libddwaf 1.22.0.0.2 → 1.24.1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0df9a5856b3d088cb3df3831c6ff9a8effbbfafbca8648e39aac1e7d54c26252
-  data.tar.gz: 162b988831c6b41f5f4ff556eee37b117120c02aa66e288f569b663759c9fc67
+  metadata.gz: 10d8d57e5c46bce6df51fd1b551831c8d4421144837498ce916c093c0b255b8e
+  data.tar.gz: d8fd00d07b23de9ff1af3be34b0344f0a1404db5da66e219e312a75d8d191942
 SHA512:
-  metadata.gz: c29189c22f7b96212ef2bf3e9c5089ee7984e29da3d4dabe3a639ba033b8f6126c3aa72f94e7ca82963bcef78eb8efdeee4b27eee0645adf9ad2cebac5107504
-  data.tar.gz: bda9cb832b37a022553f64903d3aeceb4432ecccfcf6c7d5fb3f46f0cad0e37bb493f9559e005c24003744053c00d68593d7a15790c323701f6e07d4f0c5ca1d
+  metadata.gz: 20d4c8ae3986514d5bf69d830a75468973e3688e971fe03068cd3451d58ddb0bf3a9e0ad86303b04c7e42cbef85dc9bf1e61e23e3db77a57374d30422c54b9c2
+  data.tar.gz: bd3c2665b3b5ab606ad59dc48e4eac7cd8f5568c38141d3cee0cddcbb2ba5681186174bbe1804657c47441a204297a1313a86fb3cf25274e398b857732382c77

data/.github/workflows/lint.yml

@@ -15,8 +15,8 @@ jobs:
       - name: Bundle
         run: bundle install
 
-      - name: Run Rubocop
-        run: bundle exec rubocop -D
+      - name: Run standardrb
+        run: standardrb
 
   type-check:
     name: Type check

data/.github/workflows/test-for-memory-leaks.yml

@@ -0,0 +1,15 @@
+name: Test for memory leaks
+on: [push]
+jobs:
+  test-memcheck:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ruby/setup-ruby@f41e084df884422b269f4c01c3748a9df4431a75 # v1.236.0
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+          bundler: latest
+          cache-version: v1 # bump this to invalidate cache
+      - run: sudo apt-get update && (sudo apt-get install -y valgrind || sleep 5 && sudo apt-get install -y valgrind --no-install-recommends --no-install-suggests) && valgrind --version
+      - run: bundle exec rake binary spec:memory_leaks:all

data/CHANGELOG.md

@@ -1,3 +1,24 @@
+# Unreleased v1.23.0.0.0
+
+## Added
+
+- Add `HandleBuilder` class for managing libddwaf configuration and building WAF handles
+- Add Error classes:
+  - `LibDDWAFError` for libddwaf errors
+  - `ConversionError` for conversion errors
+  - `InstanceFinalizedError` that is raised when attempting to run methods on finalized instances
+
+## Changed
+
+- Change `Handle` instantiation - now it should be done using `HandleBuilder#build_handle` method
+- Change `Context` instantiation - now is should be done using `Handle#build_context` method
+- Change configuration of Limits and obfuscation - it is now done when initializing `HandleBuilder`
+- Change `Context#run` to return a `Result` object instead of an tuple with code and result
+
+## Removed
+
+- Remove `WAF::Handle#merge` method - the configuration is now handled by `HandleBuilder`
+
 # 2025-02-20 v.1.18.0.0.1
 
 - Fixed memory-leak in `Datadog::AppSec::WAF::Context#run` when non-empty ephemeral data passed
@@ -12,7 +33,6 @@
 - Update to libddwaf 1.14.0
 - Add support for `Float` and `Nil` scalar values when converting from ruby to WAF Object and vice versa.
 
-
 # 2023-08-29 v.1.11.0.0.0
 
 - Update to libddwaf 1.11.0
@@ -21,7 +41,6 @@
 - Changed `Datadog::AppSec::WAF::Result#data` to `Datadog::AppSec::WAF::Result#events`. (Breaking change)
   The schema of the events variable can be found [here](https://github.com/DataDog/libddwaf/blob/master/schema/events.json)
 
-
 # 2023-08-28 v.1.10.0.0.0
 
 - Update to libddwaf 1.10.0

data/Dockerfile

@@ -0,0 +1,11 @@
+FROM ruby:3.4
+
+RUN apt-get update && apt-get install -y valgrind --no-install-recommends --no-install-suggests
+
+ADD . /libddwaf-rb
+
+WORKDIR /libddwaf-rb
+
+RUN bundle install
+
+CMD /bin/bash

data/Steepfile

@@ -13,9 +13,9 @@ target :lib do
   library "jruby"
   library "gem"
 
-#   # configure_code_diagnostics(D::Ruby.strict)       # `strict` diagnostics setting
-#   # configure_code_diagnostics(D::Ruby.lenient)      # `lenient` diagnostics setting
-#   # configure_code_diagnostics do |hash|             # You can setup everything yourself
-#   #   hash[D::Ruby::NoMethod] = :information
-#   # end
+  # configure_code_diagnostics(D::Ruby.strict)       # `strict` diagnostics setting
+  # configure_code_diagnostics(D::Ruby.lenient)      # `lenient` diagnostics setting
+  # configure_code_diagnostics do |hash|             # You can setup everything yourself
+  #   hash[D::Ruby::NoMethod] = :information
+  # end
 end

data/lib/datadog/appsec/waf/context.rb

@@ -14,20 +14,16 @@ module Datadog
           ddwaf_err_invalid_argument: :err_invalid_argument
         }.freeze
 
-        attr_reader :context_obj
-
-        def initialize(handle)
-          handle_obj = handle.handle_obj
-          retain(handle)
-
-          @context_obj = LibDDWAF.ddwaf_context_init(handle_obj)
-          raise LibDDWAF::Error, 'Could not create context' if @context_obj.null?
-
-          validate!
+        def initialize(context_ptr)
+          @context_ptr = context_ptr
         end
 
-        def finalize
-          invalidate!
+        # Destroys the WAF context and sets the pointer to nil.
+        #
+        # The instance becomes unusable after this method is called.
+        def finalize!
+          context_ptr_to_destroy = @context_ptr
+          @context_ptr = nil
 
           retained.each do |retained_obj|
             next unless retained_obj.is_a?(LibDDWAF::Object)
@@ -36,11 +32,17 @@ module Datadog
           end
 
           retained.clear
-          LibDDWAF.ddwaf_context_destroy(context_obj)
+          LibDDWAF.ddwaf_context_destroy(context_ptr_to_destroy)
         end
 
+        # Runs the WAF context with the given persistent and ephemeral data.
+        #
+        # @raise [ConversionError] if the conversion of persistent or ephemeral data fails
+        # @raise [LibDDWAFError] if libddwaf could not create the result object
+        #
+        # @return [Result] the result of the WAF run
         def run(persistent_data, ephemeral_data, timeout = LibDDWAF::DDWAF_RUN_TIMEOUT)
-          valid!
+          ensure_pointer_presence!
 
           persistent_data_obj = Converter.ruby_to_object(
             persistent_data,
@@ -50,7 +52,7 @@ module Datadog
             coerce: false
           )
           if persistent_data_obj.null?
-            raise LibDDWAF::Error, "Could not convert persistent data: #{persistent_data.inspect}"
+            raise ConversionError, "Could not convert persistent data: #{persistent_data.inspect}"
           end
 
           # retain C objects in memory for subsequent calls to run
@@ -64,15 +66,15 @@ module Datadog
             coerce: false
           )
           if ephemeral_data_obj.null?
-            raise LibDDWAF::Error, "Could not convert ephemeral data: #{ephemeral_data.inspect}"
+            raise ConversionError, "Could not convert ephemeral data: #{ephemeral_data.inspect}"
           end
 
           result_obj = LibDDWAF::Result.new
-          raise LibDDWAF::Error, 'Could not create result object' if result_obj.null?
+          raise LibDDWAFError, "Could not create result object" if result_obj.null?
 
-          code = LibDDWAF.ddwaf_run(@context_obj, persistent_data_obj, ephemeral_data_obj, result_obj, timeout)
+          code = LibDDWAF.ddwaf_run(@context_ptr, persistent_data_obj, ephemeral_data_obj, result_obj, timeout)
 
-          result = Result.new(
+          Result.new(
             RESULT_CODE[code],
             Converter.object_to_ruby(result_obj[:events]),
             result_obj[:total_runtime],
@@ -80,8 +82,6 @@ module Datadog
             Converter.object_to_ruby(result_obj[:actions]),
             Converter.object_to_ruby(result_obj[:derivatives])
           )
-
-          [RESULT_CODE[code], result]
         ensure
           LibDDWAF.ddwaf_result_free(result_obj) if result_obj
           LibDDWAF.ddwaf_object_free(ephemeral_data_obj) if ephemeral_data_obj
@@ -89,24 +89,10 @@ module Datadog
 
         private
 
-        # FIXME: Rename into something which reflect that it's impossible to run
-        #        libddwaf on finalized context (closed)
-        def validate!
-          @valid = true
-        end
-
-        def invalidate!
-          @valid = false
-        end
-
-        def valid?
-          @valid
-        end
-
-        def valid!
-          return if valid?
+        def ensure_pointer_presence!
+          return if @context_ptr
 
-          raise LibDDWAF::Error, "Attempt to use an invalid instance: #{inspect}"
+          raise InstanceFinalizedError, "Cannot use WAF context after it has been finalized"
         end
 
         def retained

data/lib/datadog/appsec/waf/converter.rb

@@ -7,66 +7,67 @@ module Datadog
       module Converter
         module_function
 
-        # rubocop:disable Metrics/MethodLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+        # standard:disable Metrics/MethodLength,Metrics/CyclomaticComplexity
         def ruby_to_object(val, max_container_size: nil, max_container_depth: nil, max_string_length: nil, coerce: true)
           case val
           when Array
             obj = LibDDWAF::Object.new
             res = LibDDWAF.ddwaf_object_array(obj)
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val}"
-            end
+            raise ConversionError, "Could not convert into object: #{val}" if res.null?
 
             max_index = max_container_size - 1 if max_container_size
-            val.each.with_index do |e, i| # rubocop:disable Style/MultilineIfModifier
-              member = Converter.ruby_to_object(e,
-                                                max_container_size: max_container_size,
-                                                max_container_depth: (max_container_depth - 1 if max_container_depth),
-                                                max_string_length: max_string_length,
-                                                coerce: coerce)
-              e_res = LibDDWAF.ddwaf_object_array_add(obj, member)
-              raise LibDDWAF::Error, "Could not add to array object: #{e.inspect}" unless e_res
-
-              break val if max_index && i >= max_index
-            end unless max_container_depth == 0
+            unless max_container_depth == 0
+              val.each.with_index do |e, i|
+                member = Converter.ruby_to_object(
+                  e,
+                  max_container_size: max_container_size,
+                  max_container_depth: (max_container_depth - 1 if max_container_depth),
+                  max_string_length: max_string_length,
+                  coerce: coerce
+                )
+                e_res = LibDDWAF.ddwaf_object_array_add(obj, member)
+                raise ConversionError, "Could not add to array object: #{e.inspect}" unless e_res
+
+                break val if max_index && i >= max_index
+              end
+            end
 
             obj
           when Hash
             obj = LibDDWAF::Object.new
             res = LibDDWAF.ddwaf_object_map(obj)
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val}"
-            end
+            raise ConversionError, "Could not convert into object: #{val}" if res.null?
 
             max_index = max_container_size - 1 if max_container_size
-            val.each.with_index do |e, i| # rubocop:disable Style/MultilineIfModifier
-              # for Steep, which doesn't handle |(k, v), i|
-              k, v = e[0], e[1] # rubocop:disable Style/ParallelAssignment
-
-              k = k.to_s[0, max_string_length] if max_string_length
-              member = Converter.ruby_to_object(v,
-                                                max_container_size: max_container_size,
-                                                max_container_depth: (max_container_depth - 1 if max_container_depth),
-                                                max_string_length: max_string_length,
-                                                coerce: coerce)
-              kv_res = LibDDWAF.ddwaf_object_map_addl(obj, k.to_s, k.to_s.bytesize, member)
-              unless kv_res
-                raise LibDDWAF::Error, "Could not add to map object: #{k.inspect} => #{v.inspect}"
+            unless max_container_depth == 0
+              val.each.with_index do |e, i|
+                # for Steep, which doesn't handle |(k, v), i|
+                k = e[0]
+                v = e[1]
+
+                k = k.to_s[0, max_string_length] if max_string_length
+                member = Converter.ruby_to_object(
+                  v,
+                  max_container_size: max_container_size,
+                  max_container_depth: (max_container_depth - 1 if max_container_depth),
+                  max_string_length: max_string_length,
+                  coerce: coerce
+                )
+                kv_res = LibDDWAF.ddwaf_object_map_addl(obj, k.to_s, k.to_s.bytesize, member)
+                raise ConversionError, "Could not add to map object: #{k.inspect} => #{v.inspect}" unless kv_res
+
+                break val if max_index && i >= max_index
               end
-
-              break val if max_index && i >= max_index
-            end unless max_container_depth == 0
+            end
 
             obj
           when String
             obj = LibDDWAF::Object.new
-            encoded_val = val.to_s.encode('utf-8', invalid: :replace, undef: :replace)
+            encoded_val = val.to_s.encode(Encoding::UTF_8, invalid: :replace, undef: :replace)
             val = encoded_val[0, max_string_length] if max_string_length
             str = val.to_s
             res = LibDDWAF.ddwaf_object_stringl(obj, str, str.bytesize)
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
-            end
+            raise ConversionError, "Could not convert into object: #{val.inspect}" if res.null?
 
             obj
           when Symbol
@@ -74,67 +75,58 @@ module Datadog
             val = val.to_s[0, max_string_length] if max_string_length
             str = val.to_s
             res = LibDDWAF.ddwaf_object_stringl(obj, str, str.bytesize)
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
-            end
+            raise ConversionError, "Could not convert into object: #{val.inspect}" if res.null?
 
             obj
           when Integer
             obj = LibDDWAF::Object.new
             res = if coerce
-                    LibDDWAF.ddwaf_object_string(obj, val.to_s)
-                  elsif val < 0
-                    LibDDWAF.ddwaf_object_signed(obj, val)
-                  else
-                    LibDDWAF.ddwaf_object_unsigned(obj, val)
-                  end
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+              LibDDWAF.ddwaf_object_string(obj, val.to_s)
+            elsif val < 0
+              LibDDWAF.ddwaf_object_signed(obj, val)
+            else
+              LibDDWAF.ddwaf_object_unsigned(obj, val)
             end
+            raise ConversionError, "Could not convert into object: #{val.inspect}" if res.null?
 
             obj
           when Float
             obj = LibDDWAF::Object.new
             res = if coerce
-                    LibDDWAF.ddwaf_object_string(obj, val.to_s)
-                  else
-                    LibDDWAF.ddwaf_object_float(obj, val)
-                  end
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+              LibDDWAF.ddwaf_object_string(obj, val.to_s)
+            else
+              LibDDWAF.ddwaf_object_float(obj, val)
             end
+            raise ConversionError, "Could not convert into object: #{val.inspect}" if res.null?
 
             obj
           when TrueClass, FalseClass
             obj = LibDDWAF::Object.new
             res = if coerce
-                    LibDDWAF.ddwaf_object_string(obj, val.to_s)
-                  else
-                    LibDDWAF.ddwaf_object_bool(obj, val)
-                  end
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+              LibDDWAF.ddwaf_object_string(obj, val.to_s)
+            else
+              LibDDWAF.ddwaf_object_bool(obj, val)
             end
+            raise ConversionError, "Could not convert into object: #{val.inspect}" if res.null?
 
             obj
           when NilClass
             obj = LibDDWAF::Object.new
             res = if coerce
-                    LibDDWAF.ddwaf_object_string(obj, '')
-                  else
-                    LibDDWAF.ddwaf_object_null(obj)
-                  end
-            if res.null?
-              raise LibDDWAF::Error, "Could not convert into object: #{val.inspect}"
+              LibDDWAF.ddwaf_object_string(obj, "")
+            else
+              LibDDWAF.ddwaf_object_null(obj)
             end
+            raise ConversionError, "Could not convert into object: #{val.inspect}" if res.null?
 
             obj
           else
-            Converter.ruby_to_object('')
+            Converter.ruby_to_object("")
           end
         end
-        # rubocop:enable Metrics/MethodLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+        # standard:enable Metrics/MethodLength,Metrics/CyclomaticComplexity
 
+        # standard:disable Metrics/MethodLength,Metrics/CyclomaticComplexity
         def object_to_ruby(obj)
           case obj[:type]
           when :ddwaf_obj_invalid, :ddwaf_obj_null
@@ -170,6 +162,7 @@ module Datadog
             end
           end
         end
+        # standard:enable Metrics/MethodLength,Metrics/CyclomaticComplexity
       end
     end
   end

data/lib/datadog/appsec/waf/errors.rb

@@ -0,0 +1,19 @@
+module Datadog
+  module AppSec
+    module WAF
+      Error = Class.new(StandardError)
+      InstanceFinalizedError = Class.new(Error)
+      ConversionError = Class.new(Error)
+
+      class LibDDWAFError < Error
+        attr_reader :diagnostics
+
+        def initialize(msg, diagnostics: nil)
+          @diagnostics = diagnostics
+
+          super(msg)
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/waf/handle.rb

@@ -6,101 +6,54 @@ module Datadog
       # Ruby representation of the ddwaf_handle in libddwaf
       # See https://github.com/DataDog/libddwaf/blob/10e3a1dfc7bc9bb8ab11a09a9f8b6b339eaf3271/BINDING_IMPL_NOTES.md?plain=1#L4-L19
       class Handle
-        attr_reader :handle_obj, :diagnostics, :config
-
-        def initialize(rule, limits: {}, obfuscator: {})
-          rule_obj = Converter.ruby_to_object(rule)
-          if rule_obj.null? || rule_obj[:type] == :ddwaf_object_invalid
-            raise LibDDWAF::Error, "Could not convert object #{rule.inspect}"
-          end
-
-          config_obj = Datadog::AppSec::WAF::LibDDWAF::Config.new
-          if config_obj.null?
-            raise LibDDWAF::Error, 'Could not create config struct'
-          end
-
-          config_obj[:limits][:max_container_size]  = limits[:max_container_size]  || LibDDWAF::DEFAULT_MAX_CONTAINER_SIZE
-          config_obj[:limits][:max_container_depth] = limits[:max_container_depth] || LibDDWAF::DEFAULT_MAX_CONTAINER_DEPTH
-          config_obj[:limits][:max_string_length]   = limits[:max_string_length]   || LibDDWAF::DEFAULT_MAX_STRING_LENGTH
-          config_obj[:obfuscator][:key_regex]       = FFI::MemoryPointer.from_string(obfuscator[:key_regex])   if obfuscator[:key_regex]
-          config_obj[:obfuscator][:value_regex]     = FFI::MemoryPointer.from_string(obfuscator[:value_regex]) if obfuscator[:value_regex]
-          config_obj[:free_fn] = LibDDWAF::ObjectNoFree
-
-          @config = config_obj
-
-          diagnostics_obj = LibDDWAF::Object.new
-
-          @handle_obj = LibDDWAF.ddwaf_init(rule_obj, config_obj, diagnostics_obj)
-
-          @diagnostics = Converter.object_to_ruby(diagnostics_obj)
+        def initialize(handle_ptr)
+          @handle_ptr = handle_ptr
+        end
 
-          if @handle_obj.null?
-            raise LibDDWAF::Error.new('Could not create handle', diagnostics: @diagnostics)
-          end
+        # Destroys the WAF handle and sets the pointer to nil.
+        #
+        # The instance becomes unusable after this method is called.
+        def finalize!
+          handle_ptr_to_destroy = @handle_ptr
+          @handle_ptr = nil
 
-          validate!
-        ensure
-          LibDDWAF.ddwaf_object_free(diagnostics_obj) if diagnostics_obj
-          LibDDWAF.ddwaf_object_free(rule_obj) if rule_obj
+          LibDDWAF.ddwaf_destroy(handle_ptr_to_destroy)
         end
 
-        def finalize
-          invalidate!
+        # Builds a WAF context.
+        #
+        # @raise [LibDDWAFError] if libddwaf could not create the context.
+        # @return [Handle] the WAF handle
+        def build_context
+          ensure_pointer_presence!
+
+          context_obj = LibDDWAF.ddwaf_context_init(@handle_ptr)
+          raise LibDDWAFError, "Could not create context" if context_obj.null?
 
-          LibDDWAF.ddwaf_destroy(handle_obj)
+          Context.new(context_obj)
         end
 
-        def required_addresses
-          valid!
+        # Returns the list of known addresses in the WAF handle.
+        #
+        # @return [Array<String>] the list of known addresses
+        def known_addresses
+          ensure_pointer_presence!
 
           count = LibDDWAF::UInt32Ptr.new
-          list = LibDDWAF.ddwaf_known_addresses(handle_obj, count)
+          list = LibDDWAF.ddwaf_known_addresses(@handle_ptr, count)
 
           return [] if count == 0 # list is null
 
           list.get_array_of_string(0, count[:value])
-        end
-
-        def merge(data)
-          data_obj = Converter.ruby_to_object(data, coerce: false)
-          diagnostics_obj = LibDDWAF::Object.new
-          new_handle = LibDDWAF.ddwaf_update(handle_obj, data_obj, diagnostics_obj)
-
-          return if new_handle.null?
-
-          diagnostics = Converter.object_to_ruby(diagnostics_obj)
-          new_from_handle(new_handle, diagnostics, config)
-        ensure
-          LibDDWAF.ddwaf_object_free(data_obj) if data_obj
-          LibDDWAF.ddwaf_object_free(diagnostics_obj) if diagnostics_obj
+          # TODO: garbage collect the count?
         end
 
         private
 
-        def new_from_handle(handle_object, diagnostics, config)
-          obj = Handle.allocate
-          obj.instance_variable_set(:@handle_obj, handle_object)
-          obj.instance_variable_set(:@diagnostics, diagnostics)
-          obj.instance_variable_set(:@config, config)
-          obj
-        end
-
-        def validate!
-          @valid = true
-        end
-
-        def invalidate!
-          @valid = false
-        end
-
-        def valid?
-          @valid
-        end
-
-        def valid!
-          return if valid?
+        def ensure_pointer_presence!
+          return if @handle_ptr
 
-          raise LibDDWAF::Error, "Attempt to use an invalid instance: #{inspect}"
+          raise InstanceFinalizedError, "Cannot use WAF handle after it has been finalized"
         end
       end
     end

data/lib/datadog/appsec/waf/handle_builder.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module WAF
+      # This class represents the libddwaf WAF builder, which is used to generate WAF handles.
+      #
+      # It handles merging of potentially overlapping configurations.
+      class HandleBuilder
+        def initialize(limits: {}, obfuscator: {})
+          handle_config_obj = LibDDWAF::HandleBuilderConfig.new
+          if handle_config_obj.null?
+            raise LibDDWAFError, "Could not create config struct"
+          end
+
+          handle_config_obj[:limits][:max_container_size] = limits[:max_container_size] || LibDDWAF::DEFAULT_MAX_CONTAINER_SIZE
+          handle_config_obj[:limits][:max_container_depth] = limits[:max_container_depth] || LibDDWAF::DEFAULT_MAX_CONTAINER_DEPTH
+          handle_config_obj[:limits][:max_string_length] = limits[:max_string_length] || LibDDWAF::DEFAULT_MAX_STRING_LENGTH
+
+          handle_config_obj[:obfuscator][:key_regex] = FFI::MemoryPointer.from_string(obfuscator[:key_regex]) if obfuscator[:key_regex]
+          handle_config_obj[:obfuscator][:value_regex] = FFI::MemoryPointer.from_string(obfuscator[:value_regex]) if obfuscator[:value_regex]
+          handle_config_obj[:free_fn] = LibDDWAF::ObjectNoFree
+
+          @builder_ptr = LibDDWAF.ddwaf_builder_init(handle_config_obj)
+        end
+
+        # Destroys the WAF builder and sets the pointer to nil.
+        #
+        # The instance becomes unusable after this method is called.
+        def finalize!
+          builder_ptr_to_destroy = @builder_ptr
+          @builder_ptr = nil
+
+          LibDDWAF.ddwaf_builder_destroy(builder_ptr_to_destroy)
+        end
+
+        # Builds a WAF handle from the current state of the builder.
+        #
+        # @raise [LibDDWAFError] if no rules were added to the builder before building the handle
+        # @return [Handle] the WAF handle
+        def build_handle
+          ensure_pointer_presence!
+
+          handle_obj = LibDDWAF.ddwaf_builder_build_instance(@builder_ptr)
+          raise LibDDWAFError, "Could not create handle" if handle_obj.null?
+
+          Handle.new(handle_obj)
+        end
+
+        # :section: Configuration management methods
+        # methods for adding, updating, and removing configurations from the WAF handle builder.
+
+        # Adds or updates a configuration in the WAF handle builder for the given path.
+        #
+        # @return [Hash] diagnostics object
+        # NOTE: default config that was read from file at application startup
+        # has to be removed before adding configurations obtained through Remote Configuration.
+        def add_or_update_config(config, path:)
+          ensure_pointer_presence!
+
+          config_obj = Converter.ruby_to_object(config)
+          diagnostics_obj = LibDDWAF::Object.new
+
+          LibDDWAF.ddwaf_builder_add_or_update_config(@builder_ptr, path, path.length, config_obj, diagnostics_obj)
+
+          Converter.object_to_ruby(diagnostics_obj)
+        ensure
+          LibDDWAF.ddwaf_object_free(config_obj) if config_obj
+          LibDDWAF.ddwaf_object_free(diagnostics_obj) if diagnostics_obj
+        end
+
+        # Removes a configuration from the WAF handle builder for the given path.
+        #
+        # @return [Boolean] true if the configuration was removed, false otherwise
+        def remove_config_at_path(path)
+          ensure_pointer_presence!
+
+          LibDDWAF.ddwaf_builder_remove_config(@builder_ptr, path, path.length)
+        end
+
+        private
+
+        def ensure_pointer_presence!
+          return if @builder_ptr
+
+          raise InstanceFinalizedError, "Cannot use WAF handle builder after it has been finalized"
+        end
+      end
+    end
+  end
+end