v1.18.0 (unstable)
This version introduces a new operator `sqli_detector` for the detection of SQL injections. In addition, the ruleset parser has been updated to allow non-string parameter values on action definitions.
- SQL Injection (SQLi) Detection Operator (#284)
- Fix mishandling invalid actions key type (#286)
- Convert non-string object types into string during ruleset parsing (#285)
- Use SSE4.1 ceilf when available and add badges to readme (#288)
- SQLi Detector Fuzzer and improvements (#291)
v1.17.0 (unstable)
This new version introduces RASP rules and supporting features, including:
- Multivariate operators for the development of complex rules.
- A new operator `lfi_detector` for the detection of local file inclusion (LFI) / path traversal attacks.
- A new operator `ssrf_detector` for the detection of server-side request forgery (SSRF) attacks.
- Better support for rule actions, as well as internal default actions: `block`, `stack_trace` and `extract_schema`.
The upgrading guide has also been updated to cover the new breaking changes.
- Multivariate operator support (#241)
- Local file inclusion (LFI) operator (#258)
- Server-side request forgery (SSRF) detection operator (#268)
- Action semantics and related improvements (#277)
- Reduce benchmark noise (#257, #259, #260)
- Add support for old glibc (e.g. RHEL 6) (#262)
- Add weak ceilf symbol and definition (#263)
- Fix parsing of variadic arguments (#267)
- Update node-16 actions to node-20 ones (#266)
- Attempt to build libddwaf on arm64 runner (#270)
- Run tests on arm64 (#271)
- LFI detector fuzzer (#274)
- Remove rpath from linux-musl binary (#282)
v1.17.0-alpha3 (unstable)
- Action semantics and related improvements (#277)
- LFI detector fuzzer (#274)
v1.17.0-alpha2 (unstable)
- Server-side request forgery (SSRF) detection operator (#268)
v1.17.0-alpha1 (unstable)
- Fix parsing of variadic arguments (#267)
- Update node-16 actions to node-20 ones (#266)
v1.17.0-alpha0 (unstable)
v1.16.1 (unstable)
v1.16.0 (unstable)
- Address a libinjection false positive (#251)
- Remove a few fingerprints causing false positives (#252)
- Fix SSE2 lowercase transformer (#253)
- Build tools on CI to avoid breaking tool users (#229)
- Remove legacy linux builds (#230)
- Vendorize re2 and utf8proc (#231)
- Refactor cmake scripts and support LTO (#232)
- Microbenchmarks (#242, #243, #244, #245, #246, #247, #248, #250)
v1.15.1 (unstable)
- Fix duplicate processor check (#234)
v1.15.0 (unstable)
This new version of the WAF includes the following new features:
- Ephemeral addresses for composite requests
- Naive duplicate address support on input filters
- Required / Optional address diagnostics
The upgrading guide has also been updated to cover the new changes.
- Support ephemeral addresses on `ddwaf_run` (#219)
- Rename `ddwaf_required_addresses` to `ddwaf_known_addresses` (#221)
- Schema extraction scanners: reduce false positives on arrays (#220)
- Ephemeral addresses for rules & exclusion filters (#219)(#224)
- Address diagnostics (#221)
- Naive duplicate address support on input/object filters (#222)
- Update nuget packaging to use new musl linux binaries (#217)
- Validator improvements (#225)
- Use `fmt::format` for logging and vendorize some dependencies within `src/` (#226)
- Reduce linux binary size and fix some flaky tests (#227)
v1.14.0 (unstable)
This release of the WAF includes the following new features:
- Schema data classification through the use of scanners.
- A vectorized version of the `lowercase` transformer using SSE2.
- Generalized processors which are evaluated before or after filters and rules based on their outcome.
- Optimizations to avoid unnecessary rule and filter evaluation.
