v1.22.0 (unstable)
This new version of `libddwaf` introduces an important new feature: module-based rule evaluation precedence. Rules are now evaluated in a specified order based on the module they belong to: the module sets the absolute precedence of the rules it contains, and a set of criteria determines the relative precedence of rules within the module.
Rules within a module are organised based on whether they are in blocking mode or monitoring mode, with the former always taking precedence over the latter. Two rules of the same mode are then ordered based on whether they belong to the base ruleset (Datadog-owned) or the custom ruleset (customer-owned), as some modules give precedence to one over the other.
The modules defined in this version, in their evaluation order, are the following:
- `network-acl`: specifically containing IP denylist rules. In this module, precedence is given to rules within the base ruleset over the custom ruleset. Additionally, this module does not adhere to the user-provided timeout, i.e. its denylist rules are always evaluated even once the timeout has been exhausted.
- `authentication-acl`: specifically containing user denylist rules. In this module, precedence is given to rules within the base ruleset over the custom ruleset. Additionally, this module does not adhere to the user-provided timeout.
- `custom-acl`: this module contains custom denylist rules, without restriction on the type of inputs targeted. As the name suggests, precedence is given to rules within the custom ruleset.
- `configuration`: this module contains rules for detecting misconfigurations and / or configuration restrictions, also giving precedence to rules within the custom ruleset.
- `business-logic`: containing rules used to identify and / or block business logic events, also giving precedence to rules within the custom ruleset.
- `rasp`: containing exclusively exploit prevention rules. To ensure the effectiveness of exploit prevention rules, this module gives precedence to rules within the base ruleset.
- `waf`: this module contains rules for detecting attacks based exclusively on the request inputs. Rules within this module are organised by rule type, in what are known as rule collections. This organisation is primarily used to ensure that only a single match of a given type is generated per context, but it also has a marginal impact on the rule evaluation order, as rules are clustered together by type as much as possible. In addition, precedence is given to rules within the custom ruleset rather than the base ruleset.
Note that while some modules have "lower" precedence, in practice they are often evaluated independently of other modules, as is the case for the `rasp` and `business-logic` modules.
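As an added illustration (not libddwaf code), the following script orders a small ruleset the way the precedence rules above describe, so the interaction of module order, blocking/monitoring mode and the per-module base/custom preference can be checked on concrete input. The module order and the base/custom table are transcribed from the release notes; the rule dictionary layout, the `SAMPLE_RULES` set and the `sort_rules` helper are assumptions made for the example.

```python
# Added example (not libddwaf code): orders a set of rules the way the
# module-based precedence described above would, so the effect of the
# module, mode and base/custom criteria can be seen on concrete input.
# MODULE_ORDER and BASE_FIRST are transcribed from the release notes;
# the rule dict layout, SAMPLE_RULES and sort_rules() are assumptions.

MODULE_ORDER = [
    "network-acl",
    "authentication-acl",
    "custom-acl",
    "configuration",
    "business-logic",
    "rasp",
    "waf",
]

# Whether base (Datadog-owned) rules precede custom (customer-owned) ones
# for rules of the same mode within the module.
BASE_FIRST = {
    "network-acl": True,
    "authentication-acl": True,
    "custom-acl": False,
    "configuration": False,
    "business-logic": False,
    "rasp": True,
    "waf": False,
}


def sort_key(rule):
    """Key giving (module precedence, mode, ruleset preference, collection)."""
    module = rule["module"]
    if module not in BASE_FIRST:
        raise ValueError(f"unknown module {module!r}")
    # Blocking mode always precedes monitoring mode within a module.
    mode_rank = 0 if rule["blocking"] else 1
    # Base vs custom preference depends on the module.
    is_base = rule["source"] == "base"
    source_rank = 0 if is_base == BASE_FIRST[module] else 1
    # Only the waf module clusters rules by type (rule collections); the
    # clustering is subordinate to mode and source, matching the notes'
    # "marginal impact" on evaluation order.
    collection = rule.get("type", "") if module == "waf" else ""
    return (MODULE_ORDER.index(module), mode_rank, source_rank, collection)


def sort_rules(rules):
    """Rules in evaluation order. sorted() is stable, so rules tying on the
    key keep the order in which they were declared."""
    return sorted(rules, key=sort_key)


# Constructed sample ruleset, deliberately declared out of order.
SAMPLE_RULES = [
    {"id": "waf-custom-block", "module": "waf", "source": "custom", "blocking": True, "type": "sqli"},
    {"id": "waf-base-monitor", "module": "waf", "source": "base", "blocking": False, "type": "xss"},
    {"id": "rasp-custom", "module": "rasp", "source": "custom", "blocking": True, "type": "lfi"},
    {"id": "rasp-base", "module": "rasp", "source": "base", "blocking": True, "type": "lfi"},
    {"id": "ip-custom-block", "module": "network-acl", "source": "custom", "blocking": True},
    {"id": "ip-base-monitor", "module": "network-acl", "source": "base", "blocking": False},
    {"id": "waf-base-block", "module": "waf", "source": "base", "blocking": True, "type": "sqli"},
]


def evaluation_order(rules=SAMPLE_RULES):
    """IDs in the order the rules would be evaluated."""
    return [rule["id"] for rule in sort_rules(rules)]


if __name__ == "__main__":
    for position, rule_id in enumerate(evaluation_order(), 1):
        print(position, rule_id)
```

Two points worth noticing in the output: a custom blocking rule in `network-acl` still runs before a base monitoring rule there, because mode is decided before ruleset ownership; and in `rasp` the base rule runs before the custom one even though both are blocking, which is the opposite of what happens in `waf`.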
Finally, this release also includes a number of fixes and improvements to the exploit prevention heuristics to limit the potential for false positives.
- Module-based rule evaluation precedence (#353)
v1.21.0 (unstable)
This new version of `libddwaf` only introduces one new feature, alongside other fixes and behind-the-scenes changes and improvements.
A new operator, `cmdi_detector`, has been introduced for detecting and blocking command injections. This heuristic builds on the shell injection heuristic in order to detect injections on non-shell APIs, including indirect shell injections. This new operator is part of the exploit prevention feature, so it is meant to be used in combination with targeted instrumentation.
The following example rule takes advantage of the new operator to identify injections originating from request parameters:
```yaml
- id: rsp-930-005
  name: CMDi Exploit detection
  tags:
    type: cmdi
    category: exploit_detection
    module: rasp
  conditions:
    - parameters:
        resource:
          - address: server.sys.exec.cmd
        params:
          - address: server.request.query
          - address: server.request.body
          - address: server.request.path_params
          - address: grpc.server.request.message
          - address: graphql.server.all_resolvers
          - address: graphql.server.resolver
      operator: cmdi_detector
```
- Disable a few patterns that caused false positives (#355)
- Fix build on macos-14 (#349)
- Support `(min|max)_version` on `verify_rule` utility (#350)
- Reorganise tests (#351)
- Auto-retry flaky build steps & downgrade to macos-13 (#357)
v1.20.1 (unstable)
- Shell injection for array-based resources (#333)
- Fix logic error on `lfi_detector` for Windows and introduce `lfi_detector@v2` (#346)
v1.20.0 (unstable)
This new version of `libddwaf` introduces a small set of convenience features and expands some of the existing functionality.
Some of the existing fingerprinting processors have been expanded with the ability to regenerate fingerprints as new data becomes available over subsequent evaluations, specifically:
- The `body` parameter of the `http_endpoint_fingerprint` is now optional.
- All the parameters of the `session_fingerprint` are now optional (`cookies`, `session_id`, `user_id`), however a session fingerprint will only be generated if at least one argument is present.
API users must take into consideration that the same fingerprint may be provided again in the `derivatives` section of `ddwaf_result` over subsequent calls, as more of its inputs become available; the newer value should override the previously generated one.
New operators have now been included in this version of `libddwaf`, and some others have been expanded:
- `greater_than`: asserts whether a numeric value in the input data is greater than a specified one.
- `lower_than`: asserts whether a numeric value in the input data is lower than a specified one.
- `exists` for key paths: the `exists` operator is already available to assert the presence of an address, but it has now been expanded to assert the presence of a key path within an address.
In addition, some operators can now be negated, with the following caveats:
- Matches can only be performed on available addresses, as there isn't sufficient information to determine if an address will be provided in a subsequent evaluation. As a consequence, conditions using negated operators can only specify a single input address.
- Due to the above, the negated version of the `exists` operator (`!exists`) can only assert the absence of a key path, rather than an address.
The following are the new negated operators: `!match_regex`, `!phrase_match`, `!exact_match`, `!ip_match`, `!equals` and `!exists`.
In order to allow a single ruleset to be used throughout multiple versions of `libddwaf`, while taking advantage of new features and / or changes to the evaluation primitives schema, two new fields have been added:
- `min_version`: the minimum version of `libddwaf` required to support this evaluation primitive.
- `max_version`: the maximum version of `libddwaf` for which this evaluation primitive is intended; newer versions skip it.
Both fields follow the semantic versioning schema `x.y.z`, without a `v` in front nor any subsequent labels or hashes; the minimum allowed version is `0.0.0` and the maximum `999.999.999`. Each field can be provided in isolation or in combination with its counterpart.
The evaluation primitives supporting these new fields are: rules, exclusion filters, processors and scanners. An example of a rule using a minimum and maximum version can be seen below:
```yaml
- id: rsp-930-004
  name: SHi Exploit detection
  tags:
    type: shi
    category: exploit_detection
    module: rasp
  min_version: 1.19.0
  max_version: 1.19.999
  conditions:
    - parameters:
        resource:
          - address: server.sys.shell.cmd
        params:
          - address: server.request.query
      operator: shi_detector
```
When an evaluation primitive doesn't meet the required version criteria, its ID is included in a new diagnostic field called `skipped`, within the relevant section, e.g.
```yaml
rules:
  skipped:
    - rsp-930-004
  loaded: ...
```
In addition, in order to distinguish multiple versions of our exploit prevention heuristics, RASP operators can now be versioned. Versioning follows the schema `operator_name@version`, where the operator name is one of the existing RASP operators (`lfi_detector`, `ssrf_detector`, `sqli_detector`, `shi_detector`) and `version` consists of a single digit preceded by a `v`, e.g. `sqli_detector@v2`.
Operator versioning works as follows:
- When the existing operator version is higher than or equal to the required version, the available operator is compatible.
- When the existing operator version is lower than the required version, the operator is incompatible.
- When the operator is incompatible, the rule is silently skipped and added to the `skipped` section of the diagnostics.
In addition, this release includes a new version of the `sqli_detector` operator, specifically `sqli_detector@v2`.
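The two gating mechanisms above (`min_version` / `max_version` on evaluation primitives, and `operator@vN` versioning of RASP operators) are easy to get wrong at the boundaries, so here is an added example (not libddwaf code) that re-implements them and computes the `loaded` / `skipped` diagnostics for a given `libddwaf` version. The inclusive `x.y.z` range without a `v` prefix, the `0.0.0` to `999.999.999` bounds, the single-digit `vN` schema and the silent skip of incompatible rules follow the release notes; the `AVAILABLE_OPERATORS` table, treating an unversioned operator name as v1, treating an operator missing from the table as unavailable, and the `example-*` rule IDs are assumptions made for the example.

```python
# Added example (not libddwaf code): re-implements the version gating
# described above so the `loaded`/`skipped` split can be computed for a
# given libddwaf version.  The bounds semantics (inclusive x.y.z range,
# no `v` prefix or labels, 0.0.0 .. 999.999.999), the operator@vN schema
# and the silent skip of incompatible rules follow the release notes; the
# AVAILABLE_OPERATORS table, treating an unversioned operator as v1, treating
# an unknown operator as unavailable, and the sample rules are assumptions.
import re

VERSION_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
OPERATOR_RE = re.compile(r"^([a-z_]+)(?:@v(\d))?$")

# Highest operator version this hypothetical build implements.  v1.20.0
# ships sqli_detector@v2; the other RASP operators are assumed to be at v1.
AVAILABLE_OPERATORS = {
    "lfi_detector": 1,
    "ssrf_detector": 1,
    "sqli_detector": 2,
    "shi_detector": 1,
    "match_regex": 1,
}


def parse_version(text):
    """'x.y.z' -> (x, y, z); rejects 'v1.2.3', '1.2.3-rc0' and components > 999."""
    match = VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"invalid version {text!r}")
    return tuple(int(part) for part in match.groups())


def version_in_range(current, min_version=None, max_version=None):
    """Inclusive check of `current` against optional lower/upper bounds."""
    lower = parse_version(min_version) if min_version else (0, 0, 0)
    upper = parse_version(max_version) if max_version else (999, 999, 999)
    return lower <= parse_version(current) <= upper


def operator_compatible(name):
    """True when the build's operator version is >= the version the rule asks for."""
    match = OPERATOR_RE.match(name)
    if match is None:
        raise ValueError(f"invalid operator {name!r}")
    base, required = match.group(1), int(match.group(2) or 1)
    available = AVAILABLE_OPERATORS.get(base)
    return available is not None and available >= required


def load_rules(rules, current_version):
    """Split rule IDs into the `loaded` and `skipped` diagnostics lists."""
    diagnostics = {"loaded": [], "skipped": []}
    for rule in rules:
        compatible = version_in_range(current_version, rule.get("min_version"), rule.get("max_version"))
        compatible = compatible and all(
            operator_compatible(condition["operator"]) for condition in rule["conditions"]
        )
        diagnostics["loaded" if compatible else "skipped"].append(rule["id"])
    return diagnostics


# Constructed sample rules; rsp-930-004 is the rule from the release notes,
# the example-* IDs are made up for this example.
SAMPLE_RULES = [
    {"id": "rsp-930-004", "min_version": "1.19.0", "max_version": "1.19.999",
     "conditions": [{"operator": "shi_detector"}]},
    {"id": "example-sqli-v2", "conditions": [{"operator": "sqli_detector@v2"}]},
    {"id": "example-lfi-v2", "conditions": [{"operator": "lfi_detector@v2"}]},
    {"id": "example-regex", "max_version": "1.20.0",
     "conditions": [{"operator": "match_regex"}]},
]


if __name__ == "__main__":
    for version in ("1.19.5", "1.20.0"):
        print(version, load_rules(SAMPLE_RULES, version))
```

Running it for `1.19.5` loads `rsp-930-004`, while for `1.20.0` the rule lands in `skipped` because `1.19.999` is the last version it covers; a rule asking for `lfi_detector@v2` is skipped on a build that only has v1 of that operator, which is the silent-skip behaviour to watch for when rolling a ruleset out across a fleet running mixed `libddwaf` versions.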
- Fingerprint regeneration based on availability of optional arguments (#331)
- Expand detections per parameter (#332)
- Extend exists operator to support key paths and negation (#334)
- Negated scalar condition for matchers (#335)
- Greater and lower than matchers (#336)
- Support min_version and max_version on evaluation primitives and RASP operator versioning (#343)
- Introduce `sqli_detector@v2` (#343)
- Fix false positive on SQLi EOL comments (#330)
- Fix many, but not all, clang-tidy complaints (#339)
- Set content:write permissions on release job (#340)
v1.19.1 (unstable)
- Split collections by module (#328)
v1.19.0 (unstable)
This new version of `libddwaf` introduces a multitude of new features in order to support new use cases and expand existing ones.
A new operator, `shi_detector`, has been introduced for detecting and blocking shell injections, based on input parameters and the final shell code being evaluated. This new operator is part of the exploit prevention feature, so it is meant to be used in combination with targeted instrumentation.
The following example rule takes advantage of the new operator to identify injections originating from request parameters:
```yaml
- id: rsp-930-004
  name: SHi Exploit detection
  tags:
    type: shi
    category: exploit_detection
    module: rasp
  conditions:
    - parameters:
        resource:
          - address: server.sys.shell.cmd
        params:
          - address: server.request.query
          - address: server.request.body
          - address: server.request.path_params
          - address: grpc.server.request.message
          - address: graphql.server.all_resolvers
          - address: graphql.server.resolver
      operator: shi_detector
```
This release includes a new family of processors which can be used to generate different fingerprints for a request and / or user, depending on available information:
- `http_endpoint_fingerprint`: this processor generates a fingerprint which uniquely identifies the HTTP endpoint accessed by the request as well as how this endpoint was accessed (i.e. which parameters were used).
- `http_headers_fingerprint`: generates a fingerprint which provides information about the headers used when accessing said HTTP endpoint.
- `http_network_fingerprint`: provides a fingerprint containing some information about the network-related HTTP headers used within the request.
- `session_fingerprint`: this processor generates a specific fingerprint with sufficient information to track a unique session and / or attacker.
Suspicious attackers can now be blocked conditionally when they perform a restricted action or an attack. With the combination of custom exclusion filter actions and exclusion data, it is now possible to change the action of a rule dynamically depending on a condition, e.g. all rules could be set to blocking mode if a given IP performs a known attack.
The following exclusion filter, in combination with the provided exclusion data, changes the action of all rules based on the client IP:
```yaml
exclusions:
  - id: suspicious_attacker
    conditions:
      - operator: ip_match
        parameters:
          inputs:
            - address: http.client_ip
          data: ip_data
exclusion_data:
  - id: ip_data
    type: ip_with_expiration
    data:
      - value: 1.2.3.4
        expiration: 0
```
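The following is an added example (not libddwaf code) modelling the `ip_with_expiration` data that backs the `ip_match` condition above and the action the filter applies once it fires. Two behaviours come from this changelog: entries are `value` / `expiration` pairs, and (v1.9.0) when the same value is provided more than once the longest expiration takes precedence. Treating `expiration: 0` as "never expires", accepting CIDR values, taking `now` as a Unix timestamp from the caller and assuming the filter's action is `block` are all assumptions made for the example.

```python
# Added example (not libddwaf code): models the `ip_with_expiration` data
# that backs the `ip_match` condition above and the action the filter
# applies when it fires.  From the release notes: entries are
# {value, expiration} pairs and (v1.9.0) the longest expiration takes
# precedence when a value is provided more than once.  Assumptions made
# for the example: `expiration: 0` means the entry never expires, values
# may be CIDR networks, `now` is a Unix timestamp supplied by the caller,
# and the filter's action is `block`.
import ipaddress


class IpWithExpiration:
    """Store of IP networks with per-entry expiration timestamps."""

    def __init__(self, entries=()):
        self._networks = {}  # ip_network -> expiration (0 = never expires)
        for entry in entries:
            self.add(entry["value"], entry["expiration"])

    def add(self, value, expiration):
        network = ipaddress.ip_network(value, strict=False)
        current = self._networks.get(network)
        if current is None:
            self._networks[network] = expiration
        elif current == 0 or expiration == 0:
            self._networks[network] = 0  # a permanent entry beats any deadline
        else:
            self._networks[network] = max(current, expiration)  # longest wins

    def match(self, client_ip, now):
        """Return the matching network as a string, or None if no live entry matches."""
        address = ipaddress.ip_address(client_ip)
        for network, expiration in self._networks.items():
            if address in network and (expiration == 0 or expiration > now):
                return str(network)
        return None


# Constructed sample data: the entry from the release notes plus a CIDR
# entry supplied twice with different expirations.
SAMPLE_DATA = [
    {"value": "1.2.3.4", "expiration": 0},
    {"value": "10.0.0.0/8", "expiration": 1700000000},
    {"value": "10.0.0.0/8", "expiration": 1800000000},
]


def suspicious_attacker_action(client_ip, now, data=SAMPLE_DATA):
    """Action the `suspicious_attacker` filter would apply to all rules for this client."""
    store = IpWithExpiration(data)
    return "block" if store.match(client_ip, now) else None


if __name__ == "__main__":
    for client in ("1.2.3.4", "10.1.2.3", "8.8.8.8"):
        print(client, suspicious_attacker_action(client, now=1750000000))
```

The point of the merge rule in `add` is operational: if a feed pushes the same address twice, once with a short deadline and once with a longer one (or with `0`), the stricter entry must not be overwritten by the later, weaker one, otherwise a blocklist update could silently shorten an active block.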
- New operator `exists`: this new operator can be used to assert the presence of at least one address from a given set of addresses, regardless of their underlying value.
- Rule tagging overrides: rule overrides now allow adding tags to an existing rule, e.g. to provide information about the policy used.
- New function `ddwaf_known_actions`: this new function can be used to obtain a list of the action types which can be triggered given the set of rules and exclusion filters available.
- Multivariate processors and remove generators (#298)
- Custom rule filter actions (#303)
- SHA256 hash based on OpenSSL (#304)
- Shell injection detection operator (#308)
- Limit the number of transformers per rule or input (#309)
- Validate redirection location and restrict status codes (#310)
- Rule override for adding tags (#313)
- Add support for dynamic exclusion filter data (#316)
- HTTP Endpoint Fingerprint Processor (#318)
- HTTP Header, HTTP Network and Session Fingerprints (#320)
- Exists operator and waf.context.event virtual address (#321)
- Add function to obtain available actions (#324)
- Transformer fixes and improvements (#299)
- Fix object generator stray container (#294)
- Regex tools & benchmark rename (#290)
- Order benchmark scenarios (#300)
- Upgrade to macos-12 (#312)
- Skip disabled rules when generating ruleset (#314)
- Update default obfuscator regex (#317)
v1.18.0 (unstable)
This version introduces a new operator `sqli_detector` for the detection of SQL injections. In addition, the ruleset parser has been updated to allow non-string parameter values on action definitions.
- SQL Injection (SQLi) Detection Operator (#284)
- Fix mishandling invalid actions key type (#286)
- Convert non-string object types into string during ruleset parsing (#285)
- Use SSE4.1 ceilf when available and add badges to readme (#288)
- SQLi Detector Fuzzer and improvements (#291)
v1.17.0 (unstable)
This new version introduces RASP rules and supporting features, including:
- Multivariate operators for the development of complex rules.
- A new operator `lfi_detector` for the detection of local file inclusion (LFI) / path traversal attacks.
- A new operator `ssrf_detector` for the detection of server-side request forgery (SSRF) attacks.
- Better support for rule actions, as well as internal default actions: `block`, `stack_trace` and `extract_schema`.
The upgrading guide has also been updated to cover the new breaking changes.
- Multivariate operator support (#241)
- Local file inclusion (LFI) operator (#258)
- Server-side request forgery (SSRF) detection operator (#268)
- Action semantics and related improvements (#277)
- Reduce benchmark noise (#257, #259, #260)
- Add support for old glibc (e.g. RHEL 6) (#262)
- Add weak ceilf symbol and definition (#263)
- Fix parsing of variadic arguments (#267)
- Update node-16 actions to node-20 ones (#266)
- Attempt to build libddwaf on arm64 runner (#270)
- Run tests on arm64 (#271)
- LFI detector fuzzer (#274)
- Remove rpath from linux-musl binary (#282)
v1.17.0-alpha3 (unstable)
- Action semantics and related improvements (#277)
- LFI detector fuzzer (#274)
v1.17.0-alpha2 (unstable)
- Server-side request forgery (SSRF) detection operator (#268)
v1.17.0-alpha1 (unstable)
- Fix parsing of variadic arguments (#267)
- Update node-16 actions to node-20 ones (#266)
v1.17.0-alpha0 (unstable)
v1.16.1 (unstable)
v1.16.0 (unstable)
- Address a libinjection false positive (#251)
- Remove a few fingerprints causing false positives (#252)
- Fix SSE2 lowercase transformer (#253)
- Build tools on CI to avoid breaking tool users (#229)
- Remove legacy linux builds (#230)
- Vendorize re2 and utf8proc (#231)
- Refactor cmake scripts and support LTO (#232)
- Microbenchmarks (#242, #243, #244, #245, #246, #247, #248, #250)
v1.15.1 (unstable)
- Fix duplicate processor check (#234)
v1.15.0 (unstable)
This new version of the WAF includes the following new features:
- Ephemeral addresses for composite requests
- Naive duplicate address support on input filters
- Required / Optional address diagnostics
The upgrading guide has also been updated to cover the new changes.
- Support ephemeral addresses on `ddwaf_run` (#219)
- Rename `ddwaf_required_addresses` to `ddwaf_known_addresses` (#221)
- Schema extraction scanners: reduce false positives on arrays (#220)
- Ephemeral addresses for rules & exclusion filters (#219)(#224)
- Address diagnostics (#221)
- Naive duplicate address support on input/object filters (#222)
- Update nuget packaging to use new musl linux binaries (#217)
- Validator improvements (#225)
- Use `fmt::format` for logging and vendorize some dependencies within `src/` (#226)
- Reduce linux binary size and fix some flaky tests (#227)
v1.14.0 (unstable)
This release of the WAF includes the following new features:
- Schema data classification through the use of scanners.
- A vectorized version of the `lowercase` transformer using SSE2.
- Generalized processors which are evaluated before or after filters and rules based on their outcome.
- Optimizations to avoid unnecessary rule and filter evaluation.
- Many other quality of life, correctness and performance improvements
- Rename `preprocessor` top-level key to `processor` (#209)
- Fix missing top-level key for processor diagnostics (#209)
- SSE2 lowercase transformer (#195)
- Reduce schema extraction limits (#208)
- Skip rule and filter evaluation when no new rule targets exist (#207)
- Refactor preprocessors into preprocessors and postprocessors (#209)
- Convert float to (un)signed within the parsing stage (#210)
- Scanners for schema scalar classification (#211)
- Remove ptr typedefs (#212)
- Indexer abstraction to encapsulate rule and scanner search and storage (#213)
v1.13.1 (unstable)
- Allow conversions between signed/unsigned types during parsing (#205)
v1.13.0 (unstable)
This new version of the WAF includes the following new features:
- Schema extraction preprocessor
- New and improved universal linux builds, including support for i386 and armv7
- `float` and `null` types
- Equals operator for arbitrary type equality comparison within conditions
- Many other quality of life, correctness and performance improvements
The upgrading guide has also been updated to cover the new changes.
- Add object types `DDWAF_OBJ_FLOAT` and `DDWAF_OBJ_NULL` (#197)
- Add `double` field `f64` in `ddwaf_object` (#197)
- Add `ddwaf_object_null`, `ddwaf_object_float` and `ddwaf_object_get_float` (#197)
- Rename `ddwaf_object_signed` to `ddwaf_object_string_from_signed` (#197)
- Rename `ddwaf_object_unsigned` to `ddwaf_object_string_from_unsigned` (#197)
- Rename `ddwaf_object_signed_force` to `ddwaf_object_signed` (#197)
- Rename `ddwaf_object_unsigned_force` to `ddwaf_object_unsigned` (#197)
- Add `derivatives` field to `ddwaf_result` for output objects generated through preprocessors (#182)
- Encapsulate conditions within expressions (#192)
- Equals operator and arbitrary operator type support (#194)
- Float and null type support (#197)
- Schema Extraction Preprocessor (#182)(#202)
- Minor improvements (#193)
- Rename operation to matcher (#196)
- Fix coverage (#199)
- Linux musl/libc++ builds using alpine-based sysroots and llvm16 (#198)(#200)(#201)
v1.12.0 (unstable)
- Per-input transformers support on exclusion filter conditions (#177)
- Read-only transformers (#178)(#185)(#190)
- Rule filter bypass / monitor mode support (#184)(#188)
- Object schemas (#174)
- Simple IP Match Benchmark (#176)
- Remove Manifest (#179)
- Reduce build parallelism (#183)
- Change standard to C++20 (#186)
v1.11.0 (unstable)
- Full ruleset parsing diagnostics (#161)
- Event result as `ddwaf_object` (#162)
- Replace `ddwaf_result.actions` with a `ddwaf_object` array (#165)
- Multithreaded fuzzer (#166)
- Fix benchmark, test output and update ruleset to 1.7.0 (#171)
- Validator: add support for per-directory tests and ruleset (#172)
- Rename examples directory to tools (#173)
- Update ruleset to 1.7.1 (#173)
- Refactor and simplify tools to reduce code duplication (#173)
v1.10.0 (unstable)
- Add all rule tags to event (#160)
v1.9.0 (unstable)
- Remove a libinjection signature (#145)
- Priority collection, rule and filter simplification (#150)
- Improve allocation / deallocation performance within the context using a `context_allocator` (#151)
- Longest rule data expiration takes precedence for `ip_match` and `exact_match` operators (#152)
- Custom rules support (#154)
- Add vdso support for aarch64 (#157)
- Upgrade CodeQL Github Action to v2 (#144)
- Fix broken builds (#147)
- Benchmark: context destroy fixture (#148)
- Remove unused json rule files and vendorise aho-corasick submodule (#153)
- Cancel jobs in progress (#158)
v1.8.2 (unstable)
- Use raw pointers instead of shared pointers for rule targets (#141)
v1.8.1 (unstable)
- Return `NULL` handle when incorrect version or empty rules provided to `ddwaf_init` (#139)
v1.8.0 (unstable)
- Add `ddwaf_update` for all-in-one ruleset updates (#138)
- Remove `ddwaf_required_rule_data_ids` (#138)
- Remove `ddwaf_update_rule_data` (#138)
- Remove `ddwaf_toggle_rules` (#138)
- Add WAF Builder (#138)
v1.7.0 (unstable) - 2023/02/06
v1.6.2 (unstable) - 2023/01/26
- Add boolean getter (#132)
- Add support for converting string to bool in parameter bool cast operator (#133)
- Add parameter `int64_t` cast operator (#133)
- Add support for `enabled` flag on ruleset parser (#133)
- Replace `isdigit` with custom version due to windows locale-dependence (#133)
- Minor fixes and parsing improvements (#133)
v1.6.1 (unstable) - 2023/01/17
v1.6.0 (unstable) - 2023/01/10
- Exclusion filters: targets and conditions (#110)
- Exclusion filters: inputs (#117)
- Add ID to exclusion filters (#120)
- Rework path trie for exclusion (#122)
- Priority collections (#123)
- Support for glob component and arrays on object filter (#124)
- Experiment building libddwaf on the oldest available macos target (#111)
- Strip libddwaf.a for darwin/linux release (#107)
- linux/aarch64: add missing libunwind.a artefact (#109)
- Add option to prevent loading test targets (#108)
- Upgrade deprecated actions (#114)
- Include mac arm binaries in nuget (#115)
- Run clang tidy / format on CI (#116)
- Exclusion filters on fuzzer (#118)
v1.5.1 (unstable) - 2022/09/22
- Add `ddwaf_required_rule_data_ids` to obtain the rule data IDs defined in the ruleset (#104)
- GTest `ddwaf_result` validators (#102)
- Replace `std::optional::value()` with `std::optional::operator*()` (#105)
- Add new and missing exports (#106)
v1.5.0 (unstable) - 2022/09/08
- Remove `ddwaf_version`, `ddwaf_get_version` now returns a version string (#89)
- Move free function from `ddwaf_context_init` to `ddwaf_config` (#89)
- Add `ddwaf_result.actions` struct containing a `char*` array and its size (#91)
- Add `ddwaf_update_rule_data` (#91)
- Remove `DDWAF_BLOCK` (#91)
- Rename `DDWAF_GOOD` to `DDWAF_OK` (#92)
- Rename `DDWAF_MONITOR` to `DDWAF_MATCH` (#92)
- Deanonymize nested structs (#97)
- Add `ddwaf_object_bool` for backwards-compatible support for boolean `ddwaf_object` (#99)
- Add `ddwaf_toggle_rules` to enable or disable rules at runtime (#99)
- Add `unicode_normalize` transformer (#82)
- Remove `PWRetriever`, `PWArgsWrapper`, `Iterator` and `ArgsIterator` (#77)
- Add `ddwaf::object_store` to manage all targets and objects provided to the WAF (#77)
- Add `ddwaf::value_iterator` for object value traversal (#77)
- Add `ddwaf::key_iterator` for object key traversal (#77)
- Simplify target manifest (#78)
- Remove input object validation (#85)
- Merge `PWAdditive` and `PWProcessor` and rename to `ddwaf::context` (#89)
- Rename `PowerWAF` to `ddwaf::waf` (#89)
- Add `ddwaf::timer` to abstract deadline (#89)
- Simplify rule processors (#89)
- Add `ip_match` operator and tests (#87)
- Refactor ip handling into `ip_utils` (#87)
- Add `exact_match` operator and tests (#87)
- Rename existing rule processors to more closely resemble their operator name (#87)
- Rename `IPWRuleProcessor` to `rule_processor_base` (#87)
- Add support for per-rule `on_match` array in ruleset (#91)
- Add optional `on_match` to JSON event format (#91)
- Remove `PWRetManager` and `MatchGatherer` (#91)
- Add `ddwaf::event` to collect all relevant rule match data in one structure (#91)
- Add `ddwaf::event_serializer` for JSON event (#91)
- Update processors to use `std::string_view` rather than `char *` and length (#91)
- Add `ddwaf::timeout_exception` to avoid error code propagation (#91)
- Disable the `1)c` libinjection fingerprint (#94)
- Configurable rule data (#96)
- Timeout error propagation (#89)
- Pass object limits configuration to iterators (#89)
- Apply string limits (#89)
- Fix missing exports (#101)
- Add `utf8proc` license (#84)
- Add codecov support (#86)
- Add CODEOWNERS (#88)
- Add `benchmerge` to merge multiple benchmark results (#85)
- Update ruleset version for testing to 1.3.2 (#101)
- Fix missing build flags from `utf8proc` build (#100)
v1.5.0-rc0 (unstable) - 2022/09/02
- Add `ddwaf_object_bool` for backwards-compatible support for boolean `ddwaf_object` (#99)
- Add `ddwaf_toggle_rules` to enable or disable rules at runtime (#99)
- Fix missing exports (#101)
- Update ruleset version for testing to 1.3.2 (#101)
- Fix missing build flags from `utf8proc` build (#100)
v1.5.0-alpha1 (unstable) - 2022/08/30
- Deanonymize nested structs (#97)
v1.5.0-alpha0 (unstable) - 2022/08/04
- Remove `ddwaf_version`, `ddwaf_get_version` now returns a version string (#89)
- Move free function from `ddwaf_context_init` to `ddwaf_config` (#89)
- Add `ddwaf_result.actions` struct containing a `char*` array and its size (#91)
- Add dummy `ddwaf_update_rule_data` for future use (#91)
- Remove `DDWAF_BLOCK` (#91)
- Rename `DDWAF_GOOD` to `DDWAF_OK` (#92)
- Rename `DDWAF_MONITOR` to `DDWAF_MATCH` (#92)
- Add `unicode_normalize` transformer (#82)
- Remove `PWRetriever`, `PWArgsWrapper`, `Iterator` and `ArgsIterator` (#77)
- Add `ddwaf::object_store` to manage all targets and objects provided to the WAF (#77)
- Add `ddwaf::value_iterator` for object value traversal (#77)
- Add `ddwaf::key_iterator` for object key traversal (#77)
- Simplify target manifest (#78)
- Remove input object validation (#85)
- Merge `PWAdditive` and `PWProcessor` and rename to `ddwaf::context` (#89)
- Rename `PowerWAF` to `ddwaf::waf` (#89)
- Add `ddwaf::timer` to abstract deadline (#89)
- Simplify rule processors (#89)
- Add `ip_match` operator and tests (#87)
- Refactor ip handling into `ip_utils` (#87)
- Add `exact_match` operator and tests (#87)
- Rename existing rule processors to more closely resemble their operator name (#87)
- Rename `IPWRuleProcessor` to `rule_processor_base` (#87)
- Add support for per-rule `on_match` array in ruleset (#91)
- Add optional `on_match` to JSON event format (#91)
- Remove `PWRetManager` and `MatchGatherer` (#91)
- Add `ddwaf::event` to collect all relevant rule match data in one structure (#91)
- Add `ddwaf::event_serializer` for JSON event (#91)
- Update processors to use `std::string_view` rather than `char *` and length (#91)
- Add `ddwaf::timeout_exception` to avoid error code propagation (#91)
- Timeout error propagation (#89)
- Pass object limits configuration to iterators (#89)
- Apply string limits (#89)
- Add `utf8proc` license (#84)
- Add codecov support (#86)
- Add CODEOWNERS (#88)
- Add `benchmerge` to merge multiple benchmark results (#85)
v1.4.0 (unstable) - 2022/06/29
- Correct nuget url (#68)
- Only take params ownership when needed (#69)
- WAF Benchmark Utility (#70)
- WAF Validator (#74)
- Make libinjection look for backticks (#80)
- Add version semantic and unstable release information (#81)
- WAF event obfuscator.
- Add obfuscator configuration to `ddwaf_config`.
- Changes to limits in `ddwaf_config`:
  - Rename `maxArrayLength` to `limits.max_container_size`.
  - Rename `maxMapDepth` to `limits.max_container_depth`.
  - Add `limits.max_string_length`, currently unused.
  - All limits are now `uint32`.
  - Relevant macros renamed accordingly.
- Rename
- Fix issue on ruleset error map reallocation causing cached pointer invalidation.
- Add check for empty input map on parser.
- Update github actions windows build VM to windows-2019.
- Remove metrics collector.
- Add `total_runtime` to `ddwaf_result`.
- Fix issue when reporting timeouts.
- Add `ddwaf_object` getters.
- Provide ruleset parsing diagnostics on `ddwaf_init`.
- Add support for metrics collection on `ddwaf_run`.
- Add `keys_only` transformer.
- Improve support for older platforms.
- Remove indirection and reduce string operations when processing flows.
- Refactor input verification.
- Remove deprecated features.
- Add arm64 build to nuget package.
- Upgrade RE2 to 2022-02-01.
- Add missing libunwind to x86_64 linux build.
- Fix potential integer overflow in `DDWAF_LOG_HELPER`.
- Add missing shared mingw64 build.
- Add example tool to run the WAF on a single rule with multiple test vectors.
- Fix duplicate matches in output (#36)
- Support `min_length` option on `regex_match` operator.
- Remove `DDWAF_ERR_TIMEOUT` and update value of other errors.
- Add timeout field to `ddwaf_result`.
- Remove action field from `ddwaf_result`.
- Support MacOS 10.9.
- Minor CMake compatibility improvements.
- WAF output now conforms to the appsec event format v1.0.0.
- Add schema for output validation.
- Remove zip package generation.
- Minor improvements.
- Add support for ruleset format v2.1.
- Update fuzzer.
- Fix addresses with key path missing from ddwaf_required_addresses.
- Improve ruleset parsing logging.
- Add libinjection SQL and XSS rule processors.
- Add support for ruleset format v1.1 (adding is_sqli and is_xss operators).
- Improved universal x86_64 and arm64 builds.
- Added darwin arm64 build.
- Fixed error on corpus generator for fuzzer.
- Improve contributor onboarding and readme.
- Cross-compile aarch64 static/shared libraries.
- Improve corpus generator for fuzzer.
- Add license to nuget package.
- Renamed static windows library to `ddwaf_static`.
- Correctly publish DSO dependencies.
- Add license and notice.
- Add copyright note to source files.
- Add issue and pull-request templates.
- Removed spdlog dependency.
- Fixed crash on base64encode transformer.
- Fixed crash on compressWhiteSpace transformer.
- Updated and fixed fuzzer.
- Fixed missing static library on windows packages.
- Other minor fixes and improvements.
- Support for new rule format, using `ddwaf::object`.
- Interface updated with `ddwaf` namespace.
- Removed pass-by-value and return-by-value from interface.
- Removed WAF singleton interface.
- Simplified WAF interface to be handle based and always additive.
- Clarified the ownership of `ddwaf::object` passed to the WAF.
- Removed functionality not supported by the new rule format.
- Added exception catch-all on interface functions to prevent std::terminate.
- Convert integers to strings at the input of the WAF
- Report the manifest key of the parameter that we matched in the trigger report
- Fix a bug where we could send reports from a previously reported attack in follow-up executions of the additive API
- Fix behavior of @exist on empty list
- Improve the cache bypass logic to only bypass it once per run
- Fix the cache overwrite logic when the bypass resulted in a match
- Fix an issue where we wouldn't run on keys if the associated value was a container in specific encapsulated containers
- Introduce a `numerize` transformer to better handle `Content-Length`
- Fix an issue where we wouldn't run on keys if the associated value was a container
- Fix an issue where reports would be generated when no action is triggered
- Fix an issue where only the last step of a flow will trigger a report
- Fix an issue where reports would be incomplete if some rules triggered in previous run of the additive API
- Fix a bug where we wouldn't run on keys if the associated value was shorter than a rule's options.min_length
- Introduce transformers to extract CRS targets from the raw URI
- Introduce `removeComments` transformer
- Introduce `@ipMatch` operator
- Introduce modifiers for a rule execution
- Introduce `@exist` operator
- Improve performance of the Additive API
- Reduce the frequency of perf cap check
- Return the detailed performance of the slowest rules
- Introduce allocation helpers
- Other performance optimisations
- Introduce Additive API
- Introduce expanded initialization format
- Introduce Handle API
- Report performance metrics on each run
- Report the runtime of the slowest rules of each run
- Report the path of a match
- Introduce new transformers
- Rename and shorten the API names
- More...
- Fix false positives in libinjection SQL heuristics
- Fix a false positive in libinjection XSS heuristics
- When running a rule with multiple parameters, don't stop processing if a parameter is missing
- Add support for the `config` key in the init payload
- Add support for prefixes to operators
- Add a switch through both means to revert the first fix
- Replace the clock we were using with a more efficient one
- When processing a multi step rule where a parameter is missing to one step, fail the step instead of ignoring it
- Fix a bug where the Compare operators could read one byte after the end of a PWArgs buffer
- Fix a bug where lib injection might read one byte past an internal buffer
- Give more control over the safety features to the API
- Introduce `@pm` operator
- Introduce `@beginsWith`, `@contains`, and `@endsWith` operators
- Cap the memory each RE2 object can use to 512kB
- Introduce `powerwaf_initializePowerWAFWithDiag`
- Fix a UTF-8 truncation bug (SQR-8164)
- Cleanup headers
- Improved locking performance
- Initial release