Merge branch 'master' into anilm3/global-context

.github/workflows/build.yml

@@ -54,24 +54,18 @@ jobs:
             ${{ github.workspace }}/packages/*.sha256
 
   macos-build:
-    runs-on: macos-14
-    strategy:
-      fail-fast: false
-      matrix:
-        arch:
-          - x86_64
-          - arm64
+    runs-on: macos-12
     steps:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Create Build Directory
         run: cmake -E make_directory ${{ github.workspace }}/build ${{ github.workspace }}/packages
       - name: Generating Build Scripts
-        run: cmake -DCMAKE_OSX_ARCHITECTURES=${{ matrix.arch }} -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_INSTALL_PREFIX=${{ github.workspace }} -DCPACK_PACKAGE_DIRECTORY=${{ github.workspace }}/packages ${{ github.workspace }}
+        run: cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DMACOSX_DEPLOYMENT_TARGET=10.9 -DCMAKE_INSTALL_PREFIX=${{ github.workspace }} -DCPACK_PACKAGE_DIRECTORY=${{ github.workspace }}/packages ${{ github.workspace }}
         working-directory: ${{ github.workspace }}/build
       - name: Build Binaries
-        run: cmake --build . --config RelWithDebInfo --verbose --target all --target waf_test -j $(getconf _NPROCESSORS_ONLN)
+        run: cmake --build . --config RelWithDebInfo --verbose --target all --target waf_test -j
         working-directory: ${{ github.workspace }}/build
       - name: Test
         run: ${{ github.workspace }}/build/tests/waf_test
@@ -87,14 +81,44 @@ jobs:
         run: for file in *.tar.gz; do shasum -a 256 "$file" > "$file.sha256"; done
       - uses: actions/upload-artifact@v4
         with:
-          name: libddwaf-macos-${{ matrix.arch }}
+          name: libddwaf-macos-x86_64
+          path: |
+            ${{ github.workspace }}/packages/*.tar.gz
+            ${{ github.workspace }}/packages/*.sha256
+
+  macos-cross-build:
+    runs-on: macos-12
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Create Build Directory
+        run: cmake -E make_directory ${{ github.workspace }}/build ${{ github.workspace }}/packages
+      - name: Generating Build Scripts
+        run: cmake -DCMAKE_OSX_ARCHITECTURES=arm64 -DCMAKE_BUILD_TYPE=RelWithDebInfo -DMACOSX_DEPLOYMENT_TARGET=10.9 -DCMAKE_INSTALL_PREFIX=${{ github.workspace }} -DCPACK_PACKAGE_DIRECTORY=${{ github.workspace }}/packages ${{ github.workspace }}
+        working-directory: ${{ github.workspace }}/build
+      - name: Build Binaries
+        run: cmake --build . --config RelWithDebInfo --verbose --target all -j
+        working-directory: ${{ github.workspace }}/build
+      - name: Build Packages
+        run: cmake --build . --target package --config RelWithDebInfo --verbose
+        working-directory: ${{ github.workspace }}/build
+      - name: Remove Temporary Files
+        run: cmake -E remove_directory _CPack_Packages
+        working-directory: ${{ github.workspace }}/packages
+      - name: Generate Package sha256
+        working-directory: ${{ github.workspace }}/packages
+        run: for file in *.tar.gz; do shasum -a 256 "$file" > "$file.sha256"; done
+      - uses: actions/upload-artifact@v4
+        with:
+          name: libddwaf-macos-arm64
           path: |
             ${{ github.workspace }}/packages/*.tar.gz
             ${{ github.workspace }}/packages/*.sha256
 
   macos-universal-package:
-    runs-on: macos-14
-    needs: [macos-build]
+    runs-on: macos-12
+    needs: [macos-build, macos-cross-build]
     steps:
       - uses: actions/checkout@v4
       - uses: actions/download-artifact@v4
@@ -123,14 +147,6 @@ jobs:
           # Change the current folder name with the universal name
           mv ./pack-temp/osx/libddwaf-*-darwin-* ./pack-temp/osx/$universalName
 
