feat(libddwaf): bump to 1.20.1 (#2913)

--------- Signed-off-by: Alexandre Rulleau <alexandre.rulleau@datadoghq.com> Co-authored-by: Anil Mahtani <929854+Anilm3@users.noreply.github.com> Co-authored-by: Gustavo Lopes <mail@geleia.net>
DataDog · Nov 8, 2024 · d47c723 · d47c723
1 parent 84f7fa8
commit d47c723
Show file tree

Hide file tree

Showing 24 changed files with 59 additions and 480 deletions.
diff --git a/appsec/tests/helper/client_test.cpp b/appsec/tests/helper/client_test.cpp
@@ -155,7 +155,7 @@ TEST(ClientTest, ClientInit)
     EXPECT_STREQ(msg_res->status.c_str(), "ok");
     EXPECT_EQ(msg_res->meta.size(), 2);
     EXPECT_STREQ(
-        msg_res->meta[std::string(tag::waf_version)].c_str(), "1.18.0");
+        msg_res->meta[std::string(tag::waf_version)].c_str(), "1.20.1");
     EXPECT_STREQ(
         msg_res->meta[std::string(tag::event_rules_errors)].c_str(), "{}");
 
@@ -264,7 +264,7 @@ TEST(ClientTest, ClientInitInvalidRules)
     EXPECT_STREQ(msg_res->status.c_str(), "ok");
     EXPECT_EQ(msg_res->meta.size(), 2);
     EXPECT_STREQ(
-        msg_res->meta[std::string(tag::waf_version)].c_str(), "1.18.0");
+        msg_res->meta[std::string(tag::waf_version)].c_str(), "1.20.1");
 
     rapidjson::Document doc;
     doc.Parse(msg_res->meta[std::string(tag::event_rules_errors)]);
@@ -637,8 +637,8 @@ TEST(ClientTest, EventWithMultipleActions)
         EXPECT_EQ(msg_res->actions.size(),
             3); // Block is not generated since there is a redirect
         EXPECT_STREQ(msg_res->actions[0].verdict.c_str(), "redirect");
-        EXPECT_STREQ(
-            msg_res->actions[0].parameters["location"].c_str(), "localhost");
+        EXPECT_STREQ(msg_res->actions[0].parameters["location"].c_str(),
+            "https://localhost");
         EXPECT_STREQ(
             msg_res->actions[0].parameters["status_code"].c_str(), "303");
         EXPECT_STREQ(msg_res->actions[1].verdict.c_str(),

diff --git a/appsec/tests/helper/engine_test.cpp b/appsec/tests/helper/engine_test.cpp
@@ -4,14 +4,13 @@
 // This product includes software developed at Datadog
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #include "common.hpp"
-#include "json_helper.hpp"
 #include <engine.hpp>
 #include <memory>
 #include <rapidjson/document.h>
 #include <subscriber/waf.hpp>
 
 const std::string waf_rule =
-    R"({"version":"2.1","rules":[{"id":"1","name":"rule1","tags":{"type":"flow1","category":"category1"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"arg1","key_path":[]}],"regex":"^string.*"}},{"operator":"match_regex","parameters":{"inputs":[{"address":"arg2","key_path":[]}],"regex":".*"}}]}]})";
+    R"({"version":"2.1","rules":[{"id":"1","name":"rule1","tags":{"type":"flow1","category":"category1"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"arg1","key_path":[]}],"regex":"^string.*"}},{"operator":"match_regex","parameters":{"inputs":[{"address":"arg2","key_path":[]}],"regex":".*"}}]},{"id":"2","name":"rule2","tags":{"type":"flow2","category":"category2"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"arg3","key_path":[]}],"regex":"^string.*"}}]}]})";
 const std::string waf_rule_with_data =
     R"({"version":"2.1","rules":[{"id":"blk-001-001","name":"Block IP Addresses","tags":{"type":"block_ip","category":"security_response"},"conditions":[{"parameters":{"inputs":[{"address":"http.client_ip"}],"data":"blocked_ips"},"operator":"ip_match"}],"transformers":[],"on_match":["block"]}]})";
 
