libddwaf v1.8.2 (#3)

Author: Julio-Guerra

_tools/libddwaf-updater/update.sh

@@ -0,0 +1,111 @@
+#!/bin/bash
+
+#
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016 Datadog, Inc.
+#
+
+# Update the libddwaf to the latest GitHub release version.
+# Usage: ./update-libddwaf.sh
+#
+
+set -ex
+
+bindings_dir=$(readlink -f "$(dirname $0)/../../")
+
+version=""
+if [ $# -eq 1 ]; then
+    version=$1
+else
+    echo Looking up for the latest GitHub release
+    version=$(curl -s https://api.github.com/repos/DataDog/libddwaf/releases/latest | jq -r '.tag_name')
+fi
+
+echo Updating to libddwaf v$version
+
+tmpdir=$(mktemp -d /tmp/libddwaf-XXXXXXXX)
+echo Using $tmpdir
+
+LD_REQUIRED_DEFINED="--require-defined=ddwaf_init \
+                    --require-defined=ddwaf_get_version \
+                    --require-defined=ddwaf_destroy \
+                    --require-defined=ddwaf_context_init \
+                    --require-defined=ddwaf_context_destroy \
+                    --require-defined=ddwaf_required_addresses \
+                    --require-defined=ddwaf_result_free"
+
+run_binutils() {
+  docker run -it --rm -v $bindings_dir:$bindings_dir -v $tmpdir:$tmpdir -w $PWD ghcr.io/datadog/binutils-gdb:2.38 $@
+}
+
+run_strip() {
+  run_binutils $1-strip --strip-dwo --strip-unneeded --strip-debug $2
+}
+
+#
+# darwin/arm64
+#
+
+echo Updating libddwaf for darwin/arm64
+curl -L https://github.com/DataDog/libddwaf/releases/download/$version/libddwaf-$version-darwin-arm64.tar.gz | tar -xz -C$tmpdir
+echo Copying the darwin/arm64 library
+cp -v $tmpdir/libddwaf-$version-darwin-arm64/lib/libddwaf.a.stripped $bindings_dir/lib/darwin-arm64/libddwaf.a
+
+#
+# darwin/amd64
+#
+
+echo Updating libddwaf for darwin/amd64yes
+curl -L https://github.com/DataDog/libddwaf/releases/download/$version/libddwaf-$version-darwin-x86_64.tar.gz | tar -xz -C$tmpdir
+echo Copying the darwin/amd64 library
+cp -v $tmpdir/libddwaf-$version-darwin-x86_64/lib/libddwaf.a.stripped $bindings_dir/lib/darwin-amd64/libddwaf.a
+
+#
+# linux/amd64
+#
+
+echo Updating libddwaf for linux/amd64
+# 1. Download the libddwaf build
+curl -L https://github.com/DataDog/libddwaf/releases/download/$version/libddwaf-$version-linux-x86_64.tar.gz | tar -xz -C$tmpdir
+# 2. Download the libc++ build
+libcxx_dir=$tmpdir/libc++-x86_64-linux
+mkdir $libcxx_dir
+curl -L https://github.com/DataDog/libddwaf/releases/download/$version/libc++-static-x86_64-linux.tar.gz | tar -xz -C$libcxx_dir
+# 3. Combine libddwaf.a + libc++.a + libc++abi.a + libunwind.a in a single
+#  object file by using ld -r
+run_binutils x86_64-linux-gnu-ld \
+   -r -o $bindings_dir/lib/linux-amd64/libddwaf.a \
+   $LD_REQUIRED_DEFINED \
+   $tmpdir/libddwaf-$version-linux-x86_64/lib/libddwaf.a $libcxx_dir/libc++.a $libcxx_dir/libc++abi.a $libcxx_dir/libunwind.a
+# 4. Strip
+run_strip x86_64-linux-gnu $bindings_dir/lib/linux-amd64/libddwaf.a
+
+#
+# linux/arm64
+#
+
+echo Updating libddwaf for linux/arm64
+# 1. Download the libddwaf build
+curl -L https://github.com/DataDog/libddwaf/releases/download/$version/libddwaf-$version-linux-aarch64.tar.gz | tar -xz -C$tmpdir
+# 2. Download the libc++ build
+libcxx_dir=$tmpdir/libc++-aarch64-linux
+mkdir $libcxx_dir
+curl -L https://github.com/DataDog/libddwaf/releases/download/$version/libc++-static-aarch64-linux.tar.gz | tar -xz -C$libcxx_dir
+# 3. Combine libddwaf.a + libc++.a + libc++abi.a + libunwind.a in a single
+#  object file by using ld -r
+run_binutils aarch64-linux-gnu-ld \
+   -r -o $bindings_dir/lib/linux-arm64/libddwaf.a \
+   $LD_REQUIRED_DEFINED \
+   $tmpdir/libddwaf-$version-linux-aarch64/lib/libddwaf.a $libcxx_dir/libc++.a $libcxx_dir/libc++abi.a $libcxx_dir/libunwind.a
+# 4. Strip
+run_strip aarch64-linux-gnu $bindings_dir/lib/linux-arm64/libddwaf.a
+
+#
+# ddwaf.h
+# Note that we arbitrarily take it from the linux/amd64 archive as it does not
+# depend on the target.
+#
+echo Updating ddwaf.h
+cp -v $tmpdir/libddwaf-$version-linux-x86_64/include/ddwaf.h $bindings_dir/include

include/ddwaf.h

@@ -4,10 +4,17 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2021 Datadog, Inc.
 
