Merge pull request #2773 from DataDog/add-processor-run-mutex

Protect Processor::Context#run with a mutex

lib/datadog/appsec/processor.rb

@@ -14,22 +14,28 @@ def initialize(processor)
           @time_ext_ns = 0.0
           @timeouts = 0
           @events = []
+          @run_mutex = Mutex.new
         end
 
         def run(input, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
+          @run_mutex.lock
+
           start_ns = Core::Utils::Time.get_time(:nanosecond)
 
+          # this WAF::Context#run call is not thread safe as it mutates the context
           # TODO: remove multiple assignment
-          _code, res = _ = @context.run(input, timeout)
-          # @type var res: WAF::Result
+          _code, res = @context.run(input, timeout)
 
           stop_ns = Core::Utils::Time.get_time(:nanosecond)
 
+          # these updates are not thread safe and should be protected
           @time_ns += res.total_runtime
           @time_ext_ns += (stop_ns - start_ns)
           @timeouts += 1 if res.timeout
 
           res
+        ensure
+          @run_mutex.unlock
         end
 
         def finalize

sig/datadog/appsec/processor.rbs

@@ -12,6 +12,8 @@ module Datadog
 
         @context: WAF::Context
 
+        @run_mutex: ::Thread::Mutex
+
         def initialize: (Processor processor) -> void
         def run: (data input, ?::Integer timeout) -> WAF::Result
         def finalize: () -> void

vendor/rbs/libddwaf/0/datadog/appsec/waf.rbs

@@ -202,7 +202,7 @@ module Datadog
         def initialize: (Handle handle) -> void
         def finalize: () -> void
 
-        def run: (data input, ?::Integer timeout) -> ::Array[top]
+        def run: (data input, ?::Integer timeout) -> [::Symbol, Result]
 
         private