libddwaf 1.0.12.0.0.beta1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 149b110d2839d0a87023bcb956689ecc5a65c366080979a7fbdd458a59f2f928
+  data.tar.gz: 8d5181f1cb4e98ed8aa065a948480de18a032f5a7c31f084b936e6b10800d81b
+SHA512:
+  metadata.gz: 83006f3f968659cd4701f87469bd8b570bb1f245282b4a2c037a45f2e7b71bd3f4def34cba9ace7eefdd2eb0d0ba269b9d0c1301920610bd8ad0d97138413f45
+  data.tar.gz: 31dc16a314fd59ccafb97ad828e9ac8ddfadda8b44e412f9067ae982328e5582b5d6b66e24f9d992231b0f494949b9d2cee4ce09177a3af51488d5f5c9dc304f

data/.github/workflows/package.yml

@@ -0,0 +1,135 @@
+name: Package
+on:
+  - push
+
+jobs:
+  package:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+          - os: ubuntu-20.04
+            cpu: aarch64
+            platform: aarch64-linux
+          - os: macos-10.15
+            cpu: x86_64
+            platform: x86_64-darwin
+          - os: macos-10.15
+            cpu: arm64
+            platform: arm64-darwin
+    name: Build package (${{ matrix.platform }})
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Install Linux build tools
+        if: ${{ startsWith(matrix.os, 'ubuntu-') }}
+        run: sudo apt-get install -y ruby ruby-bundler
+      - name: Bundle
+        run: |
+          bundle install
+      - name: Fetch binary library
+        run: |
+          bundle exec rake fetch[${{ matrix.platform }}]
+      - name: Extract binary library
+        run: |
+          bundle exec rake extract[${{ matrix.platform }}]
+      - name: Build package
+        run: |
+          bundle exec rake binary[${{ matrix.platform }}]
+      - name: Upload gem
+        uses: actions/upload-artifact@v2
+        with:
+          name: libddwaf-${{ matrix.platform }}-${{ github.run_id }}-${{ github.sha }}
+          path: pkg
+  test-linux:
+    needs: package
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:2.6
+            qemu: amd64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: aarch64
+            platform: aarch64-linux
+            image: ruby:2.6
+            qemu: aarch64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:2.6-alpine
+            qemu: amd64
+            libc: musl
+          - os: ubuntu-20.04
+            cpu: aarch64
+            platform: aarch64-linux
+            image: ruby:2.6-alpine
+            qemu: aarch64
+            libc: musl
+    name: Test package (${{ matrix.platform }}-${{ matrix.libc }})
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Enable ${{ matrix.qemu }} platform
+        id: qemu
+        if: ${{ matrix.cpu != 'amd64' }}
+        run: |
+          docker run --privileged --rm tonistiigi/binfmt:latest --install ${{ matrix.qemu }} | tee platforms.json
+          echo "::set-output name=platforms::$(cat platforms.json)"
+      - name: Start container
+        id: container
+        run: |
+          echo ${{ matrix.image }} > container_image
+          docker run --rm -d -v "${PWD}":"${PWD}" -w "${PWD}" --platform linux/${{ matrix.qemu }} ${{ matrix.image }} /bin/sleep 64d | tee container_id
+          docker exec -w "${PWD}" $(cat container_id) uname -a
+          echo "::set-output name=id::$(cat container_id)"
+      - uses: actions/download-artifact@v2
+        with:
+          name: libddwaf-${{ matrix.platform }}-${{ github.run_id }}-${{ github.sha }}
+          path: pkg
+      - name: List artifact files
+        run: find .
+        working-directory: pkg
+      - name: Install Alpine system dependencies
+        if: ${{ matrix.libc == 'musl' }}
+        run: docker exec -w "${PWD}" ${{ steps.container.outputs.id }} apk add --no-cache build-base
+      - name: Install gem
+        run: docker exec -w "${PWD}" ${{ steps.container.outputs.id }} gem install --verbose pkg/*.gem
+      - name: Run smoke test
+        run: |
+          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} ruby -r 'libddwaf' -e 'v = Datadog::Security::WAF::LibDDWAF::Version.new; Datadog::Security::WAF::LibDDWAF.ddwaf_get_version(v); p [v[:major], v[:minor], v[:patch]]'
+  test-darwin:
+    needs: package
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-10.15
+            cpu: x86_64
+            platform: x86_64-darwin
+        # - os: macos-11.0
+        #   cpu: arm64
+        #   platform: arm64-darwin
+    name: Test package (${{ matrix.platform }})
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/download-artifact@v2
+        with:
+          name: libddwaf-${{ matrix.platform }}-${{ github.run_id }}-${{ github.sha }}
+          path: pkg
+      - name: List artifact files
+        run: find .
+        working-directory: pkg
+      - name: Install gem
+        run: gem install --verbose pkg/*.gem
+      - name: Run smoke test
+        run: |
+          ruby -r 'libddwaf' -e 'v = Datadog::Security::WAF::LibDDWAF::Version.new; Datadog::Security::WAF::LibDDWAF.ddwaf_get_version(v); p [v[:major], v[:minor], v[:patch]]'

