fix: enhance file existence checks to include regular file validation in FileRuleEvaluator

Author: jr0me

src/modules/sca/src/sca_policy_check.cpp

@@ -42,9 +42,9 @@ RuleResult FileRuleEvaluator::Evaluate()
 
 RuleResult FileRuleEvaluator::CheckFileForContents()
 {
-    if (!m_fileSystemWrapper->exists(m_ctx.rule))
+    if (!m_fileSystemWrapper->exists(m_ctx.rule) || !m_fileSystemWrapper->is_regular_file(m_ctx.rule))
     {
-        return m_ctx.isNegated ? RuleResult::Found : RuleResult::NotFound;
+        return RuleResult::Invalid;
     }
 
     const auto pattern = *m_ctx.pattern; // NOLINT(bugprone-unchecked-optional-access)
@@ -77,8 +77,8 @@ RuleResult FileRuleEvaluator::CheckFileForContents()
 
 RuleResult FileRuleEvaluator::CheckFileExistence()
 {
-    const bool exists = m_fileSystemWrapper->exists(m_ctx.rule);
-    const RuleResult result = exists ? RuleResult::Found : RuleResult::NotFound;
+    const auto exists = m_fileSystemWrapper->exists(m_ctx.rule) && m_fileSystemWrapper->is_regular_file(m_ctx.rule);
+    const auto result = exists ? RuleResult::Found : RuleResult::NotFound;
 
     return m_ctx.isNegated ? (result == RuleResult::Found ? RuleResult::NotFound : RuleResult::Found) : result;
 }

src/modules/sca/tests/file_rule_evaluator_test.cpp

@@ -49,6 +49,7 @@ TEST_F(FileRuleEvaluatorTest, FileExistsReturnsFound)
     m_ctx.rule = "some/file";
 
     EXPECT_CALL(*m_rawFsMock, exists(std::filesystem::path("some/file"))).WillOnce(::testing::Return(true));
+    EXPECT_CALL(*m_rawFsMock, is_regular_file(std::filesystem::path("some/file"))).WillOnce(::testing::Return(true));
 
     auto evaluator = CreateEvaluator();
     EXPECT_EQ(evaluator.Evaluate(), RuleResult::Found);
@@ -60,6 +61,7 @@ TEST_F(FileRuleEvaluatorTest, PatternRegexMatchesContentReturnsFound)
     m_ctx.rule = "some/file";
 
     EXPECT_CALL(*m_rawFsMock, exists(std::filesystem::path("some/file"))).WillOnce(::testing::Return(true));
+    EXPECT_CALL(*m_rawFsMock, is_regular_file(std::filesystem::path("some/file"))).WillOnce(::testing::Return(true));
     EXPECT_CALL(*m_rawIoMock, getFileContent("some/file")).WillOnce(::testing::Return("foo"));
 
     auto evaluator = CreateEvaluator();
@@ -72,6 +74,7 @@ TEST_F(FileRuleEvaluatorTest, PatternRegexDoesNotMatchContentReturnsNotFound)
     m_ctx.rule = "some/file";
 
     EXPECT_CALL(*m_rawFsMock, exists(std::filesystem::path("some/file"))).WillOnce(::testing::Return(true));
+    EXPECT_CALL(*m_rawFsMock, is_regular_file(std::filesystem::path("some/file"))).WillOnce(::testing::Return(true));
     EXPECT_CALL(*m_rawIoMock, getFileContent("some/file")).WillOnce(::testing::Return("bar"));
 
     auto evaluator = CreateEvaluator();
@@ -84,6 +87,7 @@ TEST_F(FileRuleEvaluatorTest, PatternExactLineMatchesReturnsFound)
     m_ctx.rule = "some/file";
 
     EXPECT_CALL(*m_rawFsMock, exists(std::filesystem::path("some/file"))).WillOnce(::testing::Return(true));
+    EXPECT_CALL(*m_rawFsMock, is_regular_file(std::filesystem::path("some/file"))).WillOnce(::testing::Return(true));
     EXPECT_CALL(*m_rawIoMock, readLineByLine(std::filesystem::path("some/file"), ::testing::_))
         .WillOnce(::testing::Invoke(
             [](const std::filesystem::path&, const std::function<bool(const std::string&)>& callback)
@@ -102,6 +106,7 @@ TEST_F(FileRuleEvaluatorTest, PatternExactLineNoMatchReturnsNotFound)
     m_ctx.rule = "some/file";
 
     EXPECT_CALL(*m_rawFsMock, exists(std::filesystem::path("some/file"))).WillOnce(::testing::Return(true));
+    EXPECT_CALL(*m_rawFsMock, is_regular_file(std::filesystem::path("some/file"))).WillOnce(::testing::Return(true));
     EXPECT_CALL(*m_rawIoMock, readLineByLine(std::filesystem::path("some/file"), ::testing::_))
         .WillOnce(::testing::Invoke(
             [](const std::filesystem::path&, const std::function<bool(const std::string&)>& callback)
@@ -114,13 +119,25 @@ TEST_F(FileRuleEvaluatorTest, PatternExactLineNoMatchReturnsNotFound)
     EXPECT_EQ(evaluator.Evaluate(), RuleResult::NotFound);
 }
 
-TEST_F(FileRuleEvaluatorTest, PatternGivenButFileDoesNotExistReturnsNotFound)
+TEST_F(FileRuleEvaluatorTest, PatternGivenButFileDoesNotExistReturnsInvalid)
 {
     m_ctx.pattern = std::string("r:foo");
     m_ctx.rule = "some/file";
 
     EXPECT_CALL(*m_rawFsMock, exists(std::filesystem::path("some/file"))).WillOnce(::testing::Return(false));
 
     auto evaluator = CreateEvaluator();
-    EXPECT_EQ(evaluator.Evaluate(), RuleResult::NotFound);
+    EXPECT_EQ(evaluator.Evaluate(), RuleResult::Invalid);
+}
+
+TEST_F(FileRuleEvaluatorTest, PatternGivenButPathIsNotRegularFileReturnsInvalid)
+{
+    m_ctx.pattern = std::string("r:foo");
+    m_ctx.rule = "some/file";
+
+    EXPECT_CALL(*m_rawFsMock, exists(std::filesystem::path("some/file"))).WillOnce(::testing::Return(true));
+    EXPECT_CALL(*m_rawFsMock, is_regular_file(std::filesystem::path("some/file"))).WillOnce(::testing::Return(false));
+
+    auto evaluator = CreateEvaluator();
+    EXPECT_EQ(evaluator.Evaluate(), RuleResult::Invalid);
 }