libddwaf 1.3.0.0.0 → 1.3.0.2.0
- checksums.yaml +4 -4
- data/.github/workflows/package.yml +48 -9
- data/.github/workflows/test.yml +28 -28
- data/README.md +118 -0
- data/lib/datadog/appsec/waf/version.rb +1 -1
- data/lib/datadog/appsec/waf.rb +68 -14
- metadata +2 -2
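--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 761413998bd5c350c78413a3b1ab14de9d7b31e5784e206d4a1e24747e84943b
+data.tar.gz: 99f0a81a21c6e6cb78895422fc93345b2e466adc2977e97d0fb69f2ca7d4968c
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ef74395170939fb40cca96f4b93628987d980d579a05083cbf7e738e239be2bd61bfde3e3666e5a6227f57681bd3961a24d81f33140e463110f80c916b5311d0
+data.tar.gz: 834f41db4de087c0dc8df8ba418c54ff5d530223e94a627f65f818482183678626a89dcdc07b91045b66ae0b8d75b6f6e6452ff9e5f535bad231625a7cb8b340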
@@ -22,7 +22,7 @@ jobs:
|
|
22
22
|
- name: Bundle
|
23
23
|
run: |
|
24
24
|
bundle install
|
25
|
-
- name: Build
|
25
|
+
- name: Build gem
|
26
26
|
run: |
|
27
27
|
bundle exec rake build
|
28
28
|
- name: Upload gem
|
@@ -41,6 +41,21 @@ jobs:
|
|
41
41
|
- os: ubuntu-20.04
|
42
42
|
cpu: aarch64
|
43
43
|
platform: aarch64-linux
|
44
|
+
- os: ubuntu-20.04
|
45
|
+
cpu: x86_64
|
46
|
+
platform: x86_64-linux-gnu
|
47
|
+
- os: ubuntu-20.04
|
48
|
+
cpu: aarch64
|
49
|
+
platform: aarch64-linux-gnu
|
50
|
+
- os: ubuntu-20.04
|
51
|
+
cpu: x86_64
|
52
|
+
platform: x86_64-linux-musl
|
53
|
+
- os: ubuntu-20.04
|
54
|
+
cpu: aarch64
|
55
|
+
platform: aarch64-linux-musl
|
56
|
+
- os: ubuntu-20.04
|
57
|
+
cpu: universal
|
58
|
+
platform: java
|
44
59
|
- os: macos-10.15
|
45
60
|
cpu: x86_64
|
46
61
|
platform: x86_64-darwin
|
@@ -58,13 +73,7 @@ jobs:
|
|
58
73
|
- name: Bundle
|
59
74
|
run: |
|
60
75
|
bundle install
|
61
|
-
- name:
|
62
|
-
run: |
|
63
|
-
bundle exec rake fetch[${{ matrix.platform }}]
|
64
|
-
- name: Extract binary library
|
65
|
-
run: |
|
66
|
-
bundle exec rake extract[${{ matrix.platform }}]
|
67
|
-
- name: Build package
|
76
|
+
- name: Build binary gem
|
68
77
|
run: |
|
69
78
|
bundle exec rake binary[${{ matrix.platform }}]
|
70
79
|
- name: Upload gem
|
@@ -142,7 +151,37 @@ jobs:
|
|
142
151
|
image: ruby:2.6-alpine
|
143
152
|
qemu: aarch64
|
144
153
|
libc: musl
|
145
|
-
|
154
|
+
- os: ubuntu-20.04
|
155
|
+
cpu: x86_64
|
156
|
+
platform: x86_64-linux-gnu
|
157
|
+
image: ruby:2.6
|
158
|
+
qemu: amd64
|
159
|
+
libc: gnu
|
160
|
+
- os: ubuntu-20.04
|
161
|
+
cpu: aarch64
|
162
|
+
platform: aarch64-linux-gnu
|
163
|
+
image: ruby:2.6
|
164
|
+
qemu: aarch64
|
165
|
+
libc: gnu
|
166
|
+
- os: ubuntu-20.04
|
167
|
+
cpu: x86_64
|
168
|
+
platform: x86_64-linux-musl
|
169
|
+
image: ruby:2.6-alpine
|
170
|
+
qemu: amd64
|
171
|
+
libc: musl
|
172
|
+
- os: ubuntu-20.04
|
173
|
+
cpu: aarch64
|
174
|
+
platform: aarch64-linux-musl
|
175
|
+
image: ruby:2.6-alpine
|
176
|
+
qemu: aarch64
|
177
|
+
libc: musl
|
178
|
+
- os: ubuntu-20.04
|
179
|
+
cpu: x86_64
|
180
|
+
platform: java
|
181
|
+
image: jruby:9.3.0.0
|
182
|
+
qemu: amd64
|
183
|
+
libc: gnu
|
184
|
+
name: Test package (${{ matrix.platform }}, ${{ matrix.libc }}, ${{ matrix.cpu }})
|
146
185
|
runs-on: ${{ matrix.os }}
|
147
186
|
steps:
|
148
187
|
- name: Enable ${{ matrix.qemu }} platform
|
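--- a/data/.github/workflows/test.yml
+++ b/data/.github/workflows/test.yml
@@ -10,148 +10,148 @@ jobs:
 include:
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-gnu
 image: ruby:3.1
 qemu: amd64
 libc: gnu
 - os: ubuntu-20.04
 cpu: aarch64
-platform: aarch64-linux
+platform: aarch64-linux-gnu
 image: ruby:3.1
 qemu: arm64
 libc: gnu
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-gnu
 image: ruby:3.0
 qemu: amd64
 libc: gnu
 - os: ubuntu-20.04
 cpu: aarch64
-platform: aarch64-linux
+platform: aarch64-linux-gnu
 image: ruby:3.0
 qemu: arm64
 libc: gnu
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-gnu
 image: ruby:2.7
 qemu: amd64
 libc: gnu
 - os: ubuntu-20.04
 cpu: aarch64
-platform: aarch64-linux
+platform: aarch64-linux-gnu
 image: ruby:2.7
 qemu: arm64
 libc: gnu
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-gnu
 image: ruby:2.6
 qemu: amd64
 libc: gnu
 - os: ubuntu-20.04
 cpu: aarch64
-platform: aarch64-linux
+platform: aarch64-linux-gnu
 image: ruby:2.6
 qemu: arm64
 libc: gnu
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-gnu
 image: ruby:2.5
 qemu: amd64
 libc: gnu
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-gnu
 image: ruby:2.4
 qemu: amd64
 libc: gnu
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-gnu
 image: ruby:2.3
 qemu: amd64
 libc: gnu
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-gnu
 image: ruby:2.2
 qemu: amd64
 libc: gnu
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-gnu
 image: ruby:2.1
 qemu: amd64
 libc: gnu
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-musl
 image: ruby:3.1-alpine
 qemu: amd64
 libc: musl
 - os: ubuntu-20.04
 cpu: aarch64
-platform: aarch64-linux
+platform: aarch64-linux-musl
 image: ruby:3.1-alpine
 qemu: arm64
 libc: musl
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-musl
 image: ruby:3.0-alpine
 qemu: amd64
 libc: musl
 - os: ubuntu-20.04
 cpu: aarch64
-platform: aarch64-linux
+platform: aarch64-linux-musl
 image: ruby:3.0-alpine
 qemu: arm64
 libc: musl
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-musl
 image: ruby:2.7-alpine
 qemu: amd64
 libc: musl
 - os: ubuntu-20.04
 cpu: aarch64
-platform: aarch64-linux
+platform: aarch64-linux-musl
 image: ruby:2.7-alpine
 qemu: arm64
 libc: musl
 - os: ubuntu-20.04
 cpu: x86_64
-platform: x86_64-linux
+platform: x86_64-linux-musl
 image: ruby:2.6-alpine
 qemu: amd64
 libc: musl
 - os: ubuntu-20.04
 cpu: aarch64
-platform: aarch64-linux
+platform: aarch64-linux-musl
 image: ruby:2.6-alpine
 qemu: arm64
 libc: musl
 # TODO: jruby images have no sudo so apt-get can't get a lock
 # - os: ubuntu-20.04
 # cpu: x86_64
-# platform: x86_64-linux
-# image: jruby:9.3
+# platform: x86_64-linux-gnu
+# image: jruby:9.3.0.0
 # qemu: amd64
 # libc: gnu
 # - os: ubuntu-20.04
 # cpu: x86_64
-# platform: x86_64-linux
-# image: jruby:9.2
+# platform: x86_64-linux-gnu
+# image: jruby:9.2.8.0
 # qemu: amd64
 # libc: gnu
 # - os: ubuntu-20.04
 # cpu: x86_64
-# platform:
-# image: jruby:9.
-# qemu:
+# platform: aarch64-linux-gnu
+# image: jruby:9.3.4.0
+# qemu: arm64
 # libc: gnu
 name: Test (${{ matrix.image }}, ${{ matrix.cpu }})
 runs-on: ${{ matrix.os }}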
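--- a/data/README.md
+++ b/data/README.md
@@ -4,3 +4,121 @@
 
 For the libddwaf implementation, see this repository:
 - [``libddwaf``: libddwaf](https://github.com/DataDog/libddwaf.git)
+
+
+
+## Rake tasks
+
+### Outline
+
+A typical workflow is as follows:
+
+```
+rake fetch # fetch prebuilt libddwaf binaries tarball in vendor/libddwaf
+rake extract # extract downloaded tarball in vendor/libddwaf
+rake spec # run rspec
+rake binary # build the gem
+```
+
+Note that each depends on the previous one, but `fetch` and `extract` are lazy, which proves useful to produce manual builds.
+
+### Platform selection
+
+By default the above will automatically use the local Ruby platform.
+
+Since libddwaf binary builds are available upstream, it's possible to build gems for any platform on any other platform. To that end `fetch`, `extract`, and `binary` can take an argument to specify the Ruby platform for which these operations should apply:
+
+```
+rake fetch[x86_64-linux-musl]
+rake extract[x86_64-linux-musl]
+rake binary[x86_64-linux-musl]
+```
+
+Of course you can't force the platform for `rspec` since that requires running code; see the Docker section below for ways to achieve that.
+
+Note that zsh gives special meaning to brackets, therefore you may need to quote the argument:
+
+```
+rake 'fetch[x86_64-linux-musl]'
+```
+
+Available platforms are:
+
+```
+x86_64-linux-musl # Alpine build: targets musl-based Linux
+x86_64-linux-gnu # Debian build: targets glibc-based Linux
+x86_64-linux # Portable build: targets multiple linux libc
+x86_64-darwin # Darwin build: targets macOS
+aarch64-linux-musl # Same as above, for ARMv8
+aarch64-linux-gnu # Same as above, for ARMv8
+aarch64-linux # Same as above, for ARMv8
+arm64-darwin # Same as above, for Apple Silicon
+java # JRuby build, universal
+```
+
+Note: since it is not (yet) possible to package gems for the `java` Ruby platform any other way than `java`, it has to package all the native architectures.
+
+In addition, options can be specified for the portable build:
+
+```
+rake binary[x86_64-linux:gnu+musl] # Combined build: combine musl and glibc builds, selecting one at runtime
+rake binary[x86_64-linux:llvm] # Hybrid build: linked to llvm static libs and built against a musl sysroot
+```
+
+See upstream libddwaf for details about the [hybrid portable build](https://github.com/DataDog/libddwaf/blob/master/docker/libddwaf/README.md).
+
+## Testing with Docker
+
+Unless using Docker for Mac, remember to enable foreign CPU emulation via QEMU:
+
+```
+# aarch64 on x86_64 hardware
+docker run --privileged --rm tonistiigi/binfmt --install arm64
+# x86_64 on aarch64 hardware
+docker run --privileged --rm tonistiigi/binfmt --install amd64
+```
+
+Then you can substitute e.g `--platform linux/x86_64` with `--platform linux/aarch64` below.
+
+### GNU (Debian)
+
+```
+# this is too old for aarch64
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.1 sh -c 'rm -fv Gemfile.lock && gem install bundler -v "~> 1.17" && bundle install && bundle exec rake spec'
+# these are fine for aarch64
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.2 sh -c 'rm -fv Gemfile.lock && gem install bundler -v "~> 1.17" && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.3 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.4 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.5 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.6 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.7 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:3.0 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:3.1 sh -c 'rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+```
+
+### musl (Alpine)
+
+```
+# these are too old for aarch64
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.1-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler -v "~> 1.17" && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.2-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler -v "~> 1.17" && bundle install && bundle exec rake spec'
+# these are fine for aarch64
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.3-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.4-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.5-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.6-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:2.7-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:3.0-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:3.1-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" ruby:3.1-alpine sh -c 'apk update && apk add build-base git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+```
+
+### JRuby
+
+```
+# these are too old for aarch64
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" jruby:9.2.8.0 sh -c 'apt-get update && apt-get install -y build-essential git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" jruby:9.3.0.0 sh -c 'apt-get update && apt-get install -y build-essential git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+# this is fine for aarch64
+docker run --rm -it --platform linux/x86_64 -v "${PWD}":"${PWD}" -w "${PWD}" jruby:9.3.4.0 sh -c 'apt-get update && apt-get install -y build-essential git && rm -fv Gemfile.lock && gem install bundler:2.2.22 && bundle install && bundle exec rake spec'
+```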
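--- a/data/lib/datadog/appsec/waf.rb
+++ b/data/lib/datadog/appsec/waf.rb
@@ -6,7 +6,13 @@ module Datadog
 module AppSec
 module WAF
 module LibDDWAF
-class Error < StandardError
+class Error < StandardError
+attr_reader :ruleset_info
+
+def initialize(msg, ruleset_info: nil)
+@ruleset_info = ruleset_info
+end
+end
 
 extend ::FFI::Library
 
@@ -26,12 +32,22 @@ module Datadog
 Gem::Platform.local.os
 end
 
+def self.local_version
+return nil unless local_os == 'linux'
+
+# Old rubygems don't handle non-gnu linux correctly
+return $1 if RUBY_PLATFORM =~ /linux-(.+)$/
+
+'gnu'
+end
+
 def self.local_cpu
 if RUBY_ENGINE == 'jruby'
 os_arch = java.lang.System.get_property('os.arch')
 
 cpu = case os_arch
 when 'amd64' then 'x86_64'
+when 'aarch64' then 'aarch64'
 else raise Error, "unsupported JRuby os.arch: #{os_arch.inspect}"
 end
 
@@ -41,12 +57,28 @@ module Datadog
 Gem::Platform.local.cpu
 end
 
+def self.vendor_dir
+File.join(__dir__, '../../../vendor')
+end
+
+def self.libddwaf_vendor_dir
+File.join(vendor_dir, 'libddwaf')
+end
+
+def self.shared_lib_triplet
+local_version ? "#{local_os}-#{local_version}-#{local_cpu}" : "#{local_os}-#{local_cpu}"
+end
+
+def self.libddwaf_dir
+File.join(libddwaf_vendor_dir, "libddwaf-#{Datadog::AppSec::WAF::VERSION::BASE_STRING}-#{shared_lib_triplet}")
+end
+
 def self.shared_lib_extname
 Gem::Platform.local.os == 'darwin' ? '.dylib' : '.so'
 end
 
 def self.shared_lib_path
-File.join(
+File.join(libddwaf_dir, 'lib', "libddwaf#{shared_lib_extname}")
 end
 
 ffi_lib [shared_lib_path]
@@ -158,8 +190,8 @@ module Datadog
 end
 
 class Obfuscator < ::FFI::Struct
-layout :key_regex, :
-:value_regex, :
+layout :key_regex, :pointer, # :charptr
+:value_regex, :pointer # :charptr
 end
 
 layout :limits, Limits,
@@ -183,7 +215,7 @@ module Datadog
 attach_function :ddwaf_init, [:ddwaf_rule, :ddwaf_config, :ddwaf_ruleset_info], :ddwaf_handle
 attach_function :ddwaf_destroy, [:ddwaf_handle], :void
 
-attach_function :ddwaf_required_addresses, [:ddwaf_handle,
+attach_function :ddwaf_required_addresses, [:ddwaf_handle, UInt32Ptr], :charptrptr
 
 # running
 
@@ -259,7 +291,7 @@ module Datadog
 end
 
 val.each do |k, v|
-res = LibDDWAF.ddwaf_object_map_addl(obj, k.to_s, k.to_s.
+res = LibDDWAF.ddwaf_object_map_addl(obj, k.to_s, k.to_s.bytesize, ruby_to_object(v))
 unless res
 fail LibDDWAF::Error, "Could not add to map object: #{k.inspect} => #{v.inspect}"
 end
@@ -268,7 +300,7 @@ module Datadog
 obj
 when String
 obj = LibDDWAF::Object.new
-res = LibDDWAF.ddwaf_object_stringl(obj, val, val.
+res = LibDDWAF.ddwaf_object_stringl(obj, val, val.bytesize)
 if res.null?
 fail LibDDWAF::Error, "Could not convert into object: #{val}"
 end
@@ -276,7 +308,8 @@ module Datadog
 obj
 when Symbol
 obj = LibDDWAF::Object.new
-
+str = val.to_s
+res = LibDDWAF.ddwaf_object_stringl(obj, str, str.bytesize)
 if res.null?
 fail LibDDWAF::Error, "Could not convert into object: #{val}"
 end
@@ -354,7 +387,9 @@ module Datadog
 DEFAULT_MAX_CONTAINER_DEPTH = 0
 DEFAULT_MAX_STRING_LENGTH = 0
 
-
+attr_reader :ruleset_info
+
+def initialize(rule, limits: {}, obfuscator: {})
 rule_obj = Datadog::AppSec::WAF.ruby_to_object(rule)
 if rule_obj.null? || rule_obj[:type] == :ddwaf_object_invalid
 fail LibDDWAF::Error, "Could not convert object #{rule.inspect}"
@@ -365,15 +400,25 @@ module Datadog
 fail LibDDWAF::Error, 'Could not create config struct'
 end
 
-config_obj[:limits][:max_container_size] =
-config_obj[:limits][:max_container_depth] =
-config_obj[:limits][:max_string_length] =
+config_obj[:limits][:max_container_size] = limits[:max_container_size] || DEFAULT_MAX_CONTAINER_SIZE
+config_obj[:limits][:max_container_depth] = limits[:max_container_depth] || DEFAULT_MAX_CONTAINER_DEPTH
+config_obj[:limits][:max_string_length] = limits[:max_string_length] || DEFAULT_MAX_STRING_LENGTH
+config_obj[:obfuscator][:key_regex] = FFI::MemoryPointer.from_string(obfuscator[:key_regex]) if obfuscator[:key_regex]
+config_obj[:obfuscator][:value_regex] = FFI::MemoryPointer.from_string(obfuscator[:value_regex]) if obfuscator[:value_regex]
 
-ruleset_info = LibDDWAF::
+ruleset_info = LibDDWAF::RuleSetInfo.new
 
 @handle_obj = Datadog::AppSec::WAF::LibDDWAF.ddwaf_init(rule_obj, config_obj, ruleset_info)
+
+@ruleset_info = {
+loaded: ruleset_info[:loaded],
+failed: ruleset_info[:failed],
+errors: WAF.object_to_ruby(ruleset_info[:errors]),
+version: ruleset_info[:version],
+}
+
 if @handle_obj.null?
-fail LibDDWAF::Error
+fail LibDDWAF::Error.new('Could not create handle', ruleset_info: @ruleset_info)
 end
 
 ObjectSpace.define_finalizer(self, Handle.finalizer(handle_obj))
@@ -387,6 +432,15 @@ module Datadog
 Datadog::AppSec::WAF::LibDDWAF.ddwaf_destroy(handle_obj)
 end
 end
+
+def required_addresses
+count = Datadog::AppSec::WAF::LibDDWAF::UInt32Ptr.new
+list = Datadog::AppSec::WAF::LibDDWAF.ddwaf_required_addresses(handle_obj, count)
+
+return [] if count == 0 # list is null
+
+list.get_array_of_string(0, count[:value])
+end
 end
 
 Result = Struct.new(:action, :data, :total_runtime, :timeout)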
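Review bot: The new `LibDDWAF::Error#initialize` in the first hunk stores `ruleset_info` but never calls `super`, so every `fail LibDDWAF::Error, "..."` in this file, including the new 'Could not create handle' one, would raise with the default message (the class name) and lose its diagnostic text; adding `super(msg)` as the first line of the initializer restores it. In `required_addresses` (last hunk) the guard `return [] if count == 0` compares the `UInt32Ptr` object itself with an Integer, while the next line reads `count[:value]`, so the guard presumably never fires and a null `list` would reach `get_array_of_string`; `return [] if count[:value] == 0` looks like the intended check. It is also worth confirming that the `FFI::MemoryPointer.from_string` buffers assigned to `config_obj[:obfuscator]` stay referenced until `ddwaf_init` returns, since nothing else in the hunk holds them and these regexes drive redaction. The enclosing modules and classes start and end outside these hunks, so callers that rescue `LibDDWAF::Error` are not visible here.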
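--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: libddwaf
 version: !ruby/object:Gem::Version
-version: 1.3.0.
+version: 1.3.0.2.0
 platform: ruby
 authors:
 - Datadog, Inc.
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-
+date: 2022-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: ffi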