Implement LFI #2770

estringana · 2024-07-23T11:12:31Z

Description

This PR implements the first exploit prevention added to PHP. That means that apart of wrapping the LFI php functions, it also implements everything else to report exploits. This PR consists on:

Wrapped certain file operations
- file_get_contents
- file_put_contents
- fopen
- readfile
Add exploit preventions metrics
Add LFI capability to RC
Add rasp configurations

Related Jiras: APPSEC-52929, APPSEC-53812, APPSEC-53813

codecov-commenter · 2024-07-23T11:26:17Z

Codecov Report

Attention: Patch coverage is 39.70588% with 41 lines in your changes missing coverage. Please review.

Project coverage is 78.07%. Comparing base (46173ca) to head (fdbbb12).

Files with missing lines	Patch %	Lines
.../Integrations/Filesystem/FilesystemIntegration.php	0.00%	37 Missing ⚠️
appsec/src/extension/ddappsec.c	87.50%	0 Missing and 2 partials ⚠️
appsec/src/extension/tags.c	75.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #2770      +/-   ##
============================================
- Coverage     80.91%   78.07%   -2.84%     
- Complexity     2526     2535       +9     
============================================
  Files           146      174      +28     
  Lines         14713    18811    +4098     
  Branches          0      992     +992     
============================================
+ Hits          11905    14687    +2782     
- Misses         2808     3581     +773     
- Partials          0      543     +543

Flag	Coverage Δ
appsec-extension	`68.50% <87.09%> (?)`
tracer-extension	`78.10% <ø> (ø)`
tracer-php	`81.80% <0.00%> (-0.30%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
appsec/src/extension/backtrace.c	`71.15% <100.00%> (ø)`
appsec/src/extension/commands/request_exec.c	`100.00% <100.00%> (ø)`
appsec/src/extension/configuration.h	`100.00% <ø> (ø)`
appsec/src/extension/user_tracking.c	`71.69% <100.00%> (ø)`
appsec/src/extension/ddappsec.c	`72.13% <87.50%> (ø)`
appsec/src/extension/tags.c	`79.80% <75.00%> (ø)`
.../Integrations/Filesystem/FilesystemIntegration.php	`0.00% <0.00%> (ø)`

... and 21 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 46173ca...fdbbb12. Read the comment docs.

pr-commenter · 2024-07-23T11:43:44Z

Benchmarks

Benchmark execution time: 2024-09-20 09:39:55

Comparing candidate commit eb254e3 in PR branch estringana/implement-lfi with baseline commit 339adfc in branch estringana/add-appsec-benchmarks.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 11 metrics, 0 unstable metrics.

scenario:WordPressBench/benchWordPressOverhead-appsec

🟥 execution_time [+3.357ms; +3.691ms] or [+12.342%; +13.570%]

cataphract · 2024-10-22T10:53:31Z

tests/ext/telemetry/integration_filesystem.phpt

@@ -0,0 +1,105 @@
+--TEST--
+Filesystem integration depends on RASP. If RASP enabled, integration is enabled


I don't get this one. What it shows enabled is your TestSandboxedIntegration

estringana changed the base branch from master to estringana/report-backtrace July 23, 2024 11:12

estringana force-pushed the estringana/implement-lfi branch from 94dfbb8 to d027f9d Compare July 23, 2024 11:16

estringana force-pushed the estringana/implement-lfi branch 5 times, most recently from 96857dd to f710e93 Compare July 29, 2024 09:52

estringana force-pushed the estringana/report-backtrace branch 2 times, most recently from af1a36f to 1ac82f6 Compare July 30, 2024 09:08

estringana force-pushed the estringana/implement-lfi branch 2 times, most recently from 26c41f1 to 2b2ebb0 Compare August 2, 2024 11:20

estringana force-pushed the estringana/report-backtrace branch from 996e2ab to 7a5690c Compare August 5, 2024 09:20

