v0.12.1

Fixes:

- (d81222d) Add missing request parameters when both JSON values and form values
  were present - only the form values were taken into account.

- (ee22b77) Upgrade to libsqreen v0.7.0:
    - Fix false positives in libinjection SQL heuristics.
    - Fix a false positive in libinjection XSS heuristics.
    - Add support for boolean values.
    - Add support for float values.
    - Fix memory deallocator of scalar values.

- (c425760) Fix data bindings with null values.

Internal Changes:

- (eeb1dca) Avoid copying the metadata returned by the In-App WAF.

Author: Julio Guerra

CHANGELOG.md

@@ -1,3 +1,24 @@
+# v0.12.1
+
+## Fixes
+
+- (d81222d) Add missing request parameters when both JSON values and form values
+  were present - only the form values were taken into account.
+
+- (ee22b77) Upgrade to libsqreen v0.7.0:
+    - Fix false positives in libinjection SQL heuristics.
+    - Fix a false positive in libinjection XSS heuristics.
+    - Add support for boolean values.
+    - Add support for float values.
+    - Fix memory deallocator of scalar values.
+
+- (c425760) Fix data bindings with null values.
+
+## Internal Changes
+
+- (eeb1dca) Avoid copying the metadata returned by the In-App WAF.
+
+
 # v0.12.0
 
 ## New Features

go.mod

@@ -28,7 +28,7 @@ require (
 	github.com/spf13/cast v1.3.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.3.2
-	github.com/sqreen/go-libsqreen v0.6.1
+	github.com/sqreen/go-libsqreen v0.7.0
 	github.com/sqreen/go-sdk/signal v1.0.0
 	github.com/stretchr/testify v1.5.1
 	golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 // indirect

go.sum

@@ -103,6 +103,8 @@ github.com/spf13/viper v1.3.2 h1:VUFqw5KcqRf7i70GOzW7N+Q7+gxVBkSSqiXB12+JQ4M=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/sqreen/go-libsqreen v0.6.1 h1:+SHH3h8qHhINEzgRVqTZ40YxqwDjSVxU5r4isUeg+C8=
 github.com/sqreen/go-libsqreen v0.6.1/go.mod h1:D324eoKlZGfW+TF3WGg+2fUtpdrI+cEK5UYwpxfaeUc=
+github.com/sqreen/go-libsqreen v0.7.0 h1:MRX/KB5lX3O6ucvmTUap6iSDt27bM+76MQpuDNjL+1o=
+github.com/sqreen/go-libsqreen v0.7.0/go.mod h1:D324eoKlZGfW+TF3WGg+2fUtpdrI+cEK5UYwpxfaeUc=
 github.com/sqreen/go-sdk/signal v1.0.0 h1:WNjufvcjKYOgSZHPCwqG0Od5eVAD8wxwmiIe6ZCqoNE=
 github.com/sqreen/go-sdk/signal v1.0.0/go.mod h1:UksuO4mxxDMFw3el+R9mW9tmCgdc94WiDcGuCXU/pwU=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

internal/backend/api/api.go

@@ -400,7 +400,7 @@ type RequestRecord_Observed_Attack struct {
 }
 
 type WAFAttackInfo struct {
-	WAFData string `json:"waf_data"`
+	WAFData json.RawMessage `json:"waf_data"`
 }
 
 type WAFInfoFilter struct {
@@ -456,7 +456,7 @@ func (i *WAFAttackInfo) Scrub(scrubber *sqsanitize.Scrubber, info sqsanitize.Inf
 	if err != nil {
 		return false, err
 	}
-	i.WAFData = string(buf)
+	i.WAFData = buf
 	return scrubbed, nil
 }
 

internal/backend/api/json_test.go

@@ -162,7 +162,7 @@ func TestCustomScrubber(t *testing.T) {
 		}
 		buf, err := json.Marshal(&winfo)
 		require.NoError(t, err)
-		winfoJSONStr := string(buf)
+		winfoJSON := buf
 
 		rr := &api.RequestRecord{
 			Request: api.RequestRecord_Request{
@@ -176,7 +176,7 @@ func TestCustomScrubber(t *testing.T) {
 			Observed: api.RequestRecord_Observed{
 				Attacks: []*api.RequestRecord_Observed_Attack{
 					{
-						Info: api.WAFAttackInfo{WAFData: winfoJSONStr},
+						Info: api.WAFAttackInfo{WAFData: winfoJSON},
 					},
 				},
 			},

internal/binding-accessor/binding-accessor_test.go

@@ -286,6 +286,17 @@ func TestBindingAccessor(t *testing.T) {
 			},
 			ExpectedValue: "Sqreen",
 		},
+		{
+			Title:      "flat values transformation",
+			Expression: "# | flat_values",
+			Context: []interface{}{
+				map[string]interface{}{
+					"k1": "hello",
+				},
+				nil,
+			},
+			ExpectedValue: FlattenedResult{"hello"},
+		},
 		{
 			Title:      "flat values transformation",
 			Expression: "# | flat_values",
@@ -336,6 +347,18 @@ func TestBindingAccessor(t *testing.T) {
 			},
 			ExpectedValue: FlattenedResult{"A", "B", "C", "D", "E", "One", 2, "Three"},
 		},
+		{
+			Title:      "flat keys transformation",
+			Expression: "# | flat_keys",
+			Context: []interface{}{
+				map[*string]interface{}{
+					new(string): "hello",
+					nil:         "hello nil",
+				},
+				nil,
+			},
+			ExpectedValue: FlattenedResult{new(string), (*string)(nil)},
+		},
 		{
 			Title:      "field value transformation",
 			Expression: "#.B | flat_values",

internal/binding-accessor/exec.go

@@ -208,6 +208,9 @@ func flatValues(v reflect.Value, depth int, elements *int) (values []interface{}
 		return flatValues(v.Elem(), depth, elements)
 
 	default:
+		if !v.IsValid() || !v.CanInterface() {
+			break
+		}
 		*elements -= 1
 		values = []interface{}{v.Interface()}
 	}

internal/protection/http/bindingaccessor.go

@@ -65,7 +65,7 @@ func (r *RequestBindingAccessorContext) FilteredParams() RequestParamMap {
 		return params
 	}
 
-	res := make(types.RequestParamMap, len(form)+len(params))
+	res := make(types.RequestParamMap, 1+len(params))
 	res.Add("Form", form)
 	for k, v := range params {
 		res.Add(k, v)

internal/protection/http/http.go

@@ -93,14 +93,19 @@ func (r *requestReader) Params() types.RequestParamMap {
 	params := r.RequestReader.Params()
 	if len(params) == 0 {
 		return r.requestParams
-	} else if len(r.requestParams) == 0 {
+	}
+
+	if len(r.requestParams) == 0 {
 		return params
 	}
 
 	res := make(types.RequestParamMap, len(params)+len(r.requestParams))
 	for n, v := range params {
 		res[n] = v
 	}
+	for n, v := range r.requestParams {
+		res[n] = v
+	}
 	return res
 }
 

internal/rule/callback/waf.go

@@ -140,7 +140,7 @@ func runWAF(ctx *httpprotection.RequestContext, bindingAccessors map[string]bind
 		return false, nil
 	}
 
-	attackInfo := api.WAFAttackInfo{WAFData: string(info)}
+	attackInfo := api.WAFAttackInfo{WAFData: info}
 	blocked = false
 
 	if blockingMode && action == waftypes.BlockAction {