From aa950e2ebcfa28c342e904423136c61abad82b74 Mon Sep 17 00:00:00 2001 From: Gustavo Lopes Date: Mon, 4 Dec 2023 09:38:40 +0000 Subject: [PATCH] Roadrunner appsec support --- appsec/CMakeLists.txt | 7 +- appsec/cmake/extension.cmake | 5 +- appsec/cmake/patchelf.cmake | 17 + appsec/cmake/run-tests-wrapper.sh | 3 +- appsec/cmake/run_tests.cmake | 5 +- appsec/run-tests-internal.php | 6 +- appsec/src/extension/commands/client_init.c | 28 +- appsec/src/extension/commands/client_init.h | 3 +- appsec/src/extension/commands/request_exec.c | 17 +- appsec/src/extension/commands/request_init.c | 97 +- appsec/src/extension/commands/request_init.h | 8 +- .../src/extension/commands/request_shutdown.c | 89 +- .../src/extension/commands/request_shutdown.h | 18 +- appsec/src/extension/commands_ctx.h | 9 + appsec/src/extension/commands_helpers.c | 48 +- appsec/src/extension/commands_helpers.h | 10 +- appsec/src/extension/configuration.c | 8 +- appsec/src/extension/configuration.h | 3 +- appsec/src/extension/ddappsec.c | 188 +- appsec/src/extension/ddappsec.h | 17 +- appsec/src/extension/ddtrace.c | 165 +- appsec/src/extension/ddtrace.h | 37 +- appsec/src/extension/helper_process.c | 5 +- appsec/src/extension/helper_process.h | 4 +- appsec/src/extension/ip_extraction.c | 22 - appsec/src/extension/ip_extraction.h | 3 - appsec/src/extension/msgpack_helpers.c | 67 +- appsec/src/extension/msgpack_helpers.h | 3 + appsec/src/extension/php_compat.c | 17 + appsec/src/extension/php_compat.h | 28 +- appsec/src/extension/php_helpers.c | 32 +- appsec/src/extension/php_helpers.h | 9 +- appsec/src/extension/request_abort.c | 248 +- appsec/src/extension/request_abort.h | 6 +- appsec/src/extension/request_lifecycle.c | 647 ++ appsec/src/extension/request_lifecycle.h | 16 + appsec/src/extension/tags.c | 201 +- appsec/src/extension/tags.h | 3 +- appsec/src/extension/user_tracking.c | 23 +- appsec/src/helper/remote_config/http_api.cpp | 8 +- appsec/tests/extension/bad_env_ini.phpt | 7 +- .../tests/extension/client_init_bad_msg.phpt | 1 + .../tests/extension/phpinfo_enabled_01.phpt | 2 +- .../tests/extension/rinit_force_keep_02.phpt | 4 +- appsec/tests/extension/test-php.ini | 2 + .../track_custom_event_no_root_span.phpt | 4 +- ...user_login_failure_event_no_root_span.phpt | 4 +- ...user_login_success_event_no_root_span.phpt | 4 +- .../track_user_signup_event_no_root_span.phpt | 4 +- appsec/tests/extension/user_req_basic.phpt | 188 + .../user_req_content_negotiation.phpt | 46 + .../extension/user_req_no_root_span.phpt | 24 + appsec/tests/extension/user_req_redirect.phpt | 40 + .../extension/user_req_regular_sequence.phpt | 115 + .../extension/user_req_wrong_sequence.phpt | 100 + appsec/tests/integration/.gitattributes | 6 + appsec/tests/integration/.gitignore | 8 + appsec/tests/integration/build.gradle | 377 + appsec/tests/integration/gradle/images.gradle | 189 + .../gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 59536 bytes .../gradle/wrapper/gradle-wrapper.properties | 5 + appsec/tests/integration/gradlew | 234 + appsec/tests/integration/gradlew.bat | 89 + appsec/tests/integration/settings.gradle | 1 + .../src/docker/apache2-fpm/Dockerfile | 27 + .../src/docker/apache2-fpm/entrypoint.sh | 23 + .../src/docker/apache2-fpm/php-site.conf | 16 + .../src/docker/apache2-mod/Dockerfile | 33 + .../src/docker/apache2-mod/entrypoint.sh | 22 + .../src/docker/apache2-mod/php.conf | 11 + .../src/docker/apache2-mod/php.load | 2 + .../src/docker/fpm-common/php-fpm.conf | 4 + .../src/docker/fpm-common/www.conf | 26 + .../src/docker/nginx-fpm/Dockerfile | 21 + .../integration/src/docker/nginx-fpm/default | 19 + .../src/docker/nginx-fpm/entrypoint.sh | 19 + .../integration/src/docker/php/Dockerfile | 37 + .../src/docker/php/Dockerfile-php-deps | 25 + .../src/docker/php/build_dev_php.sh | 439 ++ .../tests/integration/src/docker/php/php.ini | 27 + .../php/php_patches/configure_curl.patch | 14 + .../php/php_patches/configure_curl_old.patch | 14 + .../php/php_patches/configure_gmp.patch | 13 + .../php/php_patches/configure_icu.patch | 232 + .../php/php_patches/newish_libxml.patch | 51 + .../php/php_patches/opcache_num_var.patch | 11 + .../docker/php/php_patches/recent_icu.patch | 107 + .../src/docker/toolchain/CHECKSUMS | 9 + .../src/docker/toolchain/Dockerfile | 14 + .../integration/src/docker/toolchain/Makefile | 161 + .../src/docker/toolchain/Toolchain.cmake | 19 + .../src/docker/toolchain/Toolchain.env | 8 + .../src/docker/toolchain/ToolchainGCC.cmake | 14 + .../appsec/php/docker/AppSecContainer.groovy | 311 + .../php/docker/FailOnUnmatchedTraces.groovy | 14 + .../FailOnUnmatchedTracesExtension.groovy | 29 + .../php/docker/InspectContainerHelper.groovy | 18 + .../appsec/php/mock_agent/InfoHandler.groovy | 22 + .../php/mock_agent/MockDatadogAgent.groovy | 63 + .../php/mock_agent/MsgpackHelper.groovy | 62 + .../php/mock_agent/TracesV04Handler.groovy | 109 + .../datadog/appsec/php/model/Mapper.groovy | 18 + .../com/datadog/appsec/php/model/Span.groovy | 25 + .../com/datadog/appsec/php/model/Trace.groovy | 25 + .../appsec/php/test/JsonMatcher.groovy | 181 + .../php/test/NotifyTestLifecycle.groovy | 25 + .../php/test/StopContainerExtension.groovy | 22 + .../org.junit.jupiter.api.extension.Extension | 2 + .../main/resources/junit-platform.properties | 1 + .../src/main/resources/logback.xml | 15 + .../src/test/bin/enable_extensions.sh | 54 + .../integration/AlpineApache2FpmTests.groovy | 29 + .../php/integration/Apache2FpmTests.groovy | 80 + .../php/integration/Apache2ModTests.groovy | 53 + .../appsec/php/integration/CommonTests.groovy | 249 + .../php/integration/Laravel8xTests.groovy | 87 + .../php/integration/NginxFpmTests.groovy | 50 + .../php/integration/RoadRunnerTests.groovy | 163 + .../php/integration/Symfony62Tests.groovy | 91 + .../appsec/php/integration/TestParams.groovy | 26 + .../integration/src/test/waf/recommended.json | 6743 +++++++++++++++++ .../src/test/www/base/public/custom_event.php | 9 + .../src/test/www/base/public/example.html | 13 + .../src/test/www/base/public/hello.php | 2 + .../src/test/www/base/public/index.php | 3 + .../src/test/www/base/public/phpinfo.php | 6 + .../src/test/www/base/public/poolenv.php | 3 + .../src/test/www/base/public/user_id.php | 12 + .../www/base/public/user_login_failure.php | 9 + .../www/base/public/user_login_success.php | 10 + .../src/test/www/laravel8x/.editorconfig | 18 + .../src/test/www/laravel8x/.env.example | 8 + .../src/test/www/laravel8x/.gitattributes | 10 + .../src/test/www/laravel8x/.gitignore | 15 + .../src/test/www/laravel8x/.styleci.yml | 14 + .../src/test/www/laravel8x/README.md | 64 + .../test/www/laravel8x/app/Console/Kernel.php | 32 + .../www/laravel8x/app/Exceptions/Handler.php | 41 + .../app/Http/Controllers/Controller.php | 13 + .../app/Http/Controllers/LoginController.php | 57 + .../test/www/laravel8x/app/Http/Kernel.php | 67 + .../app/Http/Middleware/Authenticate.php | 21 + .../app/Http/Middleware/EncryptCookies.php | 17 + .../PreventRequestsDuringMaintenance.php | 17 + .../Middleware/RedirectIfAuthenticated.php | 32 + .../app/Http/Middleware/TrimStrings.php | 19 + .../app/Http/Middleware/TrustHosts.php | 20 + .../app/Http/Middleware/TrustProxies.php | 28 + .../app/Http/Middleware/VerifyCsrfToken.php | 17 + .../test/www/laravel8x/app/Models/User.php | 44 + .../app/Providers/AppServiceProvider.php | 28 + .../app/Providers/AuthServiceProvider.php | 30 + .../Providers/BroadcastServiceProvider.php | 21 + .../app/Providers/EventServiceProvider.php | 32 + .../app/Providers/RouteServiceProvider.php | 63 + .../src/test/www/laravel8x/artisan | 53 + .../src/test/www/laravel8x/bootstrap/app.php | 55 + .../www/laravel8x/bootstrap/cache/.gitignore | 2 + .../src/test/www/laravel8x/composer.json | 62 + .../src/test/www/laravel8x/config/app.php | 235 + .../src/test/www/laravel8x/config/auth.php | 111 + .../www/laravel8x/config/broadcasting.php | 64 + .../src/test/www/laravel8x/config/cache.php | 110 + .../src/test/www/laravel8x/config/cors.php | 34 + .../test/www/laravel8x/config/database.php | 147 + .../test/www/laravel8x/config/filesystems.php | 73 + .../src/test/www/laravel8x/config/hashing.php | 52 + .../src/test/www/laravel8x/config/logging.php | 118 + .../src/test/www/laravel8x/config/mail.php | 118 + .../src/test/www/laravel8x/config/queue.php | 93 + .../src/test/www/laravel8x/config/sanctum.php | 65 + .../test/www/laravel8x/config/services.php | 33 + .../src/test/www/laravel8x/config/session.php | 201 + .../src/test/www/laravel8x/config/view.php | 36 + .../test/www/laravel8x/database/.gitignore | 1 + .../database/factories/UserFactory.php | 39 + .../2014_10_12_000000_create_users_table.php | 36 + ...12_100000_create_password_resets_table.php | 32 + ..._08_19_000000_create_failed_jobs_table.php | 36 + ...01_create_personal_access_tokens_table.php | 36 + .../database/seeders/DatabaseSeeder.php | 24 + .../src/test/www/laravel8x/initialize.sh | 17 + .../src/test/www/laravel8x/package.json | 18 + .../src/test/www/laravel8x/phpunit.xml | 31 + .../src/test/www/laravel8x/public/.htaccess | 21 + .../src/test/www/laravel8x/public/favicon.ico | 0 .../src/test/www/laravel8x/public/index.php | 55 + .../src/test/www/laravel8x/public/robots.txt | 2 + .../test/www/laravel8x/resources/css/app.css | 0 .../test/www/laravel8x/resources/js/app.js | 1 + .../www/laravel8x/resources/js/bootstrap.js | 28 + .../www/laravel8x/resources/lang/en/auth.php | 20 + .../resources/lang/en/pagination.php | 19 + .../laravel8x/resources/lang/en/passwords.php | 22 + .../resources/lang/en/validation.php | 163 + .../resources/views/welcome.blade.php | 132 + .../src/test/www/laravel8x/routes/api.php | 19 + .../test/www/laravel8x/routes/channels.php | 18 + .../src/test/www/laravel8x/routes/console.php | 19 + .../src/test/www/laravel8x/routes/web.php | 22 + .../src/test/www/laravel8x/server.php | 21 + .../test/www/laravel8x/storage/app/.gitignore | 3 + .../laravel8x/storage/app/public/.gitignore | 2 + .../laravel8x/storage/framework/.gitignore | 9 + .../storage/framework/cache/.gitignore | 3 + .../storage/framework/cache/data/.gitignore | 2 + .../storage/framework/sessions/.gitignore | 2 + .../storage/framework/testing/.gitignore | 2 + .../storage/framework/views/.gitignore | 2 + .../www/laravel8x/storage/logs/.gitignore | 2 + .../laravel8x/tests/CreatesApplication.php | 22 + .../laravel8x/tests/Feature/ExampleTest.php | 21 + .../src/test/www/laravel8x/tests/TestCase.php | 10 + .../www/laravel8x/tests/Unit/ExampleTest.php | 18 + .../src/test/www/laravel8x/webpack.mix.js | 17 + .../src/test/www/roadrunner/.gitignore | 3 + .../src/test/www/roadrunner/.rr.yaml | 18 + .../src/test/www/roadrunner/composer.json | 11 + .../src/test/www/roadrunner/run.sh | 22 + .../www/roadrunner/src/HomePageHandler.php | 35 + .../src/test/www/roadrunner/src/Router.php | 16 + .../src/test/www/roadrunner/worker.php | 41 + .../integration/src/test/www/symfony62/.env | 29 + .../src/test/www/symfony62/.gitignore | 10 + .../src/test/www/symfony62/Dockerfile | 31 + .../src/test/www/symfony62/bin/console | 43 + .../src/test/www/symfony62/composer.json | 85 + .../src/test/www/symfony62/config/bundles.php | 12 + .../www/symfony62/config/packages/cache.yaml | 19 + .../symfony62/config/packages/doctrine.yaml | 46 + .../config/packages/doctrine_migrations.yaml | 6 + .../symfony62/config/packages/framework.yaml | 17 + .../symfony62/config/packages/monolog.yaml | 61 + .../config/packages/prod/routing.yaml | 3 + .../symfony62/config/packages/routing.yaml | 7 + .../symfony62/config/packages/security.yaml | 46 + .../config/packages/test/framework.yaml | 4 + .../symfony62/config/packages/test/twig.yaml | 2 + .../www/symfony62/config/packages/twig.yaml | 2 + .../symfony62/config/packages/validator.yaml | 13 + .../src/test/www/symfony62/config/preload.php | 5 + .../src/test/www/symfony62/config/routes.yaml | 3 + .../symfony62/config/routes/annotations.yaml | 7 + .../config/routes/dev/framework.yaml | 3 + .../symfony62/config/routes/framework.yaml | 4 + .../test/www/symfony62/config/services.yaml | 31 + .../src/test/www/symfony62/initialize.sh | 10 + .../test/www/symfony62/migrations/.gitignore | 0 .../migrations/Version20230721093441.php | 33 + .../src/test/www/symfony62/public/.htaccess | 70 + .../src/test/www/symfony62/public/index.php | 22 + .../src/Controller/HomeController.php | 23 + .../src/Controller/LoginController.php | 27 + .../src/Controller/RegistrationController.php | 43 + .../src/DataFixtures/AppFixtures.php | 20 + .../test/www/symfony62/src/Entity/User.php | 102 + .../src/Form/RegistrationFormType.php | 55 + .../src/test/www/symfony62/src/Kernel.php | 38 + .../src/Repository/UserRepository.php | 83 + .../src/test/www/symfony62/symfony.lock | 176 + .../www/symfony62/templates/base.html.twig | 19 + .../symfony62/templates/login/index.html.twig | 21 + .../templates/registration/register.html.twig | 19 + .../templates/twig_template.html.twig | 1 + appsec/tests/mock_helper/CMakeLists.txt | 5 +- appsec/third_party/CMakeLists.txt | 1 - appsec/valgrind.supp | 193 + cmake/Modules/FindPhpConfig.cmake | 2 +- config.m4 | 1 + ddtrace.sym | 6 +- .../services/request-replayer/src/index.php | 4 +- ext/ddtrace.c | 15 + ext/handlers_api.c | 1 + ext/hook/uhook.c | 116 +- ext/hook/uhook.stub.php | 21 + ext/hook/uhook_arginfo.h | 17 +- ext/priority_sampling/priority_sampling.c | 10 +- ext/priority_sampling/priority_sampling.h | 3 +- ext/span.c | 33 +- ext/span.h | 8 +- ext/user_request.c | 168 + ext/user_request.h | 21 + ext/user_request.stub.php | 39 + ext/user_request_arginfo.h | 36 + .../Roadrunner/RoadrunnerIntegration.php | 206 +- .../interceptor/php7/interceptor.c | 10 +- 286 files changed, 18659 insertions(+), 627 deletions(-) create mode 100644 appsec/cmake/patchelf.cmake create mode 100644 appsec/src/extension/commands_ctx.h create mode 100644 appsec/src/extension/request_lifecycle.c create mode 100644 appsec/src/extension/request_lifecycle.h create mode 100644 appsec/tests/extension/user_req_basic.phpt create mode 100644 appsec/tests/extension/user_req_content_negotiation.phpt create mode 100644 appsec/tests/extension/user_req_no_root_span.phpt create mode 100644 appsec/tests/extension/user_req_redirect.phpt create mode 100644 appsec/tests/extension/user_req_regular_sequence.phpt create mode 100644 appsec/tests/extension/user_req_wrong_sequence.phpt create mode 100644 appsec/tests/integration/.gitattributes create mode 100644 appsec/tests/integration/.gitignore create mode 100644 appsec/tests/integration/build.gradle create mode 100644 appsec/tests/integration/gradle/images.gradle create mode 100644 appsec/tests/integration/gradle/wrapper/gradle-wrapper.jar create mode 100644 appsec/tests/integration/gradle/wrapper/gradle-wrapper.properties create mode 100755 appsec/tests/integration/gradlew create mode 100644 appsec/tests/integration/gradlew.bat create mode 100644 appsec/tests/integration/settings.gradle create mode 100644 appsec/tests/integration/src/docker/apache2-fpm/Dockerfile create mode 100755 appsec/tests/integration/src/docker/apache2-fpm/entrypoint.sh create mode 100644 appsec/tests/integration/src/docker/apache2-fpm/php-site.conf create mode 100644 appsec/tests/integration/src/docker/apache2-mod/Dockerfile create mode 100755 appsec/tests/integration/src/docker/apache2-mod/entrypoint.sh create mode 100644 appsec/tests/integration/src/docker/apache2-mod/php.conf create mode 100644 appsec/tests/integration/src/docker/apache2-mod/php.load create mode 100644 appsec/tests/integration/src/docker/fpm-common/php-fpm.conf create mode 100644 appsec/tests/integration/src/docker/fpm-common/www.conf create mode 100644 appsec/tests/integration/src/docker/nginx-fpm/Dockerfile create mode 100644 appsec/tests/integration/src/docker/nginx-fpm/default create mode 100755 appsec/tests/integration/src/docker/nginx-fpm/entrypoint.sh create mode 100644 appsec/tests/integration/src/docker/php/Dockerfile create mode 100644 appsec/tests/integration/src/docker/php/Dockerfile-php-deps create mode 100755 appsec/tests/integration/src/docker/php/build_dev_php.sh create mode 100644 appsec/tests/integration/src/docker/php/php.ini create mode 100644 appsec/tests/integration/src/docker/php/php_patches/configure_curl.patch create mode 100644 appsec/tests/integration/src/docker/php/php_patches/configure_curl_old.patch create mode 100644 appsec/tests/integration/src/docker/php/php_patches/configure_gmp.patch create mode 100644 appsec/tests/integration/src/docker/php/php_patches/configure_icu.patch create mode 100644 appsec/tests/integration/src/docker/php/php_patches/newish_libxml.patch create mode 100644 appsec/tests/integration/src/docker/php/php_patches/opcache_num_var.patch create mode 100644 appsec/tests/integration/src/docker/php/php_patches/recent_icu.patch create mode 100644 appsec/tests/integration/src/docker/toolchain/CHECKSUMS create mode 100644 appsec/tests/integration/src/docker/toolchain/Dockerfile create mode 100644 appsec/tests/integration/src/docker/toolchain/Makefile create mode 100644 appsec/tests/integration/src/docker/toolchain/Toolchain.cmake create mode 100644 appsec/tests/integration/src/docker/toolchain/Toolchain.env create mode 100644 appsec/tests/integration/src/docker/toolchain/ToolchainGCC.cmake create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/AppSecContainer.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/FailOnUnmatchedTraces.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/FailOnUnmatchedTracesExtension.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/InspectContainerHelper.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/InfoHandler.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/MockDatadogAgent.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/MsgpackHelper.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/TracesV04Handler.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/model/Mapper.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/model/Span.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/model/Trace.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/test/JsonMatcher.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/test/NotifyTestLifecycle.groovy create mode 100644 appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/test/StopContainerExtension.groovy create mode 100644 appsec/tests/integration/src/main/resources/META-INF/services/org.junit.jupiter.api.extension.Extension create mode 100644 appsec/tests/integration/src/main/resources/junit-platform.properties create mode 100644 appsec/tests/integration/src/main/resources/logback.xml create mode 100755 appsec/tests/integration/src/test/bin/enable_extensions.sh create mode 100644 appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/AlpineApache2FpmTests.groovy create mode 100644 appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Apache2FpmTests.groovy create mode 100644 appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Apache2ModTests.groovy create mode 100644 appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy create mode 100644 appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Laravel8xTests.groovy create mode 100644 appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/NginxFpmTests.groovy create mode 100644 appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/RoadRunnerTests.groovy create mode 100644 appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Symfony62Tests.groovy create mode 100644 appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/TestParams.groovy create mode 100644 appsec/tests/integration/src/test/waf/recommended.json create mode 100644 appsec/tests/integration/src/test/www/base/public/custom_event.php create mode 100644 appsec/tests/integration/src/test/www/base/public/example.html create mode 100644 appsec/tests/integration/src/test/www/base/public/hello.php create mode 100644 appsec/tests/integration/src/test/www/base/public/index.php create mode 100644 appsec/tests/integration/src/test/www/base/public/phpinfo.php create mode 100644 appsec/tests/integration/src/test/www/base/public/poolenv.php create mode 100644 appsec/tests/integration/src/test/www/base/public/user_id.php create mode 100644 appsec/tests/integration/src/test/www/base/public/user_login_failure.php create mode 100644 appsec/tests/integration/src/test/www/base/public/user_login_success.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/.editorconfig create mode 100644 appsec/tests/integration/src/test/www/laravel8x/.env.example create mode 100644 appsec/tests/integration/src/test/www/laravel8x/.gitattributes create mode 100644 appsec/tests/integration/src/test/www/laravel8x/.gitignore create mode 100644 appsec/tests/integration/src/test/www/laravel8x/.styleci.yml create mode 100644 appsec/tests/integration/src/test/www/laravel8x/README.md create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Console/Kernel.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Exceptions/Handler.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Http/Controllers/Controller.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Http/Controllers/LoginController.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Http/Kernel.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/Authenticate.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/EncryptCookies.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/PreventRequestsDuringMaintenance.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/RedirectIfAuthenticated.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/TrimStrings.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/TrustHosts.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/TrustProxies.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/VerifyCsrfToken.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Models/User.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Providers/AppServiceProvider.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Providers/AuthServiceProvider.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Providers/BroadcastServiceProvider.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Providers/EventServiceProvider.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/app/Providers/RouteServiceProvider.php create mode 100755 appsec/tests/integration/src/test/www/laravel8x/artisan create mode 100644 appsec/tests/integration/src/test/www/laravel8x/bootstrap/app.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/bootstrap/cache/.gitignore create mode 100644 appsec/tests/integration/src/test/www/laravel8x/composer.json create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/app.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/auth.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/broadcasting.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/cache.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/cors.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/database.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/filesystems.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/hashing.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/logging.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/mail.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/queue.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/sanctum.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/services.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/session.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/config/view.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/database/.gitignore create mode 100644 appsec/tests/integration/src/test/www/laravel8x/database/factories/UserFactory.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/database/migrations/2014_10_12_000000_create_users_table.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/database/migrations/2014_10_12_100000_create_password_resets_table.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/database/migrations/2019_08_19_000000_create_failed_jobs_table.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/database/migrations/2019_12_14_000001_create_personal_access_tokens_table.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/database/seeders/DatabaseSeeder.php create mode 100755 appsec/tests/integration/src/test/www/laravel8x/initialize.sh create mode 100644 appsec/tests/integration/src/test/www/laravel8x/package.json create mode 100644 appsec/tests/integration/src/test/www/laravel8x/phpunit.xml create mode 100644 appsec/tests/integration/src/test/www/laravel8x/public/.htaccess create mode 100644 appsec/tests/integration/src/test/www/laravel8x/public/favicon.ico create mode 100644 appsec/tests/integration/src/test/www/laravel8x/public/index.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/public/robots.txt create mode 100644 appsec/tests/integration/src/test/www/laravel8x/resources/css/app.css create mode 100644 appsec/tests/integration/src/test/www/laravel8x/resources/js/app.js create mode 100644 appsec/tests/integration/src/test/www/laravel8x/resources/js/bootstrap.js create mode 100644 appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/auth.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/pagination.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/passwords.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/validation.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/resources/views/welcome.blade.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/routes/api.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/routes/channels.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/routes/console.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/routes/web.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/server.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/storage/app/.gitignore create mode 100644 appsec/tests/integration/src/test/www/laravel8x/storage/app/public/.gitignore create mode 100644 appsec/tests/integration/src/test/www/laravel8x/storage/framework/.gitignore create mode 100644 appsec/tests/integration/src/test/www/laravel8x/storage/framework/cache/.gitignore create mode 100644 appsec/tests/integration/src/test/www/laravel8x/storage/framework/cache/data/.gitignore create mode 100644 appsec/tests/integration/src/test/www/laravel8x/storage/framework/sessions/.gitignore create mode 100644 appsec/tests/integration/src/test/www/laravel8x/storage/framework/testing/.gitignore create mode 100644 appsec/tests/integration/src/test/www/laravel8x/storage/framework/views/.gitignore create mode 100644 appsec/tests/integration/src/test/www/laravel8x/storage/logs/.gitignore create mode 100644 appsec/tests/integration/src/test/www/laravel8x/tests/CreatesApplication.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/tests/Feature/ExampleTest.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/tests/TestCase.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/tests/Unit/ExampleTest.php create mode 100644 appsec/tests/integration/src/test/www/laravel8x/webpack.mix.js create mode 100644 appsec/tests/integration/src/test/www/roadrunner/.gitignore create mode 100644 appsec/tests/integration/src/test/www/roadrunner/.rr.yaml create mode 100644 appsec/tests/integration/src/test/www/roadrunner/composer.json create mode 100755 appsec/tests/integration/src/test/www/roadrunner/run.sh create mode 100644 appsec/tests/integration/src/test/www/roadrunner/src/HomePageHandler.php create mode 100644 appsec/tests/integration/src/test/www/roadrunner/src/Router.php create mode 100644 appsec/tests/integration/src/test/www/roadrunner/worker.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/.env create mode 100644 appsec/tests/integration/src/test/www/symfony62/.gitignore create mode 100644 appsec/tests/integration/src/test/www/symfony62/Dockerfile create mode 100755 appsec/tests/integration/src/test/www/symfony62/bin/console create mode 100644 appsec/tests/integration/src/test/www/symfony62/composer.json create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/bundles.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/packages/cache.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/packages/doctrine.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/packages/doctrine_migrations.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/packages/framework.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/packages/monolog.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/packages/prod/routing.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/packages/routing.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/packages/security.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/packages/test/framework.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/packages/test/twig.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/packages/twig.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/packages/validator.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/preload.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/routes.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/routes/annotations.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/routes/dev/framework.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/routes/framework.yaml create mode 100644 appsec/tests/integration/src/test/www/symfony62/config/services.yaml create mode 100755 appsec/tests/integration/src/test/www/symfony62/initialize.sh create mode 100644 appsec/tests/integration/src/test/www/symfony62/migrations/.gitignore create mode 100644 appsec/tests/integration/src/test/www/symfony62/migrations/Version20230721093441.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/public/.htaccess create mode 100644 appsec/tests/integration/src/test/www/symfony62/public/index.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/src/Controller/HomeController.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/src/Controller/LoginController.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/src/Controller/RegistrationController.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/src/DataFixtures/AppFixtures.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/src/Entity/User.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/src/Form/RegistrationFormType.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/src/Kernel.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/src/Repository/UserRepository.php create mode 100644 appsec/tests/integration/src/test/www/symfony62/symfony.lock create mode 100644 appsec/tests/integration/src/test/www/symfony62/templates/base.html.twig create mode 100644 appsec/tests/integration/src/test/www/symfony62/templates/login/index.html.twig create mode 100644 appsec/tests/integration/src/test/www/symfony62/templates/registration/register.html.twig create mode 100644 appsec/tests/integration/src/test/www/symfony62/templates/twig_template.html.twig create mode 100644 appsec/valgrind.supp create mode 100644 ext/user_request.c create mode 100644 ext/user_request.h create mode 100644 ext/user_request.stub.php create mode 100644 ext/user_request_arginfo.h diff --git a/appsec/CMakeLists.txt b/appsec/CMakeLists.txt index 24864fc48f0..46d489a1cff 100644 --- a/appsec/CMakeLists.txt +++ b/appsec/CMakeLists.txt @@ -1,13 +1,14 @@ cmake_minimum_required(VERSION 3.14) + list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/../cmake/Modules") option(HUNTER_STATUS_DEBUG "Print Hunter debug info" OFF) include("cmake/HunterGate.cmake") HunterGate( - URL "https://github.com/cpp-pm/hunter/archive/v0.23.314.tar.gz" - SHA1 "95c47c92f68edb091b5d6d18924baabe02a6962a") + URL "https://github.com/cpp-pm/hunter/archive/v0.25.3.tar.gz" + SHA1 "0dfbc2cb5c4cf7e83533733bdfd2125ff96680cb") configure_file(${CMAKE_CURRENT_SOURCE_DIR}/hunter-cache.id.in ${CMAKE_CURRENT_SOURCE_DIR}/hunter-cache.id) @@ -30,6 +31,8 @@ option(DD_APPSEC_TESTING "Whether to enable testing" ON) add_subdirectory(third_party EXCLUDE_FROM_ALL) +include("cmake/patchelf.cmake") + if (DD_APPSEC_BUILD_EXTENSION) include("cmake/extension.cmake") endif() diff --git a/appsec/cmake/extension.cmake b/appsec/cmake/extension.cmake index b5f7a5053ed..4410ba11941 100644 --- a/appsec/cmake/extension.cmake +++ b/appsec/cmake/extension.cmake @@ -43,7 +43,7 @@ if(COMPILER_HAS_NO_GNU_UNIQUE) target_compile_options(extension PRIVATE $<$:-fno-gnu-unique>) endif() target_compile_options(extension PRIVATE $<$:-fno-rtti -fno-exceptions>) -target_compile_options(extension PRIVATE -Wall -Wextra -Wno-unused-parameter) +target_compile_options(extension PRIVATE -Wall -Wextra -Werror) # our thread local variables are only used by ourselves target_compile_options(extension PRIVATE -ftls-model=local-dynamic) @@ -54,9 +54,10 @@ target_linker_flag_conditional(extension -Wl,--as-needed) target_linker_flag_conditional(extension "-Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/ddappsec.version") # Mac OS -target_linker_flag_conditional(extension -flat_namespace -undefined suppress) +target_linker_flag_conditional(extension -flat_namespace "-undefined suppress") target_linker_flag_conditional(extension -Wl,-exported_symbol -Wl,_get_module) +patch_away_libc(extension) if(DD_APPSEC_TESTING) if(DD_APPSEC_ENABLE_COVERAGE) diff --git a/appsec/cmake/patchelf.cmake b/appsec/cmake/patchelf.cmake new file mode 100644 index 00000000000..0fc7384d590 --- /dev/null +++ b/appsec/cmake/patchelf.cmake @@ -0,0 +1,17 @@ +function(patch_away_libc target) + if (NOT ${DD_APPSEC_ENABLE_PATCHELF_LIBC}) + return() + endif() + + if (CMAKE_SYSTEM_NAME STREQUAL Darwin) + return() + endif() + + find_program(PATCHELF patchelf) + if (PATCHELF STREQUAL "PATCHELF-NOTFOUND") + message(FATAL_ERROR "patchelf not found") + endif() + + add_custom_command(TARGET ${target} POST_BUILD + COMMAND patchelf --remove-needed libc.so $ ${SYMBOL_FILE}) +endfunction() diff --git a/appsec/cmake/run-tests-wrapper.sh b/appsec/cmake/run-tests-wrapper.sh index bb140eea956..4910cb2764c 100755 --- a/appsec/cmake/run-tests-wrapper.sh +++ b/appsec/cmake/run-tests-wrapper.sh @@ -9,6 +9,7 @@ export DD_TRACE_ENABLED=true export DD_TRACE_GENERATE_ROOT_SPAN=true export DD_TRACE_CLI_ENABLED=true export DD_TRACE_AGENT_PORT=18126 +export PHPRC= CMAKE_BINARY_DIR="$1" MOCK_HELPER_BINARY="$2" @@ -44,7 +45,7 @@ function link_extensions { if [[ -L $ddtrace && $(readlink "$ddtrace") != $TRACER_EXT_FILE ]]; then rm -v "$ddtrace" fi - if [[ ! -f $ddtrace ]]; then + if [[ ! -L $ddtrace ]]; then ln -s -v "$TRACER_EXT_FILE" $ddtrace fi fi diff --git a/appsec/cmake/run_tests.cmake b/appsec/cmake/run_tests.cmake index 5104018852e..701958f1b99 100644 --- a/appsec/cmake/run_tests.cmake +++ b/appsec/cmake/run_tests.cmake @@ -1,7 +1,8 @@ -set(DD_APPSEC_TRACER_EXT_FILE ${CMAKE_SOURCE_DIR}/../tmp/build_extension/modules/ddtrace.so) +get_filename_component(DD_APPSEC_TRACER_EXT_FILE "${CMAKE_SOURCE_DIR}/../tmp/build_extension/modules/ddtrace.so" REALPATH) add_custom_target(ddtrace - COMMAND make + COMMAND ${CMAKE_COMMAND} -E env "PATH=${PhpConfig_ROOT_DIR}/bin:$ENV{PATH}" PHPRC= + make "${DD_APPSEC_TRACER_EXT_FILE}" BYPRODUCTS ${DD_APPSEC_TRACER_EXT_FILE} WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/../) diff --git a/appsec/run-tests-internal.php b/appsec/run-tests-internal.php index 6a26d14872f..7eb24f23fb6 100644 --- a/appsec/run-tests-internal.php +++ b/appsec/run-tests-internal.php @@ -2842,10 +2842,10 @@ function run_test($php, $file, array $env) gdb --args {$cmd} ;; "valgrind") - USE_ZEND_ALLOC=0 valgrind $2 ${cmd} + USE_ZEND_ALLOC=0 valgrind $2 {$cmd} ;; "rr") - rr record $2 ${cmd} + rr record $2 {$cmd} ;; *) {$cmd} @@ -3773,7 +3773,7 @@ public function __construct(array $environment, $tool = 'memcheck') public function wrapCommand($cmd, $memcheck_filename, $check_all) { $supp_file = INIT_DIR . "/valgrind.supp"; - $vcmd = "valgrind -q --tool={$this->tool} --trace-children=no --child-silent-after-fork=yes --leak-check=full " . + $vcmd = "valgrind --gen-suppressions=all -q --tool={$this->tool} --trace-children=no --child-silent-after-fork=yes --leak-check=full " . "--num-callers=16 --run-libc-freeres=no"; if (file_exists($supp_file)) { $vcmd .= " --suppressions='$supp_file'"; diff --git a/appsec/src/extension/commands/client_init.c b/appsec/src/extension/commands/client_init.c index 8945ba0cfca..81f1e5c688c 100644 --- a/appsec/src/extension/commands/client_init.c +++ b/appsec/src/extension/commands/client_init.c @@ -23,7 +23,8 @@ static const unsigned int MAX_TCP_PORT_ALLOWED = UINT16_MAX; static dd_result _pack_command(mpack_writer_t *nonnull w, void *nullable ctx); static dd_result _process_response(mpack_node_t root, void *nullable ctx); -static void _process_meta_and_metrics(mpack_node_t root); +static void _process_meta_and_metrics( + mpack_node_t root, struct req_info *nonnull ctx); static void _pack_agent_details(mpack_writer_t *nonnull w); static const dd_command_spec _spec = { @@ -78,24 +79,22 @@ static void _pack_agent_details(mpack_writer_t *nonnull w) } } -dd_result dd_client_init(dd_conn *nonnull conn) +dd_result dd_client_init(dd_conn *nonnull conn, struct req_info *nonnull ctx) { - return dd_command_exec_cred(conn, &_spec, NULL); + return dd_command_exec_cred(conn, &_spec, ctx); } static dd_result _pack_command( mpack_writer_t *nonnull w, ATTR_UNUSED void *nullable ctx) { - // unsigned pid, string client_version, runtime_version, rules_file mpack_write(w, (uint32_t)getpid()); dd_mpack_write_lstr(w, PHP_DDAPPSEC_VERSION); dd_mpack_write_lstr(w, PHP_VERSION); - enabled_configuration configuration = DDAPPSEC_G(enabled_by_configuration); - if (configuration == NOT_CONFIGURED) { + if (DDAPPSEC_G(enabled) == APPSEC_ENABLED_VIA_REMCFG) { mpack_write_nil(w); } else { - mpack_write_bool(w, configuration == ENABLED ? true : false); + mpack_write_bool(w, DDAPPSEC_G(active)); } // Service details @@ -206,7 +205,7 @@ static dd_result _process_response( mpack_node_t root, ATTR_UNUSED void *nullable ctx) { // Add any tags and metrics provided by the helper - _process_meta_and_metrics(root); + _process_meta_and_metrics(root, ctx); // check verdict mpack_node_t verdict = mpack_node_array_at(root, 0); @@ -246,15 +245,22 @@ static dd_result _process_response( return dd_error; } -static void _process_meta_and_metrics(mpack_node_t root) +static void _process_meta_and_metrics(mpack_node_t root, struct req_info *nonnull ctx) { + zend_object *span = ctx->root_span; + if (!span) { + mlog( + dd_log_debug, "Meta/metrics in client_init ignored (no root span)"); + return; + } + mpack_node_t meta = mpack_node_array_at(root, 3); if (mpack_node_map_count(meta) > 0) { - dd_command_process_meta(meta); + dd_command_process_meta(meta, span); } mpack_node_t metrics = mpack_node_array_at(root, 4); - dd_command_process_metrics(metrics); + dd_command_process_metrics(metrics, span); } static dd_result _check_helper_version(mpack_node_t root) diff --git a/appsec/src/extension/commands/client_init.h b/appsec/src/extension/commands/client_init.h index 1702b746095..ad4170cf108 100644 --- a/appsec/src/extension/commands/client_init.h +++ b/appsec/src/extension/commands/client_init.h @@ -6,5 +6,6 @@ #pragma once #include "../network.h" +#include "../commands_ctx.h" -dd_result dd_client_init(dd_conn *nonnull conn); +dd_result dd_client_init(dd_conn *nonnull conn, struct req_info *nonnull ctx); diff --git a/appsec/src/extension/commands/request_exec.c b/appsec/src/extension/commands/request_exec.c index de7511f1c66..d58284c9807 100644 --- a/appsec/src/extension/commands/request_exec.c +++ b/appsec/src/extension/commands/request_exec.c @@ -12,6 +12,11 @@ #include #include +struct ctx { + struct req_info req_info; // dd_command_proc_resp_verd_span_data expect it + zval *nonnull data; +}; + static dd_result _pack_command( mpack_writer_t *nonnull w, ATTR_UNUSED void *nullable ctx); @@ -32,14 +37,18 @@ dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data) return dd_error; } - return dd_command_exec(conn, &_spec, (void *)data); + struct ctx ctx = { .data = data }; + + return dd_command_exec(conn, &_spec, &ctx); } static dd_result _pack_command( - mpack_writer_t *nonnull w, ATTR_UNUSED void *nullable ctx) + mpack_writer_t *nonnull w, ATTR_UNUSED void *nullable _ctx) { - zval *data = (zval *)ctx; - dd_mpack_write_zval(w, data); + assert(_ctx != NULL); + struct ctx *ctx = _ctx; + + dd_mpack_write_zval(w, ctx->data); return dd_success; } diff --git a/appsec/src/extension/commands/request_init.c b/appsec/src/extension/commands/request_init.c index 0ae7a326358..0c59c0ed2bb 100644 --- a/appsec/src/extension/commands/request_init.c +++ b/appsec/src/extension/commands/request_init.c @@ -24,9 +24,12 @@ static dd_result _request_pack( mpack_writer_t *nonnull w, void *nullable ATTR_UNUSED ctx); static void _init_autoglobals(void); -static void _pack_headers(mpack_writer_t *nonnull w); -static void _pack_filenames(mpack_writer_t *nonnull w); -static void _pack_files_field_names(mpack_writer_t *nonnull w); +static void _pack_headers( + mpack_writer_t *nonnull w, const zend_array *nonnull server); +static void _pack_filenames( + mpack_writer_t *nonnull w, const zend_array *nonnull files); +static void _pack_files_field_names( + mpack_writer_t *nonnull w, const zend_array *nonnull files); static void _pack_path_params( mpack_writer_t *nonnull w, const zend_string *nullable uri_raw); @@ -39,15 +42,15 @@ static const dd_command_spec _spec = { .config_features_cb = dd_command_process_config_features, }; -dd_result dd_request_init(dd_conn *nonnull conn) +dd_result dd_request_init( + dd_conn *nonnull conn, struct req_info_init *nonnull ctx) { - return dd_command_exec(conn, &_spec, NULL); + return dd_command_exec(conn, &_spec, ctx); } -static dd_result _request_pack( - mpack_writer_t *nonnull w, void *nullable ATTR_UNUSED ctx) +static dd_result _request_pack(mpack_writer_t *nonnull w, void *nullable _ctx) { - UNUSED(ctx); + struct req_info_init *nullable ctx = _ctx; bool send_raw_body = get_global_DD_APPSEC_TESTING() && get_global_DD_APPSEC_TESTING_RAW_BODY(); @@ -63,45 +66,54 @@ static dd_result _request_pack( // 1. dd_mpack_write_lstr(w, "server.request.query"); - dd_mpack_write_zval( - w, dd_php_get_autoglobal(TRACK_VARS_GET, ZEND_STRL("_GET"))); + dd_mpack_write_array(w, dd_get_superglob_or_equiv(ZEND_STRL("_GET"), + TRACK_VARS_GET, ctx->superglob_equiv)); // 2. + const zend_array *nonnull server = dd_get_superglob_or_equiv( + ZEND_STRL("_SERVER"), TRACK_VARS_SERVER, ctx->superglob_equiv); dd_mpack_write_lstr(w, "server.request.method"); - mpack_write(w, request_info->request_method); + if (ctx->superglob_equiv) { + dd_mpack_write_nullable_zstr(w, + dd_php_get_string_elem_cstr(server, ZEND_STRL("REQUEST_METHOD"))); + } else { + mpack_write(w, request_info->request_method); + } // Pack data from server global - _init_autoglobals(); + if (!ctx->superglob_equiv) { + _init_autoglobals(); + } // 3. dd_mpack_write_lstr(w, "server.request.cookies"); - dd_mpack_write_zval( - w, dd_php_get_autoglobal(TRACK_VARS_COOKIE, ZEND_STRL("_COOKIE"))); + dd_mpack_write_array(w, dd_get_superglob_or_equiv(ZEND_STRL("_COOKIE"), + TRACK_VARS_COOKIE, ctx->superglob_equiv)); // 4. - zval *nullable server_ag = - dd_php_get_autoglobal(TRACK_VARS_SERVER, ZEND_STRL("_SERVER")); const zend_string *nullable request_uri = - dd_php_get_string_elem_cstr(server_ag, ZEND_STRL("REQUEST_URI")); + dd_php_get_string_elem_cstr(server, ZEND_STRL("REQUEST_URI")); dd_mpack_write_lstr(w, "server.request.uri.raw"); dd_mpack_write_nullable_zstr(w, request_uri); // 5. dd_mpack_write_lstr(w, "server.request.headers.no_cookies"); - _pack_headers(w); + _pack_headers(w, server); // 6. dd_mpack_write_lstr(w, "server.request.body"); - dd_mpack_write_zval( - w, dd_php_get_autoglobal(TRACK_VARS_POST, ZEND_STRL("_POST"))); + dd_mpack_write_array(w, dd_get_superglob_or_equiv(ZEND_STRL("_POST"), + TRACK_VARS_POST, ctx->superglob_equiv)); // 7. + const zend_array *nonnull files = dd_get_superglob_or_equiv( + ZEND_STRL("_FILES"), TRACK_VARS_FILES, ctx->superglob_equiv); dd_mpack_write_lstr(w, "server.request.body.filenames"); - _pack_filenames(w); + _pack_filenames(w, files); // 8. dd_mpack_write_lstr(w, "server.request.body.files_field_names"); - _pack_files_field_names(w); + _pack_files_field_names(w, files); // 9. dd_mpack_write_lstr(w, "server.request.path_params"); @@ -109,10 +121,10 @@ static dd_result _request_pack( // 10. dd_mpack_write_lstr(w, "http.client_ip"); - dd_mpack_write_nullable_zstr(w, dd_ip_extraction_get_ip()); + dd_mpack_write_nullable_zstr(w, ctx->req_info.client_ip); // 11. - if (send_raw_body) { + if (send_raw_body && !ctx->superglob_equiv) { dd_mpack_write_lstr(w, "server.request.body.raw"); zend_string *nonnull req_body = dd_request_body_buffered(DD_MAX_REQ_BODY_TO_BUFFER); @@ -150,22 +162,15 @@ static zend_string *_transform_header_name(const zend_string *orig) dd_string_normalize_header2(rp, wp, header_len); return ret; } -static void _pack_headers(mpack_writer_t *nonnull w) +static void _pack_headers( + mpack_writer_t *nonnull w, const zend_array *nonnull server) { - zval *server = - dd_php_get_autoglobal(TRACK_VARS_SERVER, ZEND_STRL("_SERVER")); - if (server == NULL) { - mpack_start_map(w, 0); - mpack_finish_map(w); - return; - } - mpack_build_map(w); // Pack headers zend_string *key; zval *val; - ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(server), key, val) + ZEND_HASH_FOREACH_STR_KEY_VAL((zend_array *)server, key, val) { if (!key) { continue; @@ -183,19 +188,13 @@ static void _pack_headers(mpack_writer_t *nonnull w) mpack_complete_map(w); } -static void _pack_filenames(mpack_writer_t *nonnull w) +static void _pack_filenames( + mpack_writer_t *nonnull w, const zend_array *nonnull files) { - zval *files = dd_php_get_autoglobal(TRACK_VARS_FILES, ZEND_STRL("_FILES")); - if (!files) { - mpack_start_array(w, 0); - mpack_finish_array(w); - return; - } - mpack_build_array(w); zval *val; - ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(files), val) + ZEND_HASH_FOREACH_VAL((zend_array *)files, val) { if (!val || Z_TYPE_P(val) != IS_ARRAY) { continue; @@ -213,20 +212,14 @@ static void _pack_filenames(mpack_writer_t *nonnull w) mpack_complete_array(w); } -static void _pack_files_field_names(mpack_writer_t *nonnull w) +static void _pack_files_field_names( + mpack_writer_t *nonnull w, const zend_array *nonnull files) { - zval *files = dd_php_get_autoglobal(TRACK_VARS_FILES, ZEND_STRL("_FILES")); - if (!files) { - mpack_start_array(w, 0); - mpack_finish_array(w); - return; - } - mpack_build_array(w); zend_ulong key_i; zend_string *key_s; - ZEND_HASH_FOREACH_KEY(Z_ARRVAL_P(files), key_i, key_s) + ZEND_HASH_FOREACH_KEY((zend_array *)files, key_i, key_s) { if (key_s) { dd_mpack_write_zstr(w, key_s); diff --git a/appsec/src/extension/commands/request_init.h b/appsec/src/extension/commands/request_init.h index 30fd262f072..b3f728354c3 100644 --- a/appsec/src/extension/commands/request_init.h +++ b/appsec/src/extension/commands/request_init.h @@ -6,5 +6,11 @@ #pragma once #include "../network.h" +#include "../commands_ctx.h" -dd_result dd_request_init(dd_conn *nonnull conn); +struct req_info_init { + struct req_info req_info; + zend_array *nullable superglob_equiv; +}; +dd_result dd_request_init( + dd_conn *nonnull conn, struct req_info_init *nonnull ctx); diff --git a/appsec/src/extension/commands/request_shutdown.c b/appsec/src/extension/commands/request_shutdown.c index 7e2c273f94d..0f66c3e380f 100644 --- a/appsec/src/extension/commands/request_shutdown.c +++ b/appsec/src/extension/commands/request_shutdown.c @@ -10,9 +10,11 @@ #include "../string_helpers.h" #include -static dd_result _request_pack( - mpack_writer_t *nonnull w, void *nullable ATTR_UNUSED ctx); -static void _pack_headers_no_cookies(mpack_writer_t *nonnull w); +static dd_result _request_pack(mpack_writer_t *nonnull w, void *nonnull ctx); +static void _pack_headers_no_cookies_llist( + mpack_writer_t *nonnull w, zend_llist *nonnull hl); +static void _pack_headers_no_cookies_map( + mpack_writer_t *nonnull w, const zend_array *nonnull headers); static const dd_command_spec _spec = { .name = "request_shutdown", @@ -23,15 +25,15 @@ static const dd_command_spec _spec = { .config_features_cb = dd_command_process_config_features_unexpected, }; -dd_result dd_request_shutdown(dd_conn *nonnull conn) +dd_result dd_request_shutdown( + dd_conn *nonnull conn, struct req_shutdown_info *nonnull req_info) { - return dd_command_exec(conn, &_spec, NULL); + return dd_command_exec(conn, &_spec, req_info); } -static dd_result _request_pack( - mpack_writer_t *nonnull w, void *nullable ATTR_UNUSED ctx) +static dd_result _request_pack(mpack_writer_t *nonnull w, void *nonnull ctx) { - UNUSED(ctx); + struct req_shutdown_info *nonnull req_info = ctx; #define REQUEST_SHUTDOWN_MAP_NUM_ENTRIES 2 mpack_start_map(w, REQUEST_SHUTDOWN_MAP_NUM_ENTRIES); @@ -40,15 +42,18 @@ static dd_result _request_pack( { _Static_assert(sizeof(int) == 4, "expected 32-bit int"); dd_mpack_write_lstr(w, "server.response.status"); - int response_code = SG(sapi_headers).http_response_code; char buf[sizeof("-2147483648")]; - int size = sprintf(buf, "%d", response_code); + int size = sprintf(buf, "%d", req_info->status_code); mpack_write_str(w, buf, (uint32_t)size); } // 2. dd_mpack_write_lstr(w, "server.response.headers.no_cookies"); - _pack_headers_no_cookies(w); + if (req_info->resp_headers_fmt == RESP_HEADERS_LLIST) { + _pack_headers_no_cookies_llist(w, req_info->resp_headers_llist); + } else { + _pack_headers_no_cookies_map(w, req_info->resp_headers_arr); + } mpack_finish_map(w); @@ -62,15 +67,14 @@ static void _dtor_headers_map(zval *zv) efree(l); } -static void _pack_headers_no_cookies(mpack_writer_t *nonnull w) +static void _pack_headers_no_cookies_llist( + mpack_writer_t *nonnull w, zend_llist *nonnull hl) { struct _header_val { const char *val; size_t len; }; - zend_llist *hl = &SG(sapi_headers).headers; - // first collect the headers in array of lists HashTable headers_map; zend_hash_init( @@ -94,7 +98,7 @@ static void _pack_headers_no_cookies(mpack_writer_t *nonnull w) coll = zend_hash_find_ptr(&headers_map, norm_header_name); if (!coll) { - coll = emalloc(sizeof *coll); // NOLINT + coll = emalloc(sizeof *coll); zend_llist_init(coll, sizeof(struct _header_val), NULL, 0); zend_hash_add_new_ptr(&headers_map, norm_header_name, coll); } @@ -130,3 +134,58 @@ static void _pack_headers_no_cookies(mpack_writer_t *nonnull w) zend_hash_destroy(&headers_map); } + +static void _pack_headers_no_cookies_map( + mpack_writer_t *nonnull w, const zend_array *nonnull headers) +{ + mpack_start_map(w, zend_array_count((zend_array *)headers)); + + zend_string *key; + zval *val; + zend_long idx; + ZEND_HASH_FOREACH_KEY_VAL((zend_array *)headers, idx, key, val) + { + if (!key) { + mlog(dd_log_warning, "unexpected header array key type: expected a " + "string, not numeric indices"); + key = zend_long_to_str(idx); + } else { + zend_string_addref(key); + } + + mpack_write_str(w, ZSTR_VAL(key), ZSTR_LEN(key)); + + if (Z_TYPE_P(val) == IS_ARRAY) { + mpack_start_array(w, zend_array_count(Z_ARRVAL_P(val))); + zval *zv; + ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(val), zv) + { + if (Z_TYPE_P(zv) == IS_STRING) { + mpack_write_str(w, Z_STRVAL_P(zv), Z_STRLEN_P(zv)); + } else { + mpack_write_str(w, ZEND_STRL("(invalid value)")); + mlog(dd_log_warning, + "unexpected header value type: %d (value is an array, " + "but found an element of it that's no string)", + Z_TYPE_P(zv)); + } + } + ZEND_HASH_FOREACH_END(); + } else if (Z_TYPE_P(val) == IS_STRING) { + mpack_start_array(w, 1); + mpack_write_str(w, Z_STRVAL_P(val), Z_STRLEN_P(val)); + } else { + mpack_start_array(w, 1); + mpack_write_str(w, ZEND_STRL("(invalid value)")); + mlog(dd_log_warning, + "unexpected header value type: %d (expected string or array of " + "strings)", + Z_TYPE_P(val)); + } + mpack_finish_array(w); + + zend_string_release(key); + } + ZEND_HASH_FOREACH_END(); + mpack_finish_map(w); +} diff --git a/appsec/src/extension/commands/request_shutdown.h b/appsec/src/extension/commands/request_shutdown.h index 8658f637634..77d9ee114a1 100644 --- a/appsec/src/extension/commands/request_shutdown.h +++ b/appsec/src/extension/commands/request_shutdown.h @@ -7,5 +7,21 @@ #include "../network.h" #include "../attributes.h" +#include "../commands_ctx.h" +#include -dd_result dd_request_shutdown(dd_conn *nonnull conn); +struct req_shutdown_info { + struct req_info req_info; + int status_code; + enum { + RESP_HEADERS_LLIST, + RESP_HEADERS_MAP_STRING_LIST, + } resp_headers_fmt; + union { + zend_llist *nonnull resp_headers_llist; + const zend_array *nonnull resp_headers_arr; + }; +}; + +dd_result dd_request_shutdown( + dd_conn *nonnull conn, struct req_shutdown_info *nonnull req_info); diff --git a/appsec/src/extension/commands_ctx.h b/appsec/src/extension/commands_ctx.h new file mode 100644 index 00000000000..9d78a3d53cb --- /dev/null +++ b/appsec/src/extension/commands_ctx.h @@ -0,0 +1,9 @@ +#pragma once + +#include "attributes.h" +#include + +struct req_info { + zend_object *nullable root_span; + zend_string *nullable client_ip; +}; diff --git a/appsec/src/extension/commands_helpers.c b/appsec/src/extension/commands_helpers.c index 9afadaafcf0..5ba4e5e55ef 100644 --- a/appsec/src/extension/commands_helpers.c +++ b/appsec/src/extension/commands_helpers.c @@ -4,6 +4,8 @@ // This product includes software developed at Datadog // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc. #include "commands_helpers.h" +#include "commands_ctx.h" +#include "configuration.h" #include "ddappsec.h" #include "ddtrace.h" #include "logging.h" @@ -167,8 +169,7 @@ static dd_result _dd_command_exec(dd_conn *nonnull conn, bool check_cred, err = _imsg_destroy(&imsg); if (err != mpack_ok) { mlog(dd_log_warning, - "Response message for %.*s does not " - "have the expected form", + "Response message for %.*s does not have the expected form", NAME_L); return dd_error; @@ -411,8 +412,11 @@ static void _command_process_redirect_parameters(mpack_node_t root) } dd_result dd_command_proc_resp_verd_span_data( - mpack_node_t root, ATTR_UNUSED void *unspecnull ctx) + mpack_node_t root, void *unspecnull _ctx) { + struct req_info *ctx = _ctx; + assert(ctx != NULL); + // expected: ['ok' / 'record' / 'block' / 'redirect'] mpack_node_t verdict = mpack_node_array_at(root, 0); if (mlog_should_log(dd_log_debug)) { @@ -450,12 +454,14 @@ dd_result dd_command_proc_resp_verd_span_data( } // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers) - if (mpack_node_array_length(root) >= 6) { + if (mpack_node_array_length(root) >= 6 && ctx->root_span) { + zend_object *span = ctx->root_span; + mpack_node_t meta = mpack_node_array_at(root, 4); - dd_command_process_meta(meta); + dd_command_process_meta(meta, span); // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers) mpack_node_t metrics = mpack_node_array_at(root, 5); - dd_command_process_metrics(metrics); + dd_command_process_metrics(metrics, span); } return res; @@ -488,11 +494,12 @@ static void _set_appsec_span_data(mpack_node_t node) } } -void dd_command_process_meta(mpack_node_t root) +void dd_command_process_meta(mpack_node_t root, zend_object *nonnull span) { if (mpack_node_type(root) != mpack_type_map) { return; } + size_t count = mpack_node_map_count(root); for (size_t i = 0; i < count; i++) { @@ -514,8 +521,8 @@ void dd_command_process_meta(mpack_node_t root) key_len = INT_MAX; } - bool res = dd_trace_root_span_add_tag_str( - key_str, key_len, mpack_node_str(value), mpack_node_strlen(value)); + bool res = dd_trace_span_add_tag_str(span, key_str, key_len, + mpack_node_str(value), mpack_node_strlen(value)); if (!res) { mlog(dd_log_warning, "Failed to add tag %.*s", (int)key_len, @@ -525,9 +532,9 @@ void dd_command_process_meta(mpack_node_t root) } } -bool dd_command_process_metrics(mpack_node_t root) +bool dd_command_process_metrics(mpack_node_t root, zend_object *nonnull span) { - zval *metrics_zv = dd_trace_root_span_get_metrics(); + zval *metrics_zv = dd_trace_span_get_metrics(span); if (metrics_zv == NULL) { return false; } @@ -632,13 +639,24 @@ dd_result dd_command_process_config_features( mpack_node_t first_element = mpack_node_array_at(root, 0); bool new_status = mpack_node_bool(first_element); - if (DDAPPSEC_G(enabled_by_configuration) == ENABLED && !new_status) { - DDAPPSEC_G(enabled) = ENABLED; // Configuration dictates + if (DDAPPSEC_G(enabled) == APPSEC_FULLY_ENABLED && !new_status) { mlog(dd_log_debug, "Remote config is trying to disable extension but " "it is enabled by config"); - return dd_success; + } else { + DDAPPSEC_G(to_be_configured) = false; + + if (DDAPPSEC_G(active) == new_status) { + mlog(dd_log_debug, + "Remote config has not changed extension status: still %s", + new_status ? "enabled" : "disabled"); + } else { + mlog(dd_log_info, + "Remote config has changed extension status from %s to %s", + DDAPPSEC_G(active) ? "enabled" : "disabled", + new_status ? "enabled" : "disabled"); + DDAPPSEC_G(active) = new_status; + } } - DDAPPSEC_G(enabled) = new_status ? ENABLED : DISABLED; return dd_success; } diff --git a/appsec/src/extension/commands_helpers.h b/appsec/src/extension/commands_helpers.h index df106514b55..58154031c7c 100644 --- a/appsec/src/extension/commands_helpers.h +++ b/appsec/src/extension/commands_helpers.h @@ -6,10 +6,10 @@ #pragma once #include "attributes.h" +#include "commands_ctx.h" #include "dddefs.h" #include "network.h" #include -#include typedef struct _dd_command_spec { const char *nonnull name; @@ -29,12 +29,12 @@ dd_result ATTR_WARN_UNUSED dd_command_exec_cred(dd_conn *nonnull conn, const dd_command_spec *nonnull spec, void *unspecnull ctx); /* Baked response */ -dd_result dd_command_proc_resp_verd_span_data( - mpack_node_t root, ATTR_UNUSED void *unspecnull ctx); +dd_result dd_command_proc_resp_verd_span_data(mpack_node_t root, + void *unspecnull ctx /* actually struct req_info* nonnull */); /* Common helpers */ -void dd_command_process_meta(mpack_node_t root); -bool dd_command_process_metrics(mpack_node_t root); +void dd_command_process_meta(mpack_node_t root, zend_object *nonnull span); +bool dd_command_process_metrics(mpack_node_t root, zend_object *nonnull span); dd_result dd_command_process_config_features( mpack_node_t root, ATTR_UNUSED void *nullable ctx); dd_result dd_command_process_config_features_unexpected( diff --git a/appsec/src/extension/configuration.c b/appsec/src/extension/configuration.c index 1b7c3a869b8..a3d3bd12e67 100644 --- a/appsec/src/extension/configuration.c +++ b/appsec/src/extension/configuration.c @@ -299,9 +299,15 @@ static void _register_testing_objects() dd_phpobj_reg_funcs(testing_functions); } -bool dd_is_config_using_default(dd_config_id id) +static bool _is_config_using_default(dd_config_id id) { zai_config_memoized_entry config = zai_config_memoized_entries[id]; return config.name_index == -1; } + +bool dd_cfg_enable_via_remcfg(void) +{ + return _is_config_using_default(DDAPPSEC_CONFIG_DD_APPSEC_ENABLED) && + get_DD_REMOTE_CONFIG_ENABLED(); +} diff --git a/appsec/src/extension/configuration.h b/appsec/src/extension/configuration.h index d349fdbb92f..e3996c9dcdb 100644 --- a/appsec/src/extension/configuration.h +++ b/appsec/src/extension/configuration.h @@ -32,6 +32,7 @@ extern bool runtime_config_first_init; // clang-format off #define DD_CONFIGURATION \ CONFIG(BOOL, DD_APPSEC_ENABLED, "false") \ + SYSCFG(BOOL, DD_APPSEC_CLI_START_ON_RINIT, "false") \ SYSCFG(STRING, DD_APPSEC_RULES, "") \ SYSCFG(CUSTOM(uint64_t), DD_APPSEC_WAF_TIMEOUT, "10000", .parser = _parse_uint64) \ SYSCFG(CUSTOM(uint32_t), DD_APPSEC_TRACE_RATE_LIMIT, "100", .parser = _parse_uint32) \ @@ -117,6 +118,6 @@ DD_CONFIGURATION #undef CUSTOM #undef CALIAS -bool dd_is_config_using_default(dd_config_id id); +bool dd_cfg_enable_via_remcfg(void); #endif // DD_CONFIGURATION_H diff --git a/appsec/src/extension/ddappsec.c b/appsec/src/extension/ddappsec.c index c08fc2e4f37..f1ea856bc58 100644 --- a/appsec/src/extension/ddappsec.c +++ b/appsec/src/extension/ddappsec.c @@ -23,6 +23,7 @@ #include "commands/request_exec.h" #include "commands/request_init.h" #include "commands/request_shutdown.h" +#include "commands_ctx.h" #include "configuration.h" #include "ddappsec.h" #include "dddefs.h" @@ -35,6 +36,7 @@ #include "php_helpers.h" #include "php_objects.h" #include "request_abort.h" +#include "request_lifecycle.h" #include "string_helpers.h" #include "tags.h" #include "user_tracking.h" @@ -43,7 +45,6 @@ static atomic_int _thread_count; #endif -static int _do_rinit(INIT_FUNC_ARGS); static void _check_enabled(void); #ifdef TESTING static void _register_testing_objects(void); @@ -194,7 +195,7 @@ static PHP_MINIT_FUNCTION(ddappsec) return FAILURE; } - DDAPPSEC_G(enabled) = NOT_CONFIGURED; + DDAPPSEC_G(enabled) = APPSEC_ENABLED_VIA_REMCFG; dd_log_startup(); @@ -204,6 +205,7 @@ static PHP_MINIT_FUNCTION(ddappsec) dd_helper_startup(); dd_trace_startup(); + dd_req_lifecycle_startup(); dd_user_tracking_startup(); dd_request_abort_startup(); dd_tags_startup(); @@ -236,26 +238,27 @@ static pthread_once_t _rinit_once_control = PTHREAD_ONCE_INIT; static void _rinit_once() { dd_config_first_rinit(); - dd_request_abort_rinit_once(); } +// NOLINTNEXTLINE static PHP_RINIT_FUNCTION(ddappsec) { + UNUSED(type); + UNUSED(module_number); + // Safety precaution DDAPPSEC_G(during_request_shutdown) = false; pthread_once(&_rinit_once_control, _rinit_once); zai_config_rinit(); - _check_enabled(); - if (DDAPPSEC_G(enabled_by_configuration) == DISABLED) { + if (DDAPPSEC_G(enabled) == APPSEC_FULLY_DISABLED) { return SUCCESS; } DDAPPSEC_G(skip_rshutdown) = false; - dd_trace_rinit(); - dd_ip_extraction_rinit(); + dd_req_lifecycle_rinit(false); if (UNEXPECTED(get_global_DD_APPSEC_TESTING())) { if (get_global_DD_APPSEC_TESTING_ABORT_RINIT()) { @@ -264,59 +267,6 @@ static PHP_RINIT_FUNCTION(ddappsec) dd_request_abort_static_page(); } } - return SUCCESS; - } - return _do_rinit(INIT_FUNC_ARGS_PASSTHRU); -} - -static dd_result _acquire_conn_cb(dd_conn *nonnull conn) -{ - return dd_client_init(conn); -} - -// NOLINTNEXTLINE(bugprone-easily-swappable-parameters) -static int _do_rinit(INIT_FUNC_ARGS) -{ - UNUSED(type); - UNUSED(module_number); - - if (DDAPPSEC_G(enabled_by_configuration) == DISABLED) { - return SUCCESS; - } - - dd_tags_rinit(); - - // connect/client_init - dd_conn *conn = dd_helper_mgr_acquire_conn(_acquire_conn_cb); - if (conn == NULL) { - mlog_g(dd_log_debug, "No connection; skipping rest of RINIT"); - return SUCCESS; - } - - int res = dd_success; - if (DDAPPSEC_G(enabled) == ENABLED) { - // request_init - res = dd_request_init(conn); - } else { - // config_sync - res = dd_config_sync(conn); - if (res == SUCCESS && DDAPPSEC_G(enabled) == ENABLED) { - // Since it came as enabled, lets proceed - res = dd_request_init(conn); - } - } - if (res == dd_network) { - mlog_g(dd_log_info, - "request_init/config_sync failed with dd_network; closing " - "connection to helper"); - dd_helper_close_conn(); - } else if (res == dd_should_block) { - dd_request_abort_static_page(); - } else if (res == dd_should_redirect) { - dd_request_abort_redirect(); - } else if (res) { - mlog_g( - dd_log_info, "request init failed: %s", dd_result_to_string(res)); } return SUCCESS; @@ -334,7 +284,7 @@ static PHP_RSHUTDOWN_FUNCTION(ddappsec) // Here now we have to disconnect from the helper in all the cases but when // disabled by config - if (DDAPPSEC_G(enabled_by_configuration) == DISABLED) { + if (DDAPPSEC_G(enabled) == APPSEC_FULLY_DISABLED) { goto exit; } @@ -342,54 +292,16 @@ static PHP_RSHUTDOWN_FUNCTION(ddappsec) goto exit; } - if (UNEXPECTED(get_global_DD_APPSEC_TESTING())) { - dd_tags_rshutdown_testing(); - goto exit; - } - result = dd_appsec_rshutdown(false); exit: - dd_ip_extraction_rshutdown(); DDAPPSEC_G(during_request_shutdown) = false; return result; } int dd_appsec_rshutdown(bool ignore_verdict) { - int verdict = dd_success; - dd_conn *conn = dd_helper_mgr_cur_conn(); - if (conn && DDAPPSEC_G(enabled) == ENABLED) { - int res = dd_request_shutdown(conn); - if (res == dd_network) { - mlog_g(dd_log_info, - "request_shutdown failed with dd_network; closing " - "connection to helper"); - dd_helper_close_conn(); - } else if (res == dd_should_block || res == dd_should_redirect) { - verdict = ignore_verdict ? dd_success : res; - } else if (res) { - mlog_g(dd_log_info, "request shutdown failed: %s", - dd_result_to_string(res)); - } - } - - dd_helper_rshutdown(); - - if (DDAPPSEC_G(enabled) == ENABLED) { - dd_tags_add_tags(); - } - dd_tags_rshutdown(); - - // TODO when blocking on shutdown, let the tracer handle flushing - if (verdict == dd_should_block) { - dd_trace_close_all_spans_and_flush(); - dd_request_abort_static_page(); - } else if (verdict == dd_should_redirect) { - dd_trace_close_all_spans_and_flush(); - dd_request_abort_redirect(); - } - + dd_req_lifecycle_rshutdown(ignore_verdict, false); return SUCCESS; } @@ -413,20 +325,16 @@ static PHP_MINFO_FUNCTION(ddappsec) PUTS("(c) Datadog 2021\n"); php_info_print_box_end(); - char *state; - if (DDAPPSEC_G(enabled) == ENABLED) { - state = "Enabled"; - } else if (DDAPPSEC_G(enabled) == DISABLED) { - state = "Disabled"; - } else { - state = "Not configured"; - } - php_info_print_table_start(); php_info_print_table_row(2, "State managed by remote config", - DDAPPSEC_G(enabled_by_configuration) == NOT_CONFIGURED ? "Yes" : "No"); - php_info_print_table_row(2, "Current state", state); + DDAPPSEC_G(enabled) == APPSEC_ENABLED_VIA_REMCFG ? "Yes" : "No"); + php_info_print_table_row(2, "Current state", + DDAPPSEC_G(active) ? "Enabled" + : DDAPPSEC_G(to_be_configured) ? "Not configured" + : "Disabled"); php_info_print_table_row(2, "Version", PHP_DDAPPSEC_VERSION); + php_info_print_table_row( + 2, "Connected to helper?", dd_helper_mgr_cur_conn() ? "Yes" : "No"); php_info_print_table_end(); DISPLAY_INI_ENTRIES(); @@ -438,23 +346,21 @@ __thread void *unspecnull TSRMLS_CACHE = NULL; static void _check_enabled() { - if (!get_global_DD_APPSEC_TESTING() && - (!dd_trace_enabled() || strcmp(sapi_module.name, "cli") == 0 || - (sapi_module.phpinfo_as_text != 0))) { - DDAPPSEC_G(enabled_by_configuration) = DISABLED; - } else if (!dd_is_config_using_default(DDAPPSEC_CONFIG_DD_APPSEC_ENABLED)) { - DDAPPSEC_G(enabled_by_configuration) = - get_DD_APPSEC_ENABLED() ? ENABLED : DISABLED; + if ((!get_global_DD_APPSEC_TESTING() && !dd_trace_enabled()) || + (strcmp(sapi_module.name, "cli") != 0 && sapi_module.phpinfo_as_text)) { + DDAPPSEC_G(enabled) = APPSEC_FULLY_DISABLED; + DDAPPSEC_G(active) = false; + DDAPPSEC_G(to_be_configured) = false; + } else if (!dd_cfg_enable_via_remcfg()) { + DDAPPSEC_G(enabled) = + get_DD_APPSEC_ENABLED() ? APPSEC_FULLY_ENABLED : APPSEC_FULLY_DISABLED; + DDAPPSEC_G(active) = get_DD_APPSEC_ENABLED() ? true : false; + DDAPPSEC_G(to_be_configured) = false; } else { - DDAPPSEC_G(enabled_by_configuration) = NOT_CONFIGURED; + DDAPPSEC_G(enabled) = APPSEC_ENABLED_VIA_REMCFG; + DDAPPSEC_G(active) = false; + DDAPPSEC_G(to_be_configured) = true; }; - - // If not enabled explicitly and RC is disabled, then extension is disabled - if (DDAPPSEC_G(enabled_by_configuration) == NOT_CONFIGURED && - !get_global_DD_REMOTE_CONFIG_ENABLED()) { - DDAPPSEC_G(enabled_by_configuration) = DISABLED; - } - DDAPPSEC_G(enabled) = DDAPPSEC_G(enabled_by_configuration); } static PHP_FUNCTION(datadog_appsec_is_enabled) @@ -462,7 +368,7 @@ static PHP_FUNCTION(datadog_appsec_is_enabled) if (zend_parse_parameters_none() == FAILURE) { RETURN_FALSE; } - RETURN_BOOL(DDAPPSEC_G(enabled) == ENABLED); + RETURN_BOOL(DDAPPSEC_G(active)); } static PHP_FUNCTION(datadog_appsec_testing_rinit) @@ -472,12 +378,8 @@ static PHP_FUNCTION(datadog_appsec_testing_rinit) } mlog(dd_log_debug, "Running rinit actions"); - int res = _do_rinit(MODULE_PERSISTENT, 0 /* we don't use it */); - if (res == 0) { - RETURN_TRUE; - } else { - RETURN_FALSE; - } + dd_req_lifecycle_rinit(true); + RETURN_TRUE; } static PHP_FUNCTION(datadog_appsec_testing_rshutdown) @@ -487,13 +389,9 @@ static PHP_FUNCTION(datadog_appsec_testing_rshutdown) } DDAPPSEC_G(during_request_shutdown) = true; mlog(dd_log_debug, "Running rshutdown actions"); - int res = dd_appsec_rshutdown(false); + dd_req_lifecycle_rshutdown(false, true); DDAPPSEC_G(during_request_shutdown) = false; - if (res == 0) { - RETURN_TRUE; - } else { - RETURN_FALSE; - } + RETURN_TRUE; } static PHP_FUNCTION(datadog_appsec_testing_helper_mgr_acquire_conn) { @@ -501,7 +399,11 @@ static PHP_FUNCTION(datadog_appsec_testing_helper_mgr_acquire_conn) RETURN_FALSE; } - dd_conn *conn = dd_helper_mgr_acquire_conn(_acquire_conn_cb); + struct req_info ctx = { + .root_span = dd_trace_get_active_root_span(), + }; + dd_conn *conn = + dd_helper_mgr_acquire_conn((client_init_func)dd_client_init, &ctx); if (conn) { RETURN_TRUE; } else { @@ -531,7 +433,11 @@ static PHP_FUNCTION(datadog_appsec_testing_request_exec) RETURN_FALSE; } - dd_conn *conn = dd_helper_mgr_acquire_conn(_acquire_conn_cb); + struct req_info ctx = { + .root_span = dd_trace_get_active_root_span(), + }; + dd_conn *conn = + dd_helper_mgr_acquire_conn((client_init_func)dd_client_init, &ctx); if (conn == NULL) { mlog_g(dd_log_debug, "No connection; skipping request_exec"); RETURN_FALSE; diff --git a/appsec/src/extension/ddappsec.h b/appsec/src/extension/ddappsec.h index 507e734c14d..d19fc835fc6 100644 --- a/appsec/src/extension/ddappsec.h +++ b/appsec/src/extension/ddappsec.h @@ -16,20 +16,19 @@ #include typedef enum _enabled_configuration { - NOT_CONFIGURED = 0, - ENABLED, - DISABLED + APPSEC_ENABLED_VIA_REMCFG = 0, + APPSEC_FULLY_ENABLED, + APPSEC_FULLY_DISABLED } enabled_configuration; // define zend_ddappsec_globals type // clang-format off ZEND_BEGIN_MODULE_GLOBALS(ddappsec) - //Defines if extension has been enabled/disabled by ini/env - enabled_configuration enabled_by_configuration; - //Defines enablement status computed taking into account enabled_by_configuration and remote config - enabled_configuration enabled; - bool skip_rshutdown; - bool during_request_shutdown; + enabled_configuration enabled : 2; + bool active : 1; + bool to_be_configured : 1; + bool skip_rshutdown : 1; + bool during_request_shutdown : 1; ZEND_END_MODULE_GLOBALS(ddappsec) // clang-format on diff --git a/appsec/src/extension/ddtrace.c b/appsec/src/extension/ddtrace.c index 6ea9563e704..5cdf7a78227 100644 --- a/appsec/src/extension/ddtrace.c +++ b/appsec/src/extension/ddtrace.c @@ -6,7 +6,6 @@ #include "ddtrace.h" #include #include -#include #include "configuration.h" #include "ddappsec.h" @@ -14,7 +13,10 @@ #include "php_compat.h" #include "php_helpers.h" #include "php_objects.h" +#include "request_lifecycle.h" #include "string_helpers.h" +#include "zend_object_handlers.h" +#include "zend_types.h" static int (*_orig_ddtrace_shutdown)(SHUTDOWN_FUNC_ARGS); static int _mod_type; @@ -25,19 +27,19 @@ static zend_string *_ddtrace_root_span_fname; static zend_string *_meta_propname; static zend_string *_metrics_propname; static THREAD_LOCAL_ON_ZTS bool _suppress_ddtrace_rshutdown; -static THREAD_LOCAL_ON_ZTS zval *_span_meta; -static THREAD_LOCAL_ON_ZTS zval *_span_metrics; static uint8_t *_ddtrace_runtime_id = NULL; static zend_module_entry *_find_ddtrace_module(void); static int _ddtrace_rshutdown_testing(SHUTDOWN_FUNC_ARGS); static void _register_testing_objects(void); -static zval *(*nullable _ddtrace_root_span_get_meta)(); -static zval *(*nullable _ddtrace_root_span_get_metrics)(); -static void (*nullable _ddtrace_close_all_spans_and_flush)(); -static void (*nullable _ddtrace_set_priority_sampling_on_root)( - zend_long priority, enum dd_sampling_mechanism mechanism); +static zend_object *(*nullable _ddtrace_get_root_span)(void); +static void (*nullable _ddtrace_close_all_spans_and_flush)(void); +static void (*nullable _ddtrace_set_priority_sampling_on_span_zobj)( + zend_object *nonnull zobj, zend_long priority, enum dd_sampling_mechanism mechanism); + +static bool (*nullable _ddtrace_user_req_add_listeners)( + ddtrace_user_req_listeners *listeners); static void dd_trace_load_symbols(void) { @@ -54,24 +56,15 @@ static void dd_trace_load_symbols(void) _ddtrace_close_all_spans_and_flush = dlsym(handle, "ddtrace_close_all_spans_and_flush"); if (_ddtrace_close_all_spans_and_flush == NULL && !testing) { - // NOLINTNEXTLINE(concurrency-mt-unsafe) mlog(dd_log_error, + // NOLINTNEXTLINE(concurrency-mt-unsafe) "Failed to load ddtrace_close_all_spans_and_flush: %s", dlerror()); } - _ddtrace_root_span_get_meta = dlsym(handle, "ddtrace_root_span_get_meta"); - if (_ddtrace_root_span_get_meta == NULL && !testing) { - // NOLINTNEXTLINE(concurrency-mt-unsafe) - mlog(dd_log_error, "Failed to load ddtrace_root_span_get_meta: %s", - dlerror()); - } - - _ddtrace_root_span_get_metrics = - dlsym(handle, "ddtrace_root_span_get_metrics"); - if (_ddtrace_root_span_get_metrics == NULL && !testing) { - // NOLINTNEXTLINE(concurrency-mt-unsafe) - mlog(dd_log_error, "Failed to load ddtrace_root_span_get_metrics: %s", - dlerror()); + _ddtrace_get_root_span = dlsym(handle, "ddtrace_get_root_span"); + if (_ddtrace_get_root_span == NULL && !testing) { + mlog(dd_log_error, "Failed to load ddtrace_get_root_span: %s", + dlerror()); // NOLINT(concurrency-mt-unsafe) } _ddtrace_runtime_id = dlsym(handle, "ddtrace_runtime_id"); @@ -80,14 +73,21 @@ static void dd_trace_load_symbols(void) mlog(dd_log_debug, "Failed to load ddtrace_runtime_id: %s", dlerror()); } - _ddtrace_set_priority_sampling_on_root = - dlsym(handle, "ddtrace_set_priority_sampling_on_root"); - if (_ddtrace_set_priority_sampling_on_root == NULL) { - // NOLINTNEXTLINE(concurrency-mt-unsafe) + _ddtrace_set_priority_sampling_on_span_zobj = + dlsym(handle, "ddtrace_set_priority_sampling_on_span_zobj"); + if (_ddtrace_set_priority_sampling_on_span_zobj == NULL) { mlog(dd_log_error, - "Failed to load ddtrace_set_priority_sampling_on_root: %s", - dlerror()); + "Failed to load ddtrace_set_priority_sampling_on_span_zobj: %s", + dlerror()); // NOLINT(concurrency-mt-unsafe) } + + _ddtrace_user_req_add_listeners = + dlsym(handle, "ddtrace_user_req_add_listeners"); + if (_ddtrace_user_req_add_listeners == NULL) { + mlog(dd_log_error, "Failed to load ddtrace_user_req_add_listeners: %s", + dlerror()); // NOLINT(concurrency-mt-unsafe) + } + dlclose(handle); } @@ -122,18 +122,6 @@ void dd_trace_startup() } } -void dd_trace_rinit() -{ - _span_meta = NULL; - _span_metrics = NULL; - // DDTrace might not be loaded during tests - if (!dd_trace_enabled()) { - return; - } - _span_meta = dd_trace_root_span_get_meta(); - _span_metrics = dd_trace_root_span_get_metrics(); -} - static zend_module_entry *_find_ddtrace_module() { zend_string *ddtrace_name = @@ -169,9 +157,10 @@ const char *nullable dd_trace_version() { return _mod_version; } bool dd_trace_loaded() { return _ddtrace_loaded; } bool dd_trace_enabled() { return _ddtrace_loaded && get_DD_TRACE_ENABLED(); } -bool dd_trace_root_span_add_tag(zend_string *nonnull tag, zval *nonnull value) +bool dd_trace_span_add_tag( + zend_object *nonnull span, zend_string *nonnull tag, zval *nonnull value) { - zval *meta = dd_trace_root_span_get_meta(); + zval *meta = dd_trace_span_get_meta(span); if (!meta) { if (!get_global_DD_APPSEC_TESTING()) { mlog(dd_log_warning, "Failed to retrieve root span meta"); @@ -195,15 +184,16 @@ bool dd_trace_root_span_add_tag(zend_string *nonnull tag, zval *nonnull value) return true; } -bool dd_trace_root_span_add_tag_str(const char *nonnull tag, size_t tag_len, - const char *nonnull value, size_t value_len) +bool dd_trace_span_add_tag_str(zend_object *nonnull span, + const char *nonnull tag, size_t tag_len, const char *nonnull value, + size_t value_len) { if (UNEXPECTED(value_len > INT_MAX)) { mlog(dd_log_warning, "Value for tag is too large"); return false; } - zval *meta = dd_trace_root_span_get_meta(); + zval *meta = dd_trace_span_get_meta(span); if (!meta) { if (!get_global_DD_APPSEC_TESTING()) { mlog(dd_log_warning, "Failed to retrieve root span meta"); @@ -244,22 +234,46 @@ void dd_trace_close_all_spans_and_flush() (*_ddtrace_close_all_spans_and_flush)(); } -zval *nullable dd_trace_root_span_get_meta() +static zval *_get_span_modifiable_array_property( + zend_object *nonnull zobj, zend_string *nonnull propname) { - if (_ddtrace_root_span_get_meta == NULL) { +#if PHP_VERSION_ID >= 80000 + zval *res = + zobj->handlers->get_property_ptr_ptr(zobj, propname, BP_VAR_R, NULL); +#else + zval obj; + ZVAL_OBJ(&obj, zobj); + zval prop; + ZVAL_STR(&prop, propname); + zval *res = zobj->handlers->get_property_ptr_ptr(&obj, &prop, BP_VAR_R, + NULL); + +#endif + + if (Z_TYPE_P(res) == IS_REFERENCE) { + ZVAL_DEREF(res); + if (Z_TYPE_P(res) == IS_ARRAY) { + return res; + } return NULL; } + if (Z_TYPE_P(res) != IS_ARRAY) { + return NULL; + } + + SEPARATE_ZVAL_NOREF(res); - return _ddtrace_root_span_get_meta(); + return res; } -zval *nullable dd_trace_root_span_get_metrics() +zval *nullable dd_trace_span_get_meta(zend_object *nonnull zobj) { - if (_ddtrace_root_span_get_metrics == NULL) { - return NULL; - } + return _get_span_modifiable_array_property(zobj, _meta_propname); +} - return _ddtrace_root_span_get_metrics(); +zval *nullable dd_trace_span_get_metrics(zend_object *nonnull zobj) +{ + return _get_span_modifiable_array_property(zobj, _metrics_propname); } // NOLINTBEGIN(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers) @@ -290,14 +304,32 @@ zend_string *nullable dd_trace_get_formatted_runtime_id(bool persistent) } // NOLINTEND(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers) -void dd_trace_set_priority_sampling_on_root( +void dd_trace_set_priority_sampling_on_span_zobj(zend_object *nonnull root_span, zend_long priority, enum dd_sampling_mechanism mechanism) { - if (_ddtrace_set_priority_sampling_on_root == NULL) { + if (_ddtrace_set_priority_sampling_on_span_zobj == NULL) { return; } - _ddtrace_set_priority_sampling_on_root(priority, mechanism); + _ddtrace_set_priority_sampling_on_span_zobj(root_span, priority, mechanism); +} + +bool dd_trace_user_req_add_listeners(ddtrace_user_req_listeners *nonnull listeners) +{ + if (_ddtrace_user_req_add_listeners == NULL) { + return false; + } + + return _ddtrace_user_req_add_listeners(listeners); +} + +zend_object *nullable dd_trace_get_active_root_span() +{ + if (UNEXPECTED(_ddtrace_get_root_span == NULL)) { + return NULL; + } + + return _ddtrace_get_root_span(); } static PHP_FUNCTION(datadog_appsec_testing_ddtrace_rshutdown) @@ -334,8 +366,13 @@ static PHP_FUNCTION(datadog_appsec_testing_root_span_add_tag) RETURN_FALSE; } + __auto_type root_span = dd_trace_get_active_root_span(); + if (!root_span) { + RETURN_FALSE; + } + Z_TRY_ADDREF_P(value); - bool result = dd_trace_root_span_add_tag(tag, value); + bool result = dd_trace_span_add_tag(root_span, tag, value); RETURN_BOOL(result); } @@ -346,7 +383,12 @@ static PHP_FUNCTION(datadog_appsec_testing_root_span_get_meta) // NOLINT RETURN_FALSE; } - zval *meta_zv = dd_trace_root_span_get_meta(); + __auto_type root_span = dd_trace_get_active_root_span(); + if (!root_span) { + RETURN_NULL(); + } + + zval *meta_zv = dd_trace_span_get_meta(root_span); if (meta_zv) { RETURN_ZVAL(meta_zv, 1 /* copy */, 0 /* no destroy original */); } @@ -358,7 +400,12 @@ static PHP_FUNCTION(datadog_appsec_testing_root_span_get_metrics) // NOLINT RETURN_FALSE; } - zval *metrics_zv = dd_trace_root_span_get_metrics(); + __auto_type root_span = dd_trace_get_active_root_span(); + if (!root_span) { + RETURN_NULL(); + } + + zval *metrics_zv = dd_trace_span_get_metrics(root_span); if (metrics_zv) { RETURN_ZVAL(metrics_zv, 1 /* copy */, 0 /* no destroy original */); } diff --git a/appsec/src/extension/ddtrace.h b/appsec/src/extension/ddtrace.h index 5435acdd050..c65e5fe6017 100644 --- a/appsec/src/extension/ddtrace.h +++ b/appsec/src/extension/ddtrace.h @@ -27,7 +27,6 @@ typedef zend_object root_span_t; void dd_trace_startup(void); void dd_trace_shutdown(void); -void dd_trace_rinit(void); // Returns the tracer version const char *nullable dd_trace_version(void); // This function should only be used in RINIT @@ -35,22 +34,44 @@ bool dd_trace_enabled(void); // This function should be used before loading tracer symbols bool dd_trace_loaded(void); +zend_object *nullable dd_trace_get_active_root_span(void); + // increases the refcount of tag, but not value (like zval_hash_add) // however, it destroy value if the operation fails (unlike zval_hash_add) -bool dd_trace_root_span_add_tag(zend_string *nonnull tag, zval *nonnull value); +bool dd_trace_span_add_tag( + zend_object *nonnull zobj, zend_string *nonnull tag, zval *nonnull value); -bool dd_trace_root_span_add_tag_str(const char *nonnull tag, size_t tag_len, - const char *nonnull value, size_t value_len); +bool dd_trace_span_add_tag_str(zend_object *nonnull zobj, + const char *nonnull tag, size_t tag_len, const char *nonnull value, + size_t value_len); // Flush the tracer spans, can be used on RINIT void dd_trace_close_all_spans_and_flush(void); // Provides the array zval representing $root_span->meta, if any. // It is ready for modification, with refcount == 1 -zval *nullable dd_trace_root_span_get_meta(void); -zval *nullable dd_trace_root_span_get_metrics(void); +zval *nullable dd_trace_span_get_meta(zend_object *nonnull); +zval *nullable dd_trace_span_get_metrics(zend_object *nonnull); zend_string *nullable dd_trace_get_formatted_runtime_id(bool persistent); // Set sampling priority on root span -void dd_trace_set_priority_sampling_on_root(zend_long priority, - enum dd_sampling_mechanism mechanism); +void dd_trace_set_priority_sampling_on_span_zobj(zend_object *nonnull root_span, + zend_long priority, enum dd_sampling_mechanism mechanism); + +typedef struct _ddtrace_user_req_listeners ddtrace_user_req_listeners; +struct _ddtrace_user_req_listeners { + zend_array *nullable (*nonnull start_user_req)( + ddtrace_user_req_listeners *nonnull self, zend_object *nonnull span, + zend_array *nonnull variables); + zend_array *nullable(*nonnull response_committed)( + ddtrace_user_req_listeners *nonnull self, zend_object *nonnull span, + int status, zend_array *nonnull headers); + void (*nonnull finish_user_req)( + ddtrace_user_req_listeners *nonnull self, zend_object *nonnull span); + void (*nonnull set_blocking_function)( + ddtrace_user_req_listeners *nonnull self, + zend_object *nonnull span, zval *nonnull blocking_function); + void (*nullable delete)(ddtrace_user_req_listeners *nonnull self); +}; +bool dd_trace_user_req_add_listeners( + ddtrace_user_req_listeners *nonnull listeners); diff --git a/appsec/src/extension/helper_process.c b/appsec/src/extension/helper_process.c index caa9967dd34..04e914d2592 100644 --- a/appsec/src/extension/helper_process.c +++ b/appsec/src/extension/helper_process.c @@ -111,7 +111,8 @@ static void _inc_failed_counter(void); static void _prevent_launch_attempts(int lock_fd); static bool /* retry */ _maybe_launch_helper(void); static void _connection_succeeded(void); -dd_conn *nullable dd_helper_mgr_acquire_conn(client_init_func nonnull init_func) +dd_conn *nullable dd_helper_mgr_acquire_conn( + client_init_func nonnull init_func, void *unspecnull ctx) { dd_conn *conn = &_mgr.conn; if (dd_conn_connected(conn)) { @@ -159,7 +160,7 @@ dd_conn *nullable dd_helper_mgr_acquire_conn(client_init_func nonnull init_func) dd_conn_set_timeout(conn, comm_type_send, timeout_send); dd_conn_set_timeout(conn, comm_type_recv, timeout_recv_initial); - res = init_func(conn); + res = init_func(conn, ctx); if (res) { mlog_g(dd_log_warning, "Initial exchange with helper failed; " "abandoning the connection"); diff --git a/appsec/src/extension/helper_process.h b/appsec/src/extension/helper_process.h index 8f5f06eacb5..481a86f12d4 100644 --- a/appsec/src/extension/helper_process.h +++ b/appsec/src/extension/helper_process.h @@ -15,8 +15,8 @@ void dd_helper_shutdown(void); void dd_helper_gshutdown(void); void dd_helper_rshutdown(void); -typedef dd_result (*client_init_func)(dd_conn *nonnull); -dd_conn *nullable dd_helper_mgr_acquire_conn(client_init_func nonnull); +typedef dd_result (*client_init_func)(dd_conn *nonnull, void *unspecnull ctx); +dd_conn *nullable dd_helper_mgr_acquire_conn(client_init_func nonnull, void *unspecnull ctx); dd_conn *nullable dd_helper_mgr_cur_conn(void); void dd_helper_close_conn(void); diff --git a/appsec/src/extension/ip_extraction.c b/appsec/src/extension/ip_extraction.c index 879667fd092..91c265c96fc 100644 --- a/appsec/src/extension/ip_extraction.c +++ b/appsec/src/extension/ip_extraction.c @@ -53,7 +53,6 @@ typedef enum _priority_header_id { static header_map_node priority_header_map[MAX_HEADER_ID]; static zend_string *nonnull _remote_addr_key; -static THREAD_LOCAL_ON_ZTS zend_string *nullable client_ip; static void _register_testing_objects(void); static zend_string *nullable _fetch_arr_str( @@ -195,27 +194,6 @@ zend_string *nullable dd_ip_extraction_find(zval *nonnull server) return _try_extract(server, _remote_addr_key, &_parse_plain_raw); } -void dd_ip_extraction_rinit(void) -{ - zval *_server = - dd_php_get_autoglobal(TRACK_VARS_SERVER, LSTRARG("_SERVER")); - if (!_server) { - mlog(dd_log_info, "No SERVER autoglobal available"); - return; - } - client_ip = dd_ip_extraction_find(_server); -} - -void dd_ip_extraction_rshutdown(void) -{ - if (client_ip) { - zend_string_release(client_ip); - client_ip = NULL; - } -} - -zend_string *nullable dd_ip_extraction_get_ip() { return client_ip; } - static zend_string *_try_extract(const zval *nonnull server, zend_string *nonnull key, extract_func_t nonnull extract_func) { diff --git a/appsec/src/extension/ip_extraction.h b/appsec/src/extension/ip_extraction.h index 47169419591..7c0fa94a52f 100644 --- a/appsec/src/extension/ip_extraction.h +++ b/appsec/src/extension/ip_extraction.h @@ -15,8 +15,6 @@ #include void dd_ip_extraction_startup(void); -void dd_ip_extraction_rinit(void); -void dd_ip_extraction_rshutdown(void); // Since the headers looked at can in principle be forged, it's very much // recommended that a datadog.appsec.ipheader is set to a header that the server @@ -24,4 +22,3 @@ void dd_ip_extraction_rshutdown(void); zend_string *nullable dd_ip_extraction_find(zval *nonnull server); bool dd_parse_client_ip_header_config( zai_str value, zval *nonnull decoded_value, bool persistent); -zend_string *nullable dd_ip_extraction_get_ip(); diff --git a/appsec/src/extension/msgpack_helpers.c b/appsec/src/extension/msgpack_helpers.c index 829c0a9fd5f..dc683ff7084 100644 --- a/appsec/src/extension/msgpack_helpers.c +++ b/appsec/src/extension/msgpack_helpers.c @@ -61,6 +61,44 @@ void dd_mpack_write_zval(mpack_writer_t *nonnull w, zval *nullable zv) _mpack_write_zval(w, zv); } +// NOLINTNEXTLINE(misc-no-recursion) +void dd_mpack_write_array( + mpack_writer_t *nonnull w, const zend_array *nullable arr) +{ + if (!arr) { + mpack_write_nil(w); + } + + uint32_t num_elems = zend_hash_num_elements(arr); + dd_php_array_type arr_type = dd_php_determine_array_type(arr); + if (arr_type == php_array_type_sequential) { + mpack_start_array(w, num_elems); + zval *val; + ZEND_HASH_FOREACH_VAL((zend_array*)arr, val) { _mpack_write_zval(w, val); } + ZEND_HASH_FOREACH_END(); + mpack_finish_array(w); + } else { + mpack_start_map(w, num_elems); + + zend_string *key_s; + zend_ulong key_i; + zval *val; + ZEND_HASH_FOREACH_KEY_VAL((zend_array*)arr, key_i, key_s, val) + { + if (key_s) { + mpack_write_str(w, ZSTR_VAL(key_s), ZSTR_LEN(key_s)); + } else { + char buf[ZEND_LTOA_BUF_LEN]; + ZEND_LTOA((zend_long)key_i, buf, sizeof(buf)); + mpack_write(w, buf); + } + _mpack_write_zval(w, val); + } + ZEND_HASH_FOREACH_END(); + mpack_finish_map(w); + } +} + // NOLINTNEXTLINE static void _mpack_write_zval(mpack_writer_t *nonnull w, zval *nonnull zv) { @@ -98,34 +136,7 @@ static void _mpack_write_zval(mpack_writer_t *nonnull w, zval *nonnull zv) case IS_ARRAY: { zend_array *arr = Z_ARRVAL_P(zv); - uint32_t num_elems = zend_hash_num_elements(arr); - dd_php_array_type arr_type = dd_php_determine_array_type(zv); - if (arr_type == php_array_type_sequential) { - mpack_start_array(w, num_elems); - zval *val; - ZEND_HASH_FOREACH_VAL(arr, val) { _mpack_write_zval(w, val); } - ZEND_HASH_FOREACH_END(); - mpack_finish_array(w); - } else { - mpack_start_map(w, num_elems); - - zend_string *key_s; - zend_ulong key_i; - zval *val; - ZEND_HASH_FOREACH_KEY_VAL(arr, key_i, key_s, val) - { - if (key_s) { - mpack_write_str(w, ZSTR_VAL(key_s), ZSTR_LEN(key_s)); - } else { - char buf[ZEND_LTOA_BUF_LEN]; - ZEND_LTOA((zend_long)key_i, buf, sizeof(buf)); - mpack_write(w, buf); - } - _mpack_write_zval(w, val); - } - ZEND_HASH_FOREACH_END(); - mpack_finish_map(w); - } + dd_mpack_write_array(w, arr); break; } diff --git a/appsec/src/extension/msgpack_helpers.h b/appsec/src/extension/msgpack_helpers.h index 143e9aaef7f..6f89c346f9d 100644 --- a/appsec/src/extension/msgpack_helpers.h +++ b/appsec/src/extension/msgpack_helpers.h @@ -32,6 +32,9 @@ void dd_mpack_write_zstr( void dd_mpack_write_nullable_zstr( mpack_writer_t *nonnull w, const zend_string *nullable zstr); +void dd_mpack_write_array( + mpack_writer_t *nonnull w, const zend_array *nullable arr); + void dd_mpack_write_zval(mpack_writer_t *nonnull w, zval *nullable zv); void dd_mpack_writer_init_iov( diff --git a/appsec/src/extension/php_compat.c b/appsec/src/extension/php_compat.c index 9aef115d6a0..19c0d508add 100644 --- a/appsec/src/extension/php_compat.c +++ b/appsec/src/extension/php_compat.c @@ -15,4 +15,21 @@ zend_bool zend_ini_parse_bool(zend_string *str) } return atoi(ZSTR_VAL(str)) != 0; // NOLINT } + +static const uint32_t uninitialized_bucket[-HT_MIN_MASK] = { + HT_INVALID_IDX, HT_INVALID_IDX}; + +const HashTable zend_empty_array = {.gc.refcount = 2, + .gc.u.type_info = IS_ARRAY, + .u.flags = + HASH_FLAG_STATIC_KEYS | HASH_FLAG_INITIALIZED | HASH_FLAG_PERSISTENT, + .nTableMask = HT_MIN_MASK, + .arData = (Bucket *)(((char *)(&uninitialized_bucket)) + + HT_HASH_SIZE(HT_MIN_MASK)), + .nNumUsed = 0, + .nNumOfElements = 0, + .nTableSize = HT_MIN_SIZE, + .nInternalPointer = HT_INVALID_IDX, + .nNextFreeElement = 0, + .pDestructor = ZVAL_PTR_DTOR}; #endif diff --git a/appsec/src/extension/php_compat.h b/appsec/src/extension/php_compat.h index db2f400e09b..dd6fa6a5fbc 100644 --- a/appsec/src/extension/php_compat.h +++ b/appsec/src/extension/php_compat.h @@ -34,6 +34,13 @@ static zend_always_inline zend_string *zend_string_init_interned( #endif #if PHP_VERSION_ID < 70300 +extern const HashTable zend_empty_array; + +# define GC_ADDREF(x) (++GC_REFCOUNT(x)) +# define GC_DELREF(x) (--GC_REFCOUNT(x)) +# define GC_TRY_ADDREF GC_ADDREF +# define GC_TRY_DELREF GC_DELREF + zend_bool zend_ini_parse_bool(zend_string *str); # define zend_string_efree zend_string_free @@ -45,6 +52,23 @@ static inline HashTable *zend_new_array(uint32_t nSize) { #endif #if PHP_VERSION_ID < 70400 -#define tsrm_env_lock() -#define tsrm_env_unlock() +# define tsrm_env_lock() +# define tsrm_env_unlock() +#endif + +#if PHP_VERSION_ID >= 70300 && PHP_VERSION_ID < 80100 +static zend_always_inline void _gc_try_addref(zend_refcounted_h *rc) +{ + if (!(rc->u.type_info & GC_IMMUTABLE)) { + rc->refcount++; + } +} +static zend_always_inline void _gc_try_delref(zend_refcounted_h *rc) +{ + if (!(rc->u.type_info & GC_IMMUTABLE)) { + rc->refcount--; + } +} +#define GC_TRY_ADDREF(p) _gc_try_addref(&(p)->gc) +#define GC_TRY_DELREF(p) _gc_try_delref(&(p)->gc) #endif diff --git a/appsec/src/extension/php_helpers.c b/appsec/src/extension/php_helpers.c index 2e4c61a36da..18a62a91d2c 100644 --- a/appsec/src/extension/php_helpers.c +++ b/appsec/src/extension/php_helpers.c @@ -7,10 +7,8 @@ #include "ddappsec.h" #include "php_compat.h" -dd_php_array_type dd_php_determine_array_type(zval *nonnull zv) +dd_php_array_type dd_php_determine_array_type(const zend_array *nonnull myht) { - HashTable *myht = Z_ARRVAL_P(zv); - uint32_t size = myht ? zend_hash_num_elements(myht) : 0; if (size == 0) { return php_array_type_sequential; @@ -23,7 +21,7 @@ dd_php_array_type dd_php_determine_array_type(zval *nonnull zv) zend_string *key_s; zend_ulong key_i; zend_ulong i = 0; - ZEND_HASH_FOREACH_KEY(myht, key_i, key_s) + ZEND_HASH_FOREACH_KEY((zend_array *)myht, key_i, key_s) { if (key_s) { return php_array_type_associative; @@ -58,14 +56,32 @@ zval *nullable dd_php_get_autoglobal( return NULL; } +const zend_array *nonnull dd_get_superglob_or_equiv( + // NOLINTNEXTLINE + const char *name, size_t name_len, int track, zend_array *nullable equiv) +{ + zval *ret; + if (equiv) { + ret = zend_hash_str_find(equiv, name, name_len); + } else { + ret = dd_php_get_autoglobal(track, ZEND_STRL("_GET")); + } + + if (!ret || Z_TYPE_P(ret) != IS_ARRAY) { + return &zend_empty_array; + } + + return Z_ARRVAL_P(ret); +} + zend_string *nullable dd_php_get_string_elem_cstr( - const zval *nullable arr, const char *nonnull name, size_t len) + const zend_array *nullable arr, const char *nonnull name, size_t len) { if (UNEXPECTED(!arr)) { return NULL; } - zval *zresult = zend_hash_str_find(Z_ARRVAL_P(arr), name, len); + zval *zresult = zend_hash_str_find(arr, name, len); if (zresult == NULL) { return NULL; } @@ -80,13 +96,13 @@ zend_string *nullable dd_php_get_string_elem_cstr( } zend_string *nullable dd_php_get_string_elem( - const zval *nullable arr, zend_string *nonnull zstr) + const zend_array *nullable arr, zend_string *nonnull zstr) { if (UNEXPECTED(!arr)) { return NULL; } - zval *zresult = zend_hash_find(Z_ARRVAL_P(arr), zstr); + zval *zresult = zend_hash_find(arr, zstr); if (zresult == NULL) { return NULL; } diff --git a/appsec/src/extension/php_helpers.h b/appsec/src/extension/php_helpers.h index 1bf8c8fcff2..552b1e4688b 100644 --- a/appsec/src/extension/php_helpers.h +++ b/appsec/src/extension/php_helpers.h @@ -28,7 +28,7 @@ typedef enum { php_array_type_associative, } dd_php_array_type; -dd_php_array_type dd_php_determine_array_type(zval *nonnull); +dd_php_array_type dd_php_determine_array_type(const zend_array *nonnull); #define ZEND_INI_MH_UNUSED() \ do { \ @@ -41,7 +41,10 @@ dd_php_array_type dd_php_determine_array_type(zval *nonnull); zval *nullable dd_php_get_autoglobal( int track_var, const char *nonnull name, size_t len); +const zend_array *nonnull dd_get_superglob_or_equiv( + const char *nonnull name, size_t name_len, int track, + zend_array *nullable equiv); zend_string *nullable dd_php_get_string_elem( - const zval *nullable arr, zend_string *nonnull zstr); + const zend_array *nullable arr, zend_string *nonnull zstr); zend_string *nullable dd_php_get_string_elem_cstr( - const zval *nullable arr, const char *nonnull name, size_t len); + const zend_array *nullable arr, const char *nonnull name, size_t len); diff --git a/appsec/src/extension/request_abort.c b/appsec/src/extension/request_abort.c index 21fe4bfa095..c913dd3cece 100644 --- a/appsec/src/extension/request_abort.c +++ b/appsec/src/extension/request_abort.c @@ -12,6 +12,7 @@ #include "attributes.h" #include "configuration.h" #include "ddappsec.h" +#include "dddefs.h" #include "ddtrace.h" #include "logging.h" #include "php_compat.h" @@ -55,8 +56,18 @@ static const char static_error_json[] = "u cannot access this page. Please contact the customer service team. Secur" "ity provided by Datadog.\"}]}"; -static zend_string *_custom_error_html = NULL; -static zend_string *_custom_error_json = NULL; +static zend_string *_initial_cwd; +static zend_string *_body_error_html_def; +static zend_string *_body_error_json_def; +static zend_string *_status_zstr; +static zend_string *_headers_zstr; +static zend_string *_body_zstr; +static zend_string *_content_type_zstr; +static zend_string *_content_length_zstr; +static zend_string *_location_zstr; +static zend_string *_content_type_html_zstr; +static zend_string *_content_type_json_zstr; +static zend_string *_empty_zstr; // older versions don't have zend_empty_string static THREAD_LOCAL_ON_ZTS int _response_code = DEFAULT_BLOCKING_RESPONSE_CODE; static THREAD_LOCAL_ON_ZTS dd_response_type _response_type = DEFAULT_RESPONSE_TYPE; @@ -68,21 +79,36 @@ static bool _abort_prelude(void); void _request_abort_static_page(int response_code, int type); ATTR_FORMAT(1, 2) static void _emit_error(const char *format, ...); +static zend_string *nonnull _get_json_blocking_template(void); +static zend_string *nonnull _get_html_blocking_template(void); -zend_string *nullable read_file_contents( - const char *nonnull path, int persistent) +static zend_string *nullable _read_file_contents(const char *nonnull path) { - php_stream *fs = - php_stream_open_wrapper_ex(path, "rb", REPORT_ERRORS, NULL, NULL); + php_stream *fs; + if (ZSTR_LEN(_initial_cwd) > 0 && path[0] != '/') { + char *full_path; + spprintf(&full_path, 0, "%s/%s", ZSTR_VAL(_initial_cwd), path); + mlog(dd_log_debug, "Reading blocking template from %s", full_path); + fs = php_stream_open_wrapper_ex( + full_path, "rb", REPORT_ERRORS, NULL, NULL); + efree(full_path); + } else { + mlog(dd_log_debug, "Reading blocking template from %s", path); + fs = php_stream_open_wrapper_ex(path, "rb", REPORT_ERRORS, NULL, NULL); + } + if (fs == NULL) { return NULL; } zend_string *contents; - contents = php_stream_copy_to_mem(fs, PHP_STREAM_COPY_ALL, persistent); + contents = php_stream_copy_to_mem(fs, PHP_STREAM_COPY_ALL, 0); php_stream_close(fs); + if (!contents) { + return _empty_zstr; + } return contents; } @@ -113,17 +139,10 @@ static void _set_output_zstr(const zend_string *str) _set_output(ZSTR_VAL(str), ZSTR_LEN(str)); } -static dd_response_type _get_response_type_from_accept_header() +static dd_response_type _get_response_type_from_accept_header(const zend_array *nonnull _server) { - zval *_server = - dd_php_get_autoglobal(TRACK_VARS_SERVER, LSTRARG("_SERVER")); - if (!_server) { - mlog(dd_log_info, "No SERVER autoglobal available"); - goto exit; - } - - const zend_string *accept_zstr = - dd_php_get_string_elem_cstr(_server, LSTRARG("HTTP_ACCEPT")); + const zend_string *accept_zstr = dd_php_get_string_elem_cstr( + _server, LSTRARG("HTTP_ACCEPT")); if (!accept_zstr) { mlog(dd_log_info, "Could not find Accept header, using default content-type"); @@ -228,38 +247,66 @@ void dd_request_abort_redirect() } } +zend_array *nonnull dd_request_abort_redirect_spec() +{ + zend_array *arr = zend_new_array(2); + + zval status; + ZVAL_LONG(&status, _redirection_response_code); + zend_hash_add_new(arr, _status_zstr, &status); + + zend_array *headers = zend_new_array(1); + zval location; + ZVAL_STR(&location, _redirection_location); + zend_hash_add_new(headers, _location_zstr, &location); + zval headers_zv; + ZVAL_ARR(&headers_zv, headers); + zend_hash_add_new(arr, _headers_zstr, &headers_zv); + + return arr; +} + // NOLINTNEXTLINE(bugprone-easily-swappable-parameters) void _request_abort_static_page(int response_code, int type) { - if (!_abort_prelude()) { - return; - } - SG(sapi_headers).http_response_code = response_code; dd_response_type response_type = type; if (response_type == response_type_auto) { - response_type = _get_response_type_from_accept_header(); + zval *server = + dd_php_get_autoglobal(TRACK_VARS_SERVER, LSTRARG("_SERVER")); + if (!server) { + mlog(dd_log_info, "Could not find _SERVER"); + response_type = response_type_json; + } else { + response_type = + _get_response_type_from_accept_header(Z_ARRVAL_P(server)); + } } + + zend_string *body = NULL; + const char *content_type; if (response_type == response_type_html) { - _set_content_type(HTML_CONTENT_TYPE); - if (_custom_error_html != NULL) { - _set_output_zstr(_custom_error_html); - } else { - _set_output(static_error_html, sizeof(static_error_html) - 1); - } + content_type = HTML_CONTENT_TYPE; + body = _get_html_blocking_template(); } else if (response_type == response_type_json) { - _set_content_type(JSON_CONTENT_TYPE); - if (_custom_error_json != NULL) { - _set_output_zstr(_custom_error_json); - } else { - _set_output(static_error_json, sizeof(static_error_json) - 1); - } + content_type = JSON_CONTENT_TYPE; + body = _get_json_blocking_template(); } else { - mlog(dd_log_warning, "unknown response type (bug) %d", response_type); + mlog(dd_log_error, "unknown response type (bug) %d", response_type); + return; } + if (!_abort_prelude()) { + zend_string_release(body); + return; + } + + _set_content_type(content_type); + _set_output_zstr(body); + zend_string_release(body); + if (sapi_flush() != SUCCESS) { mlog(dd_log_info, "call to sapi_flush() failed"); } @@ -278,6 +325,58 @@ void dd_request_abort_static_page() _request_abort_static_page(_response_code, _response_type); } +zend_array *nonnull dd_request_abort_static_page_spec( + const zend_array *nonnull _server) +{ + zend_array *arr = zend_new_array(3); + + zval status; + ZVAL_LONG(&status, _response_code); + zend_hash_add_new(arr, _status_zstr, &status); + + zend_array *headers = zend_new_array(2); + dd_response_type response_type = _response_type; + if (response_type == response_type_auto) { + response_type = _get_response_type_from_accept_header(_server); + } + + zval content_type; + zval body; + size_t body_len; + if (response_type == response_type_html) { + ZVAL_STR(&content_type, _content_type_html_zstr); + zend_hash_add_new(headers, _content_type_zstr, &content_type); + + zend_string *content = _get_html_blocking_template(); + body_len = content->len; + ZVAL_STR(&body, content); + zend_hash_add_new(arr, _body_zstr, &body); + } else { + ZVAL_STR(&content_type, _content_type_json_zstr); + zend_hash_add_new(headers, _content_type_zstr, &content_type); + + zend_string *content = _get_json_blocking_template(); + body_len = content->len; + ZVAL_STR(&body, content); + zend_hash_add_new(arr, _body_zstr, &body); + } + + { + char buf[sizeof("18446744073709551615") - 1]; + size_t len = sprintf(buf, "%zu", body_len); + zend_string *s = zend_string_init(buf, len, 0); + zval cont_len_zv; + ZVAL_STR(&cont_len_zv, s); + zend_hash_add_new(headers, _content_length_zstr, &cont_len_zv); + } + + zval headers_zv; + ZVAL_ARR(&headers_zv, headers); + zend_hash_add_new(arr, _headers_zstr, &headers_zv); + + return arr; +} + static void _force_destroy_output_handlers(void); static bool _abort_prelude() { @@ -464,6 +563,37 @@ static const zend_function_entry functions[] = { void dd_request_abort_startup() { + { + char buf[PATH_MAX]; + char *cwd = getcwd(buf, sizeof buf); + if (cwd == NULL) { + mlog(dd_log_warning, "Could not get current working directory"); + _initial_cwd = zend_string_init_interned(ZEND_STRL("/"), 1); + } else { + _initial_cwd = zend_string_init_interned(cwd, strlen(cwd), 1); + } + } + + _body_error_json_def = + zend_string_init_interned(ZEND_STRL(static_error_json), 1); + + _body_error_html_def = + zend_string_init_interned(ZEND_STRL(static_error_html), 1); + + _status_zstr = zend_string_init_interned(ZEND_STRL("status"), 1); + _headers_zstr = zend_string_init_interned(ZEND_STRL("headers"), 1); + _body_zstr = zend_string_init_interned(ZEND_STRL("body"), 1); + _content_type_zstr = + zend_string_init_interned(ZEND_STRL("Content-Type"), 1); + _content_length_zstr = + zend_string_init_interned(ZEND_STRL("Content-Length"), 1); + _location_zstr = zend_string_init_interned(ZEND_STRL("Location"), 1); + _content_type_html_zstr = + zend_string_init_interned(ZEND_STRL(HTML_CONTENT_TYPE), 1); + _content_type_json_zstr = + zend_string_init_interned(ZEND_STRL(JSON_CONTENT_TYPE), 1); + _empty_zstr = zend_string_init_interned(&(char){0}, 0, 1); + if (!get_global_DD_APPSEC_TESTING()) { return; } @@ -471,35 +601,45 @@ void dd_request_abort_startup() dd_phpobj_reg_funcs(functions); } -void dd_request_abort_rinit_once() +static zend_string *nonnull _get_json_blocking_template() { zend_string *json_template_file = get_DD_APPSEC_HTTP_BLOCKED_TEMPLATE_JSON(); if (json_template_file != NULL && ZSTR_LEN(json_template_file) > 0) { - _custom_error_json = - read_file_contents(ZSTR_VAL(json_template_file), 1); - if (_custom_error_json != NULL) { - if (ZSTR_LEN(_custom_error_json) == 0) { - zend_string_release(_custom_error_json); - _custom_error_json = NULL; - } else { - zend_new_interned_string(_custom_error_json); - } + zend_string *nullable body_error_json = + _read_file_contents(ZSTR_VAL(json_template_file)); + // the very odd logic here is: + // * if the template file is not found, return an empty template + // * if the template file is empty, return the default + if (!body_error_json) { + return _empty_zstr; + } + if (ZSTR_LEN(body_error_json) == 0) { + return _body_error_json_def; } + + return body_error_json; } + return _body_error_json_def; +} + +static zend_string *nonnull _get_html_blocking_template() +{ zend_string *html_template_file = get_DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML(); if (html_template_file != NULL && ZSTR_LEN(html_template_file) > 0) { - _custom_error_html = - read_file_contents(ZSTR_VAL(html_template_file), 1); - if (_custom_error_html != NULL) { - if (ZSTR_LEN(_custom_error_html) == 0) { - zend_string_release(_custom_error_html); - _custom_error_html = NULL; - } else { - zend_new_interned_string(_custom_error_html); - } + zend_string *nullable body_error_html = + _read_file_contents(ZSTR_VAL(html_template_file)); + if (!body_error_html) { + return _empty_zstr; } + if (ZSTR_LEN(body_error_html) == 0) { + return _body_error_html_def; + } + + return body_error_html; } + + return _body_error_html_def; } diff --git a/appsec/src/extension/request_abort.h b/appsec/src/extension/request_abort.h index 47a114d5468..3dcef1f5b74 100644 --- a/appsec/src/extension/request_abort.h +++ b/appsec/src/extension/request_abort.h @@ -5,6 +5,8 @@ // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc. #pragma once +#include "ddtrace.h" + typedef enum { response_type_auto = 0, response_type_html = 1, @@ -21,7 +23,9 @@ void dd_set_redirect_code_and_location( int code, zend_string *nullable location); void dd_request_abort_startup(void); -void dd_request_abort_rinit_once(void); // noreturn unless called from rinit on fpm void dd_request_abort_static_page(void); +zend_array *nonnull dd_request_abort_static_page_spec( + const zend_array *nonnull); void dd_request_abort_redirect(void); +zend_array *nonnull dd_request_abort_redirect_spec(); diff --git a/appsec/src/extension/request_lifecycle.c b/appsec/src/extension/request_lifecycle.c new file mode 100644 index 00000000000..eb172520bba --- /dev/null +++ b/appsec/src/extension/request_lifecycle.c @@ -0,0 +1,647 @@ +#include "request_lifecycle.h" +#include "attributes.h" +#include "commands/client_init.h" +#include "commands/config_sync.h" +#include "commands/request_init.h" +#include "commands/request_shutdown.h" +#include "configuration.h" +#include "ddappsec.h" +#include "dddefs.h" +#include "ddtrace.h" +#include "helper_process.h" +#include "ip_extraction.h" +#include "logging.h" +#include "php_compat.h" +#include "php_helpers.h" +#include "php_objects.h" +#include "request_abort.h" +#include "string_helpers.h" +#include "tags.h" + +#include +#include + +static void _do_request_finish_php(bool ignore_verdict); +static zend_array *nullable _do_request_begin(bool user_req); +static void _do_request_begin_php(void); +static zend_array *_do_request_finish_user_req(bool ignore_verdict, + zend_array *nonnull superglob_equiv, int status_code, + zend_array *nullable resp_headers); +static zend_array *nullable _do_request_begin_user_req(void); +static zend_string *nullable _extract_ip_from_autoglobal(void); +static void _set_cur_span(zend_object *nullable span); +static void _reset_globals(void); +const zend_array *nonnull _get_server_equiv( + const zend_array *nonnull superglob_equiv); +static void _register_testing_objects(void); + +static bool _enabled_user_req; +static zend_string *_server_zstr; + +static THREAD_LOCAL_ON_ZTS zend_object *nullable _cur_req_span; +static THREAD_LOCAL_ON_ZTS zend_array *nullable _superglob_equiv; +static THREAD_LOCAL_ON_ZTS zend_string *nullable _client_ip; +static THREAD_LOCAL_ON_ZTS zval _blocking_function; +static THREAD_LOCAL_ON_ZTS bool _shutdown_done_on_commit; +#define CLIENT_IP_LOOKUP_FAILED ((zend_string *)-1) + +bool dd_req_is_user_req() +{ + return _enabled_user_req; +} + +void dd_req_lifecycle_startup() +{ + _enabled_user_req = strcmp(sapi_module.name, "cli") == 0 && + !get_global_DD_APPSEC_CLI_START_ON_RINIT(); + + if (_enabled_user_req) { + bool res = dd_trace_user_req_add_listeners(&dd_user_req_listeners); + if (!res) { + if (!get_global_DD_APPSEC_TESTING()) { + // on testing, ddtrace is frequently not loaded + mlog(dd_log_warning, + "Failed to register user request listeners"); + } + } else { + mlog(dd_log_debug, "Request lifecycle driven by user request"); + } + } else { + mlog(dd_log_debug, "Request lifecycle matches PHP's"); + } + + _server_zstr = zend_string_init_interned(LSTRARG("_SERVER"), 1); + + _register_testing_objects(); +} + +void dd_req_lifecycle_rinit(bool force) +{ + if (DDAPPSEC_G(enabled) == APPSEC_FULLY_DISABLED) { + mlog(dd_log_debug, + "Skipping request init actions because appsec is fully disabled"); + return; + } + + if (_enabled_user_req) { + mlog(dd_log_debug, "Skipping automatic request init on CLI because " + "DD_APPSEC_CLI_START_ON_RINIT=false"); + return; + } + + if (get_global_DD_APPSEC_TESTING() && !force) { + mlog(dd_log_debug, "Skipping automatic request init in testing"); + if (!_enabled_user_req) { + _set_cur_span(dd_trace_get_active_root_span()); + if (!_cur_req_span) { + mlog(dd_log_debug, "No root span available on request init"); + } + } + return; + } + + _set_cur_span(dd_trace_get_active_root_span()); + if (!_cur_req_span) { + mlog(dd_log_debug, "No root span available on request init"); + } + _do_request_begin_php(); +} + +static void _do_request_begin_php() +{ + (void) _do_request_begin(false); +} + +static zend_array *nullable _do_request_begin_user_req() +{ + return _do_request_begin(true); +} + +static zend_array *nullable _do_request_begin(bool user_req) +{ + dd_tags_rinit(); + + struct req_info_init req_info = { + .req_info.root_span = dd_req_lifecycle_get_cur_span(), + .req_info.client_ip = dd_req_lifecycle_get_client_ip(), + .superglob_equiv = _superglob_equiv, + }; + + // connect/client_init + dd_conn *conn = + dd_helper_mgr_acquire_conn((client_init_func)dd_client_init, &req_info); + if (conn == NULL) { + mlog_g(dd_log_debug, + "No connection; skipping rest of request initialization"); + return NULL; + } + + int res = dd_success; + if (DDAPPSEC_G(active)) { + // request_init + res = dd_request_init(conn, &req_info); + } else if (DDAPPSEC_G(enabled) == APPSEC_ENABLED_VIA_REMCFG) { + // config_sync + res = dd_config_sync(conn); + if (res == SUCCESS && DDAPPSEC_G(active)) { + // Since it came as enabled, lets proceed + res = dd_request_init(conn, &req_info); + } + } + + if (res == dd_network) { + mlog_g(dd_log_info, + "request_init/config_sync failed with dd_network; closing " + "connection to helper"); + dd_helper_close_conn(); + } else if (res == dd_should_block) { + if (user_req) { + const zend_array *nonnull sv = _get_server_equiv(_superglob_equiv); + return dd_request_abort_static_page_spec(sv); + } + dd_request_abort_static_page(); + } else if (res == dd_should_redirect) { + if (user_req) { + return dd_request_abort_redirect_spec(); + } + dd_request_abort_redirect(); + } else if (res) { + mlog_g( + dd_log_info, "request init failed: %s", dd_result_to_string(res)); + } + + return NULL; +} + +void dd_req_lifecycle_rshutdown(bool ignore_verdict, bool force) +{ + if (DDAPPSEC_G(enabled) == APPSEC_FULLY_DISABLED) { + mlog_g(dd_log_debug, "Skipping all request shutdown actions because " + "appsec is fully disabled"); + return; + } + + if (get_global_DD_APPSEC_TESTING() && !force) { + mlog_g(dd_log_debug, "Skipping automatic request shutdown in testing"); + _reset_globals(); + return; + } + + if (_enabled_user_req) { + if (_cur_req_span) { + mlog_g(dd_log_info, + "Finishing user request whose corresponding " + "span is presumably still unclosed on rshutdown"); + _do_request_finish_user_req(true, _superglob_equiv, 0, NULL); + _reset_globals(); + } + } else { + _do_request_finish_php(ignore_verdict); + // _rest_globals already called + } +} + +static void _do_request_finish_php(bool ignore_verdict) +{ + int verdict = dd_success; + dd_conn *conn = dd_helper_mgr_cur_conn(); + + if (conn && DDAPPSEC_G(active)) { + struct req_shutdown_info ctx = { + .req_info.root_span = dd_req_lifecycle_get_cur_span(), + .req_info.client_ip = dd_req_lifecycle_get_client_ip(), + .status_code = SG(sapi_headers).http_response_code, + .resp_headers_fmt = RESP_HEADERS_LLIST, + .resp_headers_llist = &SG(sapi_headers).headers, + }; + + int res = dd_request_shutdown(conn, &ctx); + if (res == dd_network) { + mlog_g(dd_log_info, + "request_shutdown failed with dd_network; closing " + "connection to helper"); + dd_helper_close_conn(); + } else if (res == dd_should_block || res == dd_should_redirect) { + verdict = ignore_verdict ? dd_success : res; + } else if (res) { + mlog_g(dd_log_info, "request shutdown failed: %s", + dd_result_to_string(res)); + } + } + + dd_helper_rshutdown(); + + if (DDAPPSEC_G(active) && _cur_req_span) { + dd_tags_add_tags(_cur_req_span, NULL); + } + dd_tags_rshutdown(); + + _reset_globals(); + + // TODO when blocking on shutdown, let the tracer handle flushing + if (verdict == dd_should_block) { + dd_trace_close_all_spans_and_flush(); + dd_request_abort_static_page(); + } else if (verdict == dd_should_redirect) { + dd_trace_close_all_spans_and_flush(); + dd_request_abort_redirect(); + } +} + +static zend_array *_do_request_finish_user_req( + bool ignore_verdict, zend_array *nonnull superglob_equiv, + int status_code, zend_array *nullable resp_headers) +{ + int verdict = dd_success; + dd_conn *conn = dd_helper_mgr_cur_conn(); + + if (conn && DDAPPSEC_G(active)) { + struct req_shutdown_info ctx = { + .req_info.root_span = dd_req_lifecycle_get_cur_span(), + .req_info.client_ip = dd_req_lifecycle_get_client_ip(), + .status_code = status_code, + .resp_headers_fmt = RESP_HEADERS_MAP_STRING_LIST, + .resp_headers_arr = resp_headers ? resp_headers : &zend_empty_array, + }; + + int res = dd_request_shutdown(conn, &ctx); + if (res == dd_network) { + mlog_g(dd_log_info, + "request_shutdown failed with dd_network; closing " + "connection to helper"); + dd_helper_close_conn(); + } else if (res == dd_should_block || res == dd_should_redirect) { + verdict = ignore_verdict ? dd_success : res; + } else if (res) { + mlog_g(dd_log_info, "request shutdown failed: %s", + dd_result_to_string(res)); + } + } + + dd_helper_rshutdown(); + + if (DDAPPSEC_G(active) && _cur_req_span) { + dd_tags_add_tags(_cur_req_span, superglob_equiv); + } + + if (verdict == dd_should_block) { + const zend_array *nonnull sv = _get_server_equiv(superglob_equiv); + return dd_request_abort_static_page_spec(sv); + } + if (verdict == dd_should_redirect) { + return dd_request_abort_redirect_spec(); + } + + return NULL; +} + +static void _reset_globals() +{ + _set_cur_span(NULL); + + if (_superglob_equiv) { + if (GC_TRY_DELREF(_superglob_equiv), // could be zend_empty_array + GC_REFCOUNT(_superglob_equiv) == 0) { + zend_array_destroy(_superglob_equiv); + } + + _superglob_equiv = NULL; + } + + if (_client_ip && _client_ip != CLIENT_IP_LOOKUP_FAILED) { + zend_string_release(_client_ip); + _client_ip = NULL; + } + + if (Z_TYPE(_blocking_function) != IS_UNDEF) { + zval_ptr_dtor(&_blocking_function); + } + ZVAL_UNDEF(&_blocking_function); + + _shutdown_done_on_commit = false; + dd_tags_rshutdown(); +} + +static zend_string *nullable _extract_ip_from_autoglobal() +{ + zval *_server = + dd_php_get_autoglobal(TRACK_VARS_SERVER, LSTRARG("_SERVER")); + if (!_server) { + mlog(dd_log_info, "No SERVER autoglobal available"); + return NULL; + } + return dd_ip_extraction_find(_server); +} + +static void _set_cur_span(zend_object *nullable span) +{ + if (_cur_req_span) { + if (GC_DELREF(_cur_req_span) == 0) { + zend_objects_store_del(_cur_req_span); + } + } + _cur_req_span = span; + if (_cur_req_span) { + GC_ADDREF(_cur_req_span); + } +} + +zend_object *nullable dd_req_lifecycle_get_cur_span() { return _cur_req_span; } + +zend_string *nullable dd_req_lifecycle_get_client_ip() +{ + if (!_client_ip) { + if (_superglob_equiv) { + zval *_server = zend_hash_find(_superglob_equiv, _server_zstr); + if (_server) { + _client_ip = dd_ip_extraction_find(_server); + } + } else { + _client_ip = _extract_ip_from_autoglobal(); + } + if (!_client_ip) { + _client_ip = CLIENT_IP_LOOKUP_FAILED; + } + } + + if (_client_ip == CLIENT_IP_LOOKUP_FAILED) { + return NULL; + } + return _client_ip; +} + +static zend_array *nullable _start_user_req( + ddtrace_user_req_listeners *listener, zend_object *span, + zend_array *super_global_equiv) +{ + UNUSED(listener); + + if (DDAPPSEC_G(enabled) == APPSEC_FULLY_DISABLED) { + return NULL; + } + + if (_cur_req_span != NULL) { + mlog(dd_log_warning, "User request already started; only one user " + "request can be active at a time. Finishing the " + "previous request before starting the new one"); + zend_array *spec = + _do_request_finish_user_req(true, _superglob_equiv, 0, NULL); + _reset_globals(); + UNUSED(spec); + assert(spec == NULL); + } + + mlog(dd_log_debug, "Starting user request for span %p", span); + + _set_cur_span(span); + GC_TRY_ADDREF(super_global_equiv); + _superglob_equiv = super_global_equiv; + return _do_request_begin_user_req(); +} + +static zend_array *nullable _response_commit( + ddtrace_user_req_listeners *listener, zend_object *span, int status, + zend_array *resp_headers) +{ + UNUSED(listener); + + if (DDAPPSEC_G(enabled) == APPSEC_FULLY_DISABLED) { + return NULL; + } + + if (!_cur_req_span) { + mlog( + dd_log_warning, "Request commit callback called, but there is no " + "root span currently associated through the " + "request started span (or it was cleared already)"); + return NULL; + } + if (_cur_req_span != span) { + mlog(dd_log_warning, + "Request commit callback called, but the root span currently " + "associated is not the same as the one that was provided"); + return NULL; + } + if (_shutdown_done_on_commit) { + mlog(dd_log_warning, + "Request commit callback called twice for the same span"); + return NULL; + } + + mlog(dd_log_debug, "Committing user request for span %p", span); + + zend_array *res = _do_request_finish_user_req( + false, _superglob_equiv, status, resp_headers); + + _shutdown_done_on_commit = true; + + return res; +} + +static void _finish_user_req( + ddtrace_user_req_listeners *listener, zend_object *span) +{ + UNUSED(listener); + + if (DDAPPSEC_G(enabled) == APPSEC_FULLY_DISABLED) { + return; + } + + if (_shutdown_done_on_commit) { + mlog(dd_log_debug, "Skipping user request shutdown because it was " + "already done on commit"); + _reset_globals(); + return; + } + + if (_cur_req_span == NULL) { + mlog( + dd_log_warning, "Request finished callback called, but there is no " + "root span currently associated through the " + "request started span (or it was cleared already). " + "Resetting"); + _reset_globals(); + return; + } + if (_cur_req_span != span) { + mlog(dd_log_warning, + "Request finished callback called, but the root span currently " + "associated is not the same as the one that was provided. " + "Resetting"); + _reset_globals(); + } + + mlog(dd_log_debug, "Finishing user request for span %p", span); + + zend_array *arr = + _do_request_finish_user_req(true, _superglob_equiv, 0, NULL); + UNUSED(arr); + assert(arr == NULL); + _reset_globals(); +} + +const zend_array *nonnull _get_server_equiv( + const zend_array *nonnull superglob_equiv) +{ + zval *_server = zend_hash_str_find(superglob_equiv, LSTRARG("_SERVER")); + if (_server && Z_TYPE_P(_server) == IS_ARRAY) { + return Z_ARRVAL_P(_server); + } + + return &zend_empty_array; +} + +static void _set_blocking_function(ddtrace_user_req_listeners *nonnull self, + zend_object *nonnull span, zval *nonnull blocking_function) +{ + UNUSED(self); + + if (_cur_req_span == NULL) { + mlog(dd_log_warning, "set_blocking_function called, but there is no " + "root span currently associated through " + "notify_start (or it was cleared already)"); + return; + } + if (_cur_req_span != span) { + mlog(dd_log_warning, + "set_blocking_function called, but the root span currently " + "associated is not the same as the one that was provided"); + return; + } + if (_shutdown_done_on_commit) { + mlog(dd_log_warning, + "set_blocking_function called after request shutdown"); + return; + } + if (Z_TYPE(_blocking_function) != IS_UNDEF) { + mlog(dd_log_warning, + "set_blocking_function called twice for the same span"); + return; + } + + ZVAL_COPY(&_blocking_function, blocking_function); +} + +void dd_req_call_blocking_function(dd_result res) +{ + if (Z_TYPE(_blocking_function) == IS_UNDEF) { + mlog(dd_log_debug, "dd_req_call_blocking_function called with no " + "blocking function set"); + return; + } + if (!_superglob_equiv) { + mlog(dd_log_warning, "dd_req_call_blocking_function called, but there " + "is no active span"); + return; + } + if (_shutdown_done_on_commit) { + mlog(dd_log_warning, + "dd_user_req_abort_static_page called after request shutdown"); + return; + } + + mlog(dd_log_debug, "Calling blocking function for span %p", _cur_req_span); + + const zend_array *nonnull sv = _get_server_equiv(_superglob_equiv); + zend_array *spec = NULL; + if (res == dd_should_block) { + spec = dd_request_abort_static_page_spec(sv); + } else if (res == dd_should_redirect) { + spec = dd_request_abort_redirect_spec(sv); + } else { + mlog(dd_log_warning, "dd_req_call_blocking_function called with " + "invalid result %d", res); + } + assert(spec != NULL); + + zend_fcall_info fci; + zend_fcall_info_cache fcc; + char *error = NULL; + if (zend_fcall_info_init( + &_blocking_function, 0, &fci, &fcc, NULL, &error) == FAILURE) { + mlog(dd_log_warning, "Failure resolving callable: %s", + error ? error : ""); + if (error) { + efree(error); + } + return; + } + fci.param_count = 1; + zval zv; + ZVAL_ARR(&zv, spec); + fci.params = &zv; + zval retval; + fci.retval = &retval; + if (zend_call_function(&fci, &fcc) == FAILURE) { + mlog(dd_log_warning, "Failure calling blocking function"); + return; + } + if (EG(exception)) { + mlog(dd_log_debug, "Blocking function threw an exception"); + } + zval_ptr_dtor(&retval); +} + +ddtrace_user_req_listeners dd_user_req_listeners = { + .start_user_req = _start_user_req, + .response_committed = _response_commit, + .set_blocking_function = _set_blocking_function, + .finish_user_req = _finish_user_req, +}; + +PHP_FUNCTION(datadog_appsec_testing_dump_req_lifecycle_state) +{ + if (zend_parse_parameters_none() == FAILURE) { + return; + } + + array_init(return_value); + { + zval zcur_span; + if (_cur_req_span) { + GC_ADDREF(_cur_req_span); + ZVAL_OBJ(&zcur_span, _cur_req_span); + } else { + ZVAL_NULL(&zcur_span); + } + zend_hash_str_add_new( + Z_ARRVAL_P(return_value), "span", sizeof("span") - 1, &zcur_span); + } + { + zval zsuperglob_equiv; + if (_superglob_equiv) { + // may be zend_empty_array; dup it unconditionally because this is + // for testing and it's not so simple to handle for all PHP versions + ZVAL_ARR(&zsuperglob_equiv, zend_array_dup(_superglob_equiv)); + } else { + ZVAL_NULL(&zsuperglob_equiv); + } + zend_hash_str_add_new(Z_ARRVAL_P(return_value), "superglob_equiv", + sizeof("superglob_equiv") - 1, &zsuperglob_equiv); + } + { + zval zshutdown_on_commit; + ZVAL_BOOL(&zshutdown_on_commit, _shutdown_done_on_commit); + zend_hash_str_add_new(Z_ARRVAL_P(return_value), + "shutdown_done_on_commit", sizeof("shutdown_done_on_commit") - 1, + &zshutdown_on_commit); + } +} + +// clang-format off +ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(dump_arginfo, 0, 0, IS_ARRAY, 0) +ZEND_END_ARG_INFO() + +static const zend_function_entry functions[] = { + ZEND_RAW_FENTRY(DD_TESTING_NS "dump_req_lifecycle_state", PHP_FN(datadog_appsec_testing_dump_req_lifecycle_state), dump_arginfo, 0) + PHP_FE_END +}; +// clang-format on + +static void _register_testing_objects() +{ + if (!get_global_DD_APPSEC_TESTING()) { + return; + } + dd_phpobj_reg_funcs(functions); +} diff --git a/appsec/src/extension/request_lifecycle.h b/appsec/src/extension/request_lifecycle.h new file mode 100644 index 00000000000..83a70276ca4 --- /dev/null +++ b/appsec/src/extension/request_lifecycle.h @@ -0,0 +1,16 @@ +#pragma once + +#include "ddappsec.h" +#include "dddefs.h" +#include "ddtrace.h" + +extern ddtrace_user_req_listeners dd_user_req_listeners; + +bool dd_req_is_user_req(void); +void dd_req_lifecycle_startup(void); +void dd_req_lifecycle_rinit(bool force); +void dd_req_lifecycle_rshutdown(bool ignore_verdict, bool force); +void dd_req_call_blocking_function(dd_result res); + +zend_object *nullable dd_req_lifecycle_get_cur_span(void); +zend_string *nullable dd_req_lifecycle_get_client_ip(void); diff --git a/appsec/src/extension/tags.c b/appsec/src/extension/tags.c index 0cf42f8f2d6..94eec86852c 100644 --- a/appsec/src/extension/tags.c +++ b/appsec/src/extension/tags.c @@ -12,6 +12,7 @@ #include "php_compat.h" #include "php_helpers.h" #include "php_objects.h" +#include "request_lifecycle.h" #include "string_helpers.h" #include "user_tracking.h" #include @@ -106,6 +107,7 @@ static zend_string *_track_zstr; static zend_string *_usr_exists_zstr; static zend_string *_uuid_zstr; static zend_string *_id_zstr; +static zend_string *_server_zstr; static HashTable _relevant_headers; static HashTable _relevant_ip_headers; static THREAD_LOCAL_ON_ZTS bool _appsec_json_frags_inited; @@ -117,9 +119,11 @@ static THREAD_LOCAL_ON_ZTS bool _force_keep; static void _init_relevant_headers(void); static zend_string *_concat_json_fragments(void); static void _zend_string_release_indirect(void *s); -static void _add_basic_ancillary_tags(void); -static bool _add_all_ancillary_tags(void); -void _set_runtime_family(void); +static void _add_basic_ancillary_tags( + zend_object *nonnull span, const zend_array *nonnull server); +static bool _add_all_ancillary_tags( + zend_object *nonnull span, const zend_array *nonnull server); +void _set_runtime_family(zend_object *nonnull span); static bool _set_appsec_enabled(zval *metrics_zv); static void _register_functions(void); static void _register_test_functions(void); @@ -205,6 +209,8 @@ void dd_tags_startup() _id_zstr = zend_string_init_interned(LSTRARG("/^\\d+$/"), 1 /* permanent */); + _server_zstr = zend_string_init_interned(LSTRARG("_SERVER"), 1); + _mode_safe_cstr = zend_string_init_interned(LSTRARG("safe"), 1 /* permanent */); _mode_extended_cstr = @@ -318,9 +324,13 @@ void dd_tags_rshutdown() } } -void dd_tags_add_tags() +void dd_tags_add_tags( + zend_object *nonnull span, zend_array *nullable superglob_equiv) { - zval *metrics_zv = dd_trace_root_span_get_metrics(); + const zend_array *nonnull server = dd_get_superglob_or_equiv( + LSTRARG("_SERVER"), TRACK_VARS_SERVER, superglob_equiv); + + zval *metrics_zv = dd_trace_span_get_metrics(span); if (metrics_zv) { // metric _dd.appsec.enabled bool added = _set_appsec_enabled(metrics_zv); @@ -331,16 +341,18 @@ void dd_tags_add_tags() } } // tag _dd.runtime_family - _set_runtime_family(); + _set_runtime_family(span); if (_force_keep) { - dd_trace_set_priority_sampling_on_root( + dd_trace_set_priority_sampling_on_span_zobj(span, PRIORITY_SAMPLING_USER_KEEP, DD_MECHANISM_MANUAL); mlog(dd_log_debug, "Updated sampling priority to user_keep"); } if (zend_llist_count(&_appsec_json_frags) == 0) { - _add_basic_ancillary_tags(); + if (server) { + _add_basic_ancillary_tags(span, server); + } return; } @@ -350,7 +362,7 @@ void dd_tags_add_tags() ZVAL_STR(&tag_value_zv, tag_value); // tag _dd.appsec.json - bool res = dd_trace_root_span_add_tag(_dd_tag_data_zstr, &tag_value_zv); + bool res = dd_trace_span_add_tag(span, _dd_tag_data_zstr, &tag_value_zv); if (!res) { mlog(dd_log_info, "Failed adding tag " DD_TAG_DATA " to root span"); return; @@ -359,27 +371,22 @@ void dd_tags_add_tags() // tag appsec.event zval true_zv; ZVAL_STR_COPY(&true_zv, _true_zstr); - res = dd_trace_root_span_add_tag(_dd_tag_event_zstr, &true_zv); + res = dd_trace_span_add_tag(span, _dd_tag_event_zstr, &true_zv); if (!res) { mlog(dd_log_info, "Failed adding tag " DD_TAG_EVENT " to root span"); return; } // Add tags with request/response information - if (!_add_all_ancillary_tags()) { - return; + if (server) { + if (!_add_all_ancillary_tags(span, server)) { + return; + } } } void dd_tags_add_blocked() { _blocked = true; } -void dd_tags_rshutdown_testing() -{ - // in testing, we don't add the data/event tags, but we still - // need to clean the fragments to avoid leaking - dd_tags_rshutdown(); -} - void dd_tags_set_sampling_priority() { _force_keep = true; } static void _zend_string_release_indirect(void *s) @@ -428,64 +435,62 @@ static zend_string *_concat_json_fragments() return tag_value; } -static void _add_basic_tags_to_meta(zval *nonnull meta); -static void _add_all_tags_to_meta(zval *nonnull meta); +static void _add_basic_tags_to_meta( + zval *nonnull meta, const zend_array *nonnull server); +static void _add_all_tags_to_meta( + zval *nonnull meta, const zend_array *nonnull server); static void _dd_http_method(zend_array *meta_ht); -static void _dd_http_url(zend_array *meta_ht, zval *_server); -static void _dd_http_user_agent(zend_array *meta_ht, zval *_server); +static void _dd_http_url( + zend_array *meta_ht, const zend_array *nonnull _server); +static void _dd_http_user_agent( + zend_array *meta_ht, const zend_array *nonnull _server); static void _dd_http_status_code(zend_array *meta_ht); -static void _dd_http_network_client_ip(zend_array *meta_ht, zval *_server); +static void _dd_http_network_client_ip( + zend_array *meta_ht, const zend_array *_server); static void _dd_http_client_ip(zend_array *meta_ht); -static void _dd_request_headers( - zend_array *meta_ht, zval *_server, HashTable *relevant_headers); +static void _dd_request_headers(zend_array *meta_ht, const zend_array *_server, + const zend_array *nonnull relevant_headers); static void _dd_response_headers(zend_array *meta_ht); static void _dd_event_user_id(zend_array *meta_ht); static void _dd_appsec_blocked(zend_array *meta_ht); -static void _add_basic_ancillary_tags() +static void _add_basic_ancillary_tags(zend_object *nonnull span, const zend_array *nonnull server) { - zval *nullable meta = dd_trace_root_span_get_meta(); + zval *nullable meta = dd_trace_span_get_meta(span); if (!meta) { return; } - _add_basic_tags_to_meta(meta); + _add_basic_tags_to_meta(meta, server); } -static bool _add_all_ancillary_tags() +static bool _add_all_ancillary_tags( + zend_object *nonnull span, const zend_array *nonnull server) { - zval *nullable meta = dd_trace_root_span_get_meta(); + zval *nullable meta = dd_trace_span_get_meta(span); if (!meta) { return false; } - _add_all_tags_to_meta(meta); + _add_all_tags_to_meta(meta, server); return true; } -static void _add_basic_tags_to_meta(zval *nonnull meta) +// NOLINTNEXTLINE(bugprone-easily-swappable-parameters) +static void _add_basic_tags_to_meta( + zval *nonnull meta, const zend_array *nonnull _server) { zend_array *meta_ht = Z_ARRVAL_P(meta); - zval *_server = - dd_php_get_autoglobal(TRACK_VARS_SERVER, LSTRARG("_SERVER")); - if (!_server) { - mlog(dd_log_info, "No SERVER autoglobal available"); - return; - } _dd_http_client_ip(meta_ht); _dd_request_headers(meta_ht, _server, &_relevant_ip_headers); } -static void _add_all_tags_to_meta(zval *nonnull meta) +// NOLINTNEXTLINE(bugprone-easily-swappable-parameters) +static void _add_all_tags_to_meta( + zval *nonnull meta, const zend_array *nonnull _server) { zend_array *meta_ht = Z_ARRVAL_P(meta); - zval *_server = - dd_php_get_autoglobal(TRACK_VARS_SERVER, LSTRARG("_SERVER")); - if (!_server) { - mlog(dd_log_info, "No SERVER autoglobal available"); - return; - } _dd_http_method(meta_ht); _dd_http_url(meta_ht, _server); _dd_http_user_agent(meta_ht, _server); @@ -536,7 +541,7 @@ static void _dd_http_method(zend_array *meta_ht) _add_new_zstr_to_meta( meta_ht, _dd_tag_http_method_zstr, method_zstr, false, false); } -static void _dd_http_url(zend_array *meta_ht, zval *_server) +static void _dd_http_url(zend_array *meta_ht, const zend_array *_server) { if (zend_hash_exists(meta_ht, _dd_tag_http_url_zstr)) { return; @@ -569,7 +574,7 @@ static void _dd_http_url(zend_array *meta_ht, zval *_server) } } - bool has_https = zend_hash_exists(Z_ARRVAL_P(_server), _key_https_zstr); + bool has_https = zend_hash_exists(_server, _key_https_zstr); size_t final_len = (has_https ? LSTRLEN("https") : LSTRLEN("http")) + LSTRLEN("://") + ZSTR_LEN(http_host_zstr) + uri_len; smart_str url_str = {0}; @@ -587,7 +592,8 @@ static void _dd_http_url(zend_array *meta_ht, zval *_server) meta_ht, _dd_tag_http_url_zstr, url_str.s, false, false); } -static void _dd_http_user_agent(zend_array *meta_ht, zval *_server) +static void _dd_http_user_agent( + zend_array *meta_ht, const zend_array *nonnull _server) { if (zend_hash_exists(meta_ht, _dd_tag_http_user_agent_zstr)) { return; @@ -621,7 +627,8 @@ static void _dd_http_status_code(zend_array *meta_ht) meta_ht, _dd_tag_http_status_code_zstr, Z_STR(zv), false, false); } -static void _dd_http_network_client_ip(zend_array *meta_ht, zval *_server) +static void _dd_http_network_client_ip( + zend_array *meta_ht, const zend_array *_server) { if (zend_hash_exists(meta_ht, _dd_tag_network_client_ip_zstr)) { return; @@ -642,7 +649,7 @@ static void _dd_http_client_ip(zend_array *meta_ht) zend_hash_exists(meta_ht, _dd_multiple_ip_headers)) { return; } - zend_string *client_ip = dd_ip_extraction_get_ip(); + zend_string *client_ip = dd_req_lifecycle_get_client_ip(); if (client_ip) { _add_new_zstr_to_meta( meta_ht, _dd_tag_http_client_ip_zstr, client_ip, true, false); @@ -650,12 +657,14 @@ static void _dd_http_client_ip(zend_array *meta_ht) } static void _dd_request_headers( - zend_array *meta_ht, zval *_server, HashTable *relevant_headers) + // NOLINTNEXTLINE(bugprone-easily-swappable-parameters) + zend_array *meta_ht, const zend_array *nonnull _server, + const zend_array *relevant_headers) { // Pack headers zend_string *key; zval *val; - ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(_server), key, val) + ZEND_HASH_FOREACH_STR_KEY_VAL((zend_array *)_server, key, val) { if (!key) { continue; @@ -784,9 +793,9 @@ static zend_string *nullable _is_relevant_resp_header( return NULL; } -void _set_runtime_family() +void _set_runtime_family(zend_object *nonnull span) { - bool res = dd_trace_root_span_add_tag_str( + bool res = dd_trace_span_add_tag_str(span, LSTRARG(DD_TAG_RUNTIME_FAMILY), LSTRARG("php")); if (!res && !get_global_DD_APPSEC_TESTING()) { mlog(dd_log_warning, @@ -850,16 +859,31 @@ bool match_regex(zend_string *pattern, zend_string *subject) return Z_TYPE(ret) == IS_LONG && Z_LVAL(ret) > 0; } -bool is_user_id_sensitive(zend_string *user_id) +static bool _is_user_id_sensitive(zend_string *user_id) { return !( match_regex(_uuid_zstr, user_id) || match_regex(_id_zstr, user_id)); } +static zval *nullable _root_span_get_meta() +{ + zend_object *nullable span = dd_req_lifecycle_get_cur_span(); + if (!span) { + mlog(dd_log_warning, "No root span being tracked by appsec"); + return NULL; + } + + zval *nullable meta = dd_trace_span_get_meta(span); + if (!meta) { + mlog(dd_log_warning, "Failed to retrieve root span meta"); + } + return meta; +} + static PHP_FUNCTION(datadog_appsec_track_user_signup_event) { UNUSED(return_value); - if (DDAPPSEC_G(enabled) != ENABLED) { + if (!DDAPPSEC_G(active)) { mlog(dd_log_debug, "Trying to access to track_user_signup_event " "function while appsec is disabled"); return; @@ -880,7 +904,7 @@ static PHP_FUNCTION(datadog_appsec_track_user_signup_event) } if (automated_user_events_tracking == SAFE) { - if (user_id != NULL && is_user_id_sensitive(user_id)) { + if (user_id != NULL && _is_user_id_sensitive(user_id)) { user_id = NULL; } @@ -895,11 +919,11 @@ static PHP_FUNCTION(datadog_appsec_track_user_signup_event) } } - zval *nullable meta = dd_trace_root_span_get_meta(); + zval *nullable meta = _root_span_get_meta(); if (!meta) { - mlog(dd_log_warning, "Failed to retrieve root span meta"); return; } + zend_array *meta_ht = Z_ARRVAL_P(meta); bool override = !automated; @@ -935,7 +959,7 @@ static PHP_FUNCTION(datadog_appsec_track_user_signup_event) static PHP_FUNCTION(datadog_appsec_track_user_login_success_event) { UNUSED(return_value); - if (DDAPPSEC_G(enabled) != ENABLED) { + if (!DDAPPSEC_G(active)) { mlog(dd_log_debug, "Trying to access to track_user_login_success_event " "function while appsec is disabled"); return; @@ -956,7 +980,7 @@ static PHP_FUNCTION(datadog_appsec_track_user_login_success_event) } if (automated_user_events_tracking == SAFE) { - if (user_id != NULL && is_user_id_sensitive(user_id)) { + if (user_id != NULL && _is_user_id_sensitive(user_id)) { user_id = NULL; } @@ -971,11 +995,12 @@ static PHP_FUNCTION(datadog_appsec_track_user_login_success_event) } } - zval *nullable meta = dd_trace_root_span_get_meta(); + + zval *nullable meta = _root_span_get_meta(); if (!meta) { - mlog(dd_log_warning, "Failed to retrieve root span meta"); return; } + zend_array *meta_ht = Z_ARRVAL_P(meta); bool override = !automated; @@ -1013,7 +1038,7 @@ static PHP_FUNCTION(datadog_appsec_track_user_login_success_event) static PHP_FUNCTION(datadog_appsec_track_user_login_failure_event) { UNUSED(return_value); - if (DDAPPSEC_G(enabled) != ENABLED) { + if (!DDAPPSEC_G(active)) { mlog(dd_log_debug, "Trying to access to track_user_login_failure_event " "function while appsec is disabled"); return; @@ -1036,7 +1061,7 @@ static PHP_FUNCTION(datadog_appsec_track_user_login_failure_event) } if (automated_user_events_tracking == SAFE) { - if (is_user_id_sensitive(user_id)) { + if (_is_user_id_sensitive(user_id)) { user_id = NULL; } @@ -1046,11 +1071,12 @@ static PHP_FUNCTION(datadog_appsec_track_user_login_failure_event) } } - zval *nullable meta = dd_trace_root_span_get_meta(); + + zval *nullable meta = _root_span_get_meta(); if (!meta) { - mlog(dd_log_warning, "Failed to retrieve root span meta"); return; } + zend_array *meta_ht = Z_ARRVAL_P(meta); bool override = !automated; @@ -1091,7 +1117,7 @@ static PHP_FUNCTION(datadog_appsec_track_user_login_failure_event) static PHP_FUNCTION(datadog_appsec_track_custom_event) { UNUSED(return_value); - if (DDAPPSEC_G(enabled) != ENABLED) { + if (!DDAPPSEC_G(active)) { mlog(dd_log_debug, "Trying to access to track_custom_event " "function while appsec is disabled"); return; @@ -1111,11 +1137,12 @@ static PHP_FUNCTION(datadog_appsec_track_custom_event) return; } - zval *nullable meta = dd_trace_root_span_get_meta(); + + zval *nullable meta = _root_span_get_meta(); if (!meta) { - mlog(dd_log_warning, "Failed to retrieve root span meta"); return; } + zend_array *meta_ht = Z_ARRVAL_P(meta); // Generate full event name @@ -1141,7 +1168,7 @@ static PHP_FUNCTION(datadog_appsec_track_custom_event) static bool _set_appsec_enabled(zval *metrics_zv) { zval zv; - ZVAL_LONG(&zv, DDAPPSEC_G(enabled) == ENABLED ? 1 : 0); + ZVAL_LONG(&zv, DDAPPSEC_G(active) ? 1 : 0); return zend_hash_add(Z_ARRVAL_P(metrics_zv), _dd_metric_enabled, &zv) != NULL; } @@ -1183,25 +1210,47 @@ static PHP_FUNCTION(datadog_appsec_testing_add_all_ancillary_tags) { UNUSED(return_value); zval *arr; - if (zend_parse_parameters(ZEND_NUM_ARGS(), "a/", &arr) == FAILURE) { + zval *server = NULL; + if (zend_parse_parameters(ZEND_NUM_ARGS(), "a/|a!", &arr, &server) == + FAILURE) { + return; + } + + if (!server) { + server = dd_php_get_autoglobal(TRACK_VARS_SERVER, LSTRARG("_SERVER")); + } + if (!server) { + mlog(dd_log_warning, "Could not retrieve _SERVER"); return; } - _add_all_tags_to_meta(arr); + + _add_all_tags_to_meta(arr, Z_ARRVAL_P(server)); } static PHP_FUNCTION(datadog_appsec_testing_add_basic_ancillary_tags) { UNUSED(return_value); zval *arr; - if (zend_parse_parameters(ZEND_NUM_ARGS(), "a/", &arr) == FAILURE) { + zval *server = NULL; + if (zend_parse_parameters(ZEND_NUM_ARGS(), "a/|a!", &arr, &server) == + FAILURE) { + return; + } + + if (!server) { + server = dd_php_get_autoglobal(TRACK_VARS_SERVER, LSTRARG("_SERVER")); + } + if (!server) { + mlog(dd_log_warning, "Could not retrieve _SERVER"); return; } - _add_basic_tags_to_meta(arr); + _add_basic_tags_to_meta(arr, Z_ARRVAL_P(server)); } // clang-format off ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(add_ancillary_tags, 0, 1, IS_VOID, 0) ZEND_ARG_TYPE_INFO(1, "dest", IS_ARRAY, 0) + ZEND_ARG_TYPE_INFO(2, "_server", IS_ARRAY, 0) ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(track_user_login_success_event_arginfo, 0, 0, IS_VOID, 3) diff --git a/appsec/src/extension/tags.h b/appsec/src/extension/tags.h index e113a5ae133..19beb1084b4 100644 --- a/appsec/src/extension/tags.h +++ b/appsec/src/extension/tags.h @@ -16,9 +16,8 @@ void dd_tags_startup(void); void dd_tags_shutdown(void); void dd_tags_rinit(void); void dd_tags_rshutdown(void); -void dd_tags_add_tags(void); +void dd_tags_add_tags(zend_object *nonnull span, zend_array *nullable superglob_equiv); void dd_tags_add_blocked(void); -void dd_tags_rshutdown_testing(void); void dd_tags_set_sampling_priority(); diff --git a/appsec/src/extension/user_tracking.c b/appsec/src/extension/user_tracking.c index d1c9909b6d2..43017fc0d03 100644 --- a/appsec/src/extension/user_tracking.c +++ b/appsec/src/extension/user_tracking.c @@ -7,20 +7,22 @@ #include "user_tracking.h" #include "commands/request_exec.h" #include "ddappsec.h" +#include "dddefs.h" #include "ddtrace.h" #include "helper_process.h" #include "logging.h" #include "php_compat.h" #include "request_abort.h" +#include "request_lifecycle.h" #include "string_helpers.h" #include "tags.h" +#include static void (*_ddtrace_set_user)(INTERNAL_FUNCTION_PARAMETERS) = NULL; static PHP_FUNCTION(set_user_wrapper) { - if (DDAPPSEC_G(enabled) == ENABLED || - UNEXPECTED(get_global_DD_APPSEC_TESTING())) { + if (DDAPPSEC_G(active) || UNEXPECTED(get_global_DD_APPSEC_TESTING())) { zend_string *user_id = NULL; HashTable *metadata = NULL; zend_bool propagate = false; @@ -73,8 +75,7 @@ void dd_user_tracking_shutdown(void) void dd_find_and_apply_verdict_for_user(zend_string *nonnull user_id) { - if (DDAPPSEC_G(enabled) != ENABLED && - UNEXPECTED(!get_global_DD_APPSEC_TESTING())) { + if (!DDAPPSEC_G(active) && UNEXPECTED(!get_global_DD_APPSEC_TESTING())) { return; } @@ -102,9 +103,15 @@ void dd_find_and_apply_verdict_for_user(zend_string *nonnull user_id) dd_tags_set_event_user_id(user_id); - if (res == dd_should_block) { - dd_request_abort_static_page(); - } else if (res == dd_should_redirect) { - dd_request_abort_redirect(); + if (dd_req_is_user_req()) { + if (res == dd_should_block || res == dd_should_redirect) { + dd_req_call_blocking_function(res); + } + } else { + if (res == dd_should_block) { + dd_request_abort_static_page(); + } else if (res == dd_should_redirect) { + dd_request_abort_redirect(); + } } } diff --git a/appsec/src/helper/remote_config/http_api.cpp b/appsec/src/helper/remote_config/http_api.cpp index 7230f34bd2e..c06ff0ee856 100644 --- a/appsec/src/helper/remote_config/http_api.cpp +++ b/appsec/src/helper/remote_config/http_api.cpp @@ -68,11 +68,11 @@ std::string execute_request(const std::string &host, const std::string &port, // If we get here then the connection is closed gracefully } catch (std::exception const &e) { - SPDLOG_ERROR("Connection error - {} - {}", request.target().to_string(), - e.what()); + auto sv = request.target(); + std::string err{sv.data(), sv.size()}; + SPDLOG_ERROR("Connection error - {} - {}", err, e.what()); throw dds::remote_config::network_exception( - "Connection error - " + request.target().to_string() + " - " + - e.what()); + "Connection error - " + err + " - " + e.what()); } return result; diff --git a/appsec/tests/extension/bad_env_ini.phpt b/appsec/tests/extension/bad_env_ini.phpt index a1ed6fa4a2f..0dba85ed06d 100644 --- a/appsec/tests/extension/bad_env_ini.phpt +++ b/appsec/tests/extension/bad_env_ini.phpt @@ -14,6 +14,11 @@ extension=ddtrace.so var_dump(ini_get("datadog.appsec.log_level")); ?