feat(libddwaf): bump to 1.20.1

appsec/tests/helper/client_test.cpp

@@ -155,7 +155,7 @@ TEST(ClientTest, ClientInit)
     EXPECT_STREQ(msg_res->status.c_str(), "ok");
     EXPECT_EQ(msg_res->meta.size(), 2);
     EXPECT_STREQ(
-        msg_res->meta[std::string(tag::waf_version)].c_str(), "1.18.0");
+        msg_res->meta[std::string(tag::waf_version)].c_str(), "1.20.1");
     EXPECT_STREQ(
         msg_res->meta[std::string(tag::event_rules_errors)].c_str(), "{}");
 
@@ -264,7 +264,7 @@ TEST(ClientTest, ClientInitInvalidRules)
     EXPECT_STREQ(msg_res->status.c_str(), "ok");
     EXPECT_EQ(msg_res->meta.size(), 2);
     EXPECT_STREQ(
-        msg_res->meta[std::string(tag::waf_version)].c_str(), "1.18.0");
+        msg_res->meta[std::string(tag::waf_version)].c_str(), "1.20.1");
 
     rapidjson::Document doc;
     doc.Parse(msg_res->meta[std::string(tag::event_rules_errors)]);
@@ -637,8 +637,8 @@ TEST(ClientTest, EventWithMultipleActions)
         EXPECT_EQ(msg_res->actions.size(),
             3); // Block is not generated since there is a redirect
         EXPECT_STREQ(msg_res->actions[0].verdict.c_str(), "redirect");
-        EXPECT_STREQ(
-            msg_res->actions[0].parameters["location"].c_str(), "localhost");
+        EXPECT_STREQ(msg_res->actions[0].parameters["location"].c_str(),
+            "https://localhost");
         EXPECT_STREQ(
             msg_res->actions[0].parameters["status_code"].c_str(), "303");
         EXPECT_STREQ(msg_res->actions[1].verdict.c_str(),

appsec/tests/helper/engine_test.cpp

@@ -4,14 +4,13 @@
 // This product includes software developed at Datadog
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #include "common.hpp"
-#include "json_helper.hpp"
 #include <engine.hpp>
 #include <memory>
 #include <rapidjson/document.h>
 #include <subscriber/waf.hpp>
 
 const std::string waf_rule =
-    R"({"version":"2.1","rules":[{"id":"1","name":"rule1","tags":{"type":"flow1","category":"category1"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"arg1","key_path":[]}],"regex":"^string.*"}},{"operator":"match_regex","parameters":{"inputs":[{"address":"arg2","key_path":[]}],"regex":".*"}}]}]})";
+    R"({"version":"2.1","rules":[{"id":"1","name":"rule1","tags":{"type":"flow1","category":"category1"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"arg1","key_path":[]}],"regex":"^string.*"}},{"operator":"match_regex","parameters":{"inputs":[{"address":"arg2","key_path":[]}],"regex":".*"}}]},{"id":"2","name":"rule2","tags":{"type":"flow2","category":"category2"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"arg3","key_path":[]}],"regex":"^string.*"}}]}]})";
 const std::string waf_rule_with_data =
     R"({"version":"2.1","rules":[{"id":"blk-001-001","name":"Block IP Addresses","tags":{"type":"block_ip","category":"security_response"},"conditions":[{"parameters":{"inputs":[{"address":"http.client_ip"}],"data":"blocked_ips"},"operator":"ip_match"}],"transformers":[],"on_match":["block"]}]})";
 
@@ -704,7 +703,7 @@ TEST(EngineTest, WafSubscriptorUpdateRuleOverrideAndActions)
             R"({"rules_override": [{"rules_target":[{"rule_id":"1"}],
              "on_match": ["redirect"]}], "actions": [{"id": "redirect",
              "type": "redirect_request", "parameters": {"status_code": "303",
-             "location": "localhost"}}]})");
+             "location": "https://localhost"}}]})");
         e->update(update, meta, metrics);
     }
 

appsec/tests/helper/main.cpp

@@ -190,7 +190,7 @@ std::string create_sample_rules_ok()
       "id": "redirect",
       "type": "redirect_request",
       "parameters": {
-        "location": "localhost"
+        "location": "https://localhost"
       }
     }
   ]

appsec/tests/helper/remote_config/listeners/engine_listener_test.cpp

@@ -6,18 +6,16 @@
 
 #include "../../common.hpp"
 #include "../mocks.hpp"
-#include "base64.h"
 #include "engine.hpp"
 #include "json_helper.hpp"
 #include "remote_config/exception.hpp"
 #include "remote_config/listeners/engine_listener.hpp"
-#include "remote_config/product.hpp"
 #include "subscriber/waf.hpp"
 #include <memory>
 #include <rapidjson/writer.h>
 
