
Function EvalAlertContextRules

pkg/alertcontext/alertcontext.go:159–226  ·  view source on GitHub ↗
(evt pipeline.Event, match *pipeline.MatchedRule, request *http.Request, tmpContext map[string][]string)


157}
158
159func EvalAlertContextRules(evt pipeline.Event, match *pipeline.MatchedRule, request *http.Request, tmpContext map[string][]string) []error {
160 var errors []error
161
162 // if we're evaluating context for appsec event, match and request will be present.
163 // otherwise, only evt will be.
164 if match == nil {
165 match = pipeline.NewMatchedRule()
166 }
167
168 if request == nil {
169 request = &http.Request{}
170 }
171
172 ac := getAlertContext()
173
174 for key, values := range ac.ContextToSendCompiled {
175 if _, ok := tmpContext[key]; !ok {
176 tmpContext[key] = make([]string, 0)
177 }
178
179 for _, value := range values {
180 var val string
181
182 output, err := expr.Run(value, map[string]any{"match": match, "evt": evt, "req": request})
183 if err != nil {
184 errors = append(errors, fmt.Errorf("failed to get value for %s: %w", key, err))
185 continue
186 }
187
188 switch out := output.(type) {
189 case string:
190 val = out
191 if val != "" && !slices.Contains(tmpContext[key], val) {
192 tmpContext[key] = append(tmpContext[key], val)
193 }
194 case []string:
195 for _, v := range out {
196 if v != "" && !slices.Contains(tmpContext[key], v) {
197 tmpContext[key] = append(tmpContext[key], v)
198 }
199 }
200 case int:
201 val = strconv.Itoa(out)
202 if val != "" && !slices.Contains(tmpContext[key], val) {
203 tmpContext[key] = append(tmpContext[key], val)
204 }
205 case []int:
206 for _, v := range out {
207 val = strconv.Itoa(v)
208 if val != "" && !slices.Contains(tmpContext[key], val) {
209 tmpContext[key] = append(tmpContext[key], val)
210 }
211 }
212 default:
213 r := reflect.ValueOf(output)
214 if r.IsZero() || r.IsNil() {
215 continue
216 }