> --EXPECTF-- +Notice: %s: [ddappsec] Skipping automatic request init in testing in Unknown on line %d string(5) "trace" -Notice: PHP Shutdown: [ddappsec] Shutting down the file logging in Unknown on line 0 +Notice: %s: [ddappsec] Skipping automatic request shutdown in testing in Unknown on line %d + +Notice: PHP Startup: [ddappsec] Request lifecycle matches PHP's in Unknown on line %d + +Notice: PHP Shutdown: [ddappsec] Shutting down the file logging in Unknown on line %d diff --git a/appsec/tests/extension/client_init_bad_msg.phpt b/appsec/tests/extension/client_init_bad_msg.phpt index 23463b53c7b..b62c4bd3f3b 100644 --- a/appsec/tests/extension/client_init_bad_msg.phpt +++ b/appsec/tests/extension/client_init_bad_msg.phpt @@ -14,6 +14,7 @@ $helper = Helper::createRun([ response_list(response_client_init(['msg' => ['y' => 'ok']])) ]); +sleep(1); var_dump(rinit()); match_log('/Unexpected client_init response: mpack_error_type/'); diff --git a/appsec/tests/extension/phpinfo_enabled_01.phpt b/appsec/tests/extension/phpinfo_enabled_01.phpt index dad6c2b7403..5d791d7570f 100644 --- a/appsec/tests/extension/phpinfo_enabled_01.phpt +++ b/appsec/tests/extension/phpinfo_enabled_01.phpt @@ -9,4 +9,4 @@ var_dump(get_configuration_value("Current state")); --EXPECT-- string(3) "Yes" -string(14) "Not configured" \ No newline at end of file +string(14) "Not configured" diff --git a/appsec/tests/extension/rinit_force_keep_02.phpt b/appsec/tests/extension/rinit_force_keep_02.phpt index 2eecaa1cc50..577788a487e 100644 --- a/appsec/tests/extension/rinit_force_keep_02.phpt +++ b/appsec/tests/extension/rinit_force_keep_02.phpt @@ -3,7 +3,6 @@ Sampling priority is left as it is when not forced --INI-- extension=ddtrace.so datadog.appsec.enabled=1 -datadog.appsec.log_file=/tmp/php_appsec_test.log --FILE-- --EXPECTF-- -found message in log matching /Failed to retrieve root span meta/ +found message in log matching /No root span available on request init/ diff --git a/appsec/tests/extension/track_user_login_failure_event_no_root_span.phpt b/appsec/tests/extension/track_user_login_failure_event_no_root_span.phpt index 221b8e161ee..87dcb811071 100644 --- a/appsec/tests/extension/track_user_login_failure_event_no_root_span.phpt +++ b/appsec/tests/extension/track_user_login_failure_event_no_root_span.phpt @@ -24,7 +24,7 @@ track_user_login_failure_event("Admin", false, require __DIR__ . '/inc/logging.php'; -match_log("/Failed to retrieve root span meta/"); +match_log("/No root span available on request init/"); ?> --EXPECTF-- -found message in log matching /Failed to retrieve root span meta/ +found message in log matching /No root span available on request init/ diff --git a/appsec/tests/extension/track_user_login_success_event_no_root_span.phpt b/appsec/tests/extension/track_user_login_success_event_no_root_span.phpt index 4159adb7899..9f0e7a17bf0 100644 --- a/appsec/tests/extension/track_user_login_success_event_no_root_span.phpt +++ b/appsec/tests/extension/track_user_login_success_event_no_root_span.phpt @@ -24,7 +24,7 @@ track_user_login_success_event("Admin", require __DIR__ . '/inc/logging.php'; -match_log("/Failed to retrieve root span meta/"); +match_log("/No root span available on request init/"); ?> --EXPECTF-- -found message in log matching /Failed to retrieve root span meta/ +found message in log matching /No root span available on request init/ diff --git a/appsec/tests/extension/track_user_signup_event_no_root_span.phpt b/appsec/tests/extension/track_user_signup_event_no_root_span.phpt index 957a536cf92..3e5d7270ed0 100644 --- a/appsec/tests/extension/track_user_signup_event_no_root_span.phpt +++ b/appsec/tests/extension/track_user_signup_event_no_root_span.phpt @@ -24,7 +24,7 @@ track_user_signup_event("Admin", require __DIR__ . '/inc/logging.php'; -match_log("/Failed to retrieve root span meta/"); +match_log("/No root span available on request init/"); ?> --EXPECTF-- -found message in log matching /Failed to retrieve root span meta/ +found message in log matching /No root span available on request init/ diff --git a/appsec/tests/extension/user_req_basic.phpt b/appsec/tests/extension/user_req_basic.phpt new file mode 100644 index 00000000000..2aeddf82332 --- /dev/null +++ b/appsec/tests/extension/user_req_basic.phpt @@ -0,0 +1,188 @@ +--TEST-- +User requests: basic functionality +--INI-- +extension=ddtrace.so +datadog.appsec.enabled=true +datadog.appsec.cli_start_on_rinit=false +--ENV-- +DD_TRACE_GENERATE_ROOT_SPAN=0 +--FILE-- + ['k1' => ['v1', 'v2'], 'k2' => 'v3 x'], + '_POST' => ['k3' => ['v4', 'v5'], 'k4' => 'v6'], + '_SERVER' => [ + 'REMOTE_ADDR' => '1.2.3.4', + 'SERVER_PROTOCOL' => 'HTTP/1.1', + 'REQUEST_METHOD' => 'GET', + 'REQUEST_URI' => '/foo?k1[]=v1&k1[]=v2&k2=>v3%20x', + 'HTTPS' => 'off', + 'SERVER_NAME' => 'example.com', + 'SERVER_PORT' => 80, + 'HTTP_HOST' => 'example2.com', + 'HTTP_CLIENT_IP' => '2.3.4.5', + 'COOKIE' => 'a=b', + ], + '_COOKIE' => ['a' => 'b'], + '_FILES' => [ + 'myfile' => [ + 'name' => 'myfile.txt', + 'type' => 'text/plain;charset=utf-8', + 'size' => '123', + 'tmp_name' => '/tmp/fake_name.txt', + ], + ] +)); +echo "Result of notify_start:\n"; +print_r($res); + +$res = notify_commit($span, 200, array( + 'Content-type' => 'text/html', + 'Set-Cookie' => ['a=x', 'b=y'], +)); +echo "Result of notify_commit:\n"; +print_r($res); + + +switch_stack($stack); + +close_span(100.0); + +$c = $helper->get_commands(); +print_r($c[1]); +print_r($c[2]); +--EXPECT-- +Result of notify_start: +Array +( + [status] => 403 + [body] => {"errors": [{"title": "You've been blocked", "detail": "Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]} + [headers] => Array + ( + [Content-Type] => application/json + [Content-Length] => 167 + ) + +) +Result of notify_commit: +Array +( + [status] => 403 + [body] => {"errors": [{"title": "You've been blocked", "detail": "Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]} + [headers] => Array + ( + [Content-Type] => application/json + [Content-Length] => 167 + ) + +) +Array +( + [0] => request_init + [1] => Array + ( + [0] => Array + ( + [server.request.query] => Array + ( + [k1] => Array + ( + [0] => v1 + [1] => v2 + ) + + [k2] => v3 x + ) + + [server.request.method] => GET + [server.request.cookies] => Array + ( + [a] => b + ) + + [server.request.uri.raw] => /foo?k1[]=v1&k1[]=v2&k2=>v3%20x + [server.request.headers.no_cookies] => Array + ( + [host] => example2.com + [client-ip] => 2.3.4.5 + ) + + [server.request.body] => Array + ( + [k3] => Array + ( + [0] => v4 + [1] => v5 + ) + + [k4] => v6 + ) + + [server.request.body.filenames] => Array + ( + [0] => myfile.txt + ) + + [server.request.body.files_field_names] => Array + ( + [0] => myfile + ) + + [server.request.path_params] => Array + ( + [0] => foo + ) + + [http.client_ip] => 1.2.3.4 + ) + + ) + +) +Array +( + [0] => request_shutdown + [1] => Array + ( + [0] => Array + ( + [server.response.status] => 200 + [server.response.headers.no_cookies] => Array + ( + [Content-type] => Array + ( + [0] => text/html + ) + + [Set-Cookie] => Array + ( + [0] => a=x + [1] => b=y + ) + + ) + + ) + + ) + +) diff --git a/appsec/tests/extension/user_req_content_negotiation.phpt b/appsec/tests/extension/user_req_content_negotiation.phpt new file mode 100644 index 00000000000..88add8abb13 --- /dev/null +++ b/appsec/tests/extension/user_req_content_negotiation.phpt @@ -0,0 +1,46 @@ +--TEST-- +User requests: content negotiation +--INI-- +extension=ddtrace.so +datadog.appsec.enabled=true +datadog.appsec.cli_start_on_rinit=false +datadog.appsec.log_level=error +--ENV-- +DD_TRACE_GENERATE_ROOT_SPAN=0 +--FILE-- + [ + 'HTTP_ACCEPT' => 'text/html', + ], +)); +echo "Result of notify_start:\n"; +print_r($res); + +\datadog\appsec\testing\rshutdown(); +--EXPECTF-- +Result of notify_start: +Array +( + [status] => 403 + [body] => %s + [headers] => Array + ( + [Content-Type] => text/html + [Content-Length] => 1460 + ) + +) diff --git a/appsec/tests/extension/user_req_no_root_span.phpt b/appsec/tests/extension/user_req_no_root_span.phpt new file mode 100644 index 00000000000..67aa08ff3a0 --- /dev/null +++ b/appsec/tests/extension/user_req_no_root_span.phpt @@ -0,0 +1,24 @@ +--TEST-- +User requests: no root span +--INI-- +extension=ddtrace.so +datadog.appsec.enabled=true +datadog.appsec.cli_start_on_rinit=false +datado +--ENV-- +DD_TRACE_GENERATE_ROOT_SPAN=1 +--FILE-- + '302', 'location' => 'https://www.example.com'], ['{"yet another":"attack"}'], true])), + response_list(response_request_shutdown(['ok', [], [], []])) +]); + +$span = start_span(); + +$res = notify_start($span, array()); +echo "Result of notify_start:\n"; +print_r($res); + +close_span(100.0); +--EXPECTF-- +Result of notify_start: +Array +( + [status] => 302 + [headers] => Array + ( + [Location] => https://www.example.com + ) + +) diff --git a/appsec/tests/extension/user_req_regular_sequence.phpt b/appsec/tests/extension/user_req_regular_sequence.phpt new file mode 100644 index 00000000000..31c13c6eb6e --- /dev/null +++ b/appsec/tests/extension/user_req_regular_sequence.phpt @@ -0,0 +1,115 @@ +--TEST-- +User requests: regular sequence +--INI-- +extension=ddtrace.so +datadog.appsec.enabled=true +datadog.appsec.cli_start_on_rinit=false +--ENV-- +DD_TRACE_GENERATE_ROOT_SPAN=0 +--FILE-- + !empty($d['span']) ? "span {$d['span']->id}" : '(none)', + 'shutdown_done_on_commit' => $d['shutdown_done_on_commit'] + )); +} +$span = start_span(); + +echo "Initial:\n"; +d(); +notify_start($span, array()); +echo "After notify_start:\n"; +d(); +notify_commit($span, 200, array()); +echo "After notify_commit:\n"; +d(); +close_span(100.0); +echo "After close_span():\n"; +d(); + + +echo "Initial:\n"; +d(); +$span = start_span(); +$res = notify_start($span, array()); +echo "After notify_start:\n"; +d(); +notify_commit($span, 200, array()); +echo "After notify_commit:\n"; +d(); +close_span(100.0); +echo "After close_span():\n"; +d(); +--EXPECTF-- +Initial: +array(2) { + ["span"]=> + string(6) "(none)" + ["shutdown_done_on_commit"]=> + bool(false) +} +After notify_start: +array(2) { + ["span"]=> + string(%d) "span %s" + ["shutdown_done_on_commit"]=> + bool(false) +} +After notify_commit: +array(2) { + ["span"]=> + string(%d) "span %s" + ["shutdown_done_on_commit"]=> + bool(true) +} +After close_span(): +array(2) { + ["span"]=> + string(6) "(none)" + ["shutdown_done_on_commit"]=> + bool(false) +} +Initial: +array(2) { + ["span"]=> + string(6) "(none)" + ["shutdown_done_on_commit"]=> + bool(false) +} +After notify_start: +array(2) { + ["span"]=> + string(%d) "span %s" + ["shutdown_done_on_commit"]=> + bool(false) +} +After notify_commit: +array(2) { + ["span"]=> + string(%d) "span %s" + ["shutdown_done_on_commit"]=> + bool(true) +} +After close_span(): +array(2) { + ["span"]=> + string(6) "(none)" + ["shutdown_done_on_commit"]=> + bool(false) +} diff --git a/appsec/tests/extension/user_req_wrong_sequence.phpt b/appsec/tests/extension/user_req_wrong_sequence.phpt new file mode 100644 index 00000000000..aff1472a344 --- /dev/null +++ b/appsec/tests/extension/user_req_wrong_sequence.phpt @@ -0,0 +1,100 @@ +--TEST-- +User requests: regular sequence +--INI-- +extension=ddtrace.so +datadog.appsec.enabled=true +datadog.appsec.cli_start_on_rinit=false +datadog.appsec.log_level=warning +--ENV-- +DD_TRACE_GENERATE_ROOT_SPAN=0 +--FILE-- + !empty($d['span']) ? "span {$d['span']->id}" : '(none)', + 'shutdown_done_on_commit' => $d['shutdown_done_on_commit'] + )); +} +$span = start_span(); +notify_start($span, array()); +echo "# Double notify_start\n"; +notify_start($span, array()); +d(); +close_span(100.0); +echo "After close_span\n"; +d(); + +echo "\n# Start with closed span\n"; +notify_start($span, array()); + +echo "\n# Commit span with closed span\n"; +notify_commit($span, 200, array()); + +echo "\n# Commit unstarted span\n"; +$span = start_span(); +notify_commit($span, 200, array()); +close_span(); + +echo "\n# Double commit\n"; +$span = start_span(); +notify_start($span, array()); +notify_commit($span, 200, array()); +notify_commit($span, 200, array()); +d(); + +--EXPECTF-- +# Double notify_start + +Warning: DDTrace\UserRequest\notify_start(): Start of span already notified in %s on line %d +array(2) { + ["span"]=> + string(%d) "span %s" + ["shutdown_done_on_commit"]=> + bool(false) +} +After close_span +array(2) { + ["span"]=> + string(6) "(none)" + ["shutdown_done_on_commit"]=> + bool(false) +} + +# Start with closed span + +Warning: DDTrace\UserRequest\notify_start(): Span already finished in %s on line %d + +# Commit span with closed span + +Warning: DDTrace\UserRequest\notify_commit(): [ddappsec] Request commit callback called, but there is no root span currently associated through the request started span (or it was cleared already) in %s on line %d + +# Commit unstarted span + +Warning: DDTrace\UserRequest\notify_commit(): [ddappsec] Request commit callback called, but there is no root span currently associated through the request started span (or it was cleared already) in %s on line %d + +# Double commit + +Warning: DDTrace\UserRequest\notify_commit(): [ddappsec] Request commit callback called twice for the same span in %s on line %d +array(2) { + ["span"]=> + string(%d) "span %s" + ["shutdown_done_on_commit"]=> + bool(true) +} + +Warning: %s: [ddappsec] Request finished callback called, but there is no root span currently associated through the request started span (or it was cleared already). Resetting in Unknown on line %d diff --git a/appsec/tests/integration/.gitattributes b/appsec/tests/integration/.gitattributes new file mode 100644 index 00000000000..00a51aff5e5 --- /dev/null +++ b/appsec/tests/integration/.gitattributes @@ -0,0 +1,6 @@ +# +# https://help.github.com/articles/dealing-with-line-endings/ +# +# These are explicitly windows files and should use crlf +*.bat text eol=crlf + diff --git a/appsec/tests/integration/.gitignore b/appsec/tests/integration/.gitignore new file mode 100644 index 00000000000..275b5188d0f --- /dev/null +++ b/appsec/tests/integration/.gitignore @@ -0,0 +1,8 @@ +# Ignore Gradle project-specific cache directory +/.gradle + +# Ignore Gradle build output directory +/build/ + +/.idea + diff --git a/appsec/tests/integration/build.gradle b/appsec/tests/integration/build.gradle new file mode 100644 index 00000000000..17f4804f3bf --- /dev/null +++ b/appsec/tests/integration/build.gradle @@ -0,0 +1,377 @@ +plugins { + id 'groovy' + id 'application' + id 'de.undercouch.download' version '4.0.4' +} + +repositories { + mavenCentral() +} + +dependencies { + implementation 'ch.qos.logback:logback-classic:1.4.7' + implementation 'org.slf4j:jul-to-slf4j:1.7.36' + + implementation 'org.apache.groovy:groovy:4.0.16' + implementation 'com.google.guava:guava:32.1.3-jre' + implementation 'org.msgpack:msgpack-core:0.9.6' + implementation 'io.javalin:javalin:5.4.2' + + implementation platform('org.testcontainers:testcontainers-bom:1.16.2') + implementation "org.testcontainers:junit-jupiter" + implementation 'org.junit.jupiter:junit-jupiter-engine:5.9.2' + implementation 'com.flipkart.zjsonpatch:zjsonpatch:0.4.13' +} + +test { +} +tasks['test'].enabled(false) + +ext.testMatrix = ['7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3'].collectMany { + [[it, 'release'], [it, 'release-zts']] +} +apply from: "$rootDir/gradle/images.gradle" + +def uuid = "id -u".execute().text.trim() + +def dockerPullTask(String tag) { + String taskName = "dockerPull-${tag}" + if (tasks.findByName(taskName) != null) { + return tasks[taskName] + } + + tasks.register("dockerPull-${tag}", Exec) { + String imageName = "datadog/dd-appsec-php-ci:$tag" + description = "Pull ${imageName} from Docker Hub" + + onlyIf { + Process proc = ['docker', 'image', 'inspect', imageName].execute() + proc.waitForOrKill(5_000) + proc.exitValue() != 0 + } + + commandLine 'docker', 'pull', imageName + } +} + +def creationDateOf(String image) { + Process proc = ['docker', 'image', 'inspect', '--format="{{.Created}}"', image].execute() + proc.waitForOrKill(5_000) + if (proc.exitValue() != 0) { + return 0 + } + def imageModifiedStr = proc.text.trim().replace('"', '') + Date volumeDate = Date.from(OffsetDateTime.parse(imageModifiedStr).toInstant()) + volumeDate.time +} + +def createVolumeTask = { String volumeName -> + String taskName = "createVolume-$volumeName" + if (tasks.findByName(taskName) != null) { + return tasks[taskName] + } + tasks.register(taskName, Exec) { Exec it -> + onlyIf { + Process proc = ['docker', 'volume', 'inspect', volumeName].execute() + proc.waitForOrKill(5_000) + proc.exitValue() != 0 + } + it.commandLine 'docker', 'volume', 'create', volumeName + doLast { + exec { + commandLine 'docker', 'run', '--rm', '-v', "${volumeName}:/vol", 'busybox', 'sh', '-c', + "chown -R ${uuid} /vol" + } + } + } +} + +task downloadComposerOld(type: Download) { + src 'https://getcomposer.org/download/latest-2.2.x/composer.phar' + dest 'build/composer-2.2.x.phar' + overwrite false + doLast { + exec { + commandLine 'chmod', '+x', outputFiles.first().toString() + } + } +} + +task downloadComposer(type: Download) { + src 'https://getcomposer.org/download/2.6.6/composer.phar' + dest 'build/composer-2.6.6.phar' + overwrite false + doLast { + exec { + commandLine 'chmod', '+x', outputFiles.first().toString() + } + } +} + +def buildRunInDockerTask = { Map options -> + String baseName = options.get('baseName') + def version = options.get('version') + def variant = options.get('variant') + String imageTag = "${options.get('baseTag', 'php')}-$version-$variant" + String imageName = "$ext.repo:$imageTag" + def pullTask = dockerPullTask(imageTag) + + def volumes = [:] + def binds = [ + ("${projectDir}/../../..".toString()): '/project' + ] + + if (options.get('needsTracer', true)) { + volumes["php-tracer-${version}-${variant}"] = [ + mountPoint: '/project/tmp', + ] + } + if (options.get('needsAppsec', true)) { + volumes["php-appsec-${version}-${variant}"] = [ + mountPoint: '/appsec', + ] + } + if (options.get('needsHunterCache', true)) { + volumes['php-appsec-hunter-cache'] = [ + mountPoint: '/root/.hunter', + ] + } + if (options.get('needsCargoCache', true)) { + volumes['php-tracer-cargo-cache'] = [ + mountPoint: '/root/.cargo/registry', + ] + } + + def composerDlTask + if (options.get('composer', false)) { + if (version in ['7.0', '7.1']) { + composerDlTask = tasks['downloadComposerOld'] + } else { + composerDlTask = tasks['downloadComposer'] + } + String composerFile = composerDlTask.outputFiles.first() + binds[composerFile] = '/usr/local/bin/composer' + } + + volumes.keySet().each { volumeName -> + volumes[volumeName]['task'] = createVolumeTask(volumeName) + } + + def t = tasks.register("$baseName-$version-$variant", Exec) { + if (options['description']) { + description = "${options['description']} for PHP $version $variant" + + def inputsSpec = options.get('inputs', [:]) + inputsSpec.get('dirs', []).each { + inputs.dir it + } + inputsSpec.get('files', []).each { + inputs.file it + } + + if (!options['outputs']) { + outputs.upToDateWhen { false } + } else { + String volumeName = "${options['outputs']['volume']}-${version}-${variant}" + def files = options['outputs']['files'] + outputs.upToDateWhen { + Process proc = ['docker', 'run', '--rm', '--mount', + "type=volume,src=$volumeName,dst=/vol", + 'busybox', 'sh', '-c', + "stat -c %Y ${files.collect { "'/vol/$it'" }.join(' ')} | sort -n | head -1"] + .execute() + + proc.waitForOrKill(5_000) + if (proc.exitValue() != 0) { + return false + } + def procOutput = proc.text.trim() + if (procOutput == '') { + return false + } + long outputsTime = procOutput.toLong() * 1000 + long latestInputDate = inputs.files.collect { it.lastModified() }.max() + if (latestInputDate > outputsTime) { + return false + } + + long imageTime = creationDateOf(imageName) + imageTime < outputsTime + } + } + + def commandLine = [ + 'docker', 'run', '--init', '--rm', + '--entrypoint', '/bin/bash', + '--user', uuid, + '-e', 'HOME=/tmp', + ] + binds.each { source, dest -> + commandLine.addAll(['--mount', "type=bind,src=${source},dst=${dest}"]) + } + volumes.each { volumeName, volumeSpec -> + commandLine << '--mount' + commandLine << "type=volume,src=${volumeName},dst=${volumeSpec['mountPoint']}" + dependsOn volumeSpec['task'] + } + commandLine << imageName + dependsOn pullTask + + commandLine.addAll(options['command']) + it.commandLine commandLine + + if (composerDlTask) { + dependsOn composerDlTask + } + } + } + + if (options.containsKey('outputs') && options['outputs'].containsKey('volume')) { + String taskName = "cleanVolume-${options['outputs']['volume']}-${version}-${variant}" + if (!tasks.findByName(taskName)) { + def task = tasks.register(taskName, Exec) { + description = "Clean volume ${options['outputs']['volume']} for PHP $version $variant" + commandLine 'docker', 'volume', 'rm', "${options['outputs']['volume']}-${version}-${variant}" + } + tasks['clean'].dependsOn task + } + } + + t +} + +def buildTracerTask = { String version, String variant -> + buildRunInDockerTask( + baseName: 'buildTracer', + baseTag: 'php', + version: version, + variant: variant, + needsAppsec: false, + description: 'Build tracer for PHP', + inputs: [ + dirs: ['../../../ext', '../../../zend_abstract_interface'], + ], + outputs: [ + volume: 'php-tracer', + files: ['build_extension/modules/ddtrace.so'], + ], + command: [ + '-e', '-c', + ''' + cd /project + PHPRC= make /project/tmp/build_extension/modules/ddtrace.so + ''' + ] + ) +} + +def buildAppSecTask = { String version, String variant -> + buildRunInDockerTask( + baseName: 'buildAppsec', + baseTag: 'php', + version: version, + variant: variant, + needsTracer: false, + description: 'Build appsec for PHP', + inputs: [ + dirs: [ + '../../../cmake', + '../../../zend_abstract_interface', + '../../cmake', + '../../third_party', + '../../src'], + files: ['../../CMakeLists.txt'], + ], + outputs: [ + volume: 'php-appsec', + files: ['ddappsec.so', 'ddappsec-helper'], + ], + command: [ + '-e', '-c', + ''' + git config --global --add safe.directory '*' + cd /appsec + test -f CMakeCache.txt || \\ + cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo \\ + -DCMAKE_INSTALL_PREFIX=/appsec \\ + -DDD_APPSEC_ENABLE_PATCHELF_LIBC=ON \\ + -DCMAKE_TOOLCHAIN_FILE=/build/Toolchain.cmake \\ + -DDD_APPSEC_TESTING=ON /project/appsec + make -j extension ddappsec-helper && \\ + touch ddappsec.so ddappsec-helper + ''' + ] + ) +} + +def runUnitTestsTask = { String phpVersion, String variant -> + def env = '' + if (project.hasProperty('tests')) { + env = "TESTS='${project.getProperty('tests')}' " + } + def task = buildRunInDockerTask( + baseName: 'xtest', + baseTag: 'php', + version: phpVersion, + variant: variant, + description: 'Build appsec for PHP', + command: [ + '-e', '-c', + """ + cd /appsec + ${env}make -j xtest + """ + ] + ) + + task.configure { + dependsOn "buildTracer-$phpVersion-$variant" + dependsOn "buildAppsec-$phpVersion-$variant" + } +} + +['7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2'].each { phpVersion -> + ['release', 'release-zts'].each { variant -> + buildTracerTask(phpVersion, variant) + buildAppSecTask(phpVersion, variant) + runUnitTestsTask(phpVersion, variant) + } +} + +testMatrix.each { spec -> + def phpVersion = spec[0] + def variant = spec[1] + + + def task = tasks.register("test${phpVersion}-$variant", Test) { + group = 'Verification' + description = "Run tests for PHP ${phpVersion} ${variant}" + + it.outputs.upToDateWhen { false } + + it.useJUnitPlatform { + includeEngines('junit-jupiter') + excludeEngines('junit-vintage') + } + + it.systemProperty 'PHP_VERSION', phpVersion + it.systemProperty 'VARIANT', variant + if (project.hasProperty('XDEBUG')) { + it.systemProperty 'XDEBUG', '1' + } + + dependsOn "buildTracer-${phpVersion}-${variant}" + dependsOn "buildAppsec-${phpVersion}-${variant}" + } + + tasks['check'].dependsOn task +} + +if (hasProperty('buildScan')) { + buildScan { + termsOfServiceUrl = 'https://gradle.com/terms-of-service' + termsOfServiceAgree = 'yes' + } +} + +// vim: set et sw=4 ts=4: diff --git a/appsec/tests/integration/gradle/images.gradle b/appsec/tests/integration/gradle/images.gradle new file mode 100644 index 00000000000..be1ea2ad290 --- /dev/null +++ b/appsec/tests/integration/gradle/images.gradle @@ -0,0 +1,189 @@ +ext.repo = 'datadog/dd-appsec-php-ci' +final String repo = ext.repo + +def phpVersions = [ + '7.0': '7.0.33', + '7.1': '7.1.33', + '7.2': '7.2.34', + '7.3': '7.3.33', + '7.4': '7.4.29', + '8.0': '8.0.18', + '8.1': '8.1.26', + '8.2': '8.2.13', + '8.3': '8.3.0', +] + +def imageUpToDate = { inputs, String image -> + return { + long volumeTime = creationDateOf(image) + if (volumeTime == 0) { + return false + } + long latestInputDate = inputs.files.collect { it.lastModified() }.max() + latestInputDate <= volumeTime + } +} +def imageIsNewerThan = { image1, image2 -> + creationDateOf(image1) > creationDateOf(image2) +} + +tasks.register('buildToolchain', Exec) { + description = "Build the toolchain image" + inputs.dir 'src/docker/toolchain' + outputs.upToDateWhen imageUpToDate(inputs, "$repo:toolchain") + commandLine 'docker', 'build', '-t', "$repo:toolchain", 'src/docker/toolchain' +} + +tasks.register('buildPhpDeps', Exec) { + description = "Build the PHP deps image" + inputs.file file('src/docker/php/Dockerfile-php-deps') + inputs.file file('src/docker/php/build_dev_php.sh') + outputs.upToDateWhen { + imageUpToDate(inputs, "$repo:php-deps")() && + imageIsNewerThan("$repo:php-deps", "$repo:toolchain") + } + commandLine 'docker', 'build', '-t', "$repo:php-deps", '-f', 'src/docker/php/Dockerfile-php-deps', 'src/docker/php' + + dependsOn 'buildToolchain' +} + +def buildPhp = { String version, String variant -> + tasks.register("buildPhp-$version-$variant", Exec) { + String tag = "php-${version}-${variant}" + String image = "$repo:$tag" + description = "Build the image for PHP ${version} ${variant}" + inputs.file file('src/docker/php/Dockerfile') + inputs.file file('src/docker/php/build_dev_php.sh') + inputs.file file('src/docker/php/php.ini') + inputs.dir 'src/docker/php/php_patches' + outputs.upToDateWhen { + imageUpToDate(inputs, image)() && + imageIsNewerThan(image, "$repo:php-deps") + } + commandLine 'docker', 'build', '--build-arg', "PHP_VERSION=${phpVersions[version]}", + '--build-arg', "VARIANT=$variant", '-t', "$repo:$tag", 'src/docker/php' + + dependsOn 'buildPhpDeps' + } +} + +testMatrix.each { spec -> + buildPhp(spec[0], spec[1]) +} +tasks.register('buildAllPhp') { + testMatrix.each { spec -> + dependsOn "buildPhp-${spec[0]}-${spec[1]}" + } +} + +def buildApache2ModTask = { String version, String variant -> + tasks.register("buildApache2Mod-$version-$variant", Exec) { + String tag = "apache2-mod-php-${version}-${variant}" + String image = "$repo:$tag" + description = "Build the image for Apache2 mod_php ${version} ${variant}" + inputs.dir 'src/docker/apache2-mod' + inputs.dir 'src/docker/common' + outputs.upToDateWhen { + imageUpToDate(inputs, image)() && + imageIsNewerThan(image, "$repo:php-$version-$variant") + } + commandLine 'docker', 'build', '--build-arg', "PHP_VERSION=$version", + '--build-arg', "VARIANT=$variant", '-t', "$repo:$tag", 'src/docker', + '-f', 'src/docker/apache2-mod/Dockerfile' + + dependsOn "buildPhp-${version}-${variant}" + } +} + +testMatrix.each { spec -> + buildApache2ModTask(spec[0], spec[1]) +} +tasks.register('buildAllApache2Mod') { + testMatrix.each { spec -> + dependsOn "buildApache2Mod-${spec[0]}-${spec[1]}" + } +} + +def buildApache2FpmTask = { String version, String variant -> + tasks.register("buildApache2Fpm-$version-$variant", Exec) { + String tag = "apache2-fpm-php-${version}-${variant}" + String image = "$repo:$tag" + description = "Build the image for Apache2 + fpm ${version} ${variant}" + inputs.dir 'src/docker/apache2-fpm' + inputs.dir 'src/docker/fpm-common' + inputs.dir 'src/docker/common' + outputs.upToDateWhen { + imageUpToDate(inputs, image)() && + imageIsNewerThan(image, "$repo:php-$version-$variant") + } + commandLine 'docker', 'build', '--build-arg', "PHP_VERSION=$version", + '--build-arg', "VARIANT=$variant", '-t', "$repo:$tag", 'src/docker', + '-f', 'src/docker/apache2-fpm/Dockerfile' + + dependsOn "buildPhp-${version}-${variant}" + } +} + +testMatrix.each { spec -> + buildApache2FpmTask(spec[0], spec[1]) +} + +tasks.register('buildAllApache2Fpm') { + testMatrix.each { spec -> + dependsOn "buildApache2Fpm-${spec[0]}-${spec[1]}" + } +} + +def buildNginxFpmTask = { String version, String variant -> + tasks.register("buildNginxFpm-$version-$variant", Exec) { + String tag = "nginx-fpm-php-${version}-${variant}" + String image = "$repo:$tag" + description = "Build the image for Nginx + fpm ${version} ${variant}" + inputs.dir 'src/docker/nginx-fpm' + inputs.dir 'src/docker/fpm-common' + inputs.dir 'src/docker/common' + outputs.upToDateWhen { + imageUpToDate(inputs, image)() && + imageIsNewerThan(image, "$repo:php-$version-$variant") + } + commandLine 'docker', 'build', '--build-arg', "PHP_VERSION=$version", + '--build-arg', "VARIANT=$variant", '-t', "$repo:$tag", 'src/docker', + '-f', 'src/docker/nginx-fpm/Dockerfile' + + dependsOn "buildPhp-${version}-${variant}" + } +} +testMatrix.each { spec -> + buildNginxFpmTask(spec[0], spec[1]) +} +tasks.register('buildAllNginxFpm') { + testMatrix.each { spec -> + dependsOn "buildNginxFpm-${spec[0]}-${spec[1]}" + } +} + +def buildPushTask = { String tag, requirement -> + def task = tasks.register("pushImage${tag}", Exec) { + String image = "$repo:$tag" + description = "Push image $image" + + dependsOn requirement + commandLine 'docker', 'push', image + } +} +def allPushTasks = [ + buildPushTask("toolchain", 'buildToolchain'), + buildPushTask("php-deps", 'buildPhpDeps'), + *testMatrix.collect { spec -> + buildPushTask("php-${spec[0]}-${spec[1]}", "buildPhp-${spec[0]}-${spec[1]}") + }, + *testMatrix.collect { spec -> + buildPushTask("apache2-mod-php-${spec[0]}-${spec[1]}", "buildApache2Mod-${spec[0]}-${spec[1]}") + }, + *testMatrix.collect { spec -> + buildPushTask("nginx-fpm-php-${spec[0]}-${spec[1]}", "buildNginxFpm-${spec[0]}-${spec[1]}") + }, +] +tasks.register('pushAll') { + dependsOn allPushTasks +} diff --git a/appsec/tests/integration/gradle/wrapper/gradle-wrapper.jar b/appsec/tests/integration/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..7454180f2ae8848c63b8b4dea2cb829da983f2fa GIT binary patch literal 59536 zcma&NbC71ylI~qywr$(CZQJHswz}-9F59+k+g;UV+cs{`J?GrGXYR~=-ydruB3JCa zB64N^cILAcWk5iofq)<(fq;O7{th4@;QxID0)qN`mJ?GIqLY#rX8-|G{5M0pdVW5^ zzXk$-2kQTAC?_N@B`&6-N-rmVFE=$QD?>*=4<|!MJu@}isLc4AW#{m2if&A5T5g&~ ziuMQeS*U5sL6J698wOd)K@oK@1{peP5&Esut<#VH^u)gp`9H4)`uE!2$>RTctN+^u z=ASkePDZA-X8)rp%D;p*~P?*a_=*Kwc<^>QSH|^<0>o37lt^+Mj1;4YvJ(JR-Y+?%Nu}JAYj5 z_Qc5%Ao#F?q32i?ZaN2OSNhWL;2oDEw_({7ZbgUjna!Fqn3NzLM@-EWFPZVmc>(fZ z0&bF-Ch#p9C{YJT9Rcr3+Y_uR^At1^BxZ#eo>$PLJF3=;t_$2|t+_6gg5(j{TmjYU zK12c&lE?Eh+2u2&6Gf*IdKS&6?rYbSEKBN!rv{YCm|Rt=UlPcW9j`0o6{66#y5t9C zruFA2iKd=H%jHf%ypOkxLnO8#H}#Zt{8p!oi6)7#NqoF({t6|J^?1e*oxqng9Q2Cc zg%5Vu!em)}Yuj?kaP!D?b?(C*w!1;>R=j90+RTkyEXz+9CufZ$C^umX^+4|JYaO<5 zmIM3#dv`DGM;@F6;(t!WngZSYzHx?9&$xEF70D1BvfVj<%+b#)vz)2iLCrTeYzUcL z(OBnNoG6Le%M+@2oo)&jdOg=iCszzv59e zDRCeaX8l1hC=8LbBt|k5?CXgep=3r9BXx1uR8!p%Z|0+4Xro=xi0G!e{c4U~1j6!) zH6adq0}#l{%*1U(Cb%4AJ}VLWKBPi0MoKFaQH6x?^hQ!6em@993xdtS%_dmevzeNl z(o?YlOI=jl(`L9^ z0O+H9k$_@`6L13eTT8ci-V0ljDMD|0ifUw|Q-Hep$xYj0hTO@0%IS^TD4b4n6EKDG z??uM;MEx`s98KYN(K0>c!C3HZdZ{+_53DO%9k5W%pr6yJusQAv_;IA}925Y%;+!tY z%2k!YQmLLOr{rF~!s<3-WEUs)`ix_mSU|cNRBIWxOox_Yb7Z=~Q45ZNe*u|m^|)d* zog=i>`=bTe!|;8F+#H>EjIMcgWcG2ORD`w0WD;YZAy5#s{65~qfI6o$+Ty&-hyMyJ z3Ra~t>R!p=5ZpxA;QkDAoPi4sYOP6>LT+}{xp}tk+<0k^CKCFdNYG(Es>p0gqD)jP zWOeX5G;9(m@?GOG7g;e74i_|SmE?`B2i;sLYwRWKLy0RLW!Hx`=!LH3&k=FuCsM=9M4|GqzA)anEHfxkB z?2iK-u(DC_T1};KaUT@3nP~LEcENT^UgPvp!QC@Dw&PVAhaEYrPey{nkcn(ro|r7XUz z%#(=$7D8uP_uU-oPHhd>>^adbCSQetgSG`e$U|7mr!`|bU0aHl_cmL)na-5x1#OsVE#m*+k84Y^+UMeSAa zbrVZHU=mFwXEaGHtXQq`2ZtjfS!B2H{5A<3(nb-6ARVV8kEmOkx6D2x7~-6hl;*-*}2Xz;J#a8Wn;_B5=m zl3dY;%krf?i-Ok^Pal-}4F`{F@TYPTwTEhxpZK5WCpfD^UmM_iYPe}wpE!Djai6_{ z*pGO=WB47#Xjb7!n2Ma)s^yeR*1rTxp`Mt4sfA+`HwZf%!7ZqGosPkw69`Ix5Ku6G z@Pa;pjzV&dn{M=QDx89t?p?d9gna*}jBly*#1!6}5K<*xDPJ{wv4& zM$17DFd~L*Te3A%yD;Dp9UGWTjRxAvMu!j^Tbc}2v~q^59d4bz zvu#!IJCy(BcWTc`;v$9tH;J%oiSJ_i7s;2`JXZF+qd4C)vY!hyCtl)sJIC{ebI*0> z@x>;EzyBv>AI-~{D6l6{ST=em*U( z(r$nuXY-#CCi^8Z2#v#UXOt`dbYN1z5jzNF2 z411?w)whZrfA20;nl&C1Gi+gk<`JSm+{|*2o<< zqM#@z_D`Cn|0H^9$|Tah)0M_X4c37|KQ*PmoT@%xHc3L1ZY6(p(sNXHa&49Frzto& zR`c~ClHpE~4Z=uKa5S(-?M8EJ$zt0&fJk~p$M#fGN1-y$7!37hld`Uw>Urri(DxLa;=#rK0g4J)pXMC zxzraOVw1+kNWpi#P=6(qxf`zSdUC?D$i`8ZI@F>k6k zz21?d+dw7b&i*>Kv5L(LH-?J%@WnqT7j#qZ9B>|Zl+=> z^U-pV@1y_ptHo4hl^cPRWewbLQ#g6XYQ@EkiP z;(=SU!yhjHp%1&MsU`FV1Z_#K1&(|5n(7IHbx&gG28HNT)*~-BQi372@|->2Aw5It z0CBpUcMA*QvsPy)#lr!lIdCi@1k4V2m!NH)%Px(vu-r(Q)HYc!p zJ^$|)j^E#q#QOgcb^pd74^JUi7fUmMiNP_o*lvx*q%_odv49Dsv$NV;6J z9GOXKomA{2Pb{w}&+yHtH?IkJJu~}Z?{Uk++2mB8zyvh*xhHKE``99>y#TdD z&(MH^^JHf;g(Tbb^&8P*;_i*2&fS$7${3WJtV7K&&(MBV2~)2KB3%cWg#1!VE~k#C z!;A;?p$s{ihyojEZz+$I1)L}&G~ml=udD9qh>Tu(ylv)?YcJT3ihapi!zgPtWb*CP zlLLJSRCj-^w?@;RU9aL2zDZY1`I3d<&OMuW=c3$o0#STpv_p3b9Wtbql>w^bBi~u4 z3D8KyF?YE?=HcKk!xcp@Cigvzy=lnFgc^9c%(^F22BWYNAYRSho@~*~S)4%AhEttv zvq>7X!!EWKG?mOd9&n>vvH1p4VzE?HCuxT-u+F&mnsfDI^}*-d00-KAauEaXqg3k@ zy#)MGX!X;&3&0s}F3q40ZmVM$(H3CLfpdL?hB6nVqMxX)q=1b}o_PG%r~hZ4gUfSp zOH4qlEOW4OMUc)_m)fMR_rl^pCfXc{$fQbI*E&mV77}kRF z&{<06AJyJ!e863o-V>FA1a9Eemx6>^F$~9ppt()ZbPGfg_NdRXBWoZnDy2;#ODgf! zgl?iOcF7Meo|{AF>KDwTgYrJLb$L2%%BEtO>T$C?|9bAB&}s;gI?lY#^tttY&hfr# zKhC+&b-rpg_?~uVK%S@mQleU#_xCsvIPK*<`E0fHE1&!J7!xD#IB|SSPW6-PyuqGn3^M^Rz%WT{e?OI^svARX&SAdU77V(C~ zM$H{Kg59op{<|8ry9ecfP%=kFm(-!W&?U0@<%z*+!*<e0XesMxRFu9QnGqun6R_%T+B%&9Dtk?*d$Q zb~>84jEAPi@&F@3wAa^Lzc(AJz5gsfZ7J53;@D<;Klpl?sK&u@gie`~vTsbOE~Cd4 z%kr56mI|#b(Jk&;p6plVwmNB0H@0SmgdmjIn5Ne@)}7Vty(yb2t3ev@22AE^s!KaN zyQ>j+F3w=wnx7w@FVCRe+`vUH)3gW%_72fxzqX!S&!dchdkRiHbXW1FMrIIBwjsai8`CB2r4mAbwp%rrO>3B$Zw;9=%fXI9B{d(UzVap7u z6piC-FQ)>}VOEuPpuqznpY`hN4dGa_1Xz9rVg(;H$5Te^F0dDv*gz9JS<|>>U0J^# z6)(4ICh+N_Q`Ft0hF|3fSHs*?a=XC;e`sJaU9&d>X4l?1W=|fr!5ShD|nv$GK;j46@BV6+{oRbWfqOBRb!ir88XD*SbC(LF}I1h#6@dvK%Toe%@ zhDyG$93H8Eu&gCYddP58iF3oQH*zLbNI;rN@E{T9%A8!=v#JLxKyUe}e}BJpB{~uN zqgxRgo0*-@-iaHPV8bTOH(rS(huwK1Xg0u+e!`(Irzu@Bld&s5&bWgVc@m7;JgELd zimVs`>vQ}B_1(2#rv#N9O`fJpVfPc7V2nv34PC);Dzbb;p!6pqHzvy?2pD&1NE)?A zt(t-ucqy@wn9`^MN5apa7K|L=9>ISC>xoc#>{@e}m#YAAa1*8-RUMKwbm|;5p>T`Z zNf*ph@tnF{gmDa3uwwN(g=`Rh)4!&)^oOy@VJaK4lMT&5#YbXkl`q?<*XtsqD z9PRK6bqb)fJw0g-^a@nu`^?71k|m3RPRjt;pIkCo1{*pdqbVs-Yl>4E>3fZx3Sv44grW=*qdSoiZ9?X0wWyO4`yDHh2E!9I!ZFi zVL8|VtW38}BOJHW(Ax#KL_KQzarbuE{(%TA)AY)@tY4%A%P%SqIU~8~-Lp3qY;U-} z`h_Gel7;K1h}7$_5ZZT0&%$Lxxr-<89V&&TCsu}LL#!xpQ1O31jaa{U34~^le*Y%L za?7$>Jk^k^pS^_M&cDs}NgXlR>16AHkSK-4TRaJSh#h&p!-!vQY%f+bmn6x`4fwTp z$727L^y`~!exvmE^W&#@uY!NxJi`g!i#(++!)?iJ(1)2Wk;RN zFK&O4eTkP$Xn~4bB|q8y(btx$R#D`O@epi4ofcETrx!IM(kWNEe42Qh(8*KqfP(c0 zouBl6>Fc_zM+V;F3znbo{x#%!?mH3`_ANJ?y7ppxS@glg#S9^MXu|FM&ynpz3o&Qh z2ujAHLF3($pH}0jXQsa#?t--TnF1P73b?4`KeJ9^qK-USHE)4!IYgMn-7z|=ALF5SNGkrtPG@Y~niUQV2?g$vzJN3nZ{7;HZHzWAeQ;5P|@Tl3YHpyznGG4-f4=XflwSJY+58-+wf?~Fg@1p1wkzuu-RF3j2JX37SQUc? zQ4v%`V8z9ZVZVqS8h|@@RpD?n0W<=hk=3Cf8R?d^9YK&e9ZybFY%jdnA)PeHvtBe- zhMLD+SSteHBq*q)d6x{)s1UrsO!byyLS$58WK;sqip$Mk{l)Y(_6hEIBsIjCr5t>( z7CdKUrJTrW%qZ#1z^n*Lb8#VdfzPw~OIL76aC+Rhr<~;4Tl!sw?Rj6hXj4XWa#6Tp z@)kJ~qOV)^Rh*-?aG>ic2*NlC2M7&LUzc9RT6WM%Cpe78`iAowe!>(T0jo&ivn8-7 zs{Qa@cGy$rE-3AY0V(l8wjI^uB8Lchj@?L}fYal^>T9z;8juH@?rG&g-t+R2dVDBe zq!K%{e-rT5jX19`(bP23LUN4+_zh2KD~EAYzhpEO3MUG8@}uBHH@4J zd`>_(K4q&>*k82(dDuC)X6JuPrBBubOg7qZ{?x!r@{%0);*`h*^F|%o?&1wX?Wr4b z1~&cy#PUuES{C#xJ84!z<1tp9sfrR(i%Tu^jnXy;4`Xk;AQCdFC@?V%|; zySdC7qS|uQRcH}EFZH%mMB~7gi}a0utE}ZE_}8PQH8f;H%PN41Cb9R%w5Oi5el^fd z$n{3SqLCnrF##x?4sa^r!O$7NX!}&}V;0ZGQ&K&i%6$3C_dR%I7%gdQ;KT6YZiQrW zk%q<74oVBV>@}CvJ4Wj!d^?#Zwq(b$E1ze4$99DuNg?6t9H}k_|D7KWD7i0-g*EO7 z;5{hSIYE4DMOK3H%|f5Edx+S0VI0Yw!tsaRS2&Il2)ea^8R5TG72BrJue|f_{2UHa z@w;^c|K3da#$TB0P3;MPlF7RuQeXT$ zS<<|C0OF(k)>fr&wOB=gP8!Qm>F41u;3esv7_0l%QHt(~+n; zf!G6%hp;Gfa9L9=AceiZs~tK+Tf*Wof=4!u{nIO90jH@iS0l+#%8=~%ASzFv7zqSB^?!@N7)kp0t&tCGLmzXSRMRyxCmCYUD2!B`? zhs$4%KO~m=VFk3Buv9osha{v+mAEq=ik3RdK@;WWTV_g&-$U4IM{1IhGX{pAu%Z&H zFfwCpUsX%RKg);B@7OUzZ{Hn{q6Vv!3#8fAg!P$IEx<0vAx;GU%}0{VIsmFBPq_mb zpe^BChDK>sc-WLKl<6 zwbW|e&d&dv9Wu0goueyu>(JyPx1mz0v4E?cJjFuKF71Q1)AL8jHO$!fYT3(;U3Re* zPPOe%*O+@JYt1bW`!W_1!mN&=w3G9ru1XsmwfS~BJ))PhD(+_J_^N6j)sx5VwbWK| zwRyC?W<`pOCY)b#AS?rluxuuGf-AJ=D!M36l{ua?@SJ5>e!IBr3CXIxWw5xUZ@Xrw z_R@%?{>d%Ld4p}nEsiA@v*nc6Ah!MUs?GA7e5Q5lPpp0@`%5xY$C;{%rz24$;vR#* zBP=a{)K#CwIY%p} zXVdxTQ^HS@O&~eIftU+Qt^~(DGxrdi3k}DdT^I7Iy5SMOp$QuD8s;+93YQ!OY{eB24%xY7ml@|M7I(Nb@K_-?F;2?et|CKkuZK_>+>Lvg!>JE~wN`BI|_h6$qi!P)+K-1Hh(1;a`os z55)4Q{oJiA(lQM#;w#Ta%T0jDNXIPM_bgESMCDEg6rM33anEr}=|Fn6)|jBP6Y}u{ zv9@%7*#RI9;fv;Yii5CI+KrRdr0DKh=L>)eO4q$1zmcSmglsV`*N(x=&Wx`*v!!hn6X-l0 zP_m;X??O(skcj+oS$cIdKhfT%ABAzz3w^la-Ucw?yBPEC+=Pe_vU8nd-HV5YX6X8r zZih&j^eLU=%*;VzhUyoLF;#8QsEfmByk+Y~caBqSvQaaWf2a{JKB9B>V&r?l^rXaC z8)6AdR@Qy_BxQrE2Fk?ewD!SwLuMj@&d_n5RZFf7=>O>hzVE*seW3U?_p|R^CfoY`?|#x9)-*yjv#lo&zP=uI`M?J zbzC<^3x7GfXA4{FZ72{PE*-mNHyy59Q;kYG@BB~NhTd6pm2Oj=_ zizmD?MKVRkT^KmXuhsk?eRQllPo2Ubk=uCKiZ&u3Xjj~<(!M94c)Tez@9M1Gfs5JV z->@II)CDJOXTtPrQudNjE}Eltbjq>6KiwAwqvAKd^|g!exgLG3;wP+#mZYr`cy3#39e653d=jrR-ulW|h#ddHu(m9mFoW~2yE zz5?dB%6vF}+`-&-W8vy^OCxm3_{02royjvmwjlp+eQDzFVEUiyO#gLv%QdDSI#3W* z?3!lL8clTaNo-DVJw@ynq?q!%6hTQi35&^>P85G$TqNt78%9_sSJt2RThO|JzM$iL zg|wjxdMC2|Icc5rX*qPL(coL!u>-xxz-rFiC!6hD1IR%|HSRsV3>Kq~&vJ=s3M5y8SG%YBQ|{^l#LGlg!D?E>2yR*eV%9m$_J6VGQ~AIh&P$_aFbh zULr0Z$QE!QpkP=aAeR4ny<#3Fwyw@rZf4?Ewq`;mCVv}xaz+3ni+}a=k~P+yaWt^L z@w67!DqVf7D%7XtXX5xBW;Co|HvQ8WR1k?r2cZD%U;2$bsM%u8{JUJ5Z0k= zZJARv^vFkmWx15CB=rb=D4${+#DVqy5$C%bf`!T0+epLJLnh1jwCdb*zuCL}eEFvE z{rO1%gxg>1!W(I!owu*mJZ0@6FM(?C+d*CeceZRW_4id*D9p5nzMY&{mWqrJomjIZ z97ZNnZ3_%Hx8dn;H>p8m7F#^2;T%yZ3H;a&N7tm=Lvs&lgJLW{V1@h&6Vy~!+Ffbb zv(n3+v)_D$}dqd!2>Y2B)#<+o}LH#%ogGi2-?xRIH)1!SD)u-L65B&bsJTC=LiaF+YOCif2dUX6uAA|#+vNR z>U+KQekVGon)Yi<93(d!(yw1h3&X0N(PxN2{%vn}cnV?rYw z$N^}_o!XUB!mckL`yO1rnUaI4wrOeQ(+&k?2mi47hzxSD`N#-byqd1IhEoh!PGq>t z_MRy{5B0eKY>;Ao3z$RUU7U+i?iX^&r739F)itdrTpAi-NN0=?^m%?{A9Ly2pVv>Lqs6moTP?T2-AHqFD-o_ znVr|7OAS#AEH}h8SRPQ@NGG47dO}l=t07__+iK8nHw^(AHx&Wb<%jPc$$jl6_p(b$ z)!pi(0fQodCHfM)KMEMUR&UID>}m^(!{C^U7sBDOA)$VThRCI0_+2=( zV8mMq0R(#z;C|7$m>$>`tX+T|xGt(+Y48@ZYu#z;0pCgYgmMVbFb!$?%yhZqP_nhn zy4<#3P1oQ#2b51NU1mGnHP$cf0j-YOgAA}A$QoL6JVLcmExs(kU{4z;PBHJD%_=0F z>+sQV`mzijSIT7xn%PiDKHOujX;n|M&qr1T@rOxTdxtZ!&u&3HHFLYD5$RLQ=heur zb>+AFokUVQeJy-#LP*^)spt{mb@Mqe=A~-4p0b+Bt|pZ+@CY+%x}9f}izU5;4&QFE zO1bhg&A4uC1)Zb67kuowWY4xbo&J=%yoXlFB)&$d*-}kjBu|w!^zbD1YPc0-#XTJr z)pm2RDy%J3jlqSMq|o%xGS$bPwn4AqitC6&e?pqWcjWPt{3I{>CBy;hg0Umh#c;hU3RhCUX=8aR>rmd` z7Orw(5tcM{|-^J?ZAA9KP|)X6n9$-kvr#j5YDecTM6n z&07(nD^qb8hpF0B^z^pQ*%5ePYkv&FabrlI61ntiVp!!C8y^}|<2xgAd#FY=8b*y( zuQOuvy2`Ii^`VBNJB&R!0{hABYX55ooCAJSSevl4RPqEGb)iy_0H}v@vFwFzD%>#I>)3PsouQ+_Kkbqy*kKdHdfkN7NBcq%V{x^fSxgXpg7$bF& zj!6AQbDY(1u#1_A#1UO9AxiZaCVN2F0wGXdY*g@x$ByvUA?ePdide0dmr#}udE%K| z3*k}Vv2Ew2u1FXBaVA6aerI36R&rzEZeDDCl5!t0J=ug6kuNZzH>3i_VN`%BsaVB3 zQYw|Xub_SGf{)F{$ZX5`Jc!X!;eybjP+o$I{Z^Hsj@D=E{MnnL+TbC@HEU2DjG{3-LDGIbq()U87x4eS;JXnSh;lRlJ z>EL3D>wHt-+wTjQF$fGyDO$>d+(fq@bPpLBS~xA~R=3JPbS{tzN(u~m#Po!?H;IYv zE;?8%^vle|%#oux(Lj!YzBKv+Fd}*Ur-dCBoX*t{KeNM*n~ZPYJ4NNKkI^MFbz9!v z4(Bvm*Kc!-$%VFEewYJKz-CQN{`2}KX4*CeJEs+Q(!kI%hN1!1P6iOq?ovz}X0IOi z)YfWpwW@pK08^69#wSyCZkX9?uZD?C^@rw^Y?gLS_xmFKkooyx$*^5#cPqntNTtSG zlP>XLMj2!VF^0k#ole7`-c~*~+_T5ls?x4)ah(j8vo_ zwb%S8qoaZqY0-$ZI+ViIA_1~~rAH7K_+yFS{0rT@eQtTAdz#8E5VpwnW!zJ_^{Utv zlW5Iar3V5t&H4D6A=>?mq;G92;1cg9a2sf;gY9pJDVKn$DYdQlvfXq}zz8#LyPGq@ z+`YUMD;^-6w&r-82JL7mA8&M~Pj@aK!m{0+^v<|t%APYf7`}jGEhdYLqsHW-Le9TL z_hZZ1gbrz7$f9^fAzVIP30^KIz!!#+DRLL+qMszvI_BpOSmjtl$hh;&UeM{ER@INV zcI}VbiVTPoN|iSna@=7XkP&-4#06C};8ajbxJ4Gcq8(vWv4*&X8bM^T$mBk75Q92j z1v&%a;OSKc8EIrodmIiw$lOES2hzGDcjjB`kEDfJe{r}yE6`eZL zEB`9u>Cl0IsQ+t}`-cx}{6jqcANucqIB>Qmga_&<+80E2Q|VHHQ$YlAt{6`Qu`HA3 z03s0-sSlwbvgi&_R8s={6<~M^pGvBNjKOa>tWenzS8s zR>L7R5aZ=mSU{f?ib4Grx$AeFvtO5N|D>9#)ChH#Fny2maHWHOf2G=#<9Myot#+4u zWVa6d^Vseq_0=#AYS(-m$Lp;*8nC_6jXIjEM`omUmtH@QDs3|G)i4j*#_?#UYVZvJ z?YjT-?!4Q{BNun;dKBWLEw2C-VeAz`%?A>p;)PL}TAZn5j~HK>v1W&anteARlE+~+ zj>c(F;?qO3pXBb|#OZdQnm<4xWmn~;DR5SDMxt0UK_F^&eD|KZ=O;tO3vy4@4h^;2 zUL~-z`-P1aOe?|ZC1BgVsL)2^J-&vIFI%q@40w0{jjEfeVl)i9(~bt2z#2Vm)p`V_ z1;6$Ae7=YXk#=Qkd24Y23t&GvRxaOoad~NbJ+6pxqzJ>FY#Td7@`N5xp!n(c!=RE& z&<<@^a$_Ys8jqz4|5Nk#FY$~|FPC0`*a5HH!|Gssa9=~66&xG9)|=pOOJ2KE5|YrR zw!w6K2aC=J$t?L-;}5hn6mHd%hC;p8P|Dgh6D>hGnXPgi;6r+eA=?f72y9(Cf_ho{ zH6#)uD&R=73^$$NE;5piWX2bzR67fQ)`b=85o0eOLGI4c-Tb@-KNi2pz=Ke@SDcPn za$AxXib84`!Sf;Z3B@TSo`Dz7GM5Kf(@PR>Ghzi=BBxK8wRp>YQoXm+iL>H*Jo9M3 z6w&E?BC8AFTFT&Tv8zf+m9<&S&%dIaZ)Aoqkak_$r-2{$d~0g2oLETx9Y`eOAf14QXEQw3tJne;fdzl@wV#TFXSLXM2428F-Q}t+n2g%vPRMUzYPvzQ9f# zu(liiJem9P*?0%V@RwA7F53r~|I!Ty)<*AsMX3J{_4&}{6pT%Tpw>)^|DJ)>gpS~1rNEh z0$D?uO8mG?H;2BwM5a*26^7YO$XjUm40XmBsb63MoR;bJh63J;OngS5sSI+o2HA;W zdZV#8pDpC9Oez&L8loZO)MClRz!_!WD&QRtQxnazhT%Vj6Wl4G11nUk8*vSeVab@N#oJ}`KyJv+8Mo@T1-pqZ1t|?cnaVOd;1(h9 z!$DrN=jcGsVYE-0-n?oCJ^4x)F}E;UaD-LZUIzcD?W^ficqJWM%QLy6QikrM1aKZC zi{?;oKwq^Vsr|&`i{jIphA8S6G4)$KGvpULjH%9u(Dq247;R#l&I0{IhcC|oBF*Al zvLo7Xte=C{aIt*otJD}BUq)|_pdR>{zBMT< z(^1RpZv*l*m*OV^8>9&asGBo8h*_4q*)-eCv*|Pq=XNGrZE)^(SF7^{QE_~4VDB(o zVcPA_!G+2CAtLbl+`=Q~9iW`4ZRLku!uB?;tWqVjB0lEOf}2RD7dJ=BExy=<9wkb- z9&7{XFA%n#JsHYN8t5d~=T~5DcW4$B%3M+nNvC2`0!#@sckqlzo5;hhGi(D9=*A4` z5ynobawSPRtWn&CDLEs3Xf`(8^zDP=NdF~F^s&={l7(aw&EG}KWpMjtmz7j_VLO;@ zM2NVLDxZ@GIv7*gzl1 zjq78tv*8#WSY`}Su0&C;2F$Ze(q>F(@Wm^Gw!)(j;dk9Ad{STaxn)IV9FZhm*n+U} zi;4y*3v%A`_c7a__DJ8D1b@dl0Std3F||4Wtvi)fCcBRh!X9$1x!_VzUh>*S5s!oq z;qd{J_r79EL2wIeiGAqFstWtkfIJpjVh%zFo*=55B9Zq~y0=^iqHWfQl@O!Ak;(o*m!pZqe9 z%U2oDOhR)BvW8&F70L;2TpkzIutIvNQaTjjs5V#8mV4!NQ}zN=i`i@WI1z0eN-iCS z;vL-Wxc^Vc_qK<5RPh(}*8dLT{~GzE{w2o$2kMFaEl&q zP{V=>&3kW7tWaK-Exy{~`v4J0U#OZBk{a9{&)&QG18L@6=bsZ1zC_d{{pKZ-Ey>I> z;8H0t4bwyQqgu4hmO`3|4K{R*5>qnQ&gOfdy?z`XD%e5+pTDzUt3`k^u~SaL&XMe= z9*h#kT(*Q9jO#w2Hd|Mr-%DV8i_1{J1MU~XJ3!WUplhXDYBpJH><0OU`**nIvPIof z|N8@I=wA)sf45SAvx||f?Z5uB$kz1qL3Ky_{%RPdP5iN-D2!p5scq}buuC00C@jom zhfGKm3|f?Z0iQ|K$Z~!`8{nmAS1r+fp6r#YDOS8V*;K&Gs7Lc&f^$RC66O|)28oh`NHy&vq zJh+hAw8+ybTB0@VhWN^0iiTnLsCWbS_y`^gs!LX!Lw{yE``!UVzrV24tP8o;I6-65 z1MUiHw^{bB15tmrVT*7-#sj6cs~z`wk52YQJ*TG{SE;KTm#Hf#a~|<(|ImHH17nNM z`Ub{+J3dMD!)mzC8b(2tZtokKW5pAwHa?NFiso~# z1*iaNh4lQ4TS)|@G)H4dZV@l*Vd;Rw;-;odDhW2&lJ%m@jz+Panv7LQm~2Js6rOW3 z0_&2cW^b^MYW3)@o;neZ<{B4c#m48dAl$GCc=$>ErDe|?y@z`$uq3xd(%aAsX)D%l z>y*SQ%My`yDP*zof|3@_w#cjaW_YW4BdA;#Glg1RQcJGY*CJ9`H{@|D+*e~*457kd z73p<%fB^PV!Ybw@)Dr%(ZJbX}xmCStCYv#K3O32ej{$9IzM^I{6FJ8!(=azt7RWf4 z7ib0UOPqN40X!wOnFOoddd8`!_IN~9O)#HRTyjfc#&MCZ zZAMzOVB=;qwt8gV?{Y2?b=iSZG~RF~uyx18K)IDFLl})G1v@$(s{O4@RJ%OTJyF+Cpcx4jmy|F3euCnMK!P2WTDu5j z{{gD$=M*pH!GGzL%P)V2*ROm>!$Y=z|D`!_yY6e7SU$~a5q8?hZGgaYqaiLnkK%?0 zs#oI%;zOxF@g*@(V4p!$7dS1rOr6GVs6uYCTt2h)eB4?(&w8{#o)s#%gN@BBosRUe z)@P@8_Zm89pr~)b>e{tbPC~&_MR--iB{=)y;INU5#)@Gix-YpgP<-c2Ms{9zuCX|3 z!p(?VaXww&(w&uBHzoT%!A2=3HAP>SDxcljrego7rY|%hxy3XlODWffO_%g|l+7Y_ zqV(xbu)s4lV=l7M;f>vJl{`6qBm>#ZeMA}kXb97Z)?R97EkoI?x6Lp0yu1Z>PS?2{ z0QQ(8D)|lc9CO3B~e(pQM&5(1y&y=e>C^X$`)_&XuaI!IgDTVqt31wX#n+@!a_A0ZQkA zCJ2@M_4Gb5MfCrm5UPggeyh)8 zO9?`B0J#rkoCx(R0I!ko_2?iO@|oRf1;3r+i)w-2&j?=;NVIdPFsB)`|IC0zk6r9c zRrkfxWsiJ(#8QndNJj@{@WP2Ackr|r1VxV{7S&rSU(^)-M8gV>@UzOLXu9K<{6e{T zXJ6b92r$!|lwjhmgqkdswY&}c)KW4A)-ac%sU;2^fvq7gfUW4Bw$b!i@duy1CAxSn z(pyh$^Z=&O-q<{bZUP+$U}=*#M9uVc>CQVgDs4swy5&8RAHZ~$)hrTF4W zPsSa~qYv_0mJnF89RnnJTH`3}w4?~epFl=D(35$ zWa07ON$`OMBOHgCmfO(9RFc<)?$x)N}Jd2A(<*Ll7+4jrRt9w zwGxExUXd9VB#I|DwfxvJ;HZ8Q{37^wDhaZ%O!oO(HpcqfLH%#a#!~;Jl7F5>EX_=8 z{()l2NqPz>La3qJR;_v+wlK>GsHl;uRA8%j`A|yH@k5r%55S9{*Cp%uw6t`qc1!*T za2OeqtQj7sAp#Q~=5Fs&aCR9v>5V+s&RdNvo&H~6FJOjvaj--2sYYBvMq;55%z8^o z|BJDA4vzfow#DO#ZQHh;Oq_{r+qP{R9ox2TOgwQiv7Ow!zjN+A@BN;0tA2lUb#+zO z(^b89eV)D7UVE+h{mcNc6&GtpOqDn_?VAQ)Vob$hlFwW%xh>D#wml{t&Ofmm_d_+; zKDxzdr}`n2Rw`DtyIjrG)eD0vut$}dJAZ0AohZ+ZQdWXn_Z@dI_y=7t3q8x#pDI-K z2VVc&EGq445Rq-j0=U=Zx`oBaBjsefY;%)Co>J3v4l8V(T8H?49_@;K6q#r~Wwppc z4XW0(4k}cP=5ex>-Xt3oATZ~bBWKv)aw|I|Lx=9C1s~&b77idz({&q3T(Y(KbWO?+ zmcZ6?WeUsGk6>km*~234YC+2e6Zxdl~<_g2J|IE`GH%n<%PRv-50; zH{tnVts*S5*_RxFT9eM0z-pksIb^drUq4>QSww=u;UFCv2AhOuXE*V4z?MM`|ABOC4P;OfhS(M{1|c%QZ=!%rQTDFx`+}?Kdx$&FU?Y<$x;j7z=(;Lyz+?EE>ov!8vvMtSzG!nMie zsBa9t8as#2nH}n8xzN%W%U$#MHNXmDUVr@GX{?(=yI=4vks|V)!-W5jHsU|h_&+kY zS_8^kd3jlYqOoiI`ZqBVY!(UfnAGny!FowZWY_@YR0z!nG7m{{)4OS$q&YDyw6vC$ zm4!$h>*|!2LbMbxS+VM6&DIrL*X4DeMO!@#EzMVfr)e4Tagn~AQHIU8?e61TuhcKD zr!F4(kEebk(Wdk-?4oXM(rJwanS>Jc%<>R(siF+>+5*CqJLecP_we33iTFTXr6W^G z7M?LPC-qFHK;E!fxCP)`8rkxZyFk{EV;G-|kwf4b$c1k0atD?85+|4V%YATWMG|?K zLyLrws36p%Qz6{}>7b>)$pe>mR+=IWuGrX{3ZPZXF3plvuv5Huax86}KX*lbPVr}L z{C#lDjdDeHr~?l|)Vp_}T|%$qF&q#U;ClHEPVuS+Jg~NjC1RP=17=aQKGOcJ6B3mp z8?4*-fAD~}sX*=E6!}^u8)+m2j<&FSW%pYr_d|p_{28DZ#Cz0@NF=gC-o$MY?8Ca8 zr5Y8DSR^*urS~rhpX^05r30Ik#2>*dIOGxRm0#0YX@YQ%Mg5b6dXlS!4{7O_kdaW8PFSdj1=ryI-=5$fiieGK{LZ+SX(1b=MNL!q#lN zv98?fqqTUH8r8C7v(cx#BQ5P9W>- zmW93;eH6T`vuJ~rqtIBg%A6>q>gnWb3X!r0wh_q;211+Om&?nvYzL1hhtjB zK_7G3!n7PL>d!kj){HQE zE8(%J%dWLh1_k%gVXTZt zEdT09XSKAx27Ncaq|(vzL3gm83q>6CAw<$fTnMU05*xAe&rDfCiu`u^1)CD<>sx0i z*hr^N_TeN89G(nunZoLBf^81#pmM}>JgD@Nn1l*lN#a=B=9pN%tmvYFjFIoKe_(GF z-26x{(KXdfsQL7Uv6UtDuYwV`;8V3w>oT_I<`Ccz3QqK9tYT5ZQzbop{=I=!pMOCb zCU68`n?^DT%^&m>A%+-~#lvF!7`L7a{z<3JqIlk1$<||_J}vW1U9Y&eX<}l8##6i( zZcTT@2`9(Mecptm@{3A_Y(X`w9K0EwtPq~O!16bq{7c0f7#(3wn-^)h zxV&M~iiF!{-6A@>o;$RzQ5A50kxXYj!tcgme=Qjrbje~;5X2xryU;vH|6bE(8z^<7 zQ>BG7_c*JG8~K7Oe68i#0~C$v?-t@~@r3t2inUnLT(c=URpA9kA8uq9PKU(Ps(LVH zqgcqW>Gm?6oV#AldDPKVRcEyQIdTT`Qa1j~vS{<;SwyTdr&3*t?J)y=M7q*CzucZ&B0M=joT zBbj@*SY;o2^_h*>R0e({!QHF0=)0hOj^B^d*m>SnRrwq>MolNSgl^~r8GR#mDWGYEIJA8B<|{{j?-7p zVnV$zancW3&JVDtVpIlI|5djKq0(w$KxEFzEiiL=h5Jw~4Le23@s(mYyXWL9SX6Ot zmb)sZaly_P%BeX_9 zw&{yBef8tFm+%=--m*J|o~+Xg3N+$IH)t)=fqD+|fEk4AAZ&!wcN5=mi~Vvo^i`}> z#_3ahR}Ju)(Px7kev#JGcSwPXJ2id9%Qd2A#Uc@t8~egZ8;iC{e! z%=CGJOD1}j!HW_sgbi_8suYnn4#Ou}%9u)dXd3huFIb!ytlX>Denx@pCS-Nj$`VO&j@(z!kKSP0hE4;YIP#w9ta=3DO$7f*x zc9M4&NK%IrVmZAe=r@skWD`AEWH=g+r|*13Ss$+{c_R!b?>?UaGXlw*8qDmY#xlR= z<0XFbs2t?8i^G~m?b|!Hal^ZjRjt<@a? z%({Gn14b4-a|#uY^=@iiKH+k?~~wTj5K1A&hU z2^9-HTC)7zpoWK|$JXaBL6C z#qSNYtY>65T@Zs&-0cHeu|RX(Pxz6vTITdzJdYippF zC-EB+n4}#lM7`2Ry~SO>FxhKboIAF#Z{1wqxaCb{#yEFhLuX;Rx(Lz%T`Xo1+a2M}7D+@wol2)OJs$TwtRNJ={( zD@#zTUEE}#Fz#&(EoD|SV#bayvr&E0vzmb%H?o~46|FAcx?r4$N z&67W3mdip-T1RIxwSm_&(%U|+WvtGBj*}t69XVd&ebn>KOuL(7Y8cV?THd-(+9>G7*Nt%T zcH;`p={`SOjaf7hNd(=37Lz3-51;58JffzIPgGs_7xIOsB5p2t&@v1mKS$2D$*GQ6 zM(IR*j4{nri7NMK9xlDy-hJW6sW|ZiDRaFiayj%;(%51DN!ZCCCXz+0Vm#};70nOx zJ#yA0P3p^1DED;jGdPbQWo0WATN=&2(QybbVdhd=Vq*liDk`c7iZ?*AKEYC#SY&2g z&Q(Ci)MJ{mEat$ZdSwTjf6h~roanYh2?9j$CF@4hjj_f35kTKuGHvIs9}Re@iKMxS-OI*`0S z6s)fOtz}O$T?PLFVSeOjSO26$@u`e<>k(OSP!&YstH3ANh>)mzmKGNOwOawq-MPXe zy4xbeUAl6tamnx))-`Gi2uV5>9n(73yS)Ukma4*7fI8PaEwa)dWHs6QA6>$}7?(L8 ztN8M}?{Tf!Zu22J5?2@95&rQ|F7=FK-hihT-vDp!5JCcWrVogEnp;CHenAZ)+E+K5 z$Cffk5sNwD_?4+ymgcHR(5xgt20Z8M`2*;MzOM#>yhk{r3x=EyM226wb&!+j`W<%* zSc&|`8!>dn9D@!pYow~(DsY_naSx7(Z4i>cu#hA5=;IuI88}7f%)bRkuY2B;+9Uep zpXcvFWkJ!mQai63BgNXG26$5kyhZ2&*3Q_tk)Ii4M>@p~_~q_cE!|^A;_MHB;7s#9 zKzMzK{lIxotjc};k67^Xsl-gS!^*m*m6kn|sbdun`O?dUkJ{0cmI0-_2y=lTAfn*Y zKg*A-2sJq)CCJgY0LF-VQvl&6HIXZyxo2#!O&6fOhbHXC?%1cMc6y^*dOS{f$=137Ds1m01qs`>iUQ49JijsaQ( zksqV9@&?il$|4Ua%4!O15>Zy&%gBY&wgqB>XA3!EldQ%1CRSM(pp#k~-pkcCg4LAT zXE=puHbgsw)!xtc@P4r~Z}nTF=D2~j(6D%gTBw$(`Fc=OOQ0kiW$_RDd=hcO0t97h zb86S5r=>(@VGy1&#S$Kg_H@7G^;8Ue)X5Y+IWUi`o;mpvoV)`fcVk4FpcT|;EG!;? zHG^zrVVZOm>1KFaHlaogcWj(v!S)O(Aa|Vo?S|P z5|6b{qkH(USa*Z7-y_Uvty_Z1|B{rTS^qmEMLEYUSk03_Fg&!O3BMo{b^*`3SHvl0 zhnLTe^_vVIdcSHe)SQE}r~2dq)VZJ!aSKR?RS<(9lzkYo&dQ?mubnWmgMM37Nudwo z3Vz@R{=m2gENUE3V4NbIzAA$H1z0pagz94-PTJyX{b$yndsdKptmlKQKaaHj@3=ED zc7L?p@%ui|RegVYutK$64q4pe9+5sv34QUpo)u{1ci?)_7gXQd{PL>b0l(LI#rJmN zGuO+%GO`xneFOOr4EU(Wg}_%bhzUf;d@TU+V*2#}!2OLwg~%D;1FAu=Un>OgjPb3S z7l(riiCwgghC=Lm5hWGf5NdGp#01xQ59`HJcLXbUR3&n%P(+W2q$h2Qd z*6+-QXJ*&Kvk9ht0f0*rO_|FMBALen{j7T1l%=Q>gf#kma zQlg#I9+HB+z*5BMxdesMND`_W;q5|FaEURFk|~&{@qY32N$G$2B=&Po{=!)x5b!#n zxLzblkq{yj05#O7(GRuT39(06FJlalyv<#K4m}+vs>9@q-&31@1(QBv82{}Zkns~K ze{eHC_RDX0#^A*JQTwF`a=IkE6Ze@j#-8Q`tTT?k9`^ZhA~3eCZJ-Jr{~7Cx;H4A3 zcZ+Zj{mzFZbVvQ6U~n>$U2ZotGsERZ@}VKrgGh0xM;Jzt29%TX6_&CWzg+YYMozrM z`nutuS)_0dCM8UVaKRj804J4i%z2BA_8A4OJRQ$N(P9Mfn-gF;4#q788C@9XR0O3< zsoS4wIoyt046d+LnSCJOy@B@Uz*#GGd#+Ln1ek5Dv>(ZtD@tgZlPnZZJGBLr^JK+!$$?A_fA3LOrkoDRH&l7 zcMcD$Hsjko3`-{bn)jPL6E9Ds{WskMrivsUu5apD z?grQO@W7i5+%X&E&p|RBaEZ(sGLR@~(y^BI@lDMot^Ll?!`90KT!JXUhYS`ZgX3jnu@Ja^seA*M5R@f`=`ynQV4rc$uT1mvE?@tz)TN<=&H1%Z?5yjxcpO+6y_R z6EPuPKM5uxKpmZfT(WKjRRNHs@ib)F5WAP7QCADvmCSD#hPz$V10wiD&{NXyEwx5S z6NE`3z!IS^$s7m}PCwQutVQ#~w+V z=+~->DI*bR2j0^@dMr9`p>q^Ny~NrAVxrJtX2DUveic5vM%#N*XO|?YAWwNI$Q)_) zvE|L(L1jP@F%gOGtnlXtIv2&1i8q<)Xfz8O3G^Ea~e*HJsQgBxWL(yuLY+jqUK zRE~`-zklrGog(X}$9@ZVUw!8*=l`6mzYLtsg`AvBYz(cxmAhr^j0~(rzXdiOEeu_p zE$sf2(w(BPAvO5DlaN&uQ$4@p-b?fRs}d7&2UQ4Fh?1Hzu*YVjcndqJLw0#q@fR4u zJCJ}>_7-|QbvOfylj+e^_L`5Ep9gqd>XI3-O?Wp z-gt*P29f$Tx(mtS`0d05nHH=gm~Po_^OxxUwV294BDKT>PHVlC5bndncxGR!n(OOm znsNt@Q&N{TLrmsoKFw0&_M9$&+C24`sIXGWgQaz=kY;S{?w`z^Q0JXXBKFLj0w0U6P*+jPKyZHX9F#b0D1$&(- zrm8PJd?+SrVf^JlfTM^qGDK&-p2Kdfg?f>^%>1n8bu&byH(huaocL>l@f%c*QkX2i znl}VZ4R1en4S&Bcqw?$=Zi7ohqB$Jw9x`aM#>pHc0x z0$!q7iFu zZ`tryM70qBI6JWWTF9EjgG@>6SRzsd}3h+4D8d~@CR07P$LJ}MFsYi-*O%XVvD@yT|rJ+Mk zDllJ7$n0V&A!0flbOf)HE6P_afPWZmbhpliqJuw=-h+r;WGk|ntkWN(8tKlYpq5Ow z(@%s>IN8nHRaYb*^d;M(D$zGCv5C|uqmsDjwy4g=Lz>*OhO3z=)VD}C<65;`89Ye} zSCxrv#ILzIpEx1KdLPlM&%Cctf@FqTKvNPXC&`*H9=l=D3r!GLM?UV zOxa(8ZsB`&+76S-_xuj?G#wXBfDY@Z_tMpXJS7^mp z@YX&u0jYw2A+Z+bD#6sgVK5ZgdPSJV3>{K^4~%HV?rn~4D)*2H!67Y>0aOmzup`{D zzDp3c9yEbGCY$U<8biJ_gB*`jluz1ShUd!QUIQJ$*1;MXCMApJ^m*Fiv88RZ zFopLViw}{$Tyhh_{MLGIE2~sZ)t0VvoW%=8qKZ>h=adTe3QM$&$PO2lfqH@brt!9j ziePM8$!CgE9iz6B<6_wyTQj?qYa;eC^{x_0wuwV~W+^fZmFco-o%wsKSnjXFEx02V zF5C2t)T6Gw$Kf^_c;Ei3G~uC8SM-xyycmXyC2hAVi-IfXqhu$$-C=*|X?R0~hu z8`J6TdgflslhrmDZq1f?GXF7*ALeMmOEpRDg(s*H`4>_NAr`2uqF;k;JQ+8>A|_6ZNsNLECC%NNEb1Y1dP zbIEmNpK)#XagtL4R6BC{C5T(+=yA-(Z|Ap}U-AfZM#gwVpus3(gPn}Q$CExObJ5AC z)ff9Yk?wZ}dZ-^)?cbb9Fw#EjqQ8jxF4G3=L?Ra zg_)0QDMV1y^A^>HRI$x?Op@t;oj&H@1xt4SZ9(kifQ zb59B*`M99Td7@aZ3UWvj1rD0sE)d=BsBuW*KwkCds7ay(7*01_+L}b~7)VHI>F_!{ zyxg-&nCO?v#KOUec0{OOKy+sjWA;8rTE|Lv6I9H?CI?H(mUm8VXGwU$49LGpz&{nQp2}dinE1@lZ1iox6{ghN&v^GZv9J${7WaXj)<0S4g_uiJ&JCZ zr8-hsu`U%N;+9N^@&Q0^kVPB3)wY(rr}p7{p0qFHb3NUUHJb672+wRZs`gd1UjKPX z4o6zljKKA+Kkj?H>Ew63o%QjyBk&1!P22;MkD>sM0=z_s-G{mTixJCT9@_|*(p^bz zJ8?ZZ&;pzV+7#6Mn`_U-)k8Pjg?a;|Oe^us^PoPY$Va~yi8|?+&=y$f+lABT<*pZr zP}D{~Pq1Qyni+@|aP;ixO~mbEW9#c0OU#YbDZIaw=_&$K%Ep2f%hO^&P67hApZe`x zv8b`Mz@?M_7-)b!lkQKk)JXXUuT|B8kJlvqRmRpxtQDgvrHMXC1B$M@Y%Me!BSx3P z#2Eawl$HleZhhTS6Txm>lN_+I`>eV$&v9fOg)%zVn3O5mI*lAl>QcHuW6!Kixmq`X zBCZ*Ck6OYtDiK!N47>jxI&O2a9x7M|i^IagRr-fmrmikEQGgw%J7bO|)*$2FW95O4 zeBs>KR)izRG1gRVL;F*sr8A}aRHO0gc$$j&ds8CIO1=Gwq1%_~E)CWNn9pCtBE}+`Jelk4{>S)M)`Ll=!~gnn1yq^EX(+y*ik@3Ou0qU`IgYi3*doM+5&dU!cho$pZ zn%lhKeZkS72P?Cf68<#kll_6OAO26bIbueZx**j6o;I0cS^XiL`y+>{cD}gd%lux} z)3N>MaE24WBZ}s0ApfdM;5J_Ny}rfUyxfkC``Awo2#sgLnGPewK};dORuT?@I6(5~ z?kE)Qh$L&fwJXzK){iYx!l5$Tt|^D~MkGZPA}(o6f7w~O2G6Vvzdo*a;iXzk$B66$ zwF#;wM7A+(;uFG4+UAY(2`*3XXx|V$K8AYu#ECJYSl@S=uZW$ksfC$~qrrbQj4??z-)uz0QL}>k^?fPnJTPw% zGz)~?B4}u0CzOf@l^um}HZzbaIwPmb<)< zi_3@E9lc)Qe2_`*Z^HH;1CXOceL=CHpHS{HySy3T%<^NrWQ}G0i4e1xm_K3(+~oi$ zoHl9wzb?Z4j#90DtURtjtgvi7uw8DzHYmtPb;?%8vb9n@bszT=1qr)V_>R%s!92_` zfnHQPANx z<#hIjIMm#*(v*!OXtF+w8kLu`o?VZ5k7{`vw{Yc^qYclpUGIM_PBN1+c{#Vxv&E*@ zxg=W2W~JuV{IuRYw3>LSI1)a!thID@R=bU+cU@DbR^_SXY`MC7HOsCN z!dO4OKV7(E_Z8T#8MA1H`99?Z!r0)qKW_#|29X3#Jb+5+>qUidbeP1NJ@)(qi2S-X zao|f0_tl(O+$R|Qwd$H{_ig|~I1fbp_$NkI!0E;Y z6JrnU{1Ra6^on{9gUUB0mwzP3S%B#h0fjo>JvV~#+X0P~JV=IG=yHG$O+p5O3NUgG zEQ}z6BTp^Fie)Sg<){Z&I8NwPR(=mO4joTLHkJ>|Tnk23E(Bo`FSbPc05lF2-+)X? z6vV3*m~IBHTy*^E!<0nA(tCOJW2G4DsH7)BxLV8kICn5lu6@U*R`w)o9;Ro$i8=Q^V%uH8n3q=+Yf;SFRZu z!+F&PKcH#8cG?aSK_Tl@K9P#8o+jry@gdexz&d(Q=47<7nw@e@FFfIRNL9^)1i@;A z28+$Z#rjv-wj#heI|<&J_DiJ*s}xd-f!{J8jfqOHE`TiHHZVIA8CjkNQ_u;Ery^^t zl1I75&u^`1_q)crO+JT4rx|z2ToSC>)Or@-D zy3S>jW*sNIZR-EBsfyaJ+Jq4BQE4?SePtD2+jY8*%FsSLZ9MY>+wk?}}}AFAw)vr{ml)8LUG-y9>^t!{~|sgpxYc0Gnkg`&~R z-pilJZjr@y5$>B=VMdZ73svct%##v%wdX~9fz6i3Q-zOKJ9wso+h?VME7}SjL=!NUG{J?M&i!>ma`eoEa@IX`5G>B1(7;%}M*%-# zfhJ(W{y;>MRz!Ic8=S}VaBKqh;~7KdnGEHxcL$kA-6E~=!hrN*zw9N+_=odt<$_H_8dbo;0=42wcAETPCVGUr~v(`Uai zb{=D!Qc!dOEU6v)2eHSZq%5iqK?B(JlCq%T6av$Cb4Rko6onlG&?CqaX7Y_C_cOC3 zYZ;_oI(}=>_07}Oep&Ws7x7-R)cc8zfe!SYxJYP``pi$FDS)4Fvw5HH=FiU6xfVqIM!hJ;Rx8c0cB7~aPtNH(Nmm5Vh{ibAoU#J6 zImRCr?(iyu_4W_6AWo3*vxTPUw@vPwy@E0`(>1Qi=%>5eSIrp^`` zK*Y?fK_6F1W>-7UsB)RPC4>>Ps9)f+^MqM}8AUm@tZ->j%&h1M8s*s!LX5&WxQcAh z8mciQej@RPm?660%>{_D+7er>%zX_{s|$Z+;G7_sfNfBgY(zLB4Ey}J9F>zX#K0f6 z?dVNIeEh?EIShmP6>M+d|0wMM85Sa4diw1hrg|ITJ}JDg@o8y>(rF9mXk5M z2@D|NA)-7>wD&wF;S_$KS=eE84`BGw3g0?6wGxu8ys4rwI?9U=*^VF22t3%mbGeOh z`!O-OpF7#Vceu~F`${bW0nYVU9ecmk31V{tF%iv&5hWofC>I~cqAt@u6|R+|HLMMX zVxuSlMFOK_EQ86#E8&KwxIr8S9tj_goWtLv4f@!&h8;Ov41{J~496vp9vX=(LK#j! zAwi*21RAV-LD>9Cw3bV_9X(X3)Kr0-UaB*7Y>t82EQ%!)(&(XuAYtTsYy-dz+w=$ir)VJpe!_$ z6SGpX^i(af3{o=VlFPC);|J8#(=_8#vdxDe|Cok+ANhYwbE*FO`Su2m1~w+&9<_9~ z-|tTU_ACGN`~CNW5WYYBn^B#SwZ(t4%3aPp z;o)|L6Rk569KGxFLUPx@!6OOa+5OjQLK5w&nAmwxkC5rZ|m&HT8G%GVZxB_@ME z>>{rnXUqyiJrT(8GMj_ap#yN_!9-lO5e8mR3cJiK3NE{_UM&=*vIU`YkiL$1%kf+1 z4=jk@7EEj`u(jy$HnzE33ZVW_J4bj}K;vT?T91YlO(|Y0FU4r+VdbmQ97%(J5 zkK*Bed8+C}FcZ@HIgdCMioV%A<*4pw_n}l*{Cr4}a(lq|injK#O?$tyvyE`S%(1`H z_wwRvk#13ElkZvij2MFGOj`fhy?nC^8`Zyo%yVcUAfEr8x&J#A{|moUBAV_^f$hpaUuyQeY3da^ zS9iRgf87YBwfe}>BO+T&Fl%rfpZh#+AM?Dq-k$Bq`vG6G_b4z%Kbd&v>qFjow*mBl z-OylnqOpLg}or7_VNwRg2za3VBK6FUfFX{|TD z`Wt0Vm2H$vdlRWYQJqDmM?JUbVqL*ZQY|5&sY*?!&%P8qhA~5+Af<{MaGo(dl&C5t zE%t!J0 zh6jqANt4ABdPxSTrVV}fLsRQal*)l&_*rFq(Ez}ClEH6LHv{J#v?+H-BZ2)Wy{K@9 z+ovXHq~DiDvm>O~r$LJo!cOuwL+Oa--6;UFE2q@g3N8Qkw5E>ytz^(&($!O47+i~$ zKM+tkAd-RbmP{s_rh+ugTD;lriL~`Xwkad#;_aM?nQ7L_muEFI}U_4$phjvYgleK~`Fo`;GiC07&Hq1F<%p;9Q;tv5b?*QnR%8DYJH3P>Svmv47Y>*LPZJy8_{9H`g6kQpyZU{oJ`m%&p~D=K#KpfoJ@ zn-3cqmHsdtN!f?~w+(t+I`*7GQA#EQC^lUA9(i6=i1PqSAc|ha91I%X&nXzjYaM{8$s&wEx@aVkQ6M{E2 zfzId#&r(XwUNtPcq4Ngze^+XaJA1EK-%&C9j>^9(secqe{}z>hR5CFNveMsVA)m#S zk)_%SidkY-XmMWlVnQ(mNJ>)ooszQ#vaK;!rPmGKXV7am^_F!Lz>;~{VrIO$;!#30XRhE1QqO_~#+Ux;B_D{Nk=grn z8Y0oR^4RqtcYM)7a%@B(XdbZCOqnX#fD{BQTeLvRHd(irHKq=4*jq34`6@VAQR8WG z^%)@5CXnD_T#f%@-l${>y$tfb>2LPmc{~5A82|16mH)R?&r#KKLs7xpN-D`=&Cm^R zvMA6#Ahr<3X>Q7|-qfTY)}32HkAz$_mibYV!I)u>bmjK`qwBe(>za^0Kt*HnFbSdO z1>+ryKCNxmm^)*$XfiDOF2|{-v3KKB?&!(S_Y=Ht@|ir^hLd978xuI&N{k>?(*f8H z=ClxVJK_%_z1TH0eUwm2J+2To7FK4o+n_na)&#VLn1m;!+CX+~WC+qg1?PA~KdOlC zW)C@pw75_xoe=w7i|r9KGIvQ$+3K?L{7TGHwrQM{dCp=Z*D}3kX7E-@sZnup!BImw z*T#a=+WcTwL78exTgBn|iNE3#EsOorO z*kt)gDzHiPt07fmisA2LWN?AymkdqTgr?=loT7z@d`wnlr6oN}@o|&JX!yPzC*Y8d zu6kWlTzE1)ckyBn+0Y^HMN+GA$wUO_LN6W>mxCo!0?oiQvT`z$jbSEu&{UHRU0E8# z%B^wOc@S!yhMT49Y)ww(Xta^8pmPCe@eI5C*ed96)AX9<>))nKx0(sci8gwob_1}4 z0DIL&vsJ1_s%<@y%U*-eX z5rN&(zef-5G~?@r79oZGW1d!WaTqQn0F6RIOa9tJ=0(kdd{d1{<*tHT#cCvl*i>YY zH+L7jq8xZNcTUBqj(S)ztTU!TM!RQ}In*n&Gn<>(60G7}4%WQL!o>hbJqNDSGwl#H z`4k+twp0cj%PsS+NKaxslAEu9!#U3xT1|_KB6`h=PI0SW`P9GTa7caD1}vKEglV8# zjKZR`pluCW19c2fM&ZG)c3T3Um;ir3y(tSCJ7Agl6|b524dy5El{^EQBG?E61H0XY z`bqg!;zhGhyMFl&(o=JWEJ8n~z)xI}A@C0d2hQGvw7nGv)?POU@(kS1m=%`|+^ika zXl8zjS?xqW$WlO?Ewa;vF~XbybHBor$f<%I&*t$F5fynwZlTGj|IjZtVfGa7l&tK} zW>I<69w(cZLu)QIVG|M2xzW@S+70NinQzk&Y0+3WT*cC)rx~04O-^<{JohU_&HL5XdUKW!uFy|i$FB|EMu0eUyW;gsf`XfIc!Z0V zeK&*hPL}f_cX=@iv>K%S5kL;cl_$v?n(Q9f_cChk8Lq$glT|=e+T*8O4H2n<=NGmn z+2*h+v;kBvF>}&0RDS>)B{1!_*XuE8A$Y=G8w^qGMtfudDBsD5>T5SB;Qo}fSkkiV ze^K^M(UthkwrD!&*tTsu>Dacdj_q`~V%r_twr$(Ct&_dKeeXE?fA&4&yASJWJ*}~- zel=@W)tusynfC_YqH4ll>4Eg`Xjs5F7Tj>tTLz<0N3)X<1px_d2yUY>X~y>>93*$) z5PuNMQLf9Bu?AAGO~a_|J2akO1M*@VYN^VxvP0F$2>;Zb9;d5Yfd8P%oFCCoZE$ z4#N$^J8rxYjUE_6{T%Y>MmWfHgScpuGv59#4u6fpTF%~KB^Ae`t1TD_^Ud#DhL+Dm zbY^VAM#MrAmFj{3-BpVSWph2b_Y6gCnCAombVa|1S@DU)2r9W<> zT5L8BB^er3zxKt1v(y&OYk!^aoQisqU zH(g@_o)D~BufUXcPt!Ydom)e|aW{XiMnes2z&rE?og>7|G+tp7&^;q?Qz5S5^yd$i z8lWr4g5nctBHtigX%0%XzIAB8U|T6&JsC4&^hZBw^*aIcuNO47de?|pGXJ4t}BB`L^d8tD`H`i zqrP8?#J@8T#;{^B!KO6J=@OWKhAerih(phML`(Rg7N1XWf1TN>=Z3Do{l_!d~DND&)O)D>ta20}@Lt77qSnVsA7>)uZAaT9bsB>u&aUQl+7GiY2|dAEg@%Al3i316y;&IhQL^8fw_nwS>f60M_-m+!5)S_6EPM7Y)(Nq^8gL7(3 zOiot`6Wy6%vw~a_H?1hLVzIT^i1;HedHgW9-P#)}Y6vF%C=P70X0Tk^z9Te@kPILI z_(gk!k+0%CG)%!WnBjjw*kAKs_lf#=5HXC00s-}oM-Q1aXYLj)(1d!_a7 z*Gg4Fe6F$*ujVjI|79Z5+Pr`us%zW@ln++2l+0hsngv<{mJ%?OfSo_3HJXOCys{Ug z00*YR-(fv<=&%Q!j%b-_ppA$JsTm^_L4x`$k{VpfLI(FMCap%LFAyq;#ns5bR7V+x zO!o;c5y~DyBPqdVQX)8G^G&jWkBy2|oWTw>)?5u}SAsI$RjT#)lTV&Rf8;>u*qXnb z8F%Xb=7#$m)83z%`E;49)t3fHInhtc#kx4wSLLms!*~Z$V?bTyUGiS&m>1P(952(H zuHdv=;o*{;5#X-uAyon`hP}d#U{uDlV?W?_5UjJvf%11hKwe&(&9_~{W)*y1nR5f_ z!N(R74nNK`y8>B!0Bt_Vr!;nc3W>~RiKtGSBkNlsR#-t^&;$W#)f9tTlZz>n*+Fjz z3zXZ;jf(sTM(oDzJt4FJS*8c&;PLTW(IQDFs_5QPy+7yhi1syPCarvqrHFcf&yTy)^O<1EBx;Ir`5W{TIM>{8w&PB>ro4;YD<5LF^TjTb0!zAP|QijA+1Vg>{Afv^% zmrkc4o6rvBI;Q8rj4*=AZacy*n8B{&G3VJc)so4$XUoie0)vr;qzPZVbb<#Fc=j+8CGBWe$n|3K& z_@%?{l|TzKSlUEO{U{{%Fz_pVDxs7i9H#bnbCw7@4DR=}r_qV!Zo~CvD4ZI*+j3kO zW6_=|S`)(*gM0Z;;}nj`73OigF4p6_NPZQ-Od~e$c_);;4-7sR>+2u$6m$Gf%T{aq zle>e3(*Rt(TPD}03n5)!Ca8Pu!V}m6v0o1;5<1h$*|7z|^(3$Y&;KHKTT}hV056wuF0Xo@mK-52~r=6^SI1NC%c~CC?n>yX6wPTgiWYVz!Sx^atLby9YNn1Rk{g?|pJaxD4|9cUf|V1_I*w zzxK)hRh9%zOl=*$?XUjly5z8?jPMy%vEN)f%T*|WO|bp5NWv@B(K3D6LMl!-6dQg0 zXNE&O>Oyf%K@`ngCvbGPR>HRg5!1IV$_}m@3dWB7x3t&KFyOJn9pxRXCAzFr&%37wXG;z^xaO$ekR=LJG ztIHpY8F5xBP{mtQidqNRoz= z@){+N3(VO5bD+VrmS^YjG@+JO{EOIW)9=F4v_$Ed8rZtHvjpiEp{r^c4F6Ic#ChlC zJX^DtSK+v(YdCW)^EFcs=XP7S>Y!4=xgmv>{S$~@h=xW-G4FF9?I@zYN$e5oF9g$# zb!eVU#J+NjLyX;yb)%SY)xJdvGhsnE*JEkuOVo^k5PyS=o#vq!KD46UTW_%R=Y&0G zFj6bV{`Y6)YoKgqnir2&+sl+i6foAn-**Zd1{_;Zb7Ki=u394C5J{l^H@XN`_6XTKY%X1AgQM6KycJ+= zYO=&t#5oSKB^pYhNdzPgH~aEGW2=ec1O#s-KG z71}LOg@4UEFtp3GY1PBemXpNs6UK-ax*)#$J^pC_me;Z$Je(OqLoh|ZrW*mAMBFn< zHttjwC&fkVfMnQeen8`Rvy^$pNRFVaiEN4Pih*Y3@jo!T0nsClN)pdrr9AYLcZxZ| zJ5Wlj+4q~($hbtuY zVQ7hl>4-+@6g1i`1a)rvtp-;b0>^`Dloy(#{z~ytgv=j4q^Kl}wD>K_Y!l~ zp(_&7sh`vfO(1*MO!B%<6E_bx1)&s+Ae`O)a|X=J9y~XDa@UB`m)`tSG4AUhoM=5& znWoHlA-(z@3n0=l{E)R-p8sB9XkV zZ#D8wietfHL?J5X0%&fGg@MH~(rNS2`GHS4xTo7L$>TPme+Is~!|79=^}QbPF>m%J zFMkGzSndiPO|E~hrhCeo@&Ea{M(ieIgRWMf)E}qeTxT8Q#g-!Lu*x$v8W^M^>?-g= zwMJ$dThI|~M06rG$Sv@C@tWR>_YgaG&!BAbkGggVQa#KdtDB)lMLNVLN|51C@F^y8 zCRvMB^{GO@j=cHfmy}_pCGbP%xb{pNN>? z?7tBz$1^zVaP|uaatYaIN+#xEN4jBzwZ|YI_)p(4CUAz1ZEbDk>J~Y|63SZaak~#0 zoYKruYsWHoOlC1(MhTnsdUOwQfz5p6-D0}4;DO$B;7#M{3lSE^jnTT;ns`>!G%i*F?@pR1JO{QTuD0U+~SlZxcc8~>IB{)@8p`P&+nDxNj`*gh|u?yrv$phpQcW)Us)bi`kT%qLj(fi{dWRZ%Es2!=3mI~UxiW0$-v3vUl?#g{p6eF zMEUAqo5-L0Ar(s{VlR9g=j7+lt!gP!UN2ICMokAZ5(Agd>})#gkA2w|5+<%-CuEP# zqgcM}u@3(QIC^Gx<2dbLj?cFSws_f3e%f4jeR?4M^M3cx1f+Qr6ydQ>n)kz1s##2w zk}UyQc+Z5G-d-1}{WzjkLXgS-2P7auWSJ%pSnD|Uivj5u!xk0 z_^-N9r9o;(rFDt~q1PvE#iJZ_f>J3gcP$)SOqhE~pD2|$=GvpL^d!r z6u=sp-CrMoF7;)}Zd7XO4XihC4ji?>V&(t^?@3Q&t9Mx=qex6C9d%{FE6dvU6%d94 zIE;hJ1J)cCqjv?F``7I*6bc#X)JW2b4f$L^>j{*$R`%5VHFi*+Q$2;nyieduE}qdS{L8y8F08yLs?w}{>8>$3236T-VMh@B zq-nujsb_1aUv_7g#)*rf9h%sFj*^mIcImRV*k~Vmw;%;YH(&ylYpy!&UjUVqqtfG` zox3esju?`unJJA_zKXRJP)rA3nXc$m^{S&-p|v|-0x9LHJm;XIww7C#R$?00l&Yyj z=e}gKUOpsImwW?N)+E(awoF@HyP^EhL+GlNB#k?R<2>95hz!h9sF@U20DHSB3~WMa zk90+858r@-+vWwkawJ)8ougd(i#1m3GLN{iSTylYz$brAsP%=&m$mQQrH$g%3-^VR zE%B`Vi&m8f3T~&myTEK28BDWCVzfWir1I?03;pX))|kY5ClO^+bae z*7E?g=3g7EiisYOrE+lA)2?Ln6q2*HLNpZEWMB|O-JI_oaHZB%CvYB(%=tU= zE*OY%QY58fW#RG5=gm0NR#iMB=EuNF@)%oZJ}nmm=tsJ?eGjia{e{yuU0l3{d^D@)kVDt=1PE)&tf_hHC%0MB znL|CRCPC}SeuVTdf>-QV70`0(EHizc21s^sU>y%hW0t!0&y<7}Wi-wGy>m%(-jsDj zP?mF|>p_K>liZ6ZP(w5(|9Ga%>tLgb$|doDDfkdW>Z z`)>V2XC?NJT26mL^@ zf+IKr27TfM!UbZ@?zRddC7#6ss1sw%CXJ4FWC+t3lHZupzM77m^=9 z&(a?-LxIq}*nvv)y?27lZ{j zifdl9hyJudyP2LpU$-kXctshbJDKS{WfulP5Dk~xU4Le4c#h^(YjJit4#R8_khheS z|8(>2ibaHES4+J|DBM7I#QF5u-*EdN{n=Kt@4Zt?@Tv{JZA{`4 zU#kYOv{#A&gGPwT+$Ud}AXlK3K7hYzo$(fBSFjrP{QQ zeaKg--L&jh$9N}`pu{Bs>?eDFPaWY4|9|foN%}i;3%;@4{dc+iw>m}{3rELqH21G! z`8@;w-zsJ1H(N3%|1B@#ioLOjib)j`EiJqPQVSbPSPVHCj6t5J&(NcWzBrzCiDt{4 zdlPAUKldz%6x5II1H_+jv)(xVL+a;P+-1hv_pM>gMRr%04@k;DTokASSKKhU1Qms| zrWh3a!b(J3n0>-tipg{a?UaKsP7?+|@A+1WPDiQIW1Sf@qDU~M_P65_s}7(gjTn0X zucyEm)o;f8UyshMy&>^SC3I|C6jR*R_GFwGranWZe*I>K+0k}pBuET&M~ z;Odo*ZcT?ZpduHyrf8E%IBFtv;JQ!N_m>!sV6ly$_1D{(&nO~w)G~Y`7sD3#hQk%^ zp}ucDF_$!6DAz*PM8yE(&~;%|=+h(Rn-=1Wykas_-@d&z#=S}rDf`4w(rVlcF&lF! z=1)M3YVz7orwk^BXhslJ8jR);sh^knJW(Qmm(QdSgIAIdlN4Te5KJisifjr?eB{FjAX1a0AB>d?qY4Wx>BZ8&}5K0fA+d{l8 z?^s&l8#j7pR&ijD?0b%;lL9l$P_mi2^*_OL+b}4kuLR$GAf85sOo02?Y#90}CCDiS zZ%rbCw>=H~CBO=C_JVV=xgDe%b4FaEFtuS7Q1##y686r%F6I)s-~2(}PWK|Z8M+Gu zl$y~5@#0Ka%$M<&Cv%L`a8X^@tY&T7<0|(6dNT=EsRe0%kp1Qyq!^43VAKYnr*A5~ zsI%lK1ewqO;0TpLrT9v}!@vJK{QoVa_+N4FYT#h?Y8rS1S&-G+m$FNMP?(8N`MZP zels(*?kK{{^g9DOzkuZXJ2;SrOQsp9T$hwRB1(phw1c7`!Q!by?Q#YsSM#I12RhU{$Q+{xj83axHcftEc$mNJ8_T7A-BQc*k(sZ+~NsO~xAA zxnbb%dam_fZlHvW7fKXrB~F&jS<4FD2FqY?VG?ix*r~MDXCE^WQ|W|WM;gsIA4lQP zJ2hAK@CF*3*VqPr2eeg6GzWFlICi8S>nO>5HvWzyZTE)hlkdC_>pBej*>o0EOHR|) z$?};&I4+_?wvL*g#PJ9)!bc#9BJu1(*RdNEn>#Oxta(VWeM40ola<0aOe2kSS~{^P zDJBd}0L-P#O-CzX*%+$#v;(x%<*SPgAje=F{Zh-@ucd2DA(yC|N_|ocs*|-!H%wEw z@Q!>siv2W;C^^j^59OAX03&}&D*W4EjCvfi(ygcL#~t8XGa#|NPO+*M@Y-)ctFA@I z-p7npT1#5zOLo>7q?aZpCZ=iecn3QYklP;gF0bq@>oyBq94f6C=;Csw3PkZ|5q=(c zfs`aw?II0e(h=|7o&T+hq&m$; zBrE09Twxd9BJ2P+QPN}*OdZ-JZV7%av@OM7v!!NL8R;%WFq*?{9T3{ct@2EKgc8h) zMxoM$SaF#p<`65BwIDfmXG6+OiK0e)`I=!A3E`+K@61f}0e z!2a*FOaDrOe>U`q%K!QN`&=&0C~)CaL3R4VY(NDt{Xz(Xpqru5=r#uQN1L$Je1*dkdqQ*=lofQaN%lO!<5z9ZlHgxt|`THd>2 zsWfU$9=p;yLyJyM^t zS2w9w?Bpto`@H^xJpZDKR1@~^30Il6oFGfk5%g6w*C+VM)+%R@gfIwNprOV5{F^M2 zO?n3DEzpT+EoSV-%OdvZvNF+pDd-ZVZ&d8 zKeIyrrfPN=EcFRCPEDCVflX#3-)Ik_HCkL(ejmY8vzcf-MTA{oHk!R2*36`O68$7J zf}zJC+bbQk--9Xm!u#lgLvx8TXx2J258E5^*IZ(FXMpq$2LUUvhWQPs((z1+2{Op% z?J}9k5^N=z;7ja~zi8a_-exIqWUBJwohe#4QJ`|FF*$C{lM18z^#hX6!5B8KAkLUX ziP=oti-gpV(BsLD{0(3*dw}4JxK23Y7M{BeFPucw!sHpY&l%Ws4pSm`+~V7;bZ%Dx zeI)MK=4vC&5#;2MT7fS?^ch9?2;%<8Jlu-IB&N~gg8t;6S-#C@!NU{`p7M8@2iGc& zg|JPg%@gCoCQ&s6JvDU&`X2S<57f(k8nJ1wvBu{8r?;q3_kpZZ${?|( z+^)UvR33sjSd)aT!UPkA;ylO6{aE3MQa{g%Mcf$1KONcjO@&g5zPHWtzM1rYC{_K> zgQNcs<{&X{OA=cEWw5JGqpr0O>x*Tfak2PE9?FuWtz^DDNI}rwAaT0(bdo-<+SJ6A z&}S%boGMWIS0L}=S>|-#kRX;e^sUsotry(MjE|3_9duvfc|nwF#NHuM-w7ZU!5ei8 z6Mkf>2)WunY2eU@C-Uj-A zG(z0Tz2YoBk>zCz_9-)4a>T46$(~kF+Y{#sA9MWH%5z#zNoz)sdXq7ZR_+`RZ%0(q zC7&GyS_|BGHNFl8Xa%@>iWh%Gr?=J5<(!OEjauj5jyrA-QXBjn0OAhJJ9+v=!LK`` z@g(`^*84Q4jcDL`OA&ZV60djgwG`|bcD*i50O}Q{9_noRg|~?dj%VtKOnyRs$Uzqg z191aWoR^rDX#@iSq0n z?9Sg$WSRPqSeI<}&n1T3!6%Wj@5iw5`*`Btni~G=&;J+4`7g#OQTa>u`{4ZZ(c@s$ zK0y;ySOGD-UTjREKbru{QaS>HjN<2)R%Nn-TZiQ(Twe4p@-saNa3~p{?^V9Nixz@a zykPv~<@lu6-Ng9i$Lrk(xi2Tri3q=RW`BJYOPC;S0Yly%77c727Yj-d1vF!Fuk{Xh z)lMbA69y7*5ufET>P*gXQrxsW+ zz)*MbHZv*eJPEXYE<6g6_M7N%#%mR{#awV3i^PafNv(zyI)&bH?F}2s8_rR(6%!V4SOWlup`TKAb@ee>!9JKPM=&8g#BeYRH9FpFybxBXQI2|g}FGJfJ+ zY-*2hB?o{TVL;Wt_ek;AP5PBqfDR4@Z->_182W z{P@Mc27j6jE*9xG{R$>6_;i=y{qf(c`5w9fa*`rEzX6t!KJ(p1H|>J1pC-2zqWENF zmm=Z5B4u{cY2XYl(PfrInB*~WGWik3@1oRhiMOS|D;acnf-Bs(QCm#wR;@Vf!hOPJ zgjhDCfDj$HcyVLJ=AaTbQ{@vIv14LWWF$=i-BDoC11}V;2V8A`S>_x)vIq44-VB-v z*w-d}$G+Ql?En8j!~ZkCpQ$|cA0|+rrY>tiCeWxkRGPoarxlGU2?7%k#F693RHT24 z-?JsiXlT2PTqZqNb&sSc>$d;O4V@|b6VKSWQb~bUaWn1Cf0+K%`Q&Wc<>mQ>*iEGB zbZ;aYOotBZ{vH3y<0A*L0QVM|#rf*LIsGx(O*-7)r@yyBIzJnBFSKBUSl1e|8lxU* zzFL+YDVVkIuzFWeJ8AbgN&w(4-7zbiaMn{5!JQXu)SELk*CNL+Fro|2v|YO)1l15t zs(0^&EB6DPMyaqvY>=KL>)tEpsn;N5Q#yJj<9}ImL((SqErWN3Q=;tBO~ExTCs9hB z2E$7eN#5wX4<3m^5pdjm#5o>s#eS_Q^P)tm$@SawTqF*1dj_i#)3};JslbLKHXl_N z)Fxzf>FN)EK&Rz&*|6&%Hs-^f{V|+_vL1S;-1K-l$5xiC@}%uDuwHYhmsV?YcOUlk zOYkG5v2+`+UWqpn0aaaqrD3lYdh0*!L`3FAsNKu=Q!vJu?Yc8n|CoYyDo_`r0mPoo z8>XCo$W4>l(==h?2~PoRR*kEe)&IH{1sM41mO#-36`02m#nTX{r*r`Q5rZ2-sE|nA zhnn5T#s#v`52T5|?GNS`%HgS2;R(*|^egNPDzzH_z^W)-Q98~$#YAe)cEZ%vge965AS_am#DK#pjPRr-!^za8>`kksCAUj(Xr*1NW5~e zpypt_eJpD&4_bl_y?G%>^L}=>xAaV>KR6;^aBytqpiHe%!j;&MzI_>Sx7O%F%D*8s zSN}cS^<{iiK)=Ji`FpO#^zY!_|D)qeRNAtgmH)m;qC|mq^j(|hL`7uBz+ULUj37gj zksdbnU+LSVo35riSX_4z{UX=%n&}7s0{WuZYoSfwAP`8aKN9P@%e=~1`~1ASL-z%# zw>DO&ixr}c9%4InGc*_y42bdEk)ZdG7-mTu0bD@_vGAr*NcFoMW;@r?@LUhRI zCUJgHb`O?M3!w)|CPu~ej%fddw20lod?Ufp8Dmt0PbnA0J%KE^2~AIcnKP()025V> zG>noSM3$5Btmc$GZoyP^v1@Poz0FD(6YSTH@aD0}BXva?LphAiSz9f&Y(aDAzBnUh z?d2m``~{z;{}kZJ>a^wYI?ry(V9hIoh;|EFc0*-#*`$T0DRQ1;WsqInG;YPS+I4{g zJGpKk%%Sdc5xBa$Q^_I~(F97eqDO7AN3EN0u)PNBAb+n+ zWBTxQx^;O9o0`=g+Zrt_{lP!sgWZHW?8bLYS$;1a@&7w9rD9|Ge;Gb?sEjFoF9-6v z#!2)t{DMHZ2@0W*fCx;62d#;jouz`R5Y(t{BT=$N4yr^^o$ON8d{PQ=!O zX17^CrdM~7D-;ZrC!||<+FEOxI_WI3CA<35va%4v>gc zEX-@h8esj=a4szW7x{0g$hwoWRQG$yK{@3mqd-jYiVofJE!Wok1* znV7Gm&Ssq#hFuvj1sRyHg(6PFA5U*Q8Rx>-blOs=lb`qa{zFy&n4xY;sd$fE+<3EI z##W$P9M{B3c3Si9gw^jlPU-JqD~Cye;wr=XkV7BSv#6}DrsXWFJ3eUNrc%7{=^sP> zrp)BWKA9<}^R9g!0q7yWlh;gr_TEOD|#BmGq<@IV;ueg+D2}cjpp+dPf&Q(36sFU&K8}hA85U61faW&{ zlB`9HUl-WWCG|<1XANN3JVAkRYvr5U4q6;!G*MTdSUt*Mi=z_y3B1A9j-@aK{lNvx zK%p23>M&=KTCgR!Ee8c?DAO2_R?B zkaqr6^BSP!8dHXxj%N1l+V$_%vzHjqvu7p@%Nl6;>y*S}M!B=pz=aqUV#`;h%M0rU zHfcog>kv3UZAEB*g7Er@t6CF8kHDmKTjO@rejA^ULqn!`LwrEwOVmHx^;g|5PHm#B zZ+jjWgjJ!043F+&#_;D*mz%Q60=L9Ove|$gU&~As5^uz@2-BfQ!bW)Khn}G+Wyjw- z19qI#oB(RSNydn0t~;tAmK!P-d{b-@@E5|cdgOS#!>%#Rj6ynkMvaW@37E>@hJP^8 z2zk8VXx|>#R^JCcWdBCy{0nPmYFOxN55#^-rlqobe0#L6)bi?E?SPymF*a5oDDeSd zO0gx?#KMoOd&G(2O@*W)HgX6y_aa6iMCl^~`{@UR`nMQE`>n_{_aY5nA}vqU8mt8H z`oa=g0SyiLd~BxAj2~l$zRSDHxvDs;I4>+M$W`HbJ|g&P+$!U7-PHX4RAcR0szJ*( ze-417=bO2q{492SWrqDK+L3#ChUHtz*@MP)e^%@>_&#Yk^1|tv@j4%3T)diEX zATx4K*hcO`sY$jk#jN5WD<=C3nvuVsRh||qDHnc~;Kf59zr0;c7VkVSUPD%NnnJC_ zl3F^#f_rDu8l}l8qcAz0FFa)EAt32IUy_JLIhU_J^l~FRH&6-ivSpG2PRqzDdMWft>Zc(c)#tb%wgmWN%>IOPm zZi-noqS!^Ftb81pRcQi`X#UhWK70hy4tGW1mz|+vI8c*h@ zfFGJtW3r>qV>1Z0r|L>7I3un^gcep$AAWfZHRvB|E*kktY$qQP_$YG60C@X~tTQjB3%@`uz!qxtxF+LE!+=nrS^07hn` zEgAp!h|r03h7B!$#OZW#ACD+M;-5J!W+{h|6I;5cNnE(Y863%1(oH}_FTW})8zYb$7czP zg~Szk1+_NTm6SJ0MS_|oSz%e(S~P-&SFp;!k?uFayytV$8HPwuyELSXOs^27XvK-D zOx-Dl!P|28DK6iX>p#Yb%3`A&CG0X2S43FjN%IB}q(!hC$fG}yl1y9W&W&I@KTg6@ zK^kpH8=yFuP+vI^+59|3%Zqnb5lTDAykf z9S#X`3N(X^SpdMyWQGOQRjhiwlj!0W-yD<3aEj^&X%=?`6lCy~?`&WSWt z?U~EKFcCG_RJ(Qp7j=$I%H8t)Z@6VjA#>1f@EYiS8MRHZphp zMA_5`znM=pzUpBPO)pXGYpQ6gkine{6u_o!P@Q+NKJ}k!_X7u|qfpAyIJb$_#3@wJ z<1SE2Edkfk9C!0t%}8Yio09^F`YGzpaJHGk*-ffsn85@)%4@`;Fv^8q(-Wk7r=Q8p zT&hD`5(f?M{gfzGbbwh8(}G#|#fDuk7v1W)5H9wkorE0ZZjL0Q1=NRGY>zwgfm81DdoaVwNH;or{{eSyybt)m<=zXoA^RALYG-2t zouH|L*BLvmm9cdMmn+KGopyR@4*=&0&4g|FLoreZOhRmh=)R0bg~ zT2(8V_q7~42-zvb)+y959OAv!V$u(O3)%Es0M@CRFmG{5sovIq4%8Ahjk#*5w{+)+ zMWQoJI_r$HxL5km1#6(e@{lK3Udc~n0@g`g$s?VrnQJ$!oPnb?IHh-1qA`Rz$)Ai< z6w$-MJW-gKNvOhL+XMbE7&mFt`x1KY>k4(!KbbpZ`>`K@1J<(#vVbjx@Z@(6Q}MF# zMnbr-f55(cTa^q4+#)=s+ThMaV~E`B8V=|W_fZWDwiso8tNMTNse)RNBGi=gVwgg% zbOg8>mbRN%7^Um-7oj4=6`$|(K7!+t^90a{$18Z>}<#!bm%ZEFQ{X(yBZMc>lCz0f1I2w9Sq zuGh<9<=AO&g6BZte6hn>Qmvv;Rt)*cJfTr2=~EnGD8P$v3R|&1RCl&7)b+`=QGapi zPbLg_pxm`+HZurtFZ;wZ=`Vk*do~$wB zxoW&=j0OTbQ=Q%S8XJ%~qoa3Ea|au5o}_(P;=!y-AjFrERh%8la!z6Fn@lR?^E~H12D?8#ht=1F;7@o4$Q8GDj;sSC%Jfn01xgL&%F2 zwG1|5ikb^qHv&9hT8w83+yv&BQXOQyMVJSBL(Ky~p)gU3#%|blG?IR9rP^zUbs7rOA0X52Ao=GRt@C&zlyjNLv-} z9?*x{y(`509qhCV*B47f2hLrGl^<@SuRGR!KwHei?!CM10Tq*YDIoBNyRuO*>3FU? zHjipIE#B~y3FSfOsMfj~F9PNr*H?0oHyYB^G(YyNh{SxcE(Y-`x5jFMKb~HO*m+R% zrq|ic4fzJ#USpTm;X7K+E%xsT_3VHKe?*uc4-FsILUH;kL>_okY(w`VU*8+l>o>Jm ziU#?2^`>arnsl#)*R&nf_%>A+qwl%o{l(u)M?DK1^mf260_oteV3#E_>6Y4!_hhVD zM8AI6MM2V*^_M^sQ0dmHu11fy^kOqXqzpr?K$`}BKWG`=Es(9&S@K@)ZjA{lj3ea7_MBP zk(|hBFRjHVMN!sNUkrB;(cTP)T97M$0Dtc&UXSec<+q?y>5=)}S~{Z@ua;1xt@=T5 zI7{`Z=z_X*no8s>mY;>BvEXK%b`a6(DTS6t&b!vf_z#HM{Uoy_5fiB(zpkF{})ruka$iX*~pq1ZxD?q68dIo zIZSVls9kFGsTwvr4{T_LidcWtt$u{kJlW7moRaH6+A5hW&;;2O#$oKyEN8kx`LmG)Wfq4ykh+q{I3|RfVpkR&QH_x;t41Uw z`P+tft^E2B$domKT@|nNW`EHwyj>&}K;eDpe z1bNOh=fvIfk`&B61+S8ND<(KC%>y&?>opCnY*r5M+!UrWKxv0_QvTlJc>X#AaI^xo zaRXL}t5Ej_Z$y*|w*$6D+A?Lw-CO-$itm^{2Ct82-<0IW)0KMNvJHgBrdsIR0v~=H z?n6^}l{D``Me90`^o|q!olsF?UX3YSq^6Vu>Ijm>>PaZI8G@<^NGw{Cx&%|PwYrfw zR!gX_%AR=L3BFsf8LxI|K^J}deh0ZdV?$3r--FEX`#INxsOG6_=!v)DI>0q|BxT)z z-G6kzA01M?rba+G_mwNMQD1mbVbNTWmBi*{s_v_Ft9m2Avg!^78(QFu&n6mbRJ2bA zv!b;%yo{g*9l2)>tsZJOOp}U~8VUH`}$ z8p_}t*XIOehezolNa-a2x0BS})Y9}&*TPgua{Ewn-=wVrmJUeU39EKx+%w%=ixQWK zDLpwaNJs65#6o7Ln7~~X+p_o2BR1g~VCfxLzxA{HlWAI6^H;`juI=&r1jQrUv_q0Z z1Ja-tjdktrrP>GOC*#p?*xfQU5MqjMsBe!9lh(u8)w$e@Z|>aUHI5o;MGw*|Myiz3 z-f0;pHg~Q#%*Kx8MxH%AluVXjG2C$)WL-K63@Q`#y9_k_+}eR(x4~dp7oV-ek0H>I zgy8p#i4GN{>#v=pFYUQT(g&b$OeTy-X_#FDgNF8XyfGY6R!>inYn8IR2RDa&O!(6< znXs{W!bkP|s_YI*Yx%4stI`=ZO45IK6rBs`g7sP40ic}GZ58s?Mc$&i`kq_tfci>N zIHrC0H+Qpam1bNa=(`SRKjixBTtm&e`j9porEci!zdlg1RI0Jw#b(_Tb@RQK1Zxr_ z%7SUeH6=TrXt3J@js`4iDD0=IoHhK~I7^W8^Rcp~Yaf>2wVe|Hh1bUpX9ATD#moByY57-f2Ef1TP^lBi&p5_s7WGG9|0T}dlfxOx zXvScJO1Cnq`c`~{Dp;{;l<-KkCDE+pmexJkd}zCgE{eF=)K``-qC~IT6GcRog_)!X z?fK^F8UDz$(zFUrwuR$qro5>qqn>+Z%<5>;_*3pZ8QM|yv9CAtrAx;($>4l^_$_-L z*&?(77!-=zvnCVW&kUcZMb6;2!83si518Y%R*A3JZ8Is|kUCMu`!vxDgaWjs7^0j( ziTaS4HhQ)ldR=r)_7vYFUr%THE}cPF{0H45FJ5MQW^+W>P+eEX2kLp3zzFe*-pFVA zdDZRybv?H|>`9f$AKVjFWJ=wegO7hOOIYCtd?Vj{EYLT*^gl35|HQ`R=ti+ADm{jyQE7K@kdjuqJhWVSks>b^ zxha88-h3s;%3_5b1TqFCPTxVjvuB5U>v=HyZ$?JSk+&I%)M7KE*wOg<)1-Iy)8-K! z^XpIt|0ibmk9RtMmlUd7#Ap3Q!q9N4atQy)TmrhrFhfx1DAN`^vq@Q_SRl|V z#lU<~n67$mT)NvHh`%als+G-)x1`Y%4Bp*6Un5Ri9h=_Db zA-AdP!f>f0m@~>7X#uBM?diI@)Egjuz@jXKvm zJo+==juc9_<;CqeRaU9_Mz@;3e=E4=6TK+c`|uu#pIqhSyNm`G(X)&)B`8q0RBv#> z`gGlw(Q=1Xmf55VHj%C#^1lpc>LY8kfA@|rlC1EA<1#`iuyNO z(=;irt{_&K=i4)^x%;U(Xv<)+o=dczC5H3W~+e|f~{*ucxj@{Yi-cw^MqYr3fN zF5D+~!wd$#al?UfMnz(@K#wn`_5na@rRr8XqN@&M&FGEC@`+OEv}sI1hw>Up0qAWf zL#e4~&oM;TVfjRE+10B_gFlLEP9?Q-dARr3xi6nQqnw>k-S;~b z;!0s2VS4}W8b&pGuK=7im+t(`nz@FnT#VD|!)eQNp-W6)@>aA+j~K*H{$G`y2|QHY z|Hmy+CR@#jWY4~)lr1qBJB_RfHJFfP<}pK5(#ZZGSqcpyS&}01LnTWk5fzmXMGHkJ zTP6L^B+uj;lmB_W<~4=${+v0>z31M!-_O@o-O9GyW)j_mjx}!0@br_LE-7SIuPP84 z;5=O(U*g_um0tyG|61N@d9lEuOeiRd+#NY^{nd5;-CVlw&Ap7J?qwM^?E29wvS}2d zbzar4Fz&RSR(-|s!Z6+za&Z zY#D<5q_JUktIzvL0)yq_kLWG6DO{ri=?c!y!f(Dk%G{8)k`Gym%j#!OgXVDD3;$&v@qy#ISJfp=Vm>pls@9-mapVQChAHHd-x+OGx)(*Yr zC1qDUTZ6mM(b_hi!TuFF2k#8uI2;kD70AQ&di$L*4P*Y-@p`jdm%_c3f)XhYD^6M8&#Y$ZpzQMcR|6nsH>b=*R_Von!$BTRj7yGCXokoAQ z&ANvx0-Epw`QIEPgI(^cS2f(Y85yV@ygI{ewyv5Frng)e}KCZF7JbR(&W618_dcEh(#+^zZFY;o<815<5sOHQdeax9_!PyM&;{P zkBa5xymca0#)c#tke@3KNEM8a_mT&1gm;p&&JlMGH(cL(b)BckgMQ^9&vRwj!~3@l zY?L5}=Jzr080OGKb|y`ee(+`flQg|!lo6>=H)X4`$Gz~hLmu2a%kYW_Uu8x09Pa0J zKZ`E$BKJ=2GPj_3l*TEcZ*uYRr<*J^#5pILTT;k_cgto1ZL-%slyc16J~OH-(RgDA z%;EjEnoUkZ&acS{Q8`{i6T5^nywgqQI5bDIymoa7CSZG|WWVk>GM9)zy*bNih|QIm z%0+(Nnc*a_xo;$=!HQYaapLms>J1ToyjtFByY`C2H1wT#178#4+|{H0BBqtCdd$L% z_3Hc60j@{t9~MjM@LBalR&6@>B;9?r<7J~F+WXyYu*y3?px*=8MAK@EA+jRX8{CG?GI-< z54?Dc9CAh>QTAvyOEm0^+x;r2BWX|{3$Y7)L5l*qVE*y0`7J>l2wCmW zL1?|a`pJ-l{fb_N;R(Z9UMiSj6pQjOvQ^%DvhIJF!+Th7jO2~1f1N+(-TyCFYQZYw z4)>7caf^Ki_KJ^Zx2JUb z&$3zJy!*+rCV4%jqwyuNY3j1ZEiltS0xTzd+=itTb;IPYpaf?8Y+RSdVdpacB(bVQ zC(JupLfFp8y43%PMj2}T|VS@%LVp>hv4Y!RPMF?pp8U_$xCJ)S zQx!69>bphNTIb9yn*_yfj{N%bY)t{L1cs8<8|!f$;UQ*}IN=2<6lA;x^(`8t?;+ST zh)z4qeYYgZkIy{$4x28O-pugO&gauRh3;lti9)9Pvw+^)0!h~%m&8Q!AKX%urEMnl z?yEz?g#ODn$UM`+Q#$Q!6|zsq_`dLO5YK-6bJM6ya>}H+vnW^h?o$z;V&wvuM$dR& zeEq;uUUh$XR`TWeC$$c&Jjau2it3#%J-y}Qm>nW*s?En?R&6w@sDXMEr#8~$=b(gk zwDC3)NtAP;M2BW_lL^5ShpK$D%@|BnD{=!Tq)o(5@z3i7Z){} zGr}Exom_qDO{kAVkZ*MbLNHE666Kina#D{&>Jy%~w7yX$oj;cYCd^p9zy z8*+wgSEcj$4{WxKmCF(5o7U4jqwEvO&dm1H#7z}%VXAbW&W24v-tS6N3}qrm1OnE)fUkoE8yMMn9S$?IswS88tQWm4#Oid#ckgr6 zRtHm!mfNl-`d>O*1~d7%;~n+{Rph6BBy^95zqI{K((E!iFQ+h*C3EsbxNo_aRm5gj zKYug($r*Q#W9`p%Bf{bi6;IY0v`pB^^qu)gbg9QHQ7 zWBj(a1YSu)~2RK8Pi#C>{DMlrqFb9e_RehEHyI{n?e3vL_}L>kYJC z_ly$$)zFi*SFyNrnOt(B*7E$??s67EO%DgoZL2XNk8iVx~X_)o++4oaK1M|ou73vA0K^503j@uuVmLcHH4ya-kOIDfM%5%(E z+Xpt~#7y2!KB&)PoyCA+$~DXqxPxxALy!g-O?<9+9KTk4Pgq4AIdUkl`1<1#j^cJg zgU3`0hkHj_jxV>`Y~%LAZl^3o0}`Sm@iw7kwff{M%VwtN)|~!p{AsfA6vB5UolF~d zHWS%*uBDt<9y!9v2Xe|au&1j&iR1HXCdyCjxSgG*L{wmTD4(NQ=mFjpa~xooc6kju z`~+d{j7$h-;HAB04H!Zscu^hZffL#9!p$)9>sRI|Yovm)g@F>ZnosF2EgkU3ln0bR zTA}|+E(tt)!SG)-bEJi_0m{l+(cAz^pi}`9=~n?y&;2eG;d9{M6nj>BHGn(KA2n|O zt}$=FPq!j`p&kQ8>cirSzkU0c08%8{^Qyqi-w2LoO8)^E7;;I1;HQ6B$u0nNaX2CY zSmfi)F`m94zL8>#zu;8|{aBui@RzRKBlP1&mfFxEC@%cjl?NBs`cr^nm){>;$g?rhKr$AO&6qV_Wbn^}5tfFBry^e1`%du2~o zs$~dN;S_#%iwwA_QvmMjh%Qo?0?rR~6liyN5Xmej8(*V9ym*T`xAhHih-v$7U}8=dfXi2i*aAB!xM(Xekg*ix@r|ymDw*{*s0?dlVys2e)z62u1 z+k3esbJE=-P5S$&KdFp+2H7_2e=}OKDrf( z9-207?6$@f4m4B+9E*e((Y89!q?zH|mz_vM>kp*HGXldO0Hg#!EtFhRuOm$u8e~a9 z5(roy7m$Kh+zjW6@zw{&20u?1f2uP&boD}$#Zy)4o&T;vyBoqFiF2t;*g=|1=)PxB z8eM3Mp=l_obbc?I^xyLz?4Y1YDWPa+nm;O<$Cn;@ane616`J9OO2r=rZr{I_Kizyc zP#^^WCdIEp*()rRT+*YZK>V@^Zs=ht32x>Kwe zab)@ZEffz;VM4{XA6e421^h~`ji5r%)B{wZu#hD}f3$y@L0JV9f3g{-RK!A?vBUA}${YF(vO4)@`6f1 z-A|}e#LN{)(eXloDnX4Vs7eH|<@{r#LodP@Nz--$Dg_Par%DCpu2>2jUnqy~|J?eZ zBG4FVsz_A+ibdwv>mLp>P!(t}E>$JGaK$R~;fb{O3($y1ssQQo|5M;^JqC?7qe|hg zu0ZOqeFcp?qVn&Qu7FQJ4hcFi&|nR!*j)MF#b}QO^lN%5)4p*D^H+B){n8%VPUzi! zDihoGcP71a6!ab`l^hK&*dYrVYzJ0)#}xVrp!e;lI!