Propagate ephemeral flag from filters

src/context.cpp

@@ -126,7 +126,7 @@ const memory::unordered_map<rule *, filter_mode> &context::filter_rules(ddwaf::t
         rule_filter::cache_type &cache = it->second;
         auto exclusion = filter->match(store_, cache, deadline);
         if (exclusion.has_value()) {
-            for (auto &&rule : exclusion->get()) {
+            for (auto &&rule : exclusion->rules) {
                 auto [it, res] = rules_to_exclude_.emplace(rule, filter->get_mode());
                 // Bypass has precedence over monitor
                 if (!res && it != rules_to_exclude_.end() && it->second != filter_mode::bypass) {

src/exclusion/input_filter.cpp

@@ -26,19 +26,23 @@ std::optional<excluded_set> input_filter::match(
 {
     DDWAF_DEBUG("Evaluating input filter '%s'", id_.c_str());
 
+    bool ephemeral = false;
     // An event was already produced, so we skip the rule
     // Note that conditions in a filter are optional
-    if (!expr_->empty() && !expression::get_result(cache.expr_cache) &&
-        !expr_->eval(cache.expr_cache, store, {}, {}, deadline).outcome) {
-        return std::nullopt;
+    if (!expr_->empty() && !expression::get_result(cache.expr_cache)) {
+        auto res = expr_->eval(cache.expr_cache, store, {}, {}, deadline);
+        if (!res.outcome) {
+            return std::nullopt;
+        }
+        ephemeral = res.ephemeral;
     }
 
     auto objects = filter_->match(store, cache.object_filter_cache, deadline);
     if (objects.empty()) {
         return std::nullopt;
     }
 
-    return {{rule_targets_, std::move(objects)}};
+    return {{rule_targets_, std::move(objects), ephemeral}};
 }
 
 } // namespace ddwaf::exclusion

src/exclusion/input_filter.hpp

@@ -23,6 +23,7 @@ class input_filter {
     struct excluded_set {
         const std::set<rule *> &rules;
         object_set objects;
+        bool ephemeral{false};
     };
 
     struct cache_type {

src/exclusion/rule_filter.cpp

@@ -9,6 +9,8 @@
 
 namespace ddwaf::exclusion {
 
+using excluded_set = rule_filter::excluded_set;
+
 rule_filter::rule_filter(std::string id, std::shared_ptr<expression> expr,
     std::set<rule *> rule_targets, filter_mode mode)
     : id_(std::move(id)), expr_(std::move(expr)), mode_(mode)
@@ -23,23 +25,29 @@ rule_filter::rule_filter(std::string id, std::shared_ptr<expression> expr,
     }
 }
 
-optional_ref<const std::unordered_set<rule *>> rule_filter::match(
+std::optional<excluded_set> rule_filter::match(
     const object_store &store, cache_type &cache, ddwaf::timer &deadline) const
 {
     DDWAF_DEBUG("Evaluating rule filter '%s'", id_.c_str());
 
+    bool ephemeral = false;
+
     // Note that conditions in a filter are optional
     if (!expr_->empty()) {
         if (expression::get_result(cache)) {
             return std::nullopt;
         }
 
-        if (!expr_->eval(cache, store, {}, {}, deadline).outcome) {
+        auto res = expr_->eval(cache, store, {}, {}, deadline);
+
+        if (!res.outcome) {
             return std::nullopt;
         }
+
+        ephemeral = res.ephemeral;
     }
 
-    return {rule_targets_};
+    return {{rule_targets_, ephemeral}};
 }
 
 } // namespace ddwaf::exclusion

src/exclusion/rule_filter.hpp

@@ -20,6 +20,11 @@ enum class filter_mode { bypass, monitor };
 
 class rule_filter {
 public:
+    struct excluded_set {
+        const std::unordered_set<rule *> &rules;
+        bool ephemeral{false};
+    };
+
     using cache_type = expression::cache_type;
 
     rule_filter(std::string id, std::shared_ptr<expression> expr, std::set<rule *> rule_targets,
@@ -30,7 +35,7 @@ class rule_filter {
     rule_filter &operator=(rule_filter &&) = default;
     virtual ~rule_filter() = default;
 
-    virtual optional_ref<const std::unordered_set<rule *>> match(
+    virtual std::optional<excluded_set> match(
         const object_store &store, cache_type &cache, ddwaf::timer &deadline) const;
 
     std::string_view get_id() const { return id_; }