report max truncated elements and errors (#130)

* report max truncated elements and errors

* fix linter

* Use error code instead

* Typescript definition

* update test to check truncated nested objects are not checked

* add tests

---------

Co-authored-by: simon-id <simon.id@datadoghq.com>

Author: IlyasShabi

index.d.ts

@@ -22,13 +22,21 @@ type diagnosticsError = {
 
 type diagnosticsResult = diagnosticsInfo | diagnosticsError
 
+type TruncationMetrics = {
+  maxTruncatedString?: number;
+  maxTruncatedContainerSize?: number;
+  maxTruncatedContainerDepth?: number;
+}
+
 type result = {
   timeout: boolean;
   totalRuntime?: number;
   events?: object[]; // https://github.com/DataDog/libddwaf/blob/master/schema/events.json
   status?: 'match'; // TODO: remove this if new statuses are never added
   actions?: object[];
   derivatives?: object;
+  metrics?: TruncationMetrics;
+  errorCode?: number;
 }
 
 type payload = {

src/convert.cpp

@@ -9,6 +9,7 @@
 
 #include <limits>
 #include <string>
+#include <algorithm>
 
 #include "src/convert.h"
 #include "src/log.h"
@@ -21,7 +22,8 @@ ddwaf_object* to_ddwaf_object(
   int depth,
   bool lim,
   bool ignoreToJSON,
-  JsSet stack
+  JsSet stack,
+  WAFTruncationMetrics* metrics
 );
 
 ddwaf_object* to_ddwaf_object_array(
@@ -31,12 +33,13 @@ ddwaf_object* to_ddwaf_object_array(
   int depth,
   bool lim,
   bool ignoreToJSON,
-  JsSet stack
+  JsSet stack,
+  WAFTruncationMetrics* metrics
 ) {
   if (!ignoreToJSON) {
     Napi::Value toJSON = arr.Get("toJSON");
     if (toJSON.IsFunction()) {
-      return to_ddwaf_object(object, env, toJSON.As<Napi::Function>().Call(arr, {}), depth, lim, true, stack);
+      return to_ddwaf_object(object, env, toJSON.As<Napi::Function>().Call(arr, {}), depth, lim, true, stack, metrics);
     }
   }
 
@@ -53,12 +56,16 @@ ddwaf_object* to_ddwaf_object_array(
   // TODO(@vdeturckheim): handle arrays with
   // more than DDWAF_MAX_CONTAINER_SIZE chars
   if (lim && len > DDWAF_MAX_CONTAINER_SIZE) {
+    if (metrics) {
+      metrics->max_truncated_container_size = std::max(metrics->max_truncated_container_size,
+                                                       static_cast<size_t>(len));
+    }
     len = DDWAF_MAX_CONTAINER_SIZE;
   }
   for (uint32_t i = 0; i < len; ++i) {
     Napi::Value item  = arr.Get(i);
     ddwaf_object val;
-    to_ddwaf_object(&val, env, item, depth, lim, false, stack);
+    to_ddwaf_object(&val, env, item, depth, lim, false, stack, metrics);
     if (!ddwaf_object_array_add(object, &val)) {
       mlog("add to array failed, freeing");
       ddwaf_object_free(&val);
@@ -75,18 +82,23 @@ ddwaf_object* to_ddwaf_object_object(
   int depth,
   bool lim,
   bool ignoreToJSON,
-  JsSet stack
+  JsSet stack,
+  WAFTruncationMetrics* metrics
 ) {
   if (!ignoreToJSON) {
     Napi::Value toJSON = obj.Get("toJSON");
     if (toJSON.IsFunction()) {
-      return to_ddwaf_object(object, env, toJSON.As<Napi::Function>().Call(obj, {}), depth, lim, true, stack);
+      return to_ddwaf_object(object, env, toJSON.As<Napi::Function>().Call(obj, {}), depth, lim, true, stack, metrics);
     }
   }
 
   Napi::Array properties = obj.GetPropertyNames();
   uint32_t len = properties.Length();
   if (lim && len > DDWAF_MAX_CONTAINER_SIZE) {
+    if (metrics) {
+      metrics->max_truncated_container_size = std::max(metrics->max_truncated_container_size,
+                                                       static_cast<size_t>(len));
+    }
     len = DDWAF_MAX_CONTAINER_SIZE;
   }
   if (env.IsExceptionPending()) {
@@ -112,7 +124,7 @@ ddwaf_object* to_ddwaf_object_object(
     Napi::Value valV = obj.Get(keyV);
     mlog("Looping into ToPWArgs");
     ddwaf_object val;
-    to_ddwaf_object(&val, env, valV, depth, lim, false, stack);
+    to_ddwaf_object(&val, env, valV, depth, lim, false, stack, metrics);
     if (!ddwaf_object_map_add(map, key.c_str(), &val)) {
       mlog("add to object failed, freeing");
       ddwaf_object_free(&val);
@@ -122,10 +134,19 @@ ddwaf_object* to_ddwaf_object_object(
   return object;
 }
 