+x+bfCN0KXwUAPU9@#l7@0& QuEJmfE|#`Dqx|px0L@K;Y5)KL literal 0 HcmV?d00001 diff --git a/appsec/tests/integration/gradle/wrapper/gradle-wrapper.properties b/appsec/tests/integration/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 00000000000..e750102e092 --- /dev/null +++ b/appsec/tests/integration/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,5 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.3-bin.zip +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/appsec/tests/integration/gradlew b/appsec/tests/integration/gradlew new file mode 100755 index 00000000000..1b6c787337f --- /dev/null +++ b/appsec/tests/integration/gradlew @@ -0,0 +1,234 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit + +APP_NAME="Gradle" +APP_BASE_NAME=${0##*/} + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/appsec/tests/integration/gradlew.bat b/appsec/tests/integration/gradlew.bat new file mode 100644 index 00000000000..107acd32c4e --- /dev/null +++ b/appsec/tests/integration/gradlew.bat @@ -0,0 +1,89 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/appsec/tests/integration/settings.gradle b/appsec/tests/integration/settings.gradle new file mode 100644 index 00000000000..ef2aaa86a0b --- /dev/null +++ b/appsec/tests/integration/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'dd-appsec-php-integration' diff --git a/appsec/tests/integration/src/docker/apache2-fpm/Dockerfile b/appsec/tests/integration/src/docker/apache2-fpm/Dockerfile new file mode 100644 index 00000000000..dbf502e5662 --- /dev/null +++ b/appsec/tests/integration/src/docker/apache2-fpm/Dockerfile @@ -0,0 +1,27 @@ +ARG PHP_VERSION +ARG VARIANT +FROM datadog/dd-appsec-php-ci:php-$PHP_VERSION-$VARIANT + +RUN apt-get update && apt-get install -y \ + apache2 \ + && rm -rf /var/lib/apt/lists/* + +RUN rm -rf /var/www/html +RUN sed -i '//,/<\/Directory>/s/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf +RUN a2enmod rewrite + +ADD apache2-fpm/entrypoint.sh / + +ADD apache2-fpm/php-site.conf /etc/apache2/sites-available/ +ADD fpm-common/php-fpm.conf /etc/ +RUN mkdir /etc/php-fpm.d/ +ADD fpm-common/www.conf /etc/php-fpm.d/ +RUN a2enmod proxy_fcgi +RUN a2dissite 000-default +RUN a2ensite php-site + +RUN chmod a+rx /root + +EXPOSE 80 +ENTRYPOINT ["/entrypoint.sh"] + diff --git a/appsec/tests/integration/src/docker/apache2-fpm/entrypoint.sh b/appsec/tests/integration/src/docker/apache2-fpm/entrypoint.sh new file mode 100755 index 00000000000..f3f74335557 --- /dev/null +++ b/appsec/tests/integration/src/docker/apache2-fpm/entrypoint.sh @@ -0,0 +1,23 @@ +#!/bin/bash -e + +set -x + +mkdir -p /tmp/logs/apache2 +LOGS_PHP=(/tmp/logs/appsec.log /tmp/logs/helper.log /tmp/logs/php_error.log /tmp/logs/php_fpm_error.log) +touch "${LOGS_PHP[@]}" +chown www-data:www-data "${LOGS_PHP[@]}" + +LOGS_APACHE=(/tmp/logs/apache2/{access.log,error.log}) +touch "${LOGS_APACHE[@]}" +chown root:adm "${LOGS_APACHE[@]}" + +env | sed 's/^/export /' >> /etc/apache2/envvars +sed -i 's@APACHE_LOG_DIR=.*@APACHE_LOG_DIR=/tmp/logs/apache2@' /etc/apache2/envvars +#sed -i 's/\$HTTPD \${APACHE_ARGUMENTS} -k "\$ARGV"/\0 -X \&/' /usr/sbin/apache2ctl + +enable_extensions.sh + +php-fpm -y /etc/php-fpm.conf -c /etc/php/php.ini +service apache2 start + +exec tail -F "${LOGS_PHP[@]}" "${LOGS_APACHE[@]}" diff --git a/appsec/tests/integration/src/docker/apache2-fpm/php-site.conf b/appsec/tests/integration/src/docker/apache2-fpm/php-site.conf new file mode 100644 index 00000000000..a2889d01014 --- /dev/null +++ b/appsec/tests/integration/src/docker/apache2-fpm/php-site.conf @@ -0,0 +1,16 @@ + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/public + + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + DirectoryIndex index.html + ProxyPassMatch "^/(.*\\.php(/.*)?)$" "fcgi://127.0.0.1:9000/var/www/public + + +Mutex posixsem + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/appsec/tests/integration/src/docker/apache2-mod/Dockerfile b/appsec/tests/integration/src/docker/apache2-mod/Dockerfile new file mode 100644 index 00000000000..9d9e1ae252c --- /dev/null +++ b/appsec/tests/integration/src/docker/apache2-mod/Dockerfile @@ -0,0 +1,33 @@ +ARG PHP_VERSION +ARG VARIANT +FROM datadog/dd-appsec-php-ci:php-$PHP_VERSION-$VARIANT + +RUN apt-get update && apt-get install -y \ + apache2 \ + && rm -rf /var/lib/apt/lists/* + +RUN rm -rf /var/www/html +RUN sed -i 's@/var/www/html@/var/www/public@' /etc/apache2/sites-available/000-default.conf +RUN sed -i '//,/<\/Directory>/s/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf +RUN a2enmod rewrite + +ADD apache2-mod/entrypoint.sh / + +ARG PHP_VERSION +ARG VARIANT +ADD apache2-mod/php.conf /etc/apache2/mods-available/ +ADD apache2-mod/php.load /etc/apache2/mods-available/ +RUN /bin/bash -c 'if [[ "${PHP_VERSION:0:1}" -ge 8 ]]; then sed -i "s/%PHP_MAJOR_VERSION//g" /etc/apache2/mods-available/php.{conf,load}; else \ + sed -i "s/%PHP_MAJOR_VERSION/${PHP_VERSION:0:1}/g" /etc/apache2/mods-available/php.{conf,load}; fi' +RUN if echo $VARIANT | grep -q zts; \ + then sed -i "s/%MPM/event/" /etc/apache2/mods-available/php.load; \ + else sed -i "s/%MPM/prefork/" /etc/apache2/mods-available/php.load; \ + fi +RUN if ! { echo $VARIANT | grep -q zts; }; then a2dismod mpm_event; a2enmod mpm_prefork; fi +RUN a2enmod php + +RUN chmod a+rx /root + +EXPOSE 80 +ENTRYPOINT ["/entrypoint.sh"] + diff --git a/appsec/tests/integration/src/docker/apache2-mod/entrypoint.sh b/appsec/tests/integration/src/docker/apache2-mod/entrypoint.sh new file mode 100755 index 00000000000..df94b70c57e --- /dev/null +++ b/appsec/tests/integration/src/docker/apache2-mod/entrypoint.sh @@ -0,0 +1,22 @@ +#!/bin/bash -e + +set -x + +mkdir -p /tmp/logs/apache2 +LOGS_PHP=(/tmp/logs/appsec.log /tmp/logs/helper.log /tmp/logs/php_error.log) +touch "${LOGS_PHP[@]}" +chown www-data:www-data "${LOGS_PHP[@]}" + +LOGS_APACHE=(/tmp/logs/apache2/{access.log,error.log}) +touch "${LOGS_APACHE[@]}" +chown root:adm "${LOGS_APACHE[@]}" + +env | sed 's/^/export /' >> /etc/apache2/envvars +sed -i 's@APACHE_LOG_DIR=.*@APACHE_LOG_DIR=/tmp/logs/apache2@' /etc/apache2/envvars +#sed -i 's/\$HTTPD \${APACHE_ARGUMENTS} -k "\$ARGV"/\0 -X \&/' /usr/sbin/apache2ctl + +enable_extensions.sh + +service apache2 start + +exec tail -F "${LOGS_PHP[@]}" "${LOGS_APACHE[@]}" diff --git a/appsec/tests/integration/src/docker/apache2-mod/php.conf b/appsec/tests/integration/src/docker/apache2-mod/php.conf new file mode 100644 index 00000000000..acc8bfdf54d --- /dev/null +++ b/appsec/tests/integration/src/docker/apache2-mod/php.conf @@ -0,0 +1,11 @@ + + + SetHandler application/x-httpd-php + Require all granted + + + SetHandler application/x-httpd-php-source + Require all denied + + PHPIniDir "/etc/php/php.ini" + diff --git a/appsec/tests/integration/src/docker/apache2-mod/php.load b/appsec/tests/integration/src/docker/apache2-mod/php.load new file mode 100644 index 00000000000..00bb9224d7b --- /dev/null +++ b/appsec/tests/integration/src/docker/apache2-mod/php.load @@ -0,0 +1,2 @@ +# Depends: mpm_%MPM +LoadModule php%PHP_MAJOR_VERSION_module /usr/lib/apache2/modules/libphp%PHP_MAJOR_VERSION.so diff --git a/appsec/tests/integration/src/docker/fpm-common/php-fpm.conf b/appsec/tests/integration/src/docker/fpm-common/php-fpm.conf new file mode 100644 index 00000000000..5867d7bef5e --- /dev/null +++ b/appsec/tests/integration/src/docker/fpm-common/php-fpm.conf @@ -0,0 +1,4 @@ +[global] +error_log = /tmp/logs/php_fpm_error.log + +include=/etc/php-fpm.d/*.conf diff --git a/appsec/tests/integration/src/docker/fpm-common/www.conf b/appsec/tests/integration/src/docker/fpm-common/www.conf new file mode 100644 index 00000000000..6d68fb2c775 --- /dev/null +++ b/appsec/tests/integration/src/docker/fpm-common/www.conf @@ -0,0 +1,26 @@ +[www] + +user = www-data +group = www-data + +listen = 127.0.0.1:9000 +listen.allowed_clients = 127.0.0.1 + +pm = static +pm.max_children = 1 +pm.max_requests = 50 +pm.status_path = /status +ping.path = /ping +ping.response = pong + +rlimit_core = unlimited + +clear_env = no +security.limit_extensions = .php + +php_admin_value[error_log] = /tmp/logs/php_error.log +php_admin_flag[log_errors] = on + +;Default is 10000 so lets give it 1 more +;in order to test pool envs +env[DD_APPSEC_WAF_TIMEOUT] = "10001" diff --git a/appsec/tests/integration/src/docker/nginx-fpm/Dockerfile b/appsec/tests/integration/src/docker/nginx-fpm/Dockerfile new file mode 100644 index 00000000000..f9475e2b4ea --- /dev/null +++ b/appsec/tests/integration/src/docker/nginx-fpm/Dockerfile @@ -0,0 +1,21 @@ +ARG PHP_VERSION +ARG VARIANT + +FROM datadog/dd-appsec-php-ci:php-$PHP_VERSION-$VARIANT + +RUN apt-get update && apt-get install -y \ + nginx \ + && rm -rf /var/lib/apt/lists/* + +RUN rm -rf /var/www/html + +ADD nginx-fpm/entrypoint.sh / +ADD nginx-fpm/default /etc/nginx/sites-available/default + +ADD fpm-common/php-fpm.conf /etc/ +RUN mkdir /etc/php-fpm.d/ +ADD fpm-common/www.conf /etc/php-fpm.d/ + +EXPOSE 80 +ENTRYPOINT ["/entrypoint.sh"] + diff --git a/appsec/tests/integration/src/docker/nginx-fpm/default b/appsec/tests/integration/src/docker/nginx-fpm/default new file mode 100644 index 00000000000..798a99ce400 --- /dev/null +++ b/appsec/tests/integration/src/docker/nginx-fpm/default @@ -0,0 +1,19 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + + index index.php index.html; + server_name phpfpm.local; + error_log /var/log/nginx/error.log; + access_log /var/log/nginx/access.log; + root /var/www/public; + + location ~ \.php$ { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + fastcgi_param HTTP_PROXY ""; + fastcgi_param DD_SERVICE_NAME "some-name"; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi.conf; + } +} diff --git a/appsec/tests/integration/src/docker/nginx-fpm/entrypoint.sh b/appsec/tests/integration/src/docker/nginx-fpm/entrypoint.sh new file mode 100755 index 00000000000..a3068651e92 --- /dev/null +++ b/appsec/tests/integration/src/docker/nginx-fpm/entrypoint.sh @@ -0,0 +1,19 @@ +#!/bin/bash -e + +set -x +mkdir -p /tmp/logs/nginx + +LOGS_PHP=(/tmp/logs/appsec.log /tmp/logs/helper.log /tmp/logs/php_error.log /tmp/logs/php_fpm_error.log) +touch "${LOGS_PHP[@]}" +chown www-data "${LOGS_PHP[@]}" + +LOGS_NGINX=(/var/log/nginx/{access.log,error.log}) +touch "${LOGS_NGINX[@]}" +chown root:adm "${LOGS_NGINX[@]}" + +enable_extensions.sh + +php-fpm -y /etc/php-fpm.conf -c /etc/php/php.ini +service nginx start + +exec tail -F "${LOGS_PHP[@]}" "${LOGS_NGINX[@]}" diff --git a/appsec/tests/integration/src/docker/php/Dockerfile b/appsec/tests/integration/src/docker/php/Dockerfile new file mode 100644 index 00000000000..c5fe969ce23 --- /dev/null +++ b/appsec/tests/integration/src/docker/php/Dockerfile @@ -0,0 +1,37 @@ +FROM datadog/dd-appsec-php-ci:php-deps + +RUN apt-get update && apt-get install -y \ + pkg-config \ + libxml2-dev \ + zlib1g-dev \ + libzip-dev \ + libcurl4-gnutls-dev \ + libgmp-dev \ + libonig-dev \ + libpq-dev \ + apache2-dev \ + libsqlite3-dev \ + gdb \ + vim \ + && rm -rf /var/lib/apt/lists/* +ADD build_dev_php.sh /build/php/ +ADD php_patches/ /build/php/php_patches/ +RUN mkdir -p /etc/php && ln -s /root/php/php.ini /etc/php/ +ARG PHP_VERSION +ARG VARIANT + +ENV NO_APX_WRAPPER=1 + +RUN USER=root /build/php/build_dev_php.sh "$PHP_VERSION" "$VARIANT" +ADD php.ini /root/php/php.ini +ENV PHPRC=/root/php/php.ini + +RUN chmod +x /root + +ENV PATH=/root/php/$PHP_VERSION-$VARIANT/bin/:/root/php/$PHP_VERSION-$VARIANT/sbin/:$PATH +ENV HUNTER_ROOT=/root/.hunter +ENV CARGO_HOME=/root/.cargo +ENV RUSTUP_HOME=/root/.rustup +ENV LD_LIBRARY_PATH=/root/php/icu-60/lib + +ENTRYPOINT ["php"] diff --git a/appsec/tests/integration/src/docker/php/Dockerfile-php-deps b/appsec/tests/integration/src/docker/php/Dockerfile-php-deps new file mode 100644 index 00000000000..6ecb4c55243 --- /dev/null +++ b/appsec/tests/integration/src/docker/php/Dockerfile-php-deps @@ -0,0 +1,25 @@ +FROM datadog/dd-appsec-php-ci:toolchain + +RUN apt-get update && apt-get install -y \ + pkg-config \ + libxml2-dev \ + libzip-dev \ + zlib1g-dev \ + libcurl4-gnutls-dev \ + libgmp-dev \ + libpng-dev \ + libonig-dev \ + libpq-dev \ + apache2-dev \ + libsqlite3-dev \ + netcat-openbsd \ + gdb \ + procps \ + vim \ + && rm -rf /var/lib/apt/lists/* +ADD build_dev_php.sh /build/php/ + +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain 1.73.0 -y +ENV PATH="/root/.cargo/bin:${PATH}" + +RUN USER=root /build/php/build_dev_php.sh deps diff --git a/appsec/tests/integration/src/docker/php/build_dev_php.sh b/appsec/tests/integration/src/docker/php/build_dev_php.sh new file mode 100755 index 00000000000..d6124fd01fd --- /dev/null +++ b/appsec/tests/integration/src/docker/php/build_dev_php.sh @@ -0,0 +1,439 @@ +#!/usr/bin/env bash + +set -euo pipefail + +cd "$(dirname "$(readlink -f "$0")" )" +export REPO_ROOT="$PWD" +: "${PHP_HOMEDIR:=$(echo ~/php)}" + +# If you want to customize installation directory, copy/hack this script. +mkdir -p "$PHP_HOMEDIR" +cd "$PHP_HOMEDIR" + +# See https://php.net/downloads.php to know version numbers of recent PHP releases. + +function php_version_id { + local readonly version=$(echo $1 | sed 's/\(beta\|alpha\|RC\).\+//') + local readonly major=$(echo $version | cut -d. -f1) \ + minor=$(echo $version | cut -d. -f2) \ + patch=$(echo $version | cut -d. -f3) + + patch=${patch:=0} + + echo $(($major * 10000 + $minor * 100 + $patch)) +} + +function download_php { + local readonly version=$1 + local readonly download_dir="$PHP_HOMEDIR/sources/$version" + local readonly version_id=$(php_version_id $version) + + mkdir -p "$download_dir" + if [[ -f $download_dir/.download_success ]]; then + return + fi + + local download_url + if [[ $version_id -lt 50400 ]]; then + download_url="http://museum.php.net/php5/php-${version}.tar.gz" + else + download_url="https://www.php.net/distributions/php-${version}.tar.gz" + fi + + cd "$download_dir" + curl -L -f -v "$download_url" | tar --strip-components=1 -xzf - + + touch "$download_dir"/.download_success +} + +function contains_element { + local el match="$1" + shift + for el; do [[ "$el" == "$match" ]] && return 0; done + return 1 +} + +function has_apxs { + if [[ -v APXS ]]; then + return 0 + fi + if which apxs > /dev/null; then + return 0; + fi + return 1; +} + +function prepare_apxs { + cat > /tmp/apxs_wrapper </dev/null | head -1) + if [[ -n $libpq_dir ]]; then + #export LDFLAGS="${LDFLAGS:-} -L$libpq_dir/lib" + #export CPPFLAGS="${CPPFLAGS:-} -I$libpq_dir/include" + #export PATH="$libpq_dir/bin:$PATH" + options+=( + "--with-pgsql=shared,$libpq_dir/bin" + "--with-pdo-pgsql=shared,$libpq_dir/bin") + else + options+=( + --with-pgsql=shared + --with-pdo-pgsql=shared) + fi + + + options+=( + --enable-gd=shared + --with-openssl=shared + --with-zlib=shared + --enable-dom=shared + --enable-fileinfo=shared + --enable-filter + --with-gmp=shared + --enable-intl=shared + --enable-mbstring=shared + --enable-opcache=shared + --enable-pdo=shared + --enable-phar=shared + --with-libxml + --enable-xml + --enable-simplexml=shared + --enable-xmlreader=shared + --enable-xmlwriter=shared + $([[ $version_id -ge 70400 ]] && echo --with-zip=shared || echo --enable-zip=shared) + --enable-ctype=shared + --enable-session=shared + --enable-tokenizer=shared + --with-pdo-sqlite=shared,/usr + --with-curl=shared) + fi + + if has_apxs; then + if [[ ${NO_APX_WRAPPER-} -eq 1 ]]; then + options+=(--with-apxs2=$(which apxs2)) + else + prepare_apxs + options+=(--with-apxs2=/tmp/apxs_wrapper) + fi + fi + + if [[ $version_id -lt 80000 ]]; then + options+=(--enable-json) # not shared to make it consistent with php 8 + fi + + if [[ $minimal -eq 0 ]]; then + local mysql_config= mysql_prefix= + if contains_element nomysqlnd "${variants[@]}"; then + echo "You may need to symlink libmysql client:" + echo "> ln -s /usr/lib/x86_64-linux-gnu/libmysqlclient.a /usr/lib/x86_64-linux-gnu/libmysqlclient_r.a" + echo "> ln -s /usr/lib/x86_64-linux-gnu/libmysqlclient.so /usr/lib/x86_64-linux-gnu/libmysqlclient_r.so" + mysql_config=/usr/bin/mysql_config + mysql_prefix=/usr + else + mysql_config=mysqlnd + mysql_prefix=mysqlnd + options+=(--enable-mysqlnd=shared) + fi + + if [[ $version_id -lt 70000 ]]; then + options+=(--with-mysql=shared,$mysql_prefix) + fi + + options+=( + --with-mysqli=shared,$mysql_config + --with-pdo-mysql=shared,$mysql_prefix + ) + fi # minimal + + if ! contains_element release "${variants[@]}"; then + options+=(--enable-debug) + fi + if contains_element zts "${variants[@]}"; then + if [[ $version_id -ge 80000 ]]; then + options+=(--enable-zts) + else + options+=(--enable-maintainer-zts) + fi + fi + if [[ $version_id -lt 70400 ]]; then + options+=(--enable-hash --enable-libxml=shared) + else + # 7.4+ + options+=(--with-libxml=shared) + fi + + echo "Build options: ${options[@]}" + + cd "$download_dir" + if [[ $version_id -lt 50400 && ! -f .patch_applied ]]; then + patch -p0 < "$REPO_ROOT"/php_patches/newish_libxml.patch + touch .patch_applied + fi + if [[ $version_id -lt 70000 && $version_id -ge 50500 && ! -f .patch_applied ]]; then + patch -p0 < "$REPO_ROOT"/php_patches/opcache_num_var.patch + touch .patch_applied + fi + if [[ $version_id -lt 70016 && $version_id -ge 50600 && ! -f .patch_conf_applied ]]; then + patch -p0 < "$REPO_ROOT"/php_patches/configure_gmp.patch + touch .patch_conf_applied + fi + if [[ $version_id -lt 70100 && $version_id -ge 70000 && ! -f .patch_conf_icu ]]; then + patch -p0 < "$REPO_ROOT"/php_patches/configure_icu.patch + touch .patch_conf_icu + fi + if [[ $version_id -lt 70200 && ! -f .patch_conf_curl ]]; then + patch -r - -p0 < "$REPO_ROOT"/php_patches/configure_curl.patch || \ + patch -p0 < "$REPO_ROOT"/php_patches/configure_curl_old.patch + touch .patch_conf_curl + fi + if [[ $version_id -lt 70300 && $version_id -ge 70000 && ! -f .patch_ns_icu ]]; then + patch -p1 < "$REPO_ROOT"/php_patches/recent_icu.patch + touch .patch_ns_icu + fi + + rm -rf "$build_dir" + mkdir -p "$build_dir" + cd "$build_dir" + + "$download_dir/configure" "${options[@]}" + make -j $(nproc) + make install-sapi || true + make install-binaries install-headers install-modules install-programs install-build + + rm -rf "$build_dir" + cd - +} + +function download_and_extract_openssl { + local -r openssl_version=$1 major=$2 + local url= + if [[ $major != 1.0.2 ]]; then + url="https://www.openssl.org/source/openssl-${openssl_version}.tar.gz" + else + url="https://www.openssl.org/source/old/$major/openssl-${openssl_version}.tar.gz" + fi + + local openssl_source_dir="$HOME/php/sources/openssl-${openssl_version}" + + if [[ ! -f $openssl_source_dir/.extracted ]]; then + mkdir -p "$openssl_source_dir" + curl -Lf "$url" -o - | tar -xz -C "$openssl_source_dir" --strip-components=1 + touch "$openssl_source_dir/.extracted" + fi + echo "$openssl_source_dir" +} + +function install_openssl { + local -r version=$1 major=$(echo $1 | cut -d. -f 1-2) + local -r install_dir="$HOME/php/openssl$major" + if [[ -f $install_dir/.installed ]]; then + return + fi + + local -r source_dir="$(download_and_extract_openssl $version $major)" + local -r build_dir="$HOME/php/build/openssl$major" + + mkdir -p "$build_dir" + cd "$build_dir" + if [[ $major = 1.0 ]]; then + cp -a "$source_dir/." "$build_dir" + fi + "$source_dir/config" --prefix="$install_dir" --openssldir="$install_dir" shared zlib no-tests + + make -j && make install_sw + touch "$install_dir/.installed" + cd - + rm -rf "$build_dir" + + echo "Installed OpenSSL $version in $install_dir" +} +function openssl_pkg_config { + local -r php_version=$1 + local -r php_version_id=$(php_version_id $php_version) + if [[ $php_version_id -lt 70100 ]]; then + echo "$HOME/php/openssl1.0/lib/pkgconfig" + else + echo "$HOME/php/openssl1.1/lib/pkgconfig" + fi +} + +function download_and_extract_icu { + local -r icu_version="60.3" + local -r url="https://github.com/unicode-org/icu/releases/download/release-${icu_version//./-}/icu4c-${icu_version//./_}-src.tgz" + local icu_source_dir="$HOME/php/sources/icu-${icu_version}" + + if [[ ! -f $icu_source_dir/.extracted ]]; then + mkdir -p "$icu_source_dir" + curl -Lf "$url" -o - | tar -xz -C "$icu_source_dir" --strip-components=1 + touch "$icu_source_dir/.extracted" + fi + echo "$icu_source_dir" +} + +# Function to install ICU +function install_icu { + local -r install_dir="$HOME/php/icu-60" + if [[ -f $install_dir/.installed ]]; then + return + fi + + local -r source_dir="$(download_and_extract_icu)" + local -r build_dir="$HOME/php/build/icu-60" + + mkdir -p "$build_dir" + cd "$build_dir" + "$source_dir/source/configure" --prefix="$install_dir" + + make -j && make install + touch "$install_dir/.installed" + cd - + rm -rf "$build_dir" + + echo "Installed ICU in $install_dir" +} + +function download_and_extract_xdebug { + local -r xdebug_version="$1" + local url + local -r xdebug_source_dir="$HOME/php/sources/xdebug-${xdebug_version}" + + if [[ -f $xdebug_source_dir/.extracted ]]; then + return + fi + set -x + + mkdir -p "$xdebug_source_dir" + if [[ $xdebug_version == *.* ]]; then + url=https://github.com/xdebug/xdebug/archive/refs/tags/${xdebug_version}.tar.gz + curl -Lf "$url" -o - | tar -xz -C "$xdebug_source_dir" --strip-components=1 + else + git clone -b master https://github.com/xdebug/xdebug.git "$xdebug_source_dir" + git -C "$xdebug_source_dir" checkout "$xdebug_version" + fi + + touch "$xdebug_source_dir/.extracted" +} +function install_xdebug { + local -r xdebug_version=$1 php_prefix=$2 + local -r xdebug_source_dir="$HOME/php/sources/xdebug-${xdebug_version}" + local -r build_dir="$HOME/php/build/xdebug-${xdebug_version}" + local -r xdebug_so=$(find "$php_prefix/lib" -name xdebug.so) + + if [[ -n $xdebug_so ]]; then + return + fi + + cd "$xdebug_source_dir" + "$php_prefix/bin/phpize" + mkdir -p "$build_dir" + cd "$build_dir" + "$xdebug_source_dir/configure" "--with-php-config=$php_prefix/bin/php-config" + make -j + make install + cd - + + rm -rf "$build_dir" +} + +if [[ "$#" == 0 ]] +then + echo Usage: $0 '' '[variant1-variant2-...]' + echo + echo "$0 7.2.17 zts-release" + echo + echo "Available variants: zts, release, nomysqlnd, minimal" + echo "CC, CFLAGS, etc. are picked up" + exit 0 +fi + +if [[ -d /opt/homebrew/lib ]]; then + export LDFLAGS="${LDFLAGS:-} -L/opt/homebrew/lib" + export CPPFLAGS="${CPPFLAGS:-} -I/opt/homebrew/include" +fi + +install_openssl 1.0.2u +install_openssl 1.1.1w +install_icu + +if [[ $1 == deps ]]; then + exit 0 +fi + +download_php "$1" + +export PKG_CONFIG_PATH=$(openssl_pkg_config "$1"):$HOME/php/icu-60/lib/pkgconfig +PATH=$HOME/php/icu-60/bin:$PATH +CXXFLAGS='-g -ggdb' build_php "$1" "${2:-}" PREFIX + +xdebug_version=$(get_xdebug_version "$1") +download_and_extract_xdebug "$xdebug_version" +install_xdebug "$xdebug_version" "$PREFIX" diff --git a/appsec/tests/integration/src/docker/php/php.ini b/appsec/tests/integration/src/docker/php/php.ini new file mode 100644 index 00000000000..01ca7f8d7f8 --- /dev/null +++ b/appsec/tests/integration/src/docker/php/php.ini @@ -0,0 +1,27 @@ +extension=ctype.so +extension=dom.so +extension=iconv.so +extension=mbstring.so +extension=mysqlnd.so +extension=openssl.so +extension=pdo.so +extension=pdo_pgsql.so +extension=pgsql.so +extension=posix.so +extension=simplexml.so +extension=tokenizer.so +extension=xmlwriter.so +extension=curl.so +extension=fileinfo.so +extension=gmp.so +extension=intl.so +extension=mysqli.so +extension=pcntl.so +extension=pdo_mysql.so +extension=pdo_sqlite.so +extension=phar.so +extension=session.so +extension=sockets.so +extension=xmlreader.so +extension=zlib.so +extension=zip.so diff --git a/appsec/tests/integration/src/docker/php/php_patches/configure_curl.patch b/appsec/tests/integration/src/docker/php/php_patches/configure_curl.patch new file mode 100644 index 00000000000..ed9f18d3fb4 --- /dev/null +++ b/appsec/tests/integration/src/docker/php/php_patches/configure_curl.patch @@ -0,0 +1,14 @@ +--- configure 2020-11-04 19:41:03.253862846 +0000 ++++ configure.new 2020-11-04 19:40:56.937530722 +0000 +@@ -29607,6 +29607,11 @@ + else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for cURL in default path" >&5 + $as_echo_n "checking for cURL in default path... " >&6; } ++ if pkg-config libcurl; then ++ CURL_DIR=`pkg-config --variable=prefix libcurl` ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: prefix in $CURL_DIR" >&5 ++$as_echo "prefix in $CURL_DIR" >&6; } ++ fi + for i in /usr/local /usr; do + if test -r $i/include/curl/easy.h; then + CURL_DIR=$i diff --git a/appsec/tests/integration/src/docker/php/php_patches/configure_curl_old.patch b/appsec/tests/integration/src/docker/php/php_patches/configure_curl_old.patch new file mode 100644 index 00000000000..3163dbe50ae --- /dev/null +++ b/appsec/tests/integration/src/docker/php/php_patches/configure_curl_old.patch @@ -0,0 +1,14 @@ +--- configure 2010-07-21 11:53:06.000000000 +0100 ++++ configure 2020-11-06 14:03:16.054125290 +0000 +@@ -27945,6 +27945,11 @@ + else + echo $ac_n "checking for cURL in default path""... $ac_c" 1>&6 + echo "configure:27948: checking for cURL in default path" >&5 ++ if pkg-config libcurl; then ++ CURL_DIR=`pkg-config --variable=prefix libcurl` ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: prefix in $CURL_DIR" >&5 ++$as_echo "prefix in $CURL_DIR" >&6; } ++ fi + for i in /usr/local /usr; do + if test -r $i/include/curl/easy.h; then + CURL_DIR=$i diff --git a/appsec/tests/integration/src/docker/php/php_patches/configure_gmp.patch b/appsec/tests/integration/src/docker/php/php_patches/configure_gmp.patch new file mode 100644 index 00000000000..d3b0e2d70bc --- /dev/null +++ b/appsec/tests/integration/src/docker/php/php_patches/configure_gmp.patch @@ -0,0 +1,13 @@ +--- ./configure 2017-07-05 23:57:38.000000000 +0000 ++++ ./configure 2019-12-10 18:09:16.951302032 +0000 +@@ -45161,8 +45161,8 @@ + + if test "$PHP_GMP" != "no"; then + +- for i in $PHP_GMP /usr/local /usr; do +- test -f $i/include/gmp.h && GMP_DIR=$i && break ++ for i in $PHP_GMP /usr/local/include /usr/include /usr/include/x86_64-linux-gnu; do ++ test -f $i/gmp.h && GMP_DIR=$i && break + done + + if test -z "$GMP_DIR"; then diff --git a/appsec/tests/integration/src/docker/php/php_patches/configure_icu.patch b/appsec/tests/integration/src/docker/php/php_patches/configure_icu.patch new file mode 100644 index 00000000000..48fc8ff9ad3 --- /dev/null +++ b/appsec/tests/integration/src/docker/php/php_patches/configure_icu.patch @@ -0,0 +1,232 @@ +--- configure 2021-10-22 15:34:45.016504348 +0100 ++++ configure 2021-11-16 18:08:54.941056099 +0000 +@@ -44706,6 +44701,208 @@ + PHP_ICU_DIR=DEFAULT + fi + ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for location of ICU headers and libraries" >&5 ++$as_echo_n "checking for location of ICU headers and libraries... " >&6; } ++ found_icu=no ++ ++ if test -z "$PKG_CONFIG"; then ++ # Extract the first word of "pkg-config", so it can be a program name with args. ++set dummy pkg-config; ac_word=$2 ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 ++$as_echo_n "checking for $ac_word... " >&6; } ++if ${ac_cv_path_PKG_CONFIG+:} false; then : ++ $as_echo_n "(cached) " >&6 ++else ++ case $PKG_CONFIG in ++ [\\/]* | ?:[\\/]*) ++ ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. ++ ;; ++ *) ++ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR ++for as_dir in $PATH ++do ++ IFS=$as_save_IFS ++ test -z "$as_dir" && as_dir=. ++ for ac_exec_ext in '' $ac_executable_extensions; do ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ++ ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" ++ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 ++ break 2 ++ fi ++done ++ done ++IFS=$as_save_IFS ++ ++ test -z "$ac_cv_path_PKG_CONFIG" && ac_cv_path_PKG_CONFIG="no" ++ ;; ++esac ++fi ++PKG_CONFIG=$ac_cv_path_PKG_CONFIG ++if test -n "$PKG_CONFIG"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 ++$as_echo "$PKG_CONFIG" >&6; } ++else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++fi ++ ++ ++ fi ++ ++ if test "$PHP_ICU_DIR" = "DEFAULT" && test -x "$PKG_CONFIG" && $PKG_CONFIG --exists icu-uc icu-io icu-i18n; then ++ if $PKG_CONFIG --atleast-version=40 icu-uc; then ++ found_icu=yes ++ icu_version_full=`$PKG_CONFIG --modversion icu-uc` ++ ac_IFS=$IFS ++ IFS="." ++ set $icu_version_full ++ IFS=$ac_IFS ++ icu_version=`expr $1 \* 1000 + $2` ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: found $icu_version_full" >&5 ++$as_echo "found $icu_version_full" >&6; } ++ ++ ICU_LIBS=`$PKG_CONFIG --libs icu-uc icu-io icu-i18n` ++ ICU_INCS=`$PKG_CONFIG --cflags-only-I icu-uc icu-io icu-i18n` ++ ICU_CXXFLAGS="-DU_USING_ICU_NAMESPACE=1" ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: found $ICU_VERSION" >&5 ++$as_echo "found $ICU_VERSION" >&6; } ++ ++ ++ for ac_i in $ICU_LIBS; do ++ case $ac_i in ++ -pthread) ++ if test "$ext_shared" = "yes"; then ++ INTL_SHARED_LIBADD="$INTL_SHARED_LIBADD -pthread" ++ else ++ ++ ++ unique=`echo $ac_i|$SED 's/[^a-zA-Z0-9]/_/g'` ++ ++ cmd="echo $ac_n \"\$EXTRA_LDFLAGS$unique$ac_c\"" ++ if test -n "$unique" && test "`eval $cmd`" = "" ; then ++ eval "EXTRA_LDFLAGS$unique=set" ++ EXTRA_LDFLAGS="$EXTRA_LDFLAGS $ac_i" ++ fi ++ ++ fi ++ ;; ++ -l*) ++ ac_ii=`echo $ac_i|cut -c 3-` ++ ++ ++ case $ac_ii in ++ c|c_r|pthread*) ;; ++ *) ++ if test "$ext_shared" = "yes"; then ++ INTL_SHARED_LIBADD="$INTL_SHARED_LIBADD -l$ac_ii" ++ else ++ ++ ++ case $ac_ii in ++ c|c_r|pthread*) ;; ++ *) ++ LIBS="$LIBS -l$ac_ii" ++ ;; ++ esac ++ ++ ++ fi ++ ;; ++ esac ++ ++ ++ ;; ++ -L*) ++ ac_ii=`echo $ac_i|cut -c 3-` ++ ++ if test "$ac_ii" != "/usr/$PHP_LIBDIR" && test "$ac_ii" != "/usr/lib"; then ++ ++ if test -z "$ac_ii" || echo "$ac_ii" | grep '^/' >/dev/null ; then ++ ai_p=$ac_ii ++ else ++ ++ ep_dir=`echo $ac_ii|$SED 's%/*[^/][^/]*/*$%%'` ++ ++ ep_realdir=`(cd "$ep_dir" && pwd)` ++ ai_p="$ep_realdir"/`basename "$ac_ii"` ++ fi ++ ++ ++ if test "$ext_shared" = "yes"; then ++ INTL_SHARED_LIBADD="-L$ai_p $INTL_SHARED_LIBADD" ++ test -n "$ld_runpath_switch" && INTL_SHARED_LIBADD="$ld_runpath_switch$ai_p $INTL_SHARED_LIBADD" ++ else ++ ++ ++ ++ unique=`echo $ai_p|$SED 's/[^a-zA-Z0-9]/_/g'` ++ ++ cmd="echo $ac_n \"\$LIBPATH$unique$ac_c\"" ++ if test -n "$unique" && test "`eval $cmd`" = "" ; then ++ eval "LIBPATH$unique=set" ++ ++ test -n "$ld_runpath_switch" && LDFLAGS="$LDFLAGS $ld_runpath_switch$ai_p" ++ LDFLAGS="$LDFLAGS -L$ai_p" ++ PHP_RPATHS="$PHP_RPATHS $ai_p" ++ ++ fi ++ ++ ++ fi ++ ++ fi ++ ++ ;; ++ esac ++ done ++ ++ ++ for ac_i in $ICU_INCS; do ++ case $ac_i in ++ -I*) ++ ac_ii=`echo $ac_i|cut -c 3-` ++ ++ if test "$ac_ii" != "/usr/include"; then ++ ++ if test -z "$ac_ii" || echo "$ac_ii" | grep '^/' >/dev/null ; then ++ ai_p=$ac_ii ++ else ++ ++ ep_dir=`echo $ac_ii|$SED 's%/*[^/][^/]*/*$%%'` ++ ++ ep_realdir=`(cd "$ep_dir" && pwd)` ++ ai_p="$ep_realdir"/`basename "$ac_ii"` ++ fi ++ ++ ++ ++ unique=`echo $ai_p|$SED 's/[^a-zA-Z0-9]/_/g'` ++ ++ cmd="echo $ac_n \"\$INCLUDEPATH$unique$ac_c\"" ++ if test -n "$unique" && test "`eval $cmd`" = "" ; then ++ eval "INCLUDEPATH$unique=set" ++ ++ if test ""; then ++ INCLUDES="-I$ai_p $INCLUDES" ++ else ++ INCLUDES="$INCLUDES -I$ai_p" ++ fi ++ ++ fi ++ ++ fi ++ ++ ;; ++ esac ++ done ++ ++ else ++ as_fn_error $? "ICU version 4.0 or later required." "$LINENO" 5 ++ fi ++ fi ++ ++ if test "$found_icu" = "no"; then + if test "$PHP_ICU_DIR" = "DEFAULT"; then + # Extract the first word of "icu-config", so it can be a program name with args. + set dummy icu-config; ac_word=$2 +@@ -44753,9 +44950,6 @@ + ICU_CONFIG="$PHP_ICU_DIR/bin/icu-config" + fi + +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for location of ICU headers and libraries" >&5 +-$as_echo_n "checking for location of ICU headers and libraries... " >&6; } +- + icu_install_prefix=`$ICU_CONFIG --prefix 2> /dev/null` + if test "$?" != "0" || test -z "$icu_install_prefix"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 +@@ -44912,6 +45106,10 @@ + esac + done + ++ ++ ICU_CXXFLAGS=`$ICU_CONFIG --cxxflags` ++ ICU_CXXFLAGS="$ICU_CXXFLAGS -DU_USING_ICU_NAMESPACE=1" ++ fi + fi + + diff --git a/appsec/tests/integration/src/docker/php/php_patches/newish_libxml.patch b/appsec/tests/integration/src/docker/php/php_patches/newish_libxml.patch new file mode 100644 index 00000000000..e5dbab7972b --- /dev/null +++ b/appsec/tests/integration/src/docker/php/php_patches/newish_libxml.patch @@ -0,0 +1,51 @@ +--- ext/dom/node.c 2012-08-06 17:49:48.826716692 +0800 ++++ ext/dom/node.c 2012-08-06 17:52:47.633484660 +0800 +@@ -1895,9 +1895,17 @@ static void dom_canonicalization(INTERNA + RETVAL_FALSE; + } else { + if (mode == 0) { ++#ifdef LIBXML2_NEW_BUFFER ++ ret = xmlOutputBufferGetSize(buf); ++#else + ret = buf->buffer->use; ++#endif + if (ret > 0) { ++#ifdef LIBXML2_NEW_BUFFER ++ RETVAL_STRINGL((char *) xmlOutputBufferGetContent(buf), ret, 1); ++#else + RETVAL_STRINGL((char *) buf->buffer->content, ret, 1); ++#endif + } else { + RETVAL_EMPTY_STRING(); + } +--- ext/dom/documenttype.c 2012-08-06 18:02:16.019640870 +0800 ++++ ext/dom/documenttype.c 2012-08-06 18:06:16.612228905 +0800 +@@ -205,7 +205,13 @@ int dom_documenttype_internal_subset_rea + if (buff != NULL) { + xmlNodeDumpOutput (buff, NULL, (xmlNodePtr) intsubset, 0, 0, NULL); + xmlOutputBufferFlush(buff); ++ ++#ifdef LIBXML2_NEW_BUFFER ++ ZVAL_STRINGL(*retval, xmlOutputBufferGetContent(buff), ++ xmlOutputBufferGetSize(buff), 1); ++#else + ZVAL_STRINGL(*retval, buff->buffer->content, buff->buffer->use, 1); ++#endif + (void)xmlOutputBufferClose(buff); + return SUCCESS; + } +--- ext/simplexml/simplexml.c 2012-08-06 18:10:44.621017026 +0800 ++++ ext/simplexml/simplexml.c 2012-08-06 18:12:48.016270419 +0800 +@@ -1417,7 +1417,12 @@ SXE_METHOD(asXML) + + xmlNodeDumpOutput(outbuf, (xmlDocPtr) sxe->document->ptr, node, 0, 0, ((xmlDocPtr) sxe->document->ptr)->encoding); + xmlOutputBufferFlush(outbuf); ++#ifdef LIBXML2_NEW_BUFFER ++ RETVAL_STRINGL((char *)xmlOutputBufferGetContent(outbuf), ++ xmlOutputBufferGetSize(outbuf), 1); ++#else + RETVAL_STRINGL((char *)outbuf->buffer->content, outbuf->buffer->use, 1); ++#endif + xmlOutputBufferClose(outbuf); + } + } else { diff --git a/appsec/tests/integration/src/docker/php/php_patches/opcache_num_var.patch b/appsec/tests/integration/src/docker/php/php_patches/opcache_num_var.patch new file mode 100644 index 00000000000..a3ffcf718bd --- /dev/null +++ b/appsec/tests/integration/src/docker/php/php_patches/opcache_num_var.patch @@ -0,0 +1,11 @@ +--- ext/opcache/Optimizer/zend_optimizer_internal-old.h 2019-12-10 17:53:44.594305810 +0000 ++++ ext/opcache/Optimizer/zend_optimizer_internal.h 2019-12-10 17:54:33.230531129 +0000 +@@ -25,7 +25,7 @@ + #include "ZendAccelerator.h" + + #if ZEND_EXTENSION_API_NO > PHP_5_4_X_API_NO +-# define VAR_NUM(v) ((zend_uint)(EX_TMP_VAR_NUM(0, 0) - EX_TMP_VAR(0, v))) ++# define VAR_NUM(v) ( (zend_uint) (-1U + (-v) / sizeof(temp_variable)) ) + # define NUM_VAR(v) ((zend_uint)(zend_uintptr_t)EX_TMP_VAR_NUM(0, v)) + #elif ZEND_EXTENSION_API_NO > PHP_5_2_X_API_NO + # define VAR_NUM(v) ((v)/ZEND_MM_ALIGNED_SIZE(sizeof(temp_variable))) diff --git a/appsec/tests/integration/src/docker/php/php_patches/recent_icu.patch b/appsec/tests/integration/src/docker/php/php_patches/recent_icu.patch new file mode 100644 index 00000000000..91ae4fe2dae --- /dev/null +++ b/appsec/tests/integration/src/docker/php/php_patches/recent_icu.patch @@ -0,0 +1,107 @@ +diff --git a/ext/intl/breakiterator/breakiterator_class.h b/ext/intl/breakiterator/breakiterator_class.h +index d1b5ebb2c8..a856b7c7e0 100644 +--- a/ext/intl/breakiterator/breakiterator_class.h ++++ b/ext/intl/breakiterator/breakiterator_class.h +@@ -26,6 +26,8 @@ + + #ifndef USE_BREAKITERATOR_POINTER + typedef void BreakIterator; ++#else ++using icu::BreakIterator; + #endif + + typedef struct { +diff --git a/ext/intl/breakiterator/codepointiterator_internal.h b/ext/intl/breakiterator/codepointiterator_internal.h +index d34fc0a2c2..16c5d6aed6 100644 +--- a/ext/intl/breakiterator/codepointiterator_internal.h ++++ b/ext/intl/breakiterator/codepointiterator_internal.h +@@ -19,6 +19,7 @@ + + #include + ++using namespace icu; + using U_ICU_NAMESPACE::BreakIterator; + + namespace PHP { +diff --git a/ext/intl/calendar/calendar_class.h b/ext/intl/calendar/calendar_class.h +index a884580a9a..066708e781 100644 +--- a/ext/intl/calendar/calendar_class.h ++++ b/ext/intl/calendar/calendar_class.h +@@ -24,8 +24,11 @@ + #include "intl_error.h" + #include "intl_data.h" + ++ + #ifndef USE_CALENDAR_POINTER + typedef void Calendar; ++#else ++using namespace icu; + #endif + + typedef struct { +diff --git a/ext/intl/common/common_date.cpp b/ext/intl/common/common_date.cpp +index f1bf75ab0f..8f8cb64673 100644 +--- a/ext/intl/common/common_date.cpp ++++ b/ext/intl/common/common_date.cpp +@@ -17,6 +17,7 @@ + #include "../intl_cppshims.h" + + #include ++using namespace icu; + + extern "C" { + #include "../php_intl.h" +diff --git a/ext/intl/common/common_enum.h b/ext/intl/common/common_enum.h +index b9b87c17e0..d21713012b 100644 +--- a/ext/intl/common/common_enum.h ++++ b/ext/intl/common/common_enum.h +@@ -29,8 +29,10 @@ extern "C" { + #include "../intl_data.h" + #ifdef __cplusplus + } ++using namespace icu; + #endif + ++ + #define INTLITERATOR_ERROR(ii) (ii)->err + #define INTLITERATOR_ERROR_P(ii) &(INTLITERATOR_ERROR(ii)) + +diff --git a/ext/intl/dateformat/dateformat_helpers.h b/ext/intl/dateformat/dateformat_helpers.h +index eb90c99169..f0163291f7 100644 +--- a/ext/intl/dateformat/dateformat_helpers.h ++++ b/ext/intl/dateformat/dateformat_helpers.h +@@ -27,6 +27,8 @@ extern "C" { + #include "../php_intl.h" + } + ++using namespace icu; ++ + int datefmt_process_calendar_arg(zval* calendar_zv, + Locale const& locale, + const char *func_name, +diff --git a/ext/intl/intl_convertcpp.h b/ext/intl/intl_convertcpp.h +index eab5f149c8..08d89828ab 100644 +--- a/ext/intl/intl_convertcpp.h ++++ b/ext/intl/intl_convertcpp.h +@@ -26,6 +26,8 @@ + #include + #include + ++using namespace icu; ++ + int intl_stringFromChar(UnicodeString &ret, char *str, size_t str_len, UErrorCode *status); + + zend_string* intl_charFromString(const UnicodeString &from, UErrorCode *status); +diff --git a/ext/intl/timezone/timezone_class.h b/ext/intl/timezone/timezone_class.h +index 0667c78994..99e9b56dae 100644 +--- a/ext/intl/timezone/timezone_class.h ++++ b/ext/intl/timezone/timezone_class.h +@@ -29,6 +29,8 @@ + + #ifndef USE_TIMEZONE_POINTER + typedef void TimeZone; ++#else ++using icu::TimeZone; + #endif + + typedef struct { diff --git a/appsec/tests/integration/src/docker/toolchain/CHECKSUMS b/appsec/tests/integration/src/docker/toolchain/CHECKSUMS new file mode 100644 index 00000000000..362c2a99e1c --- /dev/null +++ b/appsec/tests/integration/src/docker/toolchain/CHECKSUMS @@ -0,0 +1,9 @@ +9b0b259cc43d5e4d20200676be153de81b485b3fdf065623ff71c7e1894ec5c8ed9d99c1416f70246ab0f417cbba6d1d4af9f3769e2e6577400681a791346231 compiler-rt-11.1.0.src.tar.xz +a1d2e3f5ad529a04f87059903b31fc3c9803cd86f44aed1aebd87ce7e423d8dd2b6776be12e85a0374a6215f581420438d224c130aad5e6355920af32c02aa7b compiler-rt-10.0.1.src.tar.xz +d77145858cda538127b631a8072fafc3fa01a5a9648d4ca1cb6d563009061c56f93ca606f4f7f9e706d5cc0dd8f4e0895f496439ca173f175a1c8ee740b5d30a gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu.tar.xz +af5333da5b90f4a46a5184532164f4c6522e3c03a580131627c0f167ab98fb3e71b3e15518d6e22414141484ec5ab0d184294ae7f10034ebfed28e7072836b28 libcxx-11.1.0.src.tar.xz +0bf3806fd9382ca6790ca2a8e991424caf64e81415386875243565034243f2ac7442c596e3c55ece80932c2ec59b71801e3e415dedc9db4dd4c3f66b6a893558 libcxxabi-11.1.0.src.tar.xz +507f29cf1a318d9761fe6306b2e9b57c02a342f138b47ec5420dce527132a33f7affcd386913792c472ceeb9fb1c1b105bba3234a1575aae0f68024e94c8d596 libunwind-11.1.0.src.tar.xz +07bf9973384151a18d5cc2892103e5f28a88c632e8e49662fde56d123632f2ed1b3710fa7a87b6b821955d0ec44160ff36f2aa4f233e389e14d628e9bf8dc764 llvm-11.1.0.src.tar.xz +5344b581bd6463d71af8c13e91792fa51f25a96a1ecbea81e42664b63d90b325aeb421dfbc8c22e187397ca08e84d9296a0c0c299ba04fa2b751d6864914bd82 musl-1.2.2.tar.gz +9591360672ba6192c606404caf70101538728a1cd5d548efcbb952f663f182bd1954d63743ffc9dd18f5c649a62a042c5e36d1ff423634dfd074f672dd1f4af9 cmake-3.28.0-linux-x86_64.tar.gz diff --git a/appsec/tests/integration/src/docker/toolchain/Dockerfile b/appsec/tests/integration/src/docker/toolchain/Dockerfile new file mode 100644 index 00000000000..21aff0c288d --- /dev/null +++ b/appsec/tests/integration/src/docker/toolchain/Dockerfile @@ -0,0 +1,14 @@ +FROM debian@sha256:08db48d59c0a91afb802ebafc921be3154e200c452e4d0b19634b426b03e0e25 AS toolchain +RUN apt-get update && \ + apt-get install -y curl xz-utils make file lld clang git patchelf gcc libgcc-s1 sed autoconf wget libssl-dev wget libxml2 + +RUN ln -s /bin/sed /usr/bin/sed +RUN mkdir /build +ADD . /build/ + +RUN wget https://github.com/Kitware/CMake/releases/download/v3.28.0/cmake-3.28.0-linux-x86_64.tar.gz && \ + grep -F "cmake-3.28.0-linux-x86_64.tar.gz" ./build/CHECKSUMS | sha512sum --check && \ + tar --strip-components=1 -C /usr/local -xvzf cmake-3.28.0-linux-x86_64.tar.gz && \ + rm cmake-3.28.0-linux-x86_64.tar.gz + +RUN cd /build && make install && make clean diff --git a/appsec/tests/integration/src/docker/toolchain/Makefile b/appsec/tests/integration/src/docker/toolchain/Makefile new file mode 100644 index 00000000000..0334c4d3650 --- /dev/null +++ b/appsec/tests/integration/src/docker/toolchain/Makefile @@ -0,0 +1,161 @@ +MUSL_VERSION := 1.2.2 +LLVM_VERSION := 11.1.0 +LLVM_SUFFIX := 11 +SHELL := /bin/bash +RELTYPE := RelWithDebInfo + +# need to be in sync with Toolchain*.cmake files +MUSL_SYSROOT := $(CURDIR)/muslsysroot + +TARGET_ARCH := x86_64 +TARGET := $(TARGET_ARCH)-none-linux-musl + + +install: .libcxx-installed .libcxxabi-installed +clean: + rm -rf src/ build/ *.tar.xz *.tar.gz \ + .compiler-rt-installed .gcc-toolchain-installed .libcxxabi-installed \ + .libcxx-installed .libunwind-installed .musl-installed +.PHONY: install clean + +CC_TOOLCHAIN := /usr +GCC_TOOL_PREFIX := /usr/bin/ +GCC_TOOLCHAIN_SYSROOT := / + +.gcc-toolchain-installed: + cp -v /lib/x86_64-linux-gnu/libgcc_s.so.1 /usr/lib/gcc/x86_64-linux-gnu/10/libgcc_s.so.1 + touch $@ + +musl-$(MUSL_VERSION).tar.gz: + curl -o $@ -Lf https://musl.libc.org/releases/musl-1.2.2.tar.gz + grep -F $@ CHECKSUMS | sha512sum --check + +libcxx-$(LLVM_VERSION).src.tar.xz \ + libcxxabi-$(LLVM_VERSION).src.tar.xz \ + libunwind-$(LLVM_VERSION).src.tar.xz \ + llvm-$(LLVM_VERSION).src.tar.xz \ + compiler-rt-$(LLVM_VERSION).src.tar.xz: + curl -o $@ -Lf https://github.com/llvm/llvm-project/releases/download/llvmorg-$(LLVM_VERSION)/$@ + grep -F $@ CHECKSUMS | sha512sum --check + + +src/musl/.finger: musl-$(MUSL_VERSION).tar.gz + mkdir -p src/musl && \ + tar -xzf musl-$(MUSL_VERSION).tar.gz --strip-components=1 -C src/musl && \ + touch src/musl/.finger + +src/%/.finger: %-$(LLVM_VERSION).src.tar.xz + mkdir -p $(subst /.finger,,$@) && \ + tar -xJf $< --strip-components=1 -C $(subst /.finger,,$@) && \ + touch $@ + +.musl-installed: src/musl/.finger .gcc-toolchain-installed + mkdir -p build/musl && \ + pushd build/musl && \ + CC=$(GCC_TOOL_PREFIX)gcc \ + AR=$(GCC_TOOL_PREFIX)ar \ + RANLIB=$(GCC_TOOL_PREFIX)ranlib \ + ../../src/musl/configure --prefix=$(MUSL_SYSROOT) && \ + $(MAKE) -j $(shell nproc) && \ + $(MAKE) install && \ + popd && \ + touch $@ + +VERBOSE := 1 +export VERBOSE +COMMON_CXX_FLAGS := -DCMAKE_CXX_FLAGS="-resource-dir $(MUSL_SYSROOT)" +COMMON_CMAKE_OPTIONS := -DCMAKE_BUILD_TYPE=$(RELTYPE) \ + -DCMAKE_INSTALL_PREFIX=$(MUSL_SYSROOT) \ + -DCMAKE_SYSROOT=$(MUSL_SYSROOT) \ + -DCMAKE_AR=/usr/bin/llvm-ar-${LLVM_SUFFIX} \ + -DCMAKE_ASM_COMPILER_TARGET=$(TARGET) \ + -DCMAKE_C_COMPILER=/usr/bin/clang-${LLVM_SUFFIX} \ + -DCMAKE_C_COMPILER_TARGET=$(TARGET) \ + -DCMAKE_C_COMPILER_EXTERNAL_TOOLCHAIN=$(GCC_TOOLCHAIN) \ + -DCMAKE_C_FLAGS="-resource-dir $(MUSL_SYSROOT)" \ + -DCMAKE_CXX_COMPILER=/usr/bin/clang++-${LLVM_SUFFIX} \ + -DCMAKE_CXX_COMPILER_TARGET=$(TARGET) \ + -DCMAKE_CXX_COMPILER_EXTERNAL_TOOLCHAIN=$(GCC_TOOLCHAIN) \ + -DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld" \ + -DCMAKE_SHARED_LINKER_FLAGS="-v -fuse-ld=lld" \ + -DCMAKE_NM=/usr/bin/llvm-nm-${LLVM_SUFFIX} \ + -DCMAKE_RANLIB=/usr/bin/llvm-ranlib-${LLVM_SUFFIX} + +.compiler-rt-installed: src/compiler-rt/.finger .musl-installed + mkdir -p build/compiler-rt && \ + pushd build/compiler-rt && \ + cmake $(COMMON_CMAKE_OPTIONS) $(COMMON_CXX_FLAGS) \ + -DCOMPILER_RT_BUILD_BUILTINS=ON \ + -DCOMPILER_RT_BUILD_LIBFUZZER=OFF \ + -DCOMPILER_RT_BUILD_MEMPROF=OFF \ + -DCOMPILER_RT_BUILD_PROFILE=OFF \ + -DCOMPILER_RT_BUILD_SANITIZERS=OFF \ + -DCOMPILER_RT_BUILD_XRAY=OFF \ + -DCOMPILER_RT_DEFAULT_TARGET_ONLY=ON \ + -DCOMPILER_RT_BUILD_CRT=ON \ + ../../src/compiler-rt && \ + $(MAKE) -j $(shell nproc) && $(MAKE) install && \ + popd && \ + touch $@ + +.libunwind-installed: src/libunwind/.finger src/libcxx/.finger .compiler-rt-installed + mkdir -p build/libunwind && \ + pushd build/libunwind && \ + cmake $(COMMON_CMAKE_OPTIONS) \ + -DCMAKE_CXX_FLAGS="-resource-dir $(MUSL_SYSROOT) -nostdinc++ -isystem $(realpath .)/src/libcxx/include/" \ + -DLLVM_PATH=../../src/llvm \ + -DLIBUNWIND_USE_COMPILER_RT=ON \ + ../../src/libunwind && \ + $(MAKE) -j $(shell nproc) && $(MAKE) install && \ + popd && \ + touch $@ + +.libcxxabi-installed: src/libcxxabi/.finger src/libcxx/.finger src/llvm/.finger src/libunwind/.finger .compiler-rt-installed .libunwind-installed + mkdir -p build/libcxxabi && \ + pushd build/libcxxabi && \ + cmake $(COMMON_CMAKE_OPTIONS) $(COMMON_CXX_FLAGS) \ + -DLIBCXXABI_USE_LLVM_UNWINDER=ON \ + -DLIBCXXABI_INCLUDE_TESTS=OFF \ + -DLIBCXXABI_USE_COMPILER_RT=ON \ + -DLLVM_PATH=../../src/llvm \ + -DLIBCXXABI_LIBUNWIND_PATH=../../src/libunwind \ + -DLIBCXXABI_LIBCXX_INCLUDES=../../src/libcxx/include \ + ../../src/libcxxabi && \ + $(MAKE) -j $(shell nproc) && $(MAKE) install && \ + popd && \ + touch $@ + +.orig-sysroot-copied: .musl-installed + for dir in $(GCC_TOOLCHAIN_SYSROOT)usr/include/{linux,asm,asm-generic,$$($(GCC_TOOL_PREFIX)gcc -print-multiarch)/asm}; do \ + test ! -d "$$dir" || cp -av "$$dir" $(MUSL_SYSROOT)/include/; done && \ + cp $$(dirname $$($(GCC_TOOL_PREFIX)gcc -print-libgcc-file-name))/crtbegin{,S,T}.o $(MUSL_SYSROOT)/lib && \ + cp $$(dirname $$($(GCC_TOOL_PREFIX)gcc -print-libgcc-file-name))/crtend{,S}.o $(MUSL_SYSROOT)/lib && \ + cp $(GCC_TOOLCHAIN_SYSROOT)usr/include/$$($(GCC_TOOL_PREFIX)gcc -print-multiarch)/fpu_control.h $(MUSL_SYSROOT)/include/ && \ + touch $@ + + +.libcxx-installed: src/libcxx/.finger src/llvm/.finger src/libunwind/.finger .orig-sysroot-copied .compiler-rt-installed .libunwind-installed .libcxxabi-installed + mkdir -p build/libcxx && \ + pushd build/libcxx && \ + cmake $(COMMON_CMAKE_OPTIONS) $(COMMON_CXX_FLAGS) \ + -DLIBCXX_HAS_MUSL_LIBC=ON \ + -DLIBCXX_CXX_ABI=libcxxabi \ + -DLIBCXX_CXX_ABI_INCLUDE_PATHS=../../src/libcxxabi/include \ + -DLIBCXX_USE_COMPILER_RT=ON \ + -DLIBCXX_ENABLE_FILESYSTEM=ON \ + -DLIBCXX_ENABLE_EXPERIMENTAL_LIBRARY=0 \ + ../../src/libcxx && \ + $(MAKE) -j $(shell nproc) && $(MAKE) install && \ + popd && \ + touch $@ + +libddwaf: + mkdir -p build/libddwaf && \ + pushd build/libddwaf && \ + cmake -DCMAKE_BUILD_TYPE=$(RELTYPE) -DCMAKE_TOOLCHAIN_FILE="$(realpath .)/Toolchain.cmake" \ + -DCMAKE_GTEST_DISCOVER_TESTS_DISCOVERY_MODE=PRE_TEST \ + -DLIBDDWAF_TEST_COVERAGE=OFF \ + ../../src/libddwaf && \ + make -j && make -j testPowerWAF && patchelf --remove-needed libc.so libddwaf.so && make package + +.PHONY: libddwaf diff --git a/appsec/tests/integration/src/docker/toolchain/Toolchain.cmake b/appsec/tests/integration/src/docker/toolchain/Toolchain.cmake new file mode 100644 index 00000000000..2c6397706ad --- /dev/null +++ b/appsec/tests/integration/src/docker/toolchain/Toolchain.cmake @@ -0,0 +1,19 @@ +set(CMAKE_SYSTEM_NAME Linux) +set(CMAKE_SYSTEM_PROCESSOR x86_64) +set(CMAKE_SYSROOT /build/muslsysroot) +set(CMAKE_AR /usr/bin/llvm-ar-11) +set(triple x86_64-none-linux-musl) +set(CMAKE_ASM_COMPILER_TARGET ${triple}) +set(CMAKE_C_COMPILER /usr/bin/clang-11) +set(CMAKE_C_COMPILER_TARGET ${triple}) +set(c_cxx_flags "-nostdinc -isystem${CMAKE_SYSROOT}/include -isystem/usr/lib/llvm-11/lib/clang/11.0.1/include -resource-dir ${CMAKE_SYSROOT} -Qunused-arguments -rtlib=compiler-rt -unwindlib=libunwind -static-libgcc") +set(CMAKE_C_FLAGS ${c_cxx_flags}) +set(CMAKE_CXX_COMPILER /usr/bin/clang++-11) +set(CMAKE_CXX_COMPILER_TARGET ${triple}) +set(CMAKE_CXX_FLAGS "-stdlib=libc++ -isystem${CMAKE_SYSROOT}/include/c++/v1 ${c_cxx_flags}") +set(CMAKE_EXE_LINKER_FLAGS_INIT "-v -fuse-ld=lld -static -nodefaultlibs -lc++ -lc++abi ${CMAKE_SYSROOT}/lib/linux/libclang_rt.builtins-x86_64.a -lunwind -lc ${CMAKE_SYSROOT}/lib/linux/libclang_rt.builtins-x86_64.a") +set(CMAKE_SHARED_LINKER_FLAGS_INIT "-v -fuse-ld=lld -nodefaultlibs -Wl,-Bstatic -lc++ -lc++abi ${CMAKE_SYSROOT}/lib/linux/libclang_rt.builtins-x86_64.a -lunwind -Wl,-Bdynamic -lc ${CMAKE_SYSROOT}/lib/linux/libclang_rt.builtins-x86_64.a") + +set(CMAKE_NM /usr/bin/llvm-nm-11) +set(CMAKE_RANLIB /usr/bin/llvm-ranlib-11) +set(CMAKE_STRIP /usr/bin/strip) # llvm-strip doesn't seem to work correctly diff --git a/appsec/tests/integration/src/docker/toolchain/Toolchain.env b/appsec/tests/integration/src/docker/toolchain/Toolchain.env new file mode 100644 index 00000000000..7403fda0d32 --- /dev/null +++ b/appsec/tests/integration/src/docker/toolchain/Toolchain.env @@ -0,0 +1,8 @@ +export CXXFLAGS="-stdlib=libc++ -isystem/build/muslsysroot/include/c++/v1 -nostdinc -isystem/build/muslsysroot/include -isystem/usr/lib/llvm-11/lib/clang/11.0.1/include -resource-dir /build/muslsysroot -Qunused-arguments -rtlib=compiler-rt -unwindlib=libunwind -static-libgcc" +export CFLAGS="-nostdinc -isystem/build/muslsysroot/include -isystem/usr/lib/llvm-11/lib/clang/11.0.1/include -resource-dir /build/muslsysroot -Qunused-arguments -rtlib=compiler-rt -unwindlib=libunwind -static-libgcc" +export LDFLAGS="-v -fuse-ld=lld -static -nodefaultlibs -lc++ -lc++abi /build/muslsysroot/lib/linux/libclang_rt.builtins-x86_64.a -lunwind -lc /build/muslsysroot/lib/linux/libclang_rt.builtins-x86_64.a" +export CC="/usr/bin/clang-11" +export CXX="/usr/bin/clang++-11" +export AR="/usr/bin/llvm-ar-11" +export NM="/usr/bin/llvm-nm-11" +export RANLIB="/usr/bin/llvm-ranlib-11" diff --git a/appsec/tests/integration/src/docker/toolchain/ToolchainGCC.cmake b/appsec/tests/integration/src/docker/toolchain/ToolchainGCC.cmake new file mode 100644 index 00000000000..d147056712d --- /dev/null +++ b/appsec/tests/integration/src/docker/toolchain/ToolchainGCC.cmake @@ -0,0 +1,14 @@ +set(target x86_64-none-linux-gnu) +set(tool_prefix "") +set(CMAKE_SYSROOT /) +set(CMAKE_AR ${tool_prefix}ar) +set(CMAKE_ASM_COMPILER_TARGET ${target}) +set(CMAKE_C_COMPILER ${tool_prefix}gcc) +set(CMAKE_C_COMPILER_TARGET ${target}) +set(CMAKE_C_COMPILER_EXTERNAL_TOOLCHAIN /usr) +set(CMAKE_CXX_COMPILER ${tool_prefix}g++) +set(CMAKE_CXX_COMPILER_TARGET ${target}) +set(CMAKE_CXX_COMPILER_EXTERNAL_TOOLCHAIN /usr) +set(CMAKE_NM ${tool_prefix}nm) +set(CMAKE_RANLIB ${tool_prefix}ranlib) + diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/AppSecContainer.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/AppSecContainer.groovy new file mode 100644 index 00000000000..e549483c622 --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/AppSecContainer.groovy @@ -0,0 +1,311 @@ +package com.datadog.appsec.php.docker + +import com.datadog.appsec.php.mock_agent.MockDatadogAgent +import com.datadog.appsec.php.model.Span +import com.datadog.appsec.php.model.Trace +import com.github.dockerjava.api.command.CreateContainerCmd +import com.github.dockerjava.api.command.ExecCreateCmdResponse +import com.github.dockerjava.api.exception.NotFoundException +import com.github.dockerjava.api.model.Bind +import com.github.dockerjava.api.model.Volume +import com.google.common.util.concurrent.SettableFuture +import groovy.transform.CompileStatic +import groovy.transform.TypeCheckingMode +import groovy.transform.stc.ClosureParams +import groovy.transform.stc.FromAbstractTypeMethods +import groovy.transform.stc.FromString +import groovy.util.logging.Slf4j +import org.slf4j.Logger +import org.slf4j.LoggerFactory +import org.testcontainers.Testcontainers +import org.testcontainers.containers.BindMode +import org.testcontainers.containers.GenericContainer +import org.testcontainers.containers.output.FrameConsumerResultCallback +import org.testcontainers.containers.output.OutputFrame +import org.testcontainers.containers.output.Slf4jLogConsumer + +import java.net.http.HttpClient +import java.net.http.HttpRequest +import java.net.http.HttpResponse +import java.time.Duration +import java.util.concurrent.Future +import java.util.function.Consumer + +@CompileStatic +@Slf4j +class AppSecContainer> extends GenericContainer { + private final static Logger DOCKER_OUTPUT_LOGGER = LoggerFactory.getLogger('docker') + private String imageName + private Slf4jLogConsumer logConsumer + private File logsDir + public final HttpClient httpClient = HttpClient.newBuilder() + .followRedirects(HttpClient.Redirect.NEVER) + .connectTimeout(Duration.ofSeconds(5)) + .build() + + private MockDatadogAgent mockDatadogAgent = new MockDatadogAgent() + + AppSecContainer(Map options) { + super(imageNameFuture(options)) + processOptions(options) + dependsOn mockDatadogAgent + withCreateContainerCmdModifier(cmd -> { + cmd.hostConfig.withInit(true) + }) + withExposedPorts(80) + } + + private static Future imageNameFuture(Map options) { + var ret = SettableFuture.create() + options['imageNameFuture'] = ret + (Future)ret + } + + @Override + protected void configure() { + Testcontainers.exposeHostPorts(mockDatadogAgent.port) + withEnv 'DD_AGENT_HOST', 'host.testcontainers.internal' + withEnv 'DD_TRACE_AGENT_PORT', mockDatadogAgent.port as String + withEnv 'DD_TRACE_GENERATE_ROOT_SPAN', '1' + withEnv 'DD_TRACE_ENABLED', '1' + withEnv 'DD_SERVICE', 'appsec_int_tests' + withEnv 'DD_ENV', 'integration' + withEnv 'DD_TRACE_AGENT_FLUSH_AFTER_N_REQUESTS', '0' + withEnv 'DD_TRACE_DEBUG', '1' + withEnv 'DD_AUTOLOAD_NO_COMPILE', 'true' // must be exactly 'true' + if (System.getProperty('XDEBUG') == '1') { + Testcontainers.exposeHostPorts(9003) + withEnv 'XDEBUG', '1' + withEnv 'PHP_IDE_CONFIG', "serverName=appsec_int_tests" + } + } + + @Override + protected void doStart() { + super.doStart() + this.logConsumer = new Slf4jLogConsumer(DOCKER_OUTPUT_LOGGER) + followOutput(logConsumer) + overlayWww() + runInitialize() + } + + Object nextCapturedTrace() { + mockDatadogAgent.nextTrace(15000) + } + + void assertNoTraces() { + List traces = mockDatadogAgent.drainTraces() + if (traces.size() > 0) { + throw new AssertionError((Object)"Got traces that were not fetched: $traces") + } + } + + void clearTraces() { + mockDatadogAgent.drainTraces() + } + + void close() { + copyLogs() + super.close() + } + + private static final Random RAND = new Random() + + URI buildURI(String path) { + URI.create("http://${host}:${firstMappedPort}$path") + } + + HttpRequest.Builder buildReq(String path) { + BigInteger traceId = new BigInteger(64, RAND) + + HttpRequest.newBuilder(buildURI(path)) + .header('x-datadog-trace-id', traceId.toString()) + } + + Trace traceFromRequest(String path, + @ClosureParams(value = FromAbstractTypeMethods, + options = ['java.net.http.HttpResponse']) + Closure doWithConn = null) { + HttpRequest req = buildReq(path).GET().build() + traceFromRequest(req, HttpResponse.BodyHandlers.ofInputStream(), doWithConn) + } + + @CompileStatic(TypeCheckingMode.SKIP) + Trace traceFromRequest(HttpRequest req, + HttpResponse.BodyHandler bodyHandler, + @ClosureParams(value = FromString, + options = 'java.net.http.HttpResponse') + Closure doWithResp = null) { + + String traceId = req.headers().map().get('x-datadog-trace-id').first() + if (!traceId) { + throw new IllegalArgumentException("use createReq to create the request") + } + + log.info "New request to {} with trace id {}", req.uri(), traceId + + HttpResponse resp = httpClient.send(req, bodyHandler) + Throwable savedThrowable + try { + if (doWithResp) { + doWithResp.call(resp) + } + } catch (Throwable t) { + // don't throw right now. Give an opportunity for a trace to be sent + // so that this trace doesn't show up on the next test + savedThrowable = t + } + + if (resp.body() instanceof InputStream) { + ((InputStream)resp.body()).close() + } + + Trace trace + if (savedThrowable) { + try { + nextCapturedTrace() + } finally { + throw savedThrowable + } + } else { + trace = nextCapturedTrace() + } + assert trace.size() >= 1 + + BigInteger gottenTraceId = trace.traceId + BigInteger expectedTraceId = new BigInteger(traceId, 10) + if (gottenTraceId != expectedTraceId) { + throw new AssertionError("Mismatched trace id gotten after request to ${req.uri()}: " + + "expected ${expectedTraceId}, but got ${gottenTraceId}") + } + trace + } + + private void processOptions(Map options) { + String workVolume = options['workVolume'] + String baseTag = options['baseTag'] + String phpVersion = options['phpVersion'] + String phpVariant = options['phpVariant'] + + if (!workVolume || !baseTag || !phpVersion || !phpVariant) { + throw new RuntimeException('one of workVolume, baseTag, phpVersion, phpVariant is missing') + } + + String tag = "$baseTag-$phpVersion-$phpVariant" + this.imageName = "datadog/dd-appsec-php-ci:$tag" + + privilegedMode = true + + String wwwDir ="src/test/www/${options.get('www', 'base')}" + + withFileSystemBind('../../..', '/project', BindMode.READ_ONLY) + withFileSystemBind(wwwDir, '/test-resources', BindMode.READ_ONLY) + withFileSystemBind('src/test/waf/recommended.json', + '/etc/recommended.json', BindMode.READ_ONLY) + withFileSystemBind('src/test/bin/enable_extensions.sh', + '/usr/local/bin/enable_extensions.sh', BindMode.READ_ONLY) + addVolumeMount("php-appsec-$phpVersion-$phpVariant", '/appsec') + addVolumeMount("php-tracer-$phpVersion-$phpVariant", '/project/tmp') + + String fullWorkVolume = "php-workvol-$workVolume-$phpVersion-$phpVariant" + + ensureVolume(fullWorkVolume) + addVolumeMount(fullWorkVolume, '/overlay') + + ensureVolume('php-composer-cache') + addVolumeMount('php-composer-cache', '/root/.composer/cache') + + File composerFile + if (phpVersion in ['7.0', '7.1']) { + composerFile = new File('build/composer-2.2.x.phar') + } else { + composerFile = new File('build/composer-2.6.6.phar') + } + withFileSystemBind(composerFile.absolutePath, '/usr/local/bin/composer', BindMode.READ_ONLY) + + this.logsDir = new File("build/test-logs/$workVolume-$phpVersion-$phpVariant") + + if (new File(wwwDir, 'run.sh').exists()) { + withCreateContainerCmdModifier { it.withEntrypoint('/bin/bash') } + withCommand '-e', '-c', 'while [[ ! -f /var/www/run.sh ]]; do sleep 0.3; done; /var/www/run.sh' + } + + ((SettableFuture)options['imageNameFuture']).set(this.imageName) + } + + private void ensureVolume(String volumeName) { + try { + dockerClient.inspectVolumeCmd(volumeName).exec() + } catch (NotFoundException e) { + dockerClient.createVolumeCmd().withName(volumeName).exec() + } + } + + private void addVolumeMount(String volumeName, String mountPoint) { + Consumer volumeModifier = { CreateContainerCmd cmd -> + Bind[] binds = cmd.hostConfig.binds + Bind[] newBinds = new Bind[binds.length + 1] + System.arraycopy(binds, 0, newBinds, 0, binds.length) + newBinds[binds.length] = new Bind(volumeName, new Volume(mountPoint)) + cmd.hostConfig.withBinds(newBinds) + } + withCreateContainerCmdModifier(volumeModifier) + } + + private void overlayWww() { + ExecResult res = execInContainer('mkdir', '-p', '/var/www', '/overlay/www_upperdir', '/overlay/www_workdir') + if (res.exitCode != 0) { + throw new RuntimeException('failed creating directories: ' + res.stderr) + } + + res = execInContainer('mount', '-t', 'overlay', '-o', + 'lowerdir=/test-resources,upperdir=/overlay/www_upperdir,workdir=/overlay/www_workdir', + 'overlay', '/var/www') + if (res.exitCode != 0) { + throw new RuntimeException('failed mounting overlay: ' + res.stderr) + } + } + + private void runInitialize() { + execInContainerWithOutput('/bin/bash', '-c', ''' + if [[ -f /var/www/initialize.sh ]]; then + /var/www/initialize.sh + fi + ''') + } + + private void execInContainerWithOutput(String... cmd) { + ExecCreateCmdResponse exec = dockerClient.execCreateCmd(containerId) + .withAttachStdout(true).withAttachStderr(true).withCmd(cmd).exec() + + try (FrameConsumerResultCallback callback = new FrameConsumerResultCallback()) { + callback.addConsumer(OutputFrame.OutputType.STDOUT, logConsumer) + callback.addConsumer(OutputFrame.OutputType.STDERR, logConsumer) + + dockerClient.execStartCmd(exec.id).exec(callback).awaitCompletion() + } + + Long exitCode = dockerClient.inspectExecCmd(exec.id).exec().exitCodeLong + + if (exitCode != 0) { + throw new RuntimeException("Failed to execute command ${cmd.join(' ')}") + } + } + + private void copyLogs() { + ExecResult res = execInContainer('find', '/tmp/logs', '-type', 'f') + if (res.exitCode != 0) { + log.error("Could not find logs to copy: $res.stderr") + return + } + + logsDir.mkdirs() + + res.stdout.eachLine { + it = it.trim() + if (it) { + copyFileFromContainer(it, new File(logsDir, new File(it).name).absolutePath) + } + } + } +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/FailOnUnmatchedTraces.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/FailOnUnmatchedTraces.groovy new file mode 100644 index 00000000000..c1ccfe70253 --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/FailOnUnmatchedTraces.groovy @@ -0,0 +1,14 @@ +package com.datadog.appsec.php.docker + +import org.junit.jupiter.api.extension.ExtendWith + +import java.lang.annotation.ElementType +import java.lang.annotation.Retention +import java.lang.annotation.RetentionPolicy +import java.lang.annotation.Target + +@Target(ElementType.FIELD) +@Retention(RetentionPolicy.RUNTIME) +@ExtendWith(FailOnUnmatchedTracesExtension) +@interface FailOnUnmatchedTraces { +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/FailOnUnmatchedTracesExtension.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/FailOnUnmatchedTracesExtension.groovy new file mode 100644 index 00000000000..5701e520fb3 --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/FailOnUnmatchedTracesExtension.groovy @@ -0,0 +1,29 @@ +package com.datadog.appsec.php.docker + +import org.junit.jupiter.api.extension.AfterEachCallback +import org.junit.jupiter.api.extension.ExtensionContext +import org.junit.platform.commons.support.AnnotationSupport + +import java.lang.reflect.Field + +class FailOnUnmatchedTracesExtension implements AfterEachCallback { + @Override + void afterEach(ExtensionContext context) throws Exception { + context.getTestInstance().ifPresent(testInstance -> { + List containerFields = + AnnotationSupport.findAnnotatedFields(testInstance.getClass(), FailOnUnmatchedTraces) + containerFields.each {f -> + def container = f.get(testInstance) + if (!(container instanceof AppSecContainer)) { + throw new RuntimeException( + '@FailOnUnmatchedTraces can only be applied to AppSecContainer fields') + } + if (context.executionException.present) { + container.clearTraces() + } else { + container.assertNoTraces() + } + } + }); + } +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/InspectContainerHelper.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/InspectContainerHelper.groovy new file mode 100644 index 00000000000..231b6bed473 --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/InspectContainerHelper.groovy @@ -0,0 +1,18 @@ +package com.datadog.appsec.php.docker + +import com.datadog.appsec.php.mock_agent.MockDatadogAgent + +class InspectContainerHelper { + static run(AppSecContainer container) { + MockDatadogAgent agent = new MockDatadogAgent() + agent.start() + container.start() + System.sleep 1_000 // so our output more likely shows at the bottom + System.out.println "Server available at ${container.buildURI('/')}" + System.out.println "Inspect container with docker exec -it ${container.getContainerId()} /bin/bash" + System.out.println "Press ENTER to stop container" + System.in.read() + container.stop() + agent.stop() + } +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/InfoHandler.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/InfoHandler.groovy new file mode 100644 index 00000000000..3ef291b2957 --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/InfoHandler.groovy @@ -0,0 +1,22 @@ +package com.datadog.appsec.php.mock_agent + +import io.javalin.http.Context +import io.javalin.http.Handler +import org.jetbrains.annotations.NotNull + +@Singleton +class InfoHandler implements Handler { + @Override + void handle(@NotNull Context ctx) throws Exception { + ctx.json(InfoResponse.instance) + } + + @Singleton + static class InfoResponse { + String version = '7.49.0' + List endpoints = [ + '/v0.4/traces' + ] + } + +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/MockDatadogAgent.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/MockDatadogAgent.groovy new file mode 100644 index 00000000000..aa869535fbe --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/MockDatadogAgent.groovy @@ -0,0 +1,63 @@ +package com.datadog.appsec.php.mock_agent + + +import com.datadog.appsec.php.model.Trace +import groovy.transform.CompileStatic +import groovy.util.logging.Slf4j +import io.javalin.Javalin +import org.testcontainers.lifecycle.Startable + +@Slf4j +@CompileStatic +class MockDatadogAgent implements Startable { + boolean started + Javalin httpServer + + TracesV04Handler tracesHandler = TracesV04Handler.instance + + @Override + void start() { + this.httpServer = Javalin.create(config -> { + config.showJavalinBanner = false + }) + started = true + + this.httpServer.post('v0.4/traces', tracesHandler) + this.httpServer.put('v0.4/traces', tracesHandler) + this.httpServer.get('info', InfoHandler.instance) + + this.httpServer.start(0) + } + + int getPort() { + this.httpServer.port() + } + + @Override + void stop() { + // some problem here. It seems jetty threads are still live after stop() is called + this.httpServer.stop() + started = false + } + + static void main(String[] args) { + def ddAgent = new MockDatadogAgent() + ddAgent.start() + try { + while (true) { + println ddAgent.nextTrace(3600000) + } + } catch (InterruptedException ie) { + System.err.println 'Exiting' + ddAgent.stop() + } + } + + Trace nextTrace(int timeoutInMs) { + tracesHandler.nextTrace(timeoutInMs) + } + + List drainTraces() { + tracesHandler.drainTraces() + } +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/MsgpackHelper.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/MsgpackHelper.groovy new file mode 100644 index 00000000000..789a806c6b2 --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/MsgpackHelper.groovy @@ -0,0 +1,62 @@ +package com.datadog.appsec.php.mock_agent + +import com.google.common.collect.Lists +import com.google.common.collect.Maps +import org.msgpack.core.MessageFormat +import org.msgpack.core.MessageUnpacker +import org.msgpack.value.ValueType + +class MsgpackHelper { + + static Object unpackSingle(MessageUnpacker unpacker) { + MessageFormat format = unpacker.nextFormat + ValueType type = format.valueType + switch (type) { + case ValueType.NIL: + unpacker.unpackNil() + return null + case ValueType.BOOLEAN: + return unpacker.unpackBoolean(); + case ValueType.INTEGER: + switch (format) { + case MessageFormat.UINT64: + return unpacker.unpackBigInteger() + case MessageFormat.INT64: + case MessageFormat.UINT32: + return unpacker.unpackLong() + default: + return unpacker.unpackInt() + } + case ValueType.FLOAT: + return unpacker.unpackDouble() + case ValueType.STRING: + return unpacker.unpackString() + case ValueType.BINARY: { + int length = unpacker.unpackBinaryHeader() + byte[] data = new byte[length] + unpacker.readPayload(data) + return data + } + case ValueType.ARRAY: { + int length = unpacker.unpackArrayHeader() + def ret = Lists.newArrayListWithCapacity(length) + for (int i = 0; i < length; i++) { + ret << unpackSingle(unpacker) + } + return ret + } + case ValueType.MAP: { + int length = unpacker.unpackMapHeader() + def ret = Maps.newHashMapWithExpectedSize(length) + for (int i = 0; i < length; i++) { + def key = unpackSingle(unpacker) + def value = unpackSingle(unpacker) + ret[key] = value + } + return ret + } + case ValueType.EXTENSION: + return null + } + } +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/TracesV04Handler.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/TracesV04Handler.groovy new file mode 100644 index 00000000000..72026e36146 --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/mock_agent/TracesV04Handler.groovy @@ -0,0 +1,109 @@ +package com.datadog.appsec.php.mock_agent + +import com.datadog.appsec.php.model.Mapper +import com.datadog.appsec.php.model.Span +import com.datadog.appsec.php.model.Trace +import groovy.transform.CompileStatic +import groovy.util.logging.Slf4j +import io.javalin.http.BadRequestResponse +import io.javalin.http.Context +import io.javalin.http.Handler +import org.jetbrains.annotations.NotNull +import org.msgpack.core.MessagePack +import org.msgpack.core.MessageUnpacker + +@Slf4j +@CompileStatic +@Singleton +class TracesV04Handler implements Handler { + private final static String PUT_TRACES_RESPONSE = + '{"rate_by_service":{"service:appsec_int_tests,env:integration":1}}' + + final List capturedTraces = [] + AssertionError savedError + + @Override + void handle(@NotNull Context ctx) { + if (ctx.header('x-datadog-diagnostic-check') == '1') { + // we could check the validity of the input + log.info("Diagnostic check with body: ${ctx.body()}") + return + } + + List traces + AssertionError error + try { + ctx.bodyInputStream().withCloseable { + traces = readTraces(it) + } + } catch (AssertionError e) { + log.error("Error reading traces: $e.message") + error = e + } + + // response + ctx.contentType('application/json') + .result(PUT_TRACES_RESPONSE) + + if (traces) { + synchronized (capturedTraces) { + capturedTraces.addAll traces + capturedTraces.notify() + } + } + if (error) { + synchronized (capturedTraces) { + savedError = error + capturedTraces.notify() + throw new BadRequestResponse(error.message) + } + } + + } + + Trace nextTrace(long timeoutInMs) { + def traceUntyped + synchronized (capturedTraces) { + if (savedError) { + throw savedError + } + if (capturedTraces.size() == 0) { + log.info("Waiting up to $timeoutInMs ms for a trace") + capturedTraces.wait(timeoutInMs) + if (savedError) { + throw new AssertionError('Error in mock agent http thread', savedError) + } + if (capturedTraces.size() == 0) { + throw new AssertionError("No trace gotten within $timeoutInMs ms" as Object) + } else { + log.info('Wait finished. Last gotten: {}', capturedTraces.last()) + if (capturedTraces.size() > 1) { + log.info("There are a total of ${capturedTraces.size()} traces stored") + } + } + } + traceUntyped = capturedTraces.pop() + } + Mapper.INSTANCE.convertValue(traceUntyped, Trace) + } + + List drainTraces() { + List traces = [] + synchronized (capturedTraces) { + while (!capturedTraces.empty) { + traces.push(capturedTraces.pop()) + } + } + traces + } + + private static List readTraces(InputStream is) { + List traces = [] + MessageUnpacker unpacker = MessagePack.newDefaultUnpacker(is) + while (unpacker.hasNext()) { + traces << MsgpackHelper.unpackSingle(unpacker) + } + + traces.first() as List ?: [] + } +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/model/Mapper.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/model/Mapper.groovy new file mode 100644 index 00000000000..e86177ef8c8 --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/model/Mapper.groovy @@ -0,0 +1,18 @@ +package com.datadog.appsec.php.model + +import com.fasterxml.jackson.core.JsonParser +import com.fasterxml.jackson.databind.DeserializationContext +import com.fasterxml.jackson.databind.JsonDeserializer +import com.fasterxml.jackson.databind.ObjectMapper +import com.fasterxml.jackson.databind.module.SimpleModule + +class Mapper { + public static final ObjectMapper INSTANCE = createMapper() + + private static ObjectMapper createMapper() { + ObjectMapper mapper = new ObjectMapper() + SimpleModule module = new SimpleModule() + module.addDeserializer(Trace, new Trace.TraceDeserializer()) + mapper.registerModule(module) + } +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/model/Span.