estringana force-pushed the estringana/implement-lfi branch 5 times, most recently from 3ff1e35 to 3d4bf57 Compare August 9, 2024 09:30

estringana force-pushed the estringana/report-backtrace branch from 7b89b53 to 2320656 Compare August 12, 2024 07:22

estringana force-pushed the estringana/implement-lfi branch 2 times, most recently from e59193b to 3618a4d Compare August 12, 2024 09:35

estringana force-pushed the estringana/report-backtrace branch 3 times, most recently from 0304b3e to 83e6358 Compare August 13, 2024 08:25

estringana force-pushed the estringana/implement-lfi branch from 3618a4d to 63ed611 Compare August 13, 2024 08:25

estringana force-pushed the estringana/report-backtrace branch from 291f49b to 6ee5ac1 Compare August 19, 2024 12:59

estringana force-pushed the estringana/implement-lfi branch from 63ed611 to 5efcdfd Compare August 19, 2024 13:00

Base automatically changed from estringana/report-backtrace to master August 21, 2024 13:45

estringana force-pushed the estringana/implement-lfi branch from 5efcdfd to b431a34 Compare August 21, 2024 13:48

estringana added 23 commits October 21, 2024 11:51

Add rasp duration tag

b51f550

Add optional rasp metrics

f5c1b77

Add duration_ext tag

82bbd97

Add DD_APPSEC_RASP_ENABLED configuration

d626280

Add lfi capability

b22eca9

Amend issue with rasp events tags

2f0c6ca

Move rasp.duration_ext to appsec extension

f8b2a57

Ensure rasp tags are created

e9b4496

Ensure duration_ext is added

efb6de9

Avoid loaded wrappers when appsec no loaded

59a82c9

Change comment

1bb6228

Disable rasp by default

0e7fb90

Fix error loading filesytem integration on test_c tests

844fdf8

Add more rasp tests

77c40e7

Stop creating not needed spans

8d8c184

Lint

785db5e

Lint

e85757b

Enable rasp manually on integration tests

21e3338

Amend test

9bd9682

Lint

7d253e0

Change approach to calculate elapsed

fc21135

Reduce calls to waf on LFI functions

a0944a9

Changes suggested on PR

1f898e6

estringana force-pushed the estringana/implement-lfi branch from e48e8cf to cde4c05 Compare October 21, 2024 09:59

Remove stat and lstat

2b8b6de

estringana force-pushed the estringana/implement-lfi branch from cde4c05 to 2b8b6de Compare October 21, 2024 10:06

estringana added 2 commits October 21, 2024 14:45

Return not loaded when filesytem integration is wrapping no functions

6249b87

Avoid reporting filesytem integration on telemetry

fdbbb12

cataphract reviewed Oct 22, 2024

View reviewed changes

Leiyks approved these changes Nov 6, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement LFI #2770

Implement LFI #2770

estringana commented Jul 23, 2024 •

edited

Loading

codecov-commenter commented Jul 23, 2024 •

edited

Loading

pr-commenter bot commented Jul 23, 2024 •

edited

Loading

cataphract Oct 22, 2024

		@@ -0,0 +1,105 @@
		--TEST--
		Filesystem integration depends on RASP. If RASP enabled, integration is enabled

Implement LFI #2770

Are you sure you want to change the base?

Implement LFI #2770

Conversation

estringana commented Jul 23, 2024 • edited Loading

Description

codecov-commenter commented Jul 23, 2024 • edited Loading

Codecov Report

pr-commenter bot commented Jul 23, 2024 • edited Loading

Benchmarks

scenario:WordPressBench/benchWordPressOverhead-appsec

cataphract Oct 22, 2024

Choose a reason for hiding this comment

estringana commented Jul 23, 2024 •

edited

Loading

codecov-commenter commented Jul 23, 2024 •

edited

Loading

pr-commenter bot commented Jul 23, 2024 •

edited

Loading