libddwaf 1.0.14.2.1.beta1-x86_64-linux → 1.3.0.1.0.beta1-x86_64-linux

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cbbad6a0fc8e957d7110a4b66d42d64e7dd3aade7116b442c38b8bf270b54c86
-  data.tar.gz: '0181b7399b0a59a4e14e455ad2737c8ec15820c7365913fae22e34679a5bfc22'
+  metadata.gz: 455c3b407e1d128e7ac7079fc8a115b244e345e2dfaff8ef028bd815fc96ee9f
+  data.tar.gz: 7866484c0ebe431a5d132cbb13d405c9d07fdf740e727bf3baf4800b46b1c43e
 SHA512:
-  metadata.gz: 493dec85beac29a1dbb4c0319177b09839248896d4f91f3478013031082858c6ea33aa9df5e6da3f5aa4ac2b822ed0168690c82b27076d27179ed9afa0559391
-  data.tar.gz: d89ee2e9c995ee60c4f52563c95dc313be90cd271f86efe4b614213829e65ea2d7e874e1a1b235f7fc6ac6df0503ade24ac5ed9d32cfcc307de341d67321bacc
+  metadata.gz: 76f413e1b71d4b4c49d1b16d6903a61eba7df7bec601a0dc1f75ba20d06e2d2c9a8dd24f73d0d8f7fe8139ad29b155aecfcf22f223e76713e1d98bd2e663ec9a
+  data.tar.gz: fe8bbb720edcd57a3212d5052d7c64f28a69982620c941ba23938b8615c433f4912d052e259d39477b50a720406bf7d87a55e78ee8565db5f1f1dd76c4c2b048

data/lib/datadog/appsec/waf/version.rb

@@ -2,8 +2,8 @@ module Datadog
   module AppSec
     module WAF
       module VERSION
-        BASE_STRING = '1.0.14'
-        STRING = "#{BASE_STRING}.2.1.beta1"
+        BASE_STRING = '1.3.0'
+        STRING = "#{BASE_STRING}.1.0.beta1"
         MINIMUM_RUBY_VERSION = '2.1'
       end
     end

data/lib/datadog/appsec/waf.rb

@@ -6,7 +6,13 @@ module Datadog
   module AppSec
     module WAF
       module LibDDWAF
-        class Error < StandardError; end
+        class Error < StandardError
+          attr_reader :ruleset_info
+
+          def initialize(msg, ruleset_info: nil)
+            @ruleset_info = ruleset_info
+          end
+        end
 
         extend ::FFI::Library
 
@@ -73,6 +79,25 @@ module Datadog
                               :ddwaf_obj_map,      1 << 4
 
         typedef :pointer, :charptr
+        typedef :pointer, :charptrptr
+
+        class UInt32Ptr < ::FFI::Struct
+          layout :value, :uint32
+        end
+
+        typedef UInt32Ptr.by_ref, :uint32ptr
+
+        class UInt64Ptr < ::FFI::Struct
+          layout :value, :uint64
+        end
+
+        typedef UInt64Ptr.by_ref, :uint64ptr
+
+        class SizeTPtr < ::FFI::Struct
+          layout :value, :size_t
+        end
+
+        typedef SizeTPtr.by_ref, :sizeptr
 
         class ObjectValueUnion < ::FFI::Union
           layout :stringValue, :charptr,
@@ -91,6 +116,8 @@ module Datadog
 
         typedef Object.by_ref, :ddwaf_object
 
+        ## setters
+
         attach_function :ddwaf_object_invalid, [:ddwaf_object], :ddwaf_object
         attach_function :ddwaf_object_string, [:ddwaf_object, :string], :ddwaf_object
         attach_function :ddwaf_object_stringl, [:ddwaf_object, :charptr, :size_t], :ddwaf_object
@@ -108,6 +135,19 @@ module Datadog
         attach_function :ddwaf_object_map_addl, [:ddwaf_object, :charptr, :size_t, :pointer], :bool
         attach_function :ddwaf_object_map_addl_nc, [:ddwaf_object, :charptr, :size_t, :pointer], :bool
 
+        ## getters
+
+        attach_function :ddwaf_object_type, [:ddwaf_object], DDWAF_OBJ_TYPE
+        attach_function :ddwaf_object_size, [:ddwaf_object], :uint64
+        attach_function :ddwaf_object_length, [:ddwaf_object], :size_t
+        attach_function :ddwaf_object_get_key, [:ddwaf_object, :sizeptr], :charptr
+        attach_function :ddwaf_object_get_string, [:ddwaf_object, :sizeptr], :charptr
+        attach_function :ddwaf_object_get_unsigned, [:ddwaf_object], :uint64
+        attach_function :ddwaf_object_get_signed, [:ddwaf_object], :int64
+        attach_function :ddwaf_object_get_index, [:ddwaf_object, :size_t], :ddwaf_object
+
+        ## freeers
+
         ObjectFree = attach_function :ddwaf_object_free, [:ddwaf_object], :void
         ObjectNoFree = ::FFI::Pointer::NULL
 
@@ -117,17 +157,39 @@ module Datadog
         typedef Object.by_ref, :ddwaf_rule
 
         class Config < ::FFI::Struct
-          layout :maxArrayLength, :uint64,
-                 :maxMapDepth,    :uint64,
-                 :maxTimeStore,   :uint64
+          class Limits < ::FFI::Struct
+            layout :max_container_size,  :uint32,
+                   :max_container_depth, :uint32,
+                   :max_string_length,   :uint32
+          end
+
+          class Obfuscator < ::FFI::Struct
+            layout :key_regex,   :pointer, # :charptr
+                   :value_regex, :pointer  # :charptr
+          end
+
+          layout :limits,     Limits,
+                 :obfuscator, Obfuscator
         end
 
         typedef Config.by_ref, :ddwaf_config
 
-        attach_function :ddwaf_init, [:ddwaf_rule, :ddwaf_config], :ddwaf_handle
+        class RuleSetInfo < ::FFI::Struct
+          layout :loaded, :uint16,
+                 :failed, :uint16,
+                 :errors, Object,
+                 :version, :string
+        end
+
+        typedef RuleSetInfo.by_ref, :ddwaf_ruleset_info
+        RuleSetInfoNone = Datadog::AppSec::WAF::LibDDWAF::RuleSetInfo.new(::FFI::Pointer::NULL)
+
+        attach_function :ddwaf_ruleset_info_free, [:ddwaf_ruleset_info], :void
+
+        attach_function :ddwaf_init, [:ddwaf_rule, :ddwaf_config, :ddwaf_ruleset_info], :ddwaf_handle
         attach_function :ddwaf_destroy, [:ddwaf_handle], :void
 
-        attach_function :ddwaf_required_addresses, [:ddwaf_handle, :pointer], :pointer
+        attach_function :ddwaf_required_addresses, [:ddwaf_handle, UInt32Ptr], :charptrptr
 
         # running
 
@@ -138,19 +200,17 @@ module Datadog
         attach_function :ddwaf_context_init, [:ddwaf_handle, :ddwaf_object_free_fn], :ddwaf_context
         attach_function :ddwaf_context_destroy, [:ddwaf_context], :void
 
-        DDWAF_RET_CODE = enum :ddwaf_err_internal,         -4,
-                              :ddwaf_err_invalid_object,   -3,
-                              :ddwaf_err_invalid_argument, -2,
-                              :ddwaf_err_timeout,          -1,
+        DDWAF_RET_CODE = enum :ddwaf_err_internal,         -3,
+                              :ddwaf_err_invalid_object,   -2,
+                              :ddwaf_err_invalid_argument, -1,
                               :ddwaf_good,                  0,
                               :ddwaf_monitor,               1,
                               :ddwaf_block,                 2
 
         class Result < ::FFI::Struct
-          layout :action,           DDWAF_RET_CODE,
+          layout :timeout,          :bool,
                  :data,             :string,
-                 :perfData,         :string,
-                 :perfTotalRuntime, :uint32 # in us
+                 :total_runtime,    :uint64
         end
 
         typedef Result.by_ref, :ddwaf_result
@@ -287,7 +347,7 @@ module Datadog
 
       def self.logger=(logger)
         @log_cb = proc do |level, func, file, line, message, len|
-          logger.debug { { level: level, func: func, file: file, message: message.read_bytes(len) }.inspect }
+          logger.debug { { level: level, func: func, file: file, line: line, message: message.read_bytes(len) }.inspect }
         end
 
         Datadog::AppSec::WAF::LibDDWAF.ddwaf_set_log_cb(@log_cb, :ddwaf_log_trace)
@@ -296,11 +356,13 @@ module Datadog
       class Handle
         attr_reader :handle_obj
 
-        DEFAULT_MAX_ARRAY_LENGTH = 0
-        DEFAULT_MAX_MAP_DEPTH = 0
-        DEFAULT_MAX_TIME_STORE = 0
+        DEFAULT_MAX_CONTAINER_SIZE  = 0
+        DEFAULT_MAX_CONTAINER_DEPTH = 0
+        DEFAULT_MAX_STRING_LENGTH   = 0
 
-        def initialize(rule, config = {})
+        attr_reader :ruleset_info
+
+        def initialize(rule, limits: {}, obfuscator: {})
           rule_obj = Datadog::AppSec::WAF.ruby_to_object(rule)
           if rule_obj.null? || rule_obj[:type] == :ddwaf_object_invalid
             fail LibDDWAF::Error, "Could not convert object #{rule.inspect}"
@@ -311,17 +373,30 @@ module Datadog
             fail LibDDWAF::Error, 'Could not create config struct'
           end
 
-          config_obj[:maxArrayLength] = config[:max_array_length] || DEFAULT_MAX_ARRAY_LENGTH
-          config_obj[:maxMapDepth]    = config[:max_map_depth]    || DEFAULT_MAX_MAP_DEPTH
-          config_obj[:maxTimeStore]   = config[:max_time_store]   || DEFAULT_MAX_TIME_STORE
+          config_obj[:limits][:max_container_size]  = limits[:max_container_size]  || DEFAULT_MAX_CONTAINER_SIZE
+          config_obj[:limits][:max_container_depth] = limits[:max_container_depth] || DEFAULT_MAX_CONTAINER_DEPTH
+          config_obj[:limits][:max_string_length]   = limits[:max_string_length]   || DEFAULT_MAX_STRING_LENGTH
+          config_obj[:obfuscator][:key_regex]       = FFI::MemoryPointer.from_string(obfuscator[:key_regex])   if obfuscator[:key_regex]
+          config_obj[:obfuscator][:value_regex]     = FFI::MemoryPointer.from_string(obfuscator[:value_regex]) if obfuscator[:value_regex]
+
+          ruleset_info = LibDDWAF::RuleSetInfo.new
+
+          @handle_obj = Datadog::AppSec::WAF::LibDDWAF.ddwaf_init(rule_obj, config_obj, ruleset_info)
+
+          @ruleset_info = {
+            loaded: ruleset_info[:loaded],
+            failed: ruleset_info[:failed],
+            errors: WAF.object_to_ruby(ruleset_info[:errors]),
+            version: ruleset_info[:version],
+          }
 
-          @handle_obj = Datadog::AppSec::WAF::LibDDWAF.ddwaf_init(rule_obj, config_obj)
           if @handle_obj.null?
-            fail LibDDWAF::Error, 'Could not create handle'
+            fail LibDDWAF::Error.new('Could not create handle', ruleset_info: @ruleset_info)
           end
 
           ObjectSpace.define_finalizer(self, Handle.finalizer(handle_obj))
         ensure
+          Datadog::AppSec::WAF::LibDDWAF.ddwaf_ruleset_info_free(ruleset_info) if ruleset_info
           Datadog::AppSec::WAF::LibDDWAF.ddwaf_object_free(rule_obj) if rule_obj
         end
 
@@ -330,9 +405,18 @@ module Datadog
             Datadog::AppSec::WAF::LibDDWAF.ddwaf_destroy(handle_obj)
           end
         end
+
+        def required_addresses
+          count = Datadog::AppSec::WAF::LibDDWAF::UInt32Ptr.new
+          list = Datadog::AppSec::WAF::LibDDWAF.ddwaf_required_addresses(handle_obj, count)
+
+          return [] if count == 0 # list is null
+
+          list.get_array_of_string(0, count[:value])
+        end
       end
 
-      Result = Struct.new(:action, :data, :perf_data, :perf_total_runtime)
+      Result = Struct.new(:action, :data, :total_runtime, :timeout)
 
       class Context
         attr_reader :context_obj
@@ -365,7 +449,6 @@ module Datadog
           ddwaf_err_internal:         :err_internal,
           ddwaf_err_invalid_object:   :err_invalid_object,
           ddwaf_err_invalid_argument: :err_invalid_argument,
-          ddwaf_err_timeout:          :err_timeout,
           ddwaf_good:                 :good,
           ddwaf_monitor:              :monitor,
           ddwaf_block:                :block,
@@ -388,10 +471,10 @@ module Datadog
           code = Datadog::AppSec::WAF::LibDDWAF.ddwaf_run(@context_obj, input_obj, result_obj, timeout)
 
           result = Result.new(
-            ACTION_MAP_OUT[result_obj[:action]],
+            ACTION_MAP_OUT[code],
             (JSON.parse(result_obj[:data]) if result_obj[:data] != nil),
-            (JSON.parse(result_obj[:perfData]) if result_obj[:perfData] != nil),
-            result_obj[:perfTotalRuntime],
+            result_obj[:total_runtime],
+            result_obj[:timeout],
           )
 
           [ACTION_MAP_OUT[code], result]

data/vendor/libddwaf/{libddwaf-1.0.14-linux-x86_64 → libddwaf-1.3.0-linux-x86_64}/include/ddwaf.h

@@ -17,8 +17,8 @@ extern "C"
 #include <stddef.h>
 
 #define DDWAF_MAX_STRING_LENGTH 4096
-#define DDWAF_MAX_MAP_DEPTH 20
-#define DDWAF_MAX_ARRAY_LENGTH 256
+#define DDWAF_MAX_CONTAINER_DEPTH 20
+#define DDWAF_MAX_CONTAINER_SIZE 256
 #define DDWAF_RUN_TIMEOUT 5000
 
 /**
@@ -48,10 +48,9 @@ typedef enum
  **/
 typedef enum
 {
-    DDWAF_ERR_INTERNAL     = -4,
-    DDWAF_ERR_INVALID_OBJECT = -3,
-    DDWAF_ERR_INVALID_ARGUMENT = -2,
-    DDWAF_ERR_TIMEOUT      = -1,
+    DDWAF_ERR_INTERNAL     = -3,
+    DDWAF_ERR_INVALID_OBJECT = -2,
+    DDWAF_ERR_INVALID_ARGUMENT = -1,
     DDWAF_GOOD             = 0,
     DDWAF_MONITOR          = 1,
     DDWAF_BLOCK            = 2
@@ -72,13 +71,21 @@ typedef enum
     DDWAF_LOG_OFF,
 } DDWAF_LOG_LEVEL;
 
+#ifdef __cplusplus
+class PowerWAF;
+class PWAdditive;
+using ddwaf_handle = PowerWAF *;
+using ddwaf_context = PWAdditive *;
+#else
 typedef struct _ddwaf_handle* ddwaf_handle;
 typedef struct _ddwaf_context* ddwaf_context;
+#endif
+
 typedef struct _ddwaf_object ddwaf_object;
 typedef struct _ddwaf_config ddwaf_config;
 typedef struct _ddwaf_result ddwaf_result;
 typedef struct _ddwaf_version ddwaf_version;
-
+typedef struct _ddwaf_ruleset_info ddwaf_ruleset_info;
 /**
  * @struct ddwaf_object
  *
@@ -94,7 +101,7 @@ struct _ddwaf_object
         const char* stringValue;
         uint64_t uintValue;
         int64_t intValue;
-        const ddwaf_object* array;
+        ddwaf_object* array;
     };
     uint64_t nbEntries;
     DDWAF_OBJ_TYPE type;
@@ -107,12 +114,22 @@ struct _ddwaf_object
  **/
 struct _ddwaf_config
 {
-    /** Maximum length of ddwaf::object arrays. */
-    uint64_t maxArrayLength;
-    /** Maximum depth of ddwaf::object maps. */
-    uint64_t maxMapDepth;
-    /** Maximum size of the rule run time store. **/
-    int32_t maxTimeStore;
+    struct {
+        /** Maximum size of ddwaf::object containers. */
+        uint32_t max_container_size;
+        /** Maximum depth of ddwaf::object containers. */
+        uint32_t max_container_depth;
+        /** Maximum length of ddwaf::object strings. */
+        uint32_t max_string_length;
+    } limits;
+
+    /** Obfuscator regexes - the strings are owned by the caller */
+    struct {
+        /** Regular expression for key-based obfuscation */
+        const char *key_regex;
+        /** Regular expression for value-based obfuscation */
+        const char *value_regex;
+    } obfuscator;
 };
 
 /**
@@ -122,14 +139,12 @@ struct _ddwaf_config
  **/
 struct _ddwaf_result
 {
-    /** Run result action **/
-    DDWAF_RET_CODE action;
+    /** Whether there has been a timeout during the operation **/
+    bool timeout;
     /** Run result in JSON format **/
     const char* data;
-    /** Performance data in JSON format **/
-    const char* perfData;
-    /** Total run time in microseconds **/
-    uint32_t perfTotalRuntime;
+    /** Total WAF runtime in nanoseconds **/
+    uint64_t total_runtime;
 };
 
 /**
@@ -144,6 +159,24 @@ struct _ddwaf_version
     uint16_t patch;
 };
 
+/**
+ * @ddwaf_ruleset_info
+ *
+ * Structure containing diagnostics on the provided ruleset.
+ * */
+struct _ddwaf_ruleset_info
+{
+    /** Number of rules successfully loaded **/
+    uint16_t loaded;
+    /** Number of rules which failed to parse **/
+    uint16_t failed;
+    /** Map from an error string to an array of all the rule ids for which
+     *  that error was raised. {error: [rule_ids]} **/
+    ddwaf_object errors;
+    /** Ruleset version **/
+    const char *version;
+};
+
 /**
  * @typedef ddwaf_object_free_fn
  *
@@ -174,10 +207,12 @@ typedef void (*ddwaf_log_cb)(
  *
  * @param rule ddwaf::object containing the patterns to be used by the WAF. (nonnull)
  * @param config Optional configuration of the WAF. (nullable)
+ * @param info Optional ruleset parsing diagnostics. (nullable)
  *
  * @return Handle to the WAF instance.
  **/
-ddwaf_handle ddwaf_init(const ddwaf_object *rule, const ddwaf_config* config);
+ddwaf_handle ddwaf_init(const ddwaf_object *rule,
+    const ddwaf_config* config, ddwaf_ruleset_info *info);
 
 /**
  * ddwaf_destroy
@@ -187,7 +222,14 @@ ddwaf_handle ddwaf_init(const ddwaf_object *rule, const ddwaf_config* config);
  * @param Handle to the WAF instance.
  */
 void ddwaf_destroy(ddwaf_handle handle);
-
+/**
+ * ddwaf_ruleset_info_free
+ *
+ * Free the memory associated with the ruleset info structure.
+ *
+ * @param info Ruleset info to free.
+ * */
+void ddwaf_ruleset_info_free(ddwaf_ruleset_info *info);
 /**
  * ddwaf_required_addresses
  *
@@ -248,7 +290,8 @@ ddwaf_context ddwaf_context_init(const ddwaf_handle handle, ddwaf_object_free_fn
  *                           data is unknown. The result structure will not be
  *                           filled if this error occurs.
  **/
-DDWAF_RET_CODE ddwaf_run(ddwaf_context context, ddwaf_object *data, ddwaf_result *result, uint64_t timeout);
+DDWAF_RET_CODE ddwaf_run(ddwaf_context context, ddwaf_object *data,
+                         ddwaf_result *result,  uint64_t timeout);
 