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/model/Span.groovy new file mode 100644 index 00000000000..3c43efd2d4f --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/model/Span.groovy @@ -0,0 +1,25 @@ +package com.datadog.appsec.php.model + +import com.fasterxml.jackson.annotation.JsonProperty + +class Span { + @JsonProperty("trace_id") + BigInteger traceId + + @JsonProperty("span_id") + BigInteger spanId + + @JsonProperty("parent_id") + BigInteger parentId + + boolean error + + Long start + Long duration + String name + String resource + String service + String type + Map meta + Map metrics +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/model/Trace.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/model/Trace.groovy new file mode 100644 index 00000000000..58e16acc955 --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/model/Trace.groovy @@ -0,0 +1,25 @@ +package com.datadog.appsec.php.model + +import com.fasterxml.jackson.core.JsonParser +import com.fasterxml.jackson.core.type.TypeReference +import com.fasterxml.jackson.databind.DeserializationContext +import com.fasterxml.jackson.databind.JsonDeserializer +import com.fasterxml.jackson.databind.ObjectMapper + +class Trace implements List { + BigInteger getTraceId() { + spans.first().traceId + } + + @Delegate + List spans + + static class TraceDeserializer extends JsonDeserializer { + @Override + Trace deserialize(JsonParser jp, DeserializationContext ctxt) { + ObjectMapper mapper = (ObjectMapper) jp.getCodec() + List spans = mapper.readValue(jp, new TypeReference>() {}) + new Trace(spans: spans) + } + } +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/test/JsonMatcher.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/test/JsonMatcher.groovy new file mode 100644 index 00000000000..d584091dab3 --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/test/JsonMatcher.groovy @@ -0,0 +1,181 @@ +package com.datadog.appsec.php.test + +import com.fasterxml.jackson.databind.JsonNode +import com.fasterxml.jackson.databind.ObjectMapper +import com.fasterxml.jackson.databind.ObjectReader +import com.fasterxml.jackson.databind.node.ArrayNode +import com.flipkart.zjsonpatch.DiffFlags +import com.flipkart.zjsonpatch.JsonDiff +import org.hamcrest.BaseMatcher +import org.hamcrest.Description +import org.hamcrest.Matcher + +/** + * Adapted from WireMock's EqualToJsonPattern: + * + * LICENSE: https://github.com/tomakehurst/wiremock/blob/28c5e6737caa7887e2070033bd361501e12ea3ee/LICENSE.txt + * Original: https://github.com/tomakehurst/wiremock/blob/28c5e6737caa7887e2070033bd361501e12ea3ee/src/main/java/com/github/tomakehurst/wiremock/matching/EqualToJsonPattern.java + * + */ +class JsonMatcher extends BaseMatcher { + + private final static ObjectReader READER = new ObjectMapper().readerFor(JsonNode) + private final JsonNode expected + private final boolean ignoreArrayOrder + boolean ignoreExtraElements + + private JsonMatcher(String expectedJson, boolean ignoreArrayOrder, boolean ignoreExtraElements) { + this.expected = READER.readTree(expectedJson) + this.ignoreArrayOrder = ignoreArrayOrder + this.ignoreExtraElements = ignoreExtraElements + } + + static Matcher matchesJson(String expectedJson) { + return new JsonMatcher(expectedJson, false, false) + } + + static Matcher matchesJson(String expectedJson, + boolean ignoreArrayOrder, + boolean ignoreExtraElements) { + return new JsonMatcher(expectedJson, ignoreArrayOrder, ignoreExtraElements) + } + + @Override + boolean matches(Object value) { + final JsonNode actual = READER.readTree(value as String) + + + if (!ignoreArrayOrder && !ignoreExtraElements) { + return Objects.equals(actual, expected) + } + + getDistance(actual) == 0.0 + } + + + private double getDistance(JsonNode actual) { + EnumSet flags = EnumSet.of(com.flipkart.zjsonpatch.DiffFlags.OMIT_COPY_OPERATION) + ArrayNode diff = JsonDiff.asJson(expected, actual, flags) + + double maxNodes = maxDeepSize(expected, actual) + return diffSize(diff) / maxNodes + } + + + private static int maxDeepSize(JsonNode one, JsonNode two) { + Math.max(deepSize(one), deepSize(two)) + } + + private static int deepSize(JsonNode node) { + if (node == null) { + return 0 + } + + int acc = 1 + if (node.isContainerNode()) { + for (JsonNode child : node) { + acc++ + if (child.isContainerNode()) { + acc += deepSize(child) + } + } + } + + acc + } + + + private int diffSize(ArrayNode diff) { + int acc = 0 + for (JsonNode child: diff) { + String operation = child.findValue('op').textValue() + JsonNode pathString = getFromPathString(operation, child) + List path = getPath(pathString.textValue()) + if (!arrayOrderIgnoredAndIsArrayMove(operation, path) && !extraElementsIgnoredAndIsAddition(operation)) { + JsonNode valueNode = operation == 'remove' ? null : child.findValue('value') + JsonNode referencedExpectedNode = getNodeAtPath(expected, pathString) + if (valueNode == null) { + acc += deepSize(referencedExpectedNode) + } else { + acc += maxDeepSize(referencedExpectedNode, valueNode) + } + } + } + + acc + } + + private static JsonNode getFromPathString(String operation, JsonNode node) { + if (operation == 'move') { + return node.findValue('from') + } + + node.findValue('path') + } + + + private static JsonNode getNodeAtPath(JsonNode rootNode, JsonNode path) { + String pathString = path.toString() == '"/"' ? '""' : path.toString() + getNode(rootNode, getPath(pathString), 1) + } + + + private static JsonNode getNode(JsonNode ret, List path, int pos) { + if (pos >= path.size()) { + return ret + } + + if (ret == null) { + return null + } + + String key = path.get(pos) + if (ret.isArray()) { + int keyInt = Integer.parseInt(key.replaceAll('"', '')) + return getNode(ret.get(keyInt), path, ++pos) + } else if (ret.isObject()) { + if (ret.has(key)) { + return getNode(ret.get(key), path, ++pos) + } + null + } else { + ret + } + } + + private boolean arrayOrderIgnoredAndIsArrayMove(String operation, List path) { + operation == 'move' && path[-1].isNumber() && ignoreArrayOrder + } + + private boolean extraElementsIgnoredAndIsAddition(String operation) { + operation == 'add' && ignoreExtraElements + } + + private static List getPath(String path) { + List paths = path.replaceAll('"', '').split('/') as List + paths.collect { + it.replaceAll('~1', '/').replaceAll('~0', '~') + } + } + + @Override + void describeTo(Description description) { + description.appendText(expected.toPrettyString()) + if (ignoreArrayOrder) { + description.appendText(' ignoring array order') + } + if (ignoreExtraElements) { + description.appendText(' ignoring extra elements') + } + } + + @Override + void describeMismatch(Object item, Description description) { + JsonNode actual = READER.readTree item.toString() + String actualPrinted = actual.toPrettyString() + description.appendText('was ').appendText(actualPrinted) + description.appendText('\n\ndiff is ') + ArrayNode diff = JsonDiff.asJson(this.expected, actual) + description.appendText(diff.toPrettyString()) + } +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/test/NotifyTestLifecycle.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/test/NotifyTestLifecycle.groovy new file mode 100644 index 00000000000..6aabaa55544 --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/test/NotifyTestLifecycle.groovy @@ -0,0 +1,25 @@ +package com.datadog.appsec.php.test + +import groovy.util.logging.Slf4j +import org.junit.jupiter.api.extension.AfterEachCallback +import org.junit.jupiter.api.extension.BeforeEachCallback +import org.junit.jupiter.api.extension.ExtensionContext + +@Slf4j +class NotifyTestLifecycle implements BeforeEachCallback, AfterEachCallback { + @Override + void beforeEach(ExtensionContext context) throws Exception { + log.info("Starting test ${context.displayName}") + } + + @Override + void afterEach(ExtensionContext context) throws Exception { + if (context.executionException.present) { + def e = context.executionException.get() + log.error("Finished test ${context.displayName} (failed with exception: ${e.message})") + } else { + log.info("Finished test ${context.displayName} (success)") + } + + } +} diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/test/StopContainerExtension.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/test/StopContainerExtension.groovy new file mode 100644 index 00000000000..bcf4f04c5c1 --- /dev/null +++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/test/StopContainerExtension.groovy @@ -0,0 +1,22 @@ +package com.datadog.appsec.php.test + +import org.junit.jupiter.api.extension.AfterAllCallback +import org.junit.jupiter.api.extension.ExtensionContext + +class StopContainerExtension implements AfterAllCallback { + @Override + void afterAll(ExtensionContext context) { + Class testClass = context.requiredTestClass + try { + def containerField = testClass.getDeclaredField('CONTAINER') + containerField.accessible = true + + def container = containerField.get(null) // Assuming the field is static + container?.close() + } catch (NoSuchFieldException ignored) { + // No action needed if the field does not exist + } catch (Exception e) { + throw new RuntimeException("Error stopping the container", e) + } + } +} diff --git a/appsec/tests/integration/src/main/resources/META-INF/services/org.junit.jupiter.api.extension.Extension b/appsec/tests/integration/src/main/resources/META-INF/services/org.junit.jupiter.api.extension.Extension new file mode 100644 index 00000000000..28a76b597a2 --- /dev/null +++ b/appsec/tests/integration/src/main/resources/META-INF/services/org.junit.jupiter.api.extension.Extension @@ -0,0 +1,2 @@ +com.datadog.appsec.php.test.NotifyTestLifecycle +com.datadog.appsec.php.test.StopContainerExtension diff --git a/appsec/tests/integration/src/main/resources/junit-platform.properties b/appsec/tests/integration/src/main/resources/junit-platform.properties new file mode 100644 index 00000000000..6efc0d5e85c --- /dev/null +++ b/appsec/tests/integration/src/main/resources/junit-platform.properties @@ -0,0 +1 @@ +junit.jupiter.extensions.autodetection.enabled=true diff --git a/appsec/tests/integration/src/main/resources/logback.xml b/appsec/tests/integration/src/main/resources/logback.xml new file mode 100644 index 00000000000..7fa772099e2 --- /dev/null +++ b/appsec/tests/integration/src/main/resources/logback.xml @@ -0,0 +1,15 @@ + + + + %d{HH:mm:ss.SSS} [%thread] %-5level %logger - %msg%n + + + + + + + + + + + diff --git a/appsec/tests/integration/src/test/bin/enable_extensions.sh b/appsec/tests/integration/src/test/bin/enable_extensions.sh new file mode 100755 index 00000000000..cb14649c552 --- /dev/null +++ b/appsec/tests/integration/src/test/bin/enable_extensions.sh @@ -0,0 +1,54 @@ +#!/bin/bash -e + +{ + echo error_log=/tmp/logs/php_error.log + echo display_errors=0 + echo error_reporting=-1 + echo max_execution_time=1800 +} >> /etc/php/php.ini + +if [[ -f /project/tmp/build_extension/modules/ddtrace.so ]]; then + echo "Enabling ddtrace" >&2 + { + echo extension=/project/tmp/build_extension/modules/ddtrace.so + echo datadog.trace.request_init_hook=/project/bridge/dd_wrap_autoloader.php + echo datadog.trace.generate_root_span=true + } >> /etc/php/php.ini +fi + +if [[ -f /appsec/ddappsec.so && -d /project ]]; then + echo "Enabling ddappsec" >&2 + { + echo extension=/appsec/ddappsec.so + echo datadog.appsec.enabled=true + echo datadog.appsec.helper_extra_args=--log_level info + echo datadog.appsec.helper_path=/appsec/ddappsec-helper + echo datadog.appsec.helper_log_file=/tmp/logs/helper.log + echo datadog.appsec.rules=/etc/recommended.json + echo datadog.appsec.log_file=/tmp/logs/appsec.log + echo datadog.appsec.log_level=debug + } >> /etc/php/php.ini +fi + +if [[ -n $XDEBUG ]]; then + echo "Enabling Xdebug" >&2 + { + echo zend_extension = xdebug.so + echo xdebug.mode = debug + echo xdebug.start_with_request = yes + echo xdebug.client_host = host.testcontainers.internal + echo xdebug.client_port = 9003 + echo xdebug.log = /tmp/logs/xdebug.log + # for xdebug 2 + echo xdebug.remote_enable = 1 + echo xdebug.remote_host = host.testcontainers.internal + echo xdebug.remote_port = 9003 + echo xdebug.remote_autostart = 1 + echo xdebug.remote_mode = req + echo xdebug.default_enable = 0 + echo xdebug.profiler_enable = 0 + echo xdebug.auto_trace = 0 + echo xdebug.coverage_enable = 0 + echo xdebug.remote_log = /tmp/logs/xdebug.log + } >> /etc/php/php.ini +fi diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/AlpineApache2FpmTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/AlpineApache2FpmTests.groovy new file mode 100644 index 00000000000..db445d31c6c --- /dev/null +++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/AlpineApache2FpmTests.groovy @@ -0,0 +1,29 @@ +package com.datadog.appsec.php.integration + +import com.datadog.appsec.php.docker.AppSecContainer +import com.datadog.appsec.php.docker.FailOnUnmatchedTraces +import groovy.util.logging.Slf4j +import org.junit.jupiter.api.condition.DisabledIf +import org.testcontainers.junit.jupiter.Container +import org.testcontainers.junit.jupiter.Testcontainers + +import static com.datadog.appsec.php.integration.TestParams.phpVersion +import static com.datadog.appsec.php.integration.TestParams.tracerVersion +import static com.datadog.appsec.php.integration.TestParams.variant + +@Testcontainers +@Slf4j +@DisabledIf('isZts') +class AlpineApache2FpmTests implements CommonTests { + static boolean zts = variant.contains('zts') + + @Container + @FailOnUnmatchedTraces + public static final AppSecContainer CONTAINER = + new AppSecContainer( + imageDir: 'alpine-apache2-fpm', + phpVersion: phpVersion, + phpVariant: variant, + tracerVersion: tracerVersion + ) +} diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Apache2FpmTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Apache2FpmTests.groovy new file mode 100644 index 00000000000..853ab1b90f6 --- /dev/null +++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Apache2FpmTests.groovy @@ -0,0 +1,80 @@ +package com.datadog.appsec.php.integration + +import com.datadog.appsec.php.docker.AppSecContainer +import com.datadog.appsec.php.docker.FailOnUnmatchedTraces +import com.datadog.appsec.php.docker.InspectContainerHelper +import groovy.util.logging.Slf4j +import org.junit.jupiter.api.Test +import org.junit.jupiter.api.condition.DisabledIf +import org.testcontainers.junit.jupiter.Container +import org.testcontainers.junit.jupiter.Testcontainers + +import java.net.http.HttpResponse + +import static com.datadog.appsec.php.integration.TestParams.getPhpVersion +import static com.datadog.appsec.php.integration.TestParams.getTracerVersion +import static com.datadog.appsec.php.integration.TestParams.getVariant +import static org.testcontainers.containers.Container.ExecResult + +@Testcontainers +@Slf4j +@DisabledIf('isZts') +class Apache2FpmTests implements CommonTests { + static boolean zts = variant.contains('zts') + + @Container + @FailOnUnmatchedTraces + public static final AppSecContainer CONTAINER = + new AppSecContainer( + workVolume: this.name, + baseTag: 'apache2-fpm-php', + phpVersion: phpVersion, + phpVariant: variant, + www: 'base', + ) + + static void main(String[] args) { + InspectContainerHelper.run(CONTAINER) + } + + @Test + void 'php-fpm -i does not launch helper'() { + ExecResult res = CONTAINER.execInContainer('mkdir', '/tmp/cli/') + + res = CONTAINER.execInContainer( + 'bash', '-c', + 'php-fpm -d extension=ddtrace.so -d extension=ddappsec.so ' + + '-d datadog.appsec.enabled=0 ' + + '-d datadog.appsec.helper_runtime_path=/tmp/cli ' + + '-i') + if (res.exitCode != 0) { + throw new AssertionError("Failed executing php-fpm -i: $res.stderr") + } + res = CONTAINER.execInContainer('/bin/bash', '-c', + 'test $(find /tmp/cli/ -maxdepth 1 -type s -name \'ddappsec_*_*.sock\' | wc -l) -eq 0') + assert res.exitCode == 0 + + res = CONTAINER.execInContainer( + 'bash', '-c', + 'php-fpm -d extension=ddtrace.so -d extension=ddappsec.so ' + + '-d datadog.appsec.enabled=1 ' + + '-d datadog.appsec.helper_runtime_path=/tmp/cli ' + + '-i') + if (res.exitCode != 0) { + throw new AssertionError("Failed executing php-fpm -i: $res.stderr") + } + res = CONTAINER.execInContainer('/bin/bash', '-c', + 'test $(find /tmp/cli/ -maxdepth 1 -type s -name \'ddappsec_*_*.sock\' | wc -l) -eq 0') + assert res.exitCode == 0 + } + + @Test + void 'Pool environment'() { + container.traceFromRequest('/poolenv.php') { HttpResponse resp -> + assert resp.statusCode() == 200 + def content = resp.body().text + + assert content.contains('Value of pool env is 10001') + } + } +} diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Apache2ModTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Apache2ModTests.groovy new file mode 100644 index 00000000000..d0b56d9304a --- /dev/null +++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Apache2ModTests.groovy @@ -0,0 +1,53 @@ +package com.datadog.appsec.php.integration + +import com.datadog.appsec.php.docker.AppSecContainer +import com.datadog.appsec.php.docker.FailOnUnmatchedTraces +import com.datadog.appsec.php.docker.InspectContainerHelper +import com.datadog.appsec.php.model.Trace +import groovy.util.logging.Slf4j +import org.junit.jupiter.api.condition.DisabledIf +import org.junit.jupiter.api.Test +import org.testcontainers.junit.jupiter.Container +import org.testcontainers.junit.jupiter.Testcontainers + +import java.net.http.HttpResponse + +import static com.datadog.appsec.php.integration.TestParams.getPhpVersion +import static com.datadog.appsec.php.integration.TestParams.getTracerVersion +import static com.datadog.appsec.php.integration.TestParams.getVariant +import static org.testcontainers.containers.Container.ExecResult + +@Testcontainers +@Slf4j +class Apache2ModTests implements CommonTests { + static boolean zts = variant.contains('zts') + + @Container + @FailOnUnmatchedTraces + public static final AppSecContainer CONTAINER = + new AppSecContainer( + workVolume: this.name, + baseTag: 'apache2-mod-php', + phpVersion: phpVersion, + phpVariant: variant, + www: 'base', + ) + + static void main(String[] args) { + InspectContainerHelper.run(CONTAINER) + } + + @Test + void 'trace without attack after soft restart'() { + ExecResult res = CONTAINER.execInContainer('service', 'apache2', 'reload') + if (res.exitCode != 0) { + throw new AssertionError("Failed reloading apache2: $res.stderr") + } + log.info "Result of restart: STDOUT: $res.stdout , STDERR: $res.stderr" + + Trace trace = CONTAINER.traceFromRequest('/hello.php') { HttpResponse it -> + assert it.body().text == 'Hello world!' + } + assert trace.first().metrics."_dd.appsec.enabled" == 1.0d + } +} diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy new file mode 100644 index 00000000000..5a95ea34e69 --- /dev/null +++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy @@ -0,0 +1,249 @@ +package com.datadog.appsec.php.integration + +import com.datadog.appsec.php.docker.AppSecContainer +import com.datadog.appsec.php.model.Span +import com.datadog.appsec.php.model.Trace +import org.junit.jupiter.api.Test +import org.testcontainers.containers.Container + +import java.net.http.HttpRequest +import java.net.http.HttpResponse + +import static com.datadog.appsec.php.test.JsonMatcher.matchesJson +import static java.net.http.HttpResponse.BodyHandlers.ofString +import static org.hamcrest.MatcherAssert.assertThat + +trait CommonTests { + + AppSecContainer getContainer() { + getClass().CONTAINER + } + + @Test + void 'user tracking'() { + def trace = container.traceFromRequest('/user_id.php') { HttpResponse resp -> + assert resp.statusCode() == 200 + } + + Span span = trace.first() + assert span.meta."usr.id" == '123456789' + assert span.meta."usr.name" == 'Jean Example' + assert span.meta."usr.email" == 'jean.example@example.com' + assert span.meta."usr.session_id" == '987654321' + assert span.meta."usr.role" == 'admin' + assert span.meta."usr.scope" == 'read:message, write:files' + } + + @Test + void 'user login success event'() { + Trace trace = container.traceFromRequest('/user_login_success.php') { HttpResponse resp -> + assert resp.statusCode() == 200 + } + + Span span = trace.first() + assert span.metrics._sampling_priority_v1 == 2.0d + assert span.meta."usr.id" == 'Admin' + assert span.meta."appsec.events.users.login.success.track" == 'true' + assert span.meta."appsec.events.users.login.success.email" == 'jean.example@example.com' + assert span.meta."appsec.events.users.login.success.session_id" == '987654321' + assert span.meta."appsec.events.users.login.success.role" == 'admin' + } + + @Test + void 'user login failure event'() { + def trace = container.traceFromRequest('/user_login_failure.php') { HttpResponse resp -> + assert resp.statusCode() == 200 + } + + Span span = trace.first() + assert span.metrics._sampling_priority_v1 == 2.0d + assert span.meta."appsec.events.users.login.failure.usr.id" == 'Admin' + assert span.meta."appsec.events.users.login.failure.usr.exists" == 'false' + assert span.meta."appsec.events.users.login.failure.track" == 'true' + assert span.meta."appsec.events.users.login.failure.email" == 'jean.example@example.com' + assert span.meta."appsec.events.users.login.failure.session_id" == '987654321' + assert span.meta."appsec.events.users.login.failure.role" == 'admin' + } + + + @Test + void 'custom event'() { + def trace = container.traceFromRequest('/custom_event.php') { resp -> + assert resp.statusCode() == 200 + } + + Span span = trace.first() + assert span.metrics._sampling_priority_v1 == 2.0d + assert span.meta."appsec.events.custom_event.track" == 'true' + assert span.meta."appsec.events.custom_event.metadata0" == 'value0' + assert span.meta."appsec.events.custom_event.metadata1" == 'value1' + assert span.meta."appsec.events.custom_event.metadata2" == 'value2' + } + + @Test + void 'sanity check against non PHP endpoint'() { + HttpRequest req = container.buildReq('/example.html').GET().build() + HttpResponse res = container.httpClient.send(req, ofString()) + assert res.statusCode() == 200 + } + + @Test + void 'trace without attack'() { + def trace = container.traceFromRequest('/phpinfo.php') { HttpResponse resp -> + assert resp.statusCode() == 200 + def content = resp.body().text + assert content.contains('module_ddtrace') + assert content.contains('module_ddappsec') + } + + Span span = trace.first() + assert span.metrics."_dd.appsec.enabled" == 1.0d + assert span.metrics."_dd.appsec.waf.duration" > 0.0d + assert span.meta."_dd.appsec.event_rules.version" != '' + } + + + @Test + void 'trace with an attack'() { + HttpRequest req = container.buildReq('/hello.php') + .header('User-Agent', 'Arachni/v1').GET().build() + def trace = container.traceFromRequest(req, ofString()) { HttpResponse resp -> + resp.body() == 'Hello world!' + } + + Span span = trace.first() + + assert span.metrics._sampling_priority_v1 == 2.0d + assert span.metrics."_dd.appsec.waf.duration" > 0.0d + assert span.meta."_dd.runtime_family" == 'php' + assert span.meta."http.useragent" == 'Arachni/v1' + def appsecJson = span.meta."_dd.appsec.json" + def expJson = '''{ + "triggers" : [ + { + "rule_matches" : [ + { + "parameters" : [ + { + "highlight" : [ + "Arachni/v" + ], + "value" : "Arachni/v1", + "address" : "server.request.headers.no_cookies", + "key_path" : [ + "user-agent" + ] + } + ], + "operator" : "match_regex", + "operator_value" : "^Arachni\\\\/v" + } + ], + "rule" : { + "name" : "Arachni" + } + } + ] + }''' + assertThat appsecJson, matchesJson(expJson, false, true) + } + + @Test + void 'test blocking'() { + // Set ip which is blocked + HttpRequest req = container.buildReq('/phpinfo.php') + .header('X-Forwarded-For', '80.80.80.80').GET().build() + def trace = container.traceFromRequest(req, ofString()) { HttpResponse re -> + assert re.statusCode() == 403 + assert re.body().contains('blocked') + } + + Span span = trace.first() + assert span.metrics."_dd.appsec.enabled" == 1.0d + assert span.metrics."_dd.appsec.waf.duration" > 0.0d + assert span.meta."_dd.appsec.event_rules.version" != '' + assert span.meta."appsec.blocked" == "true" + } + + @Test + void 'user blocking'() { + def trace = container.traceFromRequest('/user_id.php?id=user2020') { HttpResponse resp -> + assert resp.statusCode() == 403 + + def content = resp.body().text + assert content.contains('blocked') + } + + Span span = trace.first() + assert span.meta."appsec.blocked" == "true" + assert span.metrics."_dd.appsec.enabled" == 1.0d + assert span.metrics."_dd.appsec.waf.duration" > 0.0d + assert span.meta."_dd.appsec.event_rules.version" != '' + } + + @Test + void 'user login success blocking'() { + def trace = container.traceFromRequest('/user_login_success.php?id=user2020') { HttpResponse resp -> + assert resp.statusCode() == 403 + assert resp.body().text.contains('blocked') + } + + Span span = trace.first() + assert span.meta."appsec.blocked" == "true" + assert span.metrics."_dd.appsec.enabled" == 1.0d + assert span.metrics."_dd.appsec.waf.duration" > 0.0d + assert span.meta."_dd.appsec.event_rules.version" != '' + } + + @Test + void 'user redirecting'() { + def trace = container.traceFromRequest('/user_id.php?id=user2023') { HttpResponse conn -> + assert conn.statusCode() == 303 + } + + Span span = trace.first() + assert span.meta."appsec.blocked" == "true" + assert span.metrics."_dd.appsec.enabled" == 1.0d + assert span.metrics."_dd.appsec.waf.duration" > 0.0d + assert span.meta."_dd.appsec.event_rules.version" != '' + } + + @Test + void 'user login success redirecting'() { + def trace = container.traceFromRequest('/user_login_success.php?id=user2023') { HttpResponse conn -> + assert conn.statusCode() == 303 + } + + Span span = trace.first() + assert span.meta."appsec.blocked" == "true" + assert span.metrics."_dd.appsec.enabled" == 1.0d + assert span.metrics."_dd.appsec.waf.duration" > 0.0d + assert span.meta."_dd.appsec.event_rules.version" != '' + } + + @Test + void 'test redirecting'() { + // Set ip which is set to be redirected + def req = container.buildReq('/phpinfo.php') + .header('X-Forwarded-For', '80.80.80.81').GET().build() + def trace = container.traceFromRequest(req, ofString()) { HttpResponse conn -> + assert conn.statusCode() == 303 + } + + Span span = trace.first() + assert span.metrics."_dd.appsec.enabled" == 1.0d + assert span.metrics."_dd.appsec.waf.duration" > 0.0d + assert span.meta."_dd.appsec.event_rules.version" != '' + assert span.meta."appsec.blocked" == "true" + } + + @Test + void 'module does not have STATIC_TLS flag'() { + Container.ExecResult res = container.execInContainer( + 'bash', '-c', + '''! { readelf -d "$(php -r 'echo ini_get("extension_dir");')"/ddappsec.so | grep STATIC_TLS; }''') + if (res.exitCode != 0) { + throw new AssertionError("Module has STATIC_TLS flag: $res.stdout") + } + } +} diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Laravel8xTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Laravel8xTests.groovy new file mode 100644 index 00000000000..14bbfd5f079 --- /dev/null +++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Laravel8xTests.groovy @@ -0,0 +1,87 @@ +package com.datadog.appsec.php.integration + +import com.datadog.appsec.php.docker.AppSecContainer +import com.datadog.appsec.php.docker.FailOnUnmatchedTraces +import com.datadog.appsec.php.docker.InspectContainerHelper +import com.datadog.appsec.php.model.Span +import com.datadog.appsec.php.model.Trace +import org.junit.jupiter.api.Test +import org.junit.jupiter.api.condition.EnabledIf +import org.testcontainers.junit.jupiter.Container +import org.testcontainers.junit.jupiter.Testcontainers + +import java.net.http.HttpResponse + +import static com.datadog.appsec.php.integration.TestParams.getPhpVersion +import static com.datadog.appsec.php.integration.TestParams.getVariant + +@Testcontainers +@EnabledIf('isExpectedVersion') +class Laravel8xTests { + static boolean expectedVersion = phpVersion.contains('7.4') && !variant.contains('zts') + + AppSecContainer getContainer() { + getClass().CONTAINER + } + + @Container + @FailOnUnmatchedTraces + public static final AppSecContainer CONTAINER = + new AppSecContainer( + workVolume: this.name, + baseTag: 'apache2-mod-php', + phpVersion: phpVersion, + phpVariant: variant, + www: 'laravel8x', + ) + + static void main(String[] args) { + InspectContainerHelper.run(CONTAINER) + } + + @Test + void 'Login failure automated event'() { + Trace trace = container.traceFromRequest('/authenticate?email=nonExisiting@email.com') { + HttpResponse resp -> + assert resp.statusCode() == 403 + } + + Span span = trace.first() + assert span.meta."appsec.events.users.login.failure.track" == "true" + assert span.meta."_dd.appsec.events.users.login.failure.auto.mode" == "safe" + assert span.meta."appsec.events.users.login.failure.usr.exists" == "false" + assert span.metrics._sampling_priority_v1 == 2.0d + } + + @Test + void 'Login success automated event'() { + //The user ciuser@example.com is already on the DB + def trace = container.traceFromRequest('/authenticate?email=ciuser@example.com') { + HttpResponse resp -> + assert resp.statusCode() == 200 + } + + //ciuser@example.com user id is 1 + Span span = trace.first() + assert span.meta."usr.id" == "1" + assert span.meta."_dd.appsec.events.users.login.success.auto.mode" == "safe" + assert span.meta."appsec.events.users.login.success.track" == "true" + assert span.metrics._sampling_priority_v1 == 2.0d + } + + + @Test + void 'Sign up automated event'() { + def trace = container.traceFromRequest( + '/register?email=test-user-new@email.coms&name=somename&password=somepassword' + ) { HttpResponse resp -> + assert resp.statusCode() == 200 + } + + Span span = trace.first() + assert span.meta."usr.id" == "2" + assert span.meta."_dd.appsec.events.users.signup.auto.mode" == "safe" + assert span.meta."appsec.events.users.signup.track" == "true" + assert span.metrics._sampling_priority_v1 == 2.0d + } +} diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/NginxFpmTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/NginxFpmTests.groovy new file mode 100644 index 00000000000..f679392c455 --- /dev/null +++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/NginxFpmTests.groovy @@ -0,0 +1,50 @@ +package com.datadog.appsec.php.integration + +import com.datadog.appsec.php.docker.AppSecContainer +import com.datadog.appsec.php.docker.FailOnUnmatchedTraces +import com.datadog.appsec.php.docker.InspectContainerHelper +import groovy.util.logging.Slf4j +import org.junit.jupiter.api.Test +import org.junit.jupiter.api.condition.DisabledIf +import org.testcontainers.junit.jupiter.Container +import org.testcontainers.junit.jupiter.Testcontainers + +import java.net.http.HttpResponse + +import static com.datadog.appsec.php.integration.TestParams.getPhpVersion +import static com.datadog.appsec.php.integration.TestParams.getTracerVersion +import static com.datadog.appsec.php.integration.TestParams.getVariant +import static org.testcontainers.containers.Container.ExecResult + +@Testcontainers +@Slf4j +@DisabledIf('isZts') +class NginxFpmTests implements CommonTests { + static boolean zts = variant.contains('zts') + + @Container + @FailOnUnmatchedTraces + public static final AppSecContainer CONTAINER = + new AppSecContainer( + workVolume: this.name, + baseTag: 'nginx-fpm-php', + phpVersion: phpVersion, + phpVariant: variant, + www: 'base', + ) + + static void main(String[] args) { + InspectContainerHelper.run(CONTAINER) + } + + @Test + void 'Pool environment'() { + container.traceFromRequest('/poolenv.php') { HttpResponse resp -> + assert resp.statusCode() == 200 + def content = resp.body().text + + assert content.contains('Value of pool env is 10001') + } + } + +} diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/RoadRunnerTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/RoadRunnerTests.groovy new file mode 100644 index 00000000000..3e6c75f332a --- /dev/null +++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/RoadRunnerTests.groovy @@ -0,0 +1,163 @@ +package com.datadog.appsec.php.integration + +import com.datadog.appsec.php.docker.AppSecContainer +import com.datadog.appsec.php.docker.FailOnUnmatchedTraces +import com.datadog.appsec.php.docker.InspectContainerHelper +import com.datadog.appsec.php.model.Mapper +import com.datadog.appsec.php.model.Span +import org.junit.jupiter.api.BeforeAll +import org.junit.jupiter.api.Test +import org.junit.jupiter.api.condition.EnabledIf +import org.testcontainers.containers.wait.strategy.HostPortWaitStrategy +import org.testcontainers.containers.wait.strategy.WaitStrategy +import org.testcontainers.containers.wait.strategy.WaitStrategyTarget +import org.testcontainers.junit.jupiter.Container +import org.testcontainers.junit.jupiter.Testcontainers + +import java.net.http.HttpRequest +import java.net.http.HttpResponse +import java.time.Duration + +import static com.datadog.appsec.php.integration.TestParams.getPhpVersion +import static com.datadog.appsec.php.integration.TestParams.getVariant +import static com.datadog.appsec.php.integration.TestParams.phpVersionAtLeast +import static java.net.http.HttpResponse.BodyHandlers.ofString +import static java.time.temporal.ChronoUnit.SECONDS + +@Testcontainers +@EnabledIf('isExpectedVersion') +class RoadRunnerTests { + static boolean expectedVersion = phpVersionAtLeast('7.4') && !variant.contains('zts') + + static void main(String[] args) { + InspectContainerHelper.run(CONTAINER) + } + + @Container + @FailOnUnmatchedTraces + public static final AppSecContainer CONTAINER = + new AppSecContainer( + workVolume: this.name, + baseTag: 'php', + phpVersion: phpVersion, + phpVariant: variant, + www: 'roadrunner', + ).with { + // we only start listening on http after run.sh has finished + setWaitStrategy(new WaitStrategy() { + @Override + void waitUntilReady(WaitStrategyTarget waitStrategyTarget) { + // we're good. Allow run.sh to run + } + + @Override + WaitStrategy withStartupTimeout(Duration startupTimeout) { + this + } + }) + it + } + + @BeforeAll + static void beforeAll() { + new HostPortWaitStrategy().withStartupTimeout(Duration.of(300, SECONDS) ).waitUntilReady(CONTAINER) + } + + @Test + void 'produces two traces for two requests'() { + def trace1 = CONTAINER.traceFromRequest('/') { HttpResponse it -> + assert it.statusCode() == 200 + assert it.headers().firstValue('Content-type').get() == 'text/plain' + assert it.body().text == 'Hello world!' + } + def trace2 = CONTAINER.traceFromRequest('/') + assert trace1.size() == 1 + assert trace2.size() == 1 + + assert trace1[0].meta['component'] == 'roadrunner' + assert trace1[0].meta['http.client_ip'] instanceof String + assert trace1[0].meta['_dd.appsec.event_rules.version'] =~ /\d+\.\d+\.\d+/ + assert trace1[0].metrics['_dd.appsec.enabled'] == 1.0d + } + + @Test + void 'blocking json on request start'() { + HttpRequest req = CONTAINER.buildReq('/') + .header('X-Forwarded-For', '80.80.80.80').GET().build() + def trace = CONTAINER.traceFromRequest(req, ofString()) { HttpResponse re -> + assert re.body().contains('"title": "You\'ve been blocked"') + assert re.statusCode() == 403 + assert re.headers().firstValue('Content-type').get() == 'application/json' + } + + Span span = trace.first() + assert span.meta."appsec.blocked" == "true" + assert span.meta."_dd.appsec.json" != null + assert span.meta.'http.status_code' == '403' + def triggers = Mapper.INSTANCE.readerFor(Map).readValue(span.meta."_dd.appsec.json") + assert triggers['triggers'][0]['rule']['name'] == 'Block IP Addresses' + } + + @Test + void 'blocking html on request start'() { + HttpRequest req = CONTAINER.buildReq('/') + .header('X-Forwarded-For', '80.80.80.80') + .header('Accept', 'text/html') + .GET().build() + def trace = CONTAINER.traceFromRequest(req, ofString()) { HttpResponse re -> + assert re.body().contains('You\'ve been blocked') + assert re.statusCode() == 403 + assert re.headers().firstValue('Content-type').get().contains('text/html') + } + + Span span = trace.first() + assert span.meta."appsec.blocked" == "true" + } + + @Test + void 'blocking forward on request start'() { + HttpRequest req = CONTAINER.buildReq('/') + .header('X-Forwarded-For', '80.80.80.81').GET().build() + def trace = CONTAINER.traceFromRequest(req, ofString()) { HttpResponse re -> + assert re.statusCode() == 303 + assert re.headers().firstValue('Location').get() == 'datadoghq.com' + } + + Span span = trace.first() + assert span.meta."appsec.blocked" == "true" + } + + @Test + void 'blocking user with html response'() { + HttpRequest req = CONTAINER.buildReq('/?user=user2020') + .header('Accept', 'text/html').GET().build() + def trace = CONTAINER.traceFromRequest(req, ofString()) { HttpResponse it -> + assert it.body().contains('You\'ve been blocked') + assert it.statusCode() == 403 + assert it.headers().firstValue('Content-type').get().contains('text/html') + } + assert trace.first().meta."appsec.blocked" == "true" + } + + @Test + void 'blocking user with redirect'() { + HttpRequest req = CONTAINER.buildReq('/?user=user2023').GET().build() + def trace = CONTAINER.traceFromRequest(req, ofString()) { HttpResponse it -> + assert it.statusCode() == 303 + assert it.headers().firstValue('Location').get() == 'datadoghq.com' + } + assert trace.first().meta."appsec.blocked" == "true" + } + + @Test + void 'blocking on response with html'() { + HttpRequest req = CONTAINER.buildReq('/?status=418') + .header('Accept', 'text/html').GET().build() + def trace = CONTAINER.traceFromRequest(req, ofString()) { HttpResponse it -> + assert it.body().contains('You\'ve been blocked') + assert it.statusCode() == 403 + assert it.headers().firstValue('Content-type').get().contains('text/html') + } + assert trace.first().meta."appsec.blocked" == "true" + } +} diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Symfony62Tests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Symfony62Tests.groovy new file mode 100644 index 00000000000..c5ac1f6dca4 --- /dev/null +++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/Symfony62Tests.groovy @@ -0,0 +1,91 @@ +package com.datadog.appsec.php.integration + +import com.datadog.appsec.php.docker.AppSecContainer +import com.datadog.appsec.php.docker.FailOnUnmatchedTraces +import com.datadog.appsec.php.docker.InspectContainerHelper +import com.datadog.appsec.php.model.Span +import com.datadog.appsec.php.model.Trace +import groovy.util.logging.Slf4j +import org.junit.jupiter.api.Test +import org.junit.jupiter.api.condition.EnabledIf +import org.testcontainers.junit.jupiter.Container +import org.testcontainers.junit.jupiter.Testcontainers + +import java.net.http.HttpRequest +import java.net.http.HttpResponse + +import static com.datadog.appsec.php.integration.TestParams.getPhpVersion +import static com.datadog.appsec.php.integration.TestParams.getVariant +import static java.net.http.HttpResponse.BodyHandlers.ofString + +@Testcontainers +@EnabledIf('isExpectedVersion') +class Symfony62Tests { + static boolean expectedVersion = phpVersion.contains('8.1') && !variant.contains('zts') + + AppSecContainer getContainer() { + getClass().CONTAINER + } + + static void main(String[] args) { + InspectContainerHelper.run(CONTAINER) + } + + @Container + @FailOnUnmatchedTraces + public static final AppSecContainer CONTAINER = + new AppSecContainer( + workVolume: this.name, + baseTag: 'apache2-mod-php', + phpVersion: phpVersion, + phpVariant: variant, + www: 'symfony62', + ) + + @Test + void 'login success automated event'() { + //The user ciuser@example.com is already on the DB + String body = '_username=test-user%40email.com&_password=test' + HttpRequest req = container.buildReq('/login') + .header('Content-Type', 'application/x-www-form-urlencoded') + .POST(HttpRequest.BodyPublishers.ofString(body)).build() + def trace = container.traceFromRequest(req, ofString()) { HttpResponse resp -> + assert resp.statusCode() == 302 + } + Span span = trace.first() + assert span.meta."_dd.appsec.events.users.login.success.auto.mode" == "safe" + assert span.meta."appsec.events.users.login.success.track" == "true" + assert span.metrics._sampling_priority_v1 == 2.0d + } + + @Test + void 'login failure automated event'() { + String body = '_username=aa&_password=ee' + HttpRequest req = container.buildReq('/login') + .header('Content-Type', 'application/x-www-form-urlencoded') + .POST(HttpRequest.BodyPublishers.ofString(body)).build() + Trace trace = container.traceFromRequest(req, ofString()) { HttpResponse resp -> + assert resp.statusCode() == 302 + } + Span span = trace.first() + assert span.meta."appsec.events.users.login.failure.track" == 'true' + assert span.meta."_dd.appsec.events.users.login.failure.auto.mode" == 'safe' + assert span.meta."appsec.events.users.login.failure.usr.exists" == 'false' + assert span.metrics._sampling_priority_v1 == 2.0d + } + + @Test + void 'sign up automated event'() { + String body = 'registration_form[email]=some@email.com®istration_form[plainPassword]=somepassword®istration_form[agreeTerms]=1' + HttpRequest req = container.buildReq('/register') + .header('Content-Type', 'application/x-www-form-urlencoded') + .POST(HttpRequest.BodyPublishers.ofString(body)).build() + def trace = container.traceFromRequest(req, ofString()) { HttpResponse resp -> + assert resp.statusCode() == 302 + } + Span span = trace.first() + assert span.meta."_dd.appsec.events.users.signup.auto.mode" == "safe" + assert span.meta."appsec.events.users.signup.track" == "true" + assert span.metrics._sampling_priority_v1 == 2.0d + } +} diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/TestParams.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/TestParams.groovy new file mode 100644 index 00000000000..4d40ede94cf --- /dev/null +++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/TestParams.groovy @@ -0,0 +1,26 @@ +package com.datadog.appsec.php.integration + +class TestParams { + static String getPhpVersion() { + System.getProperty('PHP_VERSION') ?: '' + } + static boolean phpVersionAtLeast(String requiredVersion) { + String version = System.getProperty('PHP_VERSION') + if (!version) { + return false + } + int versionI = version.split('\\.').collect { it.toInteger() }.inject(0) { + acc, it -> acc * 100 + it + } + int requiredVersionI = requiredVersion.split('\\.').collect { it.toInteger() }.inject(0) { + acc, it -> acc * 100 + it + } + versionI >= requiredVersionI + } + static String getVariant() { + System.getProperty('VARIANT') ?: '' + } + static String getTracerVersion() { + System.getProperty('TRACER_VERSION') ?: '' + } +} diff --git a/appsec/tests/integration/src/test/waf/recommended.json b/appsec/tests/integration/src/test/waf/recommended.json new file mode 100644 index 00000000000..00d2c4069cf --- /dev/null +++ b/appsec/tests/integration/src/test/waf/recommended.json @@ -0,0 +1,6743 @@ +{ + "version": "2.2", + "metadata": { + "rules_version": "1.4.3" + }, + "rules": [ + { + "id": "blk-001-001", + "name": "Block IP Addresses", + "tags": { + "type": "block_ip", + "category": "security_response" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "http.client_ip" + } + ], + "data": "blocked_ips" + }, + "operator": "ip_match" + } + ], + "transformers": [], + "on_match": [ + "block" + ] + }, + { + "id": "blk-001-002", + "name": "Block User Addresses", + "tags": { + "type": "block_user", + "category": "security_response" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "usr.id" + } + ], + "data": "blocked_users" + }, + "operator": "exact_match" + } + ], + "transformers": [], + "on_match": [ + "block" + ] + }, + { + "id": "redirect-001-001", + "name": "Redirected IP Addresses", + "tags": { + "type": "redirected_ip", + "category": "security_response" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "http.client_ip" + } + ], + "data": "redirected_ips" + }, + "operator": "ip_match" + } + ], + "transformers": [], + "on_match": [ + "redirect" + ] + }, + { + "id": "redirect-001-002", + "name": "Redirect User Addresses", + "tags": { + "type": "redirect_user", + "category": "security_response" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "usr.id" + } + ], + "data": "redirected_users" + }, + "operator": "exact_match" + } + ], + "transformers": [], + "on_match": [ + "redirect" + ] + }, + { + "id": "block-response", + "name": "Block on I'm a teapot response", + "tags": { + "type": "block_response", + "category": "security_response" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.response.status" + } + ], + "regex": "^418$", + "options": { + "case_sensitive": true + } + } + } + ], + "transformers": [], + "on_match": [ + "block" + ] + }, + { + "id": "crs-913-110", + "name": "Acunetix", + "tags": { + "type": "security_scanner", + "crs_id": "913110", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies" + } + ], + "list": [ + "acunetix-product", + "(acunetix web vulnerability scanner", + "acunetix-scanning-agreement", + "acunetix-user-agreement", + "md5(acunetix_wvs_security_test)" + ] + }, + "operator": "phrase_match" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "crs-913-120", + "name": "Known security scanner filename/argument", + "tags": { + "type": "security_scanner", + "crs_id": "913120", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + } + ], + "list": [ + "/.adsensepostnottherenonobook", + "/hello.html", + "/actsensepostnottherenonotive", + "/acunetix-wvs-test-for-some-inexistent-file", + "/antidisestablishmentarianism", + "/appscan_fingerprint/mac_address", + "/arachni-", + "/cybercop", + "/nessus_is_probing_you_", + "/nessustest", + "/netsparker-", + "/rfiinc.txt", + "/thereisnowaythat-you-canbethere", + "/w3af/remotefileinclude.html", + "appscan_fingerprint", + "w00tw00t.at.isc.sans.dfind", + "w00tw00t.at.blackhats.romanian.anti-sec" + ] + }, + "operator": "phrase_match" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "crs-920-260", + "name": "Unicode Full/Half Width Abuse Attack Attempt", + "tags": { + "type": "http_protocol_violation", + "crs_id": "920260", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + } + ], + "regex": "\\%u[fF]{2}[0-9a-fA-F]{2}", + "options": { + "case_sensitive": true, + "min_length": 6 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-921-110", + "name": "HTTP Request Smuggling Attack", + "tags": { + "type": "http_protocol_violation", + "crs_id": "921110", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + } + ], + "regex": "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d", + "options": { + "case_sensitive": true, + "min_length": 12 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "crs-921-140", + "name": "HTTP Header Injection Attack via headers", + "tags": { + "type": "http_protocol_violation", + "crs_id": "921140", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies" + } + ], + "regex": "[\\n\\r]", + "options": { + "case_sensitive": true, + "min_length": 1 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-921-160", + "name": "HTTP Header Injection Attack via payload (CR/LF and header-name detected)", + "tags": { + "type": "http_protocol_violation", + "crs_id": "921160", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.path_params" + } + ], + "regex": "[\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:", + "options": { + "case_sensitive": true, + "min_length": 3 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "crs-930-100", + "name": "Obfuscated Path Traversal Attack (/../)", + "tags": { + "type": "lfi", + "crs_id": "930100", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + }, + { + "address": "server.request.headers.no_cookies" + } + ], + "regex": "(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2,3}(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)", + "options": { + "min_length": 4 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "normalizePath" + ] + }, + { + "id": "crs-930-110", + "name": "Simple Path Traversal Attack (/../)", + "tags": { + "type": "lfi", + "crs_id": "930110", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + }, + { + "address": "server.request.headers.no_cookies" + } + ], + "regex": "(?:(?:^|[\\x5c/])\\.{2,3}[\\x5c/]|[\\x5c/]\\.{2,3}(?:[\\x5c/]|$))", + "options": { + "case_sensitive": true, + "min_length": 3 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "removeNulls" + ] + }, + { + "id": "crs-930-120", + "name": "OS File Access Attempt", + "tags": { + "type": "lfi", + "crs_id": "930120", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "list": [ + "/.htaccess", + "/.htdigest", + "/.htpasswd", + "/.addressbook", + "/.aptitude/config", + ".aws/config", + ".aws/credentials", + "/.bash_config", + "/.bash_history", + "/.bash_logout", + "/.bash_profile", + "/.bashrc", + ".cache/notify-osd.log", + ".config/odesk/odesk team.conf", + "/.cshrc", + "/.dockerignore", + ".drush/", + "/.eslintignore", + "/.fbcindex", + "/.forward", + "/.git", + ".git/", + "/.gitattributes", + "/.gitconfig", + ".gnupg/", + ".hplip/hplip.conf", + "/.ksh_history", + "/.lesshst", + ".lftp/", + "/.lhistory", + "/.lldb-history", + ".local/share/mc/", + "/.lynx_cookies", + "/.my.cnf", + "/.mysql_history", + "/.nano_history", + "/.node_repl_history", + "/.pearrc", + "/.pgpass", + "/.php_history", + "/.pinerc", + ".pki/", + "/.proclog", + "/.procmailrc", + "/.psql_history", + "/.python_history", + "/.rediscli_history", + "/.rhistory", + "/.rhosts", + "/.sh_history", + "/.sqlite_history", + ".ssh/authorized_keys", + ".ssh/config", + ".ssh/id_dsa", + ".ssh/id_dsa.pub", + ".ssh/id_rsa", + ".ssh/id_rsa.pub", + ".ssh/identity", + ".ssh/identity.pub", + ".ssh/id_ecdsa", + ".ssh/id_ecdsa.pub", + ".ssh/known_hosts", + ".subversion/auth", + ".subversion/config", + ".subversion/servers", + ".tconn/tconn.conf", + "/.tcshrc", + ".vidalia/vidalia.conf", + "/.viminfo", + "/.vimrc", + "/.www_acl", + "/.wwwacl", + "/.xauthority", + "/.zhistory", + "/.zshrc", + "/.zsh_history", + "/.nsconfig", + "data/elasticsearch", + "data/kafka", + "etc/ansible", + "etc/bind", + "etc/centos-release", + "etc/centos-release-upstream", + "etc/clam.d", + "etc/elasticsearch", + "etc/freshclam.conf", + "etc/gshadow", + "etc/gshadow-", + "etc/httpd", + "etc/kafka", + "etc/kibana", + "etc/logstash", + "etc/lvm", + "etc/mongod.conf", + "etc/my.cnf", + "etc/nuxeo.conf", + "etc/pki", + "etc/postfix", + "etc/scw-release", + "etc/subgid", + "etc/subgid-", + "etc/sudoers.d", + "etc/sysconfig", + "etc/system-release-cpe", + "opt/nuxeo", + "opt/tomcat", + "tmp/kafka-logs", + "usr/lib/rpm/rpm.log", + "var/data/elasticsearch", + "var/lib/elasticsearch", + "etc/.java", + "etc/acpi", + "etc/alsa", + "etc/alternatives", + "etc/apache2", + "etc/apm", + "etc/apparmor", + "etc/apparmor.d", + "etc/apport", + "etc/apt", + "etc/asciidoc", + "etc/avahi", + "etc/bash_completion.d", + "etc/binfmt.d", + "etc/bluetooth", + "etc/bonobo-activation", + "etc/brltty", + "etc/ca-certificates", + "etc/calendar", + "etc/chatscripts", + "etc/chromium-browser", + "etc/clamav", + "etc/cni", + "etc/console-setup", + "etc/coraza-waf", + "etc/cracklib", + "etc/cron.d", + "etc/cron.daily", + "etc/cron.hourly", + "etc/cron.monthly", + "etc/cron.weekly", + "etc/cups", + "etc/cups.save", + "etc/cupshelpers", + "etc/dbus-1", + "etc/dconf", + "etc/default", + "etc/depmod.d", + "etc/dhcp", + "etc/dictionaries-common", + "etc/dkms", + "etc/dnsmasq.d", + "etc/dockeretc/dpkg", + "etc/emacs", + "etc/environment.d", + "etc/fail2ban", + "etc/firebird", + "etc/firefox", + "etc/fonts", + "etc/fwupd", + "etc/gconf", + "etc/gdb", + "etc/gdm3", + "etc/geoclue", + "etc/ghostscript", + "etc/gimp", + "etc/glvnd", + "etc/gnome", + "etc/gnome-vfs-2.0", + "etc/gnucash", + "etc/gnustep", + "etc/groff", + "etc/grub.d", + "etc/gss", + "etc/gtk-2.0", + "etc/gtk-3.0", + "etc/hp", + "etc/ifplugd", + "etc/imagemagick-6", + "etc/init", + "etc/init.d", + "etc/initramfs-tools", + "etc/insserv.conf.d", + "etc/iproute2", + "etc/iptables", + "etc/java", + "etc/java-11-openjdk", + "etc/java-17-oracle", + "etc/java-8-openjdk", + "etc/kernel", + "etc/ld.so.conf.d", + "etc/ldap", + "etc/libblockdev", + "etc/libibverbs.d", + "etc/libnl-3", + "etc/libpaper.d", + "etc/libreoffice", + "etc/lighttpd", + "etc/logcheck", + "etc/logrotate.d", + "etc/lynx", + "etc/mail", + "etc/mc", + "etc/menu", + "etc/menu-methods", + "etc/modprobe.d", + "etc/modsecurity", + "etc/modules-load.d", + "etc/monit", + "etc/mono", + "etc/mplayer", + "etc/mpv", + "etc/muttrc.d", + "etc/mysql", + "etc/netplan", + "etc/network", + "etc/networkd-dispatcher", + "etc/networkmanager", + "etc/newt", + "etc/nghttpx", + "etc/nikto", + "etc/odbcdatasources", + "etc/openal", + "etc/openmpi", + "etc/opt", + "etc/osync", + "etc/packagekit", + "etc/pam.d", + "etc/pcmcia", + "etc/perl", + "etc/php", + "etc/pki", + "etc/pm", + "etc/polkit-1", + "etc/postfix", + "etc/ppp", + "etc/profile.d", + "etc/proftpd", + "etc/pulse", + "etc/python", + "etc/rc0.d", + "etc/rc1.d", + "etc/rc2.d", + "etc/rc3.d", + "etc/rc4.d", + "etc/rc5.d", + "etc/rc6.d", + "etc/rcs.d", + "etc/resolvconf", + "etc/rsyslog.d", + "etc/samba", + "etc/sane.d", + "etc/security", + "etc/selinux", + "etc/sensors.d", + "etc/sgml", + "etc/signon-ui", + "etc/skel", + "etc/snmp", + "etc/sound", + "etc/spamassassin", + "etc/speech-dispatcher", + "etc/ssh", + "etc/ssl", + "etc/sudoers.d", + "etc/sysctl.d", + "etc/sysstat", + "etc/systemd", + "etc/terminfo", + "etc/texmf", + "etc/thermald", + "etc/thnuclnt", + "etc/thunderbird", + "etc/timidity", + "etc/tmpfiles.d", + "etc/ubuntu-advantage", + "etc/udev", + "etc/udisks2", + "etc/ufw", + "etc/update-manager", + "etc/update-motd.d", + "etc/update-notifier", + "etc/upower", + "etc/urlview", + "etc/usb_modeswitch.d", + "etc/vim", + "etc/vmware", + "etc/vmware-installer", + "etc/vmware-vix", + "etc/vulkan", + "etc/w3m", + "etc/wireshark", + "etc/wpa_supplicant", + "etc/x11", + "etc/xdg", + "etc/xml", + "etc/redis.conf", + "etc/redis-sentinel.conf", + "etc/php.ini", + "bin/php.ini", + "etc/httpd/php.ini", + "usr/lib/php.ini", + "usr/lib/php/php.ini", + "usr/local/etc/php.ini", + "usr/local/lib/php.ini", + "usr/local/php/lib/php.ini", + "usr/local/php4/lib/php.ini", + "usr/local/php5/lib/php.ini", + "usr/local/apache/conf/php.ini", + "etc/php4.4/fcgi/php.ini", + "etc/php4/apache/php.ini", + "etc/php4/apache2/php.ini", + "etc/php5/apache/php.ini", + "etc/php5/apache2/php.ini", + "etc/php/php.ini", + "etc/php/php4/php.ini", + "etc/php/apache/php.ini", + "etc/php/apache2/php.ini", + "web/conf/php.ini", + "usr/local/zend/etc/php.ini", + "opt/xampp/etc/php.ini", + "var/local/www/conf/php.ini", + "etc/php/cgi/php.ini", + "etc/php4/cgi/php.ini", + "etc/php5/cgi/php.ini", + "home2/bin/stable/apache/php.ini", + "home/bin/stable/apache/php.ini", + "etc/httpd/conf.d/php.conf", + "php5/php.ini", + "php4/php.ini", + "php/php.ini", + "windows/php.ini", + "winnt/php.ini", + "apache/php/php.ini", + "xampp/apache/bin/php.ini", + "netserver/bin/stable/apache/php.ini", + "volumes/macintosh_hd1/usr/local/php/lib/php.ini", + "etc/mono/1.0/machine.config", + "etc/mono/2.0/machine.config", + "etc/mono/2.0/web.config", + "etc/mono/config", + "usr/local/cpanel/logs/stats_log", + "usr/local/cpanel/logs/access_log", + "usr/local/cpanel/logs/error_log", + "usr/local/cpanel/logs/license_log", + "usr/local/cpanel/logs/login_log", + "var/cpanel/cpanel.config", + "usr/local/psa/admin/logs/httpsd_access_log", + "usr/local/psa/admin/logs/panel.log", + "usr/local/psa/admin/conf/php.ini", + "etc/sw-cp-server/applications.d/plesk.conf", + "usr/local/psa/admin/conf/site_isolation_settings.ini", + "usr/local/sb/config", + "etc/sw-cp-server/applications.d/00-sso-cpserver.conf", + "etc/sso/sso_config.ini", + "etc/mysql/conf.d/old_passwords.cnf", + "var/mysql.log", + "var/mysql-bin.index", + "var/data/mysql-bin.index", + "program files/mysql/mysql server 5.0/data/{host}.err", + "program files/mysql/mysql server 5.0/data/mysql.log", + "program files/mysql/mysql server 5.0/data/mysql.err", + "program files/mysql/mysql server 5.0/data/mysql-bin.log", + "program files/mysql/mysql server 5.0/data/mysql-bin.index", + "program files/mysql/data/{host}.err", + "program files/mysql/data/mysql.log", + "program files/mysql/data/mysql.err", + "program files/mysql/data/mysql-bin.log", + "program files/mysql/data/mysql-bin.index", + "mysql/data/{host}.err", + "mysql/data/mysql.log", + "mysql/data/mysql.err", + "mysql/data/mysql-bin.log", + "mysql/data/mysql-bin.index", + "usr/local/mysql/data/mysql.log", + "usr/local/mysql/data/mysql.err", + "usr/local/mysql/data/mysql-bin.log", + "usr/local/mysql/data/mysql-slow.log", + "usr/local/mysql/data/mysqlderror.log", + "usr/local/mysql/data/{host}.err", + "usr/local/mysql/data/mysql-bin.index", + "var/lib/mysql/my.cnf", + "etc/mysql/my.cnf", + "etc/my.cnf", + "program files/mysql/mysql server 5.0/my.ini", + "program files/mysql/mysql server 5.0/my.cnf", + "program files/mysql/my.ini", + "program files/mysql/my.cnf", + "mysql/my.ini", + "mysql/my.cnf", + "mysql/bin/my.ini", + "var/postgresql/log/postgresql.log", + "usr/internet/pgsql/data/postmaster.log", + "usr/local/pgsql/data/postgresql.log", + "usr/local/pgsql/data/pg_log", + "postgresql/log/pgadmin.log", + "var/lib/pgsql/data/postgresql.conf", + "var/postgresql/db/postgresql.conf", + "var/nm2/postgresql.conf", + "usr/local/pgsql/data/postgresql.conf", + "usr/local/pgsql/data/pg_hba.conf", + "usr/internet/pgsql/data/pg_hba.conf", + "usr/local/pgsql/data/passwd", + "usr/local/pgsql/bin/pg_passwd", + "etc/postgresql/postgresql.conf", + "etc/postgresql/pg_hba.conf", + "home/postgres/data/postgresql.conf", + "home/postgres/data/pg_version", + "home/postgres/data/pg_ident.conf", + "home/postgres/data/pg_hba.conf", + "program files/postgresql/8.3/data/pg_hba.conf", + "program files/postgresql/8.3/data/pg_ident.conf", + "program files/postgresql/8.3/data/postgresql.conf", + "program files/postgresql/8.4/data/pg_hba.conf", + "program files/postgresql/8.4/data/pg_ident.conf", + "program files/postgresql/8.4/data/postgresql.conf", + "program files/postgresql/9.0/data/pg_hba.conf", + "program files/postgresql/9.0/data/pg_ident.conf", + "program files/postgresql/9.0/data/postgresql.conf", + "program files/postgresql/9.1/data/pg_hba.conf", + "program files/postgresql/9.1/data/pg_ident.conf", + "program files/postgresql/9.1/data/postgresql.conf", + "wamp/logs/access.log", + "wamp/logs/apache_error.log", + "wamp/logs/genquery.log", + "wamp/logs/mysql.log", + "wamp/logs/slowquery.log", + "wamp/bin/apache/apache2.2.22/logs/access.log", + "wamp/bin/apache/apache2.2.22/logs/error.log", + "wamp/bin/apache/apache2.2.21/logs/access.log", + "wamp/bin/apache/apache2.2.21/logs/error.log", + "wamp/bin/mysql/mysql5.5.24/data/mysql-bin.index", + "wamp/bin/mysql/mysql5.5.16/data/mysql-bin.index", + "wamp/bin/apache/apache2.2.21/conf/httpd.conf", + "wamp/bin/apache/apache2.2.22/conf/httpd.conf", + "wamp/bin/apache/apache2.2.21/wampserver.conf", + "wamp/bin/apache/apache2.2.22/wampserver.conf", + "wamp/bin/apache/apache2.2.22/conf/wampserver.conf", + "wamp/bin/mysql/mysql5.5.24/my.ini", + "wamp/bin/mysql/mysql5.5.24/wampserver.conf", + "wamp/bin/mysql/mysql5.5.16/my.ini", + "wamp/bin/mysql/mysql5.5.16/wampserver.conf", + "wamp/bin/php/php5.3.8/php.ini", + "wamp/bin/php/php5.4.3/php.ini", + "xampp/apache/logs/access.log", + "xampp/apache/logs/error.log", + "xampp/mysql/data/mysql-bin.index", + "xampp/mysql/data/mysql.err", + "xampp/mysql/data/{host}.err", + "xampp/sendmail/sendmail.log", + "xampp/apache/conf/httpd.conf", + "xampp/filezillaftp/filezilla server.xml", + "xampp/mercurymail/mercury.ini", + "xampp/php/php.ini", + "xampp/phpmyadmin/config.inc.php", + "xampp/sendmail/sendmail.ini", + "xampp/webalizer/webalizer.conf", + "opt/lampp/etc/httpd.conf", + "xampp/htdocs/aca.txt", + "xampp/htdocs/admin.php", + "xampp/htdocs/leer.txt", + "usr/local/apache/logs/audit_log", + "usr/local/apache2/logs/audit_log", + "logs/security_debug_log", + "logs/security_log", + "usr/local/apache/conf/modsec.conf", + "usr/local/apache2/conf/modsec.conf", + "winnt/system32/logfiles/msftpsvc", + "winnt/system32/logfiles/msftpsvc1", + "winnt/system32/logfiles/msftpsvc2", + "windows/system32/logfiles/msftpsvc", + "windows/system32/logfiles/msftpsvc1", + "windows/system32/logfiles/msftpsvc2", + "etc/logrotate.d/proftpd", + "www/logs/proftpd.system.log", + "etc/pam.d/proftpd", + "etc/proftp.conf", + "etc/protpd/proftpd.conf", + "etc/vhcs2/proftpd/proftpd.conf", + "etc/proftpd/modules.conf", + "etc/vsftpd.chroot_list", + "etc/logrotate.d/vsftpd.log", + "etc/vsftpd/vsftpd.conf", + "etc/vsftpd.conf", + "etc/chrootusers", + "var/adm/log/xferlog", + "etc/wu-ftpd/ftpaccess", + "etc/wu-ftpd/ftphosts", + "etc/wu-ftpd/ftpusers", + "logs/pure-ftpd.log", + "usr/sbin/pure-config.pl", + "usr/etc/pure-ftpd.conf", + "etc/pure-ftpd/pure-ftpd.conf", + "usr/local/etc/pure-ftpd.conf", + "usr/local/etc/pureftpd.pdb", + "usr/local/pureftpd/etc/pureftpd.pdb", + "usr/local/pureftpd/sbin/pure-config.pl", + "usr/local/pureftpd/etc/pure-ftpd.conf", + "etc/pure-ftpd.conf", + "etc/pure-ftpd/pure-ftpd.pdb", + "etc/pureftpd.pdb", + "etc/pureftpd.passwd", + "etc/pure-ftpd/pureftpd.pdb", + "usr/ports/ftp/pure-ftpd/pure-ftpd.conf", + "usr/ports/ftp/pure-ftpd/pureftpd.pdb", + "usr/ports/ftp/pure-ftpd/pureftpd.passwd", + "usr/ports/net/pure-ftpd/pure-ftpd.conf", + "usr/ports/net/pure-ftpd/pureftpd.pdb", + "usr/ports/net/pure-ftpd/pureftpd.passwd", + "usr/pkgsrc/net/pureftpd/pure-ftpd.conf", + "usr/pkgsrc/net/pureftpd/pureftpd.pdb", + "usr/pkgsrc/net/pureftpd/pureftpd.passwd", + "usr/ports/contrib/pure-ftpd/pure-ftpd.conf", + "usr/ports/contrib/pure-ftpd/pureftpd.pdb", + "usr/ports/contrib/pure-ftpd/pureftpd.passwd", + "usr/sbin/mudlogd", + "etc/muddleftpd/mudlog", + "etc/muddleftpd.com", + "etc/muddleftpd/mudlogd.conf", + "etc/muddleftpd/muddleftpd.conf", + "usr/sbin/mudpasswd", + "etc/muddleftpd/muddleftpd.passwd", + "etc/muddleftpd/passwd", + "etc/logrotate.d/ftp", + "etc/ftpchroot", + "etc/ftphosts", + "etc/ftpusers", + "winnt/system32/logfiles/smtpsvc", + "winnt/system32/logfiles/smtpsvc1", + "winnt/system32/logfiles/smtpsvc2", + "winnt/system32/logfiles/smtpsvc3", + "winnt/system32/logfiles/smtpsvc4", + "winnt/system32/logfiles/smtpsvc5", + "windows/system32/logfiles/smtpsvc", + "windows/system32/logfiles/smtpsvc1", + "windows/system32/logfiles/smtpsvc2", + "windows/system32/logfiles/smtpsvc3", + "windows/system32/logfiles/smtpsvc4", + "windows/system32/logfiles/smtpsvc5", + "etc/osxhttpd/osxhttpd.conf", + "system/library/webobjects/adaptors/apache2.2/apache.conf", + "etc/apache2/sites-available/default", + "etc/apache2/sites-available/default-ssl", + "etc/apache2/sites-enabled/000-default", + "etc/apache2/sites-enabled/default", + "etc/apache2/apache2.conf", + "etc/apache2/ports.conf", + "usr/local/etc/apache/httpd.conf", + "usr/pkg/etc/httpd/httpd.conf", + "usr/pkg/etc/httpd/httpd-default.conf", + "usr/pkg/etc/httpd/httpd-vhosts.conf", + "etc/httpd/mod_php.conf", + "etc/httpd/extra/httpd-ssl.conf", + "etc/rc.d/rc.httpd", + "usr/local/apache/conf/httpd.conf.default", + "usr/local/apache/conf/access.conf", + "usr/local/apache22/conf/httpd.conf", + "usr/local/apache22/httpd.conf", + "usr/local/etc/apache22/conf/httpd.conf", + "usr/local/apps/apache22/conf/httpd.conf", + "etc/apache22/conf/httpd.conf", + "etc/apache22/httpd.conf", + "opt/apache22/conf/httpd.conf", + "usr/local/etc/apache2/vhosts.conf", + "usr/local/apache/conf/vhosts.conf", + "usr/local/apache2/conf/vhosts.conf", + "usr/local/apache/conf/vhosts-custom.conf", + "usr/local/apache2/conf/vhosts-custom.conf", + "etc/apache/default-server.conf", + "etc/apache2/default-server.conf", + "usr/local/apache2/conf/extra/httpd-ssl.conf", + "usr/local/apache2/conf/ssl.conf", + "etc/httpd/conf.d", + "usr/local/etc/apache22/httpd.conf", + "usr/local/etc/apache2/httpd.conf", + "etc/apache2/httpd2.conf", + "etc/apache2/ssl-global.conf", + "etc/apache2/vhosts.d/00_default_vhost.conf", + "apache/conf/httpd.conf", + "etc/apache/httpd.conf", + "etc/httpd/conf", + "http/httpd.conf", + "usr/local/apache1.3/conf/httpd.conf", + "usr/local/etc/httpd/conf", + "var/apache/conf/httpd.conf", + "var/www/conf", + "www/apache/conf/httpd.conf", + "www/conf/httpd.conf", + "etc/init.d", + "etc/apache/access.conf", + "etc/rc.conf", + "www/logs/freebsddiary-error.log", + "www/logs/freebsddiary-access_log", + "library/webserver/documents/index.html", + "library/webserver/documents/index.htm", + "library/webserver/documents/default.html", + "library/webserver/documents/default.htm", + "library/webserver/documents/index.php", + "library/webserver/documents/default.php", + "usr/local/etc/webmin/miniserv.conf", + "etc/webmin/miniserv.conf", + "usr/local/etc/webmin/miniserv.users", + "etc/webmin/miniserv.users", + "winnt/system32/logfiles/w3svc/inetsvn1.log", + "winnt/system32/logfiles/w3svc1/inetsvn1.log", + "winnt/system32/logfiles/w3svc2/inetsvn1.log", + "winnt/system32/logfiles/w3svc3/inetsvn1.log", + "windows/system32/logfiles/w3svc/inetsvn1.log", + "windows/system32/logfiles/w3svc1/inetsvn1.log", + "windows/system32/logfiles/w3svc2/inetsvn1.log", + "windows/system32/logfiles/w3svc3/inetsvn1.log", + "apache/logs/error.log", + "apache/logs/access.log", + "apache2/logs/error.log", + "apache2/logs/access.log", + "logs/error.log", + "logs/access.log", + "etc/httpd/logs/access_log", + "etc/httpd/logs/access.log", + "etc/httpd/logs/error_log", + "etc/httpd/logs/error.log", + "usr/local/apache/logs/access_log", + "usr/local/apache/logs/access.log", + "usr/local/apache/logs/error_log", + "usr/local/apache/logs/error.log", + "usr/local/apache2/logs/access_log", + "usr/local/apache2/logs/access.log", + "usr/local/apache2/logs/error_log", + "usr/local/apache2/logs/error.log", + "var/www/logs/access_log", + "var/www/logs/access.log", + "var/www/logs/error_log", + "var/www/logs/error.log", + "opt/lampp/logs/access_log", + "opt/lampp/logs/error_log", + "opt/xampp/logs/access_log", + "opt/xampp/logs/error_log", + "opt/lampp/logs/access.log", + "opt/lampp/logs/error.log", + "opt/xampp/logs/access.log", + "opt/xampp/logs/error.log", + "program files/apache group/apache/logs/access.log", + "program files/apache group/apache/logs/error.log", + "program files/apache software foundation/apache2.2/logs/error.log", + "program files/apache software foundation/apache2.2/logs/access.log", + "opt/apache/apache.conf", + "opt/apache/conf/apache.conf", + "opt/apache2/apache.conf", + "opt/apache2/conf/apache.conf", + "opt/httpd/apache.conf", + "opt/httpd/conf/apache.conf", + "etc/httpd/apache.conf", + "etc/apache2/apache.conf", + "etc/httpd/conf/apache.conf", + "usr/local/apache/apache.conf", + "usr/local/apache/conf/apache.conf", + "usr/local/apache2/apache.conf", + "usr/local/apache2/conf/apache.conf", + "usr/local/php/apache.conf.php", + "usr/local/php4/apache.conf.php", + "usr/local/php5/apache.conf.php", + "usr/local/php/apache.conf", + "usr/local/php4/apache.conf", + "usr/local/php5/apache.conf", + "private/etc/httpd/apache.conf", + "opt/apache/apache2.conf", + "opt/apache/conf/apache2.conf", + "opt/apache2/apache2.conf", + "opt/apache2/conf/apache2.conf", + "opt/httpd/apache2.conf", + "opt/httpd/conf/apache2.conf", + "etc/httpd/apache2.conf", + "etc/httpd/conf/apache2.conf", + "usr/local/apache/apache2.conf", + "usr/local/apache/conf/apache2.conf", + "usr/local/apache2/apache2.conf", + "usr/local/apache2/conf/apache2.conf", + "usr/local/php/apache2.conf.php", + "usr/local/php4/apache2.conf.php", + "usr/local/php5/apache2.conf.php", + "usr/local/php/apache2.conf", + "usr/local/php4/apache2.conf", + "usr/local/php5/apache2.conf", + "private/etc/httpd/apache2.conf", + "usr/local/apache/conf/httpd.conf", + "usr/local/apache2/conf/httpd.conf", + "etc/httpd/conf/httpd.conf", + "etc/apache/apache.conf", + "etc/apache/conf/httpd.conf", + "etc/apache2/httpd.conf", + "usr/apache2/conf/httpd.conf", + "usr/apache/conf/httpd.conf", + "usr/local/etc/apache/conf/httpd.conf", + "usr/local/apache/httpd.conf", + "usr/local/apache2/httpd.conf", + "usr/local/httpd/conf/httpd.conf", + "usr/local/etc/apache2/conf/httpd.conf", + "usr/local/etc/httpd/conf/httpd.conf", + "usr/local/apps/apache2/conf/httpd.conf", + "usr/local/apps/apache/conf/httpd.conf", + "usr/local/php/httpd.conf.php", + "usr/local/php4/httpd.conf.php", + "usr/local/php5/httpd.conf.php", + "usr/local/php/httpd.conf", + "usr/local/php4/httpd.conf", + "usr/local/php5/httpd.conf", + "etc/apache2/conf/httpd.conf", + "etc/http/conf/httpd.conf", + "etc/httpd/httpd.conf", + "etc/http/httpd.conf", + "etc/httpd.conf", + "opt/apache/conf/httpd.conf", + "opt/apache2/conf/httpd.conf", + "var/www/conf/httpd.conf", + "private/etc/httpd/httpd.conf", + "private/etc/httpd/httpd.conf.default", + "etc/apache2/vhosts.d/default_vhost.include", + "etc/apache2/conf.d/charset", + "etc/apache2/conf.d/security", + "etc/apache2/envvars", + "etc/apache2/mods-available/autoindex.conf", + "etc/apache2/mods-available/deflate.conf", + "etc/apache2/mods-available/dir.conf", + "etc/apache2/mods-available/mem_cache.conf", + "etc/apache2/mods-available/mime.conf", + "etc/apache2/mods-available/proxy.conf", + "etc/apache2/mods-available/setenvif.conf", + "etc/apache2/mods-available/ssl.conf", + "etc/apache2/mods-enabled/alias.conf", + "etc/apache2/mods-enabled/deflate.conf", + "etc/apache2/mods-enabled/dir.conf", + "etc/apache2/mods-enabled/mime.conf", + "etc/apache2/mods-enabled/negotiation.conf", + "etc/apache2/mods-enabled/php5.conf", + "etc/apache2/mods-enabled/status.conf", + "program files/apache group/apache/conf/httpd.conf", + "program files/apache group/apache2/conf/httpd.conf", + "program files/xampp/apache/conf/apache.conf", + "program files/xampp/apache/conf/apache2.conf", + "program files/xampp/apache/conf/httpd.conf", + "program files/apache group/apache/apache.conf", + "program files/apache group/apache/conf/apache.conf", + "program files/apache group/apache2/conf/apache.conf", + "program files/apache group/apache/apache2.conf", + "program files/apache group/apache/conf/apache2.conf", + "program files/apache group/apache2/conf/apache2.conf", + "program files/apache software foundation/apache2.2/conf/httpd.conf", + "volumes/macintosh_hd1/opt/httpd/conf/httpd.conf", + "volumes/macintosh_hd1/opt/apache/conf/httpd.conf", + "volumes/macintosh_hd1/opt/apache2/conf/httpd.conf", + "volumes/macintosh_hd1/usr/local/php/httpd.conf.php", + "volumes/macintosh_hd1/usr/local/php4/httpd.conf.php", + "volumes/macintosh_hd1/usr/local/php5/httpd.conf.php", + "volumes/webbackup/opt/apache2/conf/httpd.conf", + "volumes/webbackup/private/etc/httpd/httpd.conf", + "volumes/webbackup/private/etc/httpd/httpd.conf.default", + "usr/local/etc/apache/vhosts.conf", + "usr/local/jakarta/tomcat/conf/jakarta.conf", + "usr/local/jakarta/tomcat/conf/server.xml", + "usr/local/jakarta/tomcat/conf/context.xml", + "usr/local/jakarta/tomcat/conf/workers.properties", + "usr/local/jakarta/tomcat/conf/logging.properties", + "usr/local/jakarta/dist/tomcat/conf/jakarta.conf", + "usr/local/jakarta/dist/tomcat/conf/server.xml", + "usr/local/jakarta/dist/tomcat/conf/context.xml", + "usr/local/jakarta/dist/tomcat/conf/workers.properties", + "usr/local/jakarta/dist/tomcat/conf/logging.properties", + "usr/share/tomcat6/conf/server.xml", + "usr/share/tomcat6/conf/context.xml", + "usr/share/tomcat6/conf/workers.properties", + "usr/share/tomcat6/conf/logging.properties", + "var/cpanel/tomcat.options", + "usr/local/jakarta/tomcat/logs/catalina.out", + "usr/local/jakarta/tomcat/logs/catalina.err", + "opt/tomcat/logs/catalina.out", + "opt/tomcat/logs/catalina.err", + "usr/share/logs/catalina.out", + "usr/share/logs/catalina.err", + "usr/share/tomcat/logs/catalina.out", + "usr/share/tomcat/logs/catalina.err", + "usr/share/tomcat6/logs/catalina.out", + "usr/share/tomcat6/logs/catalina.err", + "usr/local/apache/logs/mod_jk.log", + "usr/local/jakarta/tomcat/logs/mod_jk.log", + "usr/local/jakarta/dist/tomcat/logs/mod_jk.log", + "opt/[jboss]/server/default/conf/jboss-minimal.xml", + "opt/[jboss]/server/default/conf/jboss-service.xml", + "opt/[jboss]/server/default/conf/jndi.properties", + "opt/[jboss]/server/default/conf/log4j.xml", + "opt/[jboss]/server/default/conf/login-config.xml", + "opt/[jboss]/server/default/conf/standardjaws.xml", + "opt/[jboss]/server/default/conf/standardjboss.xml", + "opt/[jboss]/server/default/conf/server.log.properties", + "opt/[jboss]/server/default/deploy/jboss-logging.xml", + "usr/local/[jboss]/server/default/conf/jboss-minimal.xml", + "usr/local/[jboss]/server/default/conf/jboss-service.xml", + "usr/local/[jboss]/server/default/conf/jndi.properties", + "usr/local/[jboss]/server/default/conf/log4j.xml", + "usr/local/[jboss]/server/default/conf/login-config.xml", + "usr/local/[jboss]/server/default/conf/standardjaws.xml", + "usr/local/[jboss]/server/default/conf/standardjboss.xml", + "usr/local/[jboss]/server/default/conf/server.log.properties", + "usr/local/[jboss]/server/default/deploy/jboss-logging.xml", + "private/tmp/[jboss]/server/default/conf/jboss-minimal.xml", + "private/tmp/[jboss]/server/default/conf/jboss-service.xml", + "private/tmp/[jboss]/server/default/conf/jndi.properties", + "private/tmp/[jboss]/server/default/conf/log4j.xml", + "private/tmp/[jboss]/server/default/conf/login-config.xml", + "private/tmp/[jboss]/server/default/conf/standardjaws.xml", + "private/tmp/[jboss]/server/default/conf/standardjboss.xml", + "private/tmp/[jboss]/server/default/conf/server.log.properties", + "private/tmp/[jboss]/server/default/deploy/jboss-logging.xml", + "tmp/[jboss]/server/default/conf/jboss-minimal.xml", + "tmp/[jboss]/server/default/conf/jboss-service.xml", + "tmp/[jboss]/server/default/conf/jndi.properties", + "tmp/[jboss]/server/default/conf/log4j.xml", + "tmp/[jboss]/server/default/conf/login-config.xml", + "tmp/[jboss]/server/default/conf/standardjaws.xml", + "tmp/[jboss]/server/default/conf/standardjboss.xml", + "tmp/[jboss]/server/default/conf/server.log.properties", + "tmp/[jboss]/server/default/deploy/jboss-logging.xml", + "program