libddwaf 1.22.0.0.2-aarch64-linux → 1.24.1.0.3-aarch64-linux

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c04a4590ede43aeca708d2452c9118b34a46c9820322dc7feb19dc98f982d28
-  data.tar.gz: d37d7f1c4016d9979e4c4b9ad886d51ef1b2b2b373dc2c1ca2b6381cd6f897f4
+  metadata.gz: 94f0f27a08d18b3e1d41ad75c96edd62c01d1d22c2d69e5d6c8f2f4f98bd8172
+  data.tar.gz: 732d929052278441c9b5d95cd7f9ad1a52917d4af267b5803d7e90e7760d5532
 SHA512:
-  metadata.gz: 9b9c07adb0eb5ff437b3f738b76c1792cfb5c639b4df2a04ceb6ecbbc77672390e9899c64fed615356af1a5abb560799a1b90e8ecfcaa4f5cce2273e6fbace03
-  data.tar.gz: 11678d6e41a6fcc95c114637ca55d71f77f1c1761d84f6d2e9733cf8bbbc4bb820c6447b1ebe25a834134c882c83f2a482b5e391227e255746a020abde24af8d
+  metadata.gz: 43139856cbb68e3be10d6d35aa412783a9396f2038f48f39ec297f2db13046e0185fd2a24e581bf2cb2b0294d9e461a4d9416023208f4468fe58b7778d4c875e
+  data.tar.gz: d1f5f32f20ad0abbb544e66dec7e81f655fd1892eca8a3d89f0be771abbab85eacecc50c08fa590e754cbf2b3b48089798c6e28edf84b2b400d84b4c67879284

data/CHANGELOG.md

@@ -1,3 +1,24 @@
+# Unreleased v1.23.0.0.0
+
+## Added
+
+- Add `HandleBuilder` class for managing libddwaf configuration and building WAF handles
+- Add Error classes:
+  - `LibDDWAFError` for libddwaf errors
+  - `ConversionError` for conversion errors
+  - `InstanceFinalizedError` that is raised when attempting to run methods on finalized instances
+
+## Changed
+
+- Change `Handle` instantiation - now it should be done using `HandleBuilder#build_handle` method
+- Change `Context` instantiation - now is should be done using `Handle#build_context` method
+- Change configuration of Limits and obfuscation - it is now done when initializing `HandleBuilder`
+- Change `Context#run` to return a `Result` object instead of an tuple with code and result
+
+## Removed
+
+- Remove `WAF::Handle#merge` method - the configuration is now handled by `HandleBuilder`
+
 # 2025-02-20 v.1.18.0.0.1
 
 - Fixed memory-leak in `Datadog::AppSec::WAF::Context#run` when non-empty ephemeral data passed
@@ -12,7 +33,6 @@
 - Update to libddwaf 1.14.0
 - Add support for `Float` and `Nil` scalar values when converting from ruby to WAF Object and vice versa.
 
-
 # 2023-08-29 v.1.11.0.0.0
 
 - Update to libddwaf 1.11.0
@@ -21,7 +41,6 @@
 - Changed `Datadog::AppSec::WAF::Result#data` to `Datadog::AppSec::WAF::Result#events`. (Breaking change)
   The schema of the events variable can be found [here](https://github.com/DataDog/libddwaf/blob/master/schema/events.json)
 