- Many other quality of life, correctness and performance improvements
- Rename `preprocessor` top-level key to `processor` (#209)
- Fix missing top-level key for processor diagnostics (#209)
- SSE2 lowercase transformer (#195)
- Reduce schema extraction limits (#208)
- Skip rule and filter evaluation when no new rule targets exist (#207)
- Refactor preprocessors into preprocessors and postprocessors (#209)
- Convert float to (un)signed within the parsing stage (#210)
- Scanners for schema scalar classification (#211)
- Remove ptr typedefs (#212)
- Indexer abstraction to encapsulate rule and scanner search and storage (#213)
v1.13.1 (unstable)
- Allow conversions between signed/unsigned types during parsing (#205)
v1.13.0 (unstable)
This new version of the WAF includes the following new features:
- Schema extraction preprocessor
- New and improved universal linux builds, including support for i386 and armv7
- `float` and `null` types
- Equals operator for arbitrary type equality comparison within conditions
- Many other quality of life, correctness and performance improvements
The upgrading guide has also been updated to cover the new changes.
- Add object types `DDWAF_OBJ_FLOAT` and `DDWAF_OBJ_NULL` (#197)
- Add `double` field `f64` in `ddwaf_object` (#197)
- Add `ddwaf_object_null`, `ddwaf_object_float` and `ddwaf_object_get_float` (#197)
- Rename `ddwaf_object_signed` to `ddwaf_object_string_from_signed` (#197)
- Rename `ddwaf_object_unsigned` to `ddwaf_object_string_from_unsigned` (#197)
- Rename `ddwaf_object_signed_force` to `ddwaf_object_signed` (#197)
- Rename `ddwaf_object_unsigned_force` to `ddwaf_object_unsigned` (#197)
- Add `derivatives` field to `ddwaf_result` for output objects generated through preprocessors (#182)
- Encapsulate conditions within expressions (#192)
- Equals operator and arbitrary operator type support (#194)
- Float and null type support (#197)
- Schema Extraction Preprocessor (#182)(#202)
- Minor improvements (#193)
- Rename operation to matcher (#196)
- Fix coverage (#199)
- Linux musl/libc++ builds using alpine-based sysroots and llvm16 (#198)(#200)(#201)
v1.12.0 (unstable)
- Per-input transformers support on exclusion filter conditions (#177)
- Read-only transformers (#178)(#185)(#190)
- Rule filter bypass / monitor mode support (#184)(#188)
- Object schemas (#174)
- Simple IP Match Benchmark (#176)
- Remove Manifest (#179)
- Reduce build parallelism (#183)
- Change standard to C++20 (#186)
v1.11.0 (unstable)
- Full ruleset parsing diagnostics (#161)
- Event result as `ddwaf_object` (#162)
- Replace `ddwaf_result.actions` with a `ddwaf_object` array (#165)
- Multithreaded fuzzer (#166)
- Fix benchmark, test output and update ruleset to 1.7.0 (#171)
- Validator: add support for per-directory tests and ruleset (#172)
- Rename examples directory to tools (#173)
- Update ruleset to 1.7.1 (#173)
- Refactor and simplify tools to reduce code duplication (#173)
v1.10.0 (unstable)
- Add all rule tags to event (#160)
v1.9.0 (unstable)
- Remove a libinjection signature (#145)
- Priority collection, rule and filter simplification (#150)
- Improve allocation / deallocation performance within the context using a `context_allocator` (#151)
- Longest rule data expiration takes precedence for `ip_match` and `exact_match` operators (#152)
- Custom rules support (#154)
- Add vdso support for aarch64 (#157)
- Upgrade CodeQL Github Action to v2 (#144)
- Fix broken builds (#147)
- Benchmark: context destroy fixture (#148)
- Remove unused json rule files and vendorise aho-corasick submodule (#153)
- Cancel jobs in progress (#158)
v1.8.2 (unstable)
- Use raw pointers instead of shared pointers for rule targets (#141)
v1.8.1 (unstable)
- Return `NULL` handle when incorrect version or empty rules provided to `ddwaf_init` (#139)
v1.8.0 (unstable)
- Add `ddwaf_update` for all-in-one ruleset updates (#138)
- Remove `ddwaf_required_rule_data_ids` (#138)
- Remove `ddwaf_update_rule_data` (#138)
