From 1c805a7278254b65ce76dd010dc75043e9a6d430 Mon Sep 17 00:00:00 2001
From: Anil Mahtani <929854+Anilm3@users.noreply.github.com>
Date: Thu, 19 Dec 2024 13:59:07 +0000
Subject: [PATCH 1/2] Upgrade libddwaf to v1.22.0

---
 appsec/tests/helper/client_test.cpp | 2 +-
 appsec/tests/helper/waf_test.cpp    | 6 ++++--
 appsec/third_party/libddwaf         | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/appsec/tests/helper/client_test.cpp b/appsec/tests/helper/client_test.cpp
index 2a2824beee..2ed3c18827 100644
--- a/appsec/tests/helper/client_test.cpp
+++ b/appsec/tests/helper/client_test.cpp
@@ -2760,7 +2760,7 @@ TEST(ClientTest, RaspCalls)
             dynamic_cast<network::request_shutdown::response *>(res.get());
 
         EXPECT_EQ(msg_res->metrics.size(), 3);
-        EXPECT_GT(msg_res->metrics[metrics::waf_duration], 0.0);
+        EXPECT_GE(msg_res->metrics[metrics::waf_duration], 0.0);
         EXPECT_EQ(msg_res->metrics[metrics::rasp_rule_eval], 1);
         EXPECT_GE(msg_res->metrics[metrics::rasp_duration], 0.0);
     }
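Review bot: Relaxing `EXPECT_GT` to `EXPECT_GE` on `metrics::waf_duration` lets a zero duration pass, and nothing in this hunk says why zero is now a legitimate value after the libddwaf upgrade. If `metrics` is a map-like container, `operator[]` yields 0.0 for a missing key, so the new check would also pass when the metric was never recorded; only the preceding `size() == 3` assertion guards against that. I would add a comment such as `// libddwaf v1.22.0 can report a zero WAF duration here because <reason>` and assert presence explicitly, e.g. `EXPECT_NE(msg_res->metrics.find(metrics::waf_duration), msg_res->metrics.end());`. The body of `TEST(ClientTest, RaspCalls)` begins outside the hunk, so the type of `metrics` is inferred.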
diff --git a/appsec/tests/helper/waf_test.cpp b/appsec/tests/helper/waf_test.cpp
index d9d470dc11..cd71d69f6b 100644
--- a/appsec/tests/helper/waf_test.cpp
+++ b/appsec/tests/helper/waf_test.cpp
@@ -117,8 +117,10 @@ TEST(WafTest, RunWithTimeout)
 
         EXPECT_CALL(submitm, submit_span_metric(metrics::rasp_timeout, 1));
         EXPECT_CALL(submitm, submit_span_metric(metrics::rasp_rule_eval, 1.0));
-        EXPECT_CALL(submitm, submit_span_metric(metrics::waf_duration, 0.0));
-        EXPECT_CALL(submitm, submit_span_metric(metrics::rasp_duration, 0.0));
+        // Since v1.22.0 libddwaf will still attempt to run denylists, which
+        // will cause the duration to be non-zero
+        EXPECT_CALL(submitm, submit_span_metric(metrics::waf_duration, _));
+        EXPECT_CALL(submitm, submit_span_metric(metrics::rasp_duration, _));
         parameter_view pv(p);
         dds::event e;
         bool is_rasp = true;
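Review bot: The `_` wildcard on the two duration expectations accepts any value, including a negative or NaN duration, so this timeout test no longer constrains what is reported for `waf_duration` and `rasp_duration`. A bounded matcher keeps the intent of the new comment without pinning an exact value: `EXPECT_CALL(submitm, submit_span_metric(metrics::waf_duration, testing::Ge(0.0)));`, and the same for `metrics::rasp_duration`. `Ge` has to be in scope the way `_` is; the using-declarations and the rest of `TEST(WafTest, RunWithTimeout)` are outside the hunk.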
diff --git a/appsec/third_party/libddwaf b/appsec/third_party/libddwaf
index de06f7afb2..990e73c55f 160000
--- a/appsec/third_party/libddwaf
+++ b/appsec/third_party/libddwaf
@@ -1 +1 @@
-Subproject commit de06f7afb2112152b9f7e137109358cf4762f90d
+Subproject commit 990e73c55fb070225bdb853ab2334efe7c151dc2

From 7c4b3c29aadbd5ffe72ffa18f8f857f1154e9cdc Mon Sep 17 00:00:00 2001
From: Anil Mahtani <929854+Anilm3@users.noreply.github.com>
Date: Thu, 19 Dec 2024 14:56:55 +0000
Subject: [PATCH 2/2] Fix integration tests

---
 .../appsec/php/integration/CommonTests.groovy       |  2 +-
 .../tests/integration/src/test/waf/recommended.json | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
index d56ce2d1dd..972ba03577 100644
--- a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
+++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
@@ -181,7 +181,7 @@ trait CommonTests {
 
     @Test
     void 'test blocking and stack generation'() {
-        HttpRequest req = container.buildReq('/generate_stack.php?id=user2020').GET().build()
+        HttpRequest req = container.buildReq('/generate_stack.php?id=stack_user').GET().build()
         def trace = container.traceFromRequest(req, ofString()) { HttpResponse<String> re ->
             assert re.statusCode() == 403
             assert re.body().contains('blocked')
diff --git a/appsec/tests/integration/src/test/waf/recommended.json b/appsec/tests/integration/src/test/waf/recommended.json
index 8b8ec5695d..6d60f3236e 100644
--- a/appsec/tests/integration/src/test/waf/recommended.json
+++ b/appsec/tests/integration/src/test/waf/recommended.json
@@ -44,7 +44,7 @@
                 "address": "usr.id"
               }
             ],
-            "data": "blocked_users"
+            "data": "blocked_users_with_stack"
           },
           "operator": "exact_match"
         }
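Review bot: The condition on `usr.id` now reads its values from `blocked_users_with_stack` instead of `blocked_users`, but the reason this rule needs its own data set after the upgrade is recorded nowhere: the commit description is empty and JSON cannot carry a comment. One sentence in the commit message would do, naming the coupling between this data id, the `stack_user` value added in the `@@ -6894` hunk and the `id=stack_user` request in CommonTests.groovy, since renaming any one of the three stops the rule from matching. That later hunk also adds a blank line after the new entry's `},` that the surrounding entries do not have. The rule this condition belongs to starts outside the hunk.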
@@ -6894,6 +6894,17 @@
         }
       ]
     },
+    {
+      "id": "blocked_users_with_stack",
+      "type": "data_with_expiration",
+      "data": [
+        {
+          "value": "stack_user",
+          "expiration": 0
+        }
+      ]
+    },
+
     {
       "id": "redirected_users",
       "type": "data_with_expiration",