libddwaf 1.3.0.2.0-x86_64-darwin → 1.5.1.0.1-x86_64-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cd64af8282e39c80685231bc47387ed3c685dce9a927e05ce8dfadc995dcc7a0
-  data.tar.gz: f3db575f44ce5bb8ecebf1732b77aa4ea5ae0350f053402f03f833a00280e869
+  metadata.gz: e0a596d9f94ee5aed556adfa96b6e005e5e49754c4bbcfb9b58becc61e97fd41
+  data.tar.gz: 7c4d3f254272fcca470bb6d6d57c4b08ee9a7af6dc0a3e8a691d73399ed2eab1
 SHA512:
-  metadata.gz: 3418e4f2bfb0b9c73cce9c7bc6fa8594fbdec009e01d59b210480484306982e7ae798c3ffdc25984cc1fc8dea4a50fc771fa7c924eae2af37719b4e029ad1372
-  data.tar.gz: 7fcb30f7a97d1c31abb2c26746eb8b60f637cdcbcfb05fe6fcfbe3fcc1fff73336c3d6c429e2f2c579cd4d12ce01e3b30b16f18c8287c31f8fc0b6454e357898
+  metadata.gz: c39d0828579f5d75ccdf6bd73e986fde409abdb0aa82d47fe8a667efa79e316c109fd65691471718fc0e2dc03ef6f6aea5b36b4518cdd9cd8149760372f86f60
+  data.tar.gz: '085b54fe799d706da464a5b4488d25c2b2e3529d1db235d1900a5b0e0567f0f92c12246d51350b1a6e97dfcc83a4a655794c2bfc498295535179483d54be6d65'

data/CHANGELOG.md

@@ -0,0 +1,79 @@
+# 2023-02-01 v1.5.1.0.1
+
+- Fix incorrect size in input string limit
+- Fix object freeing on `update_rule_data` and `toggle_rules`
+
+# 2022-10-04 v1.5.1.0.0
+
+- Update to libddwaf 1.5.1
+- Add live rule data update API
+- Add live rule toggle API
+- Add libddwaf boolean type support
+- Add Ruby to libddwaf object conversion limits
+- Add Ruby to libddwaf object converter optional coercion of scalars to string
+- Add static type checking via RBS+Steep
+- Change version to return a string
+- Change free function to be passed as config instead of context init argument
+- Change result to include action list
+- Change return code from action to status
+- Change handle and context freeing model from GC-based to explicit
+- Fix double-free upon finalization of retained C objects
+- Fix context crash by retaining necessary C objects
+
+# 2022-05-20 v1.3.0.2.0
+
+- Fix multibyte string handling
+- Support JRuby
+
+# 2022-04-29 v1.3.0.1.0
+
+Promotion of v1.3.0.1.0.beta1 to stable
+
+# 2022-04-25 v1.3.0.1.0.beta1
+
+- Add obfuscator configuration
+- Add nested object limit configuration
+- Add report ruleset information
+
+# 2022-04-29 v1.3.0.0.0
+
+- Promote v1.3.0.0.0.beta1 to stable
+
+# 2022-04-20 v1.3.0.0.0.beta1
+
+- Update to libddwaf 1.3.0
+
+# 2022-03-18 v1.2.1.0.0.beta1
+
+- Update to libddwaf 1.2.1
+- Fix incorrect types for a few binding functions
+
+# 2022-03-04 v1.0.14.2.1.beta1
+
+- Fix incorrect return code
+- Fix passing nil in libddwaf object containers
+
+# 2022-02-07 v1.0.14.2.0.beta1
+
+- Change Datadog::Security to Datadog::AppSec
+
+# 2022-02-01 v1.0.14.1.0.beta2
+
+- Add support for Ruby 3.1
+
+# 2021-12-14 v1.0.14.1.0.beta1
+
+- Fix sequential runs on a single context by retaining C input data objects
+
+# 2021-11-24 v1.0.14.0.0.beta1
+
+- Update to libddwaf 1.0.14
+
+# 2021-11-24 v1.0.13.0.0.beta1
+
+- Add ruby platform fallback for unsupported platforms
+- Update to libddwaf 1.0.13
+
+# 2021-10-13 v1.0.12.0.0.beta1
+
+- Initial release

data/lib/datadog/appsec/waf/version.rb

@@ -2,8 +2,8 @@ module Datadog
   module AppSec
     module WAF
       module VERSION
-        BASE_STRING = '1.3.0'
-        STRING = "#{BASE_STRING}.2.0"
+        BASE_STRING = '1.5.1'
+        STRING = "#{BASE_STRING}.0.1"
         MINIMUM_RUBY_VERSION = '2.1'
       end
     end

data/lib/datadog/appsec/waf.rb

@@ -57,20 +57,35 @@ module Datadog
           Gem::Platform.local.cpu
         end
 
+        def self.source_dir
+          __dir__ || raise('__dir__ is nil: eval?')
+        end
+
         def self.vendor_dir
-          File.join(__dir__, '../../../vendor')
+          File.join(source_dir, '../../../vendor')
         end
 
         def self.libddwaf_vendor_dir
           File.join(vendor_dir, 'libddwaf')
         end
 
-        def self.shared_lib_triplet
-          local_version ? "#{local_os}-#{local_version}-#{local_cpu}" : "#{local_os}-#{local_cpu}"
+        def self.shared_lib_triplet(version: local_version)
+          version ? "#{local_os}-#{version}-#{local_cpu}" : "#{local_os}-#{local_cpu}"
         end
 
         def self.libddwaf_dir
-          File.join(libddwaf_vendor_dir, "libddwaf-#{Datadog::AppSec::WAF::VERSION::BASE_STRING}-#{shared_lib_triplet}")
+          default = File.join(libddwaf_vendor_dir,
+                              "libddwaf-#{Datadog::AppSec::WAF::VERSION::BASE_STRING}-#{shared_lib_triplet}")
+          candidates = [
+            default
+          ]
+
+          if local_os == 'linux'
+            candidates << File.join(libddwaf_vendor_dir,
+                                    "libddwaf-#{Datadog::AppSec::WAF::VERSION::BASE_STRING}-#{shared_lib_triplet(version: nil)}")
+          end
+
+          candidates.find { |d| Dir.exist?(d) } || default
         end
 
         def self.shared_lib_extname
@@ -85,15 +100,7 @@ module Datadog
 
         # version
 
-        class Version < ::FFI::Struct
-          layout :major, :uint16,
-                 :minor, :uint16,
-                 :patch, :uint16
-        end
-
-        typedef Version.by_ref, :ddwaf_version
-
-        attach_function :ddwaf_get_version, [:ddwaf_version], :void
+        attach_function :ddwaf_get_version, [], :string
 
         # ddwaf::object data structure
 
@@ -102,7 +109,9 @@ module Datadog
                               :ddwaf_obj_unsigned, 1 << 1,
                               :ddwaf_obj_string,   1 << 2,
                               :ddwaf_obj_array,    1 << 3,
-                              :ddwaf_obj_map,      1 << 4
+                              :ddwaf_obj_map,      1 << 4,
+                              :ddwaf_obj_bool,     1 << 5
+        typedef DDWAF_OBJ_TYPE, :ddwaf_obj_type
 
         typedef :pointer, :charptr
         typedef :pointer, :charptrptr
@@ -129,7 +138,8 @@ module Datadog
           layout :stringValue, :charptr,
                  :uintValue,   :uint64,
                  :intValue,    :int64,
-                 :array,       :pointer
+                 :array,       :pointer,
+                 :boolean,     :bool
         end
 
         class Object < ::FFI::Struct
@@ -137,7 +147,7 @@ module Datadog
                  :parameterNameLength, :uint64,
                  :valueUnion,          ObjectValueUnion,
                  :nbEntries,           :uint64,
-                 :type,                DDWAF_OBJ_TYPE
+                 :type,                :ddwaf_obj_type
         end
 
         typedef Object.by_ref, :ddwaf_object
@@ -152,6 +162,7 @@ module Datadog
         attach_function :ddwaf_object_signed, [:ddwaf_object, :int64], :ddwaf_object
         attach_function :ddwaf_object_unsigned_force, [:ddwaf_object, :uint64], :ddwaf_object
         attach_function :ddwaf_object_signed_force, [:ddwaf_object, :int64], :ddwaf_object
+        attach_function :ddwaf_object_bool, [:ddwaf_object, :bool], :ddwaf_object
 
         attach_function :ddwaf_object_array, [:ddwaf_object], :ddwaf_object
         attach_function :ddwaf_object_array_add, [:ddwaf_object, :ddwaf_object], :bool
@@ -182,6 +193,8 @@ module Datadog
         typedef :pointer, :ddwaf_handle
         typedef Object.by_ref, :ddwaf_rule
 