-          echo "--- x86_64 target ---"
-          file ./pack-temp/osx-x64/$x64Name/lib/libddwaf.dylib
-          otool -l ./pack-temp/osx-x64/$x64Name/lib/libddwaf.dylib | egrep "(minos|sdk)"
-
-          echo "--- arm64 target ---"
-          file ./pack-temp/osx-arm64/$arm64Name/lib/libddwaf.dylib
-          otool -l ./pack-temp/osx-arm64/$arm64Name/lib/libddwaf.dylib | egrep "(minos|sdk)"
-
           # Create the universal binary for the shared library: libddwaf.dylib
           lipo ./pack-temp/osx-x64/$x64Name/lib/libddwaf.dylib ./pack-temp/osx-arm64/$arm64Name/lib/libddwaf.dylib -create -output ./pack-temp/osx/$universalName/lib/libddwaf.dylib
           # Check the universal binary
@@ -301,7 +317,7 @@ jobs:
           path: ${{ github.workspace }}/output-packages
 
   release:
-    needs: [ windows-builds, macos-build, docker-builds, linux-musl-build, package-nuget]
+    needs: [ windows-builds, macos-build, macos-cross-build, docker-builds, linux-musl-build, package-nuget]
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/')
     permissions:

CHANGELOG.md

@@ -1,5 +1,12 @@
 # libddwaf release
 
+## v1.20.1 ([unstable](https://github.com/DataDog/libddwaf/blob/master/README.md#versioning-semantics))
+#### Changes
+- Shell injection for array-based resources ([#333](https://github.com/DataDog/libddwaf/pull/333))
+
+#### Fixes
+- Fix logic error on `lfi_detector` for windows and introduce `lfi_detector@v2` ([#346](https://github.com/DataDog/libddwaf/pull/346))
+
 ## v1.20.0 ([unstable](https://github.com/DataDog/libddwaf/blob/master/README.md#versioning-semantics))
 ### New features
 This new version of `libddwaf` introduces a small set of convenience features and expands some of the existing functionality.

CMakeLists.txt

@@ -4,10 +4,6 @@ file(READ "version" version)
 
 string(REGEX REPLACE "-(alpha|beta)[0-9]*$" "" mmp_version ${version})
 
-if (APPLE)
-    set(CMAKE_OSX_DEPLOYMENT_TARGET "12.7" CACHE STRING "Minimum OS X deployment version")
-endif()
-
 project(libddwaf VERSION "${mmp_version}")
 
 # Resetting the version allows for alpha and beta suffix releases
@@ -39,6 +35,10 @@ option(LIBDDWAF_VECTORIZED_TRANSFORMERS "Enable vectorization for transformers"
 option(LIBDDWAF_ENABLE_LTO "Enable link-time optimisation" OFF)
 
 if(NOT MSVC)
+    if (APPLE)
+        set(CMAKE_OSX_DEPLOYMENT_TARGET "10.12" CACHE STRING "Minimum OS X deployment version")
+    endif()
+
     add_compile_options(-Wall -Wextra -Wno-narrowing)
     if (CMAKE_BUILD_TYPE MATCHES Debug OR CMAKE_BUILD_TYPE MATCHES RelWithDebInfo)
         add_compile_options(-ggdb)
@@ -65,18 +65,6 @@ try_compile(STDLIB_MAP_RECURSIVE ${CMAKE_CURRENT_BINARY_DIR}
     SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/cmake/try_rec_map.cpp
     CXX_STANDARD 20)
 
