[CWS] Allow using 'in' and 'not in' for comparisons between string arrays (#46847)

### What does this PR do?

Allow using 'in' and 'not in' for comparisons between string arrays

### Motivation

Allow writing rules such as

connect.addr.hostname not in ${var_string_array}

### Describe how you validated your changes

### Additional Notes


Co-authored-by: sylvain.baubeau <sylvain.baubeau@datadoghq.com>

Author: lebauce

pkg/security/secl/compiler/eval/eval.go

@@ -964,13 +964,18 @@ func nodeToEvaluator(obj interface{}, opts *Opts, state *State) (interface{}, le
 					if err != nil {
 						return nil, pos, err
 					}
-					if *obj.ArrayComparison.Op == "notin" {
-						return Not(boolEvaluator, state), obj.Pos, nil
+				case *StringArrayEvaluator:
+					boolEvaluator, err = StringArrayMatchesStringArray(unary, nextStringArray, state)
+					if err != nil {
+						return nil, pos, err
 					}
-					return boolEvaluator, obj.Pos, nil
 				default:
 					return nil, pos, NewArrayTypeError(pos, reflect.Array, reflect.String)
 				}
+				if *obj.ArrayComparison.Op == "notin" {
+					return Not(boolEvaluator, state), obj.Pos, nil
+				}
+				return boolEvaluator, obj.Pos, nil
 			case *IntEvaluator:
 				switch nextInt := next.(type) {
 				case *IntArrayEvaluator:

pkg/security/secl/compiler/eval/eval_test.go

@@ -943,6 +943,12 @@ func TestRegister(t *testing.T) {
 		{Expr: `process.list[A].value not in [~"ZZ*", "AAA", "nnnnn"]`, Expected: true},
 		{Expr: `process.list[A].value not in [~"ZZ*", ~"AA*", "nnnnn"]`, Expected: true},
 
+		// StringArrayEvaluator in/not in StringArrayEvaluator — previously unhandled, would fail at compile time
+		{Expr: `process.list.value in process.array.value`, Expected: false}, // ["AAA","BBB","CCC"] ∩ ["EEEE","DDDD"] = ∅
+		{Expr: `process.list.value not in process.array.value`, Expected: true},
+		{Expr: `process.array.value in process.list.value`, Expected: false},
+		{Expr: `process.array.value not in process.list.value`, Expected: true},
+
 		{Expr: `process.list[A].key == 10 && process.list[A].value == "AAA"`, Expected: true},
 		{Expr: `process.list[A].key == 9999 && process.list[A].value == "AAA"`, Expected: false},
 		{Expr: `process.list[A].key == 100 && process.list[A].value == "BBB"`, Expected: true},

pkg/security/secl/compiler/eval/operators.go

@@ -780,6 +780,96 @@ func StringArrayMatches(a *StringArrayEvaluator, b *StringValuesEvaluator, state
 	}, nil
 }
 
+// StringArrayMatchesStringArray weak comparison, at least one element of a should be in b. Neither side can contain regexp
+func StringArrayMatchesStringArray(a *StringArrayEvaluator, b *StringArrayEvaluator, state *State) (*BoolEvaluator, error) {
+	isDc := isArithmDeterministic(a, b, state)
+
+	if a.Field != "" {
+		for _, value := range b.Values {
+			if err := state.UpdateFieldValues(a.Field, FieldValue{Value: value}); err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	arrayOp := func(a []string, b []string) (bool, string) {
+		for _, va := range a {
+			for _, vb := range b {
+				if va == vb {
+					return true, vb
+				}
+			}
+		}
+		return false, ""
+	}
+
+	if a.EvalFnc != nil && b.EvalFnc != nil {
+		ea, eb := a.EvalFnc, b.EvalFnc
+
+		evalFnc := func(ctx *Context) bool {
+			va, vb := ea(ctx), eb(ctx)
+			res, vm := arrayOp(va, vb)
+			if res {
+				ctx.AddMatchingSubExpr(MatchingValue{Field: a.Field, Value: va, Offset: a.Offset}, MatchingValue{Value: vm, Offset: b.Offset})
+			}
+			return res
+		}
+
+		return &BoolEvaluator{
+			EvalFnc:         evalFnc,
+			Weight:          a.Weight + b.Weight,
+			isDeterministic: isDc,
+		}, nil
+	}
+
+	if a.EvalFnc == nil && b.EvalFnc == nil {
+		ea, eb := a.Values, b.Values
+		res, _ := arrayOp(ea, eb)
+
+		return &BoolEvaluator{
+			Value:           res,
+			Weight:          a.Weight + InArrayWeight*len(eb),
+			isDeterministic: isDc,
+		}, nil
+	}
+
+	if a.EvalFnc != nil {
+		ea, eb := a.EvalFnc, b.Values
+
+		evalFnc := func(ctx *Context) bool {
+			va, vb := ea(ctx), eb
+			res, vm := arrayOp(va, vb)
+			if res {
+				ctx.AddMatchingSubExpr(MatchingValue{Field: a.Field, Value: va, Offset: a.Offset}, MatchingValue{Value: vm, Offset: b.Offset})
+			}
+			return res
+		}
+
+		return &BoolEvaluator{
+			EvalFnc:         evalFnc,
+			Weight:          a.Weight + InArrayWeight*len(eb),
+			isDeterministic: isDc,
+		}, nil
+	}
+
+	ea, eb := a.Values, b.EvalFnc
+
+	evalFnc := func(ctx *Context) bool {
+		va, vb := ea, eb(ctx)
+		res, vm := arrayOp(va, vb)
+		if res {
+			ctx.AddMatchingSubExpr(MatchingValue{Field: a.Field, Value: va, Offset: a.Offset}, MatchingValue{Field: b.Field, Value: vm, Offset: b.Offset})
+		}
+		return res
+	}
+
+	return &BoolEvaluator{
+		EvalFnc:         evalFnc,
+		Weight:          b.Weight,
+		isDeterministic: isDc,
+	}, nil
+}
+
 // IntArrayMatches weak comparison, a least one element of a should be in b
 func IntArrayMatches(a *IntArrayEvaluator, b *IntArrayEvaluator, state *State) (*BoolEvaluator, error) {
 	isDc := isArithmDeterministic(a, b, state)