+        callback :ddwaf_object_free_fn, [:ddwaf_object], :void
+
         class Config < ::FFI::Struct
           class Limits < ::FFI::Struct
             layout :max_container_size,  :uint32,
@@ -190,12 +203,13 @@ module Datadog
           end
 
           class Obfuscator < ::FFI::Struct
-            layout :key_regex,   :pointer, # :charptr
-                   :value_regex, :pointer  # :charptr
+            layout :key_regex,   :pointer, # should be :charptr
+                   :value_regex, :pointer  # should be :charptr
           end
 
           layout :limits,     Limits,
-                 :obfuscator, Obfuscator
+                 :obfuscator, Obfuscator,
+                 :free_fn,    :pointer #:ddwaf_object_free_fn
         end
 
         typedef Config.by_ref, :ddwaf_config
@@ -216,33 +230,43 @@ module Datadog
         attach_function :ddwaf_destroy, [:ddwaf_handle], :void
 
         attach_function :ddwaf_required_addresses, [:ddwaf_handle, UInt32Ptr], :charptrptr
+        attach_function :ddwaf_required_rule_data_ids, [:ddwaf_handle, UInt32Ptr], :charptrptr
+
+        # updating
+
+        DDWAF_RET_CODE = enum :ddwaf_err_internal,         -3,
+                              :ddwaf_err_invalid_object,   -2,
+                              :ddwaf_err_invalid_argument, -1,
+                              :ddwaf_ok,                    0,
+                              :ddwaf_match,                 1
+        typedef DDWAF_RET_CODE, :ddwaf_ret_code
+
+        attach_function :ddwaf_update_rule_data, [:ddwaf_handle, :ddwaf_object], :ddwaf_ret_code
+        attach_function :ddwaf_toggle_rules, [:ddwaf_handle, :ddwaf_object], :ddwaf_ret_code
 
         # running
 
         typedef :pointer, :ddwaf_context
 
-        callback :ddwaf_object_free_fn, [:ddwaf_object], :void
-
-        attach_function :ddwaf_context_init, [:ddwaf_handle, :ddwaf_object_free_fn], :ddwaf_context
+        attach_function :ddwaf_context_init, [:ddwaf_handle], :ddwaf_context
         attach_function :ddwaf_context_destroy, [:ddwaf_context], :void
 
-        DDWAF_RET_CODE = enum :ddwaf_err_internal,         -3,
-                              :ddwaf_err_invalid_object,   -2,
-                              :ddwaf_err_invalid_argument, -1,
-                              :ddwaf_good,                  0,
-                              :ddwaf_monitor,               1,
-                              :ddwaf_block,                 2
+        class ResultActions < ::FFI::Struct
+          layout :array, :charptrptr,
+                 :size,  :uint32
+        end
 
         class Result < ::FFI::Struct
           layout :timeout,          :bool,
                  :data,             :string,
+                 :actions,          ResultActions,
                  :total_runtime,    :uint64
         end
 
         typedef Result.by_ref, :ddwaf_result
         typedef :uint64, :timeout_us
 
-        attach_function :ddwaf_run, [:ddwaf_context, :ddwaf_object, :ddwaf_result, :timeout_us], DDWAF_RET_CODE, blocking: true
+        attach_function :ddwaf_run, [:ddwaf_context, :ddwaf_object, :ddwaf_result, :timeout_us], :ddwaf_ret_code, blocking: true
         attach_function :ddwaf_result_free, [:ddwaf_result], :void
 
         # logging
@@ -253,20 +277,28 @@ module Datadog
                                :ddwaf_log_warn,
                                :ddwaf_log_error,
                                :ddwaf_log_off
+        typedef DDWAF_LOG_LEVEL, :ddwaf_log_level
+
+        callback :ddwaf_log_cb, [:ddwaf_log_level, :string, :string, :uint, :charptr, :uint64], :void
+
+        attach_function :ddwaf_set_log_cb, [:ddwaf_log_cb, :ddwaf_log_level], :bool
+
+        DEFAULT_MAX_CONTAINER_SIZE  = 0
+        DEFAULT_MAX_CONTAINER_DEPTH = 0
+        DEFAULT_MAX_STRING_LENGTH   = 0
 