-try_compile(STDLIB_MEMORY_RESOURCE_FTM ${CMAKE_CURRENT_BINARY_DIR}
-    SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/cmake/try_mem_resource_ftm.cpp
-    CXX_STANDARD 20)
-
-try_compile(STDLIB_MONOTONIC_RESOURCE ${CMAKE_CURRENT_BINARY_DIR}
-    SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/cmake/try_monotonic_resource.cpp
-    CXX_STANDARD 20)
-
-message(STATUS "Has recursive unordered_map    : ${STDLIB_MAP_RECURSIVE}")
-message(STATUS "Has memory_resource test macro : ${STDLIB_MEMORY_RESOURCE_FTM}")
-message(STATUS "Has monotonic_resource         : ${STDLIB_MONOTONIC_RESOURCE}")
-
 # System dependencies
 set(LIBDDWAF_INTERFACE_LIBRARIES "")
 if(LINUX)

cmake/objects.cmake

@@ -135,12 +135,6 @@ function(gen_objects target_name)
         target_compile_definitions(${target_name} PRIVATE HAS_NONRECURSIVE_UNORDERED_MAP)
     endif()
 
-    if (NOT STDLIB_MEMORY_RESOURCE_FTM AND STDLIB_MONOTONIC_RESOURCE)
-        # For some reason __cpp_lib_memory_resource seems to be missing in macos-14 when
-        # using the correct CMAKE_OSX_DEPLOYMENT_TARGET
-        target_compile_definitions(${target_name} PRIVATE __cpp_lib_memory_resource)
-    endif()
-
     if (LIBDDWAF_VECTORIZED_TRANSFORMERS)
         target_compile_definitions(${target_name} PRIVATE LIBDDWAF_VECTORIZED_TRANSFORMERS)
     endif()

cmake/package.cmake

@@ -3,7 +3,7 @@
 install(FILES ${libddwaf_SOURCE_DIR}/include/ddwaf.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR})
 install(EXPORT libddwaf-config DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/cmake/libddwaf)
 
-if(APPLE AND CMAKE_OSX_ARCHITECTURES MATCHES "x86_64")
+if(APPLE AND CMAKE_OSX_ARCHITECTURES MATCHES "arm64")
     set(LIBDDWAF_PACKAGE_PROCESSOR ${CMAKE_OSX_ARCHITECTURES} CACHE STRING "Alternative processor for packaging purposes")
 else()
     set(LIBDDWAF_PACKAGE_PROCESSOR ${CMAKE_SYSTEM_PROCESSOR} CACHE STRING "Alternative processor for packaging purposes")

src/condition/lfi_detector.cpp

@@ -71,7 +71,7 @@ bool lfi_impl_windows(std::string_view path, std::string_view param)
 {
     static constexpr std::size_t min_str_len = 2;
 
-    if (param.size() < min_str_len && !path.ends_with(param)) {
+    if (param.size() < min_str_len || !path.ends_with(param)) {
         return false;
     }
 

src/condition/lfi_detector.hpp

@@ -12,7 +12,7 @@ namespace ddwaf {
 
 class lfi_detector : public base_impl<lfi_detector> {
 public:
-    static constexpr unsigned version = 1;
+    static constexpr unsigned version = 2;
     static constexpr std::array<std::string_view, 2> param_names{"resource", "params"};
 
     explicit lfi_detector(std::vector<condition_parameter> args, const object_limits &limits = {})

src/condition/match_iterator.hpp

@@ -10,11 +10,13 @@
 
 namespace ddwaf {
 
-template <std::size_t MinLength = 2, typename Iterator = object::kv_iterator> class match_iterator {
+template <std::size_t MinLength = 2, typename IteratorType = object::kv_iterator,
+    typename ResourceType = std::string_view>
+class match_iterator {
 public:
     static constexpr std::size_t npos = std::string_view::npos;
 
-    explicit match_iterator(std::string_view resource, const ddwaf_object *obj,
+    explicit match_iterator(ResourceType resource, const ddwaf_object *obj,
         const exclusion::object_set_ref &exclude, const object_limits &limits = object_limits())
         : resource_(resource), it_(obj, {}, exclude, limits)
     {
@@ -76,10 +78,10 @@ template <std::size_t MinLength = 2, typename Iterator = object::kv_iterator> cl
     }
 
 protected:
-    std::string_view resource_;
+    ResourceType resource_;
     std::string_view current_param_{};
     std::size_t current_index_{npos};
-    Iterator it_;
+    IteratorType it_;
 };
 
 } // namespace ddwaf