Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

internal/appsec/waf: remove appsec rule size limitations (#1189) #1189

Merged
merged 4 commits into from Mar 1, 2022
Merged

internal/appsec/waf: remove appsec rule size limitations (#1189) #1189

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
200c4a4
internal/appsec/waf: do not limit the size of WAF rules
Julio-Guerra Mar 1, 2022
42f73c7
internal/appsec/waf: fix undefined math.MaxInt
Julio-Guerra Mar 1, 2022
00bbfa5
Fix unused imports
Julio-Guerra Mar 1, 2022
28fe655
Merge branch 'v1' into julio.guerra/unlimited-waf-rules
Julio-Guerra Mar 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion internal/appsec/_tools/libddwaf-updater/update.sh
View file
Open in desktop
Expand Up @@ -67,7 +67,7 @@ run_binutils x86_64-linux-gnu-ld \
--require-defined=ddwaf_result_free \
--require-defined=ddwaf_context_destroy \
--require-defined=ddwaf_required_addresses \
$tmpdir/libddwaf-$version-linux-x86_64/lib/libddwaf.a $libcxx_dir/libc++.a $libcxx_dir/libc++abi.a $bindings_dir/lib/linux-amd64/libunwind_linux_amd64.a #$libcxx_dir/libunwind.a
$tmpdir/libddwaf-$version-linux-x86_64/lib/libddwaf.a $libcxx_dir/libc++.a $libcxx_dir/libc++abi.a $libcxx_dir/libunwind.a
# 4. Strip
run_strip x86_64-linux-gnu $bindings_dir/lib/linux-amd64/libddwaf.a

Expand Down
Binary file modified internal/appsec/waf/lib/darwin-amd64/libddwaf.a
View file
Open in desktop
Binary file not shown.
Binary file modified internal/appsec/waf/lib/linux-amd64/libddwaf.a
View file
Open in desktop
Binary file not shown.
23 changes: 16 additions & 7 deletions internal/appsec/waf/waf.go
View file
Open in desktop
Expand Up @@ -82,19 +82,28 @@ func NewHandle(jsonRule []byte) (*Handle, error) {
return nil, fmt.Errorf("could not parse the WAF rule: %v", err)
}

// Create a temporary unlimited encoder for the rules
const intSize = 32 << (^uint(0) >> 63) // copied from recent versions of math.MaxInt
const maxInt = 1<<(intSize-1) - 1 // copied from recent versions of math.MaxInt
ruleEncoder := encoder{
maxDepth: maxInt,
maxStringLength: maxInt,
maxArrayLength: maxInt,
maxMapLength: maxInt,
}
wafRule, err := ruleEncoder.encode(rule)
if err != nil {
return nil, fmt.Errorf("could not encode the JSON WAF rule into a WAF object: %v", err)
}
defer free(wafRule)

// Run-time encoder limiting the size of the encoded values
encoder := encoder{
maxDepth: C.DDWAF_MAX_MAP_DEPTH,
maxStringLength: C.DDWAF_MAX_STRING_LENGTH,
maxArrayLength: C.DDWAF_MAX_ARRAY_LENGTH,
maxMapLength: C.DDWAF_MAX_ARRAY_LENGTH,
}

wafRule, err := encoder.encode(rule)
if err != nil {
return nil, fmt.Errorf("could not encode the JSON WAF rule into a WAF object: %v", err)
}
defer free(wafRule)

handle := C.ddwaf_init(wafRule.ctype(), &C.ddwaf_config{
maxArrayLength: C.uint64_t(encoder.maxArrayLength),
maxMapDepth: C.uint64_t(encoder.maxMapLength),
Expand Down
2 changes: 1 addition & 1 deletion internal/appsec/waf/waf_test.go
View file
Open in desktop
Expand Up @@ -31,7 +31,7 @@ func TestHealth(t *testing.T) {
version, err := Health()
require.NoError(t, err)
require.NotNil(t, version)
require.Equal(t, "1.0.16", version.String())
require.Equal(t, "1.0.18", version.String())
}

var testRule = newTestRule(ruleInput{Address: "server.request.headers.no_cookies", KeyPath: []string{"user-agent"}})
Expand Down