 const std::string waf_rule =
-    R"({"version":"2.1","rules":[{"id":"1","name":"rule1","tags":{"type":"flow1","category":"category1"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"arg1","key_path":[]}],"regex":".*"}}]}]})";
+    R"({"version":"2.1","rules":[{"id":"1","name":"rule1","tags":{"type":"flow1","category":"category1"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"arg1","key_path":[]}],"regex":".*"}}]},{"id":"2","name":"rule2","tags":{"type":"flow2","category":"category2"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"dummy","key_path":[]}],"regex":".*"}}]}]})";
 
 namespace dds::remote_config {
 
@@ -978,7 +976,7 @@ TEST(RemoteConfigEngineListener, EngineRuleOverrideAndActionsUpdate)
     }
     const std::string update =
         R"({"actions": [{"id": "redirect", "type": "redirect_request", "parameters":
-            {"status_code": "303", "location": "localhost"}}],"rules_override":
+            {"status_code": "303", "location": "https://localhost"}}],"rules_override":
             [{"rules_target": [{"rule_id": "1"}], "on_match": ["redirect"]}]})";
 
     listener.on_update(get_config("ASM", update));

appsec/tests/helper/waf_test.cpp

@@ -48,7 +48,7 @@ TEST(WafTest, InitWithInvalidRules)
         waf::instance::from_settings(cs, ruleset, meta, metrics)};
 
     EXPECT_EQ(meta.size(), 2);
-    EXPECT_STREQ(meta[std::string(tag::waf_version)].c_str(), "1.18.0");
+    EXPECT_STREQ(meta[std::string(tag::waf_version)].c_str(), "1.20.1");
 
     rapidjson::Document doc;
     doc.Parse(meta[std::string(tag::event_rules_errors)]);

appsec/tests/integration/build.gradle

@@ -333,7 +333,6 @@ def buildAppSecTask = { String version, String variant ->
                         cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo \\
                               -DCMAKE_INSTALL_PREFIX=/appsec \\
                               -DDD_APPSEC_ENABLE_PATCHELF_LIBC=ON \\
-                              -DCMAKE_TOOLCHAIN_FILE=/build/Toolchain.cmake \\
                               -DDD_APPSEC_TESTING=ON /project/appsec
                     make -j extension ddappsec-helper && \\
                         touch ddappsec.so libddappsec-helper.so

appsec/tests/integration/gradle/images.gradle

@@ -33,7 +33,7 @@ tasks.register('buildToolchain', Exec) {
     description = "Build the toolchain image"
     inputs.dir 'src/docker/toolchain'
     outputs.upToDateWhen imageUpToDate(inputs, "$repo:toolchain")
-    commandLine 'docker', 'build', '-t', "$repo:toolchain", 'src/docker/toolchain'
+    commandLine 'docker', 'build', '-t', "$repo:toolchain", 'src/docker/toolchain', "--build-arg", "ARCH=$arch"
 }
 
 tasks.register('buildPhpDeps', Exec) {

appsec/tests/integration/src/docker/apache2-fpm/Dockerfile

@@ -3,8 +3,10 @@ ARG VARIANT
 FROM datadog/dd-appsec-php-ci:php-$PHP_VERSION-$VARIANT
 
 RUN apt-get update && apt-get install -y \
-	apache2 \
-	&& rm -rf /var/lib/apt/lists/*
+    apache2 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN usermod -a -G linux_users www-data
 
 RUN rm -rf /var/www/html
 RUN sed -i '/<Directory \/var\/www\/>/,/<\/Directory>/s/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf

appsec/tests/integration/src/docker/apache2-mod/Dockerfile

@@ -3,8 +3,10 @@ ARG VARIANT
 FROM datadog/dd-appsec-php-ci:php-$PHP_VERSION-$VARIANT
 
 RUN apt-get update && apt-get install -y \
-	apache2 \
-	&& rm -rf /var/lib/apt/lists/*
+    apache2 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN usermod -a -G linux_users www-data
 
 RUN rm -rf /var/www/html
 RUN sed -i 's@/var/www/html@/var/www/public@' /etc/apache2/sites-available/000-default.conf

appsec/tests/integration/src/docker/nginx-fpm/Dockerfile

@@ -4,8 +4,10 @@ ARG VARIANT
 FROM datadog/dd-appsec-php-ci:php-$PHP_VERSION-$VARIANT
 
 RUN apt-get update && apt-get install -y \
-	nginx \
-	&& rm -rf /var/lib/apt/lists/*
+    nginx \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN usermod -a -G linux_users www-data
 
