Update to latest commit from DataDog/libddwaf-rust#5

Author: RomainMuller

bottlecap/Cargo.lock

@@ -64,7 +64,7 @@ datadog-trace-obfuscation = { git = "https://github.com/DataDog/libdatadog", rev
 dogstatsd = { git = "https://github.com/DataDog/serverless-components", rev = "c3d8ed4f90591c6958921145d485463860307f78", default-features = false }
 datadog-trace-agent = { git = "https://github.com/DataDog/serverless-components", rev = "c3d8ed4f90591c6958921145d485463860307f78" }
 datadog-fips = { git = "https://github.com/DataDog/serverless-components", rev = "c3d8ed4f90591c6958921145d485463860307f78", default-features = false }
-libddwaf = { version = "1.25.1", git = "https://github.com/DataDog/libddwaf-rust", rev = "1353c5cf1c2ff6b8474b950bd96bccd5d89cf4f3", default-features = false, features = ["default"] }
+libddwaf = { version = "1.25.1", git = "https://github.com/DataDog/libddwaf-rust", rev = "b23b2d7e6abd6340b30dc8031482a6326bda57cd", default-features = false, features = ["default"] }
 
 [dev-dependencies]
 figment = { version = "0.10", default-features = false, features = ["yaml", "env", "test"] }

bottlecap/Cargo.toml

@@ -5,16 +5,17 @@ use aws_lambda_events::{
     lambda_function_urls, s3, sns, sqs,
 };
 use bytes::{Buf, Bytes};
-use libddwaf::object::{WAFArray, WAFMap, WAFObject};
+use libddwaf::object::{WafArray, WafMap, WafObject};
 use tracing::warn;
 
 mod request;
 
+
 trait IsValid {
     fn is_valid(map: &serde_json::Map<String, serde_json::Value>) -> bool;
 }
 
-struct HTTPRequestData {
+struct HttpRequestData {
     source_ip: Option<String>,
     route: Option<String>,
     client_ip: Option<String>,
@@ -23,16 +24,16 @@ struct HTTPRequestData {
     cookies: Option<HashMap<String, Vec<String>>>,
     query: Option<HashMap<String, Vec<String>>>,
     path_params: Option<HashMap<String, String>>,
-    body: Option<WAFObject>,
-    response_body: Option<WAFObject>,
+    body: Option<WafObject>,
+    response_body: Option<WafObject>,
     response_status: Option<u32>,
 }
 
-trait ToWAFMap {
-    fn to_waf_map(self) -> WAFMap;
+trait ToWafMap {
+    fn to_waf_map(self) -> WafMap;
 }
-impl ToWAFMap for HTTPRequestData {
-    fn to_waf_map(self) -> WAFMap {
+impl ToWafMap for HttpRequestData {
+    fn to_waf_map(self) -> WafMap {
         let count = [
             self.client_ip.is_some(),
             self.raw_uri.is_some(),
@@ -47,7 +48,7 @@ impl ToWAFMap for HTTPRequestData {
         .into_iter()
         .filter(|b| *b)
         .count();
-        let mut map = WAFMap::new(count as u64);
+        let mut map = WafMap::new(count as u64);
         let mut i = 0;
 
         if let Some(client_ip) = self.client_ip {
@@ -92,12 +93,12 @@ impl ToWAFMap for HTTPRequestData {
         map
     }
 }
-impl ToWAFMap for HashMap<String, Vec<String>> {
-    fn to_waf_map(self) -> WAFMap {
-        let mut map = WAFMap::new(self.len() as u64);
+impl ToWafMap for HashMap<String, Vec<String>> {
+    fn to_waf_map(self) -> WafMap {
+        let mut map = WafMap::new(self.len() as u64);
 
         for (i, (k, v)) in self.into_iter().enumerate() {
-            let mut arr = WAFArray::new(v.len() as u64);
+            let mut arr = WafArray::new(v.len() as u64);
             for (j, v) in v.into_iter().enumerate() {
                 arr[j] = v.as_str().into();
             }
@@ -108,9 +109,9 @@ impl ToWAFMap for HashMap<String, Vec<String>> {
         map
     }
 }
-impl ToWAFMap for HashMap<String, String> {
-    fn to_waf_map(self) -> WAFMap {
-        let mut map = WAFMap::new(self.len() as u64);
+impl ToWafMap for HashMap<String, String> {
+    fn to_waf_map(self) -> WafMap {
+        let mut map = WafMap::new(self.len() as u64);
 
         for (i, (k, v)) in self.into_iter().enumerate() {
             map[i] = (k.as_str(), v.as_str()).into();
@@ -120,11 +121,23 @@ impl ToWAFMap for HashMap<String, String> {
     }
 }
 
