Upgrade libddwaf java to 14.0.0

Author: sezen-datadog

dd-java-agent/appsec/build.gradle

@@ -15,7 +15,7 @@ dependencies {
   implementation project(':internal-api')
   implementation project(':communication')
   implementation project(':telemetry')
-  implementation group: 'io.sqreen', name: 'libsqreen', version: '13.0.1'
+  implementation group: 'io.sqreen', name: 'libsqreen', version: '14.0.0'
   implementation libs.moshi
 
   testImplementation libs.bytebuddy

dd-java-agent/appsec/src/jmh/java/datadog/appsec/benchmark/WafBenchmark.java

@@ -7,8 +7,8 @@
 import com.datadog.appsec.config.AppSecConfigDeserializer;
 import com.datadog.appsec.event.data.KnownAddresses;
 import com.datadog.ddwaf.Waf;
+import com.datadog.ddwaf.WafBuilder;
 import com.datadog.ddwaf.WafContext;
-import com.datadog.ddwaf.WafHandle;
 import com.datadog.ddwaf.WafMetrics;
 import com.datadog.ddwaf.exception.AbstractWafException;
 import java.io.IOException;
@@ -44,14 +44,14 @@ public class WafBenchmark {
     BenchmarkUtil.initializeWaf();
   }
 
-  WafHandle ctx;
+  WafBuilder wafBuilder;
   Map<String, Object> wafData = new HashMap<>();
   Waf.Limits limits = new Waf.Limits(50, 500, 1000, 5000000, 5000000);
 
   @Benchmark
   public void withMetrics() throws Exception {
-    WafMetrics metricsCollector = ctx.createMetrics();
-    WafContext add = ctx.openContext();
+    WafMetrics metricsCollector = new WafMetrics();
+    WafContext add = new WafContext(wafBuilder);
     try {
       add.run(wafData, limits, metricsCollector);
     } finally {
@@ -61,7 +61,7 @@ public void withMetrics() throws Exception {
 
   @Benchmark
   public void withoutMetrics() throws Exception {
-    WafContext add = ctx.openContext();
+    WafContext add = new WafContext(wafBuilder);
     try {
       add.run(wafData, limits, null);
     } finally {
@@ -75,7 +75,8 @@ public void setUp() throws AbstractWafException, IOException {
     Map<String, AppSecConfig> cfg =
         Collections.singletonMap("waf", AppSecConfigDeserializer.INSTANCE.deserialize(stream));
     AppSecConfig waf = cfg.get("waf");
-    ctx = Waf.createHandle("waf", waf.getRawConfig());
+    wafBuilder = new WafBuilder();
+    wafBuilder.addOrUpdateConfig("waf", waf.getRawConfig());
 
     wafData.put(KnownAddresses.REQUEST_METHOD.getKey(), "POST");
     wafData.put(
@@ -112,6 +113,8 @@ public void setUp() throws AbstractWafException, IOException {
 
   @TearDown(Level.Trial)
   public void teardown() {
-    ctx.close();
+    if (wafBuilder != null && !wafBuilder.isOnline()) {
+      wafBuilder.destroy();
+    }
   }
 }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecModule.java

@@ -3,10 +3,12 @@
 import com.datadog.appsec.config.AppSecModuleConfigurer;
 import com.datadog.appsec.event.DataListener;
 import com.datadog.appsec.event.data.Address;
+import com.datadog.ddwaf.WafBuilder;
 import java.util.Collection;
 
 public interface AppSecModule {
-  void config(AppSecModuleConfigurer appSecConfigService) throws AppSecModuleActivationException;
+  void config(AppSecModuleConfigurer appSecConfigService, WafBuilder wafBuilder)
+      throws AppSecModuleActivationException;
 
   String getName();
 

dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java

@@ -7,11 +7,14 @@
 import com.datadog.appsec.config.AppSecConfigService;
 import com.datadog.appsec.config.AppSecConfigServiceImpl;
 import com.datadog.appsec.ddwaf.WAFModule;
+import com.datadog.appsec.ddwaf.WafInitialization;
 import com.datadog.appsec.event.EventDispatcher;
 import com.datadog.appsec.event.ReplaceableEventProducerService;
 import com.datadog.appsec.gateway.GatewayBridge;
 import com.datadog.appsec.util.AbortStartupException;
 import com.datadog.appsec.util.StandardizedLogging;
+import com.datadog.ddwaf.WafBuilder;
+import com.datadog.ddwaf.WafConfig;
 import datadog.appsec.api.blocking.Blocking;
 import datadog.appsec.api.blocking.BlockingService;
 import datadog.communication.ddagent.SharedCommunicationObjects;
@@ -43,6 +46,7 @@ public class AppSecSystem {
   private static ReplaceableEventProducerService REPLACEABLE_EVENT_PRODUCER; // testing
   private static Runnable STOP_SUBSCRIPTION_SERVICE;
   private static Runnable RESET_SUBSCRIPTION_SERVICE;
+  private static WafBuilder wafBuilder;
 
