Miscellaneous fixes and Release 1.8.1 (#139)

DataDog · Feb 16, 2023 · 1aee0e3 · 1aee0e3
1 parent fe0bd83
commit 1aee0e3
Show file tree

Hide file tree

Showing 6 changed files with 141 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,13 +1,17 @@
 # libddwaf release
 
+### v1.8.1 ([unstable](https://github.com/DataDog/libddwaf/blob/master/README.md#versioning-semantics))
+#### Fixes
+- Return `NULL` handle when incorrect version or empty rules provided to `ddwaf_init` ([#139](https://github.com/DataDog/libddwaf/pull/139))
+
 ### v1.8.0 ([unstable](https://github.com/DataDog/libddwaf/blob/master/README.md#versioning-semantics))
-### API \& Breaking Changes
+#### API \& Breaking Changes
 - Add `ddwaf_update` for all-in-one ruleset updates ([#138](https://github.com/DataDog/libddwaf/pull/138))
 - Remove `ddwaf_required_rule_data_ids` ([#138](https://github.com/DataDog/libddwaf/pull/138))
 - Remove `ddwaf_update_rule_data` ([#138](https://github.com/DataDog/libddwaf/pull/138))
 - Remove `ddwaf_toggle_rules` ([#138](https://github.com/DataDog/libddwaf/pull/138))
 
-### Changes
+#### Changes
 - Add WAF Builder ([#138](https://github.com/DataDog/libddwaf/pull/138))
 
 ### v1.7.0  ([unstable](https://github.com/DataDog/libddwaf/blob/master/README.md#versioning-semantics)) - 2023/02/06

diff --git a/src/ruleset_builder.cpp b/src/ruleset_builder.cpp
@@ -226,6 +226,10 @@ ruleset_builder::change_state ruleset_builder::load(parameter::map &root, rulese
         base_rules_ = std::move(new_base_rules);
         rule_data_ids_ = std::move(rule_data_ids);
         state = state | change_state::rules;
+    } else if (base_rules_.empty()) {
+        // If we haven't received rules and our base ruleset is empty, the
+        // WAF can't proceed.
+        throw ddwaf::parsing_error("no valid rules found");
     }
 
     it = root.find("rules_data");

diff --git a/src/waf.hpp b/src/waf.hpp
@@ -46,8 +46,15 @@ class waf {
             return;
         }
 
-        builder_ = std::make_shared<ruleset_builder>(limits, free_fn, std::move(event_obfuscator));
-        ruleset_ = builder_->build(input, info);
+        if (version == 2) {
+            builder_ =
+                std::make_shared<ruleset_builder>(limits, free_fn, std::move(event_obfuscator));
+            ruleset_ = builder_->build(input, info);
+            return;
+        }
+
+        DDWAF_ERROR("incompatible ruleset version %u.x", version);
+        throw unsupported_version();
     }
 
     waf *update(ddwaf::parameter input, ddwaf::ruleset_info &info)

diff --git a/tests/TestInterface.cpp b/tests/TestInterface.cpp
@@ -296,7 +296,7 @@ TEST(FunctionalTests, HandleBad)
 /*ddwaf_destroy(handle2);*/
 /*}*/
 
-TEST(FunctionalTests, ddwaf_get_version) { EXPECT_STREQ(ddwaf_get_version(), "1.8.0"); }
+TEST(FunctionalTests, ddwaf_get_version) { EXPECT_STREQ(ddwaf_get_version(), LIBDDWAF_VERSION); }
 
 TEST(FunctionalTests, ddwaf_runNull)
 {

diff --git a/tests/interface_test.cpp b/tests/interface_test.cpp
@@ -9,6 +9,16 @@
 
 using namespace ddwaf;
 
+TEST(TestInterface, Empty)
+{
+    auto rule = readRule("{}");
+    ASSERT_TRUE(rule.type != DDWAF_OBJ_INVALID);
+
+    ddwaf_handle handle = ddwaf_init(&rule, nullptr, nullptr);
+    ASSERT_EQ(handle, nullptr);
+    ddwaf_object_free(&rule);
+}
+
 TEST(TestInterface, RootAddresses)
 {
     auto rule = readFile("interface.yaml");
@@ -121,6 +131,36 @@ TEST(TestInterface, InvalidVersion)
     ddwaf_object_free(&rule);
 }
 
