Enhance WAF result handling by adding keep and duration attributes, and refactor derivatives to attributes

zlib 1.3.1

Author: sezen-datadog

.github/workflows/actions.yml

@@ -11,7 +11,7 @@ defaults:
 env:
   buildType: RelWithDebInfo
   tempdir: ${{ github.workspace }}/build
-  libddwafVersion: 1.25.1
+  libddwafVersion: 1.26.0
 jobs:
   Spotless:
     name: spotless
@@ -203,7 +203,7 @@ jobs:
       - uses: ilammy/msvc-dev-cmd@v1
         name: Setup x86_64 build
         with:
-          toolset: 14.29
+          toolset: 14.28
           arch: amd64
       - name: Prepare libddwaf
         run: |

libddwaf

@@ -629,7 +629,7 @@ static jstring _encode_json_gzip_base64_checked(JNIEnv *env,
     return ret;
 }
 
-jobject output_convert_derivatives_checked(JNIEnv *env, const ddwaf_object *obj)
+jobject output_convert_attributes_checked(JNIEnv *env, const ddwaf_object *obj)
 {
     assert(obj->type == DDWAF_OBJ_MAP);
 

src/main/c/output.c

@@ -22,6 +22,5 @@ jobject output_convert_diagnostics_checked(JNIEnv *env,
 
 struct json_segment *output_convert_json(const ddwaf_object *obj);
 struct json_segment *output_convert_json(const ddwaf_object *obj);
-jobject output_convert_derivatives_checked(JNIEnv *env,
-                                           const ddwaf_object *obj);
+jobject output_convert_attributes_checked(JNIEnv *env, const ddwaf_object *obj);
 jobject convert_ddwaf_object_to_jobject(JNIEnv *env, const ddwaf_object *obj);

src/main/c/output.h

@@ -1200,7 +1200,8 @@ static bool _cache_methods(JNIEnv *env)
                                 "(Lcom/datadog/ddwaf/Waf$Result;"
                                 "Ljava/lang/String;"
                                 "Ljava/util/Map;"
-                                "Ljava/util/Map;)V",
+                                "Ljava/util/Map;"
+                                "ZJ)V",
                                 JMETHOD_CONSTRUCTOR)) {
         goto error;
     }
@@ -2138,7 +2139,24 @@ static jobject _create_result_checked(JNIEnv *env, DDWAF_RET_CODE code,
                                       const ddwaf_object *ret)
 {
     if (code == DDWAF_OK && !_has_derivative(ret)) {
-        return _result_with_data_ok_null;
+        // Get keep and duration from the ddwaf_object structure for the OK case
+        const ddwaf_object *keep_obj = ddwaf_object_find(ret, "keep", 4);
+        jboolean keep = JNI_FALSE;
+        if (keep_obj != NULL && keep_obj->type == DDWAF_OBJ_BOOL) {
+            keep = (jboolean) ddwaf_object_get_bool(keep_obj);
+        }
+
+        const ddwaf_object *duration_obj =
+                ddwaf_object_find(ret, "duration", 8);
+        jlong duration = 0;
+        if (duration_obj != NULL && duration_obj->type == DDWAF_OBJ_UNSIGNED) {
+            duration = (jlong) ddwaf_object_get_unsigned(duration_obj);
+        }
+
+        // Create a new instance with the new constructor signature
+        return java_meth_call(env, &result_with_data_init, NULL, _action_ok,
+                              NULL, _result_with_data_empty_map,
+                              _result_with_data_empty_map, keep, duration);
     }
 
     // Get actions from the new ddwaf_object structure
@@ -2179,20 +2197,33 @@ static jobject _create_result_checked(JNIEnv *env, DDWAF_RET_CODE code,
     // Get attributes (formerly derivatives) from the new ddwaf_object structure
     const ddwaf_object *attributes_obj =
             ddwaf_object_find(ret, "attributes", 10);
-    jobject derivatives = NULL;
+    jobject attributes = NULL;
     if (attributes_obj != NULL && attributes_obj->type == DDWAF_OBJ_MAP &&
         ddwaf_object_size(attributes_obj) > 0) {
-        derivatives = output_convert_derivatives_checked(env, attributes_obj);
-        if (!derivatives) {
-            java_wrap_exc("%s", "Failed encoding inferred derivatives");
+        attributes = output_convert_attributes_checked(env, attributes_obj);
+        if (!attributes) {
+            java_wrap_exc("%s", "Failed encoding inferred attributes");
             goto err;
         }
     }
 
