
Implement LFI #2770

Merged 32 commits on Dec 12, 2024

Conversation

estringana (Contributor) commented Jul 23, 2024

Description

This PR implements the first exploit prevention added to PHP. That means that, apart from wrapping the LFI PHP functions, it also implements everything else needed to report exploits. This PR consists of:

  • Wrapped certain file operations
    • file_get_contents
    • file_put_contents
    • fopen
    • readfile
  • Add exploit prevention metrics
  • Add LFI capability to RC
  • Add RASP configurations

Related Jiras: APPSEC-52929, APPSEC-53812, APPSEC-53813
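
The four wrapped functions listed above are the entry points a RASP LFI check has to sit in front of. The PHP class below is an added illustration for readers of this thread, not code from this PR, from dd-trace-php, or from the appsec extension's actual detector. It sketches the correlation such a hook performs before the real call runs: a request parameter that shows up inside the path argument and carries traversal segments or an absolute path is treated as an exploit attempt. The class name LfiGuard, the minimum parameter length, and the sample requests are assumptions made for this example; it needs PHP 8.1 or newer.

```php
<?php
declare(strict_types=1);

// Added example, not dd-trace-php code. A userland stand-in for the kind of
// check a RASP hook runs in front of wrapped file functions such as
// file_get_contents, file_put_contents, fopen and readfile. The heuristic
// (flag a path when a request parameter is found inside it and that parameter
// carries traversal or an absolute path) is an assumption made for
// illustration; in this PR the real detection happens in the appsec extension.
final class LfiGuard
{
    /** Request parameters shorter than this are too noisy to correlate (assumed threshold). */
    private const MIN_PARAM_LENGTH = 4;

    /** @param array<string, string> $requestParams user-controlled values (query, body, headers) */
    public function __construct(private readonly array $requestParams)
    {
    }

    /**
     * Returns null when no request parameter steers the path out of a plain
     * relative file name, otherwise details of the offending parameter.
     *
     * @return array{param: string, value: string, path: string}|null
     */
    public function inspect(string $path): ?array
    {
        foreach ($this->requestParams as $name => $value) {
            if (strlen($value) < self::MIN_PARAM_LENGTH) {
                continue;
            }
            $normalized = self::normalize($value);
            // The parameter must actually reach the file API, either raw or decoded.
            if (!str_contains($path, $value) && !str_contains($path, $normalized)) {
                continue;
            }
            $isAbsolute   = str_starts_with($normalized, '/');
            // Wrap in separators so a lone ".." segment is matched but "..foo" is not.
            $hasTraversal = str_contains('/' . $normalized . '/', '/../');
            if ($isAbsolute || $hasTraversal) {
                return ['param' => (string) $name, 'value' => $value, 'path' => $path];
            }
        }
        return null;
    }

    /** Guarded replacement for file_get_contents(): blocks instead of reading. */
    public function readFile(string $path): string|false
    {
        $hit = $this->inspect($path);
        if ($hit !== null) {
            throw new RuntimeException(sprintf(
                'LFI attempt blocked: parameter "%s" controls path "%s"',
                $hit['param'],
                $hit['path']
            ));
        }
        return file_get_contents($path);
    }

    /** One round of percent-decoding (covers %2e%2e%2f) and separator unification. */
    private static function normalize(string $value): string
    {
        return str_replace('\\', '/', rawurldecode($value));
    }
}

// Constructed sample requests (not taken from the page).
$benign = new LfiGuard(['lang' => 'en_US']);
var_dump($benign->inspect('/var/www/app/lang/en_US.php'));

$traversal = new LfiGuard(['file' => '../../etc/passwd']);
var_dump($traversal->inspect('/var/www/app/pages/../../etc/passwd'));

$encoded = new LfiGuard(['file' => '..%2f..%2fetc%2fpasswd']);
var_dump($encoded->inspect('/var/www/app/pages/../../etc/passwd'));

$absolute = new LfiGuard(['tpl' => '/etc/passwd']);
var_dump($absolute->inspect('/etc/passwd'));
```

Run it with the php CLI: the first inspect() call returns null, and the three others return the offending parameter, because the traversal value appears in the path either verbatim or after one round of percent-decoding, and the absolute value starts with a slash. The check deliberately does not call realpath(), since the target may not exist yet (file_put_contents) and the decision has to be made before the wrapped call runs. Everything else this PR adds (metrics, RC capability, backtrace reporting) is outside what this class shows.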

estringana changed the base branch from master to estringana/report-backtrace (July 23, 2024 11:12)
estringana force-pushed the estringana/implement-lfi branch from 94dfbb8 to d027f9d (July 23, 2024 11:16)
codecov-commenter commented Jul 23, 2024

Codecov Report

Attention: Patch coverage is 39.70588% with 41 lines in your changes missing coverage. Please review.

Project coverage is 72.75%. Comparing base (8273bb7) to head (1526965).
Report is 1 commit behind head on master.

Files with missing lines                                Patch %   Lines
.../Integrations/Filesystem/FilesystemIntegration.php   0.00%     37 Missing
appsec/src/extension/ddappsec.c                         87.50%    0 Missing and 2 partials
appsec/src/extension/tags.c                             75.00%    1 Missing and 1 partial
Additional details and impacted files


@@             Coverage Diff              @@
##             master    #2770      +/-   ##
============================================
- Coverage     72.90%   72.75%   -0.16%     
- Complexity     2741     2750       +9     
============================================
  Files           137      138       +1     
  Lines         14978    15038      +60     
  Branches       1016     1020       +4     
============================================
+ Hits          10920    10941      +21     
- Misses         3506     3543      +37     
- Partials        552      554       +2     
Flag Coverage Δ
appsec-extension 67.97% <87.09%> (+0.13%) ⬆️
tracer-php 74.56% <0.00%> (-0.26%) ⬇️


Files with missing lines                                Coverage Δ
appsec/src/extension/backtrace.c                        70.88% <100.00%> (+0.18%) ⬆️
appsec/src/extension/commands/request_exec.c            100.00% <100.00%> (ø)
appsec/src/extension/configuration.h                    100.00% <ø> (ø)
appsec/src/extension/user_tracking.c                    71.69% <100.00%> (ø)
appsec/src/extension/ddappsec.c                         79.07% <87.50%> (+1.20%) ⬆️
appsec/src/extension/tags.c                             79.80% <75.00%> (-0.07%) ⬇️
.../Integrations/Filesystem/FilesystemIntegration.php   0.00% <0.00%> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 8273bb7...1526965.

pr-commenter bot commented Jul 23, 2024

Benchmarks

Benchmark execution time: 2024-09-20 09:39:55

Comparing candidate commit eb254e3 in PR branch estringana/implement-lfi with baseline commit 339adfc in branch estringana/add-appsec-benchmarks.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 11 metrics, 0 unstable metrics.

scenario:WordPressBench/benchWordPressOverhead-appsec

  • 🟥 execution_time [+3.357ms; +3.691ms] or [+12.342%; +13.570%]

estringana force-pushed the estringana/implement-lfi branch 5 times, most recently from 96857dd to f710e93 (July 29, 2024 09:52)
estringana force-pushed the estringana/report-backtrace branch 2 times, most recently from af1a36f to 1ac82f6 (July 30, 2024 09:08)
estringana force-pushed the estringana/implement-lfi branch 2 times, most recently from 26c41f1 to 2b2ebb0 (August 2, 2024 11:20)
estringana force-pushed the estringana/report-backtrace branch from 996e2ab to 7a5690c (August 5, 2024 09:20)
estringana force-pushed the estringana/implement-lfi branch 5 times, most recently from 3ff1e35 to 3d4bf57 (August 9, 2024 09:30)
estringana force-pushed the estringana/report-backtrace branch from 7b89b53 to 2320656 (August 12, 2024 07:22)
estringana force-pushed the estringana/implement-lfi branch 2 times, most recently from e59193b to 3618a4d (August 12, 2024 09:35)
estringana force-pushed the estringana/report-backtrace branch 3 times, most recently from 0304b3e to 83e6358 (August 13, 2024 08:25)
estringana force-pushed the estringana/implement-lfi branch from 3618a4d to 63ed611 (August 13, 2024 08:25)
estringana force-pushed the estringana/report-backtrace branch from 291f49b to 6ee5ac1 (August 19, 2024 12:59)
estringana force-pushed the estringana/implement-lfi branch from 63ed611 to 5efcdfd (August 19, 2024 13:00)
Base automatically changed from estringana/report-backtrace to master (August 21, 2024 13:45)
estringana force-pushed the estringana/implement-lfi branch from 5efcdfd to b431a34 (August 21, 2024 13:48)
estringana force-pushed the estringana/implement-lfi branch from 5130384 to 1526965 (December 12, 2024 11:37)
estringana merged commit 4cc2897 into master (Dec 12, 2024)
707 of 755 checks passed
estringana deleted the estringana/implement-lfi branch (December 12, 2024 15:11)
github-actions bot added this to the 1.6.0 milestone (Dec 12, 2024)