-        callback :ddwaf_log_cb, [DDWAF_LOG_LEVEL, :string, :string, :uint, :charptr, :uint64], :void
+        DDWAF_MAX_CONTAINER_SIZE  = 256
+        DDWAF_MAX_CONTAINER_DEPTH = 20
+        DDWAF_MAX_STRING_LENGTH   = 4096
 
-        attach_function :ddwaf_set_log_cb, [:ddwaf_log_cb, DDWAF_LOG_LEVEL], :bool
+        DDWAF_RUN_TIMEOUT = 5000
       end
 
       def self.version
-        version = LibDDWAF::Version.new
-        LibDDWAF.ddwaf_get_version(version.pointer)
-
-        [version[:major], version[:minor], version[:patch]]
+        LibDDWAF.ddwaf_get_version
       end
 
-      def self.ruby_to_object(val)
+      def self.ruby_to_object(val, max_container_size: nil, max_container_depth: nil, max_string_length: nil, coerce: true)
         case val
         when Array
           obj = LibDDWAF::Object.new
@@ -275,12 +307,20 @@ module Datadog
             fail LibDDWAF::Error, "Could not convert into object: #{val}"
           end
 
-          val.each do |e|
-            res = LibDDWAF.ddwaf_object_array_add(obj, ruby_to_object(e))
-            unless res
-              fail LibDDWAF::Error, "Could not add to map object: #{k.inspect} => #{v.inspect}"
+          max_index = max_container_size - 1 if max_container_size
+          val.each.with_index do |e, i|
+            member = ruby_to_object(e,
+                                    max_container_size: max_container_size,
+                                    max_container_depth: (max_container_depth - 1 if max_container_depth),
+                                    max_string_length: max_string_length,
+                                    coerce: coerce)
+            e_res = LibDDWAF.ddwaf_object_array_add(obj, member)
+            unless e_res
+              fail LibDDWAF::Error, "Could not add to array object: #{e.inspect}"
             end
-          end
+
+            break val if max_index && i >= max_index
+          end unless max_container_depth == 0
 
           obj
         when Hash
@@ -290,36 +330,56 @@ module Datadog
             fail LibDDWAF::Error, "Could not convert into object: #{val}"
           end
 
-          val.each do |k, v|
-            res = LibDDWAF.ddwaf_object_map_addl(obj, k.to_s, k.to_s.bytesize, ruby_to_object(v))
-            unless res
+          max_index = max_container_size - 1 if max_container_size
+          val.each.with_index do |e, i|
+            k, v = e[0], e[1] # for Steep, which doesn't handle |(k, v), i|
+
+            k = k.to_s[0, max_string_length] if max_string_length
+            member = ruby_to_object(v,
+                                    max_container_size: max_container_size,
+                                    max_container_depth: (max_container_depth - 1 if max_container_depth),
+                                    max_string_length: max_string_length,
+                                    coerce: coerce)
+            kv_res = LibDDWAF.ddwaf_object_map_addl(obj, k.to_s, k.to_s.bytesize, member)
+            unless kv_res
               fail LibDDWAF::Error, "Could not add to map object: #{k.inspect} => #{v.inspect}"
             end
-          end
+
+            break val if max_index && i >= max_index
+          end unless max_container_depth == 0
 
           obj
         when String
           obj = LibDDWAF::Object.new
-          res = LibDDWAF.ddwaf_object_stringl(obj, val, val.bytesize)
+          val = val.to_s[0, max_string_length] if max_string_length
+          str = val.to_s
+          res = LibDDWAF.ddwaf_object_stringl(obj, str, str.bytesize)
           if res.null?
-            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+            fail LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
           end
 
           obj
         when Symbol
           obj = LibDDWAF::Object.new
+          val = val.to_s[0, max_string_length] if max_string_length
           str = val.to_s
           res = LibDDWAF.ddwaf_object_stringl(obj, str, str.bytesize)
           if res.null?
-            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+            fail LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
           end
 
           obj
         when Integer
           obj = LibDDWAF::Object.new
-          res = LibDDWAF.ddwaf_object_string(obj, val.to_s)
+          res = if coerce
+                  LibDDWAF.ddwaf_object_string(obj, val.to_s)
+                elsif val < 0
+                  LibDDWAF.ddwaf_object_signed_force(obj, val)
+                else
+                  LibDDWAF.ddwaf_object_unsigned_force(obj, val)
+                end
           if res.null?
-            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+            fail LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
           end
 
