Function ddwaf_run 

pub unsafe extern "C" fn ddwaf_run(
    context: ddwaf_context,
    persistent_data: *mut ddwaf_object,
    ephemeral_data: *mut ddwaf_object,
    result: *mut ddwaf_object,
    timeout: u64,
) -> DDWAF_RET_CODE

ddwaf_run

Perform a matching operation on the provided data

@param context WAF context to be used in this run, this will determine the ruleset which will be used and it will also ensure that parameters are taken into account across runs (nonnull)

@param persistent_data Data on which to perform the pattern matching. This data will be stored by the context and used across multiple calls to this function. Once the context is destroyed, the used-defined free function will be used to free the data provided. Note that the data passed must be valid until the destruction of the context. The object must be a map of {string, } in which each key represents the relevant address associated to the value, which can be of an arbitrary type. This parameter can be null if ephemeral data is provided.

@param ephemeral_data Data on which to perform the pattern matching. This data will not be cached by the WAF. Matches arising from this data will also not be cached at any level. The data will be freed at the end of the call to ddwaf_run. The object must be a map of {string, } in which each key represents the relevant address associated to the value, which can be of an arbitrary type. This parameter can be null if persistent data is provided.

@param result (nullable) Object map containing the following items: - events: an array of the generated events. - actions: a map of the generated actions in the format: {action type: { }, …} - duration: an unsigned specifying the total runtime of the call in nanoseconds. - timeout: whether there has been a timeout during the call. - attributes: a map containing all derived objects in the format: {tag, value} - keep: whether the data contained herein must override any transport sampling through the relevant mechanism. This structure must be freed by the caller and will contain all specified keys when the value returned by ddwaf_run is either DDWAF_OK or DDWAF_MATCH and will be empty otherwise. @param timeout Maximum time budget in microseconds.

@return Return code of the operation. @error DDWAF_ERR_INVALID_ARGUMENT The context is invalid, the data will not be freed. @error DDWAF_ERR_INVALID_OBJECT The data provided didn’t match the desired structure or contained invalid objects, the data will be freed by this function. @error DDWAF_ERR_INTERNAL There was an unexpected error and the operation did not succeed. The state of the WAF is undefined if this error is produced and the ownership of the data is unknown. The result structure will not be filled if this error occurs.

Notes on addresses:

• Within a single run, addresses provided should be unique. If duplicate persistent addresses are provided:
  • Within the same batch, the latest one in the structure will be the one used for evaluation.
• Within two different batches, the second batch will only use the new data.

Ephemeral addresses are designed to be duplicated across batches, but if duplicate addresses are provided within the same batch, the latest one seen will be the one used.

Duplicate addresses of different types (ephemeral, persistent), are not permitted. An existing address will never be replaced by a duplicate one of a different type, but it doesn’t result in a critical failure. Due to the nature of ephemerals, an ephemeral address can be replaced in a subsequent batch by a persistent address, however taking advantage of this is not recommended and might be explicitly rejected in the future.