Releases: DataDog/libddwaf

v1.17.0 (unstable)

18 Apr 07:18
6762453

This new version introduces RASP rules and supporting features, including:

  • Multivariate operators for the development of complex rules.
  • A new operator lfi_detector for the detection of local file inclusion (LFI) / path traversal attacks.
  • A new operator ssrf_detector for the detection of server-side request forgery (SSRF) attacks.
  • Better support for rule actions, as well as internal default actions: block, stack_trace and extract_schema.

The upgrading guide has also been updated to cover the new breaking changes.

Changes

  • Multivariate operator support (#241)
  • Local file inclusion (LFI) operator (#258)
  • Server-side request forgery (SSRF) detection operator (#268)
  • Action semantics and related improvements (#277)

Fixes

  • Reduce benchmark noise (#257, #259, #260)
  • Add support for old glibc (e.g. RHEL 6) (#262)
  • Add weak ceilf symbol and definition (#263)
  • Fix parsing of variadic arguments (#267)

Miscellaneous

  • Update node-16 actions to node-20 ones (#266)
  • Attempt to build libddwaf on arm64 runner (#270)
  • Run tests on arm64 (#271)
  • LFI detector fuzzer (#274)
  • Remove rpath from linux-musl binary (#282)

v1.17.0-alpha3 (unstable)

08 Apr 18:38
6af4b64

Since this release contains breaking changes, the upgrading guide has been updated.

Changes

  • Action semantics and related improvements (#277)

Miscellaneous

  • LFI detector fuzzer (#274)

v1.16.1 (unstable)

12 Mar 16:50
b96e53c

Fixes

  • Add support for old glibc (e.g. RHEL 6) (#262)
  • Add weak ceilf symbol and definition (#263)

v1.17.0-alpha2 (unstable)

08 Mar 14:16
ad60a24

Changes

  • Server-side request forgery (SSRF) detection operator (#268)

Miscellaneous

  • Attempt to build libddwaf on arm64 runner (#270)
  • Run tests on arm64 (#271)

v1.17.0-alpha1 (unstable)

20 Feb 17:03
d438b4e

Fixes

  • Fix parsing of variadic arguments (#267)

Miscellaneous

  • Update node-16 actions to node-20 ones (#266)

v1.17.0-alpha0 (unstable)

19 Feb 17:50
a0d5a84

Fixes

  • Add support for old glibc (e.g. RHEL 6) (#262)
  • Add weak ceilf symbol and definition (#263)

Changes

  • Multivariate operator support (#241)
  • Local file inclusion (LFI) operator (#258)

Miscellaneous

v1.16.0 (unstable)

07 Feb 14:54
044f675

Note: while there are no breaking changes in this release, legacy Linux builds are no longer being produced.

Fixes

  • Address a libinjection false positive (#251)
  • Remove a few fingerprints causing false positives (#252)
  • Fix SSE2 lowercase transformer (#253)

Changes

  • Support ephemeral addresses on processors (#240)
  • Phrase match: enforce word boundary option (#256)

Miscellaneous

v1.15.1 (unstable)

14 Nov 17:02
cd01ea3

Fixes

  • Fix duplicate processor check (#234)

v1.15.0 (unstable)

31 Oct 14:33
e7d3c20

This new version of the WAF includes the following new features:

  • Ephemeral addresses for composite requests
  • Naive duplicate address support on input filters
  • Required / Optional address diagnostics

The upgrading guide has also been updated to cover the new changes.

API & Breaking Changes

  • Support ephemeral addresses on ddwaf_run (#219)
  • Rename ddwaf_required_addresses to ddwaf_known_addresses (#221)

Fixes

  • Schema extraction scanners: reduce false positives on arrays (#220)

Changes

  • Ephemeral addresses for rules & exclusion filters (#219, #224)
  • Address diagnostics (#221)
  • Naive duplicate address support on input/object filters (#222)

Miscellaneous

  • Update nuget packaging to use new musl linux binaries (#217)
  • Validator improvements (#225)
  • Use fmt::format for logging and vendorize some dependencies within src/ (#226)
  • Reduce linux binary size and fix some flaky tests (#227)

v1.14.0 (unstable)

06 Sep 14:08
27ad2b7

This release of the WAF includes the following new features:

  • Schema data classification through the use of scanners.
  • A vectorized version of the lowercase transformer using SSE2.
  • Generalized processors which are evaluated before or after filters and rules based on their outcome.
  • Optimizations to avoid unnecessary rule and filter evaluation.
  • Many other quality-of-life, correctness and performance improvements.

API & Breaking Changes

  • Rename preprocessors top-level key to processors (#209)

Fixes

  • Fix missing top-level key for processor diagnostics (#209)

Changes

  • SSE2 lowercase transformer (#195)
  • Reduce schema extraction limits (#208)
  • Skip rule and filter evaluation when no new rule targets exist (#207)
  • Refactor preprocessors into preprocessors and postprocessors (#209)
  • Convert float to (un)signed within the parsing stage (#210)
  • Scanners for schema scalar classification (#211)
  • Remove ptr typedefs (#212)
  • Indexer abstraction to encapsulate rule and scanner search and storage (#213)