Upgrade helper to use WAF 1.18.0 (#2660)

Upgrade helper to use WAF 1.18.0
DataDog · Jul 3, 2024 · 8f57b6e · 8f57b6e
1 parent a20d7fc
commit 8f57b6e
Show file tree

Hide file tree

Showing 129 changed files with 1,138 additions and 940 deletions.
diff --git a/appsec/src/extension/commands_helpers.c b/appsec/src/extension/commands_helpers.c
@@ -420,57 +420,78 @@ static void _command_process_redirect_parameters(mpack_node_t root)
     dd_set_redirect_code_and_location(status_code, location);
 }
 
+dd_result _command_process_actions(mpack_node_t root, struct req_info *ctx)
+{
+    size_t actions = mpack_node_array_length(root);
+    dd_result res = dd_success;
+
+    for (size_t i = 0; i < actions; i++) {
+        mpack_node_t action = mpack_node_array_at(root, i);
+
+        // expected: ['ok' / 'record' / 'block' / 'redirect']
+        mpack_node_t verdict = mpack_node_array_at(action, 0);
+        if (mlog_should_log(dd_log_debug)) {
+            const char *verd_str = mpack_node_str(verdict);
+            size_t verd_len = mpack_node_strlen(verdict);
+            if (verd_len > INT_MAX) {
+                verd_len = INT_MAX;
+            }
+            mlog(dd_log_debug, "Verdict of %s was '%.*s'",
+                ctx->command_name ? ctx->command_name : "(unknown)",
+                (int)verd_len, verd_str);
+        }
+
+        // Parse parameters
+        if (dd_mpack_node_lstr_eq(verdict, "block") && res != dd_should_block &&
+            res != dd_should_redirect) { // Redirect take over block
+            res = dd_should_block;
+            _command_process_block_parameters(mpack_node_array_at(action, 1));
+            dd_tags_add_blocked();
+        } else if (dd_mpack_node_lstr_eq(verdict, "redirect") &&
+                   res != dd_should_redirect) {
+            res = dd_should_redirect;
+            _command_process_redirect_parameters(
+                mpack_node_array_at(action, 1));
+            dd_tags_add_blocked();
+        } else if (dd_mpack_node_lstr_eq(verdict, "record") &&
+                   res == dd_success) {
+            res = dd_should_record;
+        }
+    }
+
+    return res;
+}
+
 dd_result dd_command_proc_resp_verd_span_data(
     mpack_node_t root, void *unspecnull _ctx)
 {
     struct req_info *ctx = _ctx;
     assert(ctx != NULL);
 
-    // expected: ['ok' / 'record' / 'block' / 'redirect']
-    mpack_node_t verdict = mpack_node_array_at(root, 0);
-    if (mlog_should_log(dd_log_debug)) {
-        const char *verd_str = mpack_node_str(verdict);
-        size_t verd_len = mpack_node_strlen(verdict);
-        if (verd_len > INT_MAX) {
-            verd_len = INT_MAX;
-        }
-        mlog(dd_log_debug, "Verdict of %s was '%.*s'",
-            ctx->command_name ? ctx->command_name : "(unknown)", (int)verd_len,
-            verd_str);
-    }
+    mpack_node_t actions = mpack_node_array_at(root, 0);
 
-    dd_result res = dd_success;
-    // Parse parameters
-    if (dd_mpack_node_lstr_eq(verdict, "block")) {
-        res = dd_should_block;
-        _command_process_block_parameters(mpack_node_array_at(root, 1));
-        dd_tags_add_blocked();
-    } else if (dd_mpack_node_lstr_eq(verdict, "redirect")) {
-        res = dd_should_redirect;
-        _command_process_redirect_parameters(mpack_node_array_at(root, 1));
-        dd_tags_add_blocked();
-    }
+    dd_result res = _command_process_actions(actions, ctx);
 
     if (res == dd_should_block || res == dd_should_redirect ||
-        dd_mpack_node_lstr_eq(verdict, "record")) {
-        _set_appsec_span_data(mpack_node_array_at(root, 2));
+        res == dd_should_record) {
+        _set_appsec_span_data(mpack_node_array_at(root, 1));
     }
 
     // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
-    mpack_node_t force_keep = mpack_node_array_at(root, 3);
+    mpack_node_t force_keep = mpack_node_array_at(root, 2);
     if (mpack_node_type(force_keep) == mpack_type_bool &&
         mpack_node_bool(force_keep)) {
         dd_tags_set_sampling_priority();
     }
 
     // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
-    if (mpack_node_array_length(root) >= 6 && ctx->root_span) {
+    if (mpack_node_array_length(root) >= 5 && ctx->root_span) {
         zend_object *span = ctx->root_span;
 
-        mpack_node_t meta = mpack_node_array_at(root, 4);
+        mpack_node_t meta = mpack_node_array_at(root, 3);
         dd_command_process_meta(meta, span);
         // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
-        mpack_node_t metrics = mpack_node_array_at(root, 5);
+        mpack_node_t metrics = mpack_node_array_at(root, 4);
         dd_command_process_metrics(metrics, span);
     }
 

diff --git a/appsec/src/extension/dddefs.h b/appsec/src/extension/dddefs.h
@@ -14,6 +14,7 @@ typedef enum {
     dd_network,      // error in communication; connection should be abandoned
     dd_should_block, // caller should abort the request
     dd_should_redirect, // caller should redirect the request
+    dd_should_record,
     dd_error,           // misc error
     dd_try_later,       // non-fatal error, try again
     dd_helper_error     // helper failed to process message (non-fatal)

diff --git a/appsec/src/helper/action.hpp b/appsec/src/helper/action.hpp
@@ -0,0 +1,33 @@
+// Unless explicitly stated otherwise all files in this repository are
+// dual-licensed under the Apache-2.0 License or BSD-3-Clause License.
+//
+// This product includes software developed at Datadog
+// (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
+#pragma once
+
+#include <map>
+#include <string>
+#include <unordered_map>
+#include <vector>
+
+namespace dds {
+
+enum class action_type : unsigned int {
+    invalid = 0,
+    record = 1,
+    redirect = 2,
+    block = 3,
+    stack_trace = 4,
+    extract_schema = 5
+};
+
+struct action {
+    dds::action_type type;
+    std::unordered_map<std::string, std::string> parameters;
+};
+
+struct event {
+    std::vector<std::string> data;
+    std::vector<action> actions;
+};
+} // namespace dds