-ddwaf_object* to_ddwaf_string(ddwaf_object *object, Napi::Value val, bool lim) {
+ddwaf_object* to_ddwaf_string(
+  ddwaf_object *object,
+  Napi::Value val,
+  bool lim,
+  WAFTruncationMetrics* metrics
+) {
   std::string str = val.ToString().Utf8Value();
   int len = str.length();
   if (lim && len > DDWAF_MAX_STRING_LENGTH) {
+    if (metrics) {
+      metrics->max_truncated_string_length = std::max(metrics->max_truncated_string_length,
+                                                      static_cast<size_t>(len));
+    }
     len = DDWAF_MAX_STRING_LENGTH;
   }
   return ddwaf_object_stringl(object, str.c_str(), len);
@@ -138,11 +159,16 @@ ddwaf_object* to_ddwaf_object(
   int depth,
   bool lim,
   bool ignoreToJson,
-  JsSet stack
+  JsSet stack,
+  WAFTruncationMetrics* metrics
 ) {
   mlog("starting to convert an object");
   if (depth >= DDWAF_MAX_CONTAINER_DEPTH) {
     mlog("Max depth reached");
+    if (metrics) {
+      metrics->max_truncated_container_depth = std::max(metrics->max_truncated_container_depth,
+                                                        static_cast<size_t>(depth));
+    }
     return ddwaf_object_map(object);
   }
   if (val.IsNull()) {
@@ -151,7 +177,7 @@ ddwaf_object* to_ddwaf_object(
   }
   if (val.IsString()) {
     mlog("creating String");
-    return to_ddwaf_string(object, val, lim);
+    return to_ddwaf_string(object, val, lim, metrics);
   }
   if (val.IsNumber()) {
     mlog("creating Number");
@@ -190,32 +216,22 @@ ddwaf_object* to_ddwaf_object(
     stack.Add(val);
     mlog("creating Array");
     auto result =
-      to_ddwaf_object_array(object, env, val.ToObject().As<Napi::Array>(), depth + 1, lim, ignoreToJson, stack);
+      to_ddwaf_object_array(object, env, val.ToObject().As<Napi::Array>(), depth + 1, lim, ignoreToJson, stack,
+                            metrics);
     stack.Delete(val);
     return result;
   }
   if (val.IsObject()) {
     stack.Add(val);
     mlog("creating Object");
-    auto result = to_ddwaf_object_object(object, env, val.ToObject(), depth + 1, lim, ignoreToJson, stack);
+    auto result = to_ddwaf_object_object(object, env, val.ToObject(), depth + 1, lim, ignoreToJson, stack, metrics);
     stack.Delete(val);
     return result;
   }
   mlog("creating invalid object");
   return ddwaf_object_invalid(object);
 }
 
-ddwaf_object* to_ddwaf_object(
-  ddwaf_object *object,
-  Napi::Env env,
-  Napi::Value val,
-  int depth,
-  bool lim,
-  bool ignoreToJson
-) {
-  return to_ddwaf_object(object, env, val, depth, lim, ignoreToJson, JsSet::Create(env));
-}
-
 Napi::Value from_ddwaf_object(ddwaf_object *object, Napi::Env env) {
   DDWAF_OBJ_TYPE type = object->type;
 

src/convert.h

@@ -7,14 +7,18 @@
 
 #include <napi.h>
 #include <ddwaf.h>
+#include "src/jsset.h"
+#include "src/metrics.h"
 
 ddwaf_object* to_ddwaf_object(
   ddwaf_object *object,
   Napi::Env env,
   Napi::Value val,
   int depth,
   bool lim,
-  bool ignoreToJson = false
+  bool ignoreToJson,
+  JsSet stack,
+  WAFTruncationMetrics *metrics
 );
 
 Napi::Value from_ddwaf_object(ddwaf_object *object, Napi::Env env);

src/main.cpp

@@ -93,7 +93,7 @@ DDWAF::DDWAF(const Napi::CallbackInfo& info) : Napi::ObjectWrap<DDWAF>(info) {
 
   ddwaf_object rules;
   mlog("building rules");
-  to_ddwaf_object(&rules, env, info[0], 0, false);
+  to_ddwaf_object(&rules, env, info[0], 0, false, false, JsSet::Create(env), nullptr);
 
   ddwaf_object diagnostics;
 