files/[jboss]/server/default/conf/jboss-minimal.xml", + "program files/[jboss]/server/default/conf/jboss-service.xml", + "program files/[jboss]/server/default/conf/jndi.properties", + "program files/[jboss]/server/default/conf/log4j.xml", + "program files/[jboss]/server/default/conf/login-config.xml", + "program files/[jboss]/server/default/conf/standardjaws.xml", + "program files/[jboss]/server/default/conf/standardjboss.xml", + "program files/[jboss]/server/default/conf/server.log.properties", + "program files/[jboss]/server/default/deploy/jboss-logging.xml", + "[jboss]/server/default/conf/jboss-minimal.xml", + "[jboss]/server/default/conf/jboss-service.xml", + "[jboss]/server/default/conf/jndi.properties", + "[jboss]/server/default/conf/log4j.xml", + "[jboss]/server/default/conf/login-config.xml", + "[jboss]/server/default/conf/standardjaws.xml", + "[jboss]/server/default/conf/standardjboss.xml", + "[jboss]/server/default/conf/server.log.properties", + "[jboss]/server/default/deploy/jboss-logging.xml", + "opt/[jboss]/server/default/log/server.log", + "opt/[jboss]/server/default/log/boot.log", + "usr/local/[jboss]/server/default/log/server.log", + "usr/local/[jboss]/server/default/log/boot.log", + "private/tmp/[jboss]/server/default/log/server.log", + "private/tmp/[jboss]/server/default/log/boot.log", + "tmp/[jboss]/server/default/log/server.log", + "tmp/[jboss]/server/default/log/boot.log", + "program files/[jboss]/server/default/log/server.log", + "program files/[jboss]/server/default/log/boot.log", + "[jboss]/server/default/log/server.log", + "[jboss]/server/default/log/boot.log", + "var/lighttpd.log", + "var/logs/access.log", + "usr/local/apache2/logs/lighttpd.error.log", + "usr/local/apache2/logs/lighttpd.log", + "usr/local/apache/logs/lighttpd.error.log", + "usr/local/apache/logs/lighttpd.log", + "usr/local/lighttpd/log/lighttpd.error.log", + "usr/local/lighttpd/log/access.log", + "usr/home/user/var/log/lighttpd.error.log", + "usr/home/user/var/log/apache.log", + "home/user/lighttpd/lighttpd.conf", + "usr/home/user/lighttpd/lighttpd.conf", + "etc/lighttpd/lighthttpd.conf", + "usr/local/etc/lighttpd.conf", + "usr/local/lighttpd/conf/lighttpd.conf", + "usr/local/etc/lighttpd.conf.new", + "var/www/.lighttpdpassword", + "logs/access_log", + "logs/error_log", + "etc/nginx/nginx.conf", + "usr/local/etc/nginx/nginx.conf", + "usr/local/nginx/conf/nginx.conf", + "usr/local/zeus/web/global.cfg", + "usr/local/zeus/web/log/errors", + "opt/lsws/conf/httpd_conf.xml", + "usr/local/lsws/conf/httpd_conf.xml", + "opt/lsws/logs/error.log", + "opt/lsws/logs/access.log", + "usr/local/lsws/logs/error.log", + "usr/local/logs/access.log", + "usr/local/samba/lib/log.user", + "usr/local/logs/samba.log", + "etc/samba/netlogon", + "etc/smbpasswd", + "etc/smb.conf", + "etc/samba/dhcp.conf", + "etc/samba/smb.conf", + "etc/samba/samba.conf", + "etc/samba/smb.conf.user", + "etc/samba/smbpasswd", + "etc/samba/smbusers", + "etc/samba/private/smbpasswd", + "usr/local/etc/smb.conf", + "usr/local/samba/lib/smb.conf.user", + "etc/dhcp3/dhclient.conf", + "etc/dhcp3/dhcpd.conf", + "etc/dhcp/dhclient.conf", + "program files/vidalia bundle/polipo/polipo.conf", + "etc/tor/tor-tsocks.conf", + "etc/stunnel/stunnel.conf", + "etc/tsocks.conf", + "etc/tinyproxy/tinyproxy.conf", + "etc/miredo-server.conf", + "etc/miredo.conf", + "etc/miredo/miredo-server.conf", + "etc/miredo/miredo.conf", + "etc/wicd/dhclient.conf.template.default", + "etc/wicd/manager-settings.conf", + "etc/wicd/wired-settings.conf", + "etc/wicd/wireless-settings.conf", + "etc/ipfw.rules", + "etc/ipfw.conf", + "etc/firewall.rules", + "winnt/system32/logfiles/firewall/pfirewall.log", + "winnt/system32/logfiles/firewall/pfirewall.log.old", + "windows/system32/logfiles/firewall/pfirewall.log", + "windows/system32/logfiles/firewall/pfirewall.log.old", + "etc/clamav/clamd.conf", + "etc/clamav/freshclam.conf", + "etc/x11/xorg.conf", + "etc/x11/xorg.conf-vesa", + "etc/x11/xorg.conf-vmware", + "etc/x11/xorg.conf.beforevmwaretoolsinstall", + "etc/x11/xorg.conf.orig", + "etc/bluetooth/input.conf", + "etc/bluetooth/main.conf", + "etc/bluetooth/network.conf", + "etc/bluetooth/rfcomm.conf", + "etc/bash_completion.d/debconf", + "root/.bash_logout", + "root/.bash_history", + "root/.bash_config", + "root/.bashrc", + "etc/bash.bashrc", + "var/adm/syslog", + "var/adm/sulog", + "var/adm/utmp", + "var/adm/utmpx", + "var/adm/wtmp", + "var/adm/wtmpx", + "var/adm/lastlog/username", + "usr/spool/lp/log", + "var/adm/lp/lpd-errs", + "usr/lib/cron/log", + "var/adm/loginlog", + "var/adm/pacct", + "var/adm/dtmp", + "var/adm/acct/sum/loginlog", + "var/adm/x0msgs", + "var/adm/crash/vmcore", + "var/adm/crash/unix", + "etc/newsyslog.conf", + "var/adm/qacct", + "var/adm/ras/errlog", + "var/adm/ras/bootlog", + "var/adm/cron/log", + "etc/utmp", + "etc/security/lastlog", + "etc/security/failedlogin", + "usr/spool/mqueue/syslog", + "var/adm/messages", + "var/adm/aculogs", + "var/adm/aculog", + "var/adm/vold.log", + "var/adm/log/asppp.log", + "var/lp/logs/lpsched", + "var/lp/logs/lpnet", + "var/lp/logs/requests", + "var/cron/log", + "var/saf/_log", + "var/saf/port/log", + "tmp/access.log", + "etc/sensors.conf", + "etc/sensors3.conf", + "etc/host.conf", + "etc/pam.conf", + "etc/resolv.conf", + "etc/apt/apt.conf", + "etc/inetd.conf", + "etc/syslog.conf", + "etc/sysctl.conf", + "etc/sysctl.d/10-console-messages.conf", + "etc/sysctl.d/10-network-security.conf", + "etc/sysctl.d/10-process-security.conf", + "etc/sysctl.d/wine.sysctl.conf", + "etc/security/access.conf", + "etc/security/group.conf", + "etc/security/limits.conf", + "etc/security/namespace.conf", + "etc/security/pam_env.conf", + "etc/security/sepermit.conf", + "etc/security/time.conf", + "etc/ssh/sshd_config", + "etc/adduser.conf", + "etc/deluser.conf", + "etc/avahi/avahi-daemon.conf", + "etc/ca-certificates.conf", + "etc/ca-certificates.conf.dpkg-old", + "etc/casper.conf", + "etc/chkrootkit.conf", + "etc/debconf.conf", + "etc/dns2tcpd.conf", + "etc/e2fsck.conf", + "etc/esound/esd.conf", + "etc/etter.conf", + "etc/fuse.conf", + "etc/foremost.conf", + "etc/hdparm.conf", + "etc/kernel-img.conf", + "etc/kernel-pkg.conf", + "etc/ld.so.conf", + "etc/ltrace.conf", + "etc/mail/sendmail.conf", + "etc/manpath.config", + "etc/kbd/config", + "etc/ldap/ldap.conf", + "etc/logrotate.conf", + "etc/mtools.conf", + "etc/smi.conf", + "etc/updatedb.conf", + "etc/pulse/client.conf", + "usr/share/adduser/adduser.conf", + "etc/hostname", + "etc/networks", + "etc/timezone", + "etc/modules", + "etc/passwd", + "etc/passwd~", + "etc/passwd-", + "etc/shadow", + "etc/shadow~", + "etc/shadow-", + "etc/fstab", + "etc/motd", + "etc/hosts", + "etc/group", + "etc/group-", + "etc/alias", + "etc/crontab", + "etc/crypttab", + "etc/exports", + "etc/mtab", + "etc/hosts.allow", + "etc/hosts.deny", + "etc/os-release", + "etc/password.master", + "etc/profile", + "etc/default/grub", + "etc/resolvconf/update-libc.d/sendmail", + "etc/inittab", + "etc/issue", + "etc/issue.net", + "etc/login.defs", + "etc/sudoers", + "etc/sysconfig/network-scripts/ifcfg-eth0", + "etc/redhat-release", + "etc/scw-release", + "etc/system-release-cpe", + "etc/debian_version", + "etc/fedora-release", + "etc/mandrake-release", + "etc/slackware-release", + "etc/suse-release", + "etc/security/group", + "etc/security/passwd", + "etc/security/user", + "etc/security/environ", + "etc/security/limits", + "etc/security/opasswd", + "boot/grub/grub.cfg", + "boot/grub/menu.lst", + "root/.ksh_history", + "root/.xauthority", + "usr/lib/security/mkuser.default", + "var/lib/squirrelmail/prefs/squirrelmail.log", + "etc/squirrelmail/apache.conf", + "etc/squirrelmail/config_local.php", + "etc/squirrelmail/default_pref", + "etc/squirrelmail/index.php", + "etc/squirrelmail/config_default.php", + "etc/squirrelmail/config.php", + "etc/squirrelmail/filters_setup.php", + "etc/squirrelmail/sqspell_config.php", + "etc/squirrelmail/config/config.php", + "etc/httpd/conf.d/squirrelmail.conf", + "usr/share/squirrelmail/config/config.php", + "private/etc/squirrelmail/config/config.php", + "srv/www/htdos/squirrelmail/config/config.php", + "var/www/squirrelmail/config/config.php", + "var/www/html/squirrelmail/config/config.php", + "var/www/html/squirrelmail-1.2.9/config/config.php", + "usr/share/squirrelmail/plugins/squirrel_logger/setup.php", + "usr/local/squirrelmail/www/readme", + "windows/system32/drivers/etc/hosts", + "windows/system32/drivers/etc/lmhosts.sam", + "windows/system32/drivers/etc/networks", + "windows/system32/drivers/etc/protocol", + "windows/system32/drivers/etc/services", + "/boot.ini", + "windows/debug/netsetup.log", + "windows/comsetup.log", + "windows/repair/setup.log", + "windows/setupact.log", + "windows/setupapi.log", + "windows/setuperr.log", + "windows/updspapi.log", + "windows/wmsetup.log", + "windows/windowsupdate.log", + "windows/odbc.ini", + "usr/local/psa/admin/htdocs/domains/databases/phpmyadmin/libraries/config.default.php", + "etc/apache2/conf.d/phpmyadmin.conf", + "etc/phpmyadmin/config.inc.php", + "etc/openldap/ldap.conf", + "etc/cups/acroread.conf", + "etc/cups/cupsd.conf", + "etc/cups/cupsd.conf.default", + "etc/cups/pdftops.conf", + "etc/cups/printers.conf", + "windows/system32/macromed/flash/flashinstall.log", + "windows/system32/macromed/flash/install.log", + "etc/cvs-cron.conf", + "etc/cvs-pserver.conf", + "etc/subversion/config", + "etc/modprobe.d/vmware-tools.conf", + "etc/updatedb.conf.beforevmwaretoolsinstall", + "etc/vmware-tools/config", + "etc/vmware-tools/tpvmlp.conf", + "etc/vmware-tools/vmware-tools-libraries.conf", + "var/log", + "var/log/sw-cp-server/error_log", + "var/log/sso/sso.log", + "var/log/dpkg.log", + "var/log/btmp", + "var/log/utmp", + "var/log/wtmp", + "var/log/mysql/mysql-bin.log", + "var/log/mysql/mysql-bin.index", + "var/log/mysql/data/mysql-bin.index", + "var/log/mysql.log", + "var/log/mysql.err", + "var/log/mysqlderror.log", + "var/log/mysql/mysql.log", + "var/log/mysql/mysql-slow.log", + "var/log/mysql-bin.index", + "var/log/data/mysql-bin.index", + "var/log/postgresql/postgresql.log", + "var/log/postgres/pg_backup.log", + "var/log/postgres/postgres.log", + "var/log/postgresql.log", + "var/log/pgsql/pgsql.log", + "var/log/postgresql/postgresql-8.1-main.log", + "var/log/postgresql/postgresql-8.3-main.log", + "var/log/postgresql/postgresql-8.4-main.log", + "var/log/postgresql/postgresql-9.0-main.log", + "var/log/postgresql/postgresql-9.1-main.log", + "var/log/pgsql8.log", + "var/log/postgresql/postgres.log", + "var/log/pgsql_log", + "var/log/postgresql/main.log", + "var/log/cron", + "var/log/postgres.log", + "var/log/proftpd", + "var/log/proftpd/xferlog.legacy", + "var/log/proftpd.access_log", + "var/log/proftpd.xferlog", + "var/log/vsftpd.log", + "var/log/xferlog", + "var/log/pure-ftpd/pure-ftpd.log", + "var/log/pureftpd.log", + "var/log/muddleftpd", + "var/log/muddleftpd.conf", + "var/log/ftp-proxy/ftp-proxy.log", + "var/log/ftp-proxy", + "var/log/ftplog", + "var/log/exim_mainlog", + "var/log/exim/mainlog", + "var/log/maillog", + "var/log/exim_paniclog", + "var/log/exim/paniclog", + "var/log/exim/rejectlog", + "var/log/exim_rejectlog", + "var/log/webmin/miniserv.log", + "var/log/httpd/access_log", + "var/log/httpd/error_log", + "var/log/httpd/access.log", + "var/log/httpd/error.log", + "var/log/apache/access_log", + "var/log/apache/access.log", + "var/log/apache/error_log", + "var/log/apache/error.log", + "var/log/apache2/access_log", + "var/log/apache2/access.log", + "var/log/apache2/error_log", + "var/log/apache2/error.log", + "var/log/access_log", + "var/log/access.log", + "var/log/error_log", + "var/log/error.log", + "var/log/tomcat6/catalina.out", + "var/log/lighttpd.error.log", + "var/log/lighttpd.access.log", + "var/logs/access.log", + "var/log/lighttpd/", + "var/log/lighttpd/error.log", + "var/log/lighttpd/access.www.log", + "var/log/lighttpd/error.www.log", + "var/log/lighttpd/access.log", + "var/log/lighttpd/{domain}/access.log", + "var/log/lighttpd/{domain}/error.log", + "var/log/nginx/access_log", + "var/log/nginx/error_log", + "var/log/nginx/access.log", + "var/log/nginx/error.log", + "var/log/nginx.access_log", + "var/log/nginx.error_log", + "var/log/samba/log.smbd", + "var/log/samba/log.nmbd", + "var/log/samba.log", + "var/log/samba.log1", + "var/log/samba.log2", + "var/log/log.smb", + "var/log/ipfw.log", + "var/log/ipfw", + "var/log/ipfw/ipfw.log", + "var/log/ipfw.today", + "var/log/poplog", + "var/log/authlog", + "var/log/news.all", + "var/log/news/news.all", + "var/log/news/news.crit", + "var/log/news/news.err", + "var/log/news/news.notice", + "var/log/news/suck.err", + "var/log/news/suck.notice", + "var/log/messages", + "var/log/messages.1", + "var/log/user.log", + "var/log/user.log.1", + "var/log/auth.log", + "var/log/pm-powersave.log", + "var/log/xorg.0.log", + "var/log/daemon.log", + "var/log/daemon.log.1", + "var/log/kern.log", + "var/log/kern.log.1", + "var/log/mail.err", + "var/log/mail.info", + "var/log/mail.warn", + "var/log/ufw.log", + "var/log/boot.log", + "var/log/syslog", + "var/log/syslog.1", + "var/log/squirrelmail.log", + "var/log/apache2/squirrelmail.log", + "var/log/apache2/squirrelmail.err.log", + "var/log/mail.log", + "var/log/vmware/hostd.log", + "var/log/vmware/hostd-1.log", + "/wp-config.php", + "/wp-config.bak", + "/wp-config.old", + "/wp-config.temp", + "/wp-config.tmp", + "/wp-config.txt", + "/config.yml", + "/config_dev.yml", + "/config_prod.yml", + "/config_test.yml", + "/parameters.yml", + "/routing.yml", + "/security.yml", + "/services.yml", + "sites/default/default.settings.php", + "sites/default/settings.php", + "sites/default/settings.local.php", + "app/etc/local.xml", + "/sftp-config.json", + "/web.config", + "includes/config.php", + "includes/configure.php", + "/config.inc.php", + "/localsettings.php", + "inc/config.php", + "typo3conf/localconf.php", + "config/app.php", + "config/custom.php", + "config/database.php", + "/configuration.php", + "/config.php", + "var/mail/www-data", + "etc/network/", + "etc/init/", + "inetpub/wwwroot/global.asa", + "system32/inetsrv/config/applicationhost.config", + "system32/inetsrv/config/administration.config", + "system32/inetsrv/config/redirection.config", + "system32/config/default", + "system32/config/sam", + "system32/config/system", + "system32/config/software", + "winnt/repair/sam._", + "/package.json", + "/package-lock.json", + "/gruntfile.js", + "/npm-debug.log", + "/ormconfig.json", + "/tsconfig.json", + "/webpack.config.js", + "/yarn.lock", + "proc/0", + "proc/1", + "proc/2", + "proc/3", + "proc/4", + "proc/5", + "proc/6", + "proc/7", + "proc/8", + "proc/9", + "proc/acpi", + "proc/asound", + "proc/bootconfig", + "proc/buddyinfo", + "proc/bus", + "proc/cgroups", + "proc/cmdline", + "proc/config.gz", + "proc/consoles", + "proc/cpuinfo", + "proc/crypto", + "proc/devices", + "proc/diskstats", + "proc/dma", + "proc/docker", + "proc/driver", + "proc/dynamic_debug", + "proc/execdomains", + "proc/fb", + "proc/filesystems", + "proc/fs", + "proc/interrupts", + "proc/iomem", + "proc/ioports", + "proc/ipmi", + "proc/irq", + "proc/kallsyms", + "proc/kcore", + "proc/keys", + "proc/keys", + "proc/key-users", + "proc/kmsg", + "proc/kpagecgroup", + "proc/kpagecount", + "proc/kpageflags", + "proc/latency_stats", + "proc/loadavg", + "proc/locks", + "proc/mdstat", + "proc/meminfo", + "proc/misc", + "proc/modules", + "proc/mounts", + "proc/mpt", + "proc/mtd", + "proc/mtrr", + "proc/net", + "proc/net/tcp", + "proc/net/udp", + "proc/pagetypeinfo", + "proc/partitions", + "proc/pressure", + "proc/sched_debug", + "proc/schedstat", + "proc/scsi", + "proc/self", + "proc/self/cmdline", + "proc/self/environ", + "proc/self/fd/0", + "proc/self/fd/1", + "proc/self/fd/10", + "proc/self/fd/11", + "proc/self/fd/12", + "proc/self/fd/13", + "proc/self/fd/14", + "proc/self/fd/15", + "proc/self/fd/2", + "proc/self/fd/3", + "proc/self/fd/4", + "proc/self/fd/5", + "proc/self/fd/6", + "proc/self/fd/7", + "proc/self/fd/8", + "proc/self/fd/9", + "proc/self/mounts", + "proc/self/stat", + "proc/self/status", + "proc/slabinfo", + "proc/softirqs", + "proc/stat", + "proc/swaps", + "proc/sys", + "proc/sysrq-trigger", + "proc/sysvipc", + "proc/thread-self", + "proc/timer_list", + "proc/timer_stats", + "proc/tty", + "proc/uptime", + "proc/version", + "proc/version_signature", + "proc/vmallocinfo", + "proc/vmstat", + "proc/zoneinfo", + "sys/block", + "sys/bus", + "sys/class", + "sys/dev", + "sys/devices", + "sys/firmware", + "sys/fs", + "sys/hypervisor", + "sys/kernel", + "sys/module", + "sys/power" + ] + }, + "operator": "phrase_match" + } + ], + "transformers": [ + "lowercase", + "normalizePath" + ] + }, + { + "id": "crs-931-110", + "name": "RFI: Common RFI Vulnerable Parameter Name used w/ URL Payload", + "tags": { + "type": "rfi", + "crs_id": "931110", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + } + ], + "regex": "(?:\\binclude\\s*\\([^)]*|mosConfig_absolute_path|_CONF\\[path\\]|_SERVER\\[DOCUMENT_ROOT\\]|GALLERY_BASEDIR|path\\[docroot\\]|appserv_root|config\\[root_dir\\])=(?:file|ftps?|https?)://", + "options": { + "min_length": 15 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-931-120", + "name": "RFI: URL Payload Used w/Trailing Question Mark Character (?)", + "tags": { + "type": "rfi", + "crs_id": "931120", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + } + ], + "regex": "^(?i:file|ftps?|http)://.*?\\?+$", + "options": { + "case_sensitive": true, + "min_length": 4 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-932-160", + "name": "Remote Command Execution: Unix Shell Code Found", + "tags": { + "type": "command_injection", + "crs_id": "932160", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "list": [ + "${cdpath}", + "${dirstack}", + "${home}", + "${hostname}", + "${ifs}", + "${oldpwd}", + "${ostype}", + "${path}", + "${pwd}", + "$cdpath", + "$dirstack", + "$home", + "$hostname", + "$ifs", + "$oldpwd", + "$ostype", + "$path", + "$pwd", + "dev/fd/", + "dev/null", + "dev/stderr", + "dev/stdin", + "dev/stdout", + "dev/tcp/", + "dev/udp/", + "dev/zero", + "etc/group", + "etc/master.passwd", + "etc/passwd", + "etc/pwd.db", + "etc/shadow", + "etc/shells", + "etc/spwd.db", + "proc/self/", + "bin/7z", + "bin/7za", + "bin/7zr", + "bin/ab", + "bin/agetty", + "bin/ansible-playbook", + "bin/apt", + "bin/apt-get", + "bin/ar", + "bin/aria2c", + "bin/arj", + "bin/arp", + "bin/as", + "bin/ascii-xfr", + "bin/ascii85", + "bin/ash", + "bin/aspell", + "bin/at", + "bin/atobm", + "bin/awk", + "bin/base32", + "bin/base64", + "bin/basenc", + "bin/bash", + "bin/bpftrace", + "bin/bridge", + "bin/bundler", + "bin/bunzip2", + "bin/busctl", + "bin/busybox", + "bin/byebug", + "bin/bzcat", + "bin/bzcmp", + "bin/bzdiff", + "bin/bzegrep", + "bin/bzexe", + "bin/bzfgrep", + "bin/bzgrep", + "bin/bzip2", + "bin/bzip2recover", + "bin/bzless", + "bin/bzmore", + "bin/bzz", + "bin/c89", + "bin/c99", + "bin/cancel", + "bin/capsh", + "bin/cat", + "bin/cc", + "bin/certbot", + "bin/check_by_ssh", + "bin/check_cups", + "bin/check_log", + "bin/check_memory", + "bin/check_raid", + "bin/check_ssl_cert", + "bin/check_statusfile", + "bin/chmod", + "bin/choom", + "bin/chown", + "bin/chroot", + "bin/clang", + "bin/clang++", + "bin/cmp", + "bin/cobc", + "bin/column", + "bin/comm", + "bin/composer", + "bin/core_perl/zipdetails", + "bin/cowsay", + "bin/cowthink", + "bin/cp", + "bin/cpan", + "bin/cpio", + "bin/cpulimit", + "bin/crash", + "bin/crontab", + "bin/csh", + "bin/csplit", + "bin/csvtool", + "bin/cupsfilter", + "bin/curl", + "bin/cut", + "bin/dash", + "bin/date", + "bin/dd", + "bin/dev/fd/", + "bin/dev/null", + "bin/dev/stderr", + "bin/dev/stdin", + "bin/dev/stdout", + "bin/dev/tcp/", + "bin/dev/udp/", + "bin/dev/zero", + "bin/dialog", + "bin/diff", + "bin/dig", + "bin/dmesg", + "bin/dmidecode", + "bin/dmsetup", + "bin/dnf", + "bin/docker", + "bin/dosbox", + "bin/dpkg", + "bin/du", + "bin/dvips", + "bin/easy_install", + "bin/eb", + "bin/echo", + "bin/ed", + "bin/efax", + "bin/emacs", + "bin/env", + "bin/eqn", + "bin/es", + "bin/esh", + "bin/etc/group", + "bin/etc/master.passwd", + "bin/etc/passwd", + "bin/etc/pwd.db", + "bin/etc/shadow", + "bin/etc/shells", + "bin/etc/spwd.db", + "bin/ex", + "bin/exiftool", + "bin/expand", + "bin/expect", + "bin/expr", + "bin/facter", + "bin/fetch", + "bin/file", + "bin/find", + "bin/finger", + "bin/fish", + "bin/flock", + "bin/fmt", + "bin/fold", + "bin/fping", + "bin/ftp", + "bin/gawk", + "bin/gcc", + "bin/gcore", + "bin/gdb", + "bin/gem", + "bin/genie", + "bin/genisoimage", + "bin/ghc", + "bin/ghci", + "bin/gimp", + "bin/ginsh", + "bin/git", + "bin/grc", + "bin/grep", + "bin/gtester", + "bin/gunzip", + "bin/gzexe", + "bin/gzip", + "bin/hd", + "bin/head", + "bin/hexdump", + "bin/highlight", + "bin/hping3", + "bin/iconv", + "bin/id", + "bin/iftop", + "bin/install", + "bin/ionice", + "bin/ip", + "bin/irb", + "bin/ispell", + "bin/jjs", + "bin/join", + "bin/journalctl", + "bin/jq", + "bin/jrunscript", + "bin/knife", + "bin/ksh", + "bin/ksshell", + "bin/latex", + "bin/ld", + "bin/ldconfig", + "bin/less", + "bin/lftp", + "bin/ln", + "bin/loginctl", + "bin/logsave", + "bin/look", + "bin/lp", + "bin/ls", + "bin/ltrace", + "bin/lua", + "bin/lualatex", + "bin/luatex", + "bin/lwp-download", + "bin/lwp-request", + "bin/lz", + "bin/lz4", + "bin/lz4c", + "bin/lz4cat", + "bin/lzcat", + "bin/lzcmp", + "bin/lzdiff", + "bin/lzegrep", + "bin/lzfgrep", + "bin/lzgrep", + "bin/lzless", + "bin/lzma", + "bin/lzmadec", + "bin/lzmainfo", + "bin/lzmore", + "bin/mail", + "bin/make", + "bin/man", + "bin/mawk", + "bin/mkfifo", + "bin/mknod", + "bin/more", + "bin/mosquitto", + "bin/mount", + "bin/msgattrib", + "bin/msgcat", + "bin/msgconv", + "bin/msgfilter", + "bin/msgmerge", + "bin/msguniq", + "bin/mtr", + "bin/mv", + "bin/mysql", + "bin/nano", + "bin/nasm", + "bin/nawk", + "bin/nc", + "bin/ncat", + "bin/neofetch", + "bin/nice", + "bin/nl", + "bin/nm", + "bin/nmap", + "bin/node", + "bin/nohup", + "bin/npm", + "bin/nroff", + "bin/nsenter", + "bin/octave", + "bin/od", + "bin/openssl", + "bin/openvpn", + "bin/openvt", + "bin/opkg", + "bin/paste", + "bin/pax", + "bin/pdb", + "bin/pdflatex", + "bin/pdftex", + "bin/pdksh", + "bin/perf", + "bin/perl", + "bin/pg", + "bin/php", + "bin/php-cgi", + "bin/php5", + "bin/php7", + "bin/pic", + "bin/pico", + "bin/pidstat", + "bin/pigz", + "bin/pip", + "bin/pkexec", + "bin/pkg", + "bin/pr", + "bin/printf", + "bin/proc/self/", + "bin/pry", + "bin/ps", + "bin/psed", + "bin/psftp", + "bin/psql", + "bin/ptx", + "bin/puppet", + "bin/pxz", + "bin/python", + "bin/python2", + "bin/python3", + "bin/rake", + "bin/rbash", + "bin/rc", + "bin/readelf", + "bin/red", + "bin/redcarpet", + "bin/restic", + "bin/rev", + "bin/rlogin", + "bin/rlwrap", + "bin/rpm", + "bin/rpmquery", + "bin/rsync", + "bin/ruby", + "bin/run-mailcap", + "bin/run-parts", + "bin/rview", + "bin/rvim", + "bin/sash", + "bin/sbin/capsh", + "bin/sbin/logsave", + "bin/sbin/service", + "bin/sbin/start-stop-daemon", + "bin/scp", + "bin/screen", + "bin/script", + "bin/sed", + "bin/service", + "bin/setarch", + "bin/sftp", + "bin/sg", + "bin/sh", + "bin/shuf", + "bin/sleep", + "bin/slsh", + "bin/smbclient", + "bin/snap", + "bin/socat", + "bin/soelim", + "bin/sort", + "bin/split", + "bin/sqlite3", + "bin/ss", + "bin/ssh", + "bin/ssh-keygen", + "bin/ssh-keyscan", + "bin/sshpass", + "bin/start-stop-daemon", + "bin/stdbuf", + "bin/strace", + "bin/strings", + "bin/su", + "bin/sysctl", + "bin/systemctl", + "bin/systemd-resolve", + "bin/tac", + "bin/tail", + "bin/tar", + "bin/task", + "bin/taskset", + "bin/tbl", + "bin/tclsh", + "bin/tcpdump", + "bin/tcsh", + "bin/tee", + "bin/telnet", + "bin/tex", + "bin/tftp", + "bin/tic", + "bin/time", + "bin/timedatectl", + "bin/timeout", + "bin/tmux", + "bin/top", + "bin/troff", + "bin/tshark", + "bin/ul", + "bin/uname", + "bin/uncompress", + "bin/unexpand", + "bin/uniq", + "bin/unlz4", + "bin/unlzma", + "bin/unpigz", + "bin/unrar", + "bin/unshare", + "bin/unxz", + "bin/unzip", + "bin/unzstd", + "bin/update-alternatives", + "bin/uudecode", + "bin/uuencode", + "bin/valgrind", + "bin/vi", + "bin/view", + "bin/vigr", + "bin/vim", + "bin/vimdiff", + "bin/vipw", + "bin/virsh", + "bin/volatility", + "bin/wall", + "bin/watch", + "bin/wc", + "bin/wget", + "bin/whiptail", + "bin/who", + "bin/whoami", + "bin/whois", + "bin/wireshark", + "bin/wish", + "bin/xargs", + "bin/xelatex", + "bin/xetex", + "bin/xmodmap", + "bin/xmore", + "bin/xpad", + "bin/xxd", + "bin/xz", + "bin/xzcat", + "bin/xzcmp", + "bin/xzdec", + "bin/xzdiff", + "bin/xzegrep", + "bin/xzfgrep", + "bin/xzgrep", + "bin/xzless", + "bin/xzmore", + "bin/yarn", + "bin/yelp", + "bin/yes", + "bin/yum", + "bin/zathura", + "bin/zip", + "bin/zipcloak", + "bin/zipcmp", + "bin/zipdetails", + "bin/zipgrep", + "bin/zipinfo", + "bin/zipmerge", + "bin/zipnote", + "bin/zipsplit", + "bin/ziptool", + "bin/zsh", + "bin/zsoelim", + "bin/zstd", + "bin/zstdcat", + "bin/zstdgrep", + "bin/zstdless", + "bin/zstdmt", + "bin/zypper" + ] + }, + "operator": "phrase_match" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "crs-932-171", + "name": "Remote Command Execution: Shellshock (CVE-2014-6271)", + "tags": { + "type": "command_injection", + "crs_id": "932171", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "^\\(\\s*\\)\\s+{", + "options": { + "case_sensitive": true, + "min_length": 4 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-932-180", + "name": "Restricted File Upload Attempt", + "tags": { + "type": "command_injection", + "crs_id": "932180", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "x-filename" + ] + }, + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "x_filename" + ] + }, + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "x-file-name" + ] + } + ], + "list": [ + ".htaccess", + ".htdigest", + ".htpasswd", + "wp-config.php", + "config.yml", + "config_dev.yml", + "config_prod.yml", + "config_test.yml", + "parameters.yml", + "routing.yml", + "security.yml", + "services.yml", + "default.settings.php", + "settings.php", + "settings.local.php", + "local.xml", + ".env" + ] + }, + "operator": "phrase_match" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "crs-933-111", + "name": "PHP Injection Attack: PHP Script File Upload Found", + "tags": { + "type": "unrestricted_file_upload", + "crs_id": "933111", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "x-filename" + ] + }, + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "x_filename" + ] + }, + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "x.filename" + ] + }, + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "x-file-name" + ] + } + ], + "regex": ".*\\.(?:php\\d*|phtml)\\..*$", + "options": { + "case_sensitive": true, + "min_length": 5 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "crs-933-130", + "name": "PHP Injection Attack: Global Variables Found", + "tags": { + "type": "php_code_injection", + "crs_id": "933130", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "list": [ + "$globals", + "$_cookie", + "$_env", + "$_files", + "$_get", + "$_post", + "$_request", + "$_server", + "$_session", + "$argc", + "$argv", + "$http_\\u200bresponse_\\u200bheader", + "$php_\\u200berrormsg", + "$http_cookie_vars", + "$http_env_vars", + "$http_get_vars", + "$http_post_files", + "$http_post_vars", + "$http_raw_post_data", + "$http_request_vars", + "$http_server_vars" + ] + }, + "operator": "phrase_match" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "crs-933-131", + "name": "PHP Injection Attack: HTTP Headers Values Found", + "tags": { + "type": "php_code_injection", + "crs_id": "933131", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)", + "options": { + "case_sensitive": true, + "min_length": 9 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-933-140", + "name": "PHP Injection Attack: I/O Stream Found", + "tags": { + "type": "php_code_injection", + "crs_id": "933140", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)", + "options": { + "min_length": 8 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-933-150", + "name": "PHP Injection Attack: High-Risk PHP Function Name Found", + "tags": { + "type": "php_code_injection", + "crs_id": "933150", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "list": [ + "__halt_compiler", + "apache_child_terminate", + "base64_decode", + "bzdecompress", + "call_user_func", + "call_user_func_array", + "call_user_method", + "call_user_method_array", + "convert_uudecode", + "file_get_contents", + "file_put_contents", + "fsockopen", + "get_class_methods", + "get_class_vars", + "get_defined_constants", + "get_defined_functions", + "get_defined_vars", + "gzdecode", + "gzinflate", + "gzuncompress", + "include_once", + "invokeargs", + "pcntl_exec", + "pcntl_fork", + "pfsockopen", + "posix_getcwd", + "posix_getpwuid", + "posix_getuid", + "posix_uname", + "reflectionfunction", + "require_once", + "shell_exec", + "str_rot13", + "sys_get_temp_dir", + "wp_remote_fopen", + "wp_remote_get", + "wp_remote_head", + "wp_remote_post", + "wp_remote_request", + "wp_safe_remote_get", + "wp_safe_remote_head", + "wp_safe_remote_post", + "wp_safe_remote_request", + "zlib_decode" + ] + }, + "operator": "phrase_match" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "crs-933-160", + "name": "PHP Injection Attack: High-Risk PHP Function Call Found", + "tags": { + "type": "php_code_injection", + "crs_id": "933160", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|lert|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)", + "options": { + "case_sensitive": true, + "min_length": 5 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-933-170", + "name": "PHP Injection Attack: Serialized Object Injection", + "tags": { + "type": "php_code_injection", + "crs_id": "933170", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "[oOcC]:\\d+:\\\".+?\\\":\\d+:{[\\W\\w]*}", + "options": { + "case_sensitive": true, + "min_length": 12 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-933-200", + "name": "PHP Injection Attack: Wrapper scheme detected", + "tags": { + "type": "php_code_injection", + "crs_id": "933200", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?:(?:bzip|ssh)2|z(?:lib|ip)|(?:ph|r)ar|expect|glob|ogg)://", + "options": { + "case_sensitive": true, + "min_length": 6 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "removeNulls" + ] + }, + { + "id": "crs-934-100", + "name": "Node.js Injection Attack 1/2", + "tags": { + "type": "js_code_injection", + "crs_id": "934100", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "\\b(?:(?:l(?:(?:utimes|chmod)(?:Sync)?|(?:stat|ink)Sync)|w(?:rite(?:(?:File|v)(?:Sync)?|Sync)|atchFile)|u(?:n(?:watchFile|linkSync)|times(?:Sync)?)|s(?:(?:ymlink|tat)Sync|pawn(?:File|Sync))|ex(?:ec(?:File(?:Sync)?|Sync)|istsSync)|a(?:ppendFile|ccess)(?:Sync)?|(?:Caveat|Inode)s|open(?:dir)?Sync|new\\s+Function|Availability|\\beval)\\s*\\(|m(?:ain(?:Module\\s*(?:\\W*\\s*(?:constructor|require)|\\[)|\\s*(?:\\W*\\s*(?:constructor|require)|\\[))|kd(?:temp(?:Sync)?|irSync)\\s*\\(|odule\\.exports\\s*=)|c(?:(?:(?:h(?:mod|own)|lose)Sync|reate(?:Write|Read)Stream|p(?:Sync)?)\\s*\\(|o(?:nstructor\\s*(?:\\W*\\s*_load|\\[)|pyFile(?:Sync)?\\s*\\())|f(?:(?:(?:s(?:(?:yncS)?|tatS)|datas(?:yncS)?)ync|ch(?:mod|own)(?:Sync)?)\\s*\\(|u(?:nction\\s*\\(\\s*\\)\\s*{|times(?:Sync)?\\s*\\())|r(?:e(?:(?:ad(?:(?:File|link|dir)?Sync|v(?:Sync)?)|nameSync)\\s*\\(|quire\\s*(?:\\W*\\s*main|\\[))|m(?:Sync)?\\s*\\()|process\\s*(?:\\W*\\s*(?:mainModule|binding)|\\[)|t(?:his\\.constructor|runcateSync\\s*\\()|_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|global\\s*(?:\\W*\\s*process|\\[)|String\\s*\\.\\s*fromCharCode|binding\\s*\\[)", + "options": { + "case_sensitive": true, + "min_length": 3 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-934-101", + "name": "Node.js Injection Attack 2/2", + "tags": { + "type": "js_code_injection", + "crs_id": "934101", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "\\b(?:w(?:atch|rite)|(?:spaw|ope)n|exists|close|fork|read)\\s*\\(", + "options": { + "case_sensitive": true, + "min_length": 5 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-941-110", + "name": "XSS Filter - Category 1: Script Tag Vector", + "tags": { + "type": "xss", + "crs_id": "941110", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + }, + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "referer" + ] + }, + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "]*>[\\s\\S]*?", + "options": { + "min_length": 8 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "removeNulls" + ] + }, + { + "id": "crs-941-120", + "name": "XSS Filter - Category 2: Event Handler Vector", + "tags": { + "type": "xss", + "crs_id": "941120", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + }, + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "referer" + ] + }, + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on(?:d(?:r(?:ag(?:en(?:ter|d)|leave|start|over)?|op)|urationchange|blclick)|s(?:e(?:ek(?:ing|ed)|arch|lect)|u(?:spend|bmit)|talled|croll|how)|m(?:ouse(?:(?:lea|mo)ve|o(?:ver|ut)|enter|down|up)|essage)|p(?:a(?:ge(?:hide|show)|(?:st|us)e)|lay(?:ing)?|rogress)|c(?:anplay(?:through)?|o(?:ntextmenu|py)|hange|lick|ut)|a(?:nimation(?:iteration|start|end)|(?:fterprin|bor)t)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|imeupdate)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?)|(?:(?:volume|hash)chang|o(?:ff|n)lin)e|b(?:efore(?:unload|print)|lur)|load(?:ed(?:meta)?data|start)?|r(?:es(?:ize|et)|atechange)|key(?:press|down|up)|w(?:aiting|heel)|in(?:valid|put)|e(?:nded|rror)|unload)[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]", + "options": { + "min_length": 8 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "removeNulls" + ] + }, + { + "id": "crs-941-140", + "name": "XSS Filter - Category 4: Javascript URI Vector", + "tags": { + "type": "xss", + "crs_id": "941140", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + }, + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "referer" + ] + }, + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\\(javascript", + "options": { + "min_length": 18 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "removeNulls" + ] + }, + { + "id": "crs-941-170", + "name": "NoScript XSS InjectionChecker: Attribute Injection", + "tags": { + "type": "xss", + "crs_id": "941170", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + }, + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "referer" + ] + }, + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + } + ], + "regex": "(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\x5c\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\x5c[ux]\\d)))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:/\\*[\\s\\S]*?)?(?:[\\\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|[^-]*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[^:]*?:\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(", + "options": { + "min_length": 6 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "removeNulls" + ] + }, + { + "id": "crs-941-180", + "name": "Node-Validator Deny List Keywords", + "tags": { + "type": "xss", + "crs_id": "941180", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "list": [ + "document.cookie", + "document.write", + ".parentnode", + ".innerhtml", + "window.location", + "-moz-binding", + "]", + "options": { + "min_length": 8 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "removeNulls" + ] + }, + { + "id": "crs-941-300", + "name": "IE XSS Filters - Attack Detected via object tag", + "tags": { + "type": "xss", + "crs_id": "941300", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": ")|<.*\\+AD4-", + "options": { + "case_sensitive": true, + "min_length": 6 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-941-360", + "name": "JSFuck / Hieroglyphy obfuscation detected", + "tags": { + "type": "xss", + "crs_id": "941360", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "![!+ ]\\[\\]", + "options": { + "case_sensitive": true, + "min_length": 4 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-941-390", + "name": "Javascript method detected", + "tags": { + "type": "xss", + "crs_id": "941390", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function|alert|prompt)\\s*\\([^\\)]", + "options": { + "case_sensitive": true, + "min_length": 5 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-942-100", + "name": "SQL Injection Attack Detected via libinjection", + "tags": { + "type": "sql_injection", + "crs_id": "942100", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ] + }, + "operator": "is_sqli" + } + ], + "transformers": [ + "removeNulls" + ] + }, + { + "id": "crs-942-160", + "name": "Detects blind sqli tests using sleep() or benchmark()", + "tags": { + "type": "sql_injection", + "crs_id": "942160", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))", + "options": { + "case_sensitive": true, + "min_length": 7 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-942-240", + "name": "Detects MySQL charset switch and MSSQL DoS attempts", + "tags": { + "type": "sql_injection", + "crs_id": "942240", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?:[\\\"'`](?:;*?\\s*?waitfor\\s+(?:delay|time)\\s+[\\\"'`]|;.*?:\\s*?goto)|alter\\s*?\\w+.*?cha(?:racte)?r\\s+set\\s+\\w+)", + "options": { + "min_length": 7 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-942-250", + "name": "Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections", + "tags": { + "type": "sql_injection", + "crs_id": "942250", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?i:merge.*?using\\s*?\\(|execute\\s*?immediate\\s*?[\\\"'`]|match\\s*?[\\w(?:),+-]+\\s*?against\\s*?\\()", + "options": { + "case_sensitive": true, + "min_length": 11 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-942-270", + "name": "Basic SQL injection", + "tags": { + "type": "sql_injection", + "crs_id": "942270", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "union.*?select.*?from", + "options": { + "min_length": 15 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-942-280", + "name": "SQL Injection with delay functions", + "tags": { + "type": "sql_injection", + "crs_id": "942280", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?:;\\s*?shutdown\\s*?(?:[#;{]|\\/\\*|--)|waitfor\\s*?delay\\s?[\\\"'`]+\\s?\\d|select\\s*?pg_sleep)", + "options": { + "min_length": 10 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-942-290", + "name": "Finds basic MongoDB SQL injection attempts", + "tags": { + "type": "nosql_injection", + "crs_id": "942290", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)", + "options": { + "case_sensitive": true, + "min_length": 3 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "keys_only" + ] + }, + { + "id": "crs-942-360", + "name": "Detects concatenated basic SQL injection and SQLLFI attempts", + "tags": { + "type": "sql_injection", + "crs_id": "942360", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|union\\s*(?:(?:distin|sele)ct|all))\\b|\\b(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|[\\s(]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)", + "options": { + "min_length": 5 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-942-500", + "name": "MySQL in-line comment detected", + "tags": { + "type": "sql_injection", + "crs_id": "942500", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?i:/\\*[!+](?:[\\w\\s=_\\-(?:)]+)?\\*/)", + "options": { + "case_sensitive": true, + "min_length": 5 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-943-100", + "name": "Possible Session Fixation Attack: Setting Cookie Values in HTML", + "tags": { + "type": "http_protocol_violation", + "crs_id": "943100", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + } + ], + "regex": "(?i:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)", + "options": { + "case_sensitive": true, + "min_length": 15 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "crs-944-100", + "name": "Remote Command Execution: Suspicious Java class detected", + "tags": { + "type": "java_code_injection", + "crs_id": "944100", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "java\\.lang\\.(?:runtime|processbuilder)", + "options": { + "case_sensitive": true, + "min_length": 17 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "crs-944-110", + "name": "Remote Command Execution: Java process spawn (CVE-2017-9805)", + "tags": { + "type": "java_code_injection", + "crs_id": "944110", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?:runtime|processbuilder)", + "options": { + "case_sensitive": true, + "min_length": 7 + } + }, + "operator": "match_regex" + }, + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?:unmarshaller|base64data|java\\.)", + "options": { + "case_sensitive": true, + "min_length": 5 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "crs-944-130", + "name": "Suspicious Java class detected", + "tags": { + "type": "java_code_injection", + "crs_id": "944130", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "list": [ + "com.opensymphony.xwork2", + "com.sun.org.apache", + "java.io.bufferedinputstream", + "java.io.bufferedreader", + "java.io.bytearrayinputstream", + "java.io.bytearrayoutputstream", + "java.io.chararrayreader", + "java.io.datainputstream", + "java.io.file", + "java.io.fileoutputstream", + "java.io.filepermission", + "java.io.filewriter", + "java.io.filterinputstream", + "java.io.filteroutputstream", + "java.io.filterreader", + "java.io.inputstream", + "java.io.inputstreamreader", + "java.io.linenumberreader", + "java.io.objectoutputstream", + "java.io.outputstream", + "java.io.pipedoutputstream", + "java.io.pipedreader", + "java.io.printstream", + "java.io.pushbackinputstream", + "java.io.reader", + "java.io.stringreader", + "java.lang.class", + "java.lang.integer", + "java.lang.number", + "java.lang.object", + "java.lang.process", + "java.lang.processbuilder", + "java.lang.reflect", + "java.lang.runtime", + "java.lang.string", + "java.lang.stringbuilder", + "java.lang.system", + "javax.script.scriptenginemanager", + "org.apache.commons", + "org.apache.struts", + "org.apache.struts2", + "org.omg.corba", + "java.beans.xmldecode" + ] + }, + "operator": "phrase_match" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "crs-944-260", + "name": "Remote Command Execution: Malicious class-loading payload", + "tags": { + "type": "java_code_injection", + "crs_id": "944260", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?:class\\.module\\.classLoader\\.resources\\.context\\.parent\\.pipeline|springframework\\.context\\.support\\.FileSystemXmlApplicationContext)", + "options": { + "case_sensitive": true, + "min_length": 58 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "dog-000-001", + "name": "Look for Cassandra injections", + "tags": { + "type": "nosql_injection", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + } + ], + "regex": "\\ballow\\s+filtering\\b" + }, + "operator": "match_regex" + } + ], + "transformers": [ + "removeComments" + ] + }, + { + "id": "dog-000-002", + "name": "OGNL - Look for formatting injection patterns", + "tags": { + "type": "java_code_injection", + "category": "attack_attempt" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + }, + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "[#%$]{(?:[^}]+[^\\w\\s}\\-_][^}]+|\\d+-\\d+)}", + "options": { + "case_sensitive": true + } + } + } + ], + "transformers": [] + }, + { + "id": "dog-000-003", + "name": "OGNL - Detect OGNL exploitation primitives", + "tags": { + "type": "java_code_injection", + "category": "attack_attempt" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "[@#]ognl", + "options": { + "case_sensitive": true + } + } + } + ], + "transformers": [] + }, + { + "id": "dog-000-004", + "name": "Spring4Shell - Attempts to exploit the Spring4shell vulnerability", + "tags": { + "type": "exploit_detection", + "category": "attack_attempt" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.request.body" + } + ], + "regex": "^class\\.module\\.classLoader\\.", + "options": { + "case_sensitive": false + } + } + } + ], + "transformers": [ + "keys_only" + ] + }, + { + "id": "dog-000-005", + "name": "Node.js: Prototype pollution through __proto__", + "tags": { + "type": "js_code_injection", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + } + ], + "regex": "^__proto__$" + }, + "operator": "match_regex" + } + ], + "transformers": [ + "keys_only" + ] + }, + { + "id": "dog-000-006", + "name": "Node.js: Prototype pollution through constructor.prototype", + "tags": { + "type": "js_code_injection", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + } + ], + "regex": "^constructor$" + }, + "operator": "match_regex" + }, + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + } + ], + "regex": "^prototype$" + }, + "operator": "match_regex" + } + ], + "transformers": [ + "keys_only" + ] + }, + { + "id": "dog-000-007", + "name": "Server side template injection: Velocity & Freemarker", + "tags": { + "type": "java_code_injection", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "#(?:set|foreach|macro|parse|if)\\(.*\\)|<#assign.*>" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "dog-931-001", + "name": "RFI: URL Payload to well known RFI target", + "tags": { + "type": "rfi", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + } + ], + "regex": "^(?i:file|ftps?|https?).*/rfiinc\\.txt\\?+$", + "options": { + "case_sensitive": true, + "min_length": 17 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "nfd-000-001", + "name": "Detect common directory discovery scans", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.response.status" + } + ], + "regex": "^404$", + "options": { + "case_sensitive": true + } + } + }, + { + "operator": "phrase_match", + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + } + ], + "list": [ + "/wordpress/", + "/etc/", + "/login.php", + "/install.php", + "/administrator", + "/admin.php", + "/wp-config", + "/phpmyadmin", + "/fckeditor", + "/mysql", + "/manager/html", + ".htaccess", + "/config.php", + "/configuration", + "/cgi-bin/php", + "/search.php", + "/tinymce", + "/tiny_mce", + "/settings.php", + "../../..", + "/install/", + "/download.php", + "/webdav", + "/forum.php", + "/user.php", + "/style.php", + "/jmx-console", + "/modules.php", + "/include.php", + "/default.asp", + "/help.php", + "/database.yml", + "/database.yml.pgsql", + "/database.yml.sqlite3", + "/database.yml.sqlite", + "/database.yml.mysql", + ".%2e/", + "/view.php", + "/header.php", + "/search.asp", + "%5c%5c", + "/server/php/", + "/invoker/jmxinvokerservlet", + "/phpmyadmin/index.php", + "/data/admin/allowurl.txt", + "/verify.php", + "/misc/ajax.js", + "/.idea", + "/module.php", + "/backup.rar", + "/backup.tar", + "/backup.zip", + "/backup.7z", + "/backup.gz", + "/backup.tgz", + "/backup.tar.gz", + "waitfor%20delay", + "/calendar.php", + "/news.php", + "/dompdf.php", + "))))))))))))))))", + "/web.config", + "tree.php", + "/cgi-bin-sdb/printenv", + "/comments.php", + "/detail.asp", + "/license.txt", + "/admin.asp", + "/auth.php", + "/list.php", + "/content.php", + "/mod.php", + "/mini.php", + "/install.pgsql", + "/install.mysql", + "/install.sqlite", + "/install.sqlite3", + "/install.txt", + "/install.md", + "/doku.php", + "/main.asp", + "/myadmin", + "/force-download.php", + "/iisprotect/admin", + "/.gitignore", + "/print.php", + "/common.php", + "/mainfile.php", + "/functions.php", + "/scripts/setup.php", + "/faq.php", + "/op/op.login.php", + "/home.php", + "/includes/hnmain.inc.php3", + "/preview.php", + "/dump.rar", + "/dump.tar", + "/dump.zip", + "/dump.7z", + "/dump.gz", + "/dump.tgz", + "/dump.tar.gz", + "/thumbnail.php", + "/sendcard.php", + "/global.asax", + "/directory.php", + "/footer.php", + "/error.asp", + "/forum.asp", + "/save.php", + "/htmlsax3.php", + "/adm/krgourl.php", + "/includes/converter.inc.php", + "/nucleus/libs/pluginadmin.php", + "/base_qry_common.php", + "/fileadmin", + "/bitrix/admin/", + "/adm.php", + "/util/barcode.php", + "/action.php", + "/rss.asp", + "/downloads.php", + "/page.php", + "/snarf_ajax.php", + "/fck/editor", + "/sendmail.php", + "/detail.php", + "/iframe.php", + "/swfupload.swf", + "/jenkins/login", + "/phpmyadmin/main.php", + "/phpmyadmin/scripts/setup.php", + "/user/index.php", + "/checkout.php", + "/process.php", + "/ks_inc/ajax.js", + "/export.php", + "/register.php", + "/cart.php", + "/console.php", + "/friend.php", + "/readmsg.php", + "/install.asp", + "/dagent/downloadreport.asp", + "/system/index.php", + "/core/changelog.txt", + "/js/util.js", + "/interna.php", + "/gallery.php", + "/links.php", + "/data/admin/ver.txt", + "/language/zh-cn.xml", + "/productdetails.asp", + "/admin/template/article_more/config.htm", + "/components/com_moofaq/includes/file_includer.php", + "/licence.txt", + "/rss.xsl", + "/vtigerservice.php", + "/mysql/main.php", + "/passwiki.php", + "/scr/soustab.php", + "/global.php", + "/email.php", + "/user.asp", + "/msd", + "/products.php", + "/cultbooking.php", + "/cron.php", + "/static/js/admincp.js", + "/comment.php", + "/maintainers", + "/modules/plain/adminpart/addplain.php", + "/wp-content/plugins/ungallery/source_vuln.php", + "/upgrade.txt", + "/category.php", + "/index_logged.php", + "/members.asp", + "/script/html.js", + "/images/ad.js", + "/awstats/awstats.pl", + "/includes/esqueletos/skel_null.php", + "/modules/profile/user.php", + "/window_top.php", + "/openbrowser.php", + "/thread.php", + "tinfoil_xss", + "/includes/include.php", + "/urheber.php", + "/header.inc.php", + "/mysqldumper", + "/display.php", + "/website.php", + "/stats.php", + "/assets/plugins/mp3_id/mp3_id.php", + "/siteminderagent/forms/smpwservices.fcc" + ] + } + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "nfd-000-002", + "name": "Detect failed attempt to fetch readme files", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.response.status" + } + ], + "regex": "^404$", + "options": { + "case_sensitive": true + } + } + }, + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + } + ], + "regex": "readme\\.[\\.a-z0-9]+$", + "options": { + "case_sensitive": false + } + } + } + ], + "transformers": [] + }, + { + "id": "nfd-000-003", + "name": "Detect failed attempt to fetch Java EE resource files", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.response.status" + } + ], + "regex": "^404$", + "options": { + "case_sensitive": true + } + } + }, + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + } + ], + "regex": "^(?:.*web\\-inf)(?:.*web\\.xml).*$", + "options": { + "case_sensitive": false + } + } + } + ], + "transformers": [] + }, + { + "id": "nfd-000-004", + "name": "Detect failed attempt to fetch code files", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.response.status" + } + ], + "regex": "^404$", + "options": { + "case_sensitive": true + } + } + }, + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + } + ], + "regex": "\\.(java|pyc?|rb|class)\\b", + "options": { + "case_sensitive": false + } + } + } + ], + "transformers": [] + }, + { + "id": "nfd-000-005", + "name": "Detect failed attempt to fetch source code archives", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.response.status" + } + ], + "regex": "^404$", + "options": { + "case_sensitive": true + } + } + }, + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + } + ], + "regex": "\\.(sql|log|ndb|gz|zip|tar\\.gz|tar|regVV|reg|conf|bz2|ini|db|war|bat|inc|btr|server|ds|conf|config|admin|master|sln|bak)\\b(?:[^.]|$)", + "options": { + "case_sensitive": false + } + } + } + ], + "transformers": [] + }, + { + "id": "nfd-000-006", + "name": "Detect failed attempt to fetch sensitive files", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.response.status" + } + ], + "regex": "^404$", + "options": { + "case_sensitive": true + } + } + }, + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + } + ], + "regex": "\\.(cgi|bat|dll|exe|key|cert|crt|pem|der|pkcs|pkcs|pkcs[0-9]*|nsf|jsa|war|java|class|vb|vba|so|git|svn|hg|cvs)([^a-zA-Z0-9_]|$)", + "options": { + "case_sensitive": false + } + } + } + ], + "transformers": [] + }, + { + "id": "nfd-000-007", + "name": "Detect failed attempt to fetch archives", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.response.status" + } + ], + "regex": "^404$", + "options": { + "case_sensitive": true + } + } + }, + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + } + ], + "regex": "/[\\d\\-_]*\\.(rar|tar|zip|7z|gz|tgz|tar.gz)", + "options": { + "case_sensitive": false + } + } + } + ], + "transformers": [] + }, + { + "id": "nfd-000-008", + "name": "Detect failed attempt to trigger incorrect application behavior", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.response.status" + } + ], + "regex": "^404$", + "options": { + "case_sensitive": true + } + } + }, + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + } + ], + "regex": "(/(administrator/components/com.*\\.php|response\\.write\\(.+\\))|select\\(.+\\)from|\\(.*sleep\\(.+\\)|(%[a-zA-Z0-9]{2}[a-zA-Z]{0,1})+\\))", + "options": { + "case_sensitive": false + } + } + } + ], + "transformers": [] + }, + { + "id": "nfd-000-009", + "name": "Detect failed attempt to leak the structure of the application", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.response.status" + } + ], + "regex": "^404$", + "options": { + "case_sensitive": true + } + } + }, + { + "operator": "match_regex", + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + } + ], + "regex": "/(login\\.rol|LICENSE|[\\w-]+\\.(plx|pwd))$", + "options": { + "case_sensitive": false + } + } + } + ], + "transformers": [] + }, + { + "id": "sqr-000-001", + "name": "SSRF: Try to access the credential manager of the main cloud services", + "tags": { + "type": "ssrf", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?i)^\\W*((http|ftp)s?://)?\\W*((::f{4}:)?(169|(0x)?0*a9|0+251)\\.?(254|(0x)?0*fe|0+376)[0-9a-fx\\.:]+|metadata\\.google\\.internal|metadata\\.goog)\\W*/", + "options": { + "min_length": 4 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "removeNulls" + ] + }, + { + "id": "sqr-000-002", + "name": "Server-side Javascript injection: Try to detect obvious JS injection", + "tags": { + "type": "js_code_injection", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "require\\(['\"][\\w\\.]+['\"]\\)|process\\.\\w+\\([\\w\\.]*\\)|\\.toString\\(\\)", + "options": { + "min_length": 4 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "removeNulls" + ] + }, + { + "id": "sqr-000-007", + "name": "NoSQL: Detect common exploitation strategy", + "tags": { + "type": "nosql_injection", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + } + ], + "regex": "^\\$(eq|ne|(l|g)te?|n?in|not|(n|x|)or|and|regex|where|expr|exists)$" + }, + "operator": "match_regex" + } + ], + "transformers": [ + "keys_only" + ] + }, + { + "id": "sqr-000-008", + "name": "Windows: Detect attempts to exfiltrate .ini files", + "tags": { + "type": "command_injection", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?i)[&|]\\s*type\\s+%\\w+%\\\\+\\w+\\.ini\\s*[&|]" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "sqr-000-009", + "name": "Linux: Detect attempts to exfiltrate passwd files", + "tags": { + "type": "command_injection", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?i)[&|]\\s*cat\\s+\\/etc\\/[\\w\\.\\/]*passwd\\s*[&|]" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "sqr-000-010", + "name": "Windows: Detect attempts to timeout a shell", + "tags": { + "type": "command_injection", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(?i)[&|]\\s*timeout\\s+/t\\s+\\d+\\s*[&|]" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "sqr-000-011", + "name": "SSRF: Try to access internal OMI service (CVE-2021-38647)", + "tags": { + "type": "ssrf", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "http(s?):\\/\\/([A-Za-z0-9\\.\\-\\_]+|\\[[A-Fa-f0-9\\:]+\\]|):5986\\/wsman", + "options": { + "min_length": 4 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "sqr-000-012", + "name": "SSRF: Detect SSRF attempt on internal service", + "tags": { + "type": "ssrf", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10})(:[0-9]{1,5})?(\\/.*|)$" + }, + "operator": "match_regex" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "sqr-000-013", + "name": "SSRF: Detect SSRF attempts using IPv6 or octal/hexdecimal obfuscation", + "tags": { + "type": "ssrf", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/.*)?$" + }, + "operator": "match_regex" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "sqr-000-014", + "name": "SSRF: Detect SSRF domain redirection bypass", + "tags": { + "type": "ssrf", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click)" + }, + "operator": "match_regex" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "sqr-000-015", + "name": "SSRF: Detect SSRF attempt using non HTTP protocol", + "tags": { + "type": "ssrf", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "^(jar:)?((file|netdoc):\\/\\/[\\\\\\/]+|(dict|gopher|ldap|sftp|tftp):\\/\\/.*:[0-9]{1,5})" + }, + "operator": "match_regex" + } + ], + "transformers": [ + "lowercase" + ] + }, + { + "id": "sqr-000-017", + "name": "Log4shell: Attempt to exploit log4j CVE-2021-44228", + "tags": { + "type": "exploit_detection", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + }, + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + } + ], + "regex": "\\${[^j]*j[^n]*n[^d]*d[^i]*i[^:]*:[^}]*}" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-0xx", + "name": "Joomla exploitation tool", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "JDatabaseDriverMysqli" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-10x", + "name": "Nessus", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "(?i)^Nessus(/|([ :]+SOAP))" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-12x", + "name": "Arachni", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "^Arachni\\/v" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-13x", + "name": "Jorgee", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "(?i)\\bJorgee\\b" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-14x", + "name": "Probely", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "(?i)\\bProbely\\b" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-15x", + "name": "Metis", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "(?i)\\bmetis\\b" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-16x", + "name": "SQL power injector", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "sql power injector" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-18x", + "name": "N-Stealth", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "(?i)\\bn-stealth\\b" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-19x", + "name": "Brutus", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "(?i)\\bbrutus\\b" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-1xx", + "name": "Shellshock exploitation tool", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "\\(\\) \\{ :; *\\}" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-20x", + "name": "Netsparker", + "tags": { + "type": "security_scanner", + "category": "attack_attempt" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "(?i)( + +This is an html + + \ No newline at end of file diff --git a/appsec/tests/integration/src/test/www/base/public/hello.php b/appsec/tests/integration/src/test/www/base/public/hello.php new file mode 100644 index 00000000000..9d6845781f8 --- /dev/null +++ b/appsec/tests/integration/src/test/www/base/public/hello.php @@ -0,0 +1,2 @@ + 'Jean Example', + 'email' => 'jean.example@example.com', + 'session_id' => '987654321', + 'role' => 'admin', + 'scope' => 'read:message, write:files' +]); +echo "User Tracking"; diff --git a/appsec/tests/integration/src/test/www/base/public/user_login_failure.php b/appsec/tests/integration/src/test/www/base/public/user_login_failure.php new file mode 100644 index 00000000000..8724453e84d --- /dev/null +++ b/appsec/tests/integration/src/test/www/base/public/user_login_failure.php @@ -0,0 +1,9 @@ + 'jean.example@example.com', + 'session_id' => '987654321', + 'role' => 'admin' +]); + +echo "User Login Failure"; diff --git a/appsec/tests/integration/src/test/www/base/public/user_login_success.php b/appsec/tests/integration/src/test/www/base/public/user_login_success.php new file mode 100644 index 00000000000..f3aa2ef00b8 --- /dev/null +++ b/appsec/tests/integration/src/test/www/base/public/user_login_success.php @@ -0,0 +1,10 @@ + 'jean.example@example.com', + 'session_id' => '987654321', + 'role' => 'admin' +]); + +echo "User Login Success"; diff --git a/appsec/tests/integration/src/test/www/laravel8x/.editorconfig b/appsec/tests/integration/src/test/www/laravel8x/.editorconfig new file mode 100644 index 00000000000..1671c9b9d94 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/.editorconfig @@ -0,0 +1,18 @@ +root = true + +[*] +charset = utf-8 +end_of_line = lf +insert_final_newline = true +indent_style = space +indent_size = 4 +trim_trailing_whitespace = true + +[*.md] +trim_trailing_whitespace = false + +[*.{yml,yaml}] +indent_size = 2 + +[docker-compose.yml] +indent_size = 4 diff --git a/appsec/tests/integration/src/test/www/laravel8x/.env.example b/appsec/tests/integration/src/test/www/laravel8x/.env.example new file mode 100644 index 00000000000..d06ab0478ad --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/.env.example @@ -0,0 +1,8 @@ +APP_NAME=Laravel +APP_ENV=local +APP_KEY= +APP_DEBUG=true +APP_URL=http://localhost + +DB_CONNECTION=sqlite +DB_DATABASE=/tmp/database.sqlite diff --git a/appsec/tests/integration/src/test/www/laravel8x/.gitattributes b/appsec/tests/integration/src/test/www/laravel8x/.gitattributes new file mode 100644 index 00000000000..510d9961f10 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/.gitattributes @@ -0,0 +1,10 @@ +* text=auto + +*.blade.php diff=html +*.css diff=css +*.html diff=html +*.md diff=markdown +*.php diff=php + +/.github export-ignore +CHANGELOG.md export-ignore diff --git a/appsec/tests/integration/src/test/www/laravel8x/.gitignore b/appsec/tests/integration/src/test/www/laravel8x/.gitignore new file mode 100644 index 00000000000..eb003b01a1d --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/.gitignore @@ -0,0 +1,15 @@ +/node_modules +/public/hot +/public/storage +/storage/*.key +/vendor +.env +.env.backup +.phpunit.result.cache +docker-compose.override.yml +Homestead.json +Homestead.yaml +npm-debug.log +yarn-error.log +/.idea +/.vscode diff --git a/appsec/tests/integration/src/test/www/laravel8x/.styleci.yml b/appsec/tests/integration/src/test/www/laravel8x/.styleci.yml new file mode 100644 index 00000000000..877ea701dbf --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/.styleci.yml @@ -0,0 +1,14 @@ +php: + preset: laravel + version: 8 + disabled: + - no_unused_imports + finder: + not-name: + - index.php + - server.php +js: + finder: + not-name: + - webpack.mix.js +css: true diff --git a/appsec/tests/integration/src/test/www/laravel8x/README.md b/appsec/tests/integration/src/test/www/laravel8x/README.md new file mode 100644 index 00000000000..1b6397ce32f --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/README.md @@ -0,0 +1,64 @@ +

+ +

+Build Status +Total Downloads +Latest Stable Version +License +