- Remove `ddwaf_toggle_rules` (#138)
- Add WAF Builder (#138)
v1.7.0 (unstable) - 2023/02/06
v1.6.2 (unstable) - 2023/01/26
- Add boolean getter (#132)
- Add support for converting string to bool in parameter bool cast operator (#133)
- Add parameter `int64_t` cast operator (#133)
- Add support for `enabled` flag on ruleset parser (#133)
- Replace `isdigit` with custom version due to windows locale-dependence (#133)
- Minor fixes and parsing improvements (#133)
v1.6.1 (unstable) - 2023/01/17
v1.6.0 (unstable) - 2023/01/10
- Exclusion filters: targets and conditions (#110)
- Exclusion filters: inputs (#117)
- Add ID to exclusion filters (#120)
- Rework path trie for exclusion (#122)
- Priority collections (#123)
- Support for glob component and arrays on object filter (#124)
- Experiment building libddwaf on the oldest available macos target (#111)
- Strip libddwaf.a for darwin/linux release (#107)
- linux/aarch64: add missing libunwind.a artefact (#109)
- Add option to prevent loading test targets (#108)
- Upgrade deprecated actions (#114)
- Include mac arm binaries in nuget (#115)
- Run clang tidy / format on CI (#116)
- Exclusion filters on fuzzer (#118)
v1.5.1 (unstable) - 2022/09/22
- Add `ddwaf_required_rule_data_ids` to obtain the rule data IDs defined in the ruleset (#104)
- GTest `ddwaf_result` validators (#102)
- Replace `std::optional::value()` with `std::optional::operator*()` (#105)
- Add new and missing exports (#106)
v1.5.0 (unstable) - 2022/09/08
- Remove `ddwaf_version`, `ddwaf_get_version` now returns a version string (#89)
- Move free function from `ddwaf_context_init` to `ddwaf_config` (#89)
- Add `ddwaf_result.actions` struct containing a `char*` array and its size (#91)
- Add `ddwaf_update_rule_data` (#91)
- Remove `DDWAF_BLOCK` (#91)
- Rename `DDWAF_GOOD` to `DDWAF_OK` (#92)
- Rename `DDWAF_MONITOR` to `DDWAF_MATCH` (#92)
- Deanonymize nested structs (#97)
- Add `ddwaf_object_bool` for backwards-compatible support for boolean `ddwaf_object` (#99)
- Add `ddwaf_toggle_rules` to enable or disable rules at runtime (#99)
- Add `unicode_normalize` transformer (#82)
- Remove `PWRetriever`, `PWArgsWrapper`, `Iterator` and `ArgsIterator` (#77)
- Add `ddwaf::object_store` to manage all targets and objects provided to the WAF (#77)
- Add `ddwaf::value_iterator` for object value traversal (#77)
- Add `ddwaf::key_iterator` for object key traversal (#77)
- Simplify target manifest (#78)
- Remove input object validation (#85)
- Merge `PWAdditive` and `PWProcessor` and rename to `ddwaf::context` (#89)
- Rename `PowerWAF` to `ddwaf::waf` (#89)
- Add `ddwaf::timer` to abstract deadline (#89)
- Simplify rule processors (#89)
- Add `ip_match` operator and tests (#87)
- Refactor ip handling into `ip_utils` (#87)
- Add `exact_match` operator and tests (#87)
- Rename existing rule processors to more closely resemble their operator name (#87)
- Rename `IPWRuleProcessor` to `rule_processor_base` (#87)
- Add support for per-rule `on_match` array in ruleset (#91)
- Add optional `on_match` to JSON event format (#91)
- Remove `PWRetManager` and `MatchGatherer` (#91)
- Add `ddwaf::event` to collect all relevant rule match data in one structure (#91)
- Add `ddwaf::event_serializer` for JSON event (#91)
- Update processors to use `std::string_view` rather than `char *` and length (#91)
- Add `ddwaf::timeout_exception` to avoid error code propagation (#91)
- Disable the `1)c` libinjection fingerprint (#94)
- Configurable rule data (#96)
- Timeout error propagation (#89)
- Pass object limits configuration to iterators (#89)
- Apply string limits (#89)
- Fix missing exports (#101)
- Add `utf8proc` license (#84)
- Add codecov support (#86)
- Add CODEOWNERS (#88)
- Add `benchmerge` to merge multiple benchmark results (#85)
- Update ruleset version for testing to 1.3.2 (#101)
- Fix missing build flags from `utf8proc` build (#100)
v1.5.0-rc0 (unstable) - 2022/09/02
- Add `ddwaf_object_bool` for backwards-compatible support for boolean `ddwaf_object` (#99)
