libddwaf 1.14.0.0.0-arm64-darwin → 1.18.0.0.0-arm64-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a8504c955727644f532a1bf86f97e4531780bc12aaf617972f77f6d47858d624
-  data.tar.gz: b934852060eef0354e1be5d500aaa8409c70d31dc12f417cd7bec33241617009
+  metadata.gz: 9b529e469cd72c13ad59ec392cbf6b1266daeea44871e388a048a34ec4f0bdf9
+  data.tar.gz: d2c5354d770987587743b2c4ad19b0a38085021c1770118492a2ed2eb6166c51
 SHA512:
-  metadata.gz: 6fafdc08a74b09f2faed8a3b74de401e16fe52d085bcb74250fd59d3ed8eb5cb7e137eb9a25e9e99a91e891d20aa14ced288ae6956fbb5de1d8874a86acedf05
-  data.tar.gz: 1818e719ec5dc119ff56944c7c25323880c336235886b6df146f5b4e68b61b72271bb340f64f55c9b5b1e6b342c4ed3b9fbae581a8d37671c7b2e74233e0e9e2
+  metadata.gz: 6f1f32f96ab7ee0c99fd7461f52a3cd184dee1c56ca96915453e1a62349bd2f67948ca1f8ff12c8500332a1fff1108383188d0b84150031e035aba3b9db9f545
+  data.tar.gz: 9eda1af4cd84f265f361177133e100e672a7ffa120e89e5285bb9177b536569fcecad59e85933043593344de4651dea1382791e79221508cf03762684397f551

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# 2024-10-29 v.1.15.0.0.0
+- Update to libddwaf 1.15.0
+- Changed `Datadog::AppSec::WAF::Context#run` interface to accommodate ephemeral data ([Breaking change](https://github.com/DataDog/libddwaf/blob/master/CHANGELOG.md#v1150-unstable))
+
 # 2023-09-11 v.1.14.0.0.0
 - Update to libddwaf 1.14.0
 - Add support for `Float` and `Nil` scalar values when converting from ruby to WAF Object and vice versa.
@@ -6,7 +10,7 @@
 # 2023-08-29 v.1.11.0.0.0
 
 - Update to libddwaf 1.11.0
-- Changed `Datadog::AppSec::WAF::Handle#ruleset_info` to `Datadog::AppSec::WAF::Handle#diagnostics``. (Breaking change)
+- Changed `Datadog::AppSec::WAF::Handle#ruleset_info` to `Datadog::AppSec::WAF::Handle#diagnostics`. (Breaking change)
   The schema of the diagnostics variable can be found [here](https://github.com/DataDog/libddwaf/blob/master/schema/diagnostics.json)
 - Changed `Datadog::AppSec::WAF::Result#data` to `Datadog::AppSec::WAF::Result#events`. (Breaking change)
   The schema of the events variable can be found [here](https://github.com/DataDog/libddwaf/blob/master/schema/events.json)

data/lib/datadog/appsec/waf/context.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module WAF
+      # Ruby representation of the ddwaf_context in libddwaf
+      # See https://github.com/DataDog/libddwaf/blob/10e3a1dfc7bc9bb8ab11a09a9f8b6b339eaf3271/BINDING_IMPL_NOTES.md?plain=1#L125-L158
+      class Context
+        RESULT_CODE = {
+          ddwaf_ok: :ok,
+          ddwaf_match: :match,
+          ddwaf_err_internal: :err_internal,
+          ddwaf_err_invalid_object: :err_invalid_object,
+          ddwaf_err_invalid_argument: :err_invalid_argument
+        }.freeze
+
+        attr_reader :context_obj
+
+        def initialize(handle)
+          handle_obj = handle.handle_obj
+          retain(handle)
+
+          @context_obj = LibDDWAF.ddwaf_context_init(handle_obj)
+          raise LibDDWAF::Error, 'Could not create context' if @context_obj.null?
+
+          validate!
+        end
+
+        def finalize
+          invalidate!
+
+          retained.each do |retained_obj|
+            next unless retained_obj.is_a?(LibDDWAF::Object)
+
+            LibDDWAF.ddwaf_object_free(retained_obj)
+          end
+
+          LibDDWAF.ddwaf_context_destroy(context_obj)
+        end
+
+        def run(persistent_data, ephemeral_data, timeout = LibDDWAF::DDWAF_RUN_TIMEOUT)
+          valid!
+
+          persistent_data_obj = Converter.ruby_to_object(
+            persistent_data,
+            max_container_size: LibDDWAF::DDWAF_MAX_CONTAINER_SIZE,
+            max_container_depth: LibDDWAF::DDWAF_MAX_CONTAINER_DEPTH,
+            max_string_length: LibDDWAF::DDWAF_MAX_STRING_LENGTH,
+            coerce: false
+          )
+          if persistent_data_obj.null?
+            raise LibDDWAF::Error, "Could not convert persistent data: #{persistent_data.inspect}"
+          end
+
+          # retain C objects in memory for subsequent calls to run
+          retain(persistent_data_obj)
+
+          ephemeral_data_obj = Converter.ruby_to_object(
+            ephemeral_data,
+            max_container_size: LibDDWAF::DDWAF_MAX_CONTAINER_SIZE,
+            max_container_depth: LibDDWAF::DDWAF_MAX_CONTAINER_DEPTH,
+            max_string_length: LibDDWAF::DDWAF_MAX_STRING_LENGTH,
+            coerce: false
+          )
+          if ephemeral_data_obj.null?
+            raise LibDDWAF::Error, "Could not convert ephemeral data: #{ephemeral_data.inspect}"
+          end
+
+          result_obj = LibDDWAF::Result.new
+          raise LibDDWAF::Error, 'Could not create result object' if result_obj.null?
+
+          code = LibDDWAF.ddwaf_run(@context_obj, persistent_data_obj, ephemeral_data_obj, result_obj, timeout)
+
+          result = Result.new(
+            RESULT_CODE[code],
+            Converter.object_to_ruby(result_obj[:events]),
+            result_obj[:total_runtime],
+            result_obj[:timeout],
+            Converter.object_to_ruby(result_obj[:actions]),
+            Converter.object_to_ruby(result_obj[:derivatives])
+          )
+
+          [RESULT_CODE[code], result]
+        ensure
+          LibDDWAF.ddwaf_result_free(result_obj) if result_obj
+        end
+
+        private
+
+        def validate!
+          @valid = true
+        end
+
+        def invalidate!
+          @valid = false
+        end
+
+        def valid?
+          @valid
+        end
+
+        def valid!
+          return if valid?
+
+          raise LibDDWAF::Error, "Attempt to use an invalid instance: #{inspect}"
+        end
+
+        def retained
+          @retained ||= []
+        end
+
+        def retain(object)
+          retained << object
+        end
+
+        def release(object)
+          retained.delete(object)
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/waf/converter.rb

@@ -0,0 +1,172 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module WAF
+      # Module responsible for Ruby-to-C and C-to-Ruby conversions
+      module Converter
+        module_function
+
+        # rubocop:disable Metrics/MethodLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+        def ruby_to_object(val, max_container_size: nil, max_container_depth: nil, max_string_length: nil, coerce: true)
+          case val
+          when Array
+            obj = LibDDWAF::Object.new
+            res = LibDDWAF.ddwaf_object_array(obj)
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val}"
+            end
+
+            max_index = max_container_size - 1 if max_container_size
+            val.each.with_index do |e, i| # rubocop:disable Style/MultilineIfModifier
+              member = Converter.ruby_to_object(e,
+                                                max_container_size: max_container_size,
+                                                max_container_depth: (max_container_depth - 1 if max_container_depth),
+                                                max_string_length: max_string_length,
+                                                coerce: coerce)
+              e_res = LibDDWAF.ddwaf_object_array_add(obj, member)
+              raise LibDDWAF::Error, "Could not add to array object: #{e.inspect}" unless e_res
+
+              break val if max_index && i >= max_index
+            end unless max_container_depth == 0
+
+            obj
+          when Hash
+            obj = LibDDWAF::Object.new
+            res = LibDDWAF.ddwaf_object_map(obj)
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val}"
+            end
+
+            max_index = max_container_size - 1 if max_container_size
+            val.each.with_index do |e, i| # rubocop:disable Style/MultilineIfModifier
+              # for Steep, which doesn't handle |(k, v), i|
+              k, v = e[0], e[1] # rubocop:disable Style/ParallelAssignment
+
+              k = k.to_s[0, max_string_length] if max_string_length
+              member = Converter.ruby_to_object(v,
+                                                max_container_size: max_container_size,
+                                                max_container_depth: (max_container_depth - 1 if max_container_depth),
+                                                max_string_length: max_string_length,
+                                                coerce: coerce)
+              kv_res = LibDDWAF.ddwaf_object_map_addl(obj, k.to_s, k.to_s.bytesize, member)
+              unless kv_res
+                raise LibDDWAF::Error, "Could not add to map object: #{k.inspect} => #{v.inspect}"
+              end
+
+              break val if max_index && i >= max_index
+            end unless max_container_depth == 0
+
+            obj
+          when String
+            obj = LibDDWAF::Object.new
+            encoded_val = val.to_s.encode('utf-8', invalid: :replace, undef: :replace)
+            val = encoded_val[0, max_string_length] if max_string_length
+            str = val.to_s
+            res = LibDDWAF.ddwaf_object_stringl(obj, str, str.bytesize)
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+            end
+
+            obj
+          when Symbol
+            obj = LibDDWAF::Object.new
+            val = val.to_s[0, max_string_length] if max_string_length
+            str = val.to_s
+            res = LibDDWAF.ddwaf_object_stringl(obj, str, str.bytesize)
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+            end
+
+            obj
+          when Integer
+            obj = LibDDWAF::Object.new
+            res = if coerce
+                    LibDDWAF.ddwaf_object_string(obj, val.to_s)
+                  elsif val < 0
+                    LibDDWAF.ddwaf_object_signed(obj, val)
+                  else
+                    LibDDWAF.ddwaf_object_unsigned(obj, val)
+                  end
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+            end
+
+            obj
+          when Float
+            obj = LibDDWAF::Object.new
+            res = if coerce
+                    LibDDWAF.ddwaf_object_string(obj, val.to_s)
+                  else
+                    LibDDWAF.ddwaf_object_float(obj, val)
+                  end
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+            end
+
+            obj
+          when TrueClass, FalseClass
+            obj = LibDDWAF::Object.new
+            res = if coerce
+                    LibDDWAF.ddwaf_object_string(obj, val.to_s)
+                  else
+                    LibDDWAF.ddwaf_object_bool(obj, val)
+                  end
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+            end
+
+            obj
+          when NilClass
+            obj = LibDDWAF::Object.new
+            res = if coerce
+                    LibDDWAF.ddwaf_object_string(obj, '')
+                  else
+                    LibDDWAF.ddwaf_object_null(obj)
+                  end
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+            end
+
+            obj
+          else
+            Converter.ruby_to_object('')
+          end
+        end
+        # rubocop:enable Metrics/MethodLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+
+        def object_to_ruby(obj)
+          case obj[:type]
+          when :ddwaf_obj_invalid, :ddwaf_obj_null
+            nil
+          when :ddwaf_obj_bool
+            obj[:valueUnion][:boolean]
+          when :ddwaf_obj_string
+            obj[:valueUnion][:stringValue].read_bytes(obj[:nbEntries])
+          when :ddwaf_obj_signed
+            obj[:valueUnion][:intValue]
+          when :ddwaf_obj_unsigned
+            obj[:valueUnion][:uintValue]
+          when :ddwaf_obj_float
+            obj[:valueUnion][:f64]
+          when :ddwaf_obj_array
+            (0...obj[:nbEntries]).each.with_object([]) do |i, a|
+              ptr = obj[:valueUnion][:array] + i * LibDDWAF::Object.size
+              e = Converter.object_to_ruby(LibDDWAF::Object.new(ptr))
+              a << e # steep:ignore
+            end
+          when :ddwaf_obj_map
+            (0...obj[:nbEntries]).each.with_object({}) do |i, h|
+              ptr = obj[:valueUnion][:array] + i * Datadog::AppSec::WAF::LibDDWAF::Object.size
+              o = Datadog::AppSec::WAF::LibDDWAF::Object.new(ptr)
+              l = o[:parameterNameLength]
+              k = o[:parameterName].read_bytes(l)
+              v = Converter.object_to_ruby(LibDDWAF::Object.new(ptr))
+              h[k] = v # steep:ignore
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/waf/handle.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module WAF
+      # Ruby representation of the ddwaf_handle in libddwaf
+      # See https://github.com/DataDog/libddwaf/blob/10e3a1dfc7bc9bb8ab11a09a9f8b6b339eaf3271/BINDING_IMPL_NOTES.md?plain=1#L4-L19
+      class Handle
+        attr_reader :handle_obj, :diagnostics, :config
+
+        def initialize(rule, limits: {}, obfuscator: {})
+          rule_obj = Converter.ruby_to_object(rule)
+          if rule_obj.null? || rule_obj[:type] == :ddwaf_object_invalid
+            raise LibDDWAF::Error, "Could not convert object #{rule.inspect}"
+          end
+
+          config_obj = Datadog::AppSec::WAF::LibDDWAF::Config.new
+          if config_obj.null?
+            raise LibDDWAF::Error, 'Could not create config struct'
+          end
+
+          config_obj[:limits][:max_container_size]  = limits[:max_container_size]  || LibDDWAF::DEFAULT_MAX_CONTAINER_SIZE
+          config_obj[:limits][:max_container_depth] = limits[:max_container_depth] || LibDDWAF::DEFAULT_MAX_CONTAINER_DEPTH
+          config_obj[:limits][:max_string_length]   = limits[:max_string_length]   || LibDDWAF::DEFAULT_MAX_STRING_LENGTH
+          config_obj[:obfuscator][:key_regex]       = FFI::MemoryPointer.from_string(obfuscator[:key_regex])   if obfuscator[:key_regex]
+          config_obj[:obfuscator][:value_regex]     = FFI::MemoryPointer.from_string(obfuscator[:value_regex]) if obfuscator[:value_regex]
+          config_obj[:free_fn] = LibDDWAF::ObjectNoFree
+
+          @config = config_obj
+
+          diagnostics_obj = LibDDWAF::Object.new
+
+          @handle_obj = LibDDWAF.ddwaf_init(rule_obj, config_obj, diagnostics_obj)
+
+          @diagnostics = Converter.object_to_ruby(diagnostics_obj)
+
+          if @handle_obj.null?
+            raise LibDDWAF::Error.new('Could not create handle', diagnostics: @diagnostics)
+          end
+
+          validate!
+        ensure
+          LibDDWAF.ddwaf_object_free(diagnostics_obj) if diagnostics_obj
+          LibDDWAF.ddwaf_object_free(rule_obj) if rule_obj
+        end
+
+        def finalize
+          invalidate!
+
+          LibDDWAF.ddwaf_destroy(handle_obj)
+        end
+
+        def required_addresses
+          valid!
+
+          count = LibDDWAF::UInt32Ptr.new
+          list = LibDDWAF.ddwaf_known_addresses(handle_obj, count)
+
+          return [] if count == 0 # list is null
+
+          list.get_array_of_string(0, count[:value])
+        end
+
+        def merge(data)
+          data_obj = Converter.ruby_to_object(data, coerce: false)
+          diagnostics_obj = LibDDWAF::Object.new
+          new_handle = LibDDWAF.ddwaf_update(handle_obj, data_obj, diagnostics_obj)
+
+          return if new_handle.null?
+
+          diagnostics = Converter.object_to_ruby(diagnostics_obj)
+          new_from_handle(new_handle, diagnostics, config)
+        ensure
+          LibDDWAF.ddwaf_object_free(data_obj) if data_obj
+          LibDDWAF.ddwaf_object_free(diagnostics_obj) if diagnostics_obj
+        end
+
+        private
+
+        def new_from_handle(handle_object, diagnostics, config)
+          obj = Handle.allocate
+          obj.instance_variable_set(:@handle_obj, handle_object)
+          obj.instance_variable_set(:@diagnostics, diagnostics)
+          obj.instance_variable_set(:@config, config)
+          obj
+        end
+
+        def validate!
+          @valid = true
+        end
+
+        def invalidate!
+          @valid = false
+        end
+
+        def valid?
+          @valid
+        end
+
+        def valid!
+          return if valid?
+
+          raise LibDDWAF::Error, "Attempt to use an invalid instance: #{inspect}"
+        end
+      end
+    end
+  end
+end