 RUN rm -rf /var/www/html
 

appsec/tests/integration/src/docker/php/Dockerfile

@@ -35,4 +35,7 @@ ENV CARGO_HOME=/root/.cargo
 ENV RUSTUP_HOME=/root/.rustup
 ENV LD_LIBRARY_PATH=/root/php/icu-60/lib
 
+RUN groupadd -g 1000 linux_users && \
+    useradd -G linux_users -u 1000 linux_user
+
 ENTRYPOINT ["php"]

appsec/tests/integration/src/docker/toolchain/CHECKSUMS

@@ -1,10 +1,2 @@
-9b0b259cc43d5e4d20200676be153de81b485b3fdf065623ff71c7e1894ec5c8ed9d99c1416f70246ab0f417cbba6d1d4af9f3769e2e6577400681a791346231  compiler-rt-11.1.0.src.tar.xz
-a1d2e3f5ad529a04f87059903b31fc3c9803cd86f44aed1aebd87ce7e423d8dd2b6776be12e85a0374a6215f581420438d224c130aad5e6355920af32c02aa7b  compiler-rt-10.0.1.src.tar.xz
-d77145858cda538127b631a8072fafc3fa01a5a9648d4ca1cb6d563009061c56f93ca606f4f7f9e706d5cc0dd8f4e0895f496439ca173f175a1c8ee740b5d30a  gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu.tar.xz
-af5333da5b90f4a46a5184532164f4c6522e3c03a580131627c0f167ab98fb3e71b3e15518d6e22414141484ec5ab0d184294ae7f10034ebfed28e7072836b28  libcxx-11.1.0.src.tar.xz
-0bf3806fd9382ca6790ca2a8e991424caf64e81415386875243565034243f2ac7442c596e3c55ece80932c2ec59b71801e3e415dedc9db4dd4c3f66b6a893558  libcxxabi-11.1.0.src.tar.xz
-507f29cf1a318d9761fe6306b2e9b57c02a342f138b47ec5420dce527132a33f7affcd386913792c472ceeb9fb1c1b105bba3234a1575aae0f68024e94c8d596  libunwind-11.1.0.src.tar.xz
-07bf9973384151a18d5cc2892103e5f28a88c632e8e49662fde56d123632f2ed1b3710fa7a87b6b821955d0ec44160ff36f2aa4f233e389e14d628e9bf8dc764  llvm-11.1.0.src.tar.xz
-5344b581bd6463d71af8c13e91792fa51f25a96a1ecbea81e42664b63d90b325aeb421dfbc8c22e187397ca08e84d9296a0c0c299ba04fa2b751d6864914bd82  musl-1.2.2.tar.gz
 9591360672ba6192c606404caf70101538728a1cd5d548efcbb952f663f182bd1954d63743ffc9dd18f5c649a62a042c5e36d1ff423634dfd074f672dd1f4af9  cmake-3.28.0-linux-x86_64.tar.gz
 48a20095711870b23bd5db342de0e058a7c6876bafad4c6ce9ff9bce672ca1e95ed9ac890d519b0884cd277d091575eda7e60a97cad377ee57c1e20dee25feb1  cmake-3.28.0-linux-aarch64.tar.gz

appsec/tests/integration/src/docker/toolchain/Dockerfile

@@ -1,14 +1,24 @@
 FROM debian@sha256:08db48d59c0a91afb802ebafc921be3154e200c452e4d0b19634b426b03e0e25 AS toolchain
-RUN apt-get update && \
-	apt-get install -y curl xz-utils make file lld clang git patchelf gcc libgcc-s1 sed autoconf wget libssl-dev wget libxml2
+
+RUN apt-get update && apt-get install -y \
+  binutils \
+  build-essential \
+  curl \
+  git \
+  gnupg \
+  libncurses5-dev \
+  lld \
+  lsb-release \
+  patchelf \
+  software-properties-common \
+  wget \
+  wget \
+  xz-utils
 
 RUN ln -s /bin/sed /usr/bin/sed
-RUN mkdir /build
-ADD . /build/
+COPY . /build/
 
 RUN wget https://github.com/Kitware/CMake/releases/download/v3.28.0/cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz && \
-    grep -F "cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz" ./build/CHECKSUMS | sha512sum --check && \
-    tar --strip-components=1 -C /usr/local -xvzf cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz && \
-    rm cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz
-
-RUN cd /build && make install && make clean
+  grep -F "cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz" ./build/CHECKSUMS | sha512sum --check && \
+  tar --strip-components=1 -C /usr/local -xvzf cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz && \
+  rm cmake-3.28.0-linux-$(arch | sed s/arm/aarch/).tar.gz