-trait Extractor<'d>: serde::de::Deserialize<'d> + IsValid {
-    fn extract(self) -> HTTPRequestData;
+enum RequestType {
+    APIGatewayV1, // Or Kong
+    APIGatewayV2Http,
+    APIGatewayV2Websocket,
+    APIGatewayLambdaAuthorizerToken,
+    APIGatewayLambdaAuthorizerRequest,
+    Alb,
+    LambdaFunctionUrl,
+}
+
+
+trait Extractor {
+    const TYPE: RequestType;
+    fn extract(self) -> HttpRequestData;
 }
 
-pub(super) fn extract_request_address_data(body: &Bytes) -> Option<WAFMap> {
+pub(super) fn extract_request_address_data(body: &Bytes) -> Option<WafMap> {
     let reader = body.clone().reader();
     let data: serde_json::Map<String, serde_json::Value> = match serde_json::from_reader(reader) {
         Ok(data) => data,
@@ -185,7 +198,7 @@ pub(super) fn extract_request_address_data(body: &Bytes) -> Option<WAFMap> {
     None
 }
 
-pub(super) fn extract_response_address_data(body: &Bytes) -> Option<WAFMap> {
+pub(super) fn extract_response_address_data(body: &Bytes) -> Option<WafMap> {
     let reader = body.clone().reader();
     let data: serde_json::Map<String, serde_json::Value> = match serde_json::from_reader(reader) {
         Ok(data) => data,

bottlecap/src/appsec/payload/mod.rs

@@ -1,4 +1,4 @@
-use super::{Extractor, HTTPRequestData, IsValid};
+use super::{Extractor, HttpRequestData, IsValid, RequestType};
 
 use std::collections::hash_map::Entry;
 use std::collections::HashMap;
@@ -9,7 +9,7 @@ use aws_lambda_events::{
     lambda_function_urls, s3, sns, sqs,
 };
 use bytes::Buf;
-use libddwaf::object::{WAFObject, WAFString};
+use libddwaf::object::{WafObject, WafString};
 use tracing::debug;
 
 /// Kong API Gateway events are a subset of [`apigw::ApiGatewayProxyRequest`].
@@ -49,8 +49,10 @@ impl IsValid for apigw::ApiGatewayProxyRequest {
             && !apigw::ApiGatewayCustomAuthorizerRequestTypeRequest::is_valid(map)
     }
 }
-impl Extractor<'_> for apigw::ApiGatewayProxyRequest {
-    fn extract(self) -> HTTPRequestData {
+impl Extractor for apigw::ApiGatewayProxyRequest {
+    const TYPE: RequestType = RequestType::APIGatewayV1;
+
+    fn extract(self) -> HttpRequestData {
         let (headers, cookies) = filter_headers(self.multi_value_headers);
 
         // Headers are normalized to lowercase by [`filter_headers`].
@@ -61,7 +63,7 @@ impl Extractor<'_> for apigw::ApiGatewayProxyRequest {
                 .flatten()
         });
 
-        HTTPRequestData {
+        HttpRequestData {
             source_ip: self.request_context.identity.source_ip.clone(),
             route: self.resource,
             client_ip: self.request_context.identity.source_ip, // API Gateway exposes the Client IP as the Source IP
@@ -102,8 +104,10 @@ impl IsValid for apigw::ApiGatewayV2httpRequest {
         }
     }
 }
-impl Extractor<'_> for apigw::ApiGatewayV2httpRequest {
-    fn extract(self) -> HTTPRequestData {
+impl Extractor for apigw::ApiGatewayV2httpRequest {
+    const TYPE: RequestType = RequestType::APIGatewayV2Http;
+
+    fn extract(self) -> HttpRequestData {
         let (headers, cookies) = filter_headers(self.headers);
 
         let content_type = headers["content-type"].first().map(String::as_str);
@@ -113,7 +117,7 @@ impl Extractor<'_> for apigw::ApiGatewayV2httpRequest {
                 .flatten()
         });
 
