostPort(tc.hostPort)
+				assert.NoError(t, err)
+				assert.Equal(t, tc.parsedHostPort, parsedHostPort)
+			}
+		})
+	}
+}

plugins/container/go-worker/pkg/container/podman.go

@@ -80,9 +80,19 @@ func (pc *podmanEngine) ctrToInfo(ctr *define.InspectContainerData) event.Info {
 			continue
 		}
 		for _, portBinding := range portBindings {
+			hostIP, err := parsePortBindingHostIP(portBinding.HostIP)
+			if err != nil {
+				continue
+			}
+
+			hostPort, err := parsePortBindingHostPort(portBinding.HostPort)
+			if err != nil {
+				continue
+			}
+
 			portMappings = append(portMappings, event.PortMapping{
-				HostIp:        portBinding.HostIP,
-				HostPort:      portBinding.HostPort,
+				HostIP:        hostIP,
+				HostPort:      hostPort,
 				ContainerPort: containerPort,
 			})
 		}
@@ -192,6 +202,7 @@ func (pc *podmanEngine) get(_ context.Context, containerId string) (*event.Event
 	if err != nil {
 		return nil, err
 	}
+
 	return &event.Event{
 		Info:     pc.ctrToInfo(ctrInfo),
 		IsCreate: true,

plugins/container/go-worker/pkg/event/event.go

@@ -3,8 +3,8 @@ package event
 import "encoding/json"
 
 type PortMapping struct {
-	HostIp        string `json:"HostIp"`
-	HostPort      string `json:"HostPort"`
+	HostIP        uint32 `json:"HostIp"`
+	HostPort      uint16 `json:"HostPort"`
 	ContainerPort int    `json:"ContainerPort"`
 }