-
 # 2023-08-28 v.1.10.0.0.0
 
 - Update to libddwaf 1.10.0

data/README.md

@@ -0,0 +1,124 @@
+# libddwaf Ruby bindings
+
+``libddwaf-rb`` is library exposing the libddwaf C++ library to Ruby, packaging it in a multiplatform gem.
+
+For the libddwaf implementation, see this repository:
+ - [``libddwaf``: libddwaf](https://github.com/DataDog/libddwaf.git)
+
+
+
+## Rake tasks
+
+### Outline
+
+A typical workflow is as follows:
+
+```
+rake fetch    # fetch prebuilt libddwaf binaries tarball in vendor/libddwaf
+rake extract  # extract downloaded tarball in vendor/libddwaf
+rake spec     # run rspec
+rake binary   # build the gem
+```
+
+Note that each depends on the previous one, but `fetch` and `extract` are lazy, which proves useful to produce manual builds.
+
+### Platform selection
+
+By default the above will automatically use the local Ruby platform.
+
+Since libddwaf binary builds are available upstream, it's possible to build gems for any platform on any other platform. To that end `fetch`, `extract`, and `binary` can take an argument to specify the Ruby platform for which these operations should apply:
+
+```
+rake fetch[x86_64-linux-musl]
+rake extract[x86_64-linux-musl]
+rake binary[x86_64-linux-musl]
+```
+
+Of course you can't force the platform for `rspec` since that requires running code; see the Docker section below for ways to achieve that.
+
+Note that zsh gives special meaning to brackets, therefore you may need to quote the argument:
+
+```
+rake 'fetch[x86_64-linux-musl]'
+```
+
+Available platforms are:
+
+```
+x86_64-linux-musl   # Alpine build: targets musl-based Linux
+x86_64-linux-gnu    # Debian build: targets glibc-based Linux
+x86_64-linux        # Portable build: targets multiple linux libc
+x86_64-darwin       # Darwin build: targets macOS
+aarch64-linux-musl  # Same as above, for ARMv8
+aarch64-linux-gnu   # Same as above, for ARMv8
+aarch64-linux       # Same as above, for ARMv8
+arm64-darwin        # Same as above, for Apple Silicon
+java                # JRuby build, universal
+```
+
+Note: since it is not (yet) possible to package gems for the `java` Ruby platform any other way than `java`, it has to package all the native architectures.
+
+In addition, options can be specified for the portable build:
+
+```
+rake binary[x86_64-linux:gnu+musl]  # Combined build: combine musl and glibc builds, selecting one at runtime
+rake binary[x86_64-linux:llvm]      # Hybrid build: linked to llvm static libs and built against a musl sysroot
+```
+
+See upstream libddwaf for details about the [hybrid portable build](https://github.com/DataDog/libddwaf/blob/master/docker/libddwaf/README.md).
+
+## Testing with Docker
+
+Unless using Docker for Mac, remember to enable foreign CPU emulation via QEMU:
+
+```
+# aarch64 on x86_64 hardware
+docker run --privileged --rm tonistiigi/binfmt --install arm64
+# x86_64 on aarch64 hardware
+docker run --privileged --rm tonistiigi/binfmt --install amd64
+```
+
+Then you can substitute e.g `--platform linux/x86_64` with `--platform linux/aarch64` below.
+
+### GNU (Debian)
+
+```
+# this is too old for aarch64
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.1 sh -c 'rm -fv Gemfile.lock && gem install bundler -v "~> 1.17" && bundle install && bundle exec rake spec'
+# these are fine for aarch64
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.2 sh -c 'rm -fv Gemfile.lock && gem install bundler -v "~> 1.17" && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.3 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.4 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.5 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.6 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.7 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:3.0 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:3.1 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+```
+
+### musl (Alpine)
+
+```
+# these are too old for aarch64
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.1-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler -v "~> 1.17" && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.2-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler -v "~> 1.17" && bundle install && bundle exec rake spec'
+# these are fine for aarch64
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.3-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.4-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.5-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.6-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.7-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:3.0-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:3.1-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:3.1-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+```
+
+### JRuby
+
+```
+# these are too old for aarch64
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" jruby:9.2.8.0 sh -c 'apt-get update && apt-get install -y build-essential git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" jruby:9.3.0.0 sh -c 'apt-get update && apt-get install -y build-essential git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+# this is fine for aarch64
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" jruby:9.3.4.0 sh -c 'apt-get update && apt-get install -y build-essential git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+```

data/lib/datadog/appsec/waf/context.rb

@@ -14,20 +14,16 @@ module Datadog
           ddwaf_err_invalid_argument: :err_invalid_argument
         }.freeze
 
-        attr_reader :context_obj
-
-        def initialize(handle)
-          handle_obj = handle.handle_obj
-          retain(handle)
-
-          @context_obj = LibDDWAF.ddwaf_context_init(handle_obj)
-          raise LibDDWAF::Error, 'Could not create context' if @context_obj.null?
-
-          validate!
+        def initialize(context_ptr)
+          @context_ptr = context_ptr
         end
 
