libddwaf 1.15.0.0.2 → 1.18.0.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 66ca5ed402ac186fc8a1a0be677af6edfb2e93f8848232d6ea26895f1828ac14
-  data.tar.gz: 27e819869d4042edb1dd218324c9363a94dc4a1f77fb0185ef0449b07d20c8e1
+  metadata.gz: 2cea26919b7498876af6b3517e509939b1dfc2bfac538dccf9d4f7d6ba02bb84
+  data.tar.gz: ec604e73b223f59abcc8d001a08f46ea7d130b2ecc9e4f672313b812e91e5016
 SHA512:
-  metadata.gz: 4ea8d77ff20dc6347eb6580f0e230bfee3c98d3a7e448379fd6e992812dc386c93f505efb14d8c098843fc589489b2e48e91bebc4c0b89a96a2c258a661c6e90
-  data.tar.gz: 84a18f48f1cd2be8c5bcb7af4b25aa8b7704d82f3d80f2cf10d1ace2c7a9c5c20981698be22a191b3e999b9080d2d2479c86110124d8e4fec6dc03e4cc267c19
+  metadata.gz: 706ca9b34d702e244d74b46f2ef5633de09f37b8b8cfa3591e4421417592a9034eeabde5358879a00b113acad38c04a2827418edf8b936f8af3302d8b902bd01
+  data.tar.gz: c4c0f294b8e4d9e173ed775d6b60ecf89ebeb97360dfd67bb6c8049582f5f9d3e5cd7bc3cf179ac319518bef11b38b1bfcb7e740e18281b14c22510ee763dfcc

data/.github/ISSUE_TEMPLATE/bug.md

@@ -0,0 +1,32 @@
+---
+name: Bug report
+about: File a bug report
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Current behaviour**
+<!-- What is be happening. -->
+
+**Expected behaviour**
+<!-- What should be happening. -->
+
+**Steps to reproduce**
+<!--
+  How can we reproduce this issue in order to diagnose it?
+  Code snippets, log messages, screenshots and sample apps are encouraged!
+-->
+
+**How does `libddwaf` help you?**
+<!-- Optionally, tell us why and how you're using ddtrace, and what your overall experience with it is! -->
+
+**Environment**
+
+* **libddwaf version:**
+* **libddwaf gem platform:**
+* **Ruby version:**
+* **Ruby platform:**
+* **Operating system:**
+

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,17 @@
+**What does this PR do?**
+<!-- A brief description of the change being made with this pull request. -->
+
+**Motivation**
+<!-- What inspired you to submit this pull request? -->
+
+**Additional Notes**
+<!-- Anything else we should know when reviewing? -->
+
+**How to test the change?**
+<!--
+Describe here how the change can be validated.
+You are strongly encouraged to provide automated tests for this PR.
+If this change cannot be feasibly tested, please explain why,
+unless the change does not modify code (e.g. only modifies docs, comments).
+-->
+

data/.github/actions/docker-build-ruby/Dockerfile

@@ -0,0 +1,5 @@
+ARG RUBY_VERSION
+
+FROM ruby:${RUBY_VERSION:-2.5}
+
+RUN gem update --system 3.3.27

data/.github/actions/docker-build-ruby/Dockerfile.alpine

@@ -0,0 +1,7 @@
+ARG RUBY_VERSION
+
+FROM ruby:${RUBY_VERSION:-2.5}-alpine
+
+RUN apk add --no-cache build-base git
+
+RUN gem update --system 3.3.27

data/.github/actions/docker-build-ruby/Dockerfile.jruby

@@ -0,0 +1,6 @@
+ARG RUBY_VERSION
+
+FROM jruby:${RUBY_VERSION:-9.2}
+
+RUN apt-get update
+RUN apt-get install -y build-essential git

data/.github/actions/docker-build-ruby/action.yml

@@ -0,0 +1,57 @@
+name: Build docker image
+description:
+  Github Actions does not support setting the platform for the container yet.
+  This action builds the image for the specified architecture and libc.
+
+inputs:
+  ruby-version:
+    description: Ruby version
+    required: true
+
+  arch:
+    description: Build architecture
+    required: true
+
+  libc:
+    description: Which libc is used
+    required: true
+
+  jruby:
+    description: Whether to use JRuby
+    required: false
+    default: "false"
+
+outputs:
+  run-cmd:
+    description: Command to run the container
+    value: ${{ steps.set-run-cmd.outputs.run-cmd }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+      with:
+        platforms: ${{ inputs.arch }}
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build image
+      uses: docker/build-push-action@v6
+      with:
+        file: .github/actions/docker-build-ruby/Dockerfile${{ inputs.libc == 'musl' && '.alpine' || '' }}${{ inputs.jruby == 'true' && '.jruby' || '' }}
+        build-args: |
+          "RUBY_VERSION=${{ inputs.ruby-version }}"
+        push: false
+        load: true
+        tags: libddwaf-rb-test:latest
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        platforms: linux/${{ inputs.arch }}
+
+    - name: Set run-cmd output
+      id: set-run-cmd
+      shell: bash
+      run: |
+        echo "run-cmd=docker run --platform linux/${{ inputs.arch }} -v gems:/usr/local/bundle -v ${{ github.workspace }}:/libddwaf-rb -w /libddwaf-rb libddwaf-rb-test:latest" >> "$GITHUB_OUTPUT"

data/.github/workflows/lint.yml

@@ -0,0 +1,34 @@
+name: Lint
+on:
+  - push
+
+jobs:
+  style-check:
+    name: Style check
+    runs-on: ubuntu-24.04
+    container:
+      image: ruby:3.3
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Bundle
+        run: bundle install
+
+      - name: Run Rubocop
+        run: bundle exec rubocop -D
+
+  type-check:
+    name: Type check
+    runs-on: ubuntu-24.04
+    container:
+      image: ruby:3.3
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Bundle
+        run: bundle install
+
+      - name: Run Steep
+        run: bundle exec rake steep:check

data/.github/workflows/package.yml

@@ -0,0 +1,134 @@
+name: Package
+on:
+  - push
+
+jobs:
+  test-rake-build:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-24.04]
+        ruby: ["3.3"]
+        arch: [amd64, arm64]
+        libc: [gnu]
+        include:
+          - arch: amd64
+            platform: x86_64-linux
+          - arch: arm64
+            platform: aarch64-linux
+
+    name: Test build without fetching libddwaf (Ruby ${{ matrix.ruby }}, ${{ matrix.arch }}, ${{ matrix.libc }})
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build docker image
+        id: build-image
+        uses: ./.github/actions/docker-build-ruby
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          arch: ${{ matrix.arch }}
+          libc: ${{ matrix.libc }}
+
+      - name: Bundle install
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle install
+
+      - name: Build gem
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake build
+
+      - name: List artifact files
+        run: find .
+        working-directory: pkg
+
+      - name: Install gem
+        run: ${{ steps.build-image.outputs.run-cmd }} gem install --verbose pkg/*.gem
+
+      - name: Run smoke test
+        run: ${{ steps.build-image.outputs.run-cmd }} ruby -e 'begin require "libddwaf"; rescue LoadError => e; puts e.message; else fail "loaded when it should not"; end'
+
+  test-rake-binary:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-24.04]
+        ruby: ["3.3", "9.4"]
+        arch: [amd64, arm64]
+        libc: [gnu, musl]
+        include:
+          - arch: amd64
+            platform: x86_64-linux:llvm
+          - arch: arm64
+            platform: aarch64-linux:llvm
+          - ruby: 3.3
+            jruby: false
+          - ruby: 9.4
+            jruby: true
+        exclude:
+          - ruby: 9.4
+            libc: musl
+
+    name: Test gem build (${{ matrix.jruby == true && 'Jruby' || 'Ruby'}} ${{ matrix.ruby }}, ${{ matrix.arch }}, ${{ matrix.libc }})
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build docker image
+        id: build-image
+        uses: ./.github/actions/docker-build-ruby
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          arch: ${{ matrix.arch }}
+          libc: ${{ matrix.libc }}
+          jruby: ${{ matrix.jruby }}
+
+      - name: Bundle install
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle install
+
+      - name: Build binary gem
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake binary[${{ matrix.platform }}]
+
+      - name: List artifact files
+        run: find .
+        working-directory: pkg
+
+      - name: Install gem
+        run: ${{ steps.build-image.outputs.run-cmd }} gem install --verbose pkg/*.gem
+
+      - name: Run smoke test
+        run: ${{ steps.build-image.outputs.run-cmd }} ruby -r 'libddwaf' -e 'p Datadog::AppSec::WAF::LibDDWAF.ddwaf_get_version'
+
+  test-rake-binary-on-darwin:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-15, macos-15-large]
+        include:
+          - os: macos-15
+            platform: arm64-darwin
+          - os: macos-15-large
+            platform: x86_64-darwin
+
+    name: Test gem build (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Bundle
+        run: bundle install
+
+      - name: Build binary gem
+        run: bundle exec rake binary[${{ matrix.platform }}]
+
+      - name: Install gem
+        run: gem install --verbose pkg/*.gem
+
+      - name: Run smoke test
+        run: ruby -r 'libddwaf' -e 'p Datadog::AppSec::WAF::LibDDWAF.ddwaf_get_version'

data/.github/workflows/test.yml

@@ -0,0 +1,118 @@
+name: Test
+on:
+  - push
+
+jobs:
+  test-cruby-linux:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-24.04]
+        ruby: ["2.5", "2.6", "2.7", "3.0", "3.1", "3.2", "3.3"]
+        arch: [amd64, arm64]
+        libc: [gnu, musl]
+        include:
+          - arch: amd64
+            platform: x86_64-linux
+          - arch: arm64
+            platform: aarch64-linux
+
+    name: Test (Ruby ${{ matrix.ruby }}, ${{ matrix.arch }}, ${{ matrix.libc }})
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build docker image
+        id: build-image
+        uses: ./.github/actions/docker-build-ruby
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          arch: ${{ matrix.arch }}
+          libc: ${{ matrix.libc }}
+
+      - name: Bundle install
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle install
+
+      - name: Fetch binary library
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake fetch[${{ matrix.platform }}]
+
+      - name: Extract binary library
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake extract[${{ matrix.platform }}]
+
+      - name: Run specs
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake spec
+
+  test-jruby-linux:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-24.04]
+        jruby: ["9.3", "9.4"]
+        arch: [amd64, arm64]
+        include:
+          - arch: amd64
+            platform: x86_64-linux
+          - arch: arm64
+            platform: aarch64-linux
+
+    name: Test (Jruby ${{ matrix.jruby }}, ${{ matrix.arch }})
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build docker image
+        id: build-image
+        uses: ./.github/actions/docker-build-ruby
+        with:
+          ruby-version: ${{ matrix.jruby }}
+          jruby: true
+          arch: ${{ matrix.arch }}
+          libc: gnu
+
+      - name: Bundle install
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle install
+
+      - name: Fetch binary library
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake fetch[${{ matrix.platform }}]
+
+      - name: Extract binary library
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake extract[${{ matrix.platform }}]
+
+      - name: Run specs
+        run: ${{ steps.build-image.outputs.run-cmd }} bundle exec rake spec
+
+  test-darwin:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-15, macos-15-large]
+        include:
+          - os: macos-15
+            platform: arm64-darwin
+          - os: macos-15-large
+            platform: x86_64-darwin
+
+    name: Test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Bundle
+        run: bundle install
+
+      - name: Fetch binary library
+        run: bundle exec rake fetch[${{ matrix.platform }}]
+
+      - name: Extract binary library
+        run: bundle exec rake extract[${{ matrix.platform }}]
+
+      - name: Run specs
+        run: bundle exec rake spec

data/.gitignore

@@ -0,0 +1,10 @@
+/.envrc
+/vendor/bundle
+/vendor/libddwaf
+/pkg
+/tmp
+*.gem
+*.vim
+.ruby-version
+.github-token
+Gemfile.lock

data/.steepignore

@@ -0,0 +1,4 @@
+ffi/library.rbs:36:45 "Type `::FFI::DataConverter` is generic but used as a non generic type"
+ffi/struct.rbs:5:15 "Type application of `::FFI::Type::Mapped` doesn't satisfy the constraints"
+ffi/struct.rbs:23:29 "Type application of `::FFI::Type::Mapped` doesn't satisfy the constraints"
+ffi/auto_pointer.rbs:15:65 "Type application of `::FFI::AutoPointer::Releaser::_Proc` doesn't satisfy the constraints"

data/CONTRIBUTING.md

@@ -0,0 +1,84 @@
+# Contributing
+
+Community contributions to the Datadog bindings to libddwaf for Ruby are welcome! See below for some basic guidelines.
+
+## Want to request a new feature?
+
+Many great ideas for new features come from the community, and we'd be happy to consider yours!
+
+To share your request, you can [open a Github issue](https://github.com/DataDog/libddwaf-rb/issues/new) with the details about what you'd like to see. At a minimum, please provide:
+
+ - The goal of the new feature
+ - A description of how it might be used or behave
+ - Links to any important resources (e.g. Github repos, websites, screenshots, specifications, diagrams)
+
+Additionally, if you can, include:
+
+ - A description of how it could be accomplished
+ - Code snippets that might demonstrate its use or implementation
+ - Screenshots or mockups that visually demonstrate the feature
+ - Links to similar features that would serve as a good comparison
+ - (Any other details that would be useful for implementing this feature!)
+
+Feature requests will be reviewed and discussed.
+
+## Found a bug?
+
+For any urgent matters (such as outages) or issues concerning the Datadog service or UI, contact our support team via https://docs.datadoghq.com/help/ for direct, faster assistance.
+
+You may submit bug reports concerning the Datadog bindings to libddwaf for Ruby by [opening a Github issue](https://github.com/DataDog/libddwaf-rb/issues/new). At a minimum, please provide:
+
+ - A description of the problem
+ - Steps to reproduce
+ - Expected behavior
+ - Actual behavior
+ - Errors (with stack traces) or warnings received
+ - Any details you can share about your configuration including:
+    - Ruby version & platform
+    - `libddwaf` version
+    - Versions of any other relevant gems (or a `Gemfile.lock` if available)
+
+If at all possible, also provide:
+
+ - Logs from the application or other diagnostics
+ - Screenshots, links, or other visual aids that are publicly accessible
+ - Code sample or test that reproduces the problem
+ - An explanation of what causes the bug and/or how it can be fixed
+
+Reports that include rich detail are better, and ones with code that reproduce the bug are best. Bug requests will be triaged and reviewed by our collaborators.
+
+## Have a patch?
+
+We welcome code contributions to the library, which you can [submit as a pull request](https://github.com/DataDog/libddwaf-rb/pull/new/master). To create a pull request:
+
+1. **Fork the repository** from https://github.com/DataDog/libddwaf-rb
+2. **Make any changes** for your patch.
+3. **Write tests** that demonstrate how the feature works or how the bug is fixed.
+4. **Update any documentation** especially for new features.
+5. **Submit the pull request** from your fork back to the latest revision of the `master` branch on https://github.com/DataDog/libddwaf-rb.
+
+The pull request will be run through our CI pipeline, and a project member will review the changes with you. At a minimum, to be accepted and merged, pull requests must:
+
+ - Have a stated goal and detailed description of the changes made
+ - Include thorough test coverage and documentation, where applicable
+ - Pass all tests and code quality checks (linting/coverage) on CI
+ - Receive at least one approval from a project member with push permissions
+
+We also recommend that you share in your description:
+
+ - Any motivations or intent for the contribution
+ - Links to any issues/pull requests it might be related to
+ - Links to any webpages or other external resources that might be related to the change
+ - Screenshots, code samples, or other visual aids that demonstrate the changes or how they are implemented
+ - Benchmarks if the feature is anticipated to have performance implications
+ - Any limitations, constraints or risks that are important to consider
+
+Pull requests will be reviewed by our collaborators.
+
+For more information on common topics such as debugging locally, or how to write new integrations, check out [our development guide](https://github.com/DataDog/libddwaf-rb/blob/master/README.md#development). If at any point you have a question or need assistance with your pull request, feel free to mention a project member! We're always happy to help contributors with their pull requests.
+
+## Final word
+
+Many thanks to all of our contributors, and looking forward to seeing you on Github! :tada:
+
+ - Datadog Ruby Team

data/Steepfile

@@ -0,0 +1,21 @@
+# D = Steep::Diagnostic
+
+target :lib do
+  signature "sig"
+
+  check "lib"
+  library "logger"
+  library "monitor" # needed by logger
+  library "json"
+
+  repo_path "vendor/rbs"
+  library "ffi"
+  library "jruby"
+  library "gem"
+
+#   # configure_code_diagnostics(D::Ruby.strict)       # `strict` diagnostics setting
+#   # configure_code_diagnostics(D::Ruby.lenient)      # `lenient` diagnostics setting
+#   # configure_code_diagnostics do |hash|             # You can setup everything yourself
+#   #   hash[D::Ruby::NoMethod] = :information
+#   # end
+end

data/lib/datadog/appsec/waf/context.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module WAF
+      # Ruby representation of the ddwaf_context in libddwaf
+      # See https://github.com/DataDog/libddwaf/blob/10e3a1dfc7bc9bb8ab11a09a9f8b6b339eaf3271/BINDING_IMPL_NOTES.md?plain=1#L125-L158
+      class Context
+        RESULT_CODE = {
+          ddwaf_ok: :ok,
+          ddwaf_match: :match,
+          ddwaf_err_internal: :err_internal,
+          ddwaf_err_invalid_object: :err_invalid_object,
+          ddwaf_err_invalid_argument: :err_invalid_argument
+        }.freeze
+
+        attr_reader :context_obj
+
+        def initialize(handle)
+          handle_obj = handle.handle_obj
+          retain(handle)
+
+          @context_obj = LibDDWAF.ddwaf_context_init(handle_obj)
+          raise LibDDWAF::Error, 'Could not create context' if @context_obj.null?
+
+          validate!
+        end
+
+        def finalize
+          invalidate!
+
+          retained.each do |retained_obj|
+            next unless retained_obj.is_a?(LibDDWAF::Object)
+
+            LibDDWAF.ddwaf_object_free(retained_obj)
+          end
+
+          LibDDWAF.ddwaf_context_destroy(context_obj)
+        end
+
+        def run(persistent_data, ephemeral_data, timeout = LibDDWAF::DDWAF_RUN_TIMEOUT)
+          valid!
+
+          persistent_data_obj = Converter.ruby_to_object(
+            persistent_data,
+            max_container_size: LibDDWAF::DDWAF_MAX_CONTAINER_SIZE,
+            max_container_depth: LibDDWAF::DDWAF_MAX_CONTAINER_DEPTH,
+            max_string_length: LibDDWAF::DDWAF_MAX_STRING_LENGTH,
+            coerce: false
+          )
+          if persistent_data_obj.null?
+            raise LibDDWAF::Error, "Could not convert persistent data: #{persistent_data.inspect}"
+          end
+
+          # retain C objects in memory for subsequent calls to run
+          retain(persistent_data_obj)
+
+          ephemeral_data_obj = Converter.ruby_to_object(
+            ephemeral_data,
+            max_container_size: LibDDWAF::DDWAF_MAX_CONTAINER_SIZE,
+            max_container_depth: LibDDWAF::DDWAF_MAX_CONTAINER_DEPTH,
+            max_string_length: LibDDWAF::DDWAF_MAX_STRING_LENGTH,
+            coerce: false
+          )
+          if ephemeral_data_obj.null?
+            raise LibDDWAF::Error, "Could not convert ephemeral data: #{ephemeral_data.inspect}"
+          end
+
+          result_obj = LibDDWAF::Result.new
+          raise LibDDWAF::Error, 'Could not create result object' if result_obj.null?
+
+          code = LibDDWAF.ddwaf_run(@context_obj, persistent_data_obj, ephemeral_data_obj, result_obj, timeout)
+
+          result = Result.new(
+            RESULT_CODE[code],
+            Converter.object_to_ruby(result_obj[:events]),
+            result_obj[:total_runtime],
+            result_obj[:timeout],
+            Converter.object_to_ruby(result_obj[:actions]),
+            Converter.object_to_ruby(result_obj[:derivatives])
+          )
+
+          [RESULT_CODE[code], result]
+        ensure
+          LibDDWAF.ddwaf_result_free(result_obj) if result_obj
+        end
+
+        private
+
+        def validate!
+          @valid = true
+        end
+
+        def invalidate!
+          @valid = false
+        end
+
+        def valid?
+          @valid
+        end
+
+        def valid!
+          return if valid?
+
+          raise LibDDWAF::Error, "Attempt to use an invalid instance: #{inspect}"
+        end
+
+        def retained
+          @retained ||= []
+        end
+
+        def retain(object)
+          retained << object
+        end
+
+        def release(object)
+          retained.delete(object)
+        end
+      end
+    end
+  end
+end