@@ -153,7 +153,7 @@ void DDWAF::update(const Napi::CallbackInfo& info) {
 
   ddwaf_object update;
   mlog("building rules update");
-  to_ddwaf_object(&update, env, info[0], 0, false);
+  to_ddwaf_object(&update, env, info[0], 0, false, false, JsSet::Create(env), nullptr);
 
   ddwaf_object diagnostics;
 
@@ -299,17 +299,18 @@ Napi::Value DDWAFContext::run(const Napi::CallbackInfo& info) {
   }
 
   ddwaf_object *ddwafPersistent = nullptr;
+  this->_metrics = {};
 
   if (persistent.IsObject()) {
     ddwafPersistent = static_cast<ddwaf_object *>(alloca(sizeof(ddwaf_object)));
-    to_ddwaf_object(ddwafPersistent, env, persistent, 0, true);
+    to_ddwaf_object(ddwafPersistent, env, persistent, 0, true, false, JsSet::Create(env), &this->_metrics);
   }
 
   ddwaf_object *ddwafEphemeral = nullptr;
 
   if (ephemeral.IsObject()) {
     ddwafEphemeral = static_cast<ddwaf_object *>(alloca(sizeof(ddwaf_object)));
-    to_ddwaf_object(ddwafEphemeral, env, ephemeral, 0, true);
+    to_ddwaf_object(ddwafEphemeral, env, ephemeral, 0, true, false, JsSet::Create(env), &this->_metrics);
   }
 
   ddwaf_result result;
@@ -321,24 +322,39 @@ Napi::Value DDWAFContext::run(const Napi::CallbackInfo& info) {
     &result,
     static_cast<uint64_t>(timeout));
 
+  Napi::Object res = Napi::Object::New(env);
+  Napi::Object metrics = Napi::Object::New(env);
+
+  res.Set("metrics", metrics);
+
+  if (this->_metrics.max_truncated_string_length > 0) {
+    metrics.Set("maxTruncatedString",
+                Napi::Number::New(env, this->_metrics.max_truncated_string_length));
+  }
+
+  if (this->_metrics.max_truncated_container_size > 0) {
+    metrics.Set("maxTruncatedContainerSize",
+                Napi::Number::New(env, this->_metrics.max_truncated_container_size));
+  }
+
+  if (this->_metrics.max_truncated_container_depth > 0) {
+    metrics.Set("maxTruncatedContainerDepth",
+                Napi::Number::New(env, this->_metrics.max_truncated_container_depth));
+  }
+
+  // Report if there is an error first
   switch (code) {
     case DDWAF_ERR_INTERNAL:
-      Napi::Error::New(env, "Internal error").ThrowAsJavaScriptException();
-      ddwaf_result_free(&result);
-      return env.Null();
     case DDWAF_ERR_INVALID_OBJECT:
-      Napi::Error::New(env, "Invalid ddwaf object").ThrowAsJavaScriptException();
-      ddwaf_result_free(&result);
-      return env.Null();
     case DDWAF_ERR_INVALID_ARGUMENT:
-      Napi::Error::New(env, "Invalid arguments").ThrowAsJavaScriptException();
+      res.Set("errorCode", Napi::Number::New(env, code));
       ddwaf_result_free(&result);
-      return env.Null();
+      return res;
     default:
       break;
   }
   // there is no error. We need to collect perf data
-  Napi::Object res = Napi::Object::New(env);
+
   mlog("Set timeout");
   res.Set("timeout", Napi::Boolean::New(env, result.timeout));
 

src/main.h

@@ -6,6 +6,7 @@
 #define SRC_MAIN_H_
 #include <napi.h>
 #include <ddwaf.h>
+#include "src/metrics.h"
 
 // TODO(@vdeturckheim): logs with ddwaf_set_log_cb
 // TODO(@vdeturckheim): fix issue when used with workers
@@ -54,5 +55,6 @@ class DDWAFContext : public Napi::ObjectWrap<DDWAFContext> {
  private:
     bool _disposed;
     ddwaf_context _context;
+    WAFTruncationMetrics _metrics;
 };
 #endif  // SRC_MAIN_H_

src/metrics.h

@@ -0,0 +1,17 @@
+/**
+* Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+* This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
+**/
+
+#ifndef SRC_METRICS_H_
+#define SRC_METRICS_H_
+
+#include <napi.h>
+
+struct WAFTruncationMetrics {
+  size_t max_truncated_string_length = 0;
+  size_t max_truncated_container_size = 0;
+  size_t max_truncated_container_depth = 0;
+};
+
+#endif  // SRC_METRICS_H_