wip

Author: sezen-datadog

dd-java-agent/appsec/src/main/java/com/datadog/appsec/ddwaf/WAFModule.java

@@ -251,7 +251,7 @@ private boolean initOrUpdateWafHandle(
       config.dirtyStatus.markAllDirty();
     }
     try {
-      wafHandle = wafBuilder.buildWafHandleInstance(wafHandle);
+      wafHandle = wafBuilder.buildWafHandleInstance(null);
     } catch (AbstractWafException e) {
       log.info("Could not initialize waf handle, no rules were added!", e);
       throw new AppSecModuleActivationException(
@@ -329,14 +329,6 @@ public void onDataAvailable(
         DataBundle newData,
         GatewayContext gwCtx) {
       Waf.ResultWithData resultWithData;
-      if (reqCtx.isWafContextClosed()) {
-        log.debug("Skipped; the WAF context is closed");
-        if (gwCtx.isRasp) {
-          WafMetricCollector.get().raspRuleSkipped(gwCtx.raspRuleType);
-        }
-        return;
-      }
-
       StandardizedLogging.executingWAF(log);
       long start = 0L;
       if (log.isDebugEnabled()) {
@@ -537,7 +529,6 @@ private StackTraceEvent createExploitStackTraceEvent(String stackId) {
     private Waf.ResultWithData doRunWaf(
         AppSecRequestContext reqCtx, DataBundle newData, GatewayContext gwCtx)
         throws AbstractWafException {
-      WafContext wafContext = reqCtx.getOrCreateWafContext(wafHandle, gwCtx.isRasp);
       WafMetrics metrics;
       if (gwCtx.isRasp) {
         metrics = reqCtx.getRaspMetrics();
@@ -547,9 +538,11 @@ private Waf.ResultWithData doRunWaf(
       }
 
       if (gwCtx.isTransient) {
-        return runWafTransient(wafContext, metrics, newData);
+        return runWafTransient(
+            reqCtx.getOrCreateWafContext(wafHandle, gwCtx.isRasp), metrics, newData);
       } else {
-        return runWafContext(wafContext, metrics, newData);
+        return runWafContext(
+            reqCtx.getOrCreateWafContext(wafHandle, gwCtx.isRasp), metrics, newData);
       }
     }
 

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java

@@ -114,7 +114,6 @@ public class AppSecRequestContext implements DataBundle, Closeable {
 
   // should be guarded by this
   private volatile WafContext wafContext;
-  private volatile boolean wafContextClosed;
   // set after wafContext is set
   private volatile WafMetrics wafMetrics;
   private volatile WafMetrics raspMetrics;
@@ -248,22 +247,24 @@ public WafContext getOrCreateWafContext(WafHandle wafHandle, boolean isRasp) {
     }
 
     WafContext curWafContext;
-    synchronized (this) {
-      curWafContext = new WafContext(wafHandle);
-      if (this.wafContext != null && !wafContextClosed) {
-        this.wafContext.close();
+    if (!isRasp || wafContext == null) {
+      synchronized (this) {
+        curWafContext = new WafContext(wafHandle);
+        if (this.wafContext != null && this.wafContext.isOnline()) {
+          this.wafContext.close();
+        }
+        this.wafContext = curWafContext;
+        return curWafContext;
       }
-      this.wafContext = curWafContext;
-      return curWafContext;
     }
+    return wafContext;
   }
 
   public void closeWafContext() {
-    if (wafContext != null) {
+    if (wafContext != null && wafContext.isOnline()) {
       synchronized (this) {
         if (wafContext != null) {
           try {
-            wafContextClosed = true;
             wafContext.close();
           } finally {
             wafContext = null;
@@ -554,7 +555,7 @@ public void close() {
     // flag needs to be
     // later reset by the API Security post-processor and close must be called again.
     if (!keepOpenForApiSecurityPostProcessing) {
-      if (wafContext != null) {
+      if (wafContext != null && wafContext.isOnline()) {
         log.debug(
             SEND_TELEMETRY, "WAF object had not been closed (probably missed request-end event)");
         closeWafContext();
@@ -667,7 +668,7 @@ public boolean isThrottled(RateLimiter rateLimiter) {
   }
 
   public boolean isWafContextClosed() {
-    return wafContextClosed;
+    return wafContext == null || !wafContext.isOnline();
   }
 
   /** Must be called during request end event processing. */