skip passing waf addresses when the value is empty

DataDog · Oct 6, 2023 · 0b90575 · 0b90575
1 parent 5933056
commit 0b90575
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 1 deletion.
diff --git a/lib/datadog/appsec/processor.rb b/lib/datadog/appsec/processor.rb
@@ -22,7 +22,9 @@ def run(input, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
 
           start_ns = Core::Utils::Time.get_time(:nanosecond)
 
-          _code, res = @context.run(input, timeout)
+          cleaned_input = remove_empty_entries(input)
+
+          _code, res = @context.run(cleaned_input, timeout)
 
           stop_ns = Core::Utils::Time.get_time(:nanosecond)
 
@@ -60,6 +62,18 @@ def extract_schema?
           Datadog.configuration.appsec.api_security.enabled &&
             Datadog.configuration.appsec.api_security.sample_rate.sample?
         end
+
+        def remove_empty_entries(entries)
+          entries.each_with_object({}) do |(k, v), acc|
+            acc[k] = v unless empty_value?(v)
+          end
+        end
+
+        def empty_value?(v)
+          return true unless v
+
+          v.empty?
+        end
       end
 
       attr_reader :diagnostics, :addresses

diff --git a/sig/datadog/appsec/processor.rbs b/sig/datadog/appsec/processor.rbs
@@ -21,6 +21,8 @@ module Datadog
 
         private
         def extract_schema?: () -> bool
+        def remove_empty_entries: (untyped entries) -> data
+        def empty_value?: (untyped v) -> bool
       end
 
       def self.active_context: () -> Context

diff --git a/spec/datadog/appsec/processor_spec.rb b/spec/datadog/appsec/processor_spec.rb
@@ -217,6 +217,68 @@
       matches.map(&:actions)
     end
 
+    context 'clear key with empty values' do
+      it 'removes nil values' do
+        input = {
+          'nil_value' => nil,
+          'string_value' => 'hello'
+        }
+        expect(context.instance_variable_get(:@context)).to receive(:run).with(
+          {
+            'string_value' => 'hello'
+          },
+          timeout
+        ).and_call_original
+
+        context.run(input, timeout)
+      end
+
+      it 'removes empty string values' do
+        input = {
+          'empty_string_value' => '',
+          'string_value' => 'hello'
+        }
+        expect(context.instance_variable_get(:@context)).to receive(:run).with(
+          {
+            'string_value' => 'hello'
+          },
+          timeout
+        ).and_call_original
+
+        context.run(input, timeout)
+      end
+
+      it 'removes empty arrays values' do
+        input = {
+          'empty_array' => [],
+          'non_empty_array_value' => [1, 2],
+        }
+        expect(context.instance_variable_get(:@context)).to receive(:run).with(
+          {
+            'non_empty_array_value' => [1, 2]
+          },
+          timeout
+        ).and_call_original
+
+        context.run(input, timeout)
+      end
+
+      it 'removes empty hash values' do
+        input = {
+          'empty_hash' => {},
+          'non_empty_hash_value' => { 'hello' => 'world' },
+        }
+        expect(context.instance_variable_get(:@context)).to receive(:run).with(
+          {
+            'non_empty_hash_value' => { 'hello' => 'world' }
+          },
+          timeout
+        ).and_call_original
+
+        context.run(input, timeout)
+      end
+    end
+
     context 'no attack' do
       let(:input) { input_safe }