@@ -704,7 +703,7 @@ TEST(EngineTest, WafSubscriptorUpdateRuleOverrideAndActions)
             R"({"rules_override": [{"rules_target":[{"rule_id":"1"}],
              "on_match": ["redirect"]}], "actions": [{"id": "redirect",
              "type": "redirect_request", "parameters": {"status_code": "303",
-             "location": "localhost"}}]})");
+             "location": "https://localhost"}}]})");
         e->update(update, meta, metrics);
     }
 

diff --git a/appsec/tests/helper/main.cpp b/appsec/tests/helper/main.cpp
@@ -190,7 +190,7 @@ std::string create_sample_rules_ok()
       "id": "redirect",
       "type": "redirect_request",
       "parameters": {
-        "location": "localhost"
+        "location": "https://localhost"
       }
     }
   ]

diff --git a/appsec/tests/helper/remote_config/listeners/engine_listener_test.cpp b/appsec/tests/helper/remote_config/listeners/engine_listener_test.cpp
@@ -6,18 +6,16 @@
 
 #include "../../common.hpp"
 #include "../mocks.hpp"
-#include "base64.h"
 #include "engine.hpp"
 #include "json_helper.hpp"
 #include "remote_config/exception.hpp"
 #include "remote_config/listeners/engine_listener.hpp"
-#include "remote_config/product.hpp"
 #include "subscriber/waf.hpp"
 #include <memory>
 #include <rapidjson/writer.h>
 
 const std::string waf_rule =
-    R"({"version":"2.1","rules":[{"id":"1","name":"rule1","tags":{"type":"flow1","category":"category1"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"arg1","key_path":[]}],"regex":".*"}}]}]})";
+    R"({"version":"2.1","rules":[{"id":"1","name":"rule1","tags":{"type":"flow1","category":"category1"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"arg1","key_path":[]}],"regex":".*"}}]},{"id":"2","name":"rule2","tags":{"type":"flow2","category":"category2"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"dummy","key_path":[]}],"regex":".*"}}]}]})";
 
 namespace dds::remote_config {
 
@@ -978,7 +976,7 @@ TEST(RemoteConfigEngineListener, EngineRuleOverrideAndActionsUpdate)
     }
     const std::string update =
         R"({"actions": [{"id": "redirect", "type": "redirect_request", "parameters":
-            {"status_code": "303", "location": "localhost"}}],"rules_override":
+            {"status_code": "303", "location": "https://localhost"}}],"rules_override":
             [{"rules_target": [{"rule_id": "1"}], "on_match": ["redirect"]}]})";
 
     listener.on_update(get_config("ASM", update));

diff --git a/appsec/tests/helper/waf_test.cpp b/appsec/tests/helper/waf_test.cpp
@@ -48,7 +48,7 @@ TEST(WafTest, InitWithInvalidRules)
         waf::instance::from_settings(cs, ruleset, meta, metrics)};
 
     EXPECT_EQ(meta.size(), 2);
-    EXPECT_STREQ(meta[std::string(tag::waf_version)].c_str(), "1.18.0");
+    EXPECT_STREQ(meta[std::string(tag::waf_version)].c_str(), "1.20.1");
 
     rapidjson::Document doc;
     doc.Parse(meta[std::string(tag::event_rules_errors)]);

diff --git a/appsec/tests/integration/build.gradle b/appsec/tests/integration/build.gradle
@@ -333,7 +333,6 @@ def buildAppSecTask = { String version, String variant ->
                         cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo \\
                               -DCMAKE_INSTALL_PREFIX=/appsec \\
                               -DDD_APPSEC_ENABLE_PATCHELF_LIBC=ON \\
-                              -DCMAKE_TOOLCHAIN_FILE=/build/Toolchain.cmake \\
                               -DDD_APPSEC_TESTING=ON /project/appsec
                     make -j extension ddappsec-helper && \\
                         touch ddappsec.so libddappsec-helper.so

diff --git a/appsec/tests/integration/gradle/images.gradle b/appsec/tests/integration/gradle/images.gradle
@@ -11,6 +11,7 @@ def phpVersions = [
         '8.1': '8.1.26',
         '8.2': '8.2.13',
         '8.3': '8.3.0',
+        '8.4': '8.4.0',
 ]
 
 def arch = System.getProperty('os.arch')

diff --git a/appsec/tests/integration/src/docker/apache2-fpm/Dockerfile b/appsec/tests/integration/src/docker/apache2-fpm/Dockerfile
@@ -3,8 +3,10 @@ ARG VARIANT
 FROM datadog/dd-appsec-php-ci:php-$PHP_VERSION-$VARIANT
 