data/.github/workflows/test.yml

@@ -0,0 +1,201 @@
+name: Test
+on:
+  - push
+
+jobs:
+  test-linux:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:3.0
+            qemu: amd64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: aarch64
+            platform: aarch64-linux
+            image: ruby:3.0
+            qemu: arm64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:2.7
+            qemu: amd64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: aarch64
+            platform: aarch64-linux
+            image: ruby:2.7
+            qemu: arm64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:2.6
+            qemu: amd64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: aarch64
+            platform: aarch64-linux
+            image: ruby:2.6
+            qemu: arm64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:2.5
+            qemu: amd64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:2.4
+            qemu: amd64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:2.3
+            qemu: amd64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:2.2
+            qemu: amd64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:2.1
+            qemu: amd64
+            libc: gnu
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:3.0-alpine
+            qemu: amd64
+            libc: musl
+          - os: ubuntu-20.04
+            cpu: aarch64
+            platform: aarch64-linux
+            image: ruby:3.0-alpine
+            qemu: arm64
+            libc: musl
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:2.7-alpine
+            qemu: amd64
+            libc: musl
+          - os: ubuntu-20.04
+            cpu: aarch64
+            platform: aarch64-linux
+            image: ruby:2.7-alpine
+            qemu: arm64
+            libc: musl
+          - os: ubuntu-20.04
+            cpu: x86_64
+            platform: x86_64-linux
+            image: ruby:2.6-alpine
+            qemu: amd64
+            libc: musl
+          - os: ubuntu-20.04
+            cpu: aarch64
+            platform: aarch64-linux
+            image: ruby:2.6-alpine
+            qemu: arm64
+            libc: musl
+        # TODO: jruby images have no sudo so apt-get can't get a lock
+        # - os: ubuntu-20.04
+        #   cpu: x86_64
+        #   platform: x86_64-linux
+        #   image: jruby:9.3
+        #   qemu: amd64
+        #   libc: gnu
+        # - os: ubuntu-20.04
+        #   cpu: x86_64
+        #   platform: x86_64-linux
+        #   image: jruby:9.2
+        #   qemu: amd64
+        #   libc: gnu
+        # - os: ubuntu-20.04
+        #   cpu: x86_64
+        #   platform: x86_64-linux
+        #   image: jruby:9.1
+        #   qemu: amd64
+        #   libc: gnu
+    name: Test (${{ matrix.image }}, ${{ matrix.cpu }})
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Enable ${{ matrix.qemu }} platform
+        id: qemu
+        if: ${{ matrix.cpu != 'amd64' }}
+        run: |
+          docker run --privileged --rm tonistiigi/binfmt:latest --install ${{ matrix.qemu }} | tee platforms.json
+          echo "::set-output name=platforms::$(cat platforms.json)"
+      - name: Start container
+        id: container
+        run: |
+          echo ${{ matrix.image }} > container_image
+          docker run --rm -d -v "${PWD}":"${PWD}" -w "${PWD}" --platform linux/${{ matrix.qemu }} ${{ matrix.image }} /bin/sleep 64d | tee container_id
+          docker exec -w "${PWD}" $(cat container_id) uname -a
+          echo "::set-output name=id::$(cat container_id)"
+      - name: Install Alpine system dependencies
+        if: ${{ matrix.libc == 'musl' }}
+        run: docker exec -w "${PWD}" ${{ steps.container.outputs.id }} apk add --no-cache build-base git
+      - name: Install JRuby system dependencies
+        if: ${{ startsWith(matrix.image, 'jruby') }}
+        run: |
+          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} sudo apt-get update
+          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} sudo apt-get install -y build-essential git
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Bundle
+        run: |
+          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} bundle install
+      - name: Fetch binary library
+        run: |
+          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} bundle exec rake fetch[${{ matrix.platform }}]
+      - name: Extract binary library
+        run: |
+          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} bundle exec rake extract[${{ matrix.platform }}]
+      - name: Run specs
+        run: |
+          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} bundle exec rake spec
+  test-darwin:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-10.15
+            cpu: x86_64
+            platform: x86_64-darwin
+          - os: macos-11.0
+            cpu: x86_64
+            platform: x86_64-darwin
+        # - os: macos-11.0
+        #   cpu: arm64
+        #   platform: arm64-darwin
+    name: Test (${{ matrix.os }} ${{ matrix.cpu }})
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Bundle
+        run: |
+          bundle install
+      - name: Fetch binary library
+        run: |
+          bundle exec rake fetch[${{ matrix.platform }}]
+      - name: Extract binary library
+        run: |
+          bundle exec rake extract[${{ matrix.platform }}]
+      - name: Run specs
+        run: |
+          bundle exec rake spec
+

data/.gitignore

@@ -0,0 +1,8 @@
+Gemfile.lock
+/.envrc
+/vendor/bundle
+/vendor/libddwaf
+/*.nix
+/pkg
+*.gem
+*.vim

data/CONTRIBUTING.md

@@ -0,0 +1,84 @@
+# Contributing
+
+Community contributions to the Datadog bindings to libddwaf for Ruby are welcome! See below for some basic guidelines.
+
+## Want to request a new feature?
+
+Many great ideas for new features come from the community, and we'd be happy to consider yours!
+
+To share your request, you can [open a Github issue](https://github.com/DataDog/libddwaf-rb/issues/new) with the details about what you'd like to see. At a minimum, please provide:
+
+ - The goal of the new feature
+ - A description of how it might be used or behave
+ - Links to any important resources (e.g. Github repos, websites, screenshots, specifications, diagrams)
+
+Additionally, if you can, include:
+
+ - A description of how it could be accomplished
+ - Code snippets that might demonstrate its use or implementation
+ - Screenshots or mockups that visually demonstrate the feature
+ - Links to similar features that would serve as a good comparison
+ - (Any other details that would be useful for implementing this feature!)
+
+Feature requests will be reviewed and discussed.
+
+## Found a bug?
+
+For any urgent matters (such as outages) or issues concerning the Datadog service or UI, contact our support team via https://docs.datadoghq.com/help/ for direct, faster assistance.
+
+You may submit bug reports concerning the Datadog bindings to libddwaf for Ruby by [opening a Github issue](https://github.com/DataDog/libddwaf-rb/issues/new). At a minimum, please provide:
+
+ - A description of the problem
+ - Steps to reproduce
+ - Expected behavior
+ - Actual behavior
+ - Errors (with stack traces) or warnings received
+ - Any details you can share about your configuration including:
+    - Ruby version & platform
+    - `libddwaf` version
+    - Versions of any other relevant gems (or a `Gemfile.lock` if available)
+
+If at all possible, also provide:
+
+ - Logs from the application or other diagnostics
+ - Screenshots, links, or other visual aids that are publicly accessible
+ - Code sample or test that reproduces the problem
+ - An explanation of what causes the bug and/or how it can be fixed
+
+Reports that include rich detail are better, and ones with code that reproduce the bug are best. Bug requests will be triaged and reviewed by our collaborators.
+
+## Have a patch?
+
+We welcome code contributions to the library, which you can [submit as a pull request](https://github.com/DataDog/libddwaf-rb/pull/new/master). To create a pull request:
+
+1. **Fork the repository** from https://github.com/DataDog/libddwaf-rb
+2. **Make any changes** for your patch.
+3. **Write tests** that demonstrate how the feature works or how the bug is fixed.
+4. **Update any documentation** especially for new features.
+5. **Submit the pull request** from your fork back to the latest revision of the `master` branch on https://github.com/DataDog/libddwaf-rb.
+
+The pull request will be run through our CI pipeline, and a project member will review the changes with you. At a minimum, to be accepted and merged, pull requests must:
+
+ - Have a stated goal and detailed description of the changes made
+ - Include thorough test coverage and documentation, where applicable
+ - Pass all tests and code quality checks (linting/coverage) on CI
+ - Receive at least one approval from a project member with push permissions
+
+We also recommend that you share in your description:
+
+ - Any motivations or intent for the contribution
+ - Links to any issues/pull requests it might be related to
+ - Links to any webpages or other external resources that might be related to the change
+ - Screenshots, code samples, or other visual aids that demonstrate the changes or how they are implemented
+ - Benchmarks if the feature is anticipated to have performance implications
+ - Any limitations, constraints or risks that are important to consider
+
+Pull requests will be reviewed by our collaborators.
+
+For more information on common topics such as debugging locally, or how to write new integrations, check out [our development guide](https://github.com/DataDog/libddwaf-rb/blob/master/README.md#development). If at any point you have a question or need assistance with your pull request, feel free to mention a project member! We're always happy to help contributors with their pull requests.
+
+## Final word
+
+Many thanks to all of our contributors, and looking forward to seeing you on Github! :tada:
+
+ - Datadog Ruby Team

data/LICENSE

@@ -0,0 +1,6 @@
+## License
+
+This work is dual-licensed under Apache 2.0 or BSD3.
+You may select, at your option, one of the above-listed licenses.
+
+`SPDX-License-Identifier: Apache-2.0 OR BSD-3-Clause`

data/LICENSE-3rdparty.csv

@@ -0,0 +1,2 @@
+Component,Origin,License,Copyright
+core,https://github.com/ffi/ffi,BSD-3-Clause,"Copyright (c) 2008-2016, Ruby FFI project contributors"

data/LICENSE.Apache

@@ -0,0 +1,200 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2021 Datadog, Inc.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/LICENSE.BSD3

@@ -0,0 +1,24 @@
+Copyright (c) 2021, Datadog <info@datadoghq.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of Datadog nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/NOTICE

@@ -0,0 +1,4 @@
+Datadog libddwaf-rb
+Copyright 2021-Present Datadog, Inc.
+
+This product includes software developed at Datadog, Inc. (https://www.datadoghq.com/).

data/README.md

@@ -0,0 +1,6 @@
+# libddwaf Ruby bindings
+
+``libddwaf-rb`` is library exposing the libddwaf C++ library to Ruby, packaging it in a multiplatform gem.
+
+For the libddwaf implementation, see this repository:
+ - [``libddwaf``: libddwaf](https://github.com/DataDog/libddwaf.git)

data/lib/datadog/security/waf/version.rb

@@ -0,0 +1,12 @@
+module Datadog
+  module Security
+    module WAF
+      module VERSION
+        BASE_STRING = '1.0.12'
+        STRING = "#{BASE_STRING}.0.0.beta1"
+        MINIMUM_RUBY_VERSION = '2.1'
+        MAXIMUM_RUBY_VERSION = '3.1'
+      end
+    end
+  end
+end

data/lib/datadog/security/waf.rb

@@ -0,0 +1,402 @@
+require 'ffi'
+require 'json'
+require 'datadog/security/waf/version'
+
+module Datadog
+  module Security
+    module WAF
+      module LibDDWAF
+        class Error < StandardError; end
+
+        extend ::FFI::Library
+
+        def self.local_os
+          if RUBY_ENGINE == 'jruby'
+            os_name = java.lang.System.get_property('os.name')
+
+            os = case os_name
+                when /linux/i then 'linux'
+                when /mac/i   then 'darwin'
+                else raise Error, "unsupported JRuby os.name: #{os_name.inspect}"
+                end
+
+            return os
+          end
+
+          Gem::Platform.local.os
+        end
+
+        def self.local_cpu
+          if RUBY_ENGINE == 'jruby'
+            os_arch = java.lang.System.get_property('os.arch')
+
+            cpu = case os_arch
+                  when 'amd64' then 'x86_64'
+                  else raise Error, "unsupported JRuby os.arch: #{os_arch.inspect}"
+                  end
+
+            return cpu
+          end
+
+          Gem::Platform.local.cpu
+        end
+
+        def self.shared_lib_extname
+          Gem::Platform.local.os == 'darwin' ? '.dylib' : '.so'
+        end
+
+        def self.shared_lib_path
+          File.join(__dir__, "../../../vendor/libddwaf/libddwaf-#{Datadog::Security::WAF::VERSION::BASE_STRING}-#{local_os}-#{local_cpu}/lib/libddwaf#{shared_lib_extname}")
+        end
+
+        ffi_lib [shared_lib_path]
+
+        # version
+
+        class Version < ::FFI::Struct
+          layout :major, :uint16,
+                :minor, :uint16,
+                :patch, :uint16
+        end
+
+        typedef Version.by_ref, :ddwaf_version
+
+        attach_function :ddwaf_get_version, [:ddwaf_version], :void
+
+        # ddwaf::object data structure
+
+        DDWAF_OBJ_TYPE = enum :ddwaf_obj_invalid,  0,
+                              :ddwaf_obj_signed,   1 << 0,
+                              :ddwaf_obj_unsigned, 1 << 1,
+                              :ddwaf_obj_string,   1 << 2,
+                              :ddwaf_obj_array,    1 << 3,
+                              :ddwaf_obj_map,      1 << 4
+
+        typedef :pointer, :charptr
+
+        class ObjectValueUnion < ::FFI::Union
+          layout :stringValue, :charptr,
+                :uintValue,   :uint64,
+                :intValue,    :int64,
+                :array,       :pointer
+        end
+
+        class Object < ::FFI::Struct
+          layout :parameterName,       :charptr,
+                :parameterNameLength, :uint64,
+                :valueUnion,          ObjectValueUnion,
+                :nbEntries,           :uint64,
+                :type,                DDWAF_OBJ_TYPE
+        end
+
+        typedef Object.by_ref, :ddwaf_object
+
+        attach_function :ddwaf_object_invalid, [:ddwaf_object], :ddwaf_object
+        attach_function :ddwaf_object_string, [:ddwaf_object, :string], :ddwaf_object
+        attach_function :ddwaf_object_stringl, [:ddwaf_object, :charptr, :size_t], :ddwaf_object
+        attach_function :ddwaf_object_stringl_nc, [:ddwaf_object, :charptr, :size_t], :ddwaf_object
+        attach_function :ddwaf_object_unsigned, [:ddwaf_object, :uint64], :ddwaf_object
+        attach_function :ddwaf_object_signed, [:ddwaf_object, :int64], :ddwaf_object
+        attach_function :ddwaf_object_unsigned_force, [:ddwaf_object, :uint64], :ddwaf_object
+        attach_function :ddwaf_object_signed_force, [:ddwaf_object, :int64], :ddwaf_object
+
+        attach_function :ddwaf_object_array, [:ddwaf_object], :ddwaf_object
+        attach_function :ddwaf_object_array_add, [:ddwaf_object, :ddwaf_object], :bool
+
+        attach_function :ddwaf_object_map, [:ddwaf_object], :ddwaf_object
+        attach_function :ddwaf_object_map_add, [:ddwaf_object, :string, :pointer], :bool
+        attach_function :ddwaf_object_map_addl, [:ddwaf_object, :charptr, :size_t, :pointer], :bool
+        attach_function :ddwaf_object_map_addl_nc, [:ddwaf_object, :charptr, :size_t, :pointer], :bool
+
+        ObjectFree = attach_function :ddwaf_object_free, [:ddwaf_object], :void
+        ObjectNoFree = ::FFI::Pointer::NULL
+
+        # main handle
+
+        typedef :pointer, :ddwaf_handle
+        typedef Object.by_ref, :ddwaf_rule
+
+        class Config < ::FFI::Struct
+          layout :maxArrayLength, :uint64,
+                :maxMapDepth,    :uint64,
+                :maxTimeStore,   :uint64
+        end
+
+        typedef Config.by_ref, :ddwaf_config
+
+        attach_function :ddwaf_init, [:ddwaf_rule, :ddwaf_config], :ddwaf_handle
+        attach_function :ddwaf_destroy, [:ddwaf_handle], :void
+
+        # running
+
+        typedef :pointer, :ddwaf_context
+
+        callback :ddwaf_object_free_fn, [:ddwaf_object], :void
