Merge branch 'v1' into julio.guerra/appsec-rules-1.2.6

DataDog · Mar 1, 2022 · bf74446 · bf74446
2 parents 0f0a16f + c5d3ff2
commit bf74446
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 9 deletions.
diff --git a/internal/appsec/_tools/libddwaf-updater/update.sh b/internal/appsec/_tools/libddwaf-updater/update.sh
@@ -67,7 +67,7 @@ run_binutils x86_64-linux-gnu-ld \
    --require-defined=ddwaf_result_free \
    --require-defined=ddwaf_context_destroy \
    --require-defined=ddwaf_required_addresses \
-   $tmpdir/libddwaf-$version-linux-x86_64/lib/libddwaf.a $libcxx_dir/libc++.a $libcxx_dir/libc++abi.a $bindings_dir/lib/linux-amd64/libunwind_linux_amd64.a #$libcxx_dir/libunwind.a
+   $tmpdir/libddwaf-$version-linux-x86_64/lib/libddwaf.a $libcxx_dir/libc++.a $libcxx_dir/libc++abi.a $libcxx_dir/libunwind.a
 # 4. Strip
 run_strip x86_64-linux-gnu $bindings_dir/lib/linux-amd64/libddwaf.a
 

diff --git a/internal/appsec/waf/lib/darwin-amd64/libddwaf.a b/internal/appsec/waf/lib/darwin-amd64/libddwaf.a
diff --git a/internal/appsec/waf/lib/linux-amd64/libddwaf.a b/internal/appsec/waf/lib/linux-amd64/libddwaf.a
diff --git a/internal/appsec/waf/waf.go b/internal/appsec/waf/waf.go
@@ -82,19 +82,28 @@ func NewHandle(jsonRule []byte) (*Handle, error) {
 		return nil, fmt.Errorf("could not parse the WAF rule: %v", err)
 	}
 
+	// Create a temporary unlimited encoder for the rules
+	const intSize = 32 << (^uint(0) >> 63) // copied from recent versions of math.MaxInt
+	const maxInt = 1<<(intSize-1) - 1      // copied from recent versions of math.MaxInt
+	ruleEncoder := encoder{
+		maxDepth:        maxInt,
+		maxStringLength: maxInt,
+		maxArrayLength:  maxInt,
+		maxMapLength:    maxInt,
+	}
+	wafRule, err := ruleEncoder.encode(rule)
+	if err != nil {
+		return nil, fmt.Errorf("could not encode the JSON WAF rule into a WAF object: %v", err)
+	}
+	defer free(wafRule)
+
+	// Run-time encoder limiting the size of the encoded values
 	encoder := encoder{
 		maxDepth:        C.DDWAF_MAX_MAP_DEPTH,
 		maxStringLength: C.DDWAF_MAX_STRING_LENGTH,
 		maxArrayLength:  C.DDWAF_MAX_ARRAY_LENGTH,
 		maxMapLength:    C.DDWAF_MAX_ARRAY_LENGTH,
 	}
-
-	wafRule, err := encoder.encode(rule)
-	if err != nil {
-		return nil, fmt.Errorf("could not encode the JSON WAF rule into a WAF object: %v", err)
-	}
-	defer free(wafRule)
-
 	handle := C.ddwaf_init(wafRule.ctype(), &C.ddwaf_config{
 		maxArrayLength: C.uint64_t(encoder.maxArrayLength),
 		maxMapDepth:    C.uint64_t(encoder.maxMapLength),

diff --git a/internal/appsec/waf/waf_test.go b/internal/appsec/waf/waf_test.go
@@ -31,7 +31,7 @@ func TestHealth(t *testing.T) {
 	version, err := Health()
 	require.NoError(t, err)
 	require.NotNil(t, version)
-	require.Equal(t, "1.0.16", version.String())
+	require.Equal(t, "1.0.18", version.String())
 }
 
 var testRule = newTestRule(ruleInput{Address: "server.request.headers.no_cookies", KeyPath: []string{"user-agent"}})