From 6da123e799881230e94e13a5c6054bdeb1e7cd1d Mon Sep 17 00:00:00 2001
From: Al Stockdill-Mander
Date: Tue, 9 Feb 2021 16:29:18 +0000
Subject: [PATCH] Add listenaddress option
I've added an explicit listenaddress option in addition to listenport. In my particular use case I'm running falcosidekick in a net=host container and don't want it to bound to external IPs. Also fixed a gosec complaint about json.Unmarshal
Signed-off-by: Al Stockdill-Mander
---
 README.md | 2 ++
 config.go | 6 ++++++
 config_example.yaml | 1 +
 main.go | 10 +++++-----
 outputs/webui.go | 5 +++--
 types/types.go | 1 +
 6 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 88f1ab039..e09ca4c4c 100644
--- a/README.md
+++ b/README.md
@@ -126,6 +126,7 @@ vars_ override values from _file_. See **config_example.yaml** : ```yaml
+#listenaddress: "" # ip address to bind falcosidekick to (default: "" meaning all addresses)
 #listenport: 2801 # port to listen for daemon (default: 2801)
 debug: false # if true all outputs will print in stdout the payload they send (default: false)
 customfields: # custom fields are added to falco events
@@ -320,6 +321,7 @@ override these from _yaml file_. The _env vars_ "match" field names in \*yaml file with this structure (**take care of lower/uppercases**) : `yaml: a.b --> envvar: A_B` :
+- **LISTENADDRESS** : ip address to bind falcosidekick to (default: "" meaning all addresses)
 - **LISTENPORT** : port to listen for daemon (default: `2801`)
 - **DEBUG** : if _true_ all outputs will print in stdout the payload they send (default: false)
diff --git a/config.go b/config.go
index 0183493cf..02be3b94f 100644
--- a/config.go
+++ b/config.go
@@ -2,6 +2,7 @@ package main
 import (
 "log"
+ "net"
 "os"
 "path"
 "path/filepath"
@@ -26,6 +27,7 @@ func getConfig() *types.Configuration {
 kingpin.Parse()
 v := viper.New()
+ v.SetDefault("ListenAddress", "")
 v.SetDefault("ListenPort", 2801)
 v.SetDefault("Debug", false)
 v.SetDefault("CheckCert", true)
@@ -198,6 +200,10 @@ func getConfig() *types.Configuration {
 log.Fatalf("[ERROR] : Bad port number\n")
 }
+ if ip := net.ParseIP(c.ListenAddress); c.ListenAddress != "" && ip == nil {
+ log.Fatalf("[ERROR] : Failed to parse ListenAddress")
+ }
+
 c.Slack.MinimumPriority = checkPriority(c.Slack.MinimumPriority)
 c.Rocketchat.MinimumPriority = checkPriority(c.Rocketchat.MinimumPriority)
 c.Mattermost.MinimumPriority = checkPriority(c.Mattermost.MinimumPriority)
diff --git a/config_example.yaml b/config_example.yaml
index 948dd26bc..fea956a1a 100644
--- a/config_example.yaml
+++ b/config_example.yaml
@@ -1,3 +1,4 @@
+#listenaddress: "" # ip address to bind falcosidekick to (default: "" meaning all addresses)
 #listenport: 2801 # port to listen for daemon (default: 2801)
 debug: false # if true all outputs will print in stdout the payload they send (default: false)
 customfields: # custom fields are added to falco events
diff --git a/main.go b/main.go
index 88cb84978..399818a76 100644
--- a/main.go
+++ b/main.go
@@ -1,9 +1,9 @@
 package main
 import (
+ "fmt"
 "log"
 "net/http"
- "strconv"
 "strings"
 "github.com/DataDog/datadog-go/statsd"
@@ -371,12 +371,12 @@ func main() {
 http.HandleFunc("/test", testHandler)
 http.Handle("/metrics", promhttp.Handler())
- log.Printf("[INFO] : Falco Sidekick is up and listening on port %v\n", config.ListenPort)
+ log.Printf("[INFO] : Falco Sidekick is up and listening on %s:%d", config.ListenAddress, config.ListenPort)
 if config.Debug {
- log.Printf("[INFO] : Debug mode : %v\n", config.Debug)
+ log.Printf("[INFO] : Debug mode : %v", config.Debug)
 }
- if err := http.ListenAndServe(":"+strconv.Itoa(config.ListenPort), nil); err != nil {
- log.Fatalf("[ERROR] : %v\n", err.Error())
+ if err := http.ListenAndServe(fmt.Sprintf("%s:%d", config.ListenAddress, config.ListenPort), nil); err != nil {
+ log.Fatalf("[ERROR] : %v", err.Error())
 }
 }
diff --git a/outputs/webui.go b/outputs/webui.go
index aa4430c9f..446753833 100644
--- a/outputs/webui.go
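Review bot: The new `log.Fatalf("[ERROR] : Failed to parse ListenAddress")` in getConfig does not report the rejected value, which makes a bad `LISTENADDRESS` env var or YAML entry harder to trace; `log.Fatalf("[ERROR] : Failed to parse ListenAddress %q", c.ListenAddress)` would show it. `net.ParseIP` only accepts literal IP addresses, so a hostname such as `localhost` is rejected here; a comment like `// ListenAddress must be a literal IPv4/IPv6 address; hostnames are rejected` would make that restriction explicit. getConfig's body starts and ends outside this hunk.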
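Review bot: In the second main.go hunk the bind address is built with `fmt.Sprintf("%s:%d", config.ListenAddress, config.ListenPort)`, which yields an unbracketed string such as `::1:2801` for an IPv6 address, while the check added in config.go uses `net.ParseIP` and therefore accepts IPv6 values. Such a setting passes validation and then fails when `http.ListenAndServe` parses the address. `net.JoinHostPort(config.ListenAddress, strconv.Itoa(config.ListenPort))` adds the brackets when needed and still gives `:2801` for the empty default; it needs the `net` import and keeps `strconv`, which this commit drops. Using the same joined string in the startup `log.Printf` would keep the logged address identical to the one actually bound. main's body starts outside the hunk.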
+++ b/outputs/webui.go
@@ -3,7 +3,6 @@ package outputs
 import (
 "encoding/json"
 "expvar"
- "fmt"
 "log"
 "github.com/falcosecurity/falcosidekick/types"
@@ -19,7 +18,9 @@ type WebUIPayload struct {
 func newWebUIPayload(falcopayload types.FalcoPayload, config *types.Configuration) WebUIPayload {
 s := new(map[string]int64)
- json.Unmarshal([]byte(fmt.Sprintf("%v", expvar.Get("falco.priority"))), &s)
+ if err := json.Unmarshal([]byte(expvar.Get("falco.priority").String()), &s); err != nil {
+ log.Printf("[ERROR] : WebUI - failed to unmarshal expvar : %s", err)
+ }
 return WebUIPayload{
 UUID: config.UUID,
diff --git a/types/types.go b/types/types.go
index cf3d99f34..fda42b761 100644
--- a/types/types.go
+++ b/types/types.go
@@ -22,6 +22,7 @@ type Configuration struct {
 UUID string
 CheckCert bool
 Debug bool
+ ListenAddress string
 ListenPort int
 Customfields map[string]string
 Slack SlackOutputConfig
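Review bot: `expvar.Get("falco.priority").String()` in newWebUIPayload panics with a nil dereference if that variable has not been published, because `expvar.Get` returns nil for an unknown name; the removed `fmt.Sprintf("%v", ...)` form tolerated nil and simply failed to unmarshal. Unless publication is guaranteed before any payload is built (not visible in this hunk), guard the call with `if v := expvar.Get("falco.priority"); v != nil { ... }` and unmarshal `v.String()` inside it. Separately, `s` is already a pointer from `new(map[string]int64)`, so passing `s` instead of `&s` would be the more direct form. The function's return statement continues past the end of the hunk.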