+TEST(TestInterface, InvalidVersionNoRules)
+{
+    auto rule = readRule("{version: 3.0}");
+    ASSERT_TRUE(rule.type != DDWAF_OBJ_INVALID);
+
+    ddwaf_config config{{0, 0, 0}, {nullptr, nullptr}, nullptr};
+
+    ddwaf_handle handle1 = ddwaf_init(&rule, &config, nullptr);
+    ASSERT_EQ(handle1, nullptr);
+    ddwaf_object_free(&rule);
+}
+
+TEST(TestInterface, UpdateWithNullObject)
+{
+    EXPECT_EQ(ddwaf_update(nullptr, nullptr, nullptr), nullptr);
+}
+
+TEST(TestInterface, UpdateWithNullHandle)
+{
+    auto rule = readFile("rule_data.yaml");
+    ASSERT_TRUE(rule.type != DDWAF_OBJ_INVALID);
+
+    ddwaf_handle handle = ddwaf_init(&rule, nullptr, nullptr);
+    ASSERT_NE(handle, nullptr);
+    ddwaf_object_free(&rule);
+
+    EXPECT_EQ(ddwaf_update(handle, nullptr, nullptr), nullptr);
+    ddwaf_destroy(handle);
+}
+
 TEST(TestInterface, UpdateEmpty)
 {
     auto rule = readFile("interface.yaml");
@@ -140,6 +180,86 @@ TEST(TestInterface, UpdateEmpty)
     ddwaf_destroy(handle);
 }
 
+TEST(TestInterface, PreloadRuleData)
+{
+    auto rule = readFile("rule_data_with_data.yaml");
+    ASSERT_TRUE(rule.type != DDWAF_OBJ_INVALID);
+
+    ddwaf_handle handle = ddwaf_init(&rule, nullptr, nullptr);
+    ASSERT_NE(handle, nullptr);
+    ddwaf_object_free(&rule);
+
+    {
+        ddwaf_context context = ddwaf_context_init(handle);
+        ASSERT_NE(context, nullptr);
+
+        ddwaf_object root;
+        ddwaf_object tmp;
+        ddwaf_object_map(&root);
+        ddwaf_object_map_add(&root, "http.client_ip", ddwaf_object_string(&tmp, "192.168.1.1"));
+
+        EXPECT_EQ(ddwaf_run(context, &root, nullptr, LONG_TIME), DDWAF_MATCH);
+
+        ddwaf_context_destroy(context);
+    }
+
+    {
+        ddwaf_context context = ddwaf_context_init(handle);
+        ASSERT_NE(context, nullptr);
+
+        ddwaf_object root;
+        ddwaf_object tmp;
+        ddwaf_object_map(&root);
+        ddwaf_object_map_add(&root, "usr.id", ddwaf_object_string(&tmp, "paco"));
+
+        EXPECT_EQ(ddwaf_run(context, &root, nullptr, LONG_TIME), DDWAF_MATCH);
+
+        ddwaf_context_destroy(context);
+    }
+
+    {
+        auto root = readRule(
+            R"({rules_data: [{id: usr_data, type: data_with_expiration, data: [{value: pepe, expiration: 0}]}, {id: ip_data, type: ip_with_expiration, data: [{value: 192.168.1.2, expiration: 0}]}]})");
+
+        ddwaf_handle new_handle = ddwaf_update(handle, &root, nullptr);
+        ASSERT_NE(new_handle, nullptr);
+        ddwaf_object_free(&root);
+        ddwaf_destroy(handle);
+
+        handle = new_handle;
+    }
+
+    {
+        ddwaf_context context = ddwaf_context_init(handle);
+        ASSERT_NE(context, nullptr);
+
+        ddwaf_object root;
+        ddwaf_object tmp;
+        ddwaf_object_map(&root);
+        ddwaf_object_map_add(&root, "http.client_ip", ddwaf_object_string(&tmp, "192.168.1.1"));
+
+        EXPECT_EQ(ddwaf_run(context, &root, nullptr, LONG_TIME), DDWAF_OK);
+
+        ddwaf_context_destroy(context);
+    }
+
+    {
+        ddwaf_context context = ddwaf_context_init(handle);
+        ASSERT_NE(context, nullptr);
+
+        ddwaf_object root;
+        ddwaf_object tmp;
+        ddwaf_object_map(&root);
+        ddwaf_object_map_add(&root, "usr.id", ddwaf_object_string(&tmp, "paco"));
+
+        EXPECT_EQ(ddwaf_run(context, &root, nullptr, LONG_TIME), DDWAF_OK);
+
+        ddwaf_context_destroy(context);
+    }
+
+    ddwaf_destroy(handle);
+}
+
 TEST(TestInterface, UpdateRules)
 {
     auto rule = readFile("interface.yaml");

diff --git a/version b/version
@@ -1 +1 @@
-1.8.0
+1.8.1