+
+        attach_function :ddwaf_context_init, [:ddwaf_handle, :ddwaf_object_free_fn], :ddwaf_context
+        attach_function :ddwaf_context_destroy, [:ddwaf_context], :void
+
+
+        DDWAF_RET_CODE = enum :ddwaf_err_internal,         -4,
+                              :ddwaf_err_invalid_object,   -3,
+                              :ddwaf_err_invalid_argument, -2,
+                              :ddwaf_err_timeout,          -1,
+                              :ddwaf_good,                  0,
+                              :ddwaf_monitor,               1,
+                              :ddwaf_block,                 2
+
+        class Result < ::FFI::Struct
+          layout :action,           DDWAF_RET_CODE,
+                :data,             :string,
+                :perfData,         :string,
+                :perfTotalRuntime, :uint32 # in us
+        end
+
+        typedef Result.by_ref, :ddwaf_result
+        typedef :uint64, :timeout_us
+
+        attach_function :ddwaf_run, [:ddwaf_context, :ddwaf_object, :ddwaf_result, :timeout_us], DDWAF_RET_CODE, blocking: true
+        attach_function :ddwaf_result_free, [:ddwaf_result], :void
+
+        # logging
+
+        DDWAF_LOG_LEVEL = enum :ddwaf_log_trace,
+                              :ddwaf_log_debug,
+                              :ddwaf_log_info,
+                              :ddwaf_log_warn,
+                              :ddwaf_log_error,
+                              :ddwaf_log_off
+
+        callback :ddwaf_log_cb, [DDWAF_LOG_LEVEL, :string, :string, :uint, :charptr, :uint64], :void
+
+        attach_function :ddwaf_set_log_cb, [:ddwaf_log_cb, DDWAF_LOG_LEVEL], :bool
+      end
+
+      def self.version
+        version = LibDDWAF::Version.new
+        LibDDWAF.ddwaf_get_version(version.pointer)
+
+        [version[:major], version[:minor], version[:patch]]
+      end
+
+      def self.ruby_to_object(val)
+        case val
+        when Array
+          obj = LibDDWAF::Object.new
+          res = LibDDWAF.ddwaf_object_array(obj)
+          if res.null?
+            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+          end
+
+          val.each do |e|
+            res = LibDDWAF.ddwaf_object_array_add(obj, ruby_to_object(e))
+            unless res
+              fail LibDDWAF::Error, "Could not add to map object: #{k.inspect} => #{v.inspect}"
+            end
+          end
+
+          obj
+        when Hash
+          obj = LibDDWAF::Object.new
+          res = LibDDWAF.ddwaf_object_map(obj)
+          if res.null?
+            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+          end
+
+          val.each do |k, v|
+            res = LibDDWAF.ddwaf_object_map_addl(obj, k.to_s, k.to_s.size, ruby_to_object(v))
+            unless res
+              fail LibDDWAF::Error, "Could not add to map object: #{k.inspect} => #{v.inspect}"
+            end
+          end
+
+          obj
+        when String
+          obj = LibDDWAF::Object.new
+          res = LibDDWAF.ddwaf_object_stringl(obj, val, val.size)
+          if res.null?
+            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+          end
+
+          obj
+        when Symbol
+          obj = LibDDWAF::Object.new
+          res = LibDDWAF.ddwaf_object_stringl(obj, val.to_s, val.size)
+          if res.null?
+            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+          end
+
+          obj
+        when Integer
+          obj = LibDDWAF::Object.new
+          res = LibDDWAF.ddwaf_object_string(obj, val.to_s)
+          if res.null?
+            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+          end
+
+          obj
+        when Float
+          obj = LibDDWAF::Object.new
+          res = LibDDWAF.ddwaf_object_string(obj, val.to_s)
+          if res.null?
+            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+          end
+
+          obj
+        when TrueClass, FalseClass
+          obj = LibDDWAF::Object.new
+          res = LibDDWAF.ddwaf_object_string(obj, val.to_s)
+          if res.null?
+            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+          end
+
+          obj
+        else
+          obj = LibDDWAF::Object.new
+          res = LibDDWAF.ddwaf_object_invalid(obj)
+          if res.null?
+            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+          end
+
+          obj
+        end
+      end
+
+      def self.object_to_ruby(obj)
+        case obj[:type]
+        when :ddwaf_obj_invalid
+          nil
+        when :ddwaf_obj_string
+          obj[:valueUnion][:stringValue].read_bytes(obj[:nbEntries])
+        when :ddwaf_obj_signed
+          obj[:valueUnion][:intValue]
+        when :ddwaf_obj_unsigned
+          obj[:valueUnion][:uintValue]
+        when :ddwaf_obj_array
