Releases: DataDog/libddwaf

v1.17.0-alpha1 (unstable)

20 Feb 17:03
d438b4e

Fixes

  • Fix parsing of variadic arguments (#267)

Miscellaneous

  • Update node-16 actions to node-20 ones (#266)

v1.17.0-alpha0 (unstable)

19 Feb 17:50
a0d5a84

Fixes

  • Add support for old glibc (e.g. RHEL 6) (#262)
  • Add weak ceilf symbol and definition (#263)

Changes

  • Multivariate operator support (#241)
  • Local file inclusion (LFI) operator (#258)

Miscellaneous

v1.16.0 (unstable)

07 Feb 14:54
044f675

Note: while there are no breaking changes in this release, legacy linux builds are no longer being produced.

Fixes

  • Address a libinjection false positive (#251)
  • Remove a few fingerprints causing false positives (#252)
  • Fix SSE2 lowercase transformer (#253)

Changes

  • Support ephemeral addresses on processors (#240)
  • Phrase match: enforce word boundary option (#256)

Miscellaneous

v1.15.1 (unstable)

14 Nov 17:02
cd01ea3

Fixes

  • Fix duplicate processor check (#234)

v1.15.0 (unstable)

31 Oct 14:33
e7d3c20

This new version of the WAF includes the following new features:

  • Ephemeral addresses for composite requests
  • Naive duplicate address support on input filters
  • Required / Optional address diagnostics

The upgrading guide has also been updated to cover the new changes.

API & Breaking Changes

  • Support ephemeral addresses on ddwaf_run (#219)
  • Rename ddwaf_required_addresses to ddwaf_known_addresses (#221)

Fixes

  • Schema extraction scanners: reduce false positives on arrays (#220)

Changes

  • Ephemeral addresses for rules & exclusion filters (#219)(#224)
  • Address diagnostics (#221)
  • Naive duplicate address support on input/object filters (#222)

Miscellaneous

  • Update nuget packaging to use new musl linux binaries (#217)
  • Validator improvements (#225)
  • Use fmt::format for logging and vendorize some dependencies within src/ (#226)
  • Reduce linux binary size and fix some flaky tests (#227)

v1.14.0 (unstable)

06 Sep 14:08
27ad2b7

This release of the WAF includes the following new features:

  • Schema data classification through the use of scanners.
  • A vectorized version of the lowercase transformer using SSE2.
  • Generalized processors which are evaluated before or after filters and rules based on their outcome.
  • Optimizations to avoid unnecessary rule and filter evaluation.
  • Many other quality of life, correctness and performance improvements.

API & Breaking Changes

  • Rename preprocessors top-level key to processors (#209)

Fixes

  • Fix missing top-level key for processor diagnostics (#209)

Changes

  • SSE2 lowercase transformer (#195)
  • Reduce schema extraction limits (#208)
  • Skip rule and filter evaluation when no new rule targets exist (#207)
  • Refactor preprocessors into preprocessors and postprocessors (#209)
  • Convert float to (un)signed within the parsing stage (#210)
  • Scanners for schema scalar classification (#211)
  • Remove ptr typedefs (#212)
  • Indexer abstraction to encapsulate rule and scanner search and storage (#213)

v1.13.1 (unstable)

21 Aug 15:33
25b0021

Changes

  • Allow conversions between signed/unsigned types during parsing (#205)

v1.13.0 (unstable)

17 Aug 11:08
c2a8d9e

This new version of the WAF includes the following new features:

  • Schema extraction preprocessor
  • New and improved universal linux builds, including support for i386 and armv7
  • float and null types
  • Equals operator for arbitrary type equality comparison within conditions
  • Many other quality of life, correctness and performance improvements

The upgrading guide has also been updated to cover the new changes.

API & Breaking Changes

  • Add object types DDWAF_OBJ_FLOAT and DDWAF_OBJ_NULL (#197)
  • Add double field f64 in ddwaf_object (#197)
  • Add ddwaf_object_null, ddwaf_object_float and ddwaf_object_get_float (#197)
  • Rename ddwaf_object_signed to ddwaf_object_string_from_signed (#197)
  • Rename ddwaf_object_unsigned to ddwaf_object_string_from_unsigned (#197)
  • Rename ddwaf_object_signed_force to ddwaf_object_signed (#197)
  • Rename ddwaf_object_unsigned_force to ddwaf_object_unsigned (#197)
  • Add derivatives field to ddwaf_result for output objects generated through preprocessors (#182)

Changes

  • Encapsulate conditions within expressions (#192)
  • Equals operator and arbitrary operator type support (#194)
  • Float and null type support (#197)
  • Schema Extraction Preprocessor (#182)(#202)

Miscellaneous

  • Minor improvements (#193)
  • Rename operation to matcher (#196)
  • Fix coverage (#199)
  • Linux musl/libc++ builds using alpine-based sysroots and llvm16 (#198)(#200)(#201)

v1.12.0 (unstable)

28 Jul 09:31
4e22824

Changes

  • Per-input transformers support on exclusion filter conditions (#177)
  • Read-only transformers (#178)(#185)(#190)
  • Rule filter bypass / monitor mode support (#184)(#188)

Miscellaneous

  • Object schemas (#174)
  • Simple IP Match Benchmark (#176)
  • Remove Manifest (#179)
  • Reduce build parallelism (#183)
  • Change standard to C++20 (#186)

v1.11.0 (unstable)

25 May 11:10
7690ebe

API & Breaking Changes

  • Full ruleset parsing diagnostics (#161)
  • Event result as ddwaf_object (#162)
  • Replace ddwaf_result.actions with a ddwaf_object array (#165)

Changes

  • Add logging and remove dead code (#169)
  • Support for per-input transformers (#170)

Miscellaneous

  • Multithreaded fuzzer (#166)
  • Fix benchmark, test output and update ruleset to 1.7.0 (#171)
  • Validator: add support for per-directory tests and ruleset (#172)
  • Rename examples directory to tools (#173)
  • Update ruleset to 1.7.1 (#173)
  • Refactor and simplify tools to reduce code duplication (#173)