-        def finalize
-          invalidate!
+        # Destroys the WAF context and sets the pointer to nil.
+        #
+        # The instance becomes unusable after this method is called.
+        def finalize!
+          context_ptr_to_destroy = @context_ptr
+          @context_ptr = nil
 
           retained.each do |retained_obj|
             next unless retained_obj.is_a?(LibDDWAF::Object)
@@ -36,11 +32,17 @@ module Datadog
           end
 
           retained.clear
-          LibDDWAF.ddwaf_context_destroy(context_obj)
+          LibDDWAF.ddwaf_context_destroy(context_ptr_to_destroy)
         end
 
+        # Runs the WAF context with the given persistent and ephemeral data.
+        #
+        # @raise [ConversionError] if the conversion of persistent or ephemeral data fails
+        # @raise [LibDDWAFError] if libddwaf could not create the result object
+        #
+        # @return [Result] the result of the WAF run
         def run(persistent_data, ephemeral_data, timeout = LibDDWAF::DDWAF_RUN_TIMEOUT)
-          valid!
+          ensure_pointer_presence!
 
           persistent_data_obj = Converter.ruby_to_object(
             persistent_data,
@@ -50,7 +52,7 @@ module Datadog
             coerce: false
           )
           if persistent_data_obj.null?
-            raise LibDDWAF::Error, "Could not convert persistent data: #{persistent_data.inspect}"
+            raise ConversionError, "Could not convert persistent data: #{persistent_data.inspect}"
           end
 
           # retain C objects in memory for subsequent calls to run
@@ -64,15 +66,15 @@ module Datadog
             coerce: false
           )
           if ephemeral_data_obj.null?
-            raise LibDDWAF::Error, "Could not convert ephemeral data: #{ephemeral_data.inspect}"
+            raise ConversionError, "Could not convert ephemeral data: #{ephemeral_data.inspect}"
           end
 
           result_obj = LibDDWAF::Result.new
-          raise LibDDWAF::Error, 'Could not create result object' if result_obj.null?
+          raise LibDDWAFError, "Could not create result object" if result_obj.null?
 
-          code = LibDDWAF.ddwaf_run(@context_obj, persistent_data_obj, ephemeral_data_obj, result_obj, timeout)
+          code = LibDDWAF.ddwaf_run(@context_ptr, persistent_data_obj, ephemeral_data_obj, result_obj, timeout)
 
-          result = Result.new(
+          Result.new(
             RESULT_CODE[code],
             Converter.object_to_ruby(result_obj[:events]),
             result_obj[:total_runtime],
@@ -80,8 +82,6 @@ module Datadog
             Converter.object_to_ruby(result_obj[:actions]),
             Converter.object_to_ruby(result_obj[:derivatives])
           )
-
-          [RESULT_CODE[code], result]
         ensure
           LibDDWAF.ddwaf_result_free(result_obj) if result_obj
           LibDDWAF.ddwaf_object_free(ephemeral_data_obj) if ephemeral_data_obj
@@ -89,24 +89,10 @@ module Datadog
 
         private
 
-        # FIXME: Rename into something which reflect that it's impossible to run
-        #        libddwaf on finalized context (closed)
-        def validate!
-          @valid = true
-        end
-
-        def invalidate!
-          @valid = false
-        end
-
-        def valid?
-          @valid
-        end
-
-        def valid!
-          return if valid?
+        def ensure_pointer_presence!
+          return if @context_ptr
 
-          raise LibDDWAF::Error, "Attempt to use an invalid instance: #{inspect}"
+          raise InstanceFinalizedError, "Cannot use WAF context after it has been finalized"
         end
 
         def retained

data/lib/datadog/appsec/waf/converter.rb

@@ -7,66 +7,67 @@ module Datadog
       module Converter
         module_function
 
-        # rubocop:disable Metrics/MethodLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+        # standard:disable Metrics/MethodLength,Metrics/CyclomaticComplexity
         def ruby_to_object(val, max_container_size: nil, max_container_depth: nil, max_string_length: nil, coerce: true)
           case val
           when Array
             obj = LibDDWAF::Object.new
             res = LibDDWAF.ddwaf_object_array(obj)
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val}"
-            end
+            raise ConversionError, "Could not convert into object: #{val}" if res.null?
 
