
Investigate the use of an array for both AllowedPathRegex, BlockedPathRegex, & FileChangesRegex

Open built2order opened this issue 2 years ago • 3 comments

When attempting to support users developing applications using Go, Node (i.e. the use of npm binaries), Python, etc., the regex string supporting either AllowedPathRegex, BlockedPathRegex & FileChangesRegex can become unwieldy.

The use of strings in an array would allow for clean configuration rules, as well as the ability of a Google Santa admin to create and conditionally assign appropriate strings to specific users, thereby reducing the risk associated with the availability of all rules for all users.

built2order avatar May 23 '23 09:05 built2order

Unfortunately all of these regexes are processed in a very hot path and allowing multiple regexes here very quickly has a negative effect on performance compared to a single regex achieving the same goal. Consider this (somewhat contrived) example:

2 regexes: /Users/.*/Downloads/.* and /Users/.*/Library/.*
1 regex: /Users/.*/(?:Downloads|Library)/.*

The time to match the string /Users/rah/Library/Caches/Test takes 93% longer with the two regexes than the single regex. For a single match we're talking about microseconds of difference but if you were to add 10 regexes we're now talking about a significant amount of time, especially when considering the FileChangesRegex, which is processed for every single file change operation. It's not quite so bad for the AllowedPathRegex and BlockedPathRegex, as those should only be used when an existing rule hasn't already caught the execution in question, but it can have an outsize effect on developers, where toolchains can often execute hundreds of times a second and are more likely to be executing unknown binaries.

I'm a little surprised to hear that the regexes are needed for Node and Python; I'd expect it to only be necessary to allow the respective interpreters.

russellhancox avatar May 23 '23 14:05 russellhancox

My contrived example, in case anyone wants to reproduce and point out an optimization that would make this more usable: https://gist.github.com/russellhancox/461d7773b8c17a1619f8b71a9589ca5a

russellhancox avatar May 23 '23 14:05 russellhancox
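Since the config keys take a single regex string, the practical workaround for the list-of-patterns request is to fold the list into one alternation before it goes into the config. The following is an added example, not Santa's code and not the gist linked above: it builds that combined pattern, checks that it classifies paths exactly as the separate list would, shows the precedence trap when anchors are added around a naive join, and times list-vs-combined matching the way the comment above describes. The sample patterns beyond the two from the comment and the sample paths are constructed for this example; it assumes the patterns use only constructs shared by Python's re module and ICU (NSRegularExpression), and that matching is an unanchored search unless the pattern itself carries anchors.

```python
"""Fold a list of path regexes into the single regex string that Santa's
AllowedPathRegex / BlockedPathRegex / FileChangesRegex keys accept, and check
that the folded pattern makes the same decisions as the list.

Added example, not Santa's code. Assumes the patterns use only constructs shared
by Python's re and ICU (NSRegularExpression), and that matching is an unanchored
search unless a pattern carries its own anchors.
"""
import re
import time
from typing import Iterable, List, Tuple


def combine_patterns(patterns: Iterable[str]) -> str:
    """Return one alternation equivalent to 'any of these patterns matches'.

    Every alternative is wrapped in its own non-capturing group, and the whole
    alternation in another, so the result can be embedded in a larger
    expression (for example between ^ and $) without alternation precedence
    silently changing which alternative the anchors apply to.
    """
    patterns = list(patterns)
    if not patterns:
        raise ValueError("at least one pattern is required")
    return "(?:" + "|".join(f"(?:{p})" for p in patterns) + ")"


def anchored(patterns: Iterable[str]) -> str:
    """Combined pattern that must match the whole path."""
    return "^" + combine_patterns(patterns) + "$"


def naive_anchored(patterns: Iterable[str]) -> str:
    """The tempting but wrong way: ^ binds only to the first alternative and
    $ only to the last, so middle/last alternatives match anywhere in the path."""
    return "^" + "|".join(patterns) + "$"


def matches(pattern: str, path: str) -> bool:
    """Unanchored search, the assumed matching mode."""
    return re.search(pattern, path) is not None


def decisions_agree(patterns: List[str], paths: List[str]) -> bool:
    """True if the list of regexes and the combined regex classify every path alike."""
    separate = [re.compile(p) for p in patterns]
    combined = re.compile(combine_patterns(patterns))
    for path in paths:
        any_separate = any(r.search(path) for r in separate)
        if any_separate != bool(combined.search(path)):
            return False
    return True


def time_matching(patterns: List[str], path: str, iterations: int = 50_000) -> Tuple[float, float]:
    """Seconds spent matching `path` against the list vs the combined regex."""
    separate = [re.compile(p) for p in patterns]
    combined = re.compile(combine_patterns(patterns))

    start = time.perf_counter()
    for _ in range(iterations):
        any(r.search(path) for r in separate)
    t_separate = time.perf_counter() - start

    start = time.perf_counter()
    for _ in range(iterations):
        combined.search(path)
    t_combined = time.perf_counter() - start
    return t_separate, t_combined


# Constructed sample data: the first two patterns and the first path are the
# ones from the comment above; the rest are made up for this example.
SAMPLE_PATTERNS = [
    r"/Users/.*/Downloads/.*",
    r"/Users/.*/Library/.*",
    r"/Users/.*/go/bin/.*",
    r"/Users/.*/node_modules/\.bin/.*",
]
SAMPLE_PATHS = [
    "/Users/rah/Library/Caches/Test",
    "/Users/rah/go/bin/gopls",
    "/Users/rah/project/node_modules/.bin/eslint",
    "/usr/local/bin/python3",
    "/Users/rah/Desktop/tool",
]

if __name__ == "__main__":
    print("combined:", combine_patterns(SAMPLE_PATTERNS))
    print("decisions agree:", decisions_agree(SAMPLE_PATTERNS, SAMPLE_PATHS))
    sep, comb = time_matching(SAMPLE_PATTERNS, SAMPLE_PATHS[0])
    print(f"list: {sep:.3f}s  combined: {comb:.3f}s")
```

The string returned by combine_patterns is what goes into the single config key; run decisions_agree against a corpus of real paths from your fleet before shipping it, since ICU and Python agree on the constructs used here but not on every regex feature. The timing numbers are hardware dependent and only illustrate the direction of the effect described in the comment above.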

For AllowedPathRegex and BlockedPathRegex, can we use line by line for multiple strings? If yes, how can I do it, or could you show me an example? Example: I want two AllowedPathRegex, /app/1.* and /app/2.*, line by line for each path to keep it clean and easy to track.

waiphyomaxbit avatar Jan 26 '24 07:01 waiphyomaxbit