[AppSec] Update waf and ruleset 1.3.0 (DataDog#2638)

* First update classes

* Update of the waf

* Waf tests and init fixed

* change snapshots and obfuscate values

* Adding some integration tests for initialization

* update waf to 1.3.0

* Skip cookies tests because of new ruleset

* Fix tests to not run parallel and snapshots

Fixing tests to match 1.3.0

fix snapshots

* fix snapshots

* Response to comments

* Response to 2nd round of comments

Add default rule file

* fix initialization

* Return if ddwafObjectStruct from resultsetinfo is not a map, but it should be a map coming from the waf

Author: anna-git

tracer/build/_build/Build.Steps.cs

@@ -51,7 +51,7 @@ partial class Build
 
     AbsolutePath ProfilerHomeDirectory => ProfilerHome ?? RootDirectory / ".." / "_build" / "DDProf-Deploy";
 
-    const string LibDdwafVersion = "1.0.17";
+    const string LibDdwafVersion = "1.3.0";
     AbsolutePath LibDdwafDirectory => (NugetPackageDirectory ?? RootDirectory / "packages") / $"libddwaf.{LibDdwafVersion}";
 
     AbsolutePath SourceDirectory => TracerDirectory / "src";

tracer/build/crank/Security.Samples.AspNetCoreSimpleController.yml

@@ -67,4 +67,4 @@ scenarios:
         warmup: 30
         duration: 240
         serverPort: 5000
-        path: /hello?arg=[$slice]
+        path: /hello?[$slice]=arg

tracer/src/Datadog.Trace.ClrProfiler.Native/packages.config

@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
-  <package id="libddwaf" version="1.0.17" targetFramework="native" />
+  <package id="libddwaf" version="1.3.0" targetFramework="native" />
 </packages>

tracer/src/Datadog.Trace/AppSec/BodyExtractor.cs

@@ -60,12 +60,12 @@ private static IReadOnlyDictionary<string, object> ExtractProperties(object body
 
             depth++;
 
-            var dictSize = Math.Min(WafConstants.MaxMapOrArrayLength, fields.Length);
+            var dictSize = Math.Min(WafConstants.MaxContainerSize, fields.Length);
             var dict = new Dictionary<string, object>(dictSize);
 
             for (var i = 0; i < fields.Length; i++)
             {
-                if (dict.Count >= WafConstants.MaxMapOrArrayLength || depth >= WafConstants.MaxObjectDepth)
+                if (dict.Count >= WafConstants.MaxContainerSize || depth >= WafConstants.MaxContainerDepth)
                 {
                     return dict;
                 }
@@ -135,7 +135,7 @@ private static Dictionary<string, object> ExtractDictionary(object value, Type d
             var valueProp = tkvp.GetProperty("Value");
 
             var sourceDict = (ICollection)value;
-            var dictSize = Math.Min(WafConstants.MaxMapOrArrayLength, sourceDict.Count);
+            var dictSize = Math.Min(WafConstants.MaxContainerSize, sourceDict.Count);
             var items = new Dictionary<string, object>(dictSize);
 
             foreach (var item in sourceDict)
@@ -152,7 +152,7 @@ private static Dictionary<string, object> ExtractDictionary(object value, Type d
                     items.Add(dictKey, nestedDict);
                 }
 
-                if (items.Count >= WafConstants.MaxMapOrArrayLength)
+                if (items.Count >= WafConstants.MaxContainerSize)
                 {
                     break;
                 }
@@ -164,7 +164,7 @@ private static Dictionary<string, object> ExtractDictionary(object value, Type d
         private static List<object> ExtractListOrArray(object value, int depth, HashSet<object> visited)
         {
             var sourceList = (ICollection)value;
-            var listSize = Math.Min(WafConstants.MaxMapOrArrayLength, sourceList.Count);
+            var listSize = Math.Min(WafConstants.MaxContainerSize, sourceList.Count);
             var items = new List<object>(listSize);
 
             foreach (var item in sourceList)
@@ -179,7 +179,7 @@ private static List<object> ExtractListOrArray(object value, int depth, HashSet<
                     items.Add(nestedDict);
                 }
 