             max_index = max_container_size - 1 if max_container_size
-            val.each.with_index do |e, i| # rubocop:disable Style/MultilineIfModifier
-              member = Converter.ruby_to_object(e,
-                                                max_container_size: max_container_size,
-                                                max_container_depth: (max_container_depth - 1 if max_container_depth),
-                                                max_string_length: max_string_length,
-                                                coerce: coerce)
-              e_res = LibDDWAF.ddwaf_object_array_add(obj, member)
-              raise LibDDWAF::Error, "Could not add to array object: #{e.inspect}" unless e_res
-
-              break val if max_index && i >= max_index
-            end unless max_container_depth == 0
+            unless max_container_depth == 0
+              val.each.with_index do |e, i|
+                member = Converter.ruby_to_object(
+                  e,
+                  max_container_size: max_container_size,
+                  max_container_depth: (max_container_depth - 1 if max_container_depth),
+                  max_string_length: max_string_length,
+                  coerce: coerce
+                )
+                e_res = LibDDWAF.ddwaf_object_array_add(obj, member)
+                raise ConversionError, "Could not add to array object: #{e.inspect}" unless e_res
+
+                break val if max_index && i >= max_index
+              end
+            end
 
             obj
           when Hash
             obj = LibDDWAF::Object.new
             res = LibDDWAF.ddwaf_object_map(obj)
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val}"
-            end
+            raise ConversionError, "Could not convert into object: #{val}" if res.null?
 
             max_index = max_container_size - 1 if max_container_size
-            val.each.with_index do |e, i| # rubocop:disable Style/MultilineIfModifier
-              # for Steep, which doesn't handle |(k, v), i|
-              k, v = e[0], e[1] # rubocop:disable Style/ParallelAssignment
-
-              k = k.to_s[0, max_string_length] if max_string_length
-              member = Converter.ruby_to_object(v,
-                                                max_container_size: max_container_size,
-                                                max_container_depth: (max_container_depth - 1 if max_container_depth),
-                                                max_string_length: max_string_length,
-                                                coerce: coerce)
-              kv_res = LibDDWAF.ddwaf_object_map_addl(obj, k.to_s, k.to_s.bytesize, member)
-              unless kv_res
-                raise LibDDWAF::Error, "Could not add to map object: #{k.inspect} => #{v.inspect}"
+            unless max_container_depth == 0
+              val.each.with_index do |e, i|
+                # for Steep, which doesn't handle |(k, v), i|
+                k = e[0]
+                v = e[1]
+
+                k = k.to_s[0, max_string_length] if max_string_length
+                member = Converter.ruby_to_object(
+                  v,
+                  max_container_size: max_container_size,
+                  max_container_depth: (max_container_depth - 1 if max_container_depth),
+                  max_string_length: max_string_length,
+                  coerce: coerce
+                )
+                kv_res = LibDDWAF.ddwaf_object_map_addl(obj, k.to_s, k.to_s.bytesize, member)
+                raise ConversionError, "Could not add to map object: #{k.inspect} => #{v.inspect}" unless kv_res
+
+                break val if max_index && i >= max_index
               end
-
-              break val if max_index && i >= max_index
-            end unless max_container_depth == 0
+            end
 
             obj
           when String
             obj = LibDDWAF::Object.new
-            encoded_val = val.to_s.encode('utf-8', invalid: :replace, undef: :replace)
+            encoded_val = val.to_s.encode(Encoding::UTF_8, invalid: :replace, undef: :replace)
             val = encoded_val[0, max_string_length] if max_string_length
             str = val.to_s
             res = LibDDWAF.ddwaf_object_stringl(obj, str, str.bytesize)
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
-            end
+            raise ConversionError, "Could not convert into object: #{val.inspect}" if res.null?
 
             obj
           when Symbol
@@ -74,67 +75,58 @@ module Datadog
             val = val.to_s[0, max_string_length] if max_string_length
             str = val.to_s
             res = LibDDWAF.ddwaf_object_stringl(obj, str, str.bytesize)
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
-            end
+            raise ConversionError, "Could not convert into object: #{val.inspect}" if res.null?
 