+ +## About Laravel + +Laravel is a web application framework with expressive, elegant syntax. We believe development must be an enjoyable and creative experience to be truly fulfilling. Laravel takes the pain out of development by easing common tasks used in many web projects, such as: + +- [Simple, fast routing engine](https://laravel.com/docs/routing). +- [Powerful dependency injection container](https://laravel.com/docs/container). +- Multiple back-ends for [session](https://laravel.com/docs/session) and [cache](https://laravel.com/docs/cache) storage. +- Expressive, intuitive [database ORM](https://laravel.com/docs/eloquent). +- Database agnostic [schema migrations](https://laravel.com/docs/migrations). +- [Robust background job processing](https://laravel.com/docs/queues). +- [Real-time event broadcasting](https://laravel.com/docs/broadcasting). + +Laravel is accessible, powerful, and provides tools required for large, robust applications. + +## Learning Laravel + +Laravel has the most extensive and thorough [documentation](https://laravel.com/docs) and video tutorial library of all modern web application frameworks, making it a breeze to get started with the framework. + +If you don't feel like reading, [Laracasts](https://laracasts.com) can help. Laracasts contains over 1500 video tutorials on a range of topics including Laravel, modern PHP, unit testing, and JavaScript. Boost your skills by digging into our comprehensive video library. + +## Laravel Sponsors + +We would like to extend our thanks to the following sponsors for funding Laravel development. If you are interested in becoming a sponsor, please visit the Laravel [Patreon page](https://patreon.com/taylorotwell). + +### Premium Partners + +- **[Vehikl](https://vehikl.com/)** +- **[Tighten Co.](https://tighten.co)** +- **[Kirschbaum Development Group](https://kirschbaumdevelopment.com)** +- **[64 Robots](https://64robots.com)** +- **[Cubet Techno Labs](https://cubettech.com)** +- **[Cyber-Duck](https://cyber-duck.co.uk)** +- **[Many](https://www.many.co.uk)** +- **[Webdock, Fast VPS Hosting](https://www.webdock.io/en)** +- **[DevSquad](https://devsquad.com)** +- **[Curotec](https://www.curotec.com/services/technologies/laravel/)** +- **[OP.GG](https://op.gg)** +- **[WebReinvent](https://webreinvent.com/?utm_source=laravel&utm_medium=github&utm_campaign=patreon-sponsors)** +- **[Lendio](https://lendio.com)** + +## Contributing + +Thank you for considering contributing to the Laravel framework! The contribution guide can be found in the [Laravel documentation](https://laravel.com/docs/contributions). + +## Code of Conduct + +In order to ensure that the Laravel community is welcoming to all, please review and abide by the [Code of Conduct](https://laravel.com/docs/contributions#code-of-conduct). + +## Security Vulnerabilities + +If you discover a security vulnerability within Laravel, please send an e-mail to Taylor Otwell via [taylor@laravel.com](mailto:taylor@laravel.com). All security vulnerabilities will be promptly addressed. + +## License + +The Laravel framework is open-sourced software licensed under the [MIT license](https://opensource.org/licenses/MIT). diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Console/Kernel.php b/appsec/tests/integration/src/test/www/laravel8x/app/Console/Kernel.php new file mode 100644 index 00000000000..d8bc1d29f0c --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Console/Kernel.php @@ -0,0 +1,32 @@ +command('inspire')->hourly(); + } + + /** + * Register the commands for the application. + * + * @return void + */ + protected function commands() + { + $this->load(__DIR__.'/Commands'); + + require base_path('routes/console.php'); + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Exceptions/Handler.php b/appsec/tests/integration/src/test/www/laravel8x/app/Exceptions/Handler.php new file mode 100644 index 00000000000..8e7fbd1be9c --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Exceptions/Handler.php @@ -0,0 +1,41 @@ +> + */ + protected $dontReport = [ + // + ]; + + /** + * A list of the inputs that are never flashed for validation exceptions. + * + * @var array + */ + protected $dontFlash = [ + 'current_password', + 'password', + 'password_confirmation', + ]; + + /** + * Register the exception handling callbacks for the application. + * + * @return void + */ + public function register() + { + $this->reportable(function (Throwable $e) { + // + }); + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Http/Controllers/Controller.php b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Controllers/Controller.php new file mode 100644 index 00000000000..a0a2a8a34a6 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Controllers/Controller.php @@ -0,0 +1,13 @@ + $request->get('email') ?? 'ciuser@example.com', + 'password' => 'password', + ]; + + if (Auth::attempt($credentials)) { + $request->session()->regenerate(); + + return response('Login successful', 200); + } + + return response('Invalid credentials', 403); + } + + public function register(Request $request): Response + { + $request->validate([ + 'name' => ['required'], + 'email' => ['required'], + 'password' => ['required'], + ]); + + $user = User::create([ + 'name' => $request->name, + 'email' => $request->email, + 'password' => Hash::make($request->password), + ]); + + event(new Registered($user)); + + Auth::login($user); + + return response('User created', 200); + } +} \ No newline at end of file diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Http/Kernel.php b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Kernel.php new file mode 100644 index 00000000000..c18d13212cc --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Kernel.php @@ -0,0 +1,67 @@ + + */ + protected $middleware = [ + // \App\Http\Middleware\TrustHosts::class, + \App\Http\Middleware\TrustProxies::class, + \Fruitcake\Cors\HandleCors::class, + \App\Http\Middleware\PreventRequestsDuringMaintenance::class, + \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class, + \App\Http\Middleware\TrimStrings::class, + \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class, + ]; + + /** + * The application's route middleware groups. + * + * @var array> + */ + protected $middlewareGroups = [ + 'web' => [ + \App\Http\Middleware\EncryptCookies::class, + \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class, + \Illuminate\Session\Middleware\StartSession::class, + // \Illuminate\Session\Middleware\AuthenticateSession::class, + \Illuminate\View\Middleware\ShareErrorsFromSession::class, + //\App\Http\Middleware\VerifyCsrfToken::class, + \Illuminate\Routing\Middleware\SubstituteBindings::class, + ], + + 'api' => [ + // \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class, + 'throttle:api', + \Illuminate\Routing\Middleware\SubstituteBindings::class, + ], + ]; + + /** + * The application's route middleware. + * + * These middleware may be assigned to groups or used individually. + * + * @var array + */ + protected $routeMiddleware = [ + 'auth' => \App\Http\Middleware\Authenticate::class, + 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class, + 'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class, + 'can' => \Illuminate\Auth\Middleware\Authorize::class, + 'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class, + 'password.confirm' => \Illuminate\Auth\Middleware\RequirePassword::class, + 'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class, + 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class, + 'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class, + ]; +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/Authenticate.php b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/Authenticate.php new file mode 100644 index 00000000000..704089a7fe7 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/Authenticate.php @@ -0,0 +1,21 @@ +expectsJson()) { + return route('login'); + } + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/EncryptCookies.php b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/EncryptCookies.php new file mode 100644 index 00000000000..867695bdcff --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/EncryptCookies.php @@ -0,0 +1,17 @@ + + */ + protected $except = [ + // + ]; +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/PreventRequestsDuringMaintenance.php b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/PreventRequestsDuringMaintenance.php new file mode 100644 index 00000000000..74cbd9a9eaa --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/PreventRequestsDuringMaintenance.php @@ -0,0 +1,17 @@ + + */ + protected $except = [ + // + ]; +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/RedirectIfAuthenticated.php b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/RedirectIfAuthenticated.php new file mode 100644 index 00000000000..a2813a06489 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/RedirectIfAuthenticated.php @@ -0,0 +1,32 @@ +check()) { + return redirect(RouteServiceProvider::HOME); + } + } + + return $next($request); + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/TrimStrings.php b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/TrimStrings.php new file mode 100644 index 00000000000..88cadcaaf28 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/TrimStrings.php @@ -0,0 +1,19 @@ + + */ + protected $except = [ + 'current_password', + 'password', + 'password_confirmation', + ]; +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/TrustHosts.php b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/TrustHosts.php new file mode 100644 index 00000000000..7186414c657 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/TrustHosts.php @@ -0,0 +1,20 @@ + + */ + public function hosts() + { + return [ + $this->allSubdomainsOfApplicationUrl(), + ]; + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/TrustProxies.php b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/TrustProxies.php new file mode 100644 index 00000000000..3391630ecc9 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/TrustProxies.php @@ -0,0 +1,28 @@ +|string|null + */ + protected $proxies; + + /** + * The headers that should be used to detect proxies. + * + * @var int + */ + protected $headers = + Request::HEADER_X_FORWARDED_FOR | + Request::HEADER_X_FORWARDED_HOST | + Request::HEADER_X_FORWARDED_PORT | + Request::HEADER_X_FORWARDED_PROTO | + Request::HEADER_X_FORWARDED_AWS_ELB; +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/VerifyCsrfToken.php b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/VerifyCsrfToken.php new file mode 100644 index 00000000000..9e86521722b --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Http/Middleware/VerifyCsrfToken.php @@ -0,0 +1,17 @@ + + */ + protected $except = [ + // + ]; +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Models/User.php b/appsec/tests/integration/src/test/www/laravel8x/app/Models/User.php new file mode 100644 index 00000000000..89963686eb2 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Models/User.php @@ -0,0 +1,44 @@ + + */ + protected $fillable = [ + 'name', + 'email', + 'password', + ]; + + /** + * The attributes that should be hidden for serialization. + * + * @var array + */ + protected $hidden = [ + 'password', + 'remember_token', + ]; + + /** + * The attributes that should be cast. + * + * @var array + */ + protected $casts = [ + 'email_verified_at' => 'datetime', + ]; +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Providers/AppServiceProvider.php b/appsec/tests/integration/src/test/www/laravel8x/app/Providers/AppServiceProvider.php new file mode 100644 index 00000000000..ee8ca5bcd8f --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Providers/AppServiceProvider.php @@ -0,0 +1,28 @@ + + */ + protected $policies = [ + // 'App\Models\Model' => 'App\Policies\ModelPolicy', + ]; + + /** + * Register any authentication / authorization services. + * + * @return void + */ + public function boot() + { + $this->registerPolicies(); + + // + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Providers/BroadcastServiceProvider.php b/appsec/tests/integration/src/test/www/laravel8x/app/Providers/BroadcastServiceProvider.php new file mode 100644 index 00000000000..395c518bc47 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Providers/BroadcastServiceProvider.php @@ -0,0 +1,21 @@ +> + */ + protected $listen = [ + Registered::class => [ + SendEmailVerificationNotification::class, + ], + ]; + + /** + * Register any events for your application. + * + * @return void + */ + public function boot() + { + // + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/app/Providers/RouteServiceProvider.php b/appsec/tests/integration/src/test/www/laravel8x/app/Providers/RouteServiceProvider.php new file mode 100644 index 00000000000..3bd3c81eb2b --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/app/Providers/RouteServiceProvider.php @@ -0,0 +1,63 @@ +configureRateLimiting(); + + $this->routes(function () { + Route::prefix('api') + ->middleware('api') + ->namespace($this->namespace) + ->group(base_path('routes/api.php')); + + Route::middleware('web') + ->namespace($this->namespace) + ->group(base_path('routes/web.php')); + }); + } + + /** + * Configure the rate limiters for the application. + * + * @return void + */ + protected function configureRateLimiting() + { + RateLimiter::for('api', function (Request $request) { + return Limit::perMinute(60)->by(optional($request->user())->id ?: $request->ip()); + }); + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/artisan b/appsec/tests/integration/src/test/www/laravel8x/artisan new file mode 100755 index 00000000000..67a3329b183 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/artisan @@ -0,0 +1,53 @@ +#!/usr/bin/env php +make(Illuminate\Contracts\Console\Kernel::class); + +$status = $kernel->handle( + $input = new Symfony\Component\Console\Input\ArgvInput, + new Symfony\Component\Console\Output\ConsoleOutput +); + +/* +|-------------------------------------------------------------------------- +| Shutdown The Application +|-------------------------------------------------------------------------- +| +| Once Artisan has finished running, we will fire off the shutdown events +| so that any final work may be done by the application before we shut +| down the process. This is the last thing to happen to the request. +| +*/ + +$kernel->terminate($input, $status); + +exit($status); diff --git a/appsec/tests/integration/src/test/www/laravel8x/bootstrap/app.php b/appsec/tests/integration/src/test/www/laravel8x/bootstrap/app.php new file mode 100644 index 00000000000..037e17df03b --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/bootstrap/app.php @@ -0,0 +1,55 @@ +singleton( + Illuminate\Contracts\Http\Kernel::class, + App\Http\Kernel::class +); + +$app->singleton( + Illuminate\Contracts\Console\Kernel::class, + App\Console\Kernel::class +); + +$app->singleton( + Illuminate\Contracts\Debug\ExceptionHandler::class, + App\Exceptions\Handler::class +); + +/* +|-------------------------------------------------------------------------- +| Return The Application +|-------------------------------------------------------------------------- +| +| This script returns the application instance. The instance is given to +| the calling script so we can separate the building of the instances +| from the actual running of the application and sending responses. +| +*/ + +return $app; diff --git a/appsec/tests/integration/src/test/www/laravel8x/bootstrap/cache/.gitignore b/appsec/tests/integration/src/test/www/laravel8x/bootstrap/cache/.gitignore new file mode 100644 index 00000000000..c1aefd2012c --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/bootstrap/cache/.gitignore @@ -0,0 +1,2 @@ +.gitignore +!.gitignore diff --git a/appsec/tests/integration/src/test/www/laravel8x/composer.json b/appsec/tests/integration/src/test/www/laravel8x/composer.json new file mode 100644 index 00000000000..2b0c1155095 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/composer.json @@ -0,0 +1,62 @@ +{ + "name": "laravel/laravel", + "type": "project", + "description": "The Laravel Framework.", + "keywords": ["framework", "laravel"], + "license": "MIT", + "require": { + "php": "^7.3|^8.0", + "fruitcake/laravel-cors": "^2.0", + "guzzlehttp/guzzle": "^7.0.1", + "laravel/framework": "^8.75", + "laravel/sanctum": "^2.11", + "laravel/tinker": "^2.5" + }, + "require-dev": { + "facade/ignition": "^2.5", + "fakerphp/faker": "^1.9.1", + "laravel/sail": "^1.0.1", + "mockery/mockery": "^1.4.4", + "nunomaduro/collision": "^5.10", + "phpunit/phpunit": "^9.5.10" + }, + "autoload": { + "psr-4": { + "App\\": "app/", + "Database\\Factories\\": "database/factories/", + "Database\\Seeders\\": "database/seeders/" + } + }, + "autoload-dev": { + "psr-4": { + "Tests\\": "tests/" + } + }, + "scripts": { + "post-autoload-dump": [ + "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump", + "@php artisan package:discover --ansi" + ], + "post-update-cmd": [ + "@php artisan vendor:publish --tag=laravel-assets --ansi --force" + ], + "post-root-package-install": [ + "@php -r \"file_exists('.env') || copy('.env.example', '.env');\"" + ], + "post-create-project-cmd": [ + "@php artisan key:generate --ansi" + ] + }, + "extra": { + "laravel": { + "dont-discover": [] + } + }, + "config": { + "optimize-autoloader": true, + "preferred-install": "dist", + "sort-packages": true + }, + "minimum-stability": "dev", + "prefer-stable": true +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/app.php b/appsec/tests/integration/src/test/www/laravel8x/config/app.php new file mode 100644 index 00000000000..a8d1a82e4ba --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/app.php @@ -0,0 +1,235 @@ + env('APP_NAME', 'Laravel'), + + /* + |-------------------------------------------------------------------------- + | Application Environment + |-------------------------------------------------------------------------- + | + | This value determines the "environment" your application is currently + | running in. This may determine how you prefer to configure various + | services the application utilizes. Set this in your ".env" file. + | + */ + + 'env' => env('APP_ENV', 'production'), + + /* + |-------------------------------------------------------------------------- + | Application Debug Mode + |-------------------------------------------------------------------------- + | + | When your application is in debug mode, detailed error messages with + | stack traces will be shown on every error that occurs within your + | application. If disabled, a simple generic error page is shown. + | + */ + + 'debug' => (bool) env('APP_DEBUG', false), + + /* + |-------------------------------------------------------------------------- + | Application URL + |-------------------------------------------------------------------------- + | + | This URL is used by the console to properly generate URLs when using + | the Artisan command line tool. You should set this to the root of + | your application so that it is used when running Artisan tasks. + | + */ + + 'url' => env('APP_URL', 'http://localhost'), + + 'asset_url' => env('ASSET_URL', null), + + /* + |-------------------------------------------------------------------------- + | Application Timezone + |-------------------------------------------------------------------------- + | + | Here you may specify the default timezone for your application, which + | will be used by the PHP date and date-time functions. We have gone + | ahead and set this to a sensible default for you out of the box. + | + */ + + 'timezone' => 'UTC', + + /* + |-------------------------------------------------------------------------- + | Application Locale Configuration + |-------------------------------------------------------------------------- + | + | The application locale determines the default locale that will be used + | by the translation service provider. You are free to set this value + | to any of the locales which will be supported by the application. + | + */ + + 'locale' => 'en', + + /* + |-------------------------------------------------------------------------- + | Application Fallback Locale + |-------------------------------------------------------------------------- + | + | The fallback locale determines the locale to use when the current one + | is not available. You may change the value to correspond to any of + | the language folders that are provided through your application. + | + */ + + 'fallback_locale' => 'en', + + /* + |-------------------------------------------------------------------------- + | Faker Locale + |-------------------------------------------------------------------------- + | + | This locale will be used by the Faker PHP library when generating fake + | data for your database seeds. For example, this will be used to get + | localized telephone numbers, street address information and more. + | + */ + + 'faker_locale' => 'en_US', + + /* + |-------------------------------------------------------------------------- + | Encryption Key + |-------------------------------------------------------------------------- + | + | This key is used by the Illuminate encrypter service and should be set + | to a random, 32 character string, otherwise these encrypted strings + | will not be safe. Please do this before deploying an application! + | + */ + + 'key' => env('APP_KEY'), + + 'cipher' => 'AES-256-CBC', + + /* + |-------------------------------------------------------------------------- + | Autoloaded Service Providers + |-------------------------------------------------------------------------- + | + | The service providers listed here will be automatically loaded on the + | request to your application. Feel free to add your own services to + | this array to grant expanded functionality to your applications. + | + */ + + 'providers' => [ + + /* + * Laravel Framework Service Providers... + */ + Illuminate\Auth\AuthServiceProvider::class, + Illuminate\Broadcasting\BroadcastServiceProvider::class, + Illuminate\Bus\BusServiceProvider::class, + Illuminate\Cache\CacheServiceProvider::class, + Illuminate\Foundation\Providers\ConsoleSupportServiceProvider::class, + Illuminate\Cookie\CookieServiceProvider::class, + Illuminate\Database\DatabaseServiceProvider::class, + Illuminate\Encryption\EncryptionServiceProvider::class, + Illuminate\Filesystem\FilesystemServiceProvider::class, + Illuminate\Foundation\Providers\FoundationServiceProvider::class, + Illuminate\Hashing\HashServiceProvider::class, + Illuminate\Mail\MailServiceProvider::class, + Illuminate\Notifications\NotificationServiceProvider::class, + Illuminate\Pagination\PaginationServiceProvider::class, + Illuminate\Pipeline\PipelineServiceProvider::class, + Illuminate\Queue\QueueServiceProvider::class, + Illuminate\Redis\RedisServiceProvider::class, + Illuminate\Auth\Passwords\PasswordResetServiceProvider::class, + Illuminate\Session\SessionServiceProvider::class, + Illuminate\Translation\TranslationServiceProvider::class, + Illuminate\Validation\ValidationServiceProvider::class, + Illuminate\View\ViewServiceProvider::class, + + /* + * Package Service Providers... + */ + + /* + * Application Service Providers... + */ + App\Providers\AppServiceProvider::class, + App\Providers\AuthServiceProvider::class, + // App\Providers\BroadcastServiceProvider::class, + App\Providers\EventServiceProvider::class, + App\Providers\RouteServiceProvider::class, + + ], + + /* + |-------------------------------------------------------------------------- + | Class Aliases + |-------------------------------------------------------------------------- + | + | This array of class aliases will be registered when this application + | is started. However, feel free to register as many as you wish as + | the aliases are "lazy" loaded so they don't hinder performance. + | + */ + + 'aliases' => [ + + 'App' => Illuminate\Support\Facades\App::class, + 'Arr' => Illuminate\Support\Arr::class, + 'Artisan' => Illuminate\Support\Facades\Artisan::class, + 'Auth' => Illuminate\Support\Facades\Auth::class, + 'Blade' => Illuminate\Support\Facades\Blade::class, + 'Broadcast' => Illuminate\Support\Facades\Broadcast::class, + 'Bus' => Illuminate\Support\Facades\Bus::class, + 'Cache' => Illuminate\Support\Facades\Cache::class, + 'Config' => Illuminate\Support\Facades\Config::class, + 'Cookie' => Illuminate\Support\Facades\Cookie::class, + 'Crypt' => Illuminate\Support\Facades\Crypt::class, + 'Date' => Illuminate\Support\Facades\Date::class, + 'DB' => Illuminate\Support\Facades\DB::class, + 'Eloquent' => Illuminate\Database\Eloquent\Model::class, + 'Event' => Illuminate\Support\Facades\Event::class, + 'File' => Illuminate\Support\Facades\File::class, + 'Gate' => Illuminate\Support\Facades\Gate::class, + 'Hash' => Illuminate\Support\Facades\Hash::class, + 'Http' => Illuminate\Support\Facades\Http::class, + 'Js' => Illuminate\Support\Js::class, + 'Lang' => Illuminate\Support\Facades\Lang::class, + 'Log' => Illuminate\Support\Facades\Log::class, + 'Mail' => Illuminate\Support\Facades\Mail::class, + 'Notification' => Illuminate\Support\Facades\Notification::class, + 'Password' => Illuminate\Support\Facades\Password::class, + 'Queue' => Illuminate\Support\Facades\Queue::class, + 'RateLimiter' => Illuminate\Support\Facades\RateLimiter::class, + 'Redirect' => Illuminate\Support\Facades\Redirect::class, + // 'Redis' => Illuminate\Support\Facades\Redis::class, + 'Request' => Illuminate\Support\Facades\Request::class, + 'Response' => Illuminate\Support\Facades\Response::class, + 'Route' => Illuminate\Support\Facades\Route::class, + 'Schema' => Illuminate\Support\Facades\Schema::class, + 'Session' => Illuminate\Support\Facades\Session::class, + 'Storage' => Illuminate\Support\Facades\Storage::class, + 'Str' => Illuminate\Support\Str::class, + 'URL' => Illuminate\Support\Facades\URL::class, + 'Validator' => Illuminate\Support\Facades\Validator::class, + 'View' => Illuminate\Support\Facades\View::class, + + ], + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/auth.php b/appsec/tests/integration/src/test/www/laravel8x/config/auth.php new file mode 100644 index 00000000000..d8c6cee7c19 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/auth.php @@ -0,0 +1,111 @@ + [ + 'guard' => 'web', + 'passwords' => 'users', + ], + + /* + |-------------------------------------------------------------------------- + | Authentication Guards + |-------------------------------------------------------------------------- + | + | Next, you may define every authentication guard for your application. + | Of course, a great default configuration has been defined for you + | here which uses session storage and the Eloquent user provider. + | + | All authentication drivers have a user provider. This defines how the + | users are actually retrieved out of your database or other storage + | mechanisms used by this application to persist your user's data. + | + | Supported: "session" + | + */ + + 'guards' => [ + 'web' => [ + 'driver' => 'session', + 'provider' => 'users', + ], + ], + + /* + |-------------------------------------------------------------------------- + | User Providers + |-------------------------------------------------------------------------- + | + | All authentication drivers have a user provider. This defines how the + | users are actually retrieved out of your database or other storage + | mechanisms used by this application to persist your user's data. + | + | If you have multiple user tables or models you may configure multiple + | sources which represent each model / table. These sources may then + | be assigned to any extra authentication guards you have defined. + | + | Supported: "database", "eloquent" + | + */ + + 'providers' => [ + 'users' => [ + 'driver' => 'eloquent', + 'model' => App\Models\User::class, + ], + + // 'users' => [ + // 'driver' => 'database', + // 'table' => 'users', + // ], + ], + + /* + |-------------------------------------------------------------------------- + | Resetting Passwords + |-------------------------------------------------------------------------- + | + | You may specify multiple password reset configurations if you have more + | than one user table or model in the application and you want to have + | separate password reset settings based on the specific user types. + | + | The expire time is the number of minutes that each reset token will be + | considered valid. This security feature keeps tokens short-lived so + | they have less time to be guessed. You may change this as needed. + | + */ + + 'passwords' => [ + 'users' => [ + 'provider' => 'users', + 'table' => 'password_resets', + 'expire' => 60, + 'throttle' => 60, + ], + ], + + /* + |-------------------------------------------------------------------------- + | Password Confirmation Timeout + |-------------------------------------------------------------------------- + | + | Here you may define the amount of seconds before a password confirmation + | times out and the user is prompted to re-enter their password via the + | confirmation screen. By default, the timeout lasts for three hours. + | + */ + + 'password_timeout' => 10800, + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/broadcasting.php b/appsec/tests/integration/src/test/www/laravel8x/config/broadcasting.php new file mode 100644 index 00000000000..2d529820cc5 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/broadcasting.php @@ -0,0 +1,64 @@ + env('BROADCAST_DRIVER', 'null'), + + /* + |-------------------------------------------------------------------------- + | Broadcast Connections + |-------------------------------------------------------------------------- + | + | Here you may define all of the broadcast connections that will be used + | to broadcast events to other systems or over websockets. Samples of + | each available type of connection are provided inside this array. + | + */ + + 'connections' => [ + + 'pusher' => [ + 'driver' => 'pusher', + 'key' => env('PUSHER_APP_KEY'), + 'secret' => env('PUSHER_APP_SECRET'), + 'app_id' => env('PUSHER_APP_ID'), + 'options' => [ + 'cluster' => env('PUSHER_APP_CLUSTER'), + 'useTLS' => true, + ], + ], + + 'ably' => [ + 'driver' => 'ably', + 'key' => env('ABLY_KEY'), + ], + + 'redis' => [ + 'driver' => 'redis', + 'connection' => 'default', + ], + + 'log' => [ + 'driver' => 'log', + ], + + 'null' => [ + 'driver' => 'null', + ], + + ], + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/cache.php b/appsec/tests/integration/src/test/www/laravel8x/config/cache.php new file mode 100644 index 00000000000..8736c7a7a38 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/cache.php @@ -0,0 +1,110 @@ + env('CACHE_DRIVER', 'file'), + + /* + |-------------------------------------------------------------------------- + | Cache Stores + |-------------------------------------------------------------------------- + | + | Here you may define all of the cache "stores" for your application as + | well as their drivers. You may even define multiple stores for the + | same cache driver to group types of items stored in your caches. + | + | Supported drivers: "apc", "array", "database", "file", + | "memcached", "redis", "dynamodb", "octane", "null" + | + */ + + 'stores' => [ + + 'apc' => [ + 'driver' => 'apc', + ], + + 'array' => [ + 'driver' => 'array', + 'serialize' => false, + ], + + 'database' => [ + 'driver' => 'database', + 'table' => 'cache', + 'connection' => null, + 'lock_connection' => null, + ], + + 'file' => [ + 'driver' => 'file', + 'path' => storage_path('framework/cache/data'), + ], + + 'memcached' => [ + 'driver' => 'memcached', + 'persistent_id' => env('MEMCACHED_PERSISTENT_ID'), + 'sasl' => [ + env('MEMCACHED_USERNAME'), + env('MEMCACHED_PASSWORD'), + ], + 'options' => [ + // Memcached::OPT_CONNECT_TIMEOUT => 2000, + ], + 'servers' => [ + [ + 'host' => env('MEMCACHED_HOST', '127.0.0.1'), + 'port' => env('MEMCACHED_PORT', 11211), + 'weight' => 100, + ], + ], + ], + + 'redis' => [ + 'driver' => 'redis', + 'connection' => 'cache', + 'lock_connection' => 'default', + ], + + 'dynamodb' => [ + 'driver' => 'dynamodb', + 'key' => env('AWS_ACCESS_KEY_ID'), + 'secret' => env('AWS_SECRET_ACCESS_KEY'), + 'region' => env('AWS_DEFAULT_REGION', 'us-east-1'), + 'table' => env('DYNAMODB_CACHE_TABLE', 'cache'), + 'endpoint' => env('DYNAMODB_ENDPOINT'), + ], + + 'octane' => [ + 'driver' => 'octane', + ], + + ], + + /* + |-------------------------------------------------------------------------- + | Cache Key Prefix + |-------------------------------------------------------------------------- + | + | When utilizing a RAM based store such as APC or Memcached, there might + | be other applications utilizing the same cache. So, we'll specify a + | value to get prefixed to all our keys so we can avoid collisions. + | + */ + + 'prefix' => env('CACHE_PREFIX', Str::slug(env('APP_NAME', 'laravel'), '_').'_cache'), + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/cors.php b/appsec/tests/integration/src/test/www/laravel8x/config/cors.php new file mode 100644 index 00000000000..8a39e6daa63 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/cors.php @@ -0,0 +1,34 @@ + ['api/*', 'sanctum/csrf-cookie'], + + 'allowed_methods' => ['*'], + + 'allowed_origins' => ['*'], + + 'allowed_origins_patterns' => [], + + 'allowed_headers' => ['*'], + + 'exposed_headers' => [], + + 'max_age' => 0, + + 'supports_credentials' => false, + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/database.php b/appsec/tests/integration/src/test/www/laravel8x/config/database.php new file mode 100644 index 00000000000..b42d9b30a54 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/database.php @@ -0,0 +1,147 @@ + env('DB_CONNECTION', 'mysql'), + + /* + |-------------------------------------------------------------------------- + | Database Connections + |-------------------------------------------------------------------------- + | + | Here are each of the database connections setup for your application. + | Of course, examples of configuring each database platform that is + | supported by Laravel is shown below to make development simple. + | + | + | All database work in Laravel is done through the PHP PDO facilities + | so make sure you have the driver for your particular database of + | choice installed on your machine before you begin development. + | + */ + + 'connections' => [ + + 'sqlite' => [ + 'driver' => 'sqlite', + 'url' => env('DATABASE_URL'), + 'database' => env('DB_DATABASE', database_path('database.sqlite')), + 'prefix' => '', + 'foreign_key_constraints' => env('DB_FOREIGN_KEYS', true), + ], + + 'mysql' => [ + 'driver' => 'mysql', + 'url' => env('DATABASE_URL'), + 'host' => env('DB_HOST', '127.0.0.1'), + 'port' => env('DB_PORT', '3306'), + 'database' => env('DB_DATABASE', 'forge'), + 'username' => env('DB_USERNAME', 'forge'), + 'password' => env('DB_PASSWORD', ''), + 'unix_socket' => env('DB_SOCKET', ''), + 'charset' => 'utf8mb4', + 'collation' => 'utf8mb4_unicode_ci', + 'prefix' => '', + 'prefix_indexes' => true, + 'strict' => true, + 'engine' => null, + 'options' => extension_loaded('pdo_mysql') ? array_filter([ + PDO::MYSQL_ATTR_SSL_CA => env('MYSQL_ATTR_SSL_CA'), + ]) : [], + ], + + 'pgsql' => [ + 'driver' => 'pgsql', + 'url' => env('DATABASE_URL'), + 'host' => env('DB_HOST', '127.0.0.1'), + 'port' => env('DB_PORT', '5432'), + 'database' => env('DB_DATABASE', 'forge'), + 'username' => env('DB_USERNAME', 'forge'), + 'password' => env('DB_PASSWORD', ''), + 'charset' => 'utf8', + 'prefix' => '', + 'prefix_indexes' => true, + 'schema' => 'public', + 'sslmode' => 'prefer', + ], + + 'sqlsrv' => [ + 'driver' => 'sqlsrv', + 'url' => env('DATABASE_URL'), + 'host' => env('DB_HOST', 'localhost'), + 'port' => env('DB_PORT', '1433'), + 'database' => env('DB_DATABASE', 'forge'), + 'username' => env('DB_USERNAME', 'forge'), + 'password' => env('DB_PASSWORD', ''), + 'charset' => 'utf8', + 'prefix' => '', + 'prefix_indexes' => true, + ], + + ], + + /* + |-------------------------------------------------------------------------- + | Migration Repository Table + |-------------------------------------------------------------------------- + | + | This table keeps track of all the migrations that have already run for + | your application. Using this information, we can determine which of + | the migrations on disk haven't actually been run in the database. + | + */ + + 'migrations' => 'migrations', + + /* + |-------------------------------------------------------------------------- + | Redis Databases + |-------------------------------------------------------------------------- + | + | Redis is an open source, fast, and advanced key-value store that also + | provides a richer body of commands than a typical key-value system + | such as APC or Memcached. Laravel makes it easy to dig right in. + | + */ + + 'redis' => [ + + 'client' => env('REDIS_CLIENT', 'phpredis'), + + 'options' => [ + 'cluster' => env('REDIS_CLUSTER', 'redis'), + 'prefix' => env('REDIS_PREFIX', Str::slug(env('APP_NAME', 'laravel'), '_').'_database_'), + ], + + 'default' => [ + 'url' => env('REDIS_URL'), + 'host' => env('REDIS_HOST', '127.0.0.1'), + 'password' => env('REDIS_PASSWORD', null), + 'port' => env('REDIS_PORT', '6379'), + 'database' => env('REDIS_DB', '0'), + ], + + 'cache' => [ + 'url' => env('REDIS_URL'), + 'host' => env('REDIS_HOST', '127.0.0.1'), + 'password' => env('REDIS_PASSWORD', null), + 'port' => env('REDIS_PORT', '6379'), + 'database' => env('REDIS_CACHE_DB', '1'), + ], + + ], + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/filesystems.php b/appsec/tests/integration/src/test/www/laravel8x/config/filesystems.php new file mode 100644 index 00000000000..760ef9728b7 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/filesystems.php @@ -0,0 +1,73 @@ + env('FILESYSTEM_DRIVER', 'local'), + + /* + |-------------------------------------------------------------------------- + | Filesystem Disks + |-------------------------------------------------------------------------- + | + | Here you may configure as many filesystem "disks" as you wish, and you + | may even configure multiple disks of the same driver. Defaults have + | been setup for each driver as an example of the required options. + | + | Supported Drivers: "local", "ftp", "sftp", "s3" + | + */ + + 'disks' => [ + + 'local' => [ + 'driver' => 'local', + 'root' => storage_path('app'), + ], + + 'public' => [ + 'driver' => 'local', + 'root' => storage_path('app/public'), + 'url' => env('APP_URL').'/storage', + 'visibility' => 'public', + ], + + 's3' => [ + 'driver' => 's3', + 'key' => env('AWS_ACCESS_KEY_ID'), + 'secret' => env('AWS_SECRET_ACCESS_KEY'), + 'region' => env('AWS_DEFAULT_REGION'), + 'bucket' => env('AWS_BUCKET'), + 'url' => env('AWS_URL'), + 'endpoint' => env('AWS_ENDPOINT'), + 'use_path_style_endpoint' => env('AWS_USE_PATH_STYLE_ENDPOINT', false), + ], + + ], + + /* + |-------------------------------------------------------------------------- + | Symbolic Links + |-------------------------------------------------------------------------- + | + | Here you may configure the symbolic links that will be created when the + | `storage:link` Artisan command is executed. The array keys should be + | the locations of the links and the values should be their targets. + | + */ + + 'links' => [ + public_path('storage') => storage_path('app/public'), + ], + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/hashing.php b/appsec/tests/integration/src/test/www/laravel8x/config/hashing.php new file mode 100644 index 00000000000..bcd3be4c28a --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/hashing.php @@ -0,0 +1,52 @@ + 'bcrypt', + + /* + |-------------------------------------------------------------------------- + | Bcrypt Options + |-------------------------------------------------------------------------- + | + | Here you may specify the configuration options that should be used when + | passwords are hashed using the Bcrypt algorithm. This will allow you + | to control the amount of time it takes to hash the given password. + | + */ + + 'bcrypt' => [ + 'rounds' => env('BCRYPT_ROUNDS', 10), + ], + + /* + |-------------------------------------------------------------------------- + | Argon Options + |-------------------------------------------------------------------------- + | + | Here you may specify the configuration options that should be used when + | passwords are hashed using the Argon algorithm. These will allow you + | to control the amount of time it takes to hash the given password. + | + */ + + 'argon' => [ + 'memory' => 65536, + 'threads' => 1, + 'time' => 4, + ], + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/logging.php b/appsec/tests/integration/src/test/www/laravel8x/config/logging.php new file mode 100644 index 00000000000..4050d76eac3 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/logging.php @@ -0,0 +1,118 @@ + env('LOG_CHANNEL', 'stack'), + + /* + |-------------------------------------------------------------------------- + | Deprecations Log Channel + |-------------------------------------------------------------------------- + | + | This option controls the log channel that should be used to log warnings + | regarding deprecated PHP and library features. This allows you to get + | your application ready for upcoming major versions of dependencies. + | + */ + + 'deprecations' => env('LOG_DEPRECATIONS_CHANNEL', 'null'), + + /* + |-------------------------------------------------------------------------- + | Log Channels + |-------------------------------------------------------------------------- + | + | Here you may configure the log channels for your application. Out of + | the box, Laravel uses the Monolog PHP logging library. This gives + | you a variety of powerful log handlers / formatters to utilize. + | + | Available Drivers: "single", "daily", "slack", "syslog", + | "errorlog", "monolog", + | "custom", "stack" + | + */ + + 'channels' => [ + 'stack' => [ + 'driver' => 'stack', + 'channels' => ['single'], + 'ignore_exceptions' => false, + ], + + 'single' => [ + 'driver' => 'single', + 'path' => '/tmp/logs/laravel/laravel.log', + 'level' => env('LOG_LEVEL', 'debug'), + ], + + 'daily' => [ + 'driver' => 'daily', + 'path' => '/tmp/logs/laravel/laravel.log', + 'level' => env('LOG_LEVEL', 'debug'), + 'days' => 14, + ], + + 'slack' => [ + 'driver' => 'slack', + 'url' => env('LOG_SLACK_WEBHOOK_URL'), + 'username' => 'Laravel Log', + 'emoji' => ':boom:', + 'level' => env('LOG_LEVEL', 'critical'), + ], + + 'papertrail' => [ + 'driver' => 'monolog', + 'level' => env('LOG_LEVEL', 'debug'), + 'handler' => SyslogUdpHandler::class, + 'handler_with' => [ + 'host' => env('PAPERTRAIL_URL'), + 'port' => env('PAPERTRAIL_PORT'), + ], + ], + + 'stderr' => [ + 'driver' => 'monolog', + 'level' => env('LOG_LEVEL', 'debug'), + 'handler' => StreamHandler::class, + 'formatter' => env('LOG_STDERR_FORMATTER'), + 'with' => [ + 'stream' => 'php://stderr', + ], + ], + + 'syslog' => [ + 'driver' => 'syslog', + 'level' => env('LOG_LEVEL', 'debug'), + ], + + 'errorlog' => [ + 'driver' => 'errorlog', + 'level' => env('LOG_LEVEL', 'debug'), + ], + + 'null' => [ + 'driver' => 'monolog', + 'handler' => NullHandler::class, + ], + + 'emergency' => [ + 'path' => '/tmp/logs/laravel/laravel.log', + ], + ], + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/mail.php b/appsec/tests/integration/src/test/www/laravel8x/config/mail.php new file mode 100644 index 00000000000..f96c6c7c355 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/mail.php @@ -0,0 +1,118 @@ + env('MAIL_MAILER', 'smtp'), + + /* + |-------------------------------------------------------------------------- + | Mailer Configurations + |-------------------------------------------------------------------------- + | + | Here you may configure all of the mailers used by your application plus + | their respective settings. Several examples have been configured for + | you and you are free to add your own as your application requires. + | + | Laravel supports a variety of mail "transport" drivers to be used while + | sending an e-mail. You will specify which one you are using for your + | mailers below. You are free to add additional mailers as required. + | + | Supported: "smtp", "sendmail", "mailgun", "ses", + | "postmark", "log", "array", "failover" + | + */ + + 'mailers' => [ + 'smtp' => [ + 'transport' => 'smtp', + 'host' => env('MAIL_HOST', 'smtp.mailgun.org'), + 'port' => env('MAIL_PORT', 587), + 'encryption' => env('MAIL_ENCRYPTION', 'tls'), + 'username' => env('MAIL_USERNAME'), + 'password' => env('MAIL_PASSWORD'), + 'timeout' => null, + 'auth_mode' => null, + ], + + 'ses' => [ + 'transport' => 'ses', + ], + + 'mailgun' => [ + 'transport' => 'mailgun', + ], + + 'postmark' => [ + 'transport' => 'postmark', + ], + + 'sendmail' => [ + 'transport' => 'sendmail', + 'path' => env('MAIL_SENDMAIL_PATH', '/usr/sbin/sendmail -t -i'), + ], + + 'log' => [ + 'transport' => 'log', + 'channel' => env('MAIL_LOG_CHANNEL'), + ], + + 'array' => [ + 'transport' => 'array', + ], + + 'failover' => [ + 'transport' => 'failover', + 'mailers' => [ + 'smtp', + 'log', + ], + ], + ], + + /* + |-------------------------------------------------------------------------- + | Global "From" Address + |-------------------------------------------------------------------------- + | + | You may wish for all e-mails sent by your application to be sent from + | the same address. Here, you may specify a name and address that is + | used globally for all e-mails that are sent by your application. + | + */ + + 'from' => [ + 'address' => env('MAIL_FROM_ADDRESS', 'hello@example.com'), + 'name' => env('MAIL_FROM_NAME', 'Example'), + ], + + /* + |-------------------------------------------------------------------------- + | Markdown Mail Settings + |-------------------------------------------------------------------------- + | + | If you are using Markdown based email rendering, you may configure your + | theme and component paths here, allowing you to customize the design + | of the emails. Or, you may simply stick with the Laravel defaults! + | + */ + + 'markdown' => [ + 'theme' => 'default', + + 'paths' => [ + resource_path('views/vendor/mail'), + ], + ], + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/queue.php b/appsec/tests/integration/src/test/www/laravel8x/config/queue.php new file mode 100644 index 00000000000..25ea5a81935 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/queue.php @@ -0,0 +1,93 @@ + env('QUEUE_CONNECTION', 'sync'), + + /* + |-------------------------------------------------------------------------- + | Queue Connections + |-------------------------------------------------------------------------- + | + | Here you may configure the connection information for each server that + | is used by your application. A default configuration has been added + | for each back-end shipped with Laravel. You are free to add more. + | + | Drivers: "sync", "database", "beanstalkd", "sqs", "redis", "null" + | + */ + + 'connections' => [ + + 'sync' => [ + 'driver' => 'sync', + ], + + 'database' => [ + 'driver' => 'database', + 'table' => 'jobs', + 'queue' => 'default', + 'retry_after' => 90, + 'after_commit' => false, + ], + + 'beanstalkd' => [ + 'driver' => 'beanstalkd', + 'host' => 'localhost', + 'queue' => 'default', + 'retry_after' => 90, + 'block_for' => 0, + 'after_commit' => false, + ], + + 'sqs' => [ + 'driver' => 'sqs', + 'key' => env('AWS_ACCESS_KEY_ID'), + 'secret' => env('AWS_SECRET_ACCESS_KEY'), + 'prefix' => env('SQS_PREFIX', 'https://sqs.us-east-1.amazonaws.com/your-account-id'), + 'queue' => env('SQS_QUEUE', 'default'), + 'suffix' => env('SQS_SUFFIX'), + 'region' => env('AWS_DEFAULT_REGION', 'us-east-1'), + 'after_commit' => false, + ], + + 'redis' => [ + 'driver' => 'redis', + 'connection' => 'default', + 'queue' => env('REDIS_QUEUE', 'default'), + 'retry_after' => 90, + 'block_for' => null, + 'after_commit' => false, + ], + + ], + + /* + |-------------------------------------------------------------------------- + | Failed Queue Jobs + |-------------------------------------------------------------------------- + | + | These options configure the behavior of failed queue job logging so you + | can control which database and table are used to store the jobs that + | have failed. You may change them to any database / table you wish. + | + */ + + 'failed' => [ + 'driver' => env('QUEUE_FAILED_DRIVER', 'database-uuids'), + 'database' => env('DB_CONNECTION', 'mysql'), + 'table' => 'failed_jobs', + ], + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/sanctum.php b/appsec/tests/integration/src/test/www/laravel8x/config/sanctum.php new file mode 100644 index 00000000000..9281c92db06 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/sanctum.php @@ -0,0 +1,65 @@ + explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf( + '%s%s', + 'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1', + env('APP_URL') ? ','.parse_url(env('APP_URL'), PHP_URL_HOST) : '' + ))), + + /* + |-------------------------------------------------------------------------- + | Sanctum Guards + |-------------------------------------------------------------------------- + | + | This array contains the authentication guards that will be checked when + | Sanctum is trying to authenticate a request. If none of these guards + | are able to authenticate the request, Sanctum will use the bearer + | token that's present on an incoming request for authentication. + | + */ + + 'guard' => ['web'], + + /* + |-------------------------------------------------------------------------- + | Expiration Minutes + |-------------------------------------------------------------------------- + | + | This value controls the number of minutes until an issued token will be + | considered expired. If this value is null, personal access tokens do + | not expire. This won't tweak the lifetime of first-party sessions. + | + */ + + 'expiration' => null, + + /* + |-------------------------------------------------------------------------- + | Sanctum Middleware + |-------------------------------------------------------------------------- + | + | When authenticating your first-party SPA with Sanctum you may need to + | customize some of the middleware Sanctum uses while processing the + | request. You may change the middleware listed below as required. + | + */ + + 'middleware' => [ + 'verify_csrf_token' => App\Http\Middleware\VerifyCsrfToken::class, + 'encrypt_cookies' => App\Http\Middleware\EncryptCookies::class, + ], + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/services.php b/appsec/tests/integration/src/test/www/laravel8x/config/services.php new file mode 100644 index 00000000000..2a1d616c774 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/services.php @@ -0,0 +1,33 @@ + [ + 'domain' => env('MAILGUN_DOMAIN'), + 'secret' => env('MAILGUN_SECRET'), + 'endpoint' => env('MAILGUN_ENDPOINT', 'api.mailgun.net'), + ], + + 'postmark' => [ + 'token' => env('POSTMARK_TOKEN'), + ], + + 'ses' => [ + 'key' => env('AWS_ACCESS_KEY_ID'), + 'secret' => env('AWS_SECRET_ACCESS_KEY'), + 'region' => env('AWS_DEFAULT_REGION', 'us-east-1'), + ], + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/session.php b/appsec/tests/integration/src/test/www/laravel8x/config/session.php new file mode 100644 index 00000000000..ac0802b19cc --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/session.php @@ -0,0 +1,201 @@ + env('SESSION_DRIVER', 'file'), + + /* + |-------------------------------------------------------------------------- + | Session Lifetime + |-------------------------------------------------------------------------- + | + | Here you may specify the number of minutes that you wish the session + | to be allowed to remain idle before it expires. If you want them + | to immediately expire on the browser closing, set that option. + | + */ + + 'lifetime' => env('SESSION_LIFETIME', 120), + + 'expire_on_close' => false, + + /* + |-------------------------------------------------------------------------- + | Session Encryption + |-------------------------------------------------------------------------- + | + | This option allows you to easily specify that all of your session data + | should be encrypted before it is stored. All encryption will be run + | automatically by Laravel and you can use the Session like normal. + | + */ + + 'encrypt' => false, + + /* + |-------------------------------------------------------------------------- + | Session File Location + |-------------------------------------------------------------------------- + | + | When using the native session driver, we need a location where session + | files may be stored. A default has been set for you but a different + | location may be specified. This is only needed for file sessions. + | + */ + + 'files' => storage_path('framework/sessions'), + + /* + |-------------------------------------------------------------------------- + | Session Database Connection + |-------------------------------------------------------------------------- + | + | When using the "database" or "redis" session drivers, you may specify a + | connection that should be used to manage these sessions. This should + | correspond to a connection in your database configuration options. + | + */ + + 'connection' => env('SESSION_CONNECTION', null), + + /* + |-------------------------------------------------------------------------- + | Session Database Table + |-------------------------------------------------------------------------- + | + | When using the "database" session driver, you may specify the table we + | should use to manage the sessions. Of course, a sensible default is + | provided for you; however, you are free to change this as needed. + | + */ + + 'table' => 'sessions', + + /* + |-------------------------------------------------------------------------- + | Session Cache Store + |-------------------------------------------------------------------------- + | + | While using one of the framework's cache driven session backends you may + | list a cache store that should be used for these sessions. This value + | must match with one of the application's configured cache "stores". + | + | Affects: "apc", "dynamodb", "memcached", "redis" + | + */ + + 'store' => env('SESSION_STORE', null), + + /* + |-------------------------------------------------------------------------- + | Session Sweeping Lottery + |-------------------------------------------------------------------------- + | + | Some session drivers must manually sweep their storage location to get + | rid of old sessions from storage. Here are the chances that it will + | happen on a given request. By default, the odds are 2 out of 100. + | + */ + + 'lottery' => [2, 100], + + /* + |-------------------------------------------------------------------------- + | Session Cookie Name + |-------------------------------------------------------------------------- + | + | Here you may change the name of the cookie used to identify a session + | instance by ID. The name specified here will get used every time a + | new session cookie is created by the framework for every driver. + | + */ + + 'cookie' => env( + 'SESSION_COOKIE', + Str::slug(env('APP_NAME', 'laravel'), '_').'_session' + ), + + /* + |-------------------------------------------------------------------------- + | Session Cookie Path + |-------------------------------------------------------------------------- + | + | The session cookie path determines the path for which the cookie will + | be regarded as available. Typically, this will be the root path of + | your application but you are free to change this when necessary. + | + */ + + 'path' => '/', + + /* + |-------------------------------------------------------------------------- + | Session Cookie Domain + |-------------------------------------------------------------------------- + | + | Here you may change the domain of the cookie used to identify a session + | in your application. This will determine which domains the cookie is + | available to in your application. A sensible default has been set. + | + */ + + 'domain' => env('SESSION_DOMAIN', null), + + /* + |-------------------------------------------------------------------------- + | HTTPS Only Cookies + |-------------------------------------------------------------------------- + | + | By setting this option to true, session cookies will only be sent back + | to the server if the browser has a HTTPS connection. This will keep + | the cookie from being sent to you when it can't be done securely. + | + */ + + 'secure' => env('SESSION_SECURE_COOKIE'), + + /* + |-------------------------------------------------------------------------- + | HTTP Access Only + |-------------------------------------------------------------------------- + | + | Setting this value to true will prevent JavaScript from accessing the + | value of the cookie and the cookie will only be accessible through + | the HTTP protocol. You are free to modify this option if needed. + | + */ + + 'http_only' => true, + + /* + |-------------------------------------------------------------------------- + | Same-Site Cookies + |-------------------------------------------------------------------------- + | + | This option determines how your cookies behave when cross-site requests + | take place, and can be used to mitigate CSRF attacks. By default, we + | will set this value to "lax" since this is a secure default value. + | + | Supported: "lax", "strict", "none", null + | + */ + + 'same_site' => 'lax', + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/config/view.php b/appsec/tests/integration/src/test/www/laravel8x/config/view.php new file mode 100644 index 00000000000..22b8a18d325 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/config/view.php @@ -0,0 +1,36 @@ + [ + resource_path('views'), + ], + + /* + |-------------------------------------------------------------------------- + | Compiled View Path + |-------------------------------------------------------------------------- + | + | This option determines where all the compiled Blade templates will be + | stored for your application. Typically, this is within the storage + | directory. However, as usual, you are free to change this value. + | + */ + + 'compiled' => env( + 'VIEW_COMPILED_PATH', + realpath(storage_path('framework/views')) + ), + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/database/.gitignore b/appsec/tests/integration/src/test/www/laravel8x/database/.gitignore new file mode 100644 index 00000000000..9b19b93c9f1 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/database/.gitignore @@ -0,0 +1 @@ +*.sqlite* diff --git a/appsec/tests/integration/src/test/www/laravel8x/database/factories/UserFactory.php b/appsec/tests/integration/src/test/www/laravel8x/database/factories/UserFactory.php new file mode 100644 index 00000000000..a3eb239a946 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/database/factories/UserFactory.php @@ -0,0 +1,39 @@ + $this->faker->name(), + 'email' => $this->faker->unique()->safeEmail(), + 'email_verified_at' => now(), + 'password' => '$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi', // password + 'remember_token' => Str::random(10), + ]; + } + + /** + * Indicate that the model's email address should be unverified. + * + * @return \Illuminate\Database\Eloquent\Factories\Factory + */ + public function unverified() + { + return $this->state(function (array $attributes) { + return [ + 'email_verified_at' => null, + ]; + }); + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/database/migrations/2014_10_12_000000_create_users_table.php b/appsec/tests/integration/src/test/www/laravel8x/database/migrations/2014_10_12_000000_create_users_table.php new file mode 100644 index 00000000000..621a24eb734 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/database/migrations/2014_10_12_000000_create_users_table.php @@ -0,0 +1,36 @@ +id(); + $table->string('name'); + $table->string('email')->unique(); + $table->timestamp('email_verified_at')->nullable(); + $table->string('password'); + $table->rememberToken(); + $table->timestamps(); + }); + } + + /** + * Reverse the migrations. + * + * @return void + */ + public function down() + { + Schema::dropIfExists('users'); + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/database/migrations/2014_10_12_100000_create_password_resets_table.php b/appsec/tests/integration/src/test/www/laravel8x/database/migrations/2014_10_12_100000_create_password_resets_table.php new file mode 100644 index 00000000000..0ee0a36a4f8 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/database/migrations/2014_10_12_100000_create_password_resets_table.php @@ -0,0 +1,32 @@ +string('email')->index(); + $table->string('token'); + $table->timestamp('created_at')->nullable(); + }); + } + + /** + * Reverse the migrations. + * + * @return void + */ + public function down() + { + Schema::dropIfExists('password_resets'); + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/database/migrations/2019_08_19_000000_create_failed_jobs_table.php b/appsec/tests/integration/src/test/www/laravel8x/database/migrations/2019_08_19_000000_create_failed_jobs_table.php new file mode 100644 index 00000000000..6aa6d743e9c --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/database/migrations/2019_08_19_000000_create_failed_jobs_table.php @@ -0,0 +1,36 @@ +id(); + $table->string('uuid')->unique(); + $table->text('connection'); + $table->text('queue'); + $table->longText('payload'); + $table->longText('exception'); + $table->timestamp('failed_at')->useCurrent(); + }); + } + + /** + * Reverse the migrations. + * + * @return void + */ + public function down() + { + Schema::dropIfExists('failed_jobs'); + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/database/migrations/2019_12_14_000001_create_personal_access_tokens_table.php b/appsec/tests/integration/src/test/www/laravel8x/database/migrations/2019_12_14_000001_create_personal_access_tokens_table.php new file mode 100644 index 00000000000..4315e16a85a --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/database/migrations/2019_12_14_000001_create_personal_access_tokens_table.php @@ -0,0 +1,36 @@ +id(); + $table->morphs('tokenable'); + $table->string('name'); + $table->string('token', 64)->unique(); + $table->text('abilities')->nullable(); + $table->timestamp('last_used_at')->nullable(); + $table->timestamps(); + }); + } + + /** + * Reverse the migrations. + * + * @return void + */ + public function down() + { + Schema::dropIfExists('personal_access_tokens'); + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/database/seeders/DatabaseSeeder.php b/appsec/tests/integration/src/test/www/laravel8x/database/seeders/DatabaseSeeder.php new file mode 100644 index 00000000000..f67b8694166 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/database/seeders/DatabaseSeeder.php @@ -0,0 +1,24 @@ +insert([ + 'name' => 'ciuser', + 'email' => 'ciuser@example.com', + 'password' => Hash::make('password'), + ]); + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/initialize.sh b/appsec/tests/integration/src/test/www/laravel8x/initialize.sh new file mode 100755 index 00000000000..778669352a9 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/initialize.sh @@ -0,0 +1,17 @@ +#!/bin/bash -e + +cd /var/www + +composer install --no-dev +chown -R www-data.www-data vendor + +cp .env.example .env +php artisan key:generate +php artisan config:cache +touch /tmp/database.sqlite +php artisan migrate +php artisan db:seed +chown www-data.www-data /tmp/database.sqlite +chown -R www-data.www-data /var/www/storage +mkdir -p /tmp/logs/laravel +chown www-data.www-data /tmp/logs/laravel diff --git a/appsec/tests/integration/src/test/www/laravel8x/package.json b/appsec/tests/integration/src/test/www/laravel8x/package.json new file mode 100644 index 00000000000..00c6506709b --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/package.json @@ -0,0 +1,18 @@ +{ + "private": true, + "scripts": { + "dev": "npm run development", + "development": "mix", + "watch": "mix watch", + "watch-poll": "mix watch -- --watch-options-poll=1000", + "hot": "mix watch --hot", + "prod": "npm run production", + "production": "mix --production" + }, + "devDependencies": { + "axios": "^0.21", + "laravel-mix": "^6.0.6", + "lodash": "^4.17.19", + "postcss": "^8.1.14" + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/phpunit.xml b/appsec/tests/integration/src/test/www/laravel8x/phpunit.xml new file mode 100644 index 00000000000..4ae4d979d1e --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/phpunit.xml @@ -0,0 +1,31 @@ + + + + + ./tests/Unit + + + ./tests/Feature + + + + + ./app + + + + + + + + + + + + + + diff --git a/appsec/tests/integration/src/test/www/laravel8x/public/.htaccess b/appsec/tests/integration/src/test/www/laravel8x/public/.htaccess new file mode 100644 index 00000000000..3aec5e27e5d --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/public/.htaccess @@ -0,0 +1,21 @@ + + + Options -MultiViews -Indexes + + + RewriteEngine On + + # Handle Authorization Header + RewriteCond %{HTTP:Authorization} . + RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] + + # Redirect Trailing Slashes If Not A Folder... + RewriteCond %{REQUEST_FILENAME} !-d + RewriteCond %{REQUEST_URI} (.+)/$ + RewriteRule ^ %1 [L,R=301] + + # Send Requests To Front Controller... + RewriteCond %{REQUEST_FILENAME} !-d + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule ^ index.php [L] + diff --git a/appsec/tests/integration/src/test/www/laravel8x/public/favicon.ico b/appsec/tests/integration/src/test/www/laravel8x/public/favicon.ico new file mode 100644 index 00000000000..e69de29bb2d diff --git a/appsec/tests/integration/src/test/www/laravel8x/public/index.php b/appsec/tests/integration/src/test/www/laravel8x/public/index.php new file mode 100644 index 00000000000..1d69f3a2890 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/public/index.php @@ -0,0 +1,55 @@ +make(Kernel::class); + +$response = $kernel->handle( + $request = Request::capture() +)->send(); + +$kernel->terminate($request, $response); diff --git a/appsec/tests/integration/src/test/www/laravel8x/public/robots.txt b/appsec/tests/integration/src/test/www/laravel8x/public/robots.txt new file mode 100644 index 00000000000..eb0536286f3 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/public/robots.txt @@ -0,0 +1,2 @@ +User-agent: * +Disallow: diff --git a/appsec/tests/integration/src/test/www/laravel8x/resources/css/app.css b/appsec/tests/integration/src/test/www/laravel8x/resources/css/app.css new file mode 100644 index 00000000000..e69de29bb2d diff --git a/appsec/tests/integration/src/test/www/laravel8x/resources/js/app.js b/appsec/tests/integration/src/test/www/laravel8x/resources/js/app.js new file mode 100644 index 00000000000..40c55f65c25 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/resources/js/app.js @@ -0,0 +1 @@ +require('./bootstrap'); diff --git a/appsec/tests/integration/src/test/www/laravel8x/resources/js/bootstrap.js b/appsec/tests/integration/src/test/www/laravel8x/resources/js/bootstrap.js new file mode 100644 index 00000000000..6922577695e --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/resources/js/bootstrap.js @@ -0,0 +1,28 @@ +window._ = require('lodash'); + +/** + * We'll load the axios HTTP library which allows us to easily issue requests + * to our Laravel back-end. This library automatically handles sending the + * CSRF token as a header based on the value of the "XSRF" token cookie. + */ + +window.axios = require('axios'); + +window.axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest'; + +/** + * Echo exposes an expressive API for subscribing to channels and listening + * for events that are broadcast by Laravel. Echo and event broadcasting + * allows your team to easily build robust real-time web applications. + */ + +// import Echo from 'laravel-echo'; + +// window.Pusher = require('pusher-js'); + +// window.Echo = new Echo({ +// broadcaster: 'pusher', +// key: process.env.MIX_PUSHER_APP_KEY, +// cluster: process.env.MIX_PUSHER_APP_CLUSTER, +// forceTLS: true +// }); diff --git a/appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/auth.php b/appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/auth.php new file mode 100644 index 00000000000..6598e2c0607 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/auth.php @@ -0,0 +1,20 @@ + 'These credentials do not match our records.', + 'password' => 'The provided password is incorrect.', + 'throttle' => 'Too many login attempts. Please try again in :seconds seconds.', + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/pagination.php b/appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/pagination.php new file mode 100644 index 00000000000..d4814118778 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/pagination.php @@ -0,0 +1,19 @@ + '« Previous', + 'next' => 'Next »', + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/passwords.php b/appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/passwords.php new file mode 100644 index 00000000000..2345a56b5a6 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/passwords.php @@ -0,0 +1,22 @@ + 'Your password has been reset!', + 'sent' => 'We have emailed your password reset link!', + 'throttled' => 'Please wait before retrying.', + 'token' => 'This password reset token is invalid.', + 'user' => "We can't find a user with that email address.", + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/validation.php b/appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/validation.php new file mode 100644 index 00000000000..783003cfcca --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/resources/lang/en/validation.php @@ -0,0 +1,163 @@ + 'The :attribute must be accepted.', + 'accepted_if' => 'The :attribute must be accepted when :other is :value.', + 'active_url' => 'The :attribute is not a valid URL.', + 'after' => 'The :attribute must be a date after :date.', + 'after_or_equal' => 'The :attribute must be a date after or equal to :date.', + 'alpha' => 'The :attribute must only contain letters.', + 'alpha_dash' => 'The :attribute must only contain letters, numbers, dashes and underscores.', + 'alpha_num' => 'The :attribute must only contain letters and numbers.', + 'array' => 'The :attribute must be an array.', + 'before' => 'The :attribute must be a date before :date.', + 'before_or_equal' => 'The :attribute must be a date before or equal to :date.', + 'between' => [ + 'numeric' => 'The :attribute must be between :min and :max.', + 'file' => 'The :attribute must be between :min and :max kilobytes.', + 'string' => 'The :attribute must be between :min and :max characters.', + 'array' => 'The :attribute must have between :min and :max items.', + ], + 'boolean' => 'The :attribute field must be true or false.', + 'confirmed' => 'The :attribute confirmation does not match.', + 'current_password' => 'The password is incorrect.', + 'date' => 'The :attribute is not a valid date.', + 'date_equals' => 'The :attribute must be a date equal to :date.', + 'date_format' => 'The :attribute does not match the format :format.', + 'declined' => 'The :attribute must be declined.', + 'declined_if' => 'The :attribute must be declined when :other is :value.', + 'different' => 'The :attribute and :other must be different.', + 'digits' => 'The :attribute must be :digits digits.', + 'digits_between' => 'The :attribute must be between :min and :max digits.', + 'dimensions' => 'The :attribute has invalid image dimensions.', + 'distinct' => 'The :attribute field has a duplicate value.', + 'email' => 'The :attribute must be a valid email address.', + 'ends_with' => 'The :attribute must end with one of the following: :values.', + 'enum' => 'The selected :attribute is invalid.', + 'exists' => 'The selected :attribute is invalid.', + 'file' => 'The :attribute must be a file.', + 'filled' => 'The :attribute field must have a value.', + 'gt' => [ + 'numeric' => 'The :attribute must be greater than :value.', + 'file' => 'The :attribute must be greater than :value kilobytes.', + 'string' => 'The :attribute must be greater than :value characters.', + 'array' => 'The :attribute must have more than :value items.', + ], + 'gte' => [ + 'numeric' => 'The :attribute must be greater than or equal to :value.', + 'file' => 'The :attribute must be greater than or equal to :value kilobytes.', + 'string' => 'The :attribute must be greater than or equal to :value characters.', + 'array' => 'The :attribute must have :value items or more.', + ], + 'image' => 'The :attribute must be an image.', + 'in' => 'The selected :attribute is invalid.', + 'in_array' => 'The :attribute field does not exist in :other.', + 'integer' => 'The :attribute must be an integer.', + 'ip' => 'The :attribute must be a valid IP address.', + 'ipv4' => 'The :attribute must be a valid IPv4 address.', + 'ipv6' => 'The :attribute must be a valid IPv6 address.', + 'json' => 'The :attribute must be a valid JSON string.', + 'lt' => [ + 'numeric' => 'The :attribute must be less than :value.', + 'file' => 'The :attribute must be less than :value kilobytes.', + 'string' => 'The :attribute must be less than :value characters.', + 'array' => 'The :attribute must have less than :value items.', + ], + 'lte' => [ + 'numeric' => 'The :attribute must be less than or equal to :value.', + 'file' => 'The :attribute must be less than or equal to :value kilobytes.', + 'string' => 'The :attribute must be less than or equal to :value characters.', + 'array' => 'The :attribute must not have more than :value items.', + ], + 'mac_address' => 'The :attribute must be a valid MAC address.', + 'max' => [ + 'numeric' => 'The :attribute must not be greater than :max.', + 'file' => 'The :attribute must not be greater than :max kilobytes.', + 'string' => 'The :attribute must not be greater than :max characters.', + 'array' => 'The :attribute must not have more than :max items.', + ], + 'mimes' => 'The :attribute must be a file of type: :values.', + 'mimetypes' => 'The :attribute must be a file of type: :values.', + 'min' => [ + 'numeric' => 'The :attribute must be at least :min.', + 'file' => 'The :attribute must be at least :min kilobytes.', + 'string' => 'The :attribute must be at least :min characters.', + 'array' => 'The :attribute must have at least :min items.', + ], + 'multiple_of' => 'The :attribute must be a multiple of :value.', + 'not_in' => 'The selected :attribute is invalid.', + 'not_regex' => 'The :attribute format is invalid.', + 'numeric' => 'The :attribute must be a number.', + 'password' => 'The password is incorrect.', + 'present' => 'The :attribute field must be present.', + 'prohibited' => 'The :attribute field is prohibited.', + 'prohibited_if' => 'The :attribute field is prohibited when :other is :value.', + 'prohibited_unless' => 'The :attribute field is prohibited unless :other is in :values.', + 'prohibits' => 'The :attribute field prohibits :other from being present.', + 'regex' => 'The :attribute format is invalid.', + 'required' => 'The :attribute field is required.', + 'required_array_keys' => 'The :attribute field must contain entries for: :values.', + 'required_if' => 'The :attribute field is required when :other is :value.', + 'required_unless' => 'The :attribute field is required unless :other is in :values.', + 'required_with' => 'The :attribute field is required when :values is present.', + 'required_with_all' => 'The :attribute field is required when :values are present.', + 'required_without' => 'The :attribute field is required when :values is not present.', + 'required_without_all' => 'The :attribute field is required when none of :values are present.', + 'same' => 'The :attribute and :other must match.', + 'size' => [ + 'numeric' => 'The :attribute must be :size.', + 'file' => 'The :attribute must be :size kilobytes.', + 'string' => 'The :attribute must be :size characters.', + 'array' => 'The :attribute must contain :size items.', + ], + 'starts_with' => 'The :attribute must start with one of the following: :values.', + 'string' => 'The :attribute must be a string.', + 'timezone' => 'The :attribute must be a valid timezone.', + 'unique' => 'The :attribute has already been taken.', + 'uploaded' => 'The :attribute failed to upload.', + 'url' => 'The :attribute must be a valid URL.', + 'uuid' => 'The :attribute must be a valid UUID.', + + /* + |-------------------------------------------------------------------------- + | Custom Validation Language Lines + |-------------------------------------------------------------------------- + | + | Here you may specify custom validation messages for attributes using the + | convention "attribute.rule" to name the lines. This makes it quick to + | specify a specific custom language line for a given attribute rule. + | + */ + + 'custom' => [ + 'attribute-name' => [ + 'rule-name' => 'custom-message', + ], + ], + + /* + |-------------------------------------------------------------------------- + | Custom Validation Attributes + |-------------------------------------------------------------------------- + | + | The following language lines are used to swap our attribute placeholder + | with something more reader friendly such as "E-Mail Address" instead + | of "email". This simply helps us make our message more expressive. + | + */ + + 'attributes' => [], + +]; diff --git a/appsec/tests/integration/src/test/www/laravel8x/resources/views/welcome.blade.php b/appsec/tests/integration/src/test/www/laravel8x/resources/views/welcome.blade.php new file mode 100644 index 00000000000..dd6a45db766 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/resources/views/welcome.blade.php @@ -0,0 +1,132 @@ + + + + + + + Laravel + + + + + + + + + + +
+ @if (Route::has('login')) + + @endif + +
+
+ + + + + +
+ +
+
+
+
+ +
Documentation
+
+ +
+
+ Laravel has wonderful, thorough documentation covering every aspect of the framework. Whether you are new to the framework or have previous experience with Laravel, we recommend reading all of the documentation from beginning to end. +
+
+
+ +
+
+ +
Laracasts
+
+ +
+
+ Laracasts offers thousands of video tutorials on Laravel, PHP, and JavaScript development. Check them out, see for yourself, and massively level up your development skills in the process. +
+
+
+ +
+
+ +
Laravel News
+
+ +
+
+ Laravel News is a community driven portal and newsletter aggregating all of the latest and most important news in the Laravel ecosystem, including new package releases and tutorials. +
+
+
+ +
+
+ +
Vibrant Ecosystem
+
+ +
+
+ Laravel's robust library of first-party tools and libraries, such as Forge, Vapor, Nova, and Envoyer help you take your projects to the next level. Pair them with powerful open source libraries like Cashier, Dusk, Echo, Horizon, Sanctum, Telescope, and more. +
+
+
+
+
+ +
+
+
+ + + + + + Shop + + + + + + + + Sponsor + +
+
+ +
+ Laravel v{{ Illuminate\Foundation\Application::VERSION }} (PHP v{{ PHP_VERSION }}) +
+
+
+