 RUN apt-get update && apt-get install -y \
-	apache2 \
-	&& rm -rf /var/lib/apt/lists/*
+    apache2 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN usermod -a -G linux_users www-data
 
 RUN rm -rf /var/www/html
 RUN sed -i '/<Directory \/var\/www\/>/,/<\/Directory>/s/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf

diff --git a/appsec/tests/integration/src/docker/apache2-mod/Dockerfile b/appsec/tests/integration/src/docker/apache2-mod/Dockerfile
@@ -3,8 +3,10 @@ ARG VARIANT
 FROM datadog/dd-appsec-php-ci:php-$PHP_VERSION-$VARIANT
 
 RUN apt-get update && apt-get install -y \
-	apache2 \
-	&& rm -rf /var/lib/apt/lists/*
+    apache2 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN usermod -a -G linux_users www-data
 
 RUN rm -rf /var/www/html
 RUN sed -i 's@/var/www/html@/var/www/public@' /etc/apache2/sites-available/000-default.conf

diff --git a/appsec/tests/integration/src/docker/nginx-fpm/Dockerfile b/appsec/tests/integration/src/docker/nginx-fpm/Dockerfile
@@ -4,8 +4,10 @@ ARG VARIANT
 FROM datadog/dd-appsec-php-ci:php-$PHP_VERSION-$VARIANT
 
 RUN apt-get update && apt-get install -y \
-	nginx \
-	&& rm -rf /var/lib/apt/lists/*
+    nginx \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN usermod -a -G linux_users www-data
 
 RUN rm -rf /var/www/html
 

diff --git a/appsec/tests/integration/src/docker/php/Dockerfile b/appsec/tests/integration/src/docker/php/Dockerfile
@@ -23,7 +23,12 @@ ARG VARIANT
 
 ENV NO_APX_WRAPPER=1
 
+# PHP 8.4 checks if /usr/sbin/apache2 exists
+RUN touch /usr/sbin/apache2
+RUN chmod +x /usr/sbin/apache2
 RUN USER=root /build/php/build_dev_php.sh "$PHP_VERSION" "$VARIANT"
+RUN rm /usr/sbin/apache2
+
 ADD php.ini /root/php/php.ini
 ENV PHPRC=/root/php/php.ini
 
@@ -35,4 +40,7 @@ ENV CARGO_HOME=/root/.cargo
 ENV RUSTUP_HOME=/root/.rustup
 ENV LD_LIBRARY_PATH=/root/php/icu-60/lib
 
+RUN groupadd -g 1000 linux_users && \
+    useradd -G linux_users -u 1000 linux_user
+
 ENTRYPOINT ["php"]
diff --git a/appsec/tests/integration/src/docker/php/build_dev_php.sh b/appsec/tests/integration/src/docker/php/build_dev_php.sh
@@ -36,6 +36,8 @@ function download_php {
   local download_url
   if [[ $version_id -lt 50400 ]]; then
     download_url="http://museum.php.net/php5/php-${version}.tar.gz"
+  elif [[ $version_id -ge 80400 ]]; then
+    download_url="https://downloads.php.net/~saki/php-8.4.0RC3.tar.gz"
   else
     download_url="https://www.php.net/distributions/php-${version}.tar.gz"
   fi
@@ -85,10 +87,10 @@ function get_xdebug_version {
     echo '2.8.1'
   elif [[ $version_id -lt 80000 ]]; then
     echo '2.9.8'
-  elif [[ $version_id -ge 80300 ]]; then
+  elif [[ $version_id -lt 80400 ]]; then
     echo '3.3.1'
-  else
-    echo '3.2.2'
+  elif [[ $version_id -ge 80400 ]]; then
+    echo '3.4.0beta1'
   fi
 }
 