             obj
           when Integer
             obj = LibDDWAF::Object.new
             res = if coerce
-                    LibDDWAF.ddwaf_object_string(obj, val.to_s)
-                  elsif val < 0
-                    LibDDWAF.ddwaf_object_signed(obj, val)
-                  else
-                    LibDDWAF.ddwaf_object_unsigned(obj, val)
-                  end
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+              LibDDWAF.ddwaf_object_string(obj, val.to_s)
+            elsif val < 0
+              LibDDWAF.ddwaf_object_signed(obj, val)
+            else
+              LibDDWAF.ddwaf_object_unsigned(obj, val)
             end
+            raise ConversionError, "Could not convert into object: #{val.inspect}" if res.null?
 
             obj
           when Float
             obj = LibDDWAF::Object.new
             res = if coerce
-                    LibDDWAF.ddwaf_object_string(obj, val.to_s)
-                  else
-                    LibDDWAF.ddwaf_object_float(obj, val)
-                  end
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+              LibDDWAF.ddwaf_object_string(obj, val.to_s)
+            else
+              LibDDWAF.ddwaf_object_float(obj, val)
             end
+            raise ConversionError, "Could not convert into object: #{val.inspect}" if res.null?
 
             obj
           when TrueClass, FalseClass
             obj = LibDDWAF::Object.new
             res = if coerce
-                    LibDDWAF.ddwaf_object_string(obj, val.to_s)
-                  else
-                    LibDDWAF.ddwaf_object_bool(obj, val)
-                  end
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+              LibDDWAF.ddwaf_object_string(obj, val.to_s)
+            else
+              LibDDWAF.ddwaf_object_bool(obj, val)
             end
+            raise ConversionError, "Could not convert into object: #{val.inspect}" if res.null?
 
             obj
           when NilClass
             obj = LibDDWAF::Object.new
             res = if coerce
-                    LibDDWAF.ddwaf_object_string(obj, '')
-                  else
-                    LibDDWAF.ddwaf_object_null(obj)
-                  end
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+              LibDDWAF.ddwaf_object_string(obj, "")
+            else
+              LibDDWAF.ddwaf_object_null(obj)
             end
+            raise ConversionError, "Could not convert into object: #{val.inspect}" if res.null?
 
             obj
           else
-            Converter.ruby_to_object('')
+            Converter.ruby_to_object("")
           end
         end
-        # rubocop:enable Metrics/MethodLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+        # standard:enable Metrics/MethodLength,Metrics/CyclomaticComplexity
 
+        # standard:disable Metrics/MethodLength,Metrics/CyclomaticComplexity
         def object_to_ruby(obj)
           case obj[:type]
           when :ddwaf_obj_invalid, :ddwaf_obj_null
@@ -170,6 +162,7 @@ module Datadog
             end
           end
         end
+        # standard:enable Metrics/MethodLength,Metrics/CyclomaticComplexity
       end
     end
   end

data/lib/datadog/appsec/waf/errors.rb

@@ -0,0 +1,19 @@
+module Datadog
+  module AppSec
+    module WAF
+      Error = Class.new(StandardError)
+      InstanceFinalizedError = Class.new(Error)
+      ConversionError = Class.new(Error)
+
+      class LibDDWAFError < Error
+        attr_reader :diagnostics
+
+        def initialize(msg, diagnostics: nil)
+          @diagnostics = diagnostics
+
+          super(msg)
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/waf/handle.rb

@@ -6,101 +6,53 @@ module Datadog
       # Ruby representation of the ddwaf_handle in libddwaf
       # See https://github.com/DataDog/libddwaf/blob/10e3a1dfc7bc9bb8ab11a09a9f8b6b339eaf3271/BINDING_IMPL_NOTES.md?plain=1#L4-L19
       class Handle
-        attr_reader :handle_obj, :diagnostics, :config
-
-        def initialize(rule, limits: {}, obfuscator: {})
-          rule_obj = Converter.ruby_to_object(rule)
-          if rule_obj.null? || rule_obj[:type] == :ddwaf_object_invalid
-            raise LibDDWAF::Error, "Could not convert object #{rule.inspect}"
-          end
-
-          config_obj = Datadog::AppSec::WAF::LibDDWAF::Config.new
-          if config_obj.null?
-            raise LibDDWAF::Error, 'Could not create config struct'
-          end
-
-          config_obj[:limits][:max_container_size]  = limits[:max_container_size]  || LibDDWAF::DEFAULT_MAX_CONTAINER_SIZE
-          config_obj[:limits][:max_container_depth] = limits[:max_container_depth] || LibDDWAF::DEFAULT_MAX_CONTAINER_DEPTH
-          config_obj[:limits][:max_string_length]   = limits[:max_string_length]   || LibDDWAF::DEFAULT_MAX_STRING_LENGTH
-          config_obj[:obfuscator][:key_regex]       = FFI::MemoryPointer.from_string(obfuscator[:key_regex])   if obfuscator[:key_regex]
-          config_obj[:obfuscator][:value_regex]     = FFI::MemoryPointer.from_string(obfuscator[:value_regex]) if obfuscator[:value_regex]
-          config_obj[:free_fn] = LibDDWAF::ObjectNoFree
-
-          @config = config_obj
-
-          diagnostics_obj = LibDDWAF::Object.new
-
-          @handle_obj = LibDDWAF.ddwaf_init(rule_obj, config_obj, diagnostics_obj)
-
-          @diagnostics = Converter.object_to_ruby(diagnostics_obj)
+        def initialize(handle_ptr)
+          @handle_ptr = handle_ptr
+        end
 