           obj
@@ -327,15 +387,19 @@ module Datadog
           obj = LibDDWAF::Object.new
           res = LibDDWAF.ddwaf_object_string(obj, val.to_s)
           if res.null?
-            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+            fail LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
           end
 
           obj
         when TrueClass, FalseClass
           obj = LibDDWAF::Object.new
-          res = LibDDWAF.ddwaf_object_string(obj, val.to_s)
+          res = if coerce
+                  LibDDWAF.ddwaf_object_string(obj, val.to_s)
+                else
+                  LibDDWAF.ddwaf_object_bool(obj, val)
+                end
           if res.null?
-            fail LibDDWAF::Error, "Could not convert into object: #{val}"
+            fail LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
           end
 
           obj
@@ -348,6 +412,8 @@ module Datadog
         case obj[:type]
         when :ddwaf_obj_invalid
           nil
+        when :ddwaf_obj_bool
+          obj[:valueUnion][:boolean]
         when :ddwaf_obj_string
           obj[:valueUnion][:stringValue].read_bytes(obj[:nbEntries])
         when :ddwaf_obj_signed
@@ -372,21 +438,47 @@ module Datadog
         end
       end
 
+      def self.log_callback(level, func, file, line, message, len)
+        return if logger.nil?
+
+        logger.debug do
+          {
+            level: level,
+            func: func,
+            file: file,
+            line: line,
+            message: message.read_bytes(len)
+          }.inspect
+        end
+      end
+
+      def self.logger
+        @logger
+      end
+
       def self.logger=(logger)
-        @log_cb = proc do |level, func, file, line, message, len|
-          logger.debug { { level: level, func: func, file: file, line: line, message: message.read_bytes(len) }.inspect }
+        unless @log_callback
+          log_callback = method(:log_callback)
+          Datadog::AppSec::WAF::LibDDWAF.ddwaf_set_log_cb(log_callback, :ddwaf_log_trace)
+
+          # retain logging proc if set properly
+          @log_callback = log_callback
         end
 
-        Datadog::AppSec::WAF::LibDDWAF.ddwaf_set_log_cb(@log_cb, :ddwaf_log_trace)
+        @logger = logger
       end
 
+      RESULT_CODE = {
+        ddwaf_err_internal:         :err_internal,
+        ddwaf_err_invalid_object:   :err_invalid_object,
+        ddwaf_err_invalid_argument: :err_invalid_argument,
+        ddwaf_ok:                   :ok,
+        ddwaf_match:                :match,
+      }
+
       class Handle
         attr_reader :handle_obj
 
-        DEFAULT_MAX_CONTAINER_SIZE  = 0
-        DEFAULT_MAX_CONTAINER_DEPTH = 0
-        DEFAULT_MAX_STRING_LENGTH   = 0
-
         attr_reader :ruleset_info
 
         def initialize(rule, limits: {}, obfuscator: {})
@@ -399,12 +491,14 @@ module Datadog
           if config_obj.null?
             fail LibDDWAF::Error, 'Could not create config struct'
           end
+          retain(config_obj)
 
-          config_obj[:limits][:max_container_size]  = limits[:max_container_size]  || DEFAULT_MAX_CONTAINER_SIZE
-          config_obj[:limits][:max_container_depth] = limits[:max_container_depth] || DEFAULT_MAX_CONTAINER_DEPTH
-          config_obj[:limits][:max_string_length]   = limits[:max_string_length]   || DEFAULT_MAX_STRING_LENGTH
+          config_obj[:limits][:max_container_size]  = limits[:max_container_size]  || LibDDWAF::DEFAULT_MAX_CONTAINER_SIZE
+          config_obj[:limits][:max_container_depth] = limits[:max_container_depth] || LibDDWAF::DEFAULT_MAX_CONTAINER_DEPTH
+          config_obj[:limits][:max_string_length]   = limits[:max_string_length]   || LibDDWAF::DEFAULT_MAX_STRING_LENGTH
           config_obj[:obfuscator][:key_regex]       = FFI::MemoryPointer.from_string(obfuscator[:key_regex])   if obfuscator[:key_regex]
           config_obj[:obfuscator][:value_regex]     = FFI::MemoryPointer.from_string(obfuscator[:value_regex]) if obfuscator[:value_regex]
+          config_obj[:free_fn] = Datadog::AppSec::WAF::LibDDWAF::ObjectNoFree
 
           ruleset_info = LibDDWAF::RuleSetInfo.new
 
@@ -421,19 +515,21 @@ module Datadog
             fail LibDDWAF::Error.new('Could not create handle', ruleset_info: @ruleset_info)
           end
 
-          ObjectSpace.define_finalizer(self, Handle.finalizer(handle_obj))
+          validate!
         ensure
           Datadog::AppSec::WAF::LibDDWAF.ddwaf_ruleset_info_free(ruleset_info) if ruleset_info
           Datadog::AppSec::WAF::LibDDWAF.ddwaf_object_free(rule_obj) if rule_obj
         end
 
-        def self.finalizer(handle_obj)
-          proc do |object_id|
-            Datadog::AppSec::WAF::LibDDWAF.ddwaf_destroy(handle_obj)
-          end
+        def finalize
+          invalidate!
+
+          Datadog::AppSec::WAF::LibDDWAF.ddwaf_destroy(handle_obj)
         end
 
         def required_addresses
+          valid!
+
           count = Datadog::AppSec::WAF::LibDDWAF::UInt32Ptr.new
           list = Datadog::AppSec::WAF::LibDDWAF.ddwaf_required_addresses(handle_obj, count)
 
@@ -441,48 +537,108 @@ module Datadog
 
           list.get_array_of_string(0, count[:value])
         end
+
+        def update_rule_data(data)
+          data_obj = Datadog::AppSec::WAF.ruby_to_object(data, coerce: false)
+          res = Datadog::AppSec::WAF::LibDDWAF.ddwaf_update_rule_data(@handle_obj, data_obj)
+
+          RESULT_CODE[res]
+        ensure
+          Datadog::AppSec::WAF::LibDDWAF.ddwaf_object_free(data_obj) if data_obj
+        end
+
+        def toggle_rules(map)
+          map_obj = Datadog::AppSec::WAF.ruby_to_object(map, coerce: false)
+          res = Datadog::AppSec::WAF::LibDDWAF.ddwaf_toggle_rules(@handle_obj, map_obj)
+
+          RESULT_CODE[res]
+        ensure
+          Datadog::AppSec::WAF::LibDDWAF.ddwaf_object_free(map_obj) if map_obj
+        end
+
+        private
+
+        def validate!
+          @valid = true
+        end
+
+        def invalidate!
+          @valid = false
+        end
+
+        def valid?
+          @valid
+        end
+
+        def valid!
+          return if valid?
+
+          fail LibDDWAF::Error, "Attempt to use an invalid instance: #{inspect}"
+        end
+
+        def retained
+          @retained ||= []
+        end
+
+        def retain(object)
+          retained << object
+        end
+
+        def release(object)
+          retained.delete(object)
+        end
       end
 
-      Result = Struct.new(:action, :data, :total_runtime, :timeout)
+      class Result
+        attr_reader :status, :data, :total_runtime, :timeout, :actions
+
+        def initialize(status, data, total_runtime, timeout, actions)
+          @status = status
+          @data = data
+          @total_runtime = total_runtime
+          @timeout = timeout
+          @actions = actions
+        end
+      end
 
       class Context
         attr_reader :context_obj
 
         def initialize(handle)
           handle_obj = handle.handle_obj
-          free_func = Datadog::AppSec::WAF::LibDDWAF::ObjectNoFree
+          retain(handle)
 
-          @context_obj = Datadog::AppSec::WAF::LibDDWAF.ddwaf_context_init(handle_obj, free_func)
+          @context_obj = Datadog::AppSec::WAF::LibDDWAF.ddwaf_context_init(handle_obj)
           if @context_obj.null?
             fail LibDDWAF::Error, 'Could not create context'
           end
 
-          @input_objs = []
-
-          ObjectSpace.define_finalizer(self, Context.finalizer(context_obj, @input_objs))
+          validate!
         end
 
-        def self.finalizer(context_obj, input_objs)
-          proc do |object_id|
-            input_objs.each do |input_obj|
-              Datadog::AppSec::WAF::LibDDWAF.ddwaf_object_free(input_obj)
-            end
-            Datadog::AppSec::WAF::LibDDWAF.ddwaf_context_destroy(context_obj)
+        def finalize
+          invalidate!
+
+          retained.each do |retained_obj|
+            next unless retained_obj.is_a?(Datadog::AppSec::WAF::LibDDWAF::Object)
+
+            Datadog::AppSec::WAF::LibDDWAF.ddwaf_object_free(retained_obj)
           end
+
+          Datadog::AppSec::WAF::LibDDWAF.ddwaf_context_destroy(context_obj)
         end
 
-        DEFAULT_TIMEOUT_US = 10_0000
-        ACTION_MAP_OUT = {
-          ddwaf_err_internal:         :err_internal,
-          ddwaf_err_invalid_object:   :err_invalid_object,
-          ddwaf_err_invalid_argument: :err_invalid_argument,
-          ddwaf_good:                 :good,
-          ddwaf_monitor:              :monitor,
-          ddwaf_block:                :block,
-        }
+        def run(input, timeout = LibDDWAF::DDWAF_RUN_TIMEOUT)
+          valid!
+
+          max_container_size  = LibDDWAF::DDWAF_MAX_CONTAINER_SIZE
+          max_container_depth = LibDDWAF::DDWAF_MAX_CONTAINER_DEPTH
+          max_string_length   = LibDDWAF::DDWAF_MAX_STRING_LENGTH
 
-        def run(input, timeout = DEFAULT_TIMEOUT_US)
-          input_obj = Datadog::AppSec::WAF.ruby_to_object(input)
+          input_obj = Datadog::AppSec::WAF.ruby_to_object(input,
+                                                          max_container_size: max_container_size,
+                                                          max_container_depth: max_container_depth,
+                                                          max_string_length: max_string_length)
           if input_obj.null?
             fail LibDDWAF::Error, "Could not convert input: #{input.inspect}"
           end
@@ -493,21 +649,60 @@ module Datadog
           end
 
           # retain C objects in memory for subsequent calls to run
-          @input_objs << input_obj
+          retain(input_obj)
 
           code = Datadog::AppSec::WAF::LibDDWAF.ddwaf_run(@context_obj, input_obj, result_obj, timeout)
 
+          actions = if result_obj[:actions][:size] > 0
+                      result_obj[:actions][:array].get_array_of_string(0, result_obj[:actions][:size])
+                    else
+                      []
+                    end
+
           result = Result.new(
-            ACTION_MAP_OUT[code],
+            RESULT_CODE[code],
             (JSON.parse(result_obj[:data]) if result_obj[:data] != nil),
             result_obj[:total_runtime],
             result_obj[:timeout],
+            actions,
           )
 
-          [ACTION_MAP_OUT[code], result]
+          [RESULT_CODE[code], result]
         ensure
           Datadog::AppSec::WAF::LibDDWAF.ddwaf_result_free(result_obj) if result_obj
         end
+
+        private
+
+        def validate!
+          @valid = true
+        end
+
+        def invalidate!
+          @valid = false
+        end
+
+        def valid?
+          @valid
+        end
+
+        def valid!
+          return if valid?
+
+          fail LibDDWAF::Error, "Attempt to use an invalid instance: #{inspect}"
+        end
+
+        def retained
+          @retained ||= []
+        end
+
+        def retain(object)
+          retained << object
+        end
+
+        def release(object)
+          retained.delete(object)
+        end
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: libddwaf
 version: !ruby/object:Gem::Version
-  version: 1.3.0.2.0
+  version: 1.5.1.0.1
 platform: x86_64-darwin
 authors:
 - Datadog, Inc.
 autorequire:
 bindir: bin
 cert_chain: []
-date: 1980-01-01 00:00:00.000000000 Z
+date: 2023-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -33,6 +33,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG.md
 - LICENSE
 - LICENSE-3rdparty.csv
 - LICENSE.Apache
@@ -41,8 +42,8 @@ files:
 - lib/datadog/appsec/waf.rb
 - lib/datadog/appsec/waf/version.rb
 - lib/libddwaf.rb
-- vendor/libddwaf/libddwaf-1.3.0-darwin-x86_64/lib/libddwaf.dylib
-homepage: https://github.com/DataDog/libddwaf
+- vendor/libddwaf/libddwaf-1.5.1-darwin-x86_64/lib/libddwaf.dylib
+homepage: https://github.com/DataDog/libddwaf-rb
 licenses:
 - BSD-3-Clause
 metadata:
@@ -62,7 +63,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 2.0.0
 requirements: []
-rubygems_version: 3.2.26
+rubygems_version: 3.4.4
 signing_key:
 specification_version: 4
 summary: Datadog WAF