   public static void start(SubscriptionService gw, SharedCommunicationObjects sco) {
     try {
@@ -64,7 +68,10 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
       return;
     }
     log.debug("AppSec is starting ({})", appSecEnabledConfig);
-
+    if (!WafInitialization.ONLINE) {
+      log.debug("In-app WAF initialization failed. See previous log entries");
+      return;
+    }
     REPLACEABLE_EVENT_PRODUCER = new ReplaceableEventProducerService();
     EventDispatcher eventDispatcher = new EventDispatcher();
     REPLACEABLE_EVENT_PRODUCER.replaceEventProducerService(eventDispatcher);
@@ -86,7 +93,8 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
     APP_SEC_CONFIG_SERVICE =
         new AppSecConfigServiceImpl(
             config, configurationPoller, () -> reloadSubscriptions(REPLACEABLE_EVENT_PRODUCER));
-    APP_SEC_CONFIG_SERVICE.init();
+    wafBuilder = new WafBuilder(createWafConfig(config));
+    APP_SEC_CONFIG_SERVICE.init(wafBuilder);
 
     sco.createRemaining(config);
 
@@ -105,7 +113,7 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
 
     setActive(appSecEnabledConfig == ProductActivation.FULLY_ENABLED);
 
-    APP_SEC_CONFIG_SERVICE.maybeSubscribeConfigPolling();
+    APP_SEC_CONFIG_SERVICE.maybeSubscribeConfigPolling(wafBuilder);
 
     Blocking.setBlockingService(new BlockingServiceImpl(REPLACEABLE_EVENT_PRODUCER));
 
@@ -143,8 +151,8 @@ public static void stop() {
       RESET_SUBSCRIPTION_SERVICE = null;
     }
     Blocking.setBlockingService(BlockingService.NOOP);
-
     APP_SEC_CONFIG_SERVICE.close();
+    wafBuilder.destroy();
   }
 
   private static void loadModules(EventDispatcher eventDispatcher, Monitoring monitoring) {
@@ -155,9 +163,9 @@ private static void loadModules(EventDispatcher eventDispatcher, Monitoring moni
     for (AppSecModule module : modules) {
       log.debug("Starting appsec module {}", module.getName());
       try {
-        AppSecConfigService.TransactionalAppSecModuleConfigurer cfgObject;
-        cfgObject = APP_SEC_CONFIG_SERVICE.createAppSecModuleConfigurer();
-        module.config(cfgObject);
+        AppSecConfigService.TransactionalAppSecModuleConfigurer cfgObject =
+            APP_SEC_CONFIG_SERVICE.createAppSecModuleConfigurer();
+        module.config(cfgObject, wafBuilder);
         cfgObject.commit();
       } catch (RuntimeException | AppSecModule.AppSecModuleActivationException t) {
         log.error("Startup of appsec module {} failed", module.getName(), t);
@@ -209,4 +217,21 @@ public static Set<String> getStartedModulesInfo() {
       return Collections.emptySet();
     }
   }
+
+  private static WafConfig createWafConfig(Config config) {
+    WafConfig wafConfig = new WafConfig();
+    String keyRegexp = config.getAppSecObfuscationParameterKeyRegexp();
+    if (keyRegexp != null) {
+      wafConfig.obfuscatorKeyRegex = keyRegexp;
+    } else { // reset
+      wafConfig.obfuscatorKeyRegex = WafConfig.DEFAULT_KEY_REGEX;
+    }
+    String valueRegexp = config.getAppSecObfuscationParameterValueRegexp();
+    if (valueRegexp != null) {
+      wafConfig.obfuscatorValueRegex = valueRegexp;
+    } else { // reset
+      wafConfig.obfuscatorValueRegex = WafConfig.DEFAULT_VALUE_REGEX;
+    }
+    return wafConfig;
+  }
 }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigService.java

@@ -1,12 +1,13 @@
 package com.datadog.appsec.config;
 
+import com.datadog.ddwaf.WafBuilder;
 import java.io.Closeable;
 
 public interface AppSecConfigService extends Closeable {
-  void init();
-
   void close();
 
+  void init(WafBuilder wafBuilder);
+
   TransactionalAppSecModuleConfigurer createAppSecModuleConfigurer();
 
   interface TransactionalAppSecModuleConfigurer extends AppSecModuleConfigurer {