From 38b0b857d339e6c51bc43107a3319db4730ffedf Mon Sep 17 00:00:00 2001
From: Loic Nageleisen
Date: Tue, 11 Apr 2023 22:59:02 +0200
Subject: [PATCH 1/3] Protect Processor::Context#run with a mutex
---
 lib/datadog/appsec/processor.rb | 5 +++++
 sig/datadog/appsec/processor.rbs | 2 ++
 2 files changed, 7 insertions(+)
diff --git a/lib/datadog/appsec/processor.rb b/lib/datadog/appsec/processor.rb
index ceebbfa8d81..e439e625e9e 100644
--- a/lib/datadog/appsec/processor.rb
+++ b/lib/datadog/appsec/processor.rb
@@ -14,9 +14,12 @@ def initialize(processor)
 @time_ext_ns = 0.0
 @timeouts = 0
 @events = []
+ @run_mutex = Mutex.new
 end
 def run(input, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
+ @run_mutex.lock
+
 start_ns = Core::Utils::Time.get_time(:nanosecond)
 # TODO: remove multiple assignment
@@ -30,6 +33,8 @@ def run(input, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
 @timeouts += 1 if res.timeout
 res
+ ensure
+ @run_mutex.unlock
 end
 def finalize
diff --git a/sig/datadog/appsec/processor.rbs b/sig/datadog/appsec/processor.rbs
index 94cecee5733..2e5e281bcb3 100644
--- a/sig/datadog/appsec/processor.rbs
+++ b/sig/datadog/appsec/processor.rbs
@@ -12,6 +12,8 @@ module Datadog
 @context: WAF::Context
+ @run_mutex: ::Thread::Mutex
+
 def initialize: (Processor processor) -> void
 def run: (data input, ?::Integer timeout) -> WAF::Result
 def finalize: () -> void
From 299452869d1784ecec2525c121bce4b0467c2b57 Mon Sep 17 00:00:00 2001
From: Loic Nageleisen
Date: Wed, 12 Apr 2023 14:38:44 +0200
Subject: [PATCH 2/3] Fix run return value typing
---
 lib/datadog/appsec/processor.rb | 3 +--
 vendor/rbs/libddwaf/0/datadog/appsec/waf.rbs | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/lib/datadog/appsec/processor.rb b/lib/datadog/appsec/processor.rb
index e439e625e9e..c84f8f2e5f4 100644
--- a/lib/datadog/appsec/processor.rb
+++ b/lib/datadog/appsec/processor.rb
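Review bot: The lock is taken by a bare `@run_mutex.lock` in the first processor.rb hunk and released by a method-level `ensure` in the second, so the `ensure` also runs when `lock` itself raises — if the same thread re-enters `run` (Mutex is not reentrant and raises ThreadError) the `ensure` unlocks the outer caller's lock and that caller continues unprotected, and for any other lock failure `unlock` raises a second ThreadError that masks the first. Replacing `@run_mutex.lock` with `@run_mutex.synchronize do`, closing the block with `end` before the method's `end`, and dropping the `ensure`/`@run_mutex.unlock` pair acquires and releases in one construct and only releases after a successful acquire. `finalize`, visible only as trailing context in the second hunk, is not serialized against `run`; if it releases the underlying libddwaf context, as the name suggests, a concurrent `run` on another thread would operate on freed native state, so it should take the same mutex. The body of `run` between the two hunks is outside the view.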
@@ -23,8 +23,7 @@ def run(input, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
 start_ns = Core::Utils::Time.get_time(:nanosecond)
 # TODO: remove multiple assignment
- _code, res = _ = @context.run(input, timeout)
- # @type var res: WAF::Result
+ _code, res = @context.run(input, timeout)
 stop_ns = Core::Utils::Time.get_time(:nanosecond)
diff --git a/vendor/rbs/libddwaf/0/datadog/appsec/waf.rbs b/vendor/rbs/libddwaf/0/datadog/appsec/waf.rbs
index 300353a0c9b..fd4bdd95cb3 100644
--- a/vendor/rbs/libddwaf/0/datadog/appsec/waf.rbs
+++ b/vendor/rbs/libddwaf/0/datadog/appsec/waf.rbs
@@ -202,7 +202,7 @@ module Datadog
 def initialize: (Handle handle) -> void
 def finalize: () -> void
- def run: (data input, ?::Integer timeout) -> ::Array[top]
+ def run: (data input, ?::Integer timeout) -> [::Symbol, Result]
 private
From e0c9ba17b2439b3abb3f10a19080f279f3116ebe Mon Sep 17 00:00:00 2001
From: Loic Nageleisen
Date: Thu, 13 Apr 2023 15:59:29 +0200
Subject: [PATCH 3/3] Clarify mutex protection
---
 lib/datadog/appsec/processor.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/datadog/appsec/processor.rb b/lib/datadog/appsec/processor.rb
index c84f8f2e5f4..62b522ba150 100644
--- a/lib/datadog/appsec/processor.rb
+++ b/lib/datadog/appsec/processor.rb
@@ -22,11 +22,13 @@ def run(input, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
 start_ns = Core::Utils::Time.get_time(:nanosecond)
+ # this WAF::Context#run call is not thread safe as it mutates the context
 # TODO: remove multiple assignment
 _code, res = @context.run(input, timeout)
 stop_ns = Core::Utils::Time.get_time(:nanosecond)
+ # these updates are not thread safe and should be protected
 @time_ns += res.total_runtime
 @time_ext_ns += (stop_ns - start_ns)
 @timeouts += 1 if res.timeout
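Review bot: The status symbol returned alongside the result on the new `_code, res = @context.run(input, timeout)` line is discarded, so a non-ok status from libddwaf (the rbs hunk that follows types the first element as `::Symbol`) is never examined before `res.total_runtime` and `res.timeout` are read further down `run`. Whether the `Result` is fully populated on an error status is not visible here; if it is not, this is a NoMethodError raised from inside the locked section on the request path, and if it is, a one-line comment such as `# status symbol ignored: Result is populated on every status — TODO confirm against libddwaf` would make the choice explicit. Branching on the status (log and skip the counter updates, or raise) and documenting whether the WAF is meant to fail open or closed on an internal error would be clearer than silent discard. `run` starts before the hunk.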
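Review bot: The second added comment, `# these updates are not thread safe and should be protected`, reads as an open TODO, yet the counter updates it annotates execute after the `@run_mutex.lock` at the top of `run` and before the method-level `ensure` that unlocks it (both outside this hunk), so they are already protected. Rewording both comments to state the invariant rather than the problem would prevent a future reader from adding a second lock or treating the code as unfinished, e.g. `# WAF::Context#run mutates the native context; calls are serialized by @run_mutex, held for the whole method` and `# counters are only mutated while @run_mutex is held`. Whether `@time_ns`, `@time_ext_ns` and `@timeouts` are read elsewhere without the lock is not visible in this hunk; if they are, the comment should also say that readers get no consistent snapshot across the three. `run` begins before the hunk.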