Attempting to use proc.a* fields (%proc.aname, %proc.apid...) in output w/o argument results in undefined behavior

[LucaGuerra]

Describe the bug

According to the documentation, fields like proc.aname do not make sense in output by themselves but only in filters. So proc.aname = bash is legit, My aname is '%proc.aname' is not.

Currently, you can still write an output string like the one above, and this is what happens:

• If "%proc.aname" is evaluated as-is or at the end of an output string, it'll return proc.aname[0]
• If the formatting token %proc.aname is in the middle of the output string this results in an unintialized read, as m_argid is NOT set in sinsp_filter_check_thread::parse_field_name and so the behavior is undefined

How to reproduce it

TEST_F(sinsp_formatter_test, repro) {
	format("hello |%proc.name| |%proc.aname| end");
	std::cout << "----- last_output -----" << std::endl;
	std::cout << m_last_output << std::endl;
}

Expected behaviour

Either a NULL which is properly handled or a syntax error. Both are acceptable I think. I prefer a syntax error at this point.

Screenshots

Environment

• Falco version:

• System info:

• Cloud provider or hardware configuration:
• OS:

• Kernel:

• Installation method:

Additional context

[FedeDP]

/milestone 0.21.0

[FedeDP]

I don't think we will have time to work on this during this release cycle. Moving to next one
/milestone 0.22.0

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[FedeDP]

/remove-lifecycle stale