-#ifndef pw_h
-#define pw_h
+#ifndef DDWAF_H
+#define DDWAF_H
 
 #ifdef __cplusplus
+namespace ddwaf{
+class waf;
+class context;
+} // namespace ddwaf
+using ddwaf_handle = ddwaf::waf *;
+using ddwaf_context = ddwaf::context *;
+
 extern "C"
 {
 #endif
@@ -72,14 +79,7 @@ typedef enum
     DDWAF_LOG_OFF,
 } DDWAF_LOG_LEVEL;
 
-#ifdef __cplusplus
-namespace ddwaf{
-class waf;
-class context;
-}
-using ddwaf_handle = ddwaf::waf *;
-using ddwaf_context = ddwaf::context *;
-#else
+#ifndef __cplusplus
 typedef struct _ddwaf_handle* ddwaf_handle;
 typedef struct _ddwaf_context* ddwaf_context;
 #endif
@@ -206,46 +206,40 @@ typedef void (*ddwaf_log_cb)(
  *
  * Initialize a ddwaf instance
  *
- * @param rule ddwaf::object containing the patterns to be used by the WAF. (nonnull)
+ * @param rule ddwaf::object map containing rules, exclusions, rules_override and rules_data. (nonnull)
  * @param config Optional configuration of the WAF. (nullable)
  * @param info Optional ruleset parsing diagnostics. (nullable)
  *
- * @return Handle to the WAF instance.
+ * @return Handle to the WAF instance or NULL on error.
  *
  * @note If config is NULL, default values will be used, including the default
  *       free function (ddwaf_object_free).
  **/
-ddwaf_handle ddwaf_init(const ddwaf_object *rule,
+ddwaf_handle ddwaf_init(const ddwaf_object *ruleset,
     const ddwaf_config* config, ddwaf_ruleset_info *info);
 
 /**
- * ddwaf_destroy
- *
- * Destroy a WAF instance.
+ * ddwaf_update
  *
- * @param Handle to the WAF instance.
- */
-void ddwaf_destroy(ddwaf_handle handle);
-
-/**
- * ddwaf_update_rule_data
+ * Update a ddwaf instance
  *
- * Update existing rules with new rule data.
+ * @param rule ddwaf::object map containing rules, exclusions, rules_override and rules_data. (nonnull)
+ * @param info Optional ruleset parsing diagnostics. (nullable)
  *
- * @param handle to the WAF instance.
- * @param data A ddwaf_object with the format [{id, type, [data]}].
- */
-DDWAF_RET_CODE ddwaf_update_rule_data(ddwaf_handle handle, ddwaf_object *data);
+ * @return Handle to the new WAF instance or NULL if there were no new updates
+ *         or there was an error processing the ruleset.
+ **/
+ddwaf_handle ddwaf_update(ddwaf_handle handle, const ddwaf_object *ruleset,
+    ddwaf_ruleset_info *info);
 
 /**
- * ddwaf_toggle_rules
+ * ddwaf_destroy
  *
- * Enable or disable rules (true -> rule enabled, false -> rule disabled).
+ * Destroy a WAF instance.
  *
- * @param handle to the WAF instance.
- * @param data A ddwaf_object with the format {rule_id : boolean}.
+ * @param Handle to the WAF instance.
  */
-DDWAF_RET_CODE ddwaf_toggle_rules(ddwaf_handle handle, ddwaf_object *rule_map);
+void ddwaf_destroy(ddwaf_handle handle);
 
 /**
  * ddwaf_ruleset_info_free
@@ -267,18 +261,6 @@ void ddwaf_ruleset_info_free(ddwaf_ruleset_info *info);
  * @return NULL if empty, otherwise a pointer to an array with size elements.
  **/
 const char* const* ddwaf_required_addresses(const ddwaf_handle handle, uint32_t *size);
-/**
- * ddwaf_required_rule_data_ids
- *
- * Get a list of required rule data IDs (if any). The memory is owned by the
- * WAF and should not be freed.
- *
- * @param Handle to the WAF instance.
- * @param size Output parameter in which the size will be returned. The value of
- *             size will be 0 if the return value is NULL.
- * @return NULL if empty, otherwise a pointer to an array with size elements.
- **/
-const char* const* ddwaf_required_rule_data_ids(const ddwaf_handle handle, uint32_t *size);
 
 /**
  * ddwaf_context_init
@@ -622,6 +604,17 @@ uint64_t ddwaf_object_get_unsigned(ddwaf_object *object);
  **/
 int64_t ddwaf_object_get_signed(ddwaf_object *object);
 