 /**
  * ddwaf_context_destroy
@@ -451,6 +494,101 @@ bool ddwaf_object_map_addl(ddwaf_object *map, const char *key, size_t length, dd
  **/
 bool ddwaf_object_map_addl_nc(ddwaf_object *map, const char *key, size_t length, ddwaf_object *object);
 
+/**
+ * ddwaf_object_type
+ *
+ * Returns the type of the object.
+ *
+ * @param object The object from which to get the type.
+ *
+ * @return The object type of DDWAF_OBJ_INVALID if NULL.
+ **/
+DDWAF_OBJ_TYPE ddwaf_object_type(ddwaf_object *object);
+
+/**
+ * ddwaf_object_size
+ *
+ * Returns the size of the container object.
+ *
+ * @param object The object from which to get the size.
+ *
+ * @return The object size or 0 if the object is not a container (array, map).
+ **/
+size_t ddwaf_object_size(ddwaf_object *object);
+
+/**
+ * ddwaf_object_length
+ *
+ * Returns the length of the string object.
+ *
+ * @param object The object from which to get the length.
+ *
+ * @return The string length or 0 if the object is not a string.
+ **/
+size_t ddwaf_object_length(ddwaf_object *object);
+
+/**
+ * ddwaf_object_get_key
+ *
+ * Returns the key contained within the object.
+ *
+ * @param object The object from which to get the key.
+ * @param length Output parameter on which to return the length of the key,
+ *               this parameter is optional / nullable.
+ *
+ * @return The key of the object or NULL if the object doesn't contain a key.
+ **/
+const char* ddwaf_object_get_key(ddwaf_object *object, size_t *length);
+
+/**
+ * ddwaf_object_get_string
+ *
+ * Returns the string contained within the object.
+ *
+ * @param object The object from which to get the string.
+ * @param length Output parameter on which to return the length of the string,
+ *               this parameter is optional / nullable.
+ *
+ * @return The string of the object or NULL if the object is not a string.
+ **/
+const char* ddwaf_object_get_string(ddwaf_object *object, size_t *length);
+
+/**
+ * ddwaf_object_get_unsigned
+ *
+ * Returns the uint64 contained within the object.
+ *
+ * @param object The object from which to get the integer.
+ *
+ * @return The integer or 0 if the object is not an unsigned.
+ **/
+uint64_t ddwaf_object_get_unsigned(ddwaf_object *object);
+
+/**
+ * ddwaf_object_get_signed
+ *
+ * Returns the int64 contained within the object.
+ *
+ * @param object The object from which to get the integer.
+ *
+ * @return The integer or 0 if the object is not a signed.
+ **/
+int64_t ddwaf_object_get_signed(ddwaf_object *object);
+
+/**
+ * ddwaf_object_get_index
+ *
+ * Returns the object contained in the container at the given index.
+ *
+ * @param object The container from which to extract the object.
+ * @param index The position of the required object within the container.
+ *
+ * @return The requested object or NULL if the index is out of bounds or the
+ *         object is not a container.
+ **/
+ddwaf_object* ddwaf_object_get_index(ddwaf_object *object, size_t index);
+
+
 /**
  * ddwaf_object_free
  *

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: libddwaf
 version: !ruby/object:Gem::Version
-  version: 1.0.14.2.1.beta1
+  version: 1.3.0.1.0.beta1
 platform: x86_64-linux
 authors:
 - Datadog, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-03-03 00:00:00.000000000 Z
+date: 2022-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -41,8 +41,8 @@ files:
 - lib/datadog/appsec/waf.rb
 - lib/datadog/appsec/waf/version.rb
 - lib/libddwaf.rb
-- vendor/libddwaf/libddwaf-1.0.14-linux-x86_64/include/ddwaf.h
-- vendor/libddwaf/libddwaf-1.0.14-linux-x86_64/lib/libddwaf.so
+- vendor/libddwaf/libddwaf-1.3.0-linux-x86_64/include/ddwaf.h
+- vendor/libddwaf/libddwaf-1.3.0-linux-x86_64/lib/libddwaf.so
 homepage: https://github.com/DataDog/libddwaf
 licenses:
 - BSD-3-Clause