+          (0...obj[:nbEntries]).each.with_object([]) do |i, a|
+            ptr = obj[:valueUnion][:array] + i * LibDDWAF::Object.size
+            e = object_to_ruby(LibDDWAF::Object.new(ptr))
+            a << e
+          end
+        when :ddwaf_obj_map
+          (0...obj[:nbEntries]).each.with_object({}) do |i, h|
+            ptr = obj[:valueUnion][:array] + i * Datadog::Security::WAF::LibDDWAF::Object.size
+            o = Datadog::Security::WAF::LibDDWAF::Object.new(ptr)
+            l = o[:parameterNameLength]
+            k = o[:parameterName].read_bytes(l)
+            v = object_to_ruby(LibDDWAF::Object.new(ptr))
+            h[k] = v
+          end
+        end
+      end
+
+      def self.logger=(logger)
+        @log_cb = proc do |level, func, file, line, message, len|
+          logger.debug { { level: level, func: func, file: file, message: message.read_bytes(len) }.inspect }
+        end
+
+        Datadog::Security::WAF::LibDDWAF.ddwaf_set_log_cb(@log_cb, :ddwaf_log_trace)
+      end
+
+      class Handle
+        attr_reader :handle_obj
+
+        DEFAULT_MAX_ARRAY_LENGTH = 0
+        DEFAULT_MAX_MAP_DEPTH = 0
+        DEFAULT_MAX_TIME_STORE = 0
+
+        def initialize(rule, config = {})
+          rule_obj = Datadog::Security::WAF.ruby_to_object(rule)
+          if rule_obj.null? || rule_obj[:type] == :ddwaf_object_invalid
+            fail LibDDWAF::Error, "Could not convert object #{rule.inspect}"
+          end
+
+          config_obj = Datadog::Security::WAF::LibDDWAF::Config.new
+          if config_obj.null?
+            fail LibDDWAF::Error, 'Could not create config struct'
+          end
+
+          config_obj[:maxArrayLength] = config[:max_array_length] || DEFAULT_MAX_ARRAY_LENGTH
+          config_obj[:maxMapDepth]    = config[:max_map_depth]    || DEFAULT_MAX_MAP_DEPTH
+          config_obj[:maxTimeStore]   = config[:max_time_store]   || DEFAULT_MAX_TIME_STORE
+
+          @handle_obj = Datadog::Security::WAF::LibDDWAF.ddwaf_init(rule_obj, config_obj)
+          if @handle_obj.null?
+            fail LibDDWAF::Error, 'Could not create handle'
+          end
+
+          ObjectSpace.define_finalizer(self, Handle.finalizer(handle_obj))
+        ensure
+          Datadog::Security::WAF::LibDDWAF.ddwaf_object_free(rule_obj) if rule_obj
+        end
+
+        def self.finalizer(handle_obj)
+          proc do |object_id|
+            Datadog::Security::WAF::LibDDWAF.ddwaf_destroy(handle_obj)
+          end
+        end
+      end
+
+      Result = Struct.new(:action, :data, :perf_data, :perf_total_runtime)
+
+      class Context
+        attr_reader :context_obj
+
+        def initialize(handle)
+          handle_obj = handle.handle_obj
+          free_func = Datadog::Security::WAF::LibDDWAF::ObjectNoFree
+
+          @context_obj = Datadog::Security::WAF::LibDDWAF.ddwaf_context_init(handle_obj, free_func)
+          if @context_obj.null?
+            fail LibDDWAF::Error, 'Could not create context'
+          end
+
+          ObjectSpace.define_finalizer(self, Context.finalizer(context_obj))
+        end
+
+        def self.finalizer(context_obj)
+          proc do |object_id|
+            Datadog::Security::WAF::LibDDWAF.ddwaf_context_destroy(context_obj)
+          end
+        end
+
+        DEFAULT_TIMEOUT_US = 10_0000
+        ACTION_MAP_OUT = {
+          ddwaf_err_internal:         :err_internal,
+          ddwaf_err_invalid_object:   :err_invalid_object,
+          ddwaf_err_invalid_argument: :err_invalid_argument,
+          ddwaf_err_timeout:          :err_invalid_object,
+          ddwaf_good:                 :good,
+          ddwaf_monitor:              :monitor,
+          ddwaf_block:                :block,
+        }
+
+        def run(input, timeout = DEFAULT_TIMEOUT_US)
+          input_obj = Datadog::Security::WAF.ruby_to_object(input)
+          if input_obj.null?
+            fail LibDDWAF::Error, "Could not convert input: #{input.inspect}"
+          end
+
+          result_obj = Datadog::Security::WAF::LibDDWAF::Result.new
+          if result_obj.null?
+            fail LibDDWAF::Error, "Could not create result object"
+          end
+
+          code = Datadog::Security::WAF::LibDDWAF.ddwaf_run(@context_obj, input_obj, result_obj, timeout)
+
+          result = Result.new(
+            ACTION_MAP_OUT[result_obj[:action]],
+            (JSON.parse(result_obj[:data]) if result_obj[:data] != nil),
+            (JSON.parse(result_obj[:perfData]) if result_obj[:perfData] != nil),
+            result_obj[:perfTotalRuntime],
+          )
+
+          [ACTION_MAP_OUT[code], result]
+        ensure
+          Datadog::Security::WAF::LibDDWAF.ddwaf_object_free(input_obj) if input_obj
+          Datadog::Security::WAF::LibDDWAF.ddwaf_result_free(result_obj) if result_obj
+        end
+      end
+    end
+  end
+end

data/lib/libddwaf.rb

@@ -0,0 +1 @@
+require 'datadog/security/waf'

data/libddwaf.gemspec

@@ -0,0 +1,40 @@
+# coding: utf-8
+
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'datadog/security/waf/version'
+
+Gem::Specification.new do |spec|
+  spec.name                  = 'libddwaf'
+  spec.version               = Datadog::Security::WAF::VERSION::STRING
+  spec.required_ruby_version = [">= #{Datadog::Security::WAF::VERSION::MINIMUM_RUBY_VERSION}", "< #{Datadog::Security::WAF::VERSION::MAXIMUM_RUBY_VERSION}"]
+  spec.required_rubygems_version = '>= 2.0.0'
+  spec.authors               = ['Datadog, Inc.']
+  spec.email                 = ['dev@datadoghq.com']
+
+  spec.summary     = 'Datadog WAF'
+  spec.description = <<-EOS.gsub(/^[\s]+/, '')
+    libddwaf packages a WAF implementation in C++, exposed to Ruby
+  EOS
+
+  spec.homepage = 'https://github.com/DataDog/libddwaf'
+  spec.license  = 'BSD-3-Clause'
+
+  if spec.respond_to?(:metadata)
+    spec.metadata['allowed_push_host'] = 'https://rubygems.org'
+  else
+    raise 'RubyGems 2.0 or newer is required to protect against public gem pushes.'
+  end
+
+  spec.files =
+    `git ls-files -z`
+    .split("\x0")
+    .reject { |f| f.match(%r{^(spec|[.]circleci)/}) }
+    .reject do |f|
+      ['.dockerignore', '.env', '.rspec', '.rubocop.yml', '.rubocop_todo.yml',
+      '.simplecov', 'Gemfile', 'Rakefile', 'docker-compose.yml'].include?(f)
+    end
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'ffi'
+end

metadata

@@ -0,0 +1,77 @@
+--- !ruby/object:Gem::Specification
+name: libddwaf
+version: !ruby/object:Gem::Version
+  version: 1.0.12.0.0.beta1
+platform: ruby
+authors:
+- Datadog, Inc.
+autorequire:
+bindir: bin
+cert_chain: []
+date: 1980-01-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: ffi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 'libddwaf packages a WAF implementation in C++, exposed to Ruby
+
+  '
+email:
+- dev@datadoghq.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/package.yml"
+- ".github/workflows/test.yml"
+- ".gitignore"
+- CONTRIBUTING.md
+- LICENSE
+- LICENSE-3rdparty.csv
+- LICENSE.Apache
+- LICENSE.BSD3
+- NOTICE
+- README.md
+- lib/datadog/security/waf.rb
+- lib/datadog/security/waf/version.rb
+- lib/libddwaf.rb
+- libddwaf.gemspec
+homepage: https://github.com/DataDog/libddwaf
+licenses:
+- BSD-3-Clause
+metadata:
+  allowed_push_host: https://rubygems.org
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.1'
+  - - "<"
+    - !ruby/object:Gem::Version
+      version: '3.1'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.0.0
+requirements: []
+rubygems_version: 3.2.16
+signing_key:
+specification_version: 4
+summary: Datadog WAF
+test_files: []