From 9a7118d3f2aa6fabd90164b9c7921150c1891d0e Mon Sep 17 00:00:00 2001
From: Federico Di Pierro
Date: Tue, 23 Jan 2024 10:17:34 +0100
Subject: [PATCH 1/3] update(cmake): bumped falcoctl to v0.7.1.
Signed-off-by: Federico Di Pierro
---
 cmake/modules/falcoctl.cmake | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/cmake/modules/falcoctl.cmake b/cmake/modules/falcoctl.cmake
index 3f47d49fdde..71085b4b1f5 100644
--- a/cmake/modules/falcoctl.cmake
+++ b/cmake/modules/falcoctl.cmake
@@ -16,14 +16,14 @@ include(ExternalProject)
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
-set(FALCOCTL_VERSION "0.7.0")
+set(FALCOCTL_VERSION "0.7.1")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
 set(FALCOCTL_SYSTEM_PROC_GO "amd64")
- set(FALCOCTL_HASH "d9ccff287bffd847752f2ec2d65566032f097a38219c6ca87dbcf1cd0fe3cbe4")
+ set(FALCOCTL_HASH "f142507c0e2b1e7dc03fd0b1ec36b479eb171f1f58c17f90d2d8edeb00668ef5")
 else() # aarch64
 set(FALCOCTL_SYSTEM_PROC_GO "arm64")
- set(FALCOCTL_HASH "5db283cd0ba15c875ef8b95037f18c01a95d683fdc177a4f5f1b5b92450b6602")
+ set(FALCOCTL_HASH "93e4800b68e21057da82c8c7aafa0970598594d62cd9929ebb9b38a9c02159a6")
 endif()
 ExternalProject_Add(
From b72169c102fa33aae2b34abb6cdee1054862c812 Mon Sep 17 00:00:00 2001
From: Jason Dellaluce
Date: Mon, 22 Jan 2024 10:38:48 +0000
Subject: [PATCH 2/3] fix(userspace/engine): avoid storing escaped strings in engine defs
Signed-off-by: Jason Dellaluce
---
 userspace/engine/rule_loader_compiler.cpp | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/userspace/engine/rule_loader_compiler.cpp b/userspace/engine/rule_loader_compiler.cpp
index b16a8eea5e7..b45c14d861a 100644
--- a/userspace/engine/rule_loader_compiler.cpp
+++ b/userspace/engine/rule_loader_compiler.cpp
@@ -181,6 +181,7 @@ static bool resolve_list(std::string& cnd, const falco_list& list)
 {
 static std::string blanks = " \t\n\r";
 static std::string delims = blanks + "(),=";
+ std::string tmp;
 std::string new_cnd;
 size_t start, end;
 bool used = false;
@@ -212,7 +213,9 @@ static bool resolve_list(std::string& cnd, const falco_list& list)
 {
 sub += ", ";
 }
- sub += v;
+ tmp = v;
+ quote_item(tmp);
+ sub += tmp;
 }
 // if substituted list is empty, we need to
 // remove a comma from the left or the right
@@ -339,7 +342,6 @@ void rule_loader::compiler::compile_list_infos(
 const collector& col,
 indexed_vector& out) const
 {
- std::string tmp;
 std::list used;
 falco_list v;
 for (const auto &list : col.lists())
@@ -352,17 +354,14 @@ void rule_loader::compiler::compile_list_infos(
 if (ref && ref->index < list.visibility)
 {
 used.push_back(ref->name);
- for (auto val : ref->items)
+ for (const auto &val : ref->items)
 {
- quote_item(val);
 v.items.push_back(val);
 }
 }
 else
 {
- tmp = item;
- quote_item(tmp);
- v.items.push_back(tmp);
+ v.items.push_back(item);
 }
 }
 v.used = false;
From 6e7a385d01353bb46381a7c599f6b62c85443538 Mon Sep 17 00:00:00 2001
From: Jason Dellaluce
Date: Mon, 22 Jan 2024 17:53:03 +0000
Subject: [PATCH 3/3] test(engine): assess proper list escaping in engine collector
Signed-off-by: Jason Dellaluce
---
 unit_tests/engine/test_rule_loader.cpp | 27 ++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/unit_tests/engine/test_rule_loader.cpp b/unit_tests/engine/test_rule_loader.cpp
index a6b7d1da2eb..28366020409 100644
--- a/unit_tests/engine/test_rule_loader.cpp
+++ b/unit_tests/engine/test_rule_loader.cpp
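Review bot: Moving `quote_item` out of `compile_list_infos` and into `resolve_list` (the new `tmp = v; quote_item(tmp); sub += tmp;` lines) silently changes the contract of `falco_list::items`: items are now stored unescaped, so any other reader of `items` that relied on them being pre-quoted — description output, or anything that splices list items into a condition without going through `resolve_list` — must now quote for itself, and nothing in the hunk records that. I would pin the new invariant at the storage site, e.g. above `v.items.push_back(item);`: `// items are kept unescaped; resolve_list() quotes them at substitution time`. Quoting also now runs once per substitution per rule rather than once per list at compile time; presumably cheap for a string escape, but `quote_item` is not visible here, so worth confirming it does nothing heavier. Both `resolve_list` and `compile_list_infos` start and end outside these hunks.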
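Review bot: In the `compile_list_infos` hunk, the rewritten loop `for (const auto &val : ref->items) { v.items.push_back(val); }` is now a plain copy with no per-element work left in it, so the four lines collapse to a single range insert: `v.items.insert(v.items.end(), ref->items.begin(), ref->items.end());`. That reads as the bulk copy it is and, if `items` is a `std::vector` (its type is not visible here), avoids the repeated growth a push_back loop can incur. The enclosing function begins before the hunk.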
@@ -941,3 +941,30 @@ TEST_F(engine_loader_test, required_engine_version_invalid)
 ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
 ASSERT_TRUE(check_error_message("Unable to parse engine version"));
 }
+
+// checks for issue described in https://github.com/falcosecurity/falco/pull/3028
+TEST_F(engine_loader_test, list_value_with_escaping)
+{
+ std::string rules_content = R"END(
+- list: my_list
+ items: [non_escaped_val, "escaped val"]
+)END";
+
+ ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
+ ASSERT_TRUE(m_load_result->successful());
+ ASSERT_TRUE(m_load_result->has_warnings()); // a warning for the unused list
+
+ auto rule_description = m_engine->describe_rule(nullptr, {});
+ ASSERT_TRUE(m_load_result->successful());
+ ASSERT_EQ(rule_description["rules"].size(), 0);
+ ASSERT_EQ(rule_description["macros"].size(), 0);
+ ASSERT_EQ(rule_description["lists"].size(), 1);
+
+ // escaped values must not be interpreted as list refs by mistake
+ ASSERT_EQ(rule_description["lists"][0]["details"]["lists"].size(), 0);
+
+ // values should be escaped correctly
+ ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"].size(), 2);
+ ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][0].template get(), "non_escaped_val");
+ ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][1].template get(), "escaped val");
+}
\ No newline at end of file
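Review bot: The assertion under `// escaped values must not be interpreted as list refs by mistake` looks unable to catch the regression it names: `"escaped val"` does not coincide with any list name in the fixture, so `details.lists` would be empty with or without the fix as far as this hunk shows. To pin the actual issue, add a second list whose quoted item spells the first list's name, e.g. `items: ["my_list", plain]`, and assert that `items_compiled` carries `my_list` verbatim while `details.lists` stays empty; a value containing the condition delimiters `(),=` or an embedded quote would also be worth a case, since those are exactly what quoting has to protect in a condition. The second `ASSERT_TRUE(m_load_result->successful());` after `describe_rule` re-checks state already asserted three lines earlier unless `describe_rule` rewrites `m_load_result` (not visible here), so it can be dropped. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`).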