+ + diff --git a/appsec/tests/integration/src/test/www/laravel8x/routes/api.php b/appsec/tests/integration/src/test/www/laravel8x/routes/api.php new file mode 100644 index 00000000000..eb6fa48c25d --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/routes/api.php @@ -0,0 +1,19 @@ +get('/user', function (Request $request) { + return $request->user(); +}); diff --git a/appsec/tests/integration/src/test/www/laravel8x/routes/channels.php b/appsec/tests/integration/src/test/www/laravel8x/routes/channels.php new file mode 100644 index 00000000000..5d451e1fae8 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/routes/channels.php @@ -0,0 +1,18 @@ +id === (int) $id; +}); diff --git a/appsec/tests/integration/src/test/www/laravel8x/routes/console.php b/appsec/tests/integration/src/test/www/laravel8x/routes/console.php new file mode 100644 index 00000000000..e05f4c9a1b2 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/routes/console.php @@ -0,0 +1,19 @@ +comment(Inspiring::quote()); +})->purpose('Display an inspiring quote'); diff --git a/appsec/tests/integration/src/test/www/laravel8x/routes/web.php b/appsec/tests/integration/src/test/www/laravel8x/routes/web.php new file mode 100644 index 00000000000..618f8113c9b --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/routes/web.php @@ -0,0 +1,22 @@ + + */ + +$uri = urldecode( + parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?? '' +); + +// This file allows us to emulate Apache's "mod_rewrite" functionality from the +// built-in PHP web server. This provides a convenient way to test a Laravel +// application without having installed a "real" web server software here. +if ($uri !== '/' && file_exists(__DIR__.'/public'.$uri)) { + return false; +} + +require_once __DIR__.'/public/index.php'; diff --git a/appsec/tests/integration/src/test/www/laravel8x/storage/app/.gitignore b/appsec/tests/integration/src/test/www/laravel8x/storage/app/.gitignore new file mode 100644 index 00000000000..ea2338ad8c2 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/storage/app/.gitignore @@ -0,0 +1,3 @@ +public +!public/ +!.gitignore diff --git a/appsec/tests/integration/src/test/www/laravel8x/storage/app/public/.gitignore b/appsec/tests/integration/src/test/www/laravel8x/storage/app/public/.gitignore new file mode 100644 index 00000000000..c1aefd2012c --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/storage/app/public/.gitignore @@ -0,0 +1,2 @@ +.gitignore +!.gitignore diff --git a/appsec/tests/integration/src/test/www/laravel8x/storage/framework/.gitignore b/appsec/tests/integration/src/test/www/laravel8x/storage/framework/.gitignore new file mode 100644 index 00000000000..05c4471f2b5 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/storage/framework/.gitignore @@ -0,0 +1,9 @@ +compiled.php +config.php +down +events.scanned.php +maintenance.php +routes.php +routes.scanned.php +schedule-* +services.json diff --git a/appsec/tests/integration/src/test/www/laravel8x/storage/framework/cache/.gitignore b/appsec/tests/integration/src/test/www/laravel8x/storage/framework/cache/.gitignore new file mode 100644 index 00000000000..08b0ba6048c --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/storage/framework/cache/.gitignore @@ -0,0 +1,3 @@ +data +!data/ +!.gitignore diff --git a/appsec/tests/integration/src/test/www/laravel8x/storage/framework/cache/data/.gitignore b/appsec/tests/integration/src/test/www/laravel8x/storage/framework/cache/data/.gitignore new file mode 100644 index 00000000000..c1aefd2012c --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/storage/framework/cache/data/.gitignore @@ -0,0 +1,2 @@ +.gitignore +!.gitignore diff --git a/appsec/tests/integration/src/test/www/laravel8x/storage/framework/sessions/.gitignore b/appsec/tests/integration/src/test/www/laravel8x/storage/framework/sessions/.gitignore new file mode 100644 index 00000000000..c1aefd2012c --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/storage/framework/sessions/.gitignore @@ -0,0 +1,2 @@ +.gitignore +!.gitignore diff --git a/appsec/tests/integration/src/test/www/laravel8x/storage/framework/testing/.gitignore b/appsec/tests/integration/src/test/www/laravel8x/storage/framework/testing/.gitignore new file mode 100644 index 00000000000..c1aefd2012c --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/storage/framework/testing/.gitignore @@ -0,0 +1,2 @@ +.gitignore +!.gitignore diff --git a/appsec/tests/integration/src/test/www/laravel8x/storage/framework/views/.gitignore b/appsec/tests/integration/src/test/www/laravel8x/storage/framework/views/.gitignore new file mode 100644 index 00000000000..c1aefd2012c --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/storage/framework/views/.gitignore @@ -0,0 +1,2 @@ +.gitignore +!.gitignore diff --git a/appsec/tests/integration/src/test/www/laravel8x/storage/logs/.gitignore b/appsec/tests/integration/src/test/www/laravel8x/storage/logs/.gitignore new file mode 100644 index 00000000000..c1aefd2012c --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/storage/logs/.gitignore @@ -0,0 +1,2 @@ +.gitignore +!.gitignore diff --git a/appsec/tests/integration/src/test/www/laravel8x/tests/CreatesApplication.php b/appsec/tests/integration/src/test/www/laravel8x/tests/CreatesApplication.php new file mode 100644 index 00000000000..547152f6a93 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/tests/CreatesApplication.php @@ -0,0 +1,22 @@ +make(Kernel::class)->bootstrap(); + + return $app; + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/tests/Feature/ExampleTest.php b/appsec/tests/integration/src/test/www/laravel8x/tests/Feature/ExampleTest.php new file mode 100644 index 00000000000..4ae02bc5172 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/tests/Feature/ExampleTest.php @@ -0,0 +1,21 @@ +get('/'); + + $response->assertStatus(200); + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/tests/TestCase.php b/appsec/tests/integration/src/test/www/laravel8x/tests/TestCase.php new file mode 100644 index 00000000000..2932d4a69d6 --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/tests/TestCase.php @@ -0,0 +1,10 @@ +assertTrue(true); + } +} diff --git a/appsec/tests/integration/src/test/www/laravel8x/webpack.mix.js b/appsec/tests/integration/src/test/www/laravel8x/webpack.mix.js new file mode 100644 index 00000000000..2a22dc1206a --- /dev/null +++ b/appsec/tests/integration/src/test/www/laravel8x/webpack.mix.js @@ -0,0 +1,17 @@ +const mix = require('laravel-mix'); + +/* + |-------------------------------------------------------------------------- + | Mix Asset Management + |-------------------------------------------------------------------------- + | + | Mix provides a clean, fluent API for defining some Webpack build steps + | for your Laravel applications. By default, we are compiling the CSS + | file for the application as well as bundling up all the JS files. + | + */ + +mix.js('resources/js/app.js', 'public/js') + .postCss('resources/css/app.css', 'public/css', [ + // + ]); diff --git a/appsec/tests/integration/src/test/www/roadrunner/.gitignore b/appsec/tests/integration/src/test/www/roadrunner/.gitignore new file mode 100644 index 00000000000..7a2da31c01d --- /dev/null +++ b/appsec/tests/integration/src/test/www/roadrunner/.gitignore @@ -0,0 +1,3 @@ +/vendor +/rr +/composer.lock diff --git a/appsec/tests/integration/src/test/www/roadrunner/.rr.yaml b/appsec/tests/integration/src/test/www/roadrunner/.rr.yaml new file mode 100644 index 00000000000..afdef70341d --- /dev/null +++ b/appsec/tests/integration/src/test/www/roadrunner/.rr.yaml @@ -0,0 +1,18 @@ +server: + command: "php worker.php" + +http: + address: 0.0.0.0:80 + middleware: ["gzip"] + pool: + num_workers: 1 + max_jobs: 0 + allocate_timeout: 600s + destroy_timeout: 600s + +logs: + mode: production + level: debug + output: stdout + encoding: console + err_output: stderr diff --git a/appsec/tests/integration/src/test/www/roadrunner/composer.json b/appsec/tests/integration/src/test/www/roadrunner/composer.json new file mode 100644 index 00000000000..04b5e53182a --- /dev/null +++ b/appsec/tests/integration/src/test/www/roadrunner/composer.json @@ -0,0 +1,11 @@ +{ + "require": { + "spiral/roadrunner": "^2.0", + "nyholm/psr7": "^1.0" + }, + "autoload": { + "psr-4": { + "App\\": "src/" + } + } +} diff --git a/appsec/tests/integration/src/test/www/roadrunner/run.sh b/appsec/tests/integration/src/test/www/roadrunner/run.sh new file mode 100755 index 00000000000..a0e886fd77c --- /dev/null +++ b/appsec/tests/integration/src/test/www/roadrunner/run.sh @@ -0,0 +1,22 @@ +#!/bin/bash -e + +set -x + +cd /var/www + +composer install --no-dev +if [[ ! -f rr ]]; then + vendor/bin/rr get-binary +fi + +mkdir -p /tmp/logs/apache2 +LOGS_PHP=(/tmp/logs/appsec.log /tmp/logs/helper.log /tmp/logs/php_error.log /tmp/logs/rr.log) +touch "${LOGS_PHP[@]}" + +enable_extensions.sh +echo datadog.trace.cli_enabled=true >> /etc/php/php.ini + +./rr serve 2>&1 >> /tmp/logs/rr.log & + +tail -f "${LOGS_PHP[@]}" + diff --git a/appsec/tests/integration/src/test/www/roadrunner/src/HomePageHandler.php b/appsec/tests/integration/src/test/www/roadrunner/src/HomePageHandler.php new file mode 100644 index 00000000000..c51f3abb786 --- /dev/null +++ b/appsec/tests/integration/src/test/www/roadrunner/src/HomePageHandler.php @@ -0,0 +1,35 @@ +query['user']) && extension_loaded('ddappsec')) { + \datadog\appsec\track_user_login_success_event($req->query['user'], + [ + 'email' => 'jean.example@example.com', + 'session_id' => '987654321', + 'role' => 'admin' + ]); + } + + $status = 200; + if (isset($req->query['status'])) { + $status = (int) $req->query['status']; + } + return new Response( + $status, + ['Content-Type' => 'text/plain'], + "Hello world!" + ); + } +} diff --git a/appsec/tests/integration/src/test/www/roadrunner/src/Router.php b/appsec/tests/integration/src/test/www/roadrunner/src/Router.php new file mode 100644 index 00000000000..0286afb1738 --- /dev/null +++ b/appsec/tests/integration/src/test/www/roadrunner/src/Router.php @@ -0,0 +1,16 @@ +routes[$path] = $handler; + } + + public function getHandler($path) { + return $this->routes[$path] ?? null; + } +} diff --git a/appsec/tests/integration/src/test/www/roadrunner/worker.php b/appsec/tests/integration/src/test/www/roadrunner/worker.php new file mode 100644 index 00000000000..b3b6154b8fd --- /dev/null +++ b/appsec/tests/integration/src/test/www/roadrunner/worker.php @@ -0,0 +1,41 @@ +addRoute('/', new \App\HomePageHandler()); + +while ($req = $httpWorker->waitRequest()) { + /** @var \Spiral\RoadRunner\Http\Request $req */ + + // propagation for distributing tracing is not supported for Roadrunner, + // so propagate manually x-datadog-trace-id ourselves + if (isset($req->headers['X-Datadog-Trace-Id'])) { + $span = active_span(); + set_distributed_tracing_context($req->headers['X-Datadog-Trace-Id'][0], "0"); + } + try { + $handler = $router->getHandler(parse_url($req->uri, PHP_URL_PATH)); + if (!$handler) { + throw new \RuntimeException('No handler found for ' . parse_url($req->uri, PHP_URL_PATH)); + } + + /** @var \Nyholm\Psr7\Response $resp */ + $resp = $handler->handle($req); + + $httpWorker->respond($resp->getStatusCode(), $resp->getBody()->getContents(), $resp->getHeaders()); + } catch (\Throwable $e) { + $httpWorker->respond(500, "handling threw: " . $e->getMessage(), + ['Content-type' => ['text/plain; charset=UTF-8']]); + } +// \dd_trace_close_all_spans_and_flush(); +} diff --git a/appsec/tests/integration/src/test/www/symfony62/.env b/appsec/tests/integration/src/test/www/symfony62/.env new file mode 100644 index 00000000000..0fb400362eb --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/.env @@ -0,0 +1,29 @@ +# In all environments, the following files are loaded if they exist, +# the latter taking precedence over the former: +# +# * .env contains default values for the environment variables needed by the app +# * .env.local uncommitted file with local overrides +# * .env.$APP_ENV committed environment-specific defaults +# * .env.$APP_ENV.local uncommitted environment-specific overrides +# +# Real environment variables win over .env files. +# +# DO NOT DEFINE PRODUCTION SECRETS IN THIS FILE NOR IN ANY OTHER COMMITTED FILES. +# +# Run "composer dump-env prod" to compile .env files for production use (requires symfony/flex >=1.2). +# https://symfony.com/doc/current/best_practices.html#use-environment-variables-for-infrastructure-configuration + +###> symfony/framework-bundle ### +APP_ENV=dev +APP_SECRET=c8db676eda45ca0ed2cd13c0df87072e +###< symfony/framework-bundle ### + +###> doctrine/doctrine-bundle ### +# Format described at https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#connecting-using-a-url +# IMPORTANT: You MUST configure your server version, either here or in config/packages/doctrine.yaml +# +# DATABASE_URL="sqlite:///%kernel.project_dir%/var/data.db" +# DATABASE_URL="mysql://app:!ChangeMe!@127.0.0.1:3306/app?serverVersion=8.0.32&charset=utf8mb4" +# DATABASE_URL="mysql://app:!ChangeMe!@127.0.0.1:3306/app?serverVersion=10.11.2-MariaDB&charset=utf8mb4" +DATABASE_URL="postgresql://app:!ChangeMe!@127.0.0.1:5432/app?serverVersion=15&charset=utf8" +###< doctrine/doctrine-bundle ### diff --git a/appsec/tests/integration/src/test/www/symfony62/.gitignore b/appsec/tests/integration/src/test/www/symfony62/.gitignore new file mode 100644 index 00000000000..a67f91e25c2 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/.gitignore @@ -0,0 +1,10 @@ + +###> symfony/framework-bundle ### +/.env.local +/.env.local.php +/.env.*.local +/config/secrets/prod/prod.decrypt.private.php +/public/bundles/ +/var/ +/vendor/ +###< symfony/framework-bundle ### diff --git a/appsec/tests/integration/src/test/www/symfony62/Dockerfile b/appsec/tests/integration/src/test/www/symfony62/Dockerfile new file mode 100644 index 00000000000..317aff1db11 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/Dockerfile @@ -0,0 +1,31 @@ +ARG PHP_VERSION +ARG VARIANT +ARG TRACER_VERSION + +FROM dd-appsec-php-apache2-fpm:$PHP_VERSION-$VARIANT-tracer$TRACER_VERSION +ARG TRACER_VERSION + +ADD tests/docker/symfony62/php.ini /etc/php/ +RUN AUTOLOADER_PATH=$(ls /opt/datadog/dd-library/*/dd-trace-sources/bridge/dd_wrap_autoloader.php) ; \ + echo "datadog.trace.request_init_hook=$AUTOLOADER_PATH" >> /etc/php/php.ini +RUN cp /etc/php/php.ini $(php-config --ini-path) + +RUN rm -rf /var/www/html +ADD --chown=www-data:www-data examples/symfony62/ /var/www/html/ + +RUN rm /etc/apache2/sites-available/* +ADD tests/docker/symfony62/php-site.conf /etc/apache2/sites-available/ + +COPY --from=composer:latest /usr/bin/composer /usr/bin/composer + +#Symfony 6.2 +RUN cd /var/www/html/ && php -d memory_limit=-1 /usr/bin/composer install && \ +php bin/console doctrine:database:drop --force && \ +php bin/console doctrine:database:create && \ +php bin/console doctrine:migrations:migrate -n && \ +php bin/console doctrine:fixtures:load -n && \ +chown www-data.www-data var/app.db + +ADD tests/docker/symfony62/entrypoint.sh / + +RUN a2enmod rewrite diff --git a/appsec/tests/integration/src/test/www/symfony62/bin/console b/appsec/tests/integration/src/test/www/symfony62/bin/console new file mode 100755 index 00000000000..8fe9d4948c7 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/bin/console @@ -0,0 +1,43 @@ +#!/usr/bin/env php +getParameterOption(['--env', '-e'], null, true)) { + putenv('APP_ENV='.$_SERVER['APP_ENV'] = $_ENV['APP_ENV'] = $env); +} + +if ($input->hasParameterOption('--no-debug', true)) { + putenv('APP_DEBUG='.$_SERVER['APP_DEBUG'] = $_ENV['APP_DEBUG'] = '0'); +} + +(new Dotenv())->bootEnv(dirname(__DIR__).'/.env'); + +if ($_SERVER['APP_DEBUG']) { + umask(0000); + + if (class_exists(Debug::class)) { + Debug::enable(); + } +} + +$kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']); +$application = new Application($kernel); +$application->run($input); diff --git a/appsec/tests/integration/src/test/www/symfony62/composer.json b/appsec/tests/integration/src/test/www/symfony62/composer.json new file mode 100644 index 00000000000..49bbc03ac0a --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/composer.json @@ -0,0 +1,85 @@ +{ + "type": "project", + "license": "proprietary", + "minimum-stability": "dev", + "prefer-stable": true, + "require": { + "php": ">=8.0.2", + "ext-ctype": "*", + "ext-iconv": "*", + "doctrine/annotations": "^1.12", + "doctrine/doctrine-bundle": "^2.10", + "doctrine/doctrine-migrations-bundle": "^3.2", + "doctrine/orm": "^2.15", + "symfony/apache-pack": "^1.0", + "symfony/console": "6.2.*", + "symfony/dotenv": "6.2.*", + "symfony/flex": "^1.17.1", + "symfony/form": "6.2.*", + "symfony/framework-bundle": "6.2.*", + "symfony/monolog-bundle": "^3.8", + "symfony/security-bundle": "6.2.*", + "symfony/twig-bundle": "6.2.*", + "symfony/validator": "6.2.*", + "symfony/yaml": "6.2.*" + }, + "config": { + "optimize-autoloader": true, + "preferred-install": { + "*": "dist" + }, + "sort-packages": true, + "allow-plugins": { + "symfony/flex": true, + "symfony/runtime": true + } + }, + "autoload": { + "psr-4": { + "App\\": "src/" + } + }, + "autoload-dev": { + "psr-4": { + "App\\Tests\\": "tests/" + } + }, + "replace": { + "symfony/polyfill-ctype": "*", + "symfony/polyfill-iconv": "*", + "symfony/polyfill-php72": "*", + "symfony/polyfill-php73": "*", + "symfony/polyfill-php74": "*", + "symfony/polyfill-php80": "*", + "symfony/polyfill-php81": "*" + }, + "scripts": { + "auto-scripts": { + "cache:clear": "symfony-cmd", + "assets:install %PUBLIC_DIR%": "symfony-cmd" + }, + "post-install-cmd": [ + "@auto-scripts" + ], + "post-update-cmd": [ + "@auto-scripts" + ], + "post-autoload-dump": [ + "rm -rf var/cache/dev/*", + "rm -rf var/cache/prod/*" + ] + }, + "conflict": { + "symfony/symfony": "*" + }, + "extra": { + "symfony": { + "allow-contrib": true, + "require": "6.2.*" + } + }, + "require-dev": { + "doctrine/doctrine-fixtures-bundle": "^3.4", + "symfony/maker-bundle": "^1.49" + } +} diff --git a/appsec/tests/integration/src/test/www/symfony62/config/bundles.php b/appsec/tests/integration/src/test/www/symfony62/config/bundles.php new file mode 100644 index 00000000000..58388807d5d --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/bundles.php @@ -0,0 +1,12 @@ + ['all' => true], + Symfony\Bundle\TwigBundle\TwigBundle::class => ['all' => true], + Symfony\Bundle\MakerBundle\MakerBundle::class => ['dev' => true], + Symfony\Bundle\SecurityBundle\SecurityBundle::class => ['all' => true], + Doctrine\Bundle\DoctrineBundle\DoctrineBundle::class => ['all' => true], + Doctrine\Bundle\MigrationsBundle\DoctrineMigrationsBundle::class => ['all' => true], + Symfony\Bundle\MonologBundle\MonologBundle::class => ['all' => true], + Doctrine\Bundle\FixturesBundle\DoctrineFixturesBundle::class => ['dev' => true, 'test' => true], +]; diff --git a/appsec/tests/integration/src/test/www/symfony62/config/packages/cache.yaml b/appsec/tests/integration/src/test/www/symfony62/config/packages/cache.yaml new file mode 100644 index 00000000000..6899b72003f --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/packages/cache.yaml @@ -0,0 +1,19 @@ +framework: + cache: + # Unique name of your app: used to compute stable namespaces for cache keys. + #prefix_seed: your_vendor_name/app_name + + # The "app" cache stores to the filesystem by default. + # The data in this cache should persist between deploys. + # Other options include: + + # Redis + #app: cache.adapter.redis + #default_redis_provider: redis://localhost + + # APCu (not recommended with heavy random-write workloads as memory fragmentation can cause perf issues) + #app: cache.adapter.apcu + + # Namespaced pools use the above "app" backend by default + #pools: + #my.dedicated.cache: null diff --git a/appsec/tests/integration/src/test/www/symfony62/config/packages/doctrine.yaml b/appsec/tests/integration/src/test/www/symfony62/config/packages/doctrine.yaml new file mode 100644 index 00000000000..e4ee00eda0d --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/packages/doctrine.yaml @@ -0,0 +1,46 @@ +doctrine: + dbal: + url: 'sqlite:///%kernel.project_dir%/var/app.db' + + # IMPORTANT: You MUST configure your server version, + # either here or in the DATABASE_URL env var (see .env file) + #server_version: '15' + orm: + auto_generate_proxy_classes: true + enable_lazy_ghost_objects: true + report_fields_where_declared: true + validate_xml_mapping: true + naming_strategy: doctrine.orm.naming_strategy.underscore_number_aware + auto_mapping: true + mappings: + App: + is_bundle: false + dir: '%kernel.project_dir%/src/Entity' + prefix: 'App\Entity' + alias: App + +when@test: + doctrine: + dbal: + # "TEST_TOKEN" is typically set by ParaTest + dbname_suffix: '_test%env(default::TEST_TOKEN)%' + +when@prod: + doctrine: + orm: + auto_generate_proxy_classes: false + proxy_dir: '%kernel.build_dir%/doctrine/orm/Proxies' + query_cache_driver: + type: pool + pool: doctrine.system_cache_pool + result_cache_driver: + type: pool + pool: doctrine.result_cache_pool + + framework: + cache: + pools: + doctrine.result_cache_pool: + adapter: cache.app + doctrine.system_cache_pool: + adapter: cache.system diff --git a/appsec/tests/integration/src/test/www/symfony62/config/packages/doctrine_migrations.yaml b/appsec/tests/integration/src/test/www/symfony62/config/packages/doctrine_migrations.yaml new file mode 100644 index 00000000000..29231d94bd1 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/packages/doctrine_migrations.yaml @@ -0,0 +1,6 @@ +doctrine_migrations: + migrations_paths: + # namespace is arbitrary but should be different from App\Migrations + # as migrations classes should NOT be autoloaded + 'DoctrineMigrations': '%kernel.project_dir%/migrations' + enable_profiler: false diff --git a/appsec/tests/integration/src/test/www/symfony62/config/packages/framework.yaml b/appsec/tests/integration/src/test/www/symfony62/config/packages/framework.yaml new file mode 100644 index 00000000000..7050f7d41c1 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/packages/framework.yaml @@ -0,0 +1,17 @@ +# see https://symfony.com/doc/current/reference/configuration/framework.html +framework: + secret: '%env(APP_SECRET)%' + csrf_protection: false + #http_method_override: true + + # Enables session support. Note that the session will ONLY be started if you read or write from it. + # Remove or comment this section to explicitly disable session support. + session: + handler_id: null + cookie_secure: auto + cookie_samesite: lax + + #esi: true + #fragments: true + php_errors: + log: true diff --git a/appsec/tests/integration/src/test/www/symfony62/config/packages/monolog.yaml b/appsec/tests/integration/src/test/www/symfony62/config/packages/monolog.yaml new file mode 100644 index 00000000000..8c9efa91e02 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/packages/monolog.yaml @@ -0,0 +1,61 @@ +monolog: + channels: + - deprecation # Deprecations are logged in the dedicated "deprecation" channel when it exists + +when@dev: + monolog: + handlers: + main: + type: stream + path: "%kernel.logs_dir%/%kernel.environment%.log" + level: debug + channels: ["!event"] + # uncomment to get logging in your browser + # you may have to allow bigger header sizes in your Web server configuration + #firephp: + # type: firephp + # level: info + #chromephp: + # type: chromephp + # level: info + console: + type: console + process_psr_3_messages: false + channels: ["!event", "!doctrine", "!console"] + +when@test: + monolog: + handlers: + main: + type: fingers_crossed + action_level: error + handler: nested + excluded_http_codes: [404, 405] + channels: ["!event"] + nested: + type: stream + path: "%kernel.logs_dir%/%kernel.environment%.log" + level: debug + +when@prod: + monolog: + handlers: + main: + type: fingers_crossed + action_level: error + handler: nested + excluded_http_codes: [404, 405] + buffer_size: 50 # How many messages should be saved? Prevent memory leaks + nested: + type: stream + path: php://stderr + level: debug + formatter: monolog.formatter.json + console: + type: console + process_psr_3_messages: false + channels: ["!event", "!doctrine"] + deprecation: + type: stream + channels: [deprecation] + path: php://stderr diff --git a/appsec/tests/integration/src/test/www/symfony62/config/packages/prod/routing.yaml b/appsec/tests/integration/src/test/www/symfony62/config/packages/prod/routing.yaml new file mode 100644 index 00000000000..b3e6a0af2f1 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/packages/prod/routing.yaml @@ -0,0 +1,3 @@ +framework: + router: + strict_requirements: null diff --git a/appsec/tests/integration/src/test/www/symfony62/config/packages/routing.yaml b/appsec/tests/integration/src/test/www/symfony62/config/packages/routing.yaml new file mode 100644 index 00000000000..b45c1cec761 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/packages/routing.yaml @@ -0,0 +1,7 @@ +framework: + router: + utf8: true + + # Configure how to generate URLs in non-HTTP contexts, such as CLI commands. + # See https://symfony.com/doc/current/routing.html#generating-urls-in-commands + #default_uri: http://localhost diff --git a/appsec/tests/integration/src/test/www/symfony62/config/packages/security.yaml b/appsec/tests/integration/src/test/www/symfony62/config/packages/security.yaml new file mode 100644 index 00000000000..e4087250cf2 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/packages/security.yaml @@ -0,0 +1,46 @@ +security: + # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords + password_hashers: + Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto' + # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider + providers: + # used to reload user from session & other features (e.g. switch_user) + app_user_provider: + entity: + class: App\Entity\User + property: email + firewalls: + dev: + pattern: ^/(_(profiler|wdt)|css|images|js)/ + security: false + main: + lazy: true + provider: app_user_provider + + # activate different ways to authenticate + # https://symfony.com/doc/current/security.html#the-firewall + + # https://symfony.com/doc/current/security/impersonating_user.html + # switch_user: true + form_login: + # "app_login" is the name of the route created previously + login_path: app_login + check_path: app_login + # Easy way to control access for large sections of your site + # Note: Only the *first* access control that matches will be used + access_control: + # - { path: ^/admin, roles: ROLE_ADMIN } + # - { path: ^/profile, roles: ROLE_USER } + +when@test: + security: + password_hashers: + # By default, password hashers are resource intensive and take time. This is + # important to generate secure password hashes. In tests however, secure hashes + # are not important, waste resources and increase test times. The following + # reduces the work factor to the lowest possible values. + Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: + algorithm: auto + cost: 4 # Lowest possible value for bcrypt + time_cost: 3 # Lowest possible value for argon + memory_cost: 10 # Lowest possible value for argon diff --git a/appsec/tests/integration/src/test/www/symfony62/config/packages/test/framework.yaml b/appsec/tests/integration/src/test/www/symfony62/config/packages/test/framework.yaml new file mode 100644 index 00000000000..d051c840086 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/packages/test/framework.yaml @@ -0,0 +1,4 @@ +framework: + test: true + session: + storage_id: session.storage.mock_file diff --git a/appsec/tests/integration/src/test/www/symfony62/config/packages/test/twig.yaml b/appsec/tests/integration/src/test/www/symfony62/config/packages/test/twig.yaml new file mode 100644 index 00000000000..8c6e0b401da --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/packages/test/twig.yaml @@ -0,0 +1,2 @@ +twig: + strict_variables: true diff --git a/appsec/tests/integration/src/test/www/symfony62/config/packages/twig.yaml b/appsec/tests/integration/src/test/www/symfony62/config/packages/twig.yaml new file mode 100644 index 00000000000..b3cdf306498 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/packages/twig.yaml @@ -0,0 +1,2 @@ +twig: + default_path: '%kernel.project_dir%/templates' diff --git a/appsec/tests/integration/src/test/www/symfony62/config/packages/validator.yaml b/appsec/tests/integration/src/test/www/symfony62/config/packages/validator.yaml new file mode 100644 index 00000000000..0201281d3cb --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/packages/validator.yaml @@ -0,0 +1,13 @@ +framework: + validation: + email_validation_mode: html5 + + # Enables validator auto-mapping support. + # For instance, basic validation constraints will be inferred from Doctrine's metadata. + #auto_mapping: + # App\Entity\: [] + +when@test: + framework: + validation: + not_compromised_password: false diff --git a/appsec/tests/integration/src/test/www/symfony62/config/preload.php b/appsec/tests/integration/src/test/www/symfony62/config/preload.php new file mode 100644 index 00000000000..5ebcdb2153c --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/config/preload.php @@ -0,0 +1,5 @@ +addSql('CREATE TABLE "user" (id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, email VARCHAR(180) NOT NULL, roles CLOB NOT NULL --(DC2Type:json) + , password VARCHAR(255) NOT NULL)'); + $this->addSql('CREATE UNIQUE INDEX UNIQ_8D93D649E7927C74 ON "user" (email)'); + } + + public function down(Schema $schema): void + { + // this down() migration is auto-generated, please modify it to your needs + $this->addSql('DROP TABLE "user"'); + } +} diff --git a/appsec/tests/integration/src/test/www/symfony62/public/.htaccess b/appsec/tests/integration/src/test/www/symfony62/public/.htaccess new file mode 100644 index 00000000000..3853fa97776 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/public/.htaccess @@ -0,0 +1,70 @@ +# Use the front controller as index file. It serves as a fallback solution when +# every other rewrite/redirect fails (e.g. in an aliased environment without +# mod_rewrite). Additionally, this reduces the matching process for the +# start page (path "/") because otherwise Apache will apply the rewriting rules +# to each configured DirectoryIndex file (e.g. index.php, index.html, index.pl). +DirectoryIndex index.php + +# By default, Apache does not evaluate symbolic links if you did not enable this +# feature in your server configuration. Uncomment the following line if you +# install assets as symlinks or if you experience problems related to symlinks +# when compiling LESS/Sass/CoffeScript assets. +# Options +FollowSymlinks + +# Disabling MultiViews prevents unwanted negotiation, e.g. "/index" should not resolve +# to the front controller "/index.php" but be rewritten to "/index.php/index". + + Options -MultiViews + + + + # This Option needs to be enabled for RewriteRule, otherwise it will show an error like + # 'Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden' + Options +FollowSymlinks + + RewriteEngine On + + # Determine the RewriteBase automatically and set it as environment variable. + # If you are using Apache aliases to do mass virtual hosting or installed the + # project in a subdirectory, the base path will be prepended to allow proper + # resolution of the index.php file and to redirect to the correct URI. It will + # work in environments without path prefix as well, providing a safe, one-size + # fits all solution. But as you do not need it in this case, you can comment + # the following 2 lines to eliminate the overhead. + RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$ + RewriteRule .* - [E=BASE:%1] + + # Sets the HTTP_AUTHORIZATION header removed by Apache + RewriteCond %{HTTP:Authorization} .+ + RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0] + + # Redirect to URI without front controller to prevent duplicate content + # (with and without `/index.php`). Only do this redirect on the initial + # rewrite by Apache and not on subsequent cycles. Otherwise we would get an + # endless redirect loop (request -> rewrite to front controller -> + # redirect -> request -> ...). + # So in case you get a "too many redirects" error or you always get redirected + # to the start page because your Apache does not expose the REDIRECT_STATUS + # environment variable, you have 2 choices: + # - disable this feature by commenting the following 2 lines or + # - use Apache >= 2.3.9 and replace all L flags by END flags and remove the + # following RewriteCond (best solution) + RewriteCond %{ENV:REDIRECT_STATUS} ="" + RewriteRule ^index\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L] + + # If the requested filename exists, simply serve it. + # We only want to let Apache serve files and not directories. + # Rewrite all other queries to the front controller. + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule ^ %{ENV:BASE}/index.php [L] + + + + + # When mod_rewrite is not available, we instruct a temporary redirect of + # the start page to the front controller explicitly so that the website + # and the generated links can still be used. + RedirectMatch 307 ^/$ /index.php/ + # RedirectTemp cannot be used instead + + diff --git a/appsec/tests/integration/src/test/www/symfony62/public/index.php b/appsec/tests/integration/src/test/www/symfony62/public/index.php new file mode 100644 index 00000000000..3bcee0b19d3 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/public/index.php @@ -0,0 +1,22 @@ +bootEnv(dirname(__DIR__).'/.env'); + +if ($_SERVER['APP_DEBUG']) { + umask(0000); + + Debug::enable(); +} + +$kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']); +$request = Request::createFromGlobals(); +$response = $kernel->handle($request); +$response->send(); +$kernel->terminate($request, $response); diff --git a/appsec/tests/integration/src/test/www/symfony62/src/Controller/HomeController.php b/appsec/tests/integration/src/test/www/symfony62/src/Controller/HomeController.php new file mode 100644 index 00000000000..7271540ccfe --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/src/Controller/HomeController.php @@ -0,0 +1,23 @@ +getLastAuthenticationError(); + + // last username entered by the user + $lastUsername = $authenticationUtils->getLastUsername(); + + return $this->render('login/index.html.twig', [ + 'last_username' => $lastUsername, + 'error' => $error, + ]); + } +} diff --git a/appsec/tests/integration/src/test/www/symfony62/src/Controller/RegistrationController.php b/appsec/tests/integration/src/test/www/symfony62/src/Controller/RegistrationController.php new file mode 100644 index 00000000000..32abe9f5c7f --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/src/Controller/RegistrationController.php @@ -0,0 +1,43 @@ +createForm(RegistrationFormType::class, $user); + $form->handleRequest($request); + + if ($form->isSubmitted() && $form->isValid()) { + // encode the plain password + $user->setPassword( + $userPasswordHasher->hashPassword( + $user, + $form->get('plainPassword')->getData() + ) + ); + + $entityManager->persist($user); + $entityManager->flush(); + // do anything else you need here, like send an email + + return $this->redirectToRoute('home'); + } + + return $this->render('registration/register.html.twig', [ + 'registrationForm' => $form->createView(), + ]); + } +} diff --git a/appsec/tests/integration/src/test/www/symfony62/src/DataFixtures/AppFixtures.php b/appsec/tests/integration/src/test/www/symfony62/src/DataFixtures/AppFixtures.php new file mode 100644 index 00000000000..44c821df1c9 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/src/DataFixtures/AppFixtures.php @@ -0,0 +1,20 @@ +setPassword('$2y$13$WNnAxSuifzgXGx9kYfFr.eMaXzE50MmrMnXxmrlZqxSa21oiMyy0i'); + $user->setEmail("test-user@email.com"); + $manager->persist($user); + + $manager->flush(); + } +} diff --git a/appsec/tests/integration/src/test/www/symfony62/src/Entity/User.php b/appsec/tests/integration/src/test/www/symfony62/src/Entity/User.php new file mode 100644 index 00000000000..f189feed996 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/src/Entity/User.php @@ -0,0 +1,102 @@ +id; + } + + public function getEmail(): ?string + { + return $this->email; + } + + public function setEmail(string $email): static + { + $this->email = $email; + + return $this; + } + + /** + * A visual identifier that represents this user. + * + * @see UserInterface + */ + public function getUserIdentifier(): string + { + return (string) $this->email; + } + + /** + * @see UserInterface + */ + public function getRoles(): array + { + $roles = $this->roles; + // guarantee every user at least has ROLE_USER + $roles[] = 'ROLE_USER'; + + return array_unique($roles); + } + + public function setRoles(array $roles): static + { + $this->roles = $roles; + + return $this; + } + + /** + * @see PasswordAuthenticatedUserInterface + */ + public function getPassword(): string + { + return $this->password; + } + + public function setPassword(string $password): static + { + $this->password = $password; + + return $this; + } + + /** + * @see UserInterface + */ + public function eraseCredentials(): void + { + // If you store any temporary, sensitive data on the user, clear it here + // $this->plainPassword = null; + } +} diff --git a/appsec/tests/integration/src/test/www/symfony62/src/Form/RegistrationFormType.php b/appsec/tests/integration/src/test/www/symfony62/src/Form/RegistrationFormType.php new file mode 100644 index 00000000000..957e588354e --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/src/Form/RegistrationFormType.php @@ -0,0 +1,55 @@ +add('email') + ->add('agreeTerms', CheckboxType::class, [ + 'mapped' => false, + 'constraints' => [ + new IsTrue([ + 'message' => 'You should agree to our terms.', + ]), + ], + ]) + ->add('plainPassword', PasswordType::class, [ + // instead of being set onto the object directly, + // this is read and encoded in the controller + 'mapped' => false, + 'attr' => ['autocomplete' => 'new-password'], + 'constraints' => [ + new NotBlank([ + 'message' => 'Please enter a password', + ]), + new Length([ + 'min' => 6, + 'minMessage' => 'Your password should be at least {{ limit }} characters', + // max length allowed by Symfony for security reasons + 'max' => 4096, + ]), + ], + ]) + ; + } + + public function configureOptions(OptionsResolver $resolver): void + { + $resolver->setDefaults([ + 'data_class' => User::class, + ]); + } +} diff --git a/appsec/tests/integration/src/test/www/symfony62/src/Kernel.php b/appsec/tests/integration/src/test/www/symfony62/src/Kernel.php new file mode 100644 index 00000000000..655e796658d --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/src/Kernel.php @@ -0,0 +1,38 @@ +import('../config/{packages}/*.yaml'); + $container->import('../config/{packages}/'.$this->environment.'/*.yaml'); + + if (is_file(\dirname(__DIR__).'/config/services.yaml')) { + $container->import('../config/services.yaml'); + $container->import('../config/{services}_'.$this->environment.'.yaml'); + } elseif (is_file($path = \dirname(__DIR__).'/config/services.php')) { + (require $path)($container->withPath($path), $this); + } + } + + protected function configureRoutes(RoutingConfigurator $routes): void + { + $routes->import('../config/{routes}/'.$this->environment.'/*.yaml'); + $routes->import('../config/{routes}/*.yaml'); + + if (is_file(\dirname(__DIR__).'/config/routes.yaml')) { + $routes->import('../config/routes.yaml'); + } elseif (is_file($path = \dirname(__DIR__).'/config/routes.php')) { + (require $path)($routes->withPath($path), $this); + } + } +} diff --git a/appsec/tests/integration/src/test/www/symfony62/src/Repository/UserRepository.php b/appsec/tests/integration/src/test/www/symfony62/src/Repository/UserRepository.php new file mode 100644 index 00000000000..4735f7c4adf --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/src/Repository/UserRepository.php @@ -0,0 +1,83 @@ + + * + * @method User|null find($id, $lockMode = null, $lockVersion = null) + * @method User|null findOneBy(array $criteria, array $orderBy = null) + * @method User[] findAll() + * @method User[] findBy(array $criteria, array $orderBy = null, $limit = null, $offset = null) + */ +class UserRepository extends ServiceEntityRepository implements PasswordUpgraderInterface +{ + public function __construct(ManagerRegistry $registry) + { + parent::__construct($registry, User::class); + } + + public function save(User $entity, bool $flush = false): void + { + $this->getEntityManager()->persist($entity); + + if ($flush) { + $this->getEntityManager()->flush(); + } + } + + public function remove(User $entity, bool $flush = false): void + { + $this->getEntityManager()->remove($entity); + + if ($flush) { + $this->getEntityManager()->flush(); + } + } + + /** + * Used to upgrade (rehash) the user's password automatically over time. + */ + public function upgradePassword(PasswordAuthenticatedUserInterface $user, string $newHashedPassword): void + { + if (!$user instanceof User) { + throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', $user::class)); + } + + $user->setPassword($newHashedPassword); + + $this->save($user, true); + } + +// /** +// * @return User[] Returns an array of User objects +// */ +// public function findByExampleField($value): array +// { +// return $this->createQueryBuilder('u') +// ->andWhere('u.exampleField = :val') +// ->setParameter('val', $value) +// ->orderBy('u.id', 'ASC') +// ->setMaxResults(10) +// ->getQuery() +// ->getResult() +// ; +// } + +// public function findOneBySomeField($value): ?User +// { +// return $this->createQueryBuilder('u') +// ->andWhere('u.exampleField = :val') +// ->setParameter('val', $value) +// ->getQuery() +// ->getOneOrNullResult() +// ; +// } +} diff --git a/appsec/tests/integration/src/test/www/symfony62/symfony.lock b/appsec/tests/integration/src/test/www/symfony62/symfony.lock new file mode 100644 index 00000000000..7a2cdbca894 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/symfony.lock @@ -0,0 +1,176 @@ +{ + "doctrine/annotations": { + "version": "1.14", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "1.10", + "ref": "64d8583af5ea57b7afa4aba4b159907f3a148b05" + } + }, + "doctrine/doctrine-bundle": { + "version": "2.10", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "2.10", + "ref": "e025a6cb69b195970543820b2f18ad21724473fa" + }, + "files": [ + "config/packages/doctrine.yaml", + "src/Entity/.gitignore", + "src/Repository/.gitignore" + ] + }, + "doctrine/doctrine-fixtures-bundle": { + "version": "3.4", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "3.0", + "ref": "1f5514cfa15b947298df4d771e694e578d4c204d" + }, + "files": [ + "src/DataFixtures/AppFixtures.php" + ] + }, + "doctrine/doctrine-migrations-bundle": { + "version": "3.2", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "3.1", + "ref": "1d01ec03c6ecbd67c3375c5478c9a423ae5d6a33" + }, + "files": [ + "config/packages/doctrine_migrations.yaml", + "migrations/.gitignore" + ] + }, + "symfony/apache-pack": { + "version": "1.0", + "recipe": { + "repo": "github.com/symfony/recipes-contrib", + "branch": "main", + "version": "1.0", + "ref": "efb318193e48384eb5c5aadff15396ed698f8ffc" + }, + "files": [ + "public/.htaccess" + ] + }, + "symfony/console": { + "version": "6.2", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "5.3", + "ref": "da0c8be8157600ad34f10ff0c9cc91232522e047" + }, + "files": [ + "bin/console" + ] + }, + "symfony/flex": { + "version": "1.20", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "1.0", + "ref": "146251ae39e06a95be0fe3d13c807bcf3938b172" + }, + "files": [ + ".env" + ] + }, + "symfony/framework-bundle": { + "version": "6.2", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "6.2", + "ref": "af47254c5e4cd543e6af3e4508298ffebbdaddd3" + }, + "files": [ + "config/packages/cache.yaml", + "config/packages/framework.yaml", + "config/preload.php", + "config/routes/framework.yaml", + "config/services.yaml", + "public/index.php", + "src/Controller/.gitignore", + "src/Kernel.php" + ] + }, + "symfony/maker-bundle": { + "version": "1.50", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "1.0", + "ref": "fadbfe33303a76e25cb63401050439aa9b1a9c7f" + } + }, + "symfony/monolog-bundle": { + "version": "3.8", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "3.7", + "ref": "213676c4ec929f046dfde5ea8e97625b81bc0578" + }, + "files": [ + "config/packages/monolog.yaml" + ] + }, + "symfony/routing": { + "version": "6.2", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "6.2", + "ref": "e0a11b4ccb8c9e70b574ff5ad3dfdcd41dec5aa6" + }, + "files": [ + "config/packages/routing.yaml", + "config/routes.yaml" + ] + }, + "symfony/security-bundle": { + "version": "6.2", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "6.0", + "ref": "8a5b112826f7d3d5b07027f93786ae11a1c7de48" + }, + "files": [ + "config/packages/security.yaml" + ] + }, + "symfony/twig-bundle": { + "version": "6.2", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "5.4", + "ref": "bb2178c57eee79e6be0b297aa96fc0c0def81387" + }, + "files": [ + "config/packages/twig.yaml", + "templates/base.html.twig" + ] + }, + "symfony/validator": { + "version": "6.2", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "5.3", + "ref": "c32cfd98f714894c4f128bb99aa2530c1227603c" + }, + "files": [ + "config/packages/validator.yaml" + ] + } +} diff --git a/appsec/tests/integration/src/test/www/symfony62/templates/base.html.twig b/appsec/tests/integration/src/test/www/symfony62/templates/base.html.twig new file mode 100644 index 00000000000..16d7273bb47 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/templates/base.html.twig @@ -0,0 +1,19 @@ + + + + + {% block title %}Welcome!{% endblock %} + {# Run `composer require symfony/webpack-encore-bundle` + and uncomment the following Encore helpers to start using Symfony UX #} + {% block stylesheets %} + {#{{ encore_entry_link_tags('app') }}#} + {% endblock %} + + {% block javascripts %} + {#{{ encore_entry_script_tags('app') }}#} + {% endblock %} + + + {% block body %}{% endblock %} + + diff --git a/appsec/tests/integration/src/test/www/symfony62/templates/login/index.html.twig b/appsec/tests/integration/src/test/www/symfony62/templates/login/index.html.twig new file mode 100644 index 00000000000..471213fa5fd --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/templates/login/index.html.twig @@ -0,0 +1,21 @@ +{# templates/login/index.html.twig #} +{% extends 'base.html.twig' %} + +{% block body %} + {% if error %} +
{{ error.messageKey|trans(error.messageData, 'security') }}
+ {% endif %} + +
+ + + + + + + {# If you want to control the URL the user is redirected to on success + #} + + +
+{% endblock %} \ No newline at end of file diff --git a/appsec/tests/integration/src/test/www/symfony62/templates/registration/register.html.twig b/appsec/tests/integration/src/test/www/symfony62/templates/registration/register.html.twig new file mode 100644 index 00000000000..97f32c9af11 --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/templates/registration/register.html.twig @@ -0,0 +1,19 @@ +{% extends 'base.html.twig' %} + +{% block title %}Register{% endblock %} + +{% block body %} +

Register

+ + {{ form_errors(registrationForm) }} + + {{ form_start(registrationForm) }} + {{ form_row(registrationForm.email) }} + {{ form_row(registrationForm.plainPassword, { + label: 'Password' + }) }} + {{ form_row(registrationForm.agreeTerms) }} + + + {{ form_end(registrationForm) }} +{% endblock %} diff --git a/appsec/tests/integration/src/test/www/symfony62/templates/twig_template.html.twig b/appsec/tests/integration/src/test/www/symfony62/templates/twig_template.html.twig new file mode 100644 index 00000000000..cacda46b55d --- /dev/null +++ b/appsec/tests/integration/src/test/www/symfony62/templates/twig_template.html.twig @@ -0,0 +1 @@ +This is the view diff --git a/appsec/tests/mock_helper/CMakeLists.txt b/appsec/tests/mock_helper/CMakeLists.txt index 78565c6769a..4e104e94540 100644 --- a/appsec/tests/mock_helper/CMakeLists.txt +++ b/appsec/tests/mock_helper/CMakeLists.txt @@ -25,7 +25,10 @@ add_executable(mock_helper set_property(TARGET mock_helper PROPERTY CXX_STANDARD 17) target_compile_definitions(mock_helper PRIVATE - BOOST_ASIO_NO_DEPRECATED SPDLOG_ACTIVE_LEVEL=0 BOOST_STACKTRACE_LINK=1) + BOOST_ASIO_NO_DEPRECATED + BOOST_STACKTRACE_LINK=1 + BOOST_NO_CXX98_FUNCTION_BASE + BOOST_NO_CXX98_FUNCTION_BASE) target_compile_options(mock_helper PRIVATE -Wall -pedantic -Werror) target_link_libraries(mock_helper PRIVATE diff --git a/appsec/third_party/CMakeLists.txt b/appsec/third_party/CMakeLists.txt index fc92b2ac34c..d06aa54ff3d 100644 --- a/appsec/third_party/CMakeLists.txt +++ b/appsec/third_party/CMakeLists.txt @@ -58,4 +58,3 @@ endif() target_compile_definitions(zlibstatic PUBLIC ZLIB_CONST=1) target_include_directories(zlibstatic INTERFACE ${zlib_SOURCE_DIR} ${zlib_BINARY_DIR}) - diff --git a/appsec/valgrind.supp b/appsec/valgrind.supp new file mode 100644 index 00000000000..335cabd3ac5 --- /dev/null +++ b/appsec/valgrind.supp @@ -0,0 +1,193 @@ +{ + + Memcheck:Leak + match-leak-kinds: possible + ... + fun:ddtrace_coms_init_and_start_writer + fun:dd_rinit_once + ... + fun:zm_activate_ddtrace + fun:zend_activate_modules + fun:php_request_startup + ... +} +{ + + Memcheck:Leak + match-leak-kinds: possible + ... + fun:ddtrace_coms_init_and_start_writer + ... + fun:zm_activate_ddtrace + fun:zend_activate_modules + ... + fun:php_request_startup + ... +} +# https://gist.github.com/nikic/8d404c6799a1532b0c10280f5e57a888 +{ + String_Equality_Intentionally_Reads_Uninit_Memory + Memcheck:Cond + fun:zend_string_equal_val +} +{ + <_emit_error> + Memcheck:Leak + match-leak-kinds: definite + ... + fun:php_verror + fun:_emit_error + ... +} +{ + + Memcheck:Leak + match-leak-kinds: definite + ... + fun:__zend_malloc + fun:zend_compile + fun:compile_file + fun:zend_execute_scripts + fun:php_execute_script +} +{ + + Memcheck:Leak + match-leak-kinds: possible + ... + fun:php_load_shlib + fun:php_load_extension + fun:zend_llist_apply + fun:php_ini_register_extensions +} +{ + + Memcheck:Leak + match-leak-kinds: possible + ... + fun:php_load_shlib + fun:php_load_zend_extension_cb + fun:zend_llist_apply + fun:php_ini_register_extensions +} +{ + + Memcheck:Leak + match-leak-kinds: possible + ... + fun:zai_hook_register_inheritor + fun:zai_hook_register_all_inheritors + fun:zai_hook_post_startup + fun:zai_interceptor_post_startup + ... +} +{ + + Memcheck:Leak + match-leak-kinds: possible + ... + fun:_dd_compile_file + fun:zai_interceptor_compile_file + ... +} +{ + + Memcheck:Leak + match-leak-kinds: definite + ... + fun:_dd_compile_file + fun:zai_interceptor_compile_file + ... +} +{ + + Memcheck:Leak + match-leak-kinds: possible + ... + fun:zai_hook_activate + fun:zm_activate_ddtrace + ... +} +{ + + Memcheck:Leak + match-leak-kinds: possible + ... + fun:zai_hook_rinit + fun:ddtrace_activate + ... +} +{ + + Memcheck:Leak + match-leak-kinds: definite + ... + fun:zai_hook_activate + fun:zm_activate_ddtrace + ... +} + +{ + + Memcheck:Leak + match-leak-kinds: definite + ... + fun:zai_hook_rinit + fun:ddtrace_activate + ... +} +{ + + Memcheck:Leak + match-leak-kinds: possible + ... + fun:zai_hook_resolve_class + fun:zai_interceptor_add_new_entries + fun:zai_interceptor_compile_file + ... +} +{ + + Memcheck:Leak + match-leak-kinds: possible + ... + fun:zai_hook_resolve_class + fun:zai_interceptor_add_new_entries + fun:zai_interceptor_compile_file + ... +} +{ + + Memcheck:Leak + match-leak-kinds: possible + ... + fun:dd_initialize_request + fun:zm_activate_ddtrace +} +{ + + Memcheck:Leak + match-leak-kinds: possible + ... + fun:php_load_extension + ... +} +{ + + Memcheck:Leak + match-leak-kinds: definite + ... + fun:__zend_malloc + fun:zend_compile + fun:compile_file + fun:zend_e + fun:php_request_startup +} +{ + + Memcheck:Cond + ... + fun:dd_initialize_request + fun:zm_activate_ddtrace + ... +} diff --git a/cmake/Modules/FindPhpConfig.cmake b/cmake/Modules/FindPhpConfig.cmake index b7e6f64f5f6..c6d1a5952ad 100644 --- a/cmake/Modules/FindPhpConfig.cmake +++ b/cmake/Modules/FindPhpConfig.cmake @@ -122,7 +122,7 @@ if(PhpConfig_FOUND) target_link_libraries(mylib PRIVATE PhpConfig::PhpConfig) ]] add_library(PhpConfig INTERFACE) - target_include_directories(PhpConfig INTERFACE ${PhpConfig_INCLUDE_DIRS}) + target_include_directories(PhpConfig SYSTEM INTERFACE ${PhpConfig_INCLUDE_DIRS}) target_link_directories(PhpConfig INTERFACE ${PhpConfig_LIBRARY_DIRS}) target_compile_features(PhpConfig INTERFACE c_std_99) diff --git a/config.m4 b/config.m4 index 4acba102537..d18189d7a7b 100644 --- a/config.m4 +++ b/config.m4 @@ -159,6 +159,7 @@ if test "$PHP_DDTRACE" != "no"; then ext/startup_logging.c \ ext/telemetry.c \ ext/tracer_tag_propagation/tracer_tag_propagation.c \ + ext/user_request.c \ ext/hook/uhook.c \ ext/hook/uhook_legacy.c \ " diff --git a/ddtrace.sym b/ddtrace.sym index 17ea45ff2c6..cbdfdbcb404 100644 --- a/ddtrace.sym +++ b/ddtrace.sym @@ -1,8 +1,8 @@ ddtrace_close_all_spans_and_flush ddtrace_get_profiling_context -ddtrace_set_priority_sampling_on_root -ddtrace_root_span_get_meta -ddtrace_root_span_get_metrics +ddtrace_get_root_span +ddtrace_set_priority_sampling_on_span_zobj ddtrace_runtime_id +ddtrace_user_req_add_listeners get_module ddog_daemon_entry_point diff --git a/dockerfiles/services/request-replayer/src/index.php b/dockerfiles/services/request-replayer/src/index.php index 34e122e646d..092ecb4455f 100644 --- a/dockerfiles/services/request-replayer/src/index.php +++ b/dockerfiles/services/request-replayer/src/index.php @@ -50,7 +50,9 @@ function logRequest($message, $data = '') } unlink(REQUEST_LATEST_DUMP_FILE); unlink(REQUEST_LOG_FILE); - unlink(REQUEST_NEXT_RESPONSE_FILE); + if (file_exists(REQUEST_NEXT_RESPONSE_FILE)) { + unlink(REQUEST_NEXT_RESPONSE_FILE); + } logRequest('Deleted request log'); break; case '/next-response': diff --git a/ext/ddtrace.c b/ext/ddtrace.c index b9df2334ea2..4696218edfc 100644 --- a/ext/ddtrace.c +++ b/ext/ddtrace.c @@ -63,6 +63,7 @@ #include "startup_logging.h" #include "telemetry.h" #include "tracer_tag_propagation/tracer_tag_propagation.h" +#include "user_request.h" #include "ext/standard/file.h" #include "../hook/uhook.h" @@ -782,6 +783,11 @@ static void dd_disable_if_incompatible_sapi_detected(void) { } } +static void ddtrace_execute_ex(zend_execute_data *execute_data) +{ + execute_ex(execute_data); +} + static PHP_MINIT_FUNCTION(ddtrace) { UNUSED(type); @@ -867,6 +873,13 @@ static PHP_MINIT_FUNCTION(ddtrace) { ddtrace_integrations_minit(); dd_ip_extraction_startup(); + ddtrace_user_request_startup(); + + // we need to trigger the slow path in the fcall handler in order to be able to suppress calls + // otherwise OPLINE is not refreshed after calling the begin observers + if (zend_execute_ex == execute_ex) { + zend_execute_ex = ddtrace_execute_ex; + } return SUCCESS; } @@ -908,6 +921,8 @@ static PHP_MSHUTDOWN_FUNCTION(ddtrace) { ddtrace_limiter_destroy(); zai_config_mshutdown(); + ddtrace_user_request_shutdown(); + ddtrace_sidecar_shutdown(); #if PHP_VERSION_ID >= 80000 && PHP_VERSION_ID < 80100 diff --git a/ext/handlers_api.c b/ext/handlers_api.c index 7f0514ef436..125a24d6838 100644 --- a/ext/handlers_api.c +++ b/ext/handlers_api.c @@ -5,6 +5,7 @@ void datadog_php_install_handler(datadog_php_zif_handler handler) { zend_function *old_handler; old_handler = zend_hash_str_find_ptr(CG(function_table), handler.name, handler.name_len); + if (old_handler != NULL) { *handler.old_handler = old_handler->internal_function.handler; old_handler->internal_function.handler = handler.new_handler; diff --git a/ext/hook/uhook.c b/ext/hook/uhook.c index beed6ae4ca9..471bac5bfaf 100644 --- a/ext/hook/uhook.c +++ b/ext/hook/uhook.c @@ -2,7 +2,9 @@ #include #include +#include #include +#include #include "../compatibility.h" #include "../configuration.h" @@ -56,11 +58,16 @@ typedef struct { zend_execute_data *execute_data; zval *vm_stack_top; zval *retval_ptr; + zend_object *exception_override; ddtrace_span_data *span; ddtrace_span_stack *prior_stack; + bool *running_ptr; bool returns_reference; + bool suppress_call; } dd_hook_data; +#define EXCEPTION_OVERRIDE_CLEAR ((zend_object *)0x1) + typedef struct { dd_hook_data *hook_data; } dd_uhook_dynamic; @@ -228,6 +235,7 @@ static bool dd_uhook_begin(zend_ulong invocation, zend_execute_data *execute_dat dyn->hook_data = (dd_hook_data *)dd_hook_data_create(ddtrace_hook_data_ce); dyn->hook_data->returns_reference = execute_data->func->common.fn_flags & ZEND_ACC_RETURN_REFERENCE; dyn->hook_data->vm_stack_top = EG(vm_stack_top); + dyn->hook_data->running_ptr = &def->running; dyn->hook_data->invocation = invocation; ZVAL_LONG(&dyn->hook_data->property_id, def->id); @@ -250,6 +258,37 @@ static bool dd_uhook_begin(zend_ulong invocation, zend_execute_data *execute_dat } dyn->hook_data->execute_data = NULL; + if (dyn->hook_data->suppress_call) { + if (ZEND_USER_CODE(execute_data->func->type)) { + static union { + zend_op zop; + zval zv; + } retop[] = {[0].zop = + { + .opcode = ZEND_RETURN, + .op1_type = IS_CONST, + .op1 = {.constant = sizeof(retop[0])}, + .op2_type = IS_UNUSED, + }, + [1].zv = {.u1.type_info = IS_NULL}}; + // the race condition doesn't matter + if (!retop[0].zop.handler) { + zend_vm_set_opcode_handler(&retop[0].zop); + } + struct { + zend_function new_func; + zend_function *orig_func; } *fs = emalloc(sizeof *fs); + memcpy(&fs->new_func, execute_data->func, sizeof fs->new_func); + fs->orig_func = execute_data->func; + fs->new_func.op_array.last = 1; + fs->new_func.op_array.opcodes = (zend_op *)retop; + execute_data->func = &fs->new_func; + execute_data->opline = &retop[0].zop; + } else { + // XXX: not supported yet + } + } + return true; } @@ -331,6 +370,30 @@ static void dd_uhook_end(zend_ulong invocation, zend_execute_data *execute_data, } } + zend_object *exception_override = dyn->hook_data->exception_override; + if (exception_override) { + zend_clear_exception(); + if (exception_override != EXCEPTION_OVERRIDE_CLEAR) { +#if PHP_VERSION_ID >= 80000 + zend_throw_exception_internal(exception_override); +#else + zval e; + ZVAL_OBJ(&e, exception_override); + zend_throw_exception_internal(&e); +#endif + } + } + + if (dyn->hook_data->suppress_call) { + if (ZEND_USER_CODE(execute_data->func->type)) { + zend_function *orig_func = *(zend_function**)(execute_data->func + 1); + efree(execute_data->func); + execute_data->func = orig_func; + } else { + // XXX: not supported yet + } + } + OBJ_RELEASE(&dyn->hook_data->std); } @@ -763,8 +826,6 @@ ZEND_METHOD(DDTrace_HookData, overrideArguments) { } ZEND_METHOD(DDTrace_HookData, overrideReturnValue) { - (void)return_value; - dd_hook_data *hookData = (dd_hook_data *)Z_OBJ_P(ZEND_THIS); zval *retval; @@ -789,6 +850,57 @@ ZEND_METHOD(DDTrace_HookData, overrideReturnValue) { RETURN_TRUE; } +ZEND_METHOD(DDTrace_HookData, suppressCall) { + dd_hook_data *hookData = (dd_hook_data *)Z_OBJ_P(ZEND_THIS); + + if (zend_parse_parameters_none() == FAILURE) { + return; + } + + hookData->suppress_call = true; + + RETURN_TRUE; +} + +ZEND_METHOD(DDTrace_HookData, enableAdviceOnRecursiveCall) { + dd_hook_data *hookData = (dd_hook_data *)Z_OBJ_P(ZEND_THIS); + + if (zend_parse_parameters_none() == FAILURE) { + return; + } + + if (!*hookData->running_ptr) { + RETURN_FALSE; + } + + *hookData->running_ptr = false; + + RETURN_TRUE; +} + +ZEND_METHOD(DDTrace_HookData, overrideException) { + dd_hook_data *hookData = (dd_hook_data *)Z_OBJ_P(ZEND_THIS); + zend_object *throwable = NULL; + + ZEND_PARSE_PARAMETERS_START(0, 1) + Z_PARAM_OPTIONAL + Z_PARAM_OBJ_OF_CLASS_EX(throwable, zend_ce_throwable, 1, 0) + ZEND_PARSE_PARAMETERS_END(); + + if (hookData->exception_override && hookData->exception_override != EXCEPTION_OVERRIDE_CLEAR) { + OBJ_RELEASE(hookData->exception_override); + } + + if (throwable) { + GC_ADDREF(throwable); + hookData->exception_override = throwable; + } else { + hookData->exception_override = EXCEPTION_OVERRIDE_CLEAR; + } + + RETURN_TRUE; +} + ZEND_METHOD(DDTrace_HookData, getSourceFile) { (void)return_value; diff --git a/ext/hook/uhook.stub.php b/ext/hook/uhook.stub.php index 2a06bf1192f..3ea355f9d8b 100644 --- a/ext/hook/uhook.stub.php +++ b/ext/hook/uhook.stub.php @@ -75,6 +75,27 @@ public function overrideArguments(array $arguments): bool; */ public function overrideReturnValue(mixed $value): bool; + /** + * Replaces the exception thrown by a function call. Must be called within a post-hook. + * + * @param \Throwable|null $exception An exception which will replace the original exception. + * @return bool 'true' on success, otherwise 'false' + */ + public function overrideException(\Throwable|null $exception): bool; + + /** + * Suppresses the call to the hooked function. Must be called within a pre-hook. + * @return bool always 'true' + */ + public function suppressCall(): bool; + + /** + * By default, advice is not called when the instrumented function from its advice. + * This method can be used to override this behavior. + * @return bool 'true' if called from the advice, which should always be the case + */ + public function enableAdviceOnRecursiveCall(): bool; + /** * The name of the file where the function/method call was made from. * diff --git a/ext/hook/uhook_arginfo.h b/ext/hook/uhook_arginfo.h index 6516be132ed..6955a678658 100644 --- a/ext/hook/uhook_arginfo.h +++ b/ext/hook/uhook_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: e25a961e65f8aa086ed4f7d83b86b141e13e718c */ + * Stub hash: 8fa4825b6822c2bd3c0388cb1e7a5294cb212233 */ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_DDTrace_install_hook, 0, 1, IS_LONG, 0) ZEND_ARG_OBJ_TYPE_MASK(0, target, Closure|Generator, MAY_BE_STRING|MAY_BE_CALLABLE, NULL) @@ -27,6 +27,15 @@ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_class_DDTrace_HookData_overrideR ZEND_ARG_TYPE_INFO(ZEND_SEND_PREFER_REF, value, IS_MIXED, 0) ZEND_END_ARG_INFO() +ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_class_DDTrace_HookData_overrideException, 0, 1, _IS_BOOL, 0) + ZEND_ARG_OBJ_INFO(0, exception, Throwable, 1) +ZEND_END_ARG_INFO() + +ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_class_DDTrace_HookData_suppressCall, 0, 0, _IS_BOOL, 0) +ZEND_END_ARG_INFO() + +#define arginfo_class_DDTrace_HookData_enableAdviceOnRecursiveCall arginfo_class_DDTrace_HookData_suppressCall + ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_class_DDTrace_HookData_getSourceFile, 0, 0, IS_STRING, 0) ZEND_END_ARG_INFO() @@ -37,6 +46,9 @@ ZEND_METHOD(DDTrace_HookData, span); ZEND_METHOD(DDTrace_HookData, unlimitedSpan); ZEND_METHOD(DDTrace_HookData, overrideArguments); ZEND_METHOD(DDTrace_HookData, overrideReturnValue); +ZEND_METHOD(DDTrace_HookData, overrideException); +ZEND_METHOD(DDTrace_HookData, suppressCall); +ZEND_METHOD(DDTrace_HookData, enableAdviceOnRecursiveCall); ZEND_METHOD(DDTrace_HookData, getSourceFile); @@ -52,6 +64,9 @@ static const zend_function_entry class_DDTrace_HookData_methods[] = { ZEND_ME(DDTrace_HookData, unlimitedSpan, arginfo_class_DDTrace_HookData_unlimitedSpan, ZEND_ACC_PUBLIC) ZEND_ME(DDTrace_HookData, overrideArguments, arginfo_class_DDTrace_HookData_overrideArguments, ZEND_ACC_PUBLIC) ZEND_ME(DDTrace_HookData, overrideReturnValue, arginfo_class_DDTrace_HookData_overrideReturnValue, ZEND_ACC_PUBLIC) + ZEND_ME(DDTrace_HookData, overrideException, arginfo_class_DDTrace_HookData_overrideException, ZEND_ACC_PUBLIC) + ZEND_ME(DDTrace_HookData, suppressCall, arginfo_class_DDTrace_HookData_suppressCall, ZEND_ACC_PUBLIC) + ZEND_ME(DDTrace_HookData, enableAdviceOnRecursiveCall, arginfo_class_DDTrace_HookData_enableAdviceOnRecursiveCall, ZEND_ACC_PUBLIC) ZEND_ME(DDTrace_HookData, getSourceFile, arginfo_class_DDTrace_HookData_getSourceFile, ZEND_ACC_PUBLIC) ZEND_FE_END }; diff --git a/ext/priority_sampling/priority_sampling.c b/ext/priority_sampling/priority_sampling.c index 572b1b364d9..e6685ed86ad 100644 --- a/ext/priority_sampling/priority_sampling.c +++ b/ext/priority_sampling/priority_sampling.c @@ -10,6 +10,8 @@ #include "../limiter/limiter.h" #include "ddshared.h" +#include "ddtrace.h" +#include "span.h" ZEND_EXTERN_MODULE_GLOBALS(ddtrace); @@ -308,7 +310,7 @@ zend_long ddtrace_fetch_priority_sampling_from_span(ddtrace_root_span_data *root return zval_get_long(&root_span->property_sampling_priority); } -DDTRACE_PUBLIC void ddtrace_set_priority_sampling_on_root(zend_long priority, enum dd_sampling_mechanism mechanism) { +void ddtrace_set_priority_sampling_on_root(zend_long priority, enum dd_sampling_mechanism mechanism) { ddtrace_root_span_data *root_span = DDTRACE_G(active_stack)->root_span; if (!root_span) { @@ -328,3 +330,9 @@ void ddtrace_set_priority_sampling_on_span(ddtrace_root_span_data *root_span, ze root_span->explicit_sampling_priority = true; } } + +DDTRACE_PUBLIC void ddtrace_set_priority_sampling_on_span_zobj(zend_object *root_span, zend_long priority, enum dd_sampling_mechanism mechanism) { + assert(root_span->ce == ddtrace_ce_root_span_data); + + ddtrace_set_priority_sampling_on_span(ROOTSPANDATA(root_span), priority, mechanism); +} diff --git a/ext/priority_sampling/priority_sampling.h b/ext/priority_sampling/priority_sampling.h index 5c9a18ede97..7d162a025fd 100644 --- a/ext/priority_sampling/priority_sampling.h +++ b/ext/priority_sampling/priority_sampling.h @@ -20,8 +20,9 @@ enum dd_sampling_mechanism { DD_MECHANISM_MANUAL = 4, }; -DDTRACE_PUBLIC void ddtrace_set_priority_sampling_on_root(zend_long priority, enum dd_sampling_mechanism mechanism); +void ddtrace_set_priority_sampling_on_root(zend_long priority, enum dd_sampling_mechanism mechanism); void ddtrace_set_priority_sampling_on_span(ddtrace_root_span_data *root_span, zend_long priority, enum dd_sampling_mechanism mechanism); +DDTRACE_PUBLIC void ddtrace_set_priority_sampling_on_span_zobj(zend_object *root_span, zend_long priority, enum dd_sampling_mechanism mechanism); zend_long ddtrace_fetch_priority_sampling_from_span(ddtrace_root_span_data *root_span); zend_long ddtrace_fetch_priority_sampling_from_root(void); void ddtrace_decide_on_closed_span_sampling(ddtrace_span_data *span); diff --git a/ext/span.c b/ext/span.c index c419033f53d..f08972b3470 100644 --- a/ext/span.c +++ b/ext/span.c @@ -14,6 +14,8 @@ #include "serializer.h" #include "ext/standard/php_string.h" #include +#include "user_request.h" +#include "zend_types.h" #define USE_REALTIME_CLOCK 0 #define USE_MONOTONIC_CLOCK 1 @@ -32,6 +34,10 @@ void ddtrace_init_span_stacks(void) { } static void dd_drop_span_nodestroy(ddtrace_span_data *span, bool silent) { + if (span->notify_user_req_end) { + ddtrace_user_req_notify_finish(span); + span->notify_user_req_end = false; + } span->duration = silent ? DDTRACE_SILENTLY_DROPPED_SPAN : DDTRACE_DROPPED_SPAN; } @@ -354,32 +360,17 @@ void ddtrace_push_root_span(void) { GC_DELREF(&span->std); } -DDTRACE_PUBLIC zval *ddtrace_root_span_get_meta(void) +DDTRACE_PUBLIC zend_object *ddtrace_get_root_span() { if (!DDTRACE_G(active_stack)) { return NULL; } - ddtrace_root_span_data *root_span = DDTRACE_G(active_stack)->root_span; - if (root_span == NULL) { + ddtrace_root_span_data *rsd = DDTRACE_G(active_stack)->root_span; + if (!rsd) { return NULL; } - - return &root_span->property_meta; -} - -DDTRACE_PUBLIC zval *ddtrace_root_span_get_metrics(void) -{ - if (!DDTRACE_G(active_stack)) { - return NULL; - } - - ddtrace_root_span_data *root_span = DDTRACE_G(active_stack)->root_span; - if (root_span == NULL) { - return NULL; - } - - return &root_span->property_metrics; + return &rsd->std; } bool ddtrace_span_alter_root_span_config(zval *old_value, zval *new_value) { @@ -594,6 +585,10 @@ void ddtrace_close_top_span_without_stack_swap(ddtrace_span_data *span) { } ddtrace_decide_on_closed_span_sampling(span); + if (span->notify_user_req_end) { + ddtrace_user_req_notify_finish(span); + span->notify_user_req_end = false; + } if (!stack->active || SPANDATA(stack->active)->stack != stack) { dd_close_entry_span_of_stack(stack); diff --git a/ext/span.h b/ext/span.h index 3f53d56463c..a5ff7a78c0e 100644 --- a/ext/span.h +++ b/ext/span.h @@ -72,7 +72,8 @@ struct ddtrace_span_data { uint64_t start; uint64_t duration_start; uint64_t duration; - enum ddtrace_span_dataype type; + enum ddtrace_span_dataype type : 8; + bool notify_user_req_end; struct ddtrace_span_data *next; struct ddtrace_root_span_data *root; @@ -181,9 +182,8 @@ static inline ddtrace_span_properties *ddtrace_active_span_props(void) { ddtrace_span_data *ddtrace_alloc_execute_data_span(zend_ulong invocation, zend_execute_data *execute_data); void ddtrace_clear_execute_data_span(zend_ulong invocation, bool keep); -// Note that these functions are used externally by the appsec extension. -DDTRACE_PUBLIC zval *ddtrace_root_span_get_meta(void); -DDTRACE_PUBLIC zval *ddtrace_root_span_get_metrics(void); +// Note that this function is used externally by the appsec extension. +DDTRACE_PUBLIC zend_object *ddtrace_get_root_span(void); void dd_trace_stop_span_time(ddtrace_span_data *span); bool ddtrace_has_top_internal_span(ddtrace_span_data *end); diff --git a/ext/user_request.c b/ext/user_request.c new file mode 100644 index 00000000000..37a43c60b38 --- /dev/null +++ b/ext/user_request.c @@ -0,0 +1,168 @@ +#include "user_request.h" +#include
+#include "configuration.h" +#include "ddtrace.h" +#include "ext/priority_sampling/priority_sampling.h" +#include "span.h" +#include "user_request_arginfo.h" +#include "zend_API.h" + +#define NS "DDTrace\\UserRequest\\" + +static struct { + ddtrace_user_req_listeners **listeners; + size_t size; +} reg_listeners; + +DDTRACE_PUBLIC bool ddtrace_user_req_add_listeners(ddtrace_user_req_listeners *listeners) +{ + if (strcmp(sapi_module.name, "cli") != 0) { + return false; + } + + reg_listeners.size += 1; + reg_listeners.listeners = realloc(reg_listeners.listeners, + sizeof(*reg_listeners.listeners) * reg_listeners.size); + reg_listeners.listeners[reg_listeners.size - 1] = listeners; + + return true; +} + +PHP_FUNCTION(DDTrace_UserRequest_has_listeners) +{ + if (zend_parse_parameters_none() == FAILURE) { + RETURN_FALSE; + } + + RETURN_BOOL(reg_listeners.size > 0); +} + +PHP_FUNCTION(DDTrace_UserRequest_notify_start) +{ + zend_object *span; + zend_array *array; + + ZEND_PARSE_PARAMETERS_START(2, 2) + Z_PARAM_OBJ_OF_CLASS_EX(span, ddtrace_ce_root_span_data, 0, 1) + Z_PARAM_ARRAY_HT(array) + ZEND_PARSE_PARAMETERS_END(); + + ddtrace_span_data *span_data = OBJ_SPANDATA(span); + if (span_data->duration != 0) { + php_error_docref(NULL, E_WARNING, "Span already finished"); + RETURN_NULL(); + } + if (span_data->notify_user_req_end) { + php_error_docref(NULL, E_WARNING, "Start of span already notified"); + RETURN_NULL(); + } + + zend_array *replacement_resp = NULL; + for (size_t i = 0; i < reg_listeners.size; i++) { + ddtrace_user_req_listeners *listener = reg_listeners.listeners[i]; + zend_array *repl = listener->start_user_req(listener, span, array); + if (repl != NULL && replacement_resp == NULL) { + replacement_resp = repl; + } else if (repl != NULL) { +#ifdef GC_TRY_DELREF + GC_TRY_DELREF(repl); +#else + GC_DELREF(repl); +#endif + if (GC_REFCOUNT(repl) == 0) { + zend_array_destroy(repl); + } + } + } + + span_data->notify_user_req_end = true; + + if (replacement_resp != NULL) { + RETURN_ARR(replacement_resp); + } else { + RETURN_NULL(); + } +} + +PHP_FUNCTION(DDTrace_UserRequest_notify_commit) +{ + zend_object *span; + zend_long status; + zend_array *headers; + + ZEND_PARSE_PARAMETERS_START(3, 3) + Z_PARAM_OBJ(span) + Z_PARAM_LONG(status) + Z_PARAM_ARRAY_HT(headers) + ZEND_PARSE_PARAMETERS_END(); + + zend_array *replacement_resp = NULL; + for (size_t i = 0; i < reg_listeners.size; i++) { + ddtrace_user_req_listeners *listener = reg_listeners.listeners[i]; + zend_array *repl = listener->response_committed(listener, span, status, headers); + if (repl != NULL && replacement_resp == NULL) { + replacement_resp = repl; + } else if (repl != NULL) { +#ifdef GC_TRY_DELREF + GC_TRY_DELREF(repl); +#else + GC_DELREF(repl); +#endif + if (GC_REFCOUNT(repl) == 0) { + zend_array_destroy(repl); + } + } + } + + if (replacement_resp != NULL) { + RETURN_ARR(replacement_resp); + } else { + RETURN_NULL(); + } +} + +void ddtrace_user_req_notify_finish(ddtrace_span_data *span) +{ + for (size_t i = