libddwaf 1.14.0.0.0 → 1.18.0.0.0

data/.github/workflows/test.yml

@@ -3,220 +3,116 @@ on:
   - push
 
 jobs:
-  test-linux:
+  test-cruby-linux:
     strategy:
       fail-fast: false
       matrix:
+        os: [ubuntu-24.04]
+        ruby: ["2.5", "2.6", "2.7", "3.0", "3.1", "3.2", "3.3"]
+        arch: [amd64, arm64]
+        libc: [gnu, musl]
         include:
-          - os: ubuntu-20.04
-            cpu: x86_64
+          - arch: amd64
             platform: x86_64-linux
-            image: ruby:3.1
-            qemu: amd64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: aarch64
+          - arch: arm64
             platform: aarch64-linux
-            image: ruby:3.1
-            qemu: arm64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: x86_64
-            platform: x86_64-linux
-            image: ruby:3.0
-            qemu: amd64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: aarch64
-            platform: aarch64-linux
-            image: ruby:3.0
-            qemu: arm64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: x86_64
-            platform: x86_64-linux
-            image: ruby:2.7
-            qemu: amd64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: aarch64
-            platform: aarch64-linux
-            image: ruby:2.7
-            qemu: arm64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: x86_64
-            platform: x86_64-linux
-            image: ruby:2.6
-            qemu: amd64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: aarch64
-            platform: aarch64-linux
-            image: ruby:2.6
-            qemu: arm64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: x86_64
-            platform: x86_64-linux
-            image: ruby:2.5
-            qemu: amd64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: x86_64
-            platform: x86_64-linux
-            image: ruby:2.4
-            qemu: amd64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: x86_64
-            platform: x86_64-linux
-            image: ruby:2.3
-            qemu: amd64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: x86_64
-            platform: x86_64-linux
-            image: ruby:2.2
-            qemu: amd64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: x86_64
-            platform: x86_64-linux
-            image: ruby:2.1
-            qemu: amd64
-            libc: gnu
-          - os: ubuntu-20.04
-            cpu: x86_64
-            platform: x86_64-linux
-            image: ruby:3.1-alpine
-            qemu: amd64
-            libc: musl
-          - os: ubuntu-20.04
-            cpu: aarch64
-            platform: aarch64-linux
-            image: ruby:3.1-alpine
-            qemu: arm64
-            libc: musl
-          - os: ubuntu-20.04
-            cpu: x86_64
-            platform: x86_64-linux
-            image: ruby:3.0-alpine
-            qemu: amd64
-            libc: musl
-          - os: ubuntu-20.04
-            cpu: aarch64
-            platform: aarch64-linux
-            image: ruby:3.0-alpine
-            qemu: arm64
-            libc: musl
-          - os: ubuntu-20.04
-            cpu: x86_64
-            platform: x86_64-linux
-            image: ruby:2.7-alpine
-            qemu: amd64
-            libc: musl
-          - os: ubuntu-20.04
-            cpu: aarch64
-            platform: aarch64-linux
-            image: ruby:2.7-alpine
-            qemu: arm64
-            libc: musl
-          - os: ubuntu-20.04
-            cpu: x86_64
+
+    name: Test (Ruby ${{ matrix.ruby }}, ${{ matrix.arch }}, ${{ matrix.libc }})
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build docker image
+        id: build-image
+        uses: ./.github/actions/docker-build-ruby
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          arch: ${{ matrix.arch }}
+          libc: ${{ matrix.libc }}
+
+      - name: Bundle install
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle install
+
+      - name: Fetch binary library
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake fetch[${{ matrix.platform }}]
+
+      - name: Extract binary library
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake extract[${{ matrix.platform }}]
+
+      - name: Run specs
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake spec
+
+  test-jruby-linux:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-24.04]
+        jruby: ["9.3", "9.4"]
+        arch: [amd64, arm64]
+        include:
+          - arch: amd64
             platform: x86_64-linux
-            image: ruby:2.6-alpine
-            qemu: amd64
-            libc: musl
-          - os: ubuntu-20.04
-            cpu: aarch64
+          - arch: arm64
             platform: aarch64-linux
-            image: ruby:2.6-alpine
-            qemu: arm64
-            libc: musl
-        # TODO: jruby images have no sudo so apt-get can't get a lock
-        # - os: ubuntu-20.04
-        #   cpu: x86_64
-        #   platform: x86_64-linux-gnu
-        #   image: jruby:9.3.0.0
-        #   qemu: amd64
-        #   libc: gnu
-        # - os: ubuntu-20.04
-        #   cpu: x86_64
-        #   platform: x86_64-linux-gnu
-        #   image: jruby:9.2.8.0
-        #   qemu: amd64
-        #   libc: gnu
-        # - os: ubuntu-20.04
-        #   cpu: x86_64
-        #   platform: aarch64-linux-gnu
-        #   image: jruby:9.3.4.0
-        #   qemu: arm64
-        #   libc: gnu
-    name: Test (${{ matrix.image }}, ${{ matrix.cpu }})
+
+    name: Test (Jruby ${{ matrix.jruby }}, ${{ matrix.arch }})
     runs-on: ${{ matrix.os }}
+
     steps:
-      - name: Enable ${{ matrix.qemu }} platform
-        id: qemu
-        if: ${{ matrix.cpu != 'amd64' }}
-        run: |
-          docker run --privileged --rm tonistiigi/binfmt:latest --install ${{ matrix.qemu }} | tee platforms.json
-          echo "::set-output name=platforms::$(cat platforms.json)"
-      - name: Start container
-        id: container
-        run: |
-          echo ${{ matrix.image }} > container_image
-          docker run --rm -d -v "${PWD}":"${PWD}" -w "${PWD}" --platform linux/${{ matrix.qemu }} ${{ matrix.image }} /bin/sleep 64d | tee container_id
-          docker exec -w "${PWD}" $(cat container_id) uname -a
-          echo "::set-output name=id::$(cat container_id)"
-      - name: Install Alpine system dependencies
-        if: ${{ matrix.libc == 'musl' }}
-        run: docker exec -w "${PWD}" ${{ steps.container.outputs.id }} apk add --no-cache build-base git
-      - name: Install JRuby system dependencies
-        if: ${{ startsWith(matrix.image, 'jruby') }}
-        run: |
-          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} sudo apt-get update
-          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} sudo apt-get install -y build-essential git
       - name: Checkout
-        uses: actions/checkout@v2
-      - name: Bundle
-        run: |
-          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} bundle install
+        uses: actions/checkout@v4
+
+      - name: Build docker image
+        id: build-image
+        uses: ./.github/actions/docker-build-ruby
+        with:
+          ruby-version: ${{ matrix.jruby }}
+          jruby: true
+          arch: ${{ matrix.arch }}
+          libc: gnu
+
+      - name: Bundle install
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle install
+
       - name: Fetch binary library
-        run: |
-          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} bundle exec rake fetch[${{ matrix.platform }}]
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake fetch[${{ matrix.platform }}]
+
       - name: Extract binary library
-        run: |
-          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} bundle exec rake extract[${{ matrix.platform }}]
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake extract[${{ matrix.platform }}]
+
       - name: Run specs
-        run: |
-          docker exec -w "${PWD}" ${{ steps.container.outputs.id }} bundle exec rake spec
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake spec
+
   test-darwin:
     strategy:
       fail-fast: false
       matrix:
+        os: [macos-15, macos-15-large]
         include:
-          - os: macos-12
-            cpu: x86_64
+          - os: macos-15
+            platform: arm64-darwin
+          - os: macos-15-large
             platform: x86_64-darwin
-        # - os: macos-12
-        #   cpu: arm64
-        #   platform: arm64-darwin
-    name: Test (${{ matrix.os }} ${{ matrix.cpu }})
+
+    name: Test (${{ matrix.os }})
     runs-on: ${{ matrix.os }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+
       - name: Bundle
-        run: |
-          bundle install
+        run: bundle install
+
       - name: Fetch binary library
-        run: |
-          bundle exec rake fetch[${{ matrix.platform }}]
+        run: bundle exec rake fetch[${{ matrix.platform }}]
+
       - name: Extract binary library
-        run: |
-          bundle exec rake extract[${{ matrix.platform }}]
-      - name: Run specs
-        run: |
-          bundle exec rake spec
+        run: bundle exec rake extract[${{ matrix.platform }}]
 
+      - name: Run specs
+        run: bundle exec rake spec

data/.gitignore

@@ -1,7 +1,10 @@
-Gemfile.lock
 /.envrc
 /vendor/bundle
 /vendor/libddwaf
 /pkg
+/tmp
 *.gem
 *.vim
+.ruby-version
+.github-token
+Gemfile.lock

data/.steepignore

@@ -0,0 +1,4 @@
+ffi/library.rbs:36:45 "Type `::FFI::DataConverter` is generic but used as a non generic type"
+ffi/struct.rbs:5:15 "Type application of `::FFI::Type::Mapped` doesn't satisfy the constraints"
+ffi/struct.rbs:23:29 "Type application of `::FFI::Type::Mapped` doesn't satisfy the constraints"
+ffi/auto_pointer.rbs:15:65 "Type application of `::FFI::AutoPointer::Releaser::_Proc` doesn't satisfy the constraints"

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# 2024-10-29 v.1.15.0.0.0
+- Update to libddwaf 1.15.0
+- Changed `Datadog::AppSec::WAF::Context#run` interface to accommodate ephemeral data ([Breaking change](https://github.com/DataDog/libddwaf/blob/master/CHANGELOG.md#v1150-unstable))
+
 # 2023-09-11 v.1.14.0.0.0
 - Update to libddwaf 1.14.0
 - Add support for `Float` and `Nil` scalar values when converting from ruby to WAF Object and vice versa.
@@ -6,7 +10,7 @@
 # 2023-08-29 v.1.11.0.0.0
 
 - Update to libddwaf 1.11.0
-- Changed `Datadog::AppSec::WAF::Handle#ruleset_info` to `Datadog::AppSec::WAF::Handle#diagnostics``. (Breaking change)
+- Changed `Datadog::AppSec::WAF::Handle#ruleset_info` to `Datadog::AppSec::WAF::Handle#diagnostics`. (Breaking change)
   The schema of the diagnostics variable can be found [here](https://github.com/DataDog/libddwaf/blob/master/schema/diagnostics.json)
 - Changed `Datadog::AppSec::WAF::Result#data` to `Datadog::AppSec::WAF::Result#events`. (Breaking change)
   The schema of the events variable can be found [here](https://github.com/DataDog/libddwaf/blob/master/schema/events.json)

data/lib/datadog/appsec/waf/context.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module WAF
+      # Ruby representation of the ddwaf_context in libddwaf
+      # See https://github.com/DataDog/libddwaf/blob/10e3a1dfc7bc9bb8ab11a09a9f8b6b339eaf3271/BINDING_IMPL_NOTES.md?plain=1#L125-L158
+      class Context
+        RESULT_CODE = {
+          ddwaf_ok: :ok,
+          ddwaf_match: :match,
+          ddwaf_err_internal: :err_internal,
+          ddwaf_err_invalid_object: :err_invalid_object,
+          ddwaf_err_invalid_argument: :err_invalid_argument
+        }.freeze
+
+        attr_reader :context_obj
+
+        def initialize(handle)
+          handle_obj = handle.handle_obj
+          retain(handle)
+
+          @context_obj = LibDDWAF.ddwaf_context_init(handle_obj)
+          raise LibDDWAF::Error, 'Could not create context' if @context_obj.null?
+
+          validate!
+        end
+
+        def finalize
+          invalidate!
+
+          retained.each do |retained_obj|
+            next unless retained_obj.is_a?(LibDDWAF::Object)
+
+            LibDDWAF.ddwaf_object_free(retained_obj)
+          end
+
+          LibDDWAF.ddwaf_context_destroy(context_obj)
+        end
+
+        def run(persistent_data, ephemeral_data, timeout = LibDDWAF::DDWAF_RUN_TIMEOUT)
+          valid!
+
+          persistent_data_obj = Converter.ruby_to_object(
+            persistent_data,
+            max_container_size: LibDDWAF::DDWAF_MAX_CONTAINER_SIZE,
+            max_container_depth: LibDDWAF::DDWAF_MAX_CONTAINER_DEPTH,
+            max_string_length: LibDDWAF::DDWAF_MAX_STRING_LENGTH,
+            coerce: false
+          )
+          if persistent_data_obj.null?
+            raise LibDDWAF::Error, "Could not convert persistent data: #{persistent_data.inspect}"
+          end
+
+          # retain C objects in memory for subsequent calls to run
+          retain(persistent_data_obj)
+
+          ephemeral_data_obj = Converter.ruby_to_object(
+            ephemeral_data,
+            max_container_size: LibDDWAF::DDWAF_MAX_CONTAINER_SIZE,
+            max_container_depth: LibDDWAF::DDWAF_MAX_CONTAINER_DEPTH,
+            max_string_length: LibDDWAF::DDWAF_MAX_STRING_LENGTH,
+            coerce: false
+          )
+          if ephemeral_data_obj.null?
+            raise LibDDWAF::Error, "Could not convert ephemeral data: #{ephemeral_data.inspect}"
+          end
+
+          result_obj = LibDDWAF::Result.new
+          raise LibDDWAF::Error, 'Could not create result object' if result_obj.null?
+
+          code = LibDDWAF.ddwaf_run(@context_obj, persistent_data_obj, ephemeral_data_obj, result_obj, timeout)
+
+          result = Result.new(
+            RESULT_CODE[code],
+            Converter.object_to_ruby(result_obj[:events]),
+            result_obj[:total_runtime],
+            result_obj[:timeout],
+            Converter.object_to_ruby(result_obj[:actions]),
+            Converter.object_to_ruby(result_obj[:derivatives])
+          )
+
+          [RESULT_CODE[code], result]
+        ensure
+          LibDDWAF.ddwaf_result_free(result_obj) if result_obj
+        end
+
+        private
+
+        def validate!
+          @valid = true
+        end
+
+        def invalidate!
+          @valid = false
+        end
+
+        def valid?
+          @valid
+        end
+
+        def valid!
+          return if valid?
+
+          raise LibDDWAF::Error, "Attempt to use an invalid instance: #{inspect}"
+        end
+
+        def retained
+          @retained ||= []
+        end
+
+        def retain(object)
+          retained << object
+        end
+
+        def release(object)
+          retained.delete(object)
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/waf/converter.rb