diff --git a/appsec/tests/integration/src/docker/toolchain/CHECKSUMS b/appsec/tests/integration/src/docker/toolchain/CHECKSUMS
@@ -1,10 +1,2 @@
-9b0b259cc43d5e4d20200676be153de81b485b3fdf065623ff71c7e1894ec5c8ed9d99c1416f70246ab0f417cbba6d1d4af9f3769e2e6577400681a791346231  compiler-rt-11.1.0.src.tar.xz
-a1d2e3f5ad529a04f87059903b31fc3c9803cd86f44aed1aebd87ce7e423d8dd2b6776be12e85a0374a6215f581420438d224c130aad5e6355920af32c02aa7b  compiler-rt-10.0.1.src.tar.xz
-d77145858cda538127b631a8072fafc3fa01a5a9648d4ca1cb6d563009061c56f93ca606f4f7f9e706d5cc0dd8f4e0895f496439ca173f175a1c8ee740b5d30a  gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu.tar.xz
-af5333da5b90f4a46a5184532164f4c6522e3c03a580131627c0f167ab98fb3e71b3e15518d6e22414141484ec5ab0d184294ae7f10034ebfed28e7072836b28  libcxx-11.1.0.src.tar.xz
-0bf3806fd9382ca6790ca2a8e991424caf64e81415386875243565034243f2ac7442c596e3c55ece80932c2ec59b71801e3e415dedc9db4dd4c3f66b6a893558  libcxxabi-11.1.0.src.tar.xz
-507f29cf1a318d9761fe6306b2e9b57c02a342f138b47ec5420dce527132a33f7affcd386913792c472ceeb9fb1c1b105bba3234a1575aae0f68024e94c8d596  libunwind-11.1.0.src.tar.xz
-07bf9973384151a18d5cc2892103e5f28a88c632e8e49662fde56d123632f2ed1b3710fa7a87b6b821955d0ec44160ff36f2aa4f233e389e14d628e9bf8dc764  llvm-11.1.0.src.tar.xz
-5344b581bd6463d71af8c13e91792fa51f25a96a1ecbea81e42664b63d90b325aeb421dfbc8c22e187397ca08e84d9296a0c0c299ba04fa2b751d6864914bd82  musl-1.2.2.tar.gz
 9591360672ba6192c606404caf70101538728a1cd5d548efcbb952f663f182bd1954d63743ffc9dd18f5c649a62a042c5e36d1ff423634dfd074f672dd1f4af9  cmake-3.28.0-linux-x86_64.tar.gz
 48a20095711870b23bd5db342de0e058a7c6876bafad4c6ce9ff9bce672ca1e95ed9ac890d519b0884cd277d091575eda7e60a97cad377ee57c1e20dee25feb1  cmake-3.28.0-linux-aarch64.tar.gz
diff --git a/appsec/tests/integration/src/docker/toolchain/Dockerfile b/appsec/tests/integration/src/docker/toolchain/Dockerfile
@@ -1,14 +1,24 @@
 FROM debian@sha256:08db48d59c0a91afb802ebafc921be3154e200c452e4d0b19634b426b03e0e25 AS toolchain
-RUN apt-get update && \
-	apt-get install -y curl xz-utils make file lld clang git patchelf gcc libgcc-s1 sed autoconf wget libssl-dev wget libxml2
+
+RUN apt-get update && apt-get install -y \
+  binutils \
+  build-essential \
+  curl \
+  git \
+  gnupg \
+  libncurses5-dev \
+  lld \
+  lsb-release \
+  patchelf \
+  software-properties-common \
+  wget \
+  wget \
+  xz-utils
 
 RUN ln -s /bin/sed /usr/bin/sed
-RUN mkdir /build
-ADD . /build/
+COPY . /build/
 
 RUN wget https://github.com/Kitware/CMake/releases/download/v3.28.0/cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz && \
-    grep -F "cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz" ./build/CHECKSUMS | sha512sum --check && \
-    tar --strip-components=1 -C /usr/local -xvzf cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz && \
-    rm cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz
-
-RUN cd /build && make install && make clean
+  grep -F "cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz" ./build/CHECKSUMS | sha512sum --check && \
+  tar --strip-components=1 -C /usr/local -xvzf cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz && \
+  rm cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz