Waf upgrade to 1.28.0

Signed-off-by: sezen.leblay <[email protected]>

Author: sezen-datadog

dd-java-agent/appsec/build.gradle

@@ -15,7 +15,7 @@ dependencies {
   implementation project(':internal-api')
   implementation project(':communication')
   implementation project(':telemetry')
-  implementation group: 'io.sqreen', name: 'libsqreen', version: '15.0.1'
+  implementation group: 'io.sqreen', name: 'libsqreen', version: '17.0.0'
   implementation libs.moshi
 
   testImplementation libs.bytebuddy

dd-java-agent/appsec/src/main/java/com/datadog/appsec/ddwaf/WAFModule.java

@@ -52,7 +52,6 @@
 import java.lang.reflect.UndeclaredThrowableException;
 import java.util.Collection;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
@@ -80,8 +79,6 @@ public class WAFModule implements AppSecModule {
 
   private static final JsonAdapter<List<WAFResultData>> RES_JSON_ADAPTER;
 
-  private static final Map<String, ActionInfo> DEFAULT_ACTIONS;
-
   private static final String EXPLOIT_DETECTED_MSG = "Exploit detected";
   private boolean init = true;
   private String rulesetVersion;
@@ -117,12 +114,6 @@ private CtxAndAddresses(Collection<Address<?>> addressesOfInterest, WafHandle ct
     Moshi moshi = new Moshi.Builder().build();
     RES_JSON_ADAPTER = moshi.adapter(Types.newParameterizedType(List.class, WAFResultData.class));
 
-    Map<String, Object> actionParams = new HashMap<>();
-    actionParams.put("status_code", 403);
-    actionParams.put("type", "auto");
-    actionParams.put("grpc_status_code", 10);
-    DEFAULT_ACTIONS =
-        Collections.singletonMap("block", new ActionInfo("block_request", actionParams));
     createLimitsObject();
   }
 

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/ddwaf/WAFModuleSpecification.groovy

@@ -1,5 +1,6 @@
 package com.datadog.appsec.ddwaf
 
+import com.datadog.appsec.AppSecModule.AppSecModuleActivationException
 import com.datadog.appsec.AppSecSystem
 import com.datadog.appsec.config.AppSecConfigService
 import com.datadog.appsec.config.AppSecConfigServiceImpl
@@ -147,10 +148,42 @@ class WAFModuleSpecification extends DDSpecification {
       listener.remove(config, null)
       return
     }
-    def json = ADAPTER.toJson(map)
+    // Convert Double values to Long for status codes
+    def convertedMap = convertDoublesToLongs(map)
+    def json = ADAPTER.toJson(convertedMap)
     listener.accept(config, json.getBytes(), null)
   }
 
+  private static Map<String, Object> convertDoublesToLongs(Map<String, Object> map) {
+    def result = [:]
+    map.each { key, value ->
+      if (value instanceof Map) {
+        result[key] = convertDoublesToLongs(value as Map<String, Object>)
+      } else if (value instanceof List) {
+        result[key] = convertDoublesToLongs(value as List)
+      } else if (value instanceof Double && ((Double) value).longValue() == ((Double) value).doubleValue()) {
+        // Convert whole number doubles to longs
+        result[key] = ((Double) value).longValue()
+      } else {
+        result[key] = value
+      }
+    }
+    return result
+  }
+
+  private static List convertDoublesToLongs(List list) {
+    return list.collect { item ->
+      if (item instanceof Map) {
+        return convertDoublesToLongs(item as Map<String, Object>)
+      } else if (item instanceof List) {
+        return convertDoublesToLongs(item as List)
+      } else if (item instanceof Double && ((Double) item).longValue() == ((Double) item).doubleValue()) {
+        return ((Double) item).longValue()
+      }
+      return item
+    }
+  }
+
   void 'override on_match through reconfiguration'() {
     ChangeableFlow flow = Mock()
 
@@ -1309,8 +1342,9 @@ class WAFModuleSpecification extends DDSpecification {
     initialRuleAddWithMap(waf)
 
     then:
-    thrown RuntimeException
+    thrown AppSecModuleActivationException
     wafModule.dataSubscriptions.empty
+    1 * wafMetricCollector.wafInit(Waf.LIB_VERSION, _, false)
     0 * _
   }
 
@@ -1321,8 +1355,10 @@ class WAFModuleSpecification extends DDSpecification {
     initialRuleAddWithMap(waf)
 
     then:
-    thrown RuntimeException
+    thrown AppSecModuleActivationException
     wafModule.ctxAndAddresses.get() == null
+    // WAF initialization is attempted but fails, so wafInit is called with success=false
+    1 * wafMetricCollector.wafInit(Waf.LIB_VERSION, _, false)
     0 * _
   }
 

internal-api/src/main/java/datadog/trace/api/gateway/Flow.java

@@ -28,7 +28,7 @@ public boolean isBlocking() {
     }
 
     class RequestBlockingAction implements Action {
-      private final int statusCode;
+      private final long statusCode;
       private final BlockingContentType blockingContentType;
       private final Map<String, String> extraHeaders;
 
@@ -56,7 +56,7 @@ public boolean isBlocking() {
       }
 
       public int getStatusCode() {
-        return statusCode;
+        return Math.toIntExact(statusCode);
       }
 
       public BlockingContentType getBlockingContentType() {