@@ -0,0 +1,172 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module WAF
+      # Module responsible for Ruby-to-C and C-to-Ruby conversions
+      module Converter
+        module_function
+
+        # rubocop:disable Metrics/MethodLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+        def ruby_to_object(val, max_container_size: nil, max_container_depth: nil, max_string_length: nil, coerce: true)
+          case val
+          when Array
+            obj = LibDDWAF::Object.new
+            res = LibDDWAF.ddwaf_object_array(obj)
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val}"
+            end
+
+            max_index = max_container_size - 1 if max_container_size
+            val.each.with_index do |e, i| # rubocop:disable Style/MultilineIfModifier
+              member = Converter.ruby_to_object(e,
+                                                max_container_size: max_container_size,
+                                                max_container_depth: (max_container_depth - 1 if max_container_depth),
+                                                max_string_length: max_string_length,
+                                                coerce: coerce)
+              e_res = LibDDWAF.ddwaf_object_array_add(obj, member)
+              raise LibDDWAF::Error, "Could not add to array object: #{e.inspect}" unless e_res
+
+              break val if max_index && i >= max_index
+            end unless max_container_depth == 0
+
+            obj
+          when Hash
+            obj = LibDDWAF::Object.new
+            res = LibDDWAF.ddwaf_object_map(obj)
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val}"
+            end
+
+            max_index = max_container_size - 1 if max_container_size
+            val.each.with_index do |e, i| # rubocop:disable Style/MultilineIfModifier
+              # for Steep, which doesn't handle |(k, v), i|
+              k, v = e[0], e[1] # rubocop:disable Style/ParallelAssignment
+
+              k = k.to_s[0, max_string_length] if max_string_length
+              member = Converter.ruby_to_object(v,
+                                                max_container_size: max_container_size,
+                                                max_container_depth: (max_container_depth - 1 if max_container_depth),
+                                                max_string_length: max_string_length,
+                                                coerce: coerce)
+              kv_res = LibDDWAF.ddwaf_object_map_addl(obj, k.to_s, k.to_s.bytesize, member)
+              unless kv_res
+                raise LibDDWAF::Error, "Could not add to map object: #{k.inspect} => #{v.inspect}"
+              end
+
+              break val if max_index && i >= max_index
+            end unless max_container_depth == 0
+
+            obj
+          when String
+            obj = LibDDWAF::Object.new
+            encoded_val = val.to_s.encode('utf-8', invalid: :replace, undef: :replace)
+            val = encoded_val[0, max_string_length] if max_string_length
+            str = val.to_s
+            res = LibDDWAF.ddwaf_object_stringl(obj, str, str.bytesize)
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+            end
+
+            obj
+          when Symbol
+            obj = LibDDWAF::Object.new
+            val = val.to_s[0, max_string_length] if max_string_length
+            str = val.to_s
+            res = LibDDWAF.ddwaf_object_stringl(obj, str, str.bytesize)
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+            end
+
+            obj
+          when Integer
+            obj = LibDDWAF::Object.new
+            res = if coerce
+                    LibDDWAF.ddwaf_object_string(obj, val.to_s)
+                  elsif val < 0
+                    LibDDWAF.ddwaf_object_signed(obj, val)
+                  else
+                    LibDDWAF.ddwaf_object_unsigned(obj, val)
+                  end
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+            end
+
+            obj
+          when Float
+            obj = LibDDWAF::Object.new
+            res = if coerce
+                    LibDDWAF.ddwaf_object_string(obj, val.to_s)
+                  else
+                    LibDDWAF.ddwaf_object_float(obj, val)
+                  end
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+            end
+
+            obj
+          when TrueClass, FalseClass
+            obj = LibDDWAF::Object.new
+            res = if coerce
+                    LibDDWAF.ddwaf_object_string(obj, val.to_s)
+                  else
+                    LibDDWAF.ddwaf_object_bool(obj, val)
+                  end
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+            end
+
+            obj
+          when NilClass
+            obj = LibDDWAF::Object.new
+            res = if coerce
+                    LibDDWAF.ddwaf_object_string(obj, '')
+                  else
+                    LibDDWAF.ddwaf_object_null(obj)
+                  end
+            if res.null?
+              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+            end
+
+            obj
+          else
+            Converter.ruby_to_object('')
+          end
+        end
+        # rubocop:enable Metrics/MethodLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+
+        def object_to_ruby(obj)
+          case obj[:type]
+          when :ddwaf_obj_invalid, :ddwaf_obj_null
+            nil
+          when :ddwaf_obj_bool
+            obj[:valueUnion][:boolean]
+          when :ddwaf_obj_string
+            obj[:valueUnion][:stringValue].read_bytes(obj[:nbEntries])
+          when :ddwaf_obj_signed
+            obj[:valueUnion][:intValue]
+          when :ddwaf_obj_unsigned
+            obj[:valueUnion][:uintValue]
+          when :ddwaf_obj_float
+            obj[:valueUnion][:f64]
+          when :ddwaf_obj_array
+            (0...obj[:nbEntries]).each.with_object([]) do |i, a|
+              ptr = obj[:valueUnion][:array] + i * LibDDWAF::Object.size
+              e = Converter.object_to_ruby(LibDDWAF::Object.new(ptr))
+              a << e # steep:ignore
+            end
+          when :ddwaf_obj_map
+            (0...obj[:nbEntries]).each.with_object({}) do |i, h|
+              ptr = obj[:valueUnion][:array] + i * Datadog::AppSec::WAF::LibDDWAF::Object.size
+              o = Datadog::AppSec::WAF::LibDDWAF::Object.new(ptr)
+              l = o[:parameterNameLength]
+              k = o[:parameterName].read_bytes(l)
+              v = Converter.object_to_ruby(LibDDWAF::Object.new(ptr))
+              h[k] = v # steep:ignore
+            end
+          end
+        end
+      end
+    end
+  end
+end