Release v1.15.0 (#228)

Author: Anilm3

CHANGELOG.md

@@ -1,5 +1,32 @@
 # libddwaf release
 
+### v1.15.0 ([unstable](https://github.com/DataDog/libddwaf/blob/master/README.md#versioning-semantics))
+
+This new version of the WAF includes the following new features:
+- Ephemeral addresses for composite requests
+- Naive duplicate address support on input filters
+- Required / Optional address diagnostics
+
+The [upgrading guide](UGRADING.md) has also been updated to cover the new changes.
+
+#### API & Breaking Changes
+- Support ephemeral addresses on `ddwaf_run` ([#219](https://github.com/DataDog/libddwaf/pull/219))
+- Rename `ddwaf_required_addresses` to `ddwaf_known_addresses` ([#221](https://github.com/DataDog/libddwaf/pull/221))
+
+#### Fixes
+- Schema extraction scanners: reduce false positives on arrays ([#220](https://github.com/DataDog/libddwaf/pull/220))
+
+#### Changes
+- Ephemeral addresses for rules & exclusion filters ([#219](https://github.com/DataDog/libddwaf/pull/219))([#224](https://github.com/DataDog/libddwaf/pull/224))
+- Address diagnostics ([#221](https://github.com/DataDog/libddwaf/pull/221))
+- Naive duplicate address support on input/object filters ([#222](https://github.com/DataDog/libddwaf/pull/222))
+
+#### Miscellaneous
+- Update nuget packaging to use new musl linux binaries ([#217](https://github.com/DataDog/libddwaf/pull/217))
+- Validator improvements  ([#225](https://github.com/DataDog/libddwaf/pull/225))
+- Use `fmt::format` for logging and vendorize some dependencies within `src/` ([#226](https://github.com/DataDog/libddwaf/pull/226))
+- Reduce linux binary size and fix some flaky tests ([#227](https://github.com/DataDog/libddwaf/pull/227))
+
 ### v1.14.0 ([unstable](https://github.com/DataDog/libddwaf/blob/master/README.md#versioning-semantics))
 
 This release of the WAF includes the following new features:

UPGRADING.md

@@ -1,5 +1,108 @@
 # Upgrading libddwaf
 
+## Upgrading from `1.14.0` to `1.15.0`
+
+### Interface changes
+
+With the introduction of ephemeral addresses, `ddwaf_run` now allows the caller to provide data as both persistent or ephemeral. The new signature can be seen below:
+```c
+DDWAF_RET_CODE ddwaf_run(ddwaf_context context, ddwaf_object *persistent_data,
+    ddwaf_object *ephemeral_data, ddwaf_result *result, uint64_t timeout);
+```
+
+Both `persistent_data` and `ephemeral_data` are nullable, however at least one of them has to be non-null for the call to be valid. Otherwise the call to `ddwaf_run` will return the error `DDWAF_ERR_INVALID_ARGUMENT`.
+
+The other interface change is the renaming of `ddwaf_required_addresses` to `ddwaf_known_addresses`, aside from the name change, the signature hasn't changed, as can be seen below:
+
+```c
+const char* const* ddwaf_known_addresses(const ddwaf_handle handle, uint32_t *size);
+```
+
+The reason for the name change is to better reflect the nature of the addresses provided by this function, which will now provide a list of all addresses seen by the WAF, regardless of whether they are required for rule, filter or processor evaluation, or whether they are optionally used when available, such as part of an exclusion filter for inputs or a processor mapping. A more accurate distinction, as well as a breakdown of the addresses required by each of the supported high-level features, is now provided as part of the diagnostics returned by `ddwaf_init` and `ddwaf_update`.
+
+Finally, `testPowerWAF` has been renamed to `waf_test`, while this isn't an interface change it might affect those building and testing the WAF directly.
+
+### Ephemeral addresses
+
+Ephemeral addresses is a new feature aimed at providing better support for protocols composed of a single request with multiple subrequests, such as gRPC client / server streaming or GraphQL. As the name implies, ephemeral addresses are short-lived:
+- These addresses are only used for evaluation of rules and exclusion filters during the `ddwaf_run` call in which they are provided; subsequent calls will have no access to these addresses.
+- At the end of `ddwaf_run` the memory associated with the ephemeral addresses is freed.
+
+As an example, these addresses can be used to evaluate independent gRPC messages within the context of the whole HTTP request. A call with the whole HTTP context and the first gRPC message could look as follows:
+```json
+{
+  "persistent": {
+    "server.request.headers.no_cookies": [ "..." ],
+    "server.request.uri.raw": "...",
+    "http.client_ip": "..."
+  },
+  "ephemeral": {
+    "grpc.server.request.message": { "..." }
+  }
+}
+```
+
+Subsequent calls only need to provide the relevant gRPC message data:
+```json
+{
+  "ephemeral": {
+    "grpc.server.request.message": { "..." }
+  }
+}
+```
+
+When using ephemeral addresses in this manner, each call is somewhat equivalent to creating a new context and providing all of the data at once for each message, however:
+- The new approach doesn't need to reevaluate the already evaluated persistent addresses for each gRPC message.
+- Consequently the new approach does not provide duplicate events for the already evaluated persistent addresses.
+- The performance impact should be much smaller when using the new approach since less rules need to be evaluated and the context can be reused rather than created & destroyed for each message.
+
+Finally, aside from the addresses themselves being ephemeral, the outcome of any evaluation with an ephemeral address is also ephemeral. The evaluation of any condition, from either rules, filters or processors, with ephemeral addresses will always be uncached, meaning that subsequent calls to `ddwaf_run` will reevaluate said conditions if relevant addresses are provided. 
+
+Similarly, any address, object or rule excluded as a result of the evaluation of an ephemeral address, either due to the filter condition matching on an ephemeral address or the excluded address being ephemeral, will only have effect for the duration of the `ddwaf_run` call. As a result, subsequent calls to `ddwaf_run` will be able to evaluate those previously excluded rules or addresses, unless filtered again.
+
+### Address diagnostics
+In order to provide more visibility regarding the breakdown of addresses per feature and whether they are required or optional, the latest version of the WAF introduces address diagnostics. These diagnostics can typically be obtained through a call to `ddwaf_init` or `ddwaf_update` and are broken down per feature, for example:
+
+```json
+
+{
+  "rules": {
+    "loaded": [
+      "a45b55fc-5b57-4002-90bf-58cdf296124c"
+    ],
+    "failed": [],
+    "errors": {},
+    "addresses": {
+      "required": [
+        "http.client_ip",
+        "usr.id",
+        "server.request.headers.no_cookies",
+        "graphql.server.all_resolvers",
+        "grpc.server.request.message",
+        "server.request.path_params",
+        "server.request.body",
+        "server.request.query",
+        "server.request.uri.raw",
+        "server.response.status",
+        "grpc.server.request.metadata"
+      ],
+      "optional": []
+    }
+  }
+}
+```
+
+The distinction between required and optional addresses depends on the feature:
+- Rules only have required addresses.
+- Exclusion filters have both required and optional addresses:
+  - The required addresses correspond to those used within the filter conditions, i.e. those which are required for the filter to be evaluated altogether.
+  - Currently the only optional addresses are those of the excluded inputs, e.g. a filter could exclude `http.client_ip` for a specific endpoint, this address would be optional since it's only used when available.
+- Processors also have both required and optional addresses:
+  - The required addresses correspond to those used within the processor conditions.
+  - The optional addresses correspond to each of the processor mappings, for example if a processor uses `server.request.body.raw` to generate `server.request.body`, the former would be considered optional.
+
+Other diagnostics, such as `rules_data` or `rules_override`, do not provide the addresses key.
+
 ## Upgrading from `1.12.0` to `1.13.0`
 