-                if (items.Count >= WafConstants.MaxMapOrArrayLength)
+                if (items.Count >= WafConstants.MaxContainerSize)
                 {
                     break;
                 }

tracer/src/Datadog.Trace/AppSec/Security.cs

@@ -97,7 +97,7 @@ private Security(SecuritySettings settings = null, InstrumentationGateway instru
                 if (_settings.Enabled)
                 {
                     _waf = waf ?? Waf.Waf.Create(_settings.Rules);
-                    if (_waf != null)
+                    if (_waf.InitializedSuccessfully)
                     {
                         _instrumentationGateway.RequestEnd += InstrumentationGatewayInstrumentationGatewayEvent;
                         _instrumentationGateway.BodyAvailable += InstrumentationGatewayInstrumentationGatewayEvent;
@@ -126,6 +126,7 @@ private Security(SecuritySettings settings = null, InstrumentationGateway instru
                         _settings.Enabled = false;
                     }
 
+                    _instrumentationGateway.RequestEnd += ReportWafInitInfoOnce;
                     LifetimeManager.Instance.AddShutdownTask(RunShutdown);
                     _rateLimiter = new RateLimiterTimer(_settings.TraceRateLimit);
                 }
@@ -222,7 +223,7 @@ private static void TryAddEndPoint(Span span)
             }
         }
 
-        private void AddAppsecSpecificInstrumentations()
+        private static void AddAppsecSpecificInstrumentations()
         {
             try
             {
@@ -276,9 +277,10 @@ private void InstrumentationGateway_AddHeadersResponseTags(object sender, Instru
             }
         }
 
-        private void Report(ITransport transport, Span span, string resultData, bool blocked)
+        private void Report(ITransport transport, Span span, IResult result, bool blocked)
         {
             span.SetTag(Tags.AppSecEvent, "true");
+            var resultData = result.Data;
             var exceededTraces = _rateLimiter.UpdateTracesCounter();
             if (exceededTraces <= 0)
             {
@@ -307,7 +309,8 @@ private void Report(ITransport transport, Span span, string resultData, bool blo
 
             var ipInfo = RequestHeadersHelper.ExtractIpAndPort(transport.GetHeader, _settings.CustomIpHeader, _settings.ExtraHeaders, transport.IsSecureConnection, reportedIpInfo);
             span.SetTag(Tags.ActorIp, ipInfo.IpAddress);
-
+            span.SetMetric(Metrics.AppSecWafDuration, result.AggregatedTotalRuntime);
+            span.SetMetric(Metrics.AppSecWafAndBindingsDuration, result.AggregatedTotalRuntimeWithBindings);
             var headers = transport.GetRequestHeaders();
             AddHeaderTags(span, headers, RequestHeaders, SpanContextPropagator.HttpRequestHeadersTagPrefix);
         }
@@ -343,7 +346,7 @@ private void RunWafAndReact(IDictionary<string, object> args, ITransport transpo
                     // blocking has been removed, waiting a better implementation
                 }
 
-                Report(transport, span, wafResult.Data, block);
+                Report(transport, span, wafResult, block);
             }
         }
 
@@ -359,6 +362,22 @@ private void InstrumentationGatewayInstrumentationGatewayEvent(object sender, In
             }
         }
 
+        private void ReportWafInitInfoOnce(object sender, InstrumentationGatewaySecurityEventArgs e)
+        {
+            _instrumentationGateway.RequestEnd -= ReportWafInitInfoOnce;
+            var span = e.RelatedSpan.Context.TraceContext.RootSpan ?? e.RelatedSpan;
+            span.SetTraceSamplingPriority(_settings.KeepTraces ? SamplingPriorityValues.UserKeep : SamplingPriorityValues.AutoReject);
+            span.SetMetric(Metrics.AppSecWafInitRulesLoaded, _waf.InitializationResult.LoadedRules);
+            span.SetMetric(Metrics.AppSecWafInitRulesErrorCount, _waf.InitializationResult.FailedToLoadRules);
+            span.SetTag(Tags.AppSecRuleFileVersion, _waf.InitializationResult.RuleFileVersion);
+            if (_waf.InitializationResult.HasErrors)
+            {
+                span.SetTag(Tags.AppSecWafInitRuleErrors, _waf.InitializationResult.ErrorMessage);
+            }
+
+            span.SetTag(Tags.AppSecWafVersion, _waf.Version.ToString());
+        }
+
         private void RunShutdown()
         {
             if (_instrumentationGateway != null)

tracer/src/Datadog.Trace/AppSec/Waf/Context.cs

@@ -5,6 +5,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Diagnostics;
 using Datadog.Trace.AppSec.Waf.NativeBindings;
 using Datadog.Trace.Logging;
 using Datadog.Trace.Vendors.Serilog.Events;
@@ -18,22 +19,23 @@ internal class Context : IContext
         private readonly WafNative wafNative;
         private readonly Encoder encoder;
         private readonly List<Obj> argCache = new();
+        private readonly Stopwatch _stopwatch;
         private bool disposed = false;
+        private ulong _totalRuntimeOverRuns;
 
         public Context(IntPtr contextHandle, WafNative wafNative, Encoder encoder)
         {
             this.contextHandle = contextHandle;
             this.wafNative = wafNative;
             this.encoder = encoder;
+            _stopwatch = new Stopwatch();
         }
 
-        ~Context()
-        {
-            Dispose(false);
-        }
+        ~Context() => Dispose(false);
 
         public IResult Run(IDictionary<string, object> args, ulong timeoutMicroSeconds)
         {
+            _stopwatch.Start();
             var pwArgs = encoder.Encode(args, argCache, applySafetyLimits: true);
 
             if (Log.IsEnabled(LogEventLevel.Debug))
@@ -42,23 +44,22 @@ public IResult Run(IDictionary<string, object> args, ulong timeoutMicroSeconds)
                 Log.Debug("DDAS-0010-00: Executing AppSec In-App WAF with parameters: {Parameters}", parameters);
             }
 
-            var rawAgs = pwArgs.RawPtr;
+            var rawArgs = pwArgs.RawPtr;
             DdwafResultStruct retNative = default;
-
-            var code = wafNative.Run(contextHandle, rawAgs, ref retNative, timeoutMicroSeconds);
-
-            var ret = new Result(retNative, code, wafNative);
+            var code = wafNative.Run(contextHandle, rawArgs, ref retNative, timeoutMicroSeconds);
+            _stopwatch.Stop();
+            _totalRuntimeOverRuns += retNative.TotalRuntime / 1000;
+            var result = new Result(retNative, code, wafNative, _totalRuntimeOverRuns, (ulong)_stopwatch.Elapsed.TotalMilliseconds * 1000);
 
             if (Log.IsEnabled(LogEventLevel.Debug))
             {
-                Log.Debug<ReturnCode, string, int>(
-                    "DDAS-0011-00: AppSec In-App WAF returned: {ReturnCode} {Data} Took {PerfTotalRuntime} ms",
-                    ret.ReturnCode,
-                    ret.Data,
-                    retNative.PerfTotalRuntime);
+                Log.Debug(
+                    "DDAS-0011-00: AppSec In-App WAF returned: {ReturnCode} {Data}",
+                    result.ReturnCode,
+                    result.Data);
             }
 
-            return ret;
+            return result;
         }
 
         public void Dispose(bool disposing)

tracer/src/Datadog.Trace/AppSec/Waf/Encoder.cs

@@ -57,7 +57,7 @@ private static string TruncateLongString(string s) =>
             s.Length > WafConstants.MaxStringLength ? s.Substring(0, WafConstants.MaxStringLength) : s;
 
         public Obj Encode(object o, List<Obj> argCache, bool applySafetyLimits) =>
-            EncodeInternal(o, argCache, WafConstants.MaxObjectDepth, applySafetyLimits);
+            EncodeInternal(o, argCache, WafConstants.MaxContainerDepth, applySafetyLimits);
 
         private Obj EncodeInternal(object o, List<Obj> argCache, int remainingDepth, bool applyLimits)
         {
@@ -98,10 +98,10 @@ private Obj EncodeList(IEnumerable<object> objEnumerator, List<Obj> argCache, in
             }
 
             var count = objEnumerator is IList<object> objs ? objs.Count : objEnumerator.Count();
-            if (applyLimits && count > WafConstants.MaxMapOrArrayLength)
+            if (applyLimits && count > WafConstants.MaxContainerSize)
             {
-                Log.Warning<int, int>("EncodeList: list too long, it will be truncated, count: {Count}, MaxMapOrArrayLength {MaxMapOrArrayLength}", count, WafConstants.MaxMapOrArrayLength);
-                objEnumerator = objEnumerator.Take(WafConstants.MaxMapOrArrayLength);
+                Log.Warning<int, int>("EncodeList: list too long, it will be truncated, count: {Count}, MaxMapOrArrayLength {MaxMapOrArrayLength}", count, WafConstants.MaxContainerSize);
+                objEnumerator = objEnumerator.Take(WafConstants.MaxContainerSize);
             }
 
             foreach (var o in objEnumerator)
@@ -125,10 +125,10 @@ private Obj EncodeDictionary(IEnumerable<KeyValuePair<string, object>> objDictEn
 
             var count = objDictEnumerator is IDictionary<string, object> objDict ? objDict.Count : objDictEnumerator.Count();
 
-            if (applyLimits && count > WafConstants.MaxMapOrArrayLength)
+            if (applyLimits && count > WafConstants.MaxContainerSize)
             {
-                Log.Warning<int, int>("EncodeDictionary: list too long, it will be truncated, count: {Count}, MaxMapOrArrayLength {MaxMapOrArrayLength}", count, WafConstants.MaxMapOrArrayLength);
-                objDictEnumerator = objDictEnumerator.Take(WafConstants.MaxMapOrArrayLength);
+                Log.Warning<int, int>("EncodeDictionary: list too long, it will be truncated, count: {Count}, MaxMapOrArrayLength {MaxMapOrArrayLength}", count, WafConstants.MaxContainerSize);
+                objDictEnumerator = objDictEnumerator.Take(WafConstants.MaxContainerSize);
             }
 
             foreach (var o in objDictEnumerator)

tracer/src/Datadog.Trace/AppSec/Waf/IResult.cs

@@ -12,5 +12,9 @@ internal interface IResult : IDisposable
         ReturnCode ReturnCode { get; }
 
         string Data { get; }
+
+        ulong AggregatedTotalRuntime { get; }
+
+        ulong AggregatedTotalRuntimeWithBindings { get; }
     }
 }

tracer/src/Datadog.Trace/AppSec/Waf/IWaf.cs

@@ -4,13 +4,18 @@
 // </copyright>
 
 using System;
+using Datadog.Trace.AppSec.Waf.ReturnTypesManaged;
 
 namespace Datadog.Trace.AppSec.Waf
 {
     internal interface IWaf : IDisposable
     {
         public Version Version { get; }
 
+        public bool InitializedSuccessfully { get; }
+
+        public InitializationResult InitializationResult { get; }
+
         public IContext CreateContext();
     }
 }

tracer/src/Datadog.Trace/AppSec/Waf/Initialization/WafConfigurator.cs

@@ -7,7 +7,9 @@
 using System.IO;
 using System.Linq;
 using Datadog.Trace.AppSec.Waf.NativeBindings;
+using Datadog.Trace.AppSec.Waf.ReturnTypesManaged;
 using Datadog.Trace.Logging;
+using Datadog.Trace.Util;
 using Datadog.Trace.Vendors.Newtonsoft.Json;
 using Datadog.Trace.Vendors.Newtonsoft.Json.Linq;
 using Datadog.Trace.Vendors.Serilog.Events;
@@ -18,30 +20,55 @@ internal static class WafConfigurator
     {
         private static readonly IDatadogLogger Log = DatadogLogging.GetLoggerFor(typeof(WafConfigurator));
 
-        internal static IntPtr? Configure(string rulesFile, WafNative wafNative, Encoder encoder)
+        internal static InitializationResult Configure(string rulesFile, WafNative wafNative, Encoder encoder)
         {
             var argCache = new List<Obj>();
             var configObj = GetConfigObj(rulesFile, argCache, encoder);
             if (configObj == null)
             {
-                return null;
+                return InitializationResult.FromUnusableRuleFile();
             }
 
+            DdwafRuleSetInfoStruct ruleSetInfo = default;
+
             try
             {
                 DdwafConfigStruct args = default;
-                var ruleHandle = wafNative.Init(configObj.RawPtr, ref args);
+                var ruleHandle = wafNative.Init(configObj.RawPtr, ref args, ref ruleSetInfo);
                 if (ruleHandle == IntPtr.Zero)
                 {
                     Log.Warning("DDAS-0005-00: WAF initialization failed.");
                 }
 
-                return ruleHandle;
+                var initResult = InitializationResult.From(ruleSetInfo, ruleHandle);
+                if (initResult.LoadedRules == 0)
+                {
+                    Log.Error("DDAS-0003-03: AppSec could not read the rule file {rulesFile}. Reason: All rules are invalid. AppSec will not run any protections in this application.", rulesFile);
+                }
+                else
+                {
+                    Log.Information("DDAS-0015-00: AppSec loaded {loadedRules} from file {rulesFile}.", initResult.LoadedRules, rulesFile);
+                }
+
+                if (initResult.HasErrors)
+                {
+                    var sb = StringBuilderCache.Acquire(0);
+                    sb.Append($"WAF initialization failed. Some rules are invalid in rule file {rulesFile}:");
+                    foreach (var item in initResult.Errors)
+                    {
+                        sb.Append($"{item.Key}: [{string.Join(", ", item.Value)}] ");
+                    }
+
+                    var errorMess = StringBuilderCache.GetStringAndRelease(sb);
+                    Log.Warning(errorMess);
+                }
+
+                return initResult;
             }
             finally
             {
-                wafNative.ObjectFree(configObj.RawPtr);
-
+                wafNative.RuleSetInfoFree(ref ruleSetInfo);
+                wafNative.ObjectFreePtr(configObj.RawPtr);
                 configObj.Dispose();
                 foreach (var arg in argCache)
                 {
@@ -97,10 +124,11 @@ private static void LogRuleDetailsIfDebugEnabled(JToken root)
                     Log.Debug($"eventspropo {eventsProp.Count}");
                     foreach (var ev in eventsProp)
                     {
-                        var idProp = ev.Value<JValue>("id");
-                        var nameProp = ev.Value<JValue>("name");
-                        var addresses = ev.Value<JArray>("conditions").SelectMany(x => x.Value<JObject>("parameters").Value<JArray>("inputs"));
-                        Log.Debug("DDAS-0007-00: Loaded rule: {id} - {name} on addresses: {addresses}", idProp.Value, nameProp.Value, string.Join(", ", addresses));
+                        var emptyJValue = JValue.CreateString(string.Empty);
+                        var idProp = ev.Value<JValue>("id") ?? emptyJValue;
+                        var nameProp = ev.Value<JValue>("name") ?? emptyJValue;
+                        var addresses = ev.Value<JArray>("conditions")?.SelectMany(x => x.Value<JObject>("parameters")?.Value<JArray>("inputs"));
+                        Log.Debug("DDAS-0007-00: Loaded rule: {id} - {name} on addresses: {addresses}", idProp.Value, nameProp.Value, string.Join(", ", addresses ?? Enumerable.Empty<JToken>()));
                     }
                 }
                 catch (Exception ex)