Upgrade libddwaf to 1.28.1 (#9543)

Signed-off-by: sezen.leblay <[email protected]>

Author: sezen-datadog

dd-java-agent/agent-jmxfetch/integrations-core

@@ -14,7 +14,7 @@ dependencies {
   implementation project(':internal-api')
   implementation project(':communication')
   implementation project(':telemetry')
-  implementation group: 'io.sqreen', name: 'libsqreen', version: '17.0.0'
+  implementation group: 'io.sqreen', name: 'libsqreen', version: '17.1.0'
   implementation libs.moshi
 
   testImplementation libs.bytebuddy

dd-java-agent/appsec/build.gradle

@@ -39,9 +39,8 @@
 import com.datadog.ddwaf.exception.InvalidRuleSetException;
 import com.datadog.ddwaf.exception.UnclassifiedWafException;
 import com.squareup.moshi.JsonAdapter;
-import com.squareup.moshi.JsonReader;
-import com.squareup.moshi.JsonWriter;
 import com.squareup.moshi.Moshi;
+import com.squareup.moshi.Types;
 import datadog.remoteconfig.ConfigurationEndListener;
 import datadog.remoteconfig.ConfigurationPoller;
 import datadog.remoteconfig.PollingRateHinter;
@@ -53,7 +52,6 @@
 import datadog.trace.api.ConfigOrigin;
 import datadog.trace.api.ProductActivation;
 import datadog.trace.api.UserIdCollectionMode;
-import datadog.trace.api.telemetry.LogCollector;
 import datadog.trace.api.telemetry.WafMetricCollector;
 import java.io.ByteArrayInputStream;
 import java.io.FileInputStream;
@@ -68,7 +66,6 @@
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.atomic.AtomicBoolean;
-import javax.annotation.Nullable;
 import okio.Okio;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -96,25 +93,10 @@ public class AppSecConfigServiceImpl implements AppSecConfigService {
       new WAFInitializationResultReporter();
   private final WAFStatsReporter statsReporter = new WAFStatsReporter();
 
-  private static final JsonAdapter<Object> ADAPTER =
+  private static final JsonAdapter<Map<String, Object>> ADAPTER =
       new Moshi.Builder()
-          .add(
-              Double.class,
-              new JsonAdapter<Number>() {
-                @Override
-                public Number fromJson(JsonReader reader) throws IOException {
-                  double value = reader.nextDouble();
-                  long longValue = (long) value;
-                  return value % 1 == 0 ? longValue : value;
-                }
-
-                @Override
-                public void toJson(JsonWriter writer, @Nullable Number value) throws IOException {
-                  throw new UnsupportedOperationException();
-                }
-              })
           .build()
-          .adapter(Object.class);
+          .adapter(Types.newParameterizedType(Map.class, String.class, Object.class));
 
   private boolean hasUserWafConfig;
   private boolean defaultConfigActivated;
@@ -309,7 +291,6 @@ private void handleWafUpdateResultReport(String configKey, Map<String, Object> r
       }
 
       // TODO: Send diagnostics via telemetry
-      final LogCollector telemetryLogger = LogCollector.get();
 
       initReporter.setReportForPublication(wafDiagnostics);
       if (wafDiagnostics.rulesetVersion != null
@@ -488,8 +469,7 @@ private static Map<String, Object> loadDefaultWafConfig() throws IOException {
         throw new IOException("Resource " + DEFAULT_CONFIG_LOCATION + " not found");
       }
 
-      Map<String, Object> ret =
-          (Map<String, Object>) ADAPTER.fromJson(Okio.buffer(Okio.source(is)));
+      Map<String, Object> ret = ADAPTER.fromJson(Okio.buffer(Okio.source(is)));
 
       StandardizedLogging._initialConfigSourceAndLibddwafVersion(log, "<bundled config>");
       if (log.isInfoEnabled()) {
@@ -506,8 +486,7 @@ private static Map<String, Object> loadUserWafConfig(Config tracerConfig) throws
       return null;
     }
     try (InputStream is = new FileInputStream(filename)) {
-      Map<String, Object> ret =
-          (Map<String, Object>) ADAPTER.fromJson(Okio.buffer(Okio.source(is)));
+      Map<String, Object> ret = ADAPTER.fromJson(Okio.buffer(Okio.source(is)));
 
       StandardizedLogging._initialConfigSourceAndLibddwafVersion(log, filename);
       if (log.isInfoEnabled()) {

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigServiceImpl.java

@@ -34,7 +34,6 @@
 import datadog.trace.api.ProductActivation;
 import datadog.trace.api.ProductTraceSource;
 import datadog.trace.api.gateway.Flow;
-import datadog.trace.api.sampling.PrioritySampling;
 import datadog.trace.api.telemetry.LogCollector;
 import datadog.trace.api.telemetry.WafMetricCollector;
 import datadog.trace.api.time.SystemTimeSource;
@@ -432,9 +431,6 @@ public void onDataAvailable(
         }
       }
 
-      reqCtx.setKeepType(
-          resultWithData.keep ? PrioritySampling.USER_KEEP : PrioritySampling.USER_DROP);
-
       if (resultWithData.attributes != null && !resultWithData.attributes.isEmpty()) {
         reqCtx.reportDerivatives(resultWithData.attributes);
       }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/ddwaf/WAFModule.java

@@ -13,7 +13,6 @@
 import datadog.trace.api.Config;
 import datadog.trace.api.http.StoredBodySupplier;
 import datadog.trace.api.internal.TraceSegment;
-import datadog.trace.api.sampling.PrioritySampling;
 import datadog.trace.util.stacktrace.StackTraceEvent;
 import java.io.Closeable;
 import java.util.*;
@@ -147,7 +146,6 @@ public class AppSecRequestContext implements DataBundle, Closeable {
 
   private volatile boolean keepOpenForApiSecurityPostProcessing;
   private volatile Long apiSecurityEndpointHash;
-  private volatile byte keepType = PrioritySampling.SAMPLER_KEEP;
 
   private static final AtomicIntegerFieldUpdater<AppSecRequestContext> WAF_TIMEOUTS_UPDATER =
       AtomicIntegerFieldUpdater.newUpdater(AppSecRequestContext.class, "wafTimeouts");
@@ -363,14 +361,6 @@ public Long getApiSecurityEndpointHash() {
     return this.apiSecurityEndpointHash;
   }
 
-  public void setKeepType(byte keepType) {
-    this.keepType = keepType;
-  }
-
-  public byte getKeepType() {
-    return this.keepType;
-  }
-
   void addRequestHeader(String name, String value) {
     if (finishedRequestHeaders) {
       throw new IllegalStateException("Request headers were said to be finished before");

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java

@@ -5,7 +5,6 @@
 import static com.datadog.appsec.gateway.AppSecRequestContext.DEFAULT_REQUEST_HEADERS_ALLOW_LIST;
 import static com.datadog.appsec.gateway.AppSecRequestContext.REQUEST_HEADERS_ALLOW_LIST;
 import static com.datadog.appsec.gateway.AppSecRequestContext.RESPONSE_HEADERS_ALLOW_LIST;
-import static datadog.trace.bootstrap.instrumentation.api.Tags.SAMPLING_PRIORITY;
 
 import com.datadog.appsec.AppSecSystem;
 import com.datadog.appsec.api.security.ApiSecuritySampler;
@@ -750,9 +749,6 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
 
       // If detected any events - mark span at appsec.event
       if (!collectedEvents.isEmpty()) {
-        // Set asm keep in case that root span was not available when events are detected
-        traceSeg.setTagTop(Tags.ASM_KEEP, true);
-        traceSeg.setTagTop(SAMPLING_PRIORITY, ctx.getKeepType());
         traceSeg.setTagTop(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM);
         traceSeg.setTagTop("appsec.event", true);
         traceSeg.setTagTop("network.client.ip", ctx.getPeerAddress());

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -40,6 +40,7 @@ import datadog.trace.api.Config
 import datadog.trace.api.ConfigDefaults
 import datadog.trace.api.gateway.Flow
 import datadog.trace.api.internal.TraceSegment
+import datadog.trace.api.sampling.PrioritySampling
 import datadog.trace.api.telemetry.RuleType
 import datadog.trace.api.telemetry.WafMetricCollector
 import datadog.trace.api.telemetry.WafMetricCollector.WafErrorCode as InternalWafErrorCode
@@ -1983,6 +1984,111 @@ class WAFModuleSpecification extends DDSpecification {
     !flow3.blocking
   }
 
+  void 'test trace tagging rule with attributes, no keep and event (dynamic value extraction)'() {
+    setup:
+    def rulesConfig = [
+      version: '2.1',
+      metadata: [
+        rules_version: '1.2.7'
+      ],
+      rules: [
+        [
+          id: 'arachni_rule',
+          name: 'Arachni',
+          tags: [
+            type: 'security_scanner',
+            category: 'attack_attempt'
+          ],
+          conditions: [
+            [
+              parameters: [
+                inputs: [
+                  [
+                    address: 'server.request.headers.no_cookies',
+                    key_path: ['user-agent']
+                  ]
+                ],
+                regex: '^Arachni\\/v'
+              ],
+              operator: 'match_regex'
+            ]
+          ],
+          transformers: [],
+          on_match: ['block']
+        ]
+      ],
+      rules_compat: [
+        [
+          id: 'ttr-000-004',
+          name: 'Trace Tagging Rule: Attributes, No Keep, Event',
+          tags: [
+            type: 'security_scanner',
+            category: 'attack_attempt'
+          ],
+          conditions: [
+            [
+              parameters: [
+                inputs: [
+                  [
+                    address: 'server.request.headers.no_cookies',
+                    key_path: ['user-agent']
+                  ]
+                ],
+                regex: '^TraceTagging\\/v4'
+              ],
+              operator: 'match_regex'
+            ]
+          ],
+          output: [
+            event: true,
+            keep: false,
+            attributes: [
+              '_dd.appsec.trace.integer': [
+                value: 1729
+              ],
+              '_dd.appsec.trace.agent': [
+                address: 'server.request.headers.no_cookies',
+                key_path: ['user-agent']
+              ]
+            ]
+          ],
+          on_match: []
+        ]
+      ]
+    ]
+
+    when:
+    initialRuleAddWithMap(rulesConfig)
+    wafModule.applyConfig(reconf)
+
+    then:
+    1 * wafMetricCollector.wafInit(Waf.LIB_VERSION, _, true)
+    1 * wafMetricCollector.wafUpdates(_, true)
+    1 * reconf.reloadSubscriptions()
+    0 * _
+
+    when: 'test trace tagging rule with attributes, no keep and event (dynamic value extraction)'
+    def bundle = MapDataBundle.of(KnownAddresses.HEADERS_NO_COOKIES,
+    new CaseInsensitiveMap<List<String>>(['user-agent': 'TraceTagging/v4']))
+    def flow = new ChangeableFlow()
+    dataListener.onDataAvailable(flow, ctx, bundle, gwCtx)
+    ctx.closeWafContext()
+
+    then:
+    1 * ctx.getOrCreateWafContext(_, true, false)
+    2 * ctx.getWafMetrics() >> metrics
+    1 * ctx.isWafContextClosed() >> false
+    1 * ctx.closeWafContext()
+    // Should report derivatives with dynamic value extraction - the user-agent value should be extracted
+    1 * ctx.reportDerivatives(['_dd.appsec.trace.agent':'TraceTagging/v4', '_dd.appsec.trace.integer': 1729])
+    1 * ctx.reportEvents(_ as Collection<AppSecEvent>)
+    1 * ctx.isThrottled(null)
+    // CRITICAL: Verify that setKeepType is called with USER_DROP when keep: false
+    1 * ctx.setKeepType(PrioritySampling.USER_DROP)
+    0 * ctx._(*_)
+    !flow.blocking // Should not block since keep: false
+  }
+
   private static class BadConfig implements Map<String, Object> {
     @Delegate
     private Map<String, Object> delegate

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/ddwaf/WAFModuleSpecification.groovy

@@ -154,6 +154,42 @@ class TraceTaggingSmokeTest extends AbstractAppSecServerSmokeTest {
             ]
           ],
           on_match: []
+        ],
+        [
+          id: 'ttr-000-004',
+          name: 'Trace Tagging Rule: Attributes, No Keep, Event',
+          tags: [
+            type: 'security_scanner',
+            category: 'attack_attempt'
+          ],
+          conditions: [
+            [
+              parameters: [
+                inputs: [
+                  [
+                    address: 'server.request.headers.no_cookies',
+                    key_path: ['user-agent']
+                  ]
+                ],
+                regex: '^TraceTagging\\/v4'
+              ],
+              operator: 'match_regex'
+            ]
+          ],
+          output: [
+            event: true,
+            keep: false,
+            attributes: [
+              '_dd.appsec.trace.integer': [
+                value: 1729
+              ],
+              '_dd.appsec.trace.agent': [
+                address: 'server.request.headers.no_cookies',
+                key_path: ['user-agent']
+              ]
+            ]
+          ],
+          on_match: []
         ]
       ]
     ]
@@ -265,4 +301,36 @@ class TraceTaggingSmokeTest extends AbstractAppSecServerSmokeTest {
     assert appsecJson.triggers != null, "Missing triggers in WAF attack event"
   }
 
+  def "test trace tagging rule with attributes, no keep and event"() {
+    when:
+    String url = "http://localhost:${httpPort}/greeting"
+    def request = new Request.Builder()
+      .url(url)
+      .addHeader("User-Agent", "TraceTagging/v4")
+      .build()
+    def response = client.newCall(request).execute()
+    def responseBodyStr = response.body().string()
+    waitForTraceCount(1)
+
+    then:
+    responseBodyStr == "Sup AppSec Dawg"
+    response.code() == 200
+    rootSpans.size() == 1
+
+    def rootSpan = rootSpans[0]
+    assert rootSpan.meta['_dd.appsec.trace.agent'] != null, "Missing _dd.appsec.trace.agent from span's meta"
+    assert rootSpan.metrics['_dd.appsec.trace.integer'] != null, "Missing _dd.appsec.trace.integer from span's metrics"
+
+    assert rootSpan.meta['_dd.appsec.trace.agent'].startsWith("TraceTagging/v4")
+    assert rootSpan.metrics['_dd.appsec.trace.integer'] == 1729
+
+    // Should NOT have USER_KEEP sampling priority since keep: false
+    assert rootSpan.metrics.get('_sampling_priority_v1') < 2, "Should not have USER_KEEP sampling priority when keep: false"
+
+    // Check for WAF attack event (should exist since event: true)
+    assert rootSpan.meta['_dd.appsec.json'] != null, "Missing WAF attack event"
+    def appsecJson = new JsonSlurper().parseText(rootSpan.meta['_dd.appsec.json'])
+    assert appsecJson.triggers != null, "Missing triggers in WAF attack event"
+  }
+
 }