- Add `ddwaf_toggle_rules` to enable or disable rules at runtime (#99)
- Fix missing exports (#101)
- Update ruleset version for testing to 1.3.2 (#101)
- Fix missing build flags from `utf8proc` build (#100)
v1.5.0-alpha1 (unstable) - 2022/08/30
- Deanonymize nested structs (#97)
v1.5.0-alpha0 (unstable) - 2022/08/04
- Remove `ddwaf_version`, `ddwaf_get_version` now returns a version string (#89)
- Move free function from `ddwaf_context_init` to `ddwaf_config` (#89)
- Add `ddwaf_result.actions` struct containing a `char*` array and its size (#91)
- Add dummy `ddwaf_update_rule_data` for future use (#91)
- Remove `DDWAF_BLOCK` (#91)
- Rename `DDWAF_GOOD` to `DDWAF_OK` (#92)
- Rename `DDWAF_MONITOR` to `DDWAF_MATCH` (#92)
- Add `unicode_normalize` transformer (#82)
- Remove `PWRetriever`, `PWArgsWrapper`, `Iterator` and `ArgsIterator` (#77)
- Add `ddwaf::object_store` to manage all targets and objects provided to the WAF (#77)
- Add `ddwaf::value_iterator` for object value traversal (#77)
- Add `ddwaf::key_iterator` for object key traversal (#77)
- Simplify target manifest (#78)
- Remove input object validation (#85)
- Merge `PWAdditive` and `PWProcessor` and rename to `ddwaf::context` (#89)
- Rename `PowerWAF` to `ddwaf::waf` (#89)
- Add `ddwaf::timer` to abstract deadline (#89)
- Simplify rule processors (#89)
- Add `ip_match` operator and tests (#87)
- Refactor ip handling into `ip_utils` (#87)
- Add `exact_match` operator and tests (#87)
- Rename existing rule processors to more closely resemble their operator name (#87)
- Rename `IPWRuleProcessor` to `rule_processor_base` (#87)
- Add support for per-rule `on_match` array in ruleset (#91)
- Add optional `on_match` to JSON event format (#91)
- Remove `PWRetManager` and `MatchGatherer` (#91)
- Add `ddwaf::event` to collect all relevant rule match data in one structure (#91)
- Add `ddwaf::event_serializer` for JSON event (#91)
- Update processors to use `std::string_view` rather than `char *` and length (#91)
- Add `ddwaf::timeout_exception` to avoid error code propagation (#91)
- Timeout error propagation (#89)
- Pass object limits configuration to iterators (#89)
- Apply string limits (#89)
- Add `utf8proc` license (#84)
- Add codecov support (#86)
- Add CODEOWNERS (#88)
- Add `benchmerge` to merge multiple benchmark results (#85)
v1.4.0 (unstable) - 2022/06/29
- Correct nuget url (#68)
- Only take params ownership when needed (#69)
- WAF Benchmark Utility (#70)
- WAF Validator (#74)
- Make libinjection look for backticks (#80)
- Add version semantic and unstable release information (#81)
- WAF event obfuscator.
- Add obfuscator configuration to `ddwaf_config`.
- Changes to limits in `ddwaf_config`:
  - Rename `maxArrayLength` to `limits.max_container_size`.
  - Rename `maxMapDepth` to `limits.max_container_depth`.
  - Add `limits.max_string_length`, currently unused.
  - All limits are now `uint32`.
  - Relevant macros renamed accordingly.
- Rename
- Fix issue on ruleset error map reallocation causing cached pointer invalidation.
- Add check for empty input map on parser.
- Update github actions windows build VM to windows-2019.
- Remove metrics collector.
- Add `total_runtime` to `ddwaf_result`.
- Fix issue when reporting timeouts.
- Add `ddwaf_object` getters.
- Provide ruleset parsing diagnostics on `ddwaf_init`.
- Add support for metrics collection on `ddwaf_run`.
- Add `keys_only` transformer.
- Improve support for older platforms.
- Remove indirection and reduce string operations when processing flows.
- Refactor input verification.
- Remove deprecated features.
- Add arm64 build to nuget package.
- Upgrade RE2 to 2022-02-01.
- Add missing libunwind to x86_64 linux build.
- Fix potential integer overflow in `DDWAF_LOG_HELPER`.
- Add missing shared mingw64 build.
- Add example tool to run the WAF on a single rule with multiple test vectors.
- Fix duplicate matches in output (#36)
- Support `min_length` option on `regex_match` operator.
- Remove `DDWAF_ERR_TIMEOUT` and update value of other errors.
- Add timeout field to `ddwaf_result`.
- Remove action field from `ddwaf_result`.
- Support MacOS 10.9.
- Minor CMake compatibility improvements.
- WAF output now conforms to the appsec event format v1.0.0.
- Add schema for output validation.
- Remove zip package generation.
- Minor improvements.
- Add support for ruleset format v2.1.
- Update fuzzer.
- Fix addresses with key path missing from `ddwaf_required_addresses`.
- Improve ruleset parsing logging.
- Add libinjection SQL and XSS rule processors.
- Add support for ruleset format v1.1 (adding is_sqli and is_xss operators).
- Improved universal x86_64 and arm64 builds.
- Added darwin arm64 build.
- Fixed error on corpus generator for fuzzer.
- Improve contributor onboarding and readme.
- Cross-compile aarch64 static/shared libraries.
- Improve corpus generator for fuzzer.
- Add license to nuget package.
- Renamed static windows library to `ddwaf_static`.
- Correctly publish DSO dependencies.
- Add license and notice.
- Add copyright note to source files.
- Add issue and pull-request templates.
- Removed spdlog dependency.
- Fixed crash on base64encode transformer.
- Fixed crash on compressWhiteSpace transformer.
- Updated and fixed fuzzer.
- Fixed missing static library on windows packages.
- Other minor fixes and improvements.
- Support for new rule format, using `ddwaf::object`.
- Interface updated with `ddwaf` namespace.
- Removed pass-by-value and return-by-value from interface.
- Removed WAF singleton interface.
- Simplified WAF interface to be handle based and always additive.
- Clarified the ownership of `ddwaf::object` passed to the WAF.
- Removed functionality not supported by the new rule format.
- Added exception catch-all on interface functions to prevent std::terminate.
- Convert integers to strings at the input of the WAF
- Report the manifest key of the parameter that we matched in the trigger report
- Fix a bug where we could send reports from a previously reported attack in follow-up executions of the additive API
- Fix behavior of @exist on empty list
- Improve the cache bypass logic to only bypass it once per run
- Fix the cache overwrite logic when the bypass resulted in a match
- Fix an issue where we wouldn't run on keys if the associated value was a container in specific encapsulated containers
- Introduce a `numerize` transformer to better handle `Content-Length`
- Fix an issue where we wouldn't run on keys if the associated value was a container
- Fix an issue where reports would be generated when no action is triggered
- Fix an issue where only the last step of a flow will trigger a report
- Fix an issue where reports would be incomplete if some rules triggered in previous run of the additive API
- Fix a bug where we wouldn't run on keys if the associated value was shorter than a rule's options.min_length
- Introduce transformers to extract CRS targets from the raw URI
- Introduce `removeComments` transformer
- Introduce `@ipMatch` operator
- Introduce modifiers for a rule execution
- Introduce `@exist` operator
- Improve performance of the Additive API
- Reduce the frequency of perf cap check
- Return the detailed performance of the slowest rules
- Introduce allocation helpers
- Other performance optimisations
- Introduce Additive API
- Introduce expanded initialization format
- Introduce Handle API
- Report performance metrics on each run
- Report the runtime of the slowest rules of each run
- Report the path of a match
- Introduce new transformers
- Rename and shorten the API names
- More...
- Fix false positives in libinjection SQL heuristics
- Fix a false positive in libinjection XSS heuristics
- When running a rule with multiple parameters, don't stop processing if a parameter is missing
- Add support for the `config` key in the init payload
- Add support for prefixes to operators
- Add a switch through both means to revert the first fix
- Replace the clock we were using with a more efficient one
- When processing a multi step rule where a parameter is missing to one step, fail the step instead of ignoring it
- Fix a bug where the Compare operators could read one byte after the end of a PWArgs buffer
- Fix a bug where lib injection might read one byte past an internal buffer
- Give more control over the safety features to the API
- Introduce `@pm` operator
- Introduce `@beginsWith`, `@contains`, and `@endsWith` operators
- Cap the memory each RE2 object can use to 512kB
- Introduce `powerwaf_initializePowerWAFWithDiag`
- Fix a UTF-8 truncation bug (SQR-8164)
- Cleanup headers
- Improved locking performance
- Initial release