feat: embed the default ruleset in go-libddwaf (#129)

Author: RomainMuller

.github/workflows/default-ruleset.yml

@@ -0,0 +1,101 @@
+name: Default Ruleset
+on:
+  workflow_dispatch: # Manually
+  schedule: # Every Monday at 06:00 UTC
+    - cron: '0 6 * * 1'
+
+permissions: read-all
+
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    name: Update
+    outputs:
+      mutation-happened: ${{ steps.detect.outputs.mutation-happened }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: oldstable
+          cache-dependency-path: _tools/ruleset-updater/go.mod
+      - name: Generate a GitHub token
+        id: generate-token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        with:
+          app-id: ${{ vars.DD_K9_LIBRARY_GO_APP_ID }}
+          private-key: ${{ secrets.DD_K9_LIBRARY_GO_APP_PRIVATE_KEY }}
+      - name: Update Default Ruleset
+        run: go run -C _tools/ruleset-updater run . -output=${{ github.workspace }}/internal/ruleset/recommended.json.gz
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+      - name: Detect Mutation
+        id: detect
+        run: |-
+          git add .
+          git diff --staged --patch --exit-code > ${{ runner.temp }}/repo.patch || echo "mutation-happened=true" >> "${GITHUB_OUTPUT}"
+      - name: Upload Patch
+        if: steps.detect.outputs.mutation_happened
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: repo.patch
+          path: ${{ runner.temp }}/repo.patch
+
+  pr:
+    runs-on: ubuntu-latest
+    name: Create PR
+    needs: update
+    if: needs.update.outputs.mutation-happened
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Download Patch
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: repo.patch
+          path: ${{ runner.temp }}
+      - name: Apply Patch
+        id: apply
+        run: |-
+          git apply ${{ runner.temp }}/repo.patch
+          echo "version=$(jq -r '.metadata.rules_version' < ./appsec/rules.json)" >> $GITHUB_OUTPUT
+
+      - name: Create PR Branch
+        id: create-branch
+        run: |-
+          branch="automation/default-ruleset-update/${VERSION}"
+          git push origin "${{ github.sha }}":"refs/heads/${branch}"
+          echo "branch=${branch}" >> "${GITHUB_OUTPUT}"
+          git fetch origin "${branch}"
+        env:
+          VERSION: ${{ steps.apply.outputs.version }}
+      - name: Generate a GitHub token
+        id: generate-token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        with:
+          app-id: ${{ vars.DD_K9_LIBRARY_GO_APP_ID }}
+          private-key: ${{ secrets.DD_K9_LIBRARY_GO_APP_PRIVATE_KEY }}
+      # We use ghcommit to create signed commits directly using the GitHub API
+      - name: Create Commit on PR Branch
+        uses: planetscale/ghcommit-action@6a383e778f6620afde4bf4b45069d3c6983c1ae2 # v0.2.15
+        with:
+          commit_message: "chore: update default ruleset to ${{ steps.apply.outputs.version }}"
+          branch: ${{ steps.create-branch.outputs.branch }}
+          repo: ${{ github.repository }}
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+      - name: Create PR
+        run: |-
+          git fetch origin "${{ steps.create-branch.outputs.branch }}"
+          git reset --hard HEAD
+          git switch "${{ steps.create-branch.outputs.branch }}"
+          gh pr create --title "chore: update default ruleset to ${VERSION}" \
+                        --body "Updated default ruleset to ${VERSION}." \
+                        --head="${{ steps.create-branch.outputs.branch }}"
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+          VERSION: ${{ steps.apply.outputs.version }}

_tools/ruleset-updater/go.mod

@@ -0,0 +1,12 @@
+module github.com/DataDog/go-libddwaf/_tools/ruleset-updater
+
+go 1.23.0
+
+toolchain go1.24.3
+
+require (
+	github.com/google/go-github/v72 v72.0.0
+	github.com/iancoleman/orderedmap v0.3.0
+)
+
+require github.com/google/go-querystring v1.1.0 // indirect

_tools/ruleset-updater/go.sum

@@ -0,0 +1,10 @@
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-github/v72 v72.0.0 h1:FcIO37BLoVPBO9igQQ6tStsv2asG4IPcYFi655PPvBM=
+github.com/google/go-github/v72 v72.0.0/go.mod h1:WWtw8GMRiL62mvIquf1kO3onRHeWWKmK01qdCY8c5fg=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/iancoleman/orderedmap v0.3.0 h1:5cbR2grmZR/DiVt+VJopEhtVs9YGInGIxAoMJn+Ichc=
+github.com/iancoleman/orderedmap v0.3.0/go.mod h1:XuLcCUkdL5owUCQeF2Ue9uuw1EptkJDkXXS7VoV7XGE=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

_tools/ruleset-updater/main.go

@@ -0,0 +1,86 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package main
+
+import (
+	"compress/gzip"
+	"context"
+	"encoding/json"
+	"flag"
+	"log"
+	"os"
+
+	"github.com/google/go-github/v72/github"
+	"github.com/iancoleman/orderedmap"
+)
+
+const (
+	ghRepoOwner = "DataDog"
+	ghRepoName  = "appsec-event-rules"
+)
+
+func main() {
+	var output string
+	flag.StringVar(&output, "output", "", "Path to the output file")
+	flag.Parse()
+
+	if output == "" {
+		log.Fatalln("Missing required flag: -output")
+	}
+
+	token := os.Getenv("GITHUB_TOKEN")
+	if token == "" {
+		log.Fatalln("GITHUB_TOKEN is not set; this is required to update the default ruleset!")
+	}
+
+	gh := github.NewClient(nil).WithAuthToken(token)
+
+	ctx := context.Background()
+
+	release, _, err := gh.Repositories.GetLatestRelease(ctx, ghRepoOwner, ghRepoName)
+	if err != nil {
+		log.Fatalln("Failed to get latest release:", err)
+	}
+
+	tag := release.GetTagName()
+	log.Println("Latest release is", tag)
+
+	file, _, err := gh.Repositories.DownloadContents(ctx, ghRepoOwner, ghRepoName, "build/recommended.json", &github.RepositoryContentGetOptions{Ref: tag})
+	if err != nil {
+		log.Fatalln("Failed to get recommended.json:", err)
+	}
+	defer file.Close()
+	dec := json.NewDecoder(file)
+	dec.UseNumber()
+
+	// Decode the original ruleset into an [orderedmap.OrderedMap] so we preserve the order of items
+	// from the original file. This makes it easier to ensure the output GZIP file is always the same
+	// given a version of the input file.
+	var ruleset orderedmap.OrderedMap
+	if err := dec.Decode(&ruleset); err != nil {
+		log.Fatalln("Failed to decode recommended.json:", err)
+	}
+
+	out, err := os.Create(output)
+	if err != nil {
+		log.Fatalln("Failed to create output file:", err)
+	}
+	defer out.Close()
+
+	wr, err := gzip.NewWriterLevel(out, gzip.BestCompression)
+	if err != nil {
+		log.Fatalln("Failed to create gzip writer:", err)
+	}
+	defer wr.Close()
+
+	// Strip all irrelevant whitespace from the JSON so it is as small as possible.
+	enc := json.NewEncoder(wr)
+	enc.SetIndent("", "")
+
+	if err := enc.Encode(ruleset); err != nil {
+		log.Fatalln("Failed to encode ruleset:", err)
+	}
+}

internal/bindings/ctypes.go

@@ -145,11 +145,21 @@ func (w *WAFObject) SetArray(pinner pin.Pinner, capacity uint64) []WAFObject {
 	return w.setArrayTyped(pinner, capacity, WAFArrayType)
 }
 
+// SetArrayData sets the receiving [WAFObject] to the provided array items.
+func (w *WAFObject) SetArrayData(pinner pin.Pinner, data []WAFObject) {
+	w.setArrayDataTyped(pinner, data, WAFArrayType)
+}
+
 // SetMap sets the receiving [WAFObject] to a new map with the given capacity.
 func (w *WAFObject) SetMap(pinner pin.Pinner, capacity uint64) []WAFObject {
 	return w.setArrayTyped(pinner, capacity, WAFMapType)
 }
 
+// SetMapData sets the receiving [WAFObject] to the provided map items.
+func (w *WAFObject) SetMapData(pinner pin.Pinner, data []WAFObject) {
+	w.setArrayDataTyped(pinner, data, WAFMapType)
+}
+
 // SetMapKey sets the receiving [WAFObject] to a new map key with the given
 // string.
 func (w *WAFObject) SetMapKey(pinner pin.Pinner, key string) {
@@ -339,18 +349,25 @@ func (w *WAFObject) SetInvalid() {
 }
 
 func (w *WAFObject) setArrayTyped(pinner pin.Pinner, capacity uint64, t WAFObjectType) []WAFObject {
+	var arr []WAFObject
+	if capacity > 0 {
+		arr = make([]WAFObject, capacity)
+	}
+	w.setArrayDataTyped(pinner, arr, t)
+	return arr
+}
+
+func (w *WAFObject) setArrayDataTyped(pinner pin.Pinner, arr []WAFObject, t WAFObjectType) {
 	w.Type = t
-	w.NbEntries = capacity
+	w.NbEntries = uint64(len(arr))
 	if w.NbEntries == 0 {
 		w.Value = 0
-		return nil
+		return
 	}
 
-	arr := make([]WAFObject, capacity)
-	data := unsafe.Pointer(unsafe.SliceData(arr))
-	pinner.Pin(data)
-	w.Value = uintptr(data)
-	return arr
+	ptr := unsafe.Pointer(unsafe.SliceData(arr))
+	pinner.Pin(ptr)
+	w.Value = uintptr(ptr)
 }
 
 type WAFConfig struct {

internal/ruleset/.gitattributes

@@ -0,0 +1 @@
+/recommended.json.gz linguist-vendored

internal/ruleset/recommended.json.gz

@@ -0,0 +1,34 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package ruleset
+
+import (
+	"bytes"
+	"compress/gzip"
+	_ "embed"
+	"runtime"
+
+	"github.com/DataDog/go-libddwaf/v4/internal/bindings"
+	"github.com/DataDog/go-libddwaf/v4/json"
+) // For go:embed
+
+//go:embed recommended.json.gz
+var defaultRuleset []byte
+
+func DefaultRuleset(pinner *runtime.Pinner) (bindings.WAFObject, error) {
+	gz, err := gzip.NewReader(bytes.NewReader(defaultRuleset))
+	if err != nil {
+		return bindings.WAFObject{}, err
+	}
+
+	dec := json.NewDecoder(gz, pinner)
+
+	var ruleset bindings.WAFObject
+	if err := dec.Decode(&ruleset); err != nil {
+		return bindings.WAFObject{}, err
+	}
+	return ruleset, nil
+}

internal/ruleset/ruleset.go

@@ -0,0 +1,59 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package ruleset
+
+import (
+	"bytes"
+	"compress/gzip"
+	"encoding/json"
+	"runtime"
+	"strconv"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestDefaultRuleset(t *testing.T) {
+	var pinner runtime.Pinner
+	defer pinner.Unpin()
+
+	rs, err := DefaultRuleset(&pinner)
+	require.NoError(t, err)
+	require.NotNil(t, rs)
+
+	obj, err := rs.MapValue()
+	require.NoError(t, err)
+	useJSONNumber(obj) // So we can easily compare the result with the expected JSON.
+
+	rd, err := gzip.NewReader(bytes.NewReader(defaultRuleset))
+	require.NoError(t, err)
+	dec := json.NewDecoder(rd)
+	dec.UseNumber()
+	var expected map[string]any
+	require.NoError(t, dec.Decode(&expected))
+	require.Equal(t, expected, obj)
+}
+
+func useJSONNumber(obj map[string]any) {
+	for k, v := range obj {
+		switch v := v.(type) {
+		case float64:
+			obj[k] = json.Number(strconv.FormatFloat(v, 'f', -1, 64))
+		case int64:
+			obj[k] = json.Number(strconv.FormatInt(v, 10))
+		case uint64:
+			obj[k] = json.Number(strconv.FormatUint(v, 10))
+		case map[string]any:
+			useJSONNumber(v)
+		case []any:
+			for _, v := range v {
+				if v, ok := v.(map[string]any); ok {
+					useJSONNumber(v)
+				}
+			}
+		}
+	}
+}