-        HTTPRequestData {
+        HttpRequestData {
             source_ip: self.request_context.http.source_ip.clone(),
             route: self.route_key,
             client_ip: self.request_context.http.source_ip, // API Gateway exposes the Client IP as the Source IP
@@ -135,8 +139,10 @@ impl IsValid for KongAPIGatewayEvent {
             && matches!(map.get("resource"), Some(serde_json::Value::String(_)))
     }
 }
-impl Extractor<'_> for KongAPIGatewayEvent {
-    fn extract(self) -> HTTPRequestData {
+impl Extractor for KongAPIGatewayEvent {
+    const TYPE: RequestType = RequestType::APIGatewayV1;
+
+    fn extract(self) -> HttpRequestData {
         self.0.extract()
     }
 }
@@ -153,8 +159,10 @@ impl IsValid for apigw::ApiGatewayWebsocketProxyRequest {
         }
     }
 }
-impl Extractor<'_> for apigw::ApiGatewayWebsocketProxyRequest {
-    fn extract(self) -> HTTPRequestData {
+impl Extractor for apigw::ApiGatewayWebsocketProxyRequest {
+    const TYPE: RequestType = RequestType::APIGatewayV2Websocket;
+
+    fn extract(self) -> HttpRequestData {
         let (headers, cookies) = filter_headers(self.multi_value_headers);
 
         let content_type = headers["content-type"].first().map(String::as_str);
@@ -164,7 +172,7 @@ impl Extractor<'_> for apigw::ApiGatewayWebsocketProxyRequest {
                 .flatten()
         });
 
-        HTTPRequestData {
+        HttpRequestData {
             source_ip: self.request_context.identity.source_ip.clone(),
             route: self.resource,
             client_ip: self.request_context.identity.source_ip, // API Gateway exposes the Client IP as the Source IP
@@ -194,9 +202,11 @@ impl IsValid for apigw::ApiGatewayCustomAuthorizerRequest {
         }
     }
 }
-impl Extractor<'_> for apigw::ApiGatewayCustomAuthorizerRequest {
-    fn extract(self) -> HTTPRequestData {
-        HTTPRequestData {
+impl Extractor for apigw::ApiGatewayCustomAuthorizerRequest {
+    const TYPE: RequestType = RequestType::APIGatewayLambdaAuthorizerToken;
+
+    fn extract(self) -> HttpRequestData {
+        HttpRequestData {
             source_ip: None,
             route: None,
             client_ip: None,
@@ -238,13 +248,15 @@ impl IsValid for apigw::ApiGatewayCustomAuthorizerRequestTypeRequest {
         }
     }
 }
-impl Extractor<'_> for apigw::ApiGatewayCustomAuthorizerRequestTypeRequest {
-    fn extract(self) -> HTTPRequestData {
+impl Extractor for apigw::ApiGatewayCustomAuthorizerRequestTypeRequest {
+    const TYPE: RequestType = RequestType::APIGatewayLambdaAuthorizerRequest;
+
+    fn extract(self) -> HttpRequestData {
         let source_ip = self.request_context.identity.and_then(|i| i.source_ip);
 
         let (headers, cookies) = filter_headers(self.headers);
 
-        HTTPRequestData {
+        HttpRequestData {
             source_ip: source_ip.clone(),
             route: self.resource,
             client_ip: source_ip,
@@ -272,8 +284,10 @@ impl IsValid for alb::AlbTargetGroupRequest {
         }
     }
 }
-impl Extractor<'_> for alb::AlbTargetGroupRequest {
-    fn extract(self) -> HTTPRequestData {
+impl Extractor for alb::AlbTargetGroupRequest {
+    const TYPE: RequestType = RequestType::Alb;
+
+    fn extract(self) -> HttpRequestData {
         // Based on configuration, ALB provides headers EITHER in multi-value form OR in single-value form, never both.
         let (headers, cookies) = filter_headers(if self.multi_value_headers.is_empty() {
             self.headers
@@ -294,7 +308,7 @@ impl Extractor<'_> for alb::AlbTargetGroupRequest {
                 .flatten()
         });
 
-        HTTPRequestData {
+        HttpRequestData {
             source_ip: None,
             route: None,
             client_ip: None,
@@ -375,8 +389,10 @@ impl IsValid for lambda_function_urls::LambdaFunctionUrlRequest {
         }
     }
 }
-impl Extractor<'_> for lambda_function_urls::LambdaFunctionUrlRequest {
-    fn extract(self) -> HTTPRequestData {
+impl Extractor for lambda_function_urls::LambdaFunctionUrlRequest {
+    const TYPE: RequestType = RequestType::LambdaFunctionUrl;
+
+    fn extract(self) -> HttpRequestData {
         let (headers, cookies) = filter_headers(self.headers);
 
         let content_type = headers["content-type"].first().map(String::as_str);
@@ -386,7 +402,7 @@ impl Extractor<'_> for lambda_function_urls::LambdaFunctionUrlRequest {
                 .flatten()
         });
 
-        HTTPRequestData {
+        HttpRequestData {
             source_ip: self.request_context.http.source_ip.clone(),
             route: None,
             client_ip: self.request_context.http.source_ip,
@@ -458,7 +474,7 @@ fn parse_body(
     body: impl AsRef<[u8]>,
     is_base64_encoded: bool,
     content_type: Option<&str>,
-) -> Result<Option<WAFObject>, Box<dyn std::error::Error>> {
+) -> Result<Option<WafObject>, Box<dyn std::error::Error>> {
     let body = body.as_ref();
     let reader: Box<dyn Read> = if is_base64_encoded {
         Box::new(base64::read::DecoderReader::new(
@@ -481,7 +497,7 @@ fn parse_body(
         (mime::APPLICATION, mime::WWW_FORM_URLENCODED) => todo!(),
         (mime::APPLICATION | mime::TEXT, mime::XML) => todo!(),
         (mime::MULTIPART, mime::FORM_DATA) => todo!(),
-        (mime::TEXT, mime::PLAIN) => Some(WAFString::new(body).into()),
+        (mime::TEXT, mime::PLAIN) => Some(WafString::new(body).into()),
         _ => {
             debug!("appsec: unsupported content type: {mime_type}");
             None

bottlecap/src/appsec/payload/request.rs

@@ -4,7 +4,7 @@ use crate::appsec::{is_enabled, is_standalone, payload};
 use crate::config::Config;
 
 use bytes::Bytes;
-use libddwaf::object::{WAFMap, WAFOwned};
+use libddwaf::object::{WafMap, WafOwned};
 use libddwaf::{Builder, Config as WAFConfig, Context, Handle};
 use tracing::{debug, info, warn};
 /// The App & API Protection processor.
@@ -13,7 +13,7 @@ use tracing::{debug, info, warn};
 /// the request payload, and evaluate in-app WAF rules against that data.
 pub struct Processor {
     handle: Handle,
-    diagnostics: WAFOwned<WAFMap>,
+    diagnostics: WafOwned<WafMap>,
     waf_timeout: Duration,
 }
 
@@ -42,7 +42,7 @@ impl Processor {
         };
 
         let rules = Self::get_rules(config)?;
-        let mut diagnostics = WAFOwned::<WAFMap>::default();
+        let mut diagnostics = WafOwned::<WafMap>::default();
         if !builder.add_or_update_config("rules", &rules, Some(&mut diagnostics)) {
             return Err("Failed to add ruleset to the WAF builder".into());
         }
@@ -93,7 +93,7 @@ impl Processor {
 
     /// Parses the App & API Protection ruleset from the provided [Config], falling back to the
     /// default built-in ruleset if the [Config] has [None].
-    fn get_rules(config: &Config) -> Result<WAFMap, Box<dyn std::error::Error>> {
+    fn get_rules(config: &Config) -> Result<WafMap, Box<dyn std::error::Error>> {
         // Default on recommended rules
         match &config.appsec_rules {
             None => {
@@ -117,7 +117,7 @@ pub struct ProcessorContext {
 }
 impl ProcessorContext {
     /// Evaluates the in-app WAF rules against the provided address data.
-    fn run(&mut self, address_data: WAFMap) {
+    fn run(&mut self, address_data: WafMap) {
         let result = match self
             .waf_context
             .run(Some(address_data), None, self.waf_timeout)