Update to libddwaf 1.5.1 #2306

Merged 27 commits, Oct 17, 2022

Commits on Oct 11, 2022

  1. Update libddwaf to 1.5.1 (f80e0a1, lloeki, Oct 11, 2022)

    Also update vendored rulesets to 1.4.1

    Notable libddwaf API changes include:
    - ability to set sideband rule data
    - ability to toggle rules
    - proper separation of return code vs decided action
    - ability to hint at multiple actions
    - non-reliance on garbage collector (finalization must be explicit)
  2. Add AppSec spec rake tasks (891ffdf, lloeki, Oct 11, 2022)
  3. 7da6156
  4. Use source for grpc and google-protobuf on Ruby preview (ba1ef94, lloeki, Oct 11, 2022)

    While the presence of a ruby-platform gem for these should be picked up
    by bundler, sometimes it is not. Also, this makes it a bit more
    future-proof, so that bundler doesn't attempt to pick a version that has
    no ruby platform gem, and then proceed to fail.
  5. Use source for nokogiri on 3.2 in appraisal (a7c03b5, lloeki, Oct 11, 2022)

    While the presence of a ruby-platform gem for these should be picked up
    by bundler, sometimes it is not. Also, this makes it a bit more
    future-proof, so that bundler doesn't attempt to pick a version that has
    no ruby platform gem, and then proceed to fail.
  6. Add rack-contrib to contrib appraisals (80220fc, lloeki, Oct 11, 2022)

    Some AppSec spec examples have to be tested against rack-contrib
  7. Update appraisal locks (2b67d30, lloeki, Oct 11, 2022)
  8. 23f77fd
  9. Set appsec.event tag when span is still active (1f4d18a, lloeki, Oct 11, 2022)

    Previously setting the tag would work but the change would be silently
    dropped, resulting in the change being absent from the final trace.
  10. Make instrumentation gateway idempotent (4d881c5, lloeki, Oct 11, 2022)

    Prevents accumulation of instrumentation middlewares if multiple
    configure blocks are being called, like over app hot-reloading (e.g.
    Rails development mode, which rereads initializers) or across a sequence
    of examples within a spec suite.

    Since watchers are essentially static, they need only to be set up once
    per process, ever.
  11. Make Rack and Rails parse known request bodies for AppSec analysis (b81054d, lloeki, Oct 11, 2022)

    Rack and Rails are lazily populating upon access. Depending on the
    access pattern this may mean that body data would not be available to
    AppSec for analysis. This is worked around by a call to the
    side-effectful accessors.
  12. Skip AppSec in a Rack context when AppSec is disabled (f948cbb, lloeki, Oct 11, 2022)

    Consequently, context will not be set in Rack env, trickling down to
    either disablement or enablement of other instrumented calls,
    consistently for the whole request.
  13. Release context, freeing backing C objects (731028a, lloeki, Oct 11, 2022)

    This would apply to handle as well, yet currently handle is a value that
    exists only once per application, so is never to be freed since there is
    no place for its finalize to be called.
  14. Add AppSec integration specs (35f67c4, lloeki, Oct 11, 2022)

    This covers the following AppSec integrations:
    - Rack
    - Rails
    - Sinatra
  15. Fix log for catchall case (ed9a11f, lloeki, Oct 11, 2022)
  16. Comply with linter (eb0a401, lloeki, Oct 11, 2022)
  17. Run AppSec specs in CI (08d9b11, lloeki, Oct 11, 2022)
  18. Handle old rack-contrib in specs (a961764, lloeki, Oct 11, 2022)

    JSONBodyParser replaces PostBodyContentTypeParser
  19. Handle old Rails in specs (2990268, lloeki, Oct 11, 2022)

    With POST requests, a CSRF token is theoretically needed, but we have
    none. Skip the filter, using the appropriate method depending on Rails
    versions. Also the mock app may not have the filter defined.
  20. Handle old rack-test (052644c, lloeki, Oct 11, 2022)

    Prior to 0.7 an argument is lacking to generate multipart requests
    without uploading a file.
  21. 397ec9a

Commits on Oct 14, 2022

  1. b24ac6a

Commits on Oct 17, 2022

  1. 3a5351f
  2. ef66af9
  3. 8798f66
  4. 5fff719
  5. cdb04fe