 ### Interface changes

tools/CMakeLists.txt

@@ -7,6 +7,7 @@ foreach(EXAMPLE ${LIBDDWAF_EXAMPLE_SOURCE})
     add_executable(${EXAMPLE_NAME} ${EXAMPLE} ${LIBDDWAF_EXAMPLE_COMMON_SOURCE})
     target_link_libraries(${EXAMPLE_NAME} PRIVATE libddwaf_objects lib_yamlcpp lib_rapidjson)
     target_include_directories(${EXAMPLE_NAME} PRIVATE ${libddwaf_SOURCE_DIR}/src)
+    target_include_directories(${EXAMPLE_NAME} PRIVATE ${libddwaf_SOURCE_DIR}/src/vendor)
 
     set_target_properties(${EXAMPLE_NAME} PROPERTIES
         CXX_STANDARD 20

tools/verify_ruleset.cpp

@@ -15,7 +15,7 @@ int main(int argc, char *argv[])
     ddwaf_set_log_cb(log_cb, DDWAF_LOG_TRACE);
 
     if (argc < 2) {
-        DDWAF_ERROR("Usage: %s <json/yaml file>", argv[0]);
+        DDWAF_ERROR("Usage: {} <json/yaml file>", argv[0]);
         return EXIT_FAILURE;
     }
 
@@ -33,13 +33,13 @@ int main(int argc, char *argv[])
 
     DDWAF_INFO("Ruleset loaded successfully");
 
-    DDWAF_INFO("Diagnostics:\n%s", object_to_json(diagnostics).c_str());
+    DDWAF_INFO("Diagnostics:\n{}", object_to_json(diagnostics).c_str());
     ddwaf_object_free(&diagnostics);
 
     uint32_t required_size;
     const char *const *required = ddwaf_known_addresses(handle, &required_size);
-    DDWAF_INFO("Required addresses: %u", required_size);
-    for (uint32_t i = 0; i < required_size; i++) { DDWAF_INFO("    - %s", required[i]); }
+    DDWAF_INFO("Required addresses: {}", required_size);
+    for (uint32_t i = 0; i < required_size; i++) { DDWAF_INFO("    - {}", required[i]); }
     ddwaf_destroy(handle);
 
     return EXIT_SUCCESS;

version

@@ -1 +1 @@
-1.14.0
+1.15.0