chore(asm): handle any object passed to the waf as str (#5422)

1. Remove error for unknown objects passed to the WAF and quietly
transform them to str
2. Ensure the string limit is also enforced on bytes passed to the WAF

Those are minor improvements after a code review due to
#5415

## Checklist

- [x] Change(s) are motivated and described in the PR description.
- [x] Testing strategy is described if automated tests are not included
in the PR.
- [x] Risk is outlined (performance impact, potential for breakage,
maintainability, etc).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/contributing.html#Release-Note-Guidelines)
are followed.
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/)).
- [x] Author is aware of the performance implications of this PR as
reported in the benchmarks PR comment.

## Reviewer Checklist

- [x] Title is accurate.
- [x] No unnecessary changes are introduced.
- [x] Description motivates each change.
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes unless absolutely necessary.
- [x] Testing strategy adequately addresses listed risk(s).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] Release note makes sense to a user of the library.
- [x] Reviewer is aware of, and discussed the performance implications
of this PR as reported in the benchmarks PR comment.

---------

Co-authored-by: Federico Mon <[email protected]>

Author: christophe-papazian

ddtrace/appsec/ddwaf/ddwaf_types.py

@@ -125,7 +125,7 @@ def __init__(
         elif isinstance(struct, unicode):
             ddwaf_object_string(self, struct.encode("UTF-8", errors="ignore")[: max_string_length - 1])
         elif isinstance(struct, bytes):
-            ddwaf_object_string(self, struct)
+            ddwaf_object_string(self, struct[: max_string_length - 1])
         elif isinstance(struct, float):
             res = unicode(struct).encode("UTF-8", errors="ignore")[: max_string_length - 1]
             ddwaf_object_string(self, res)
@@ -159,10 +159,13 @@ def __init__(
                 )
                 if obj.type:  # discards invalid objects
                     ddwaf_object_map_add(map_o, res_key, obj)
+        elif struct is not None:
+            struct = str(struct)
+            if isinstance(struct, bytes):  # Python 2
+                ddwaf_object_string(self, struct[: max_string_length - 1])
+            else:  # Python 3
+                ddwaf_object_string(self, struct.encode("UTF-8", errors="ignore")[: max_string_length - 1])
         else:
-            if struct is not None:
-                log.debug("DDWAF object init called with unknown data structure: %s", repr(type(struct)))
-
             ddwaf_object_invalid(self)
 
     @classmethod

tests/appsec/test_ddwaf_fuzz.py

@@ -2,6 +2,7 @@
 
 from hypothesis import given
 from hypothesis import strategies as st
+import pytest
 
 from ddtrace.appsec.ddwaf.ddwaf_types import ddwaf_object
 
@@ -25,6 +26,53 @@ def test_ddwaf_objects_wrapper(obj, kwargs):
     del obj
 
 
+class _AnyObject:
+    cst = "1048A9B04F0EDC"
+
+    def __str__(self):
+        return self.cst
+
+
+@pytest.mark.parametrize(
+    "obj, res",
+    [
+        (32, "32"),
+        (True, True),
+        ("test", "test"),
+        (b"test", "test"),
+        (1.0, "1.0"),
+        ([1, 2], ["1", "2"]),
+        ({"test": "truc"}, {"test": "truc"}),
+        (None, None),
+        (_AnyObject(), _AnyObject.cst),
+    ],
+)
+def test_small_objects(obj, res):
+    dd_obj = ddwaf_object(obj)
+    assert dd_obj.struct == res
+
+
+@pytest.mark.parametrize(
+    "obj, res",
+    [
+        (324, "324"),  # integers are formatted into strings by libddwaf and are not truncated
+        (True, True),
+        ("toast", "to"),
+        (b"toast", "to"),
+        (1.034, "1."),
+        ([1, 2], ["1"]),
+        ({"toast": "touch", "tomato": "tommy"}, {"to": "to"}),
+        (None, None),
+        (_AnyObject(), _AnyObject.cst[:2]),
+        ([[[1, 2], 3], 4], [[]]),
+    ],
+)
+def test_limits(obj, res):
+    # truncation of max_string_length takes the last C null byte into account
+    dd_obj = ddwaf_object(obj, max_objects=1, max_depth=1, max_string_length=3)
+    assert dd_obj.struct == res
+
+
 if __name__ == "__main__":
     import atheris