+    // Get keep and duration from the ddwaf_object structure
+    const ddwaf_object *keep_obj = ddwaf_object_find(ret, "keep", 4);
+    jboolean keep = JNI_FALSE;
+    if (keep_obj != NULL && keep_obj->type == DDWAF_OBJ_BOOL) {
+        keep = (jboolean) ddwaf_object_get_bool(keep_obj);
+    }
+
+    const ddwaf_object *duration_obj = ddwaf_object_find(ret, "duration", 8);
+    jlong duration = 0;
+    if (duration_obj != NULL && duration_obj->type == DDWAF_OBJ_UNSIGNED) {
+        duration = (jlong) ddwaf_object_get_unsigned(duration_obj);
+    }
+
     jobject result =
             java_meth_call(env, &result_with_data_init, NULL,
                            code == DDWAF_OK ? _action_ok : _action_match,
-                           data_obj, actions_jmap, derivatives);
+                           data_obj, actions_jmap, attributes, keep, duration);
     if (del_actions_jmap) {
         JNI(DeleteLocalRef, actions_jmap);
     }

src/main/c/waf_jni.c

@@ -20,7 +20,7 @@
 import org.slf4j.LoggerFactory;
 
 public final class Waf {
-  public static final String LIB_VERSION = "1.25.1";
+  public static final String LIB_VERSION = "1.26.0";
 
   private static final Logger LOGGER = LoggerFactory.getLogger(Waf.class);
   static final boolean EXIT_ON_LEAK;
@@ -98,31 +98,38 @@ public static class ResultWithData {
 
     // reuse this from JNI when there is no actions or data
     public static final ResultWithData OK_NULL =
-        new ResultWithData(Result.OK, null, EMPTY_ACTIONS, null);
+        new ResultWithData(Result.OK, null, EMPTY_ACTIONS, null, false, 0);
 
     public final Result result;
     public final String data;
     public final Map<String, Map<String, Object>> actions;
-    public final Map<String, String> derivatives;
+    public final Map<String, String> attributes;
+    private final boolean keep;
+    public final long duration; // in nanoseconds
 
     public ResultWithData(
         Result result,
         String data,
         Map<String, Map<String, Object>> actions,
-        Map<String, String> derivatives) {
+        Map<String, String> attributes,
+        boolean keep,
+        long duration) {
       this.result = result;
       this.data = data;
       this.actions = actions;
-      this.derivatives = derivatives;
+      this.attributes = attributes;
+      this.keep = keep;
+      this.duration = duration;
     }
 
     @Override
     public String toString() {
       final StringBuilder sb = new StringBuilder("ResultWithData{");
       sb.append("result=").append(result);
+      sb.append(", keep=").append(keep);
       sb.append(", data='").append(data).append('\'');
       sb.append(", actions='").append(Arrays.asList(actions)).append('\'');
-      sb.append(", derivatives='").append(derivatives).append('\'');
+      sb.append(", attributes='").append(attributes).append('\'');
       sb.append('}');
       return sb.toString();
     }

src/main/java/com/datadog/ddwaf/Waf.java

@@ -98,8 +98,8 @@ class FingerprintTests implements WafTrait {
       metrics
       )
     assertThat res.result, is(Waf.Result.MATCH)
-    assertThat res.derivatives.keySet(), contains('_dd.appsec.fp.http.endpoint')
-    assertThat res.derivatives['_dd.appsec.fp.http.endpoint'], matchesPattern('http-get-.*')
+    assertThat res.attributes.keySet(), contains('_dd.appsec.fp.http.endpoint')
+    assertThat res.attributes['_dd.appsec.fp.http.endpoint'], matchesPattern('http-get-.*')
   }
 }
 

src/test/groovy/com/datadog/ddwaf/FingerprintTests.groovy

@@ -146,9 +146,9 @@ class SchemaTests implements WafTrait {
     handle = builder.buildWafHandleInstance()
     context = new WafContext(handle)
     Waf.ResultWithData awd = context.run(data, limits, metrics)
-    assertThat awd.derivatives, isA(Map)
+    assertThat awd.attributes, isA(Map)
 
-    def schema = new JsonSlurper().parseText(decodeGzipBase64(awd.derivatives['_dd.appsec.s.req.body']))
+    def schema = new JsonSlurper().parseText(decodeGzipBase64(awd.attributes['_dd.appsec.s.req.body']))
     assert deepSortLists(schema) == [
       [
         'a':[8],

src/test/groovy/com/datadog/ddwaf/SchemaTests.groovy

@@ -94,6 +94,9 @@ class WafContextTest implements WafTrait {
     def result = context.run([:], limits, metrics)
     assert result != null
     assert result.result == Waf.Result.OK
+    assert result.keep instanceof Boolean
+    assert result.duration instanceof Long
+    assert result.duration >= 0
   }
 
   @Test
@@ -104,6 +107,9 @@ class WafContextTest implements WafTrait {
 
     def result = context.run(['server.request.headers.no_cookies': ['user-agent': 'Arachni/v1']], limits, metrics)
     assert result.result == Waf.Result.MATCH
+    assert result.keep instanceof Boolean
+    assert result.duration instanceof Long
+    assert result.duration > 0
   }
 
   @Test