+/**
+ * ddwaf_object_get_bool
+ *
+ * Returns the boolean contained within the object.
+ *
+ * @param object The object from which to get the boolean.
+ *
+ * @return The boolean or false if the object is not a boolean.
+ **/
+bool ddwaf_object_get_bool(ddwaf_object *object);
+
 /**
  * ddwaf_object_get_index
  *
@@ -668,4 +661,4 @@ bool ddwaf_set_log_cb(ddwaf_log_cb cb, DDWAF_LOG_LEVEL min_level);
 }
 #endif /* __cplusplus */
 
-#endif /* pw_h */
+#endif /*DDWAF_H */

lib/darwin-amd64/libddwaf.a

@@ -35,7 +35,6 @@ import (
 	"unicode"
 	"unsafe"
 
-	rc "github.com/DataDog/datadog-agent/pkg/remoteconfig/state"
 	"go.uber.org/atomic"
 
 	// Do not remove the following imports which allow supporting package
@@ -96,14 +95,16 @@ func NewHandle(jsonRule []byte, keyRegex, valueRegex string) (*Handle, error) {
 	if err := json.Unmarshal(jsonRule, &rule); err != nil {
 		return nil, fmt.Errorf("could not parse the WAF rule: %v", err)
 	}
+	return NewHandleFromRuleSet(rule, keyRegex, valueRegex)
+}
 
+// NewHandleFromRuleSet creates a new instance of the WAF with the given ruleset and key/value regexps for obfuscation.
+func NewHandleFromRuleSet(ruleset interface{}, keyRegex, valueRegex string) (*Handle, error) {
 	// Create a temporary unlimited encoder for the rules
-	const intSize = 32 << (^uint(0) >> 63) // copied from recent versions of math.MaxInt
-	const maxInt = 1<<(intSize-1) - 1      // copied from recent versions of math.MaxInt
 	ruleEncoder := newMaxEncoder()
-	wafRule, err := ruleEncoder.encode(rule)
+	wafRule, err := ruleEncoder.encode(ruleset)
 	if err != nil {
-		return nil, fmt.Errorf("could not encode the JSON WAF rule into a WAF object: %v", err)
+		return nil, fmt.Errorf("could not encode the WAF ruleset into a WAF object: %v", err)
 	}
 	defer freeWO(wafRule)
 
@@ -219,34 +220,6 @@ func (h *Handle) RulesetInfo() RulesetInfo {
 	return h.rulesetInfo
 }
 
-// UpdateRulesData updates the data that some rules reference to.
-func (h *Handle) UpdateRulesData(data []rc.ASMDataRuleData) error {
-	encoded, err := newMaxEncoder().encode(data)
-	if err != nil {
-		return fmt.Errorf("could not encode the JSON WAF rule data into a WAF object: %v", err)
-	}
-	defer freeWO(encoded)
-
-	return h.updateRulesData(encoded)
-}
-
-// updateRuleData is the critical section of UpdateRuleData
-func (h *Handle) updateRulesData(data *wafObject) error {
-	// Note about this lock: ddwaf_update_rule_data already is thread-safe to
-	// use, but we chose to lock at the goroutine-level instead in order to
-	// avoid locking OS threads and therefore prevent many other goroutines from
-	// executing during that OS lock. If a goroutine locks due to this handle's
-	// RWMutex, another goroutine gets executed on its OS thread.
-	h.mu.Lock()
-	defer h.mu.Unlock()
-
-	rc := C.ddwaf_update_rule_data(h.handle, data.ctype())
-	if rc != C.DDWAF_OK {
-		return fmt.Errorf("unexpected error number `%d` while updating the WAF rule data", rc)
-	}
-	return nil
-}
-
 // Close the WAF handle. Note that this call doesn't block until the handle gets
 // released but instead let WAF contexts still use it until there's no more (eg.
 // when swapping the WAF handle with a new one).

lib/darwin-arm64/libddwaf.a

@@ -11,8 +11,6 @@ package waf
 import (
 	"errors"
 	"time"
-
-	rc "github.com/DataDog/datadog-agent/pkg/remoteconfig/state"
 )
 
 type (
@@ -34,17 +32,17 @@ func Version() string { return "" }
 // NewHandle creates a new instance of the WAF with the given JSON rule.
 func NewHandle([]byte, string, string) (*Handle, error) { return nil, errDisabledReason }
 
+// NewHandleFromRuleSet creates a new instance of the WAF with the given ruleset and key/value regexps for obfuscation.
+func NewHandleFromRuleSet(interface{}, string, string) (*Handle, error) {
+	return nil, errDisabledReason
+}
+
 // Addresses returns the list of addresses the WAF rule is expecting.
 func (*Handle) Addresses() []string { return nil }
 
 // RulesetInfo returns the rules initialization metrics for the current WAF handle
 func (*Handle) RulesetInfo() RulesetInfo { return RulesetInfo{} }
 
-// UpdateRuleData updates the data that some rules reference to.
-// The given rule data must be a raw JSON string of the form
-// [ {rule data #1}, ... {rule data #2} ]
-func (*Handle) UpdateRulesData(data []rc.ASMDataRuleData) error { return errDisabledReason }
-
 // Close the WAF and release the underlying C memory as soon as there are
 // no more WAF contexts using the rule.
 func (*Handle) Close() {}