-          if @handle_obj.null?
-            raise LibDDWAF::Error.new('Could not create handle', diagnostics: @diagnostics)
-          end
+        # Destroys the WAF handle and sets the pointer to nil.
+        #
+        # The instance becomes unusable after this method is called.
+        def finalize!
+          handle_ptr_to_destroy = @handle_ptr
+          @handle_ptr = nil
 
-          validate!
-        ensure
-          LibDDWAF.ddwaf_object_free(diagnostics_obj) if diagnostics_obj
-          LibDDWAF.ddwaf_object_free(rule_obj) if rule_obj
+          LibDDWAF.ddwaf_destroy(handle_ptr_to_destroy)
         end
 
-        def finalize
-          invalidate!
+        # Builds a WAF context.
+        #
+        # @raise [LibDDWAFError] if libddwaf could not create the context.
+        # @return [Handle] the WAF handle
+        def build_context
+          ensure_pointer_presence!
+
+          context_obj = LibDDWAF.ddwaf_context_init(@handle_ptr)
+          raise LibDDWAFError, "Could not create context" if context_obj.null?
 
-          LibDDWAF.ddwaf_destroy(handle_obj)
+          Context.new(context_obj)
         end
 
-        def required_addresses
-          valid!
+        # Returns the list of known addresses in the WAF handle.
+        #
+        # @return [Array<String>] the list of known addresses
+        def known_addresses
+          ensure_pointer_presence!
 
           count = LibDDWAF::UInt32Ptr.new
-          list = LibDDWAF.ddwaf_known_addresses(handle_obj, count)
+          list = LibDDWAF.ddwaf_known_addresses(@handle_ptr, count)
 
           return [] if count == 0 # list is null
 
           list.get_array_of_string(0, count[:value])
         end
 
-        def merge(data)
-          data_obj = Converter.ruby_to_object(data, coerce: false)
-          diagnostics_obj = LibDDWAF::Object.new
-          new_handle = LibDDWAF.ddwaf_update(handle_obj, data_obj, diagnostics_obj)
-
-          return if new_handle.null?
-
-          diagnostics = Converter.object_to_ruby(diagnostics_obj)
-          new_from_handle(new_handle, diagnostics, config)
-        ensure
-          LibDDWAF.ddwaf_object_free(data_obj) if data_obj
-          LibDDWAF.ddwaf_object_free(diagnostics_obj) if diagnostics_obj
-        end
-
         private
 
-        def new_from_handle(handle_object, diagnostics, config)
-          obj = Handle.allocate
-          obj.instance_variable_set(:@handle_obj, handle_object)
-          obj.instance_variable_set(:@diagnostics, diagnostics)
-          obj.instance_variable_set(:@config, config)
-          obj
-        end
-
-        def validate!
-          @valid = true
-        end
-
-        def invalidate!
-          @valid = false
-        end
-
-        def valid?
-          @valid
-        end
-
-        def valid!
-          return if valid?
+        def ensure_pointer_presence!
+          return if @handle_ptr
 
-          raise LibDDWAF::Error, "Attempt to use an invalid instance: #{inspect}"
+          raise InstanceFinalizedError, "Cannot use WAF handle after it has been finalized"
         end
       end
     end