From 7447b8bf041d93bb6944816f7869959a100b3db2 Mon Sep 17 00:00:00 2001
From: Sebastien Blot
Date: Mon, 15 Apr 2024 14:06:11 +0200
Subject: [PATCH] better handling of multiple matched zones
---
 pkg/acquisition/modules/appsec/utils.go | 35 ++++++++++++++++---------
 1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/pkg/acquisition/modules/appsec/utils.go b/pkg/acquisition/modules/appsec/utils.go
index b5cca5339..3eca364a3 100644
--- a/pkg/acquisition/modules/appsec/utils.go
+++ b/pkg/acquisition/modules/appsec/utils.go
@@ -15,6 +15,17 @@ import (
 log "github.com/sirupsen/logrus"
 )
+func appendMeta(meta models.Meta, key string, value string) models.Meta {
+ if value == "" {
+ return meta
+ }
+ meta = append(meta, &models.MetaItems0{
+ Key: key,
+ Value: value,
+ })
+ return meta
+}
+
 func AppsecEventGeneration(inEvt types.Event) (*types.Event, error) {
 //if the request didnd't trigger inband rules, we don't want to generate an event to LAPI/CAPI
 if !inEvt.Appsec.HasInBandMatches {
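Review bot: appendMeta has no doc comment, and its skip-on-empty rule is the one behaviour a caller cannot read off the signature. I would add `// appendMeta appends a key/value item to meta and returns it; an empty value is skipped and meta is returned unchanged.` above the function. The body could also end with `return append(meta, &models.MetaItems0{Key: key, Value: value})` instead of reassigning meta and returning it on a separate line.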
@@ -74,25 +85,23 @@ func AppsecEventGeneration(inEvt types.Event) (*types.Event, error) {
 evtRule.Meta = make(models.Meta, 0)
 for _, key := range []string{"id", "name", "method", "uri", "matched_zones"} {
- value := ""
 switch matched_rule[key].(type) {
 case string:
- value = matched_rule[key].(string)
+ evtRule.Meta = appendMeta(evtRule.Meta, key, matched_rule[key].(string))
 case int:
- value = fmt.Sprintf("%d", matched_rule[key].(int))
+ evtRule.Meta = appendMeta(evtRule.Meta, key, fmt.Sprintf("%d", matched_rule[key].(int)))
+ case []string:
+ for _, v := range matched_rule[key].([]string) {
+ evtRule.Meta = appendMeta(evtRule.Meta, key, v)
+ }
+ case []int:
+ for _, v := range matched_rule[key].([]int) {
+ evtRule.Meta = appendMeta(evtRule.Meta, key, fmt.Sprintf("%d", v))
+ }
 default:
- value = fmt.Sprintf("%v", matched_rule[key])
+ evtRule.Meta = appendMeta(evtRule.Meta, key, fmt.Sprintf("%v", matched_rule[key]))
 }
-
- if value == "" {
- continue
- }
-
- evtRule.Meta = append(evtRule.Meta, &models.MetaItems0{
- Key: key,
- Value: value,
- })
 }
 alert.Events = append(alert.Events, &evtRule)
 }
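Review bot: The `default:` branch still turns a missing key into the literal value `<nil>`: if matched_rule is a map and a rule has no entry for one of the five keys, `matched_rule[key]` is a nil interface, `fmt.Sprintf("%v", ...)` returns a non-empty string and appendMeta keeps it, so the generated alert carries a bogus meta item. Adding `case nil:` with a short comment ahead of `default:` would drop those entries. Binding the value once with `switch v := matched_rule[key].(type) {` would also remove the repeated type assertions in each case. If the zones can arrive as `[]interface{}` (matched_rule's type is declared outside this hunk), they would still fall through to `default:` and be emitted as a single joined value, so that is worth confirming. The loop belongs to a function body that starts and ends outside the hunk.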