fix(AAP): reverting usage of json helper function from libddwaf [backport 3.16] (#14886)

dd-octo-sts[bot] · christophe-papazian · web-flow · commit 792d4937b51b · 2025-10-16T12:15:07.000Z
Backport 8235d03 from #14876 to 3.16. ## Description Reverting usage of json helper function from libddwaf due to some possibly related memory corruption errors. This is a (only partial) revert of #14215 Also: - improve a test file to ensure the waf is creating a proper handle from this file. Co-authored-by: Christophe Papazian <114495376+christophe-papazian@users.noreply.github.com>
diff --git a/ddtrace/appsec/_ddwaf/waf.py b/ddtrace/appsec/_ddwaf/waf.py
@@ -59,9 +59,12 @@ def __init__(
             key_regex=obfuscation_parameter_key_regexp, value_regex=obfuscation_parameter_value_regexp
         )
         diagnostics = ddwaf_object()
-        ruleset_map_object = ddwaf_object.from_json_bytes(ruleset_json_str)
-        if not ruleset_map_object:
-            raise ValueError("Invalid ruleset provided to DDWaf constructor")
+        ruleset_map_object = None
+        try:
+            dct = json.loads(ruleset_json_str)
+        except Exception:
+            dct = {}
+        ruleset_map_object = ddwaf_object.create_without_limits(dct)
         self._builder = py_ddwaf_builder_init(config)
         py_add_or_update_config(self._builder, ASM_DD_DEFAULT, ruleset_map_object, diagnostics)
         self._handle = py_ddwaf_builder_build_instance(self._builder)
diff --git a/releasenotes/notes/tentative_fix_for_waf_builder_error-e3e15de63c5e1363.yaml b/releasenotes/notes/tentative_fix_for_waf_builder_error-e3e15de63c5e1363.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    AAP: This PR is a tentative fix for rare memory problems with libddwaf that we were unable to reproduce for now.
diff --git a/tests/appsec/appsec/rules-rasp-disabled.json b/tests/appsec/appsec/rules-rasp-disabled.json
@@ -250,6 +250,45 @@
       "on_match": [
         "stack_trace"
       ]
+    },
+    {
+      "id": "ua0-600-56x",
+      "name": "Datadog test scanner - blocking version: user-agent",
+      "tags": {
+        "type": "attack_tool",
+        "category": "attack_attempt",
+        "cwe": "200",
+        "capec": "1000/118/169",
+        "tool_name": "Datadog Canary Test",
+        "confidence": "1",
+        "module": "waf"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              },
+              {
+                "address": "grpc.server.request.metadata",
+                "key_path": [
+                  "dd-canary"
+                ]
+              }
+            ],
+            "regex": "^dd-test-scanner-log-block(?:$|/|\\s)"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "block"
+      ]
     }
   ]
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +fixes:
 +  - |
 +    AAP: This PR is a tentative fix for rare memory problems with libddwaf that we were unable to reproduce for now.