internal/appsec/waf: remove appsec rule size limitations (#1189)

The size of the WAF rules were limited like regular WAF values, leading
to truncated WAF rules. This patch changes the limits to the max int
values when encoding the WAF rules. It is considered a simpler change
to achieve compared to the introduction of new "disabled limit" values
that would have introduced more advanced and complex conditions in the
encoder.

internal/appsec/_tools/libddwaf-updater/update.sh

@@ -67,7 +67,7 @@ run_binutils x86_64-linux-gnu-ld \
    --require-defined=ddwaf_result_free \
    --require-defined=ddwaf_context_destroy \
    --require-defined=ddwaf_required_addresses \
-   $tmpdir/libddwaf-$version-linux-x86_64/lib/libddwaf.a $libcxx_dir/libc++.a $libcxx_dir/libc++abi.a $bindings_dir/lib/linux-amd64/libunwind_linux_amd64.a #$libcxx_dir/libunwind.a
+   $tmpdir/libddwaf-$version-linux-x86_64/lib/libddwaf.a $libcxx_dir/libc++.a $libcxx_dir/libc++abi.a $libcxx_dir/libunwind.a
 # 4. Strip
 run_strip x86_64-linux-gnu $bindings_dir/lib/linux-amd64/libddwaf.a
 

internal/appsec/waf/waf.go

@@ -82,19 +82,28 @@ func NewHandle(jsonRule []byte) (*Handle, error) {
 		return nil, fmt.Errorf("could not parse the WAF rule: %v", err)
 	}
 
+	// Create a temporary unlimited encoder for the rules
+	const intSize = 32 << (^uint(0) >> 63) // copied from recent versions of math.MaxInt
+	const maxInt = 1<<(intSize-1) - 1      // copied from recent versions of math.MaxInt
+	ruleEncoder := encoder{
+		maxDepth:        maxInt,
+		maxStringLength: maxInt,
+		maxArrayLength:  maxInt,
+		maxMapLength:    maxInt,
+	}
+	wafRule, err := ruleEncoder.encode(rule)
+	if err != nil {
+		return nil, fmt.Errorf("could not encode the JSON WAF rule into a WAF object: %v", err)
+	}
+	defer free(wafRule)
+
+	// Run-time encoder limiting the size of the encoded values
 	encoder := encoder{
 		maxDepth:        C.DDWAF_MAX_MAP_DEPTH,
 		maxStringLength: C.DDWAF_MAX_STRING_LENGTH,
 		maxArrayLength:  C.DDWAF_MAX_ARRAY_LENGTH,
 		maxMapLength:    C.DDWAF_MAX_ARRAY_LENGTH,
 	}
-
-	wafRule, err := encoder.encode(rule)
-	if err != nil {
-		return nil, fmt.Errorf("could not encode the JSON WAF rule into a WAF object: %v", err)
-	}
-	defer free(wafRule)
-
 	handle := C.ddwaf_init(wafRule.ctype(), &C.ddwaf_config{
 		maxArrayLength: C.uint64_t(encoder.maxArrayLength),
 		maxMapDepth:    C.uint64_t(encoder.maxMapLength),

internal/appsec/waf/waf_test.go

@@ -31,7 +31,7 @@ func TestHealth(t *testing.T) {
 	version, err := Health()
 	require.NoError(t, err)
 	require.NotNil(t, version)
-	require.Equal(t, "1.0.16", version.String())
+	require.Equal(t, "1.0.18", version.String())
 }
 
 var testRule = newTestRule(ruleInput{Address: "server.request.headers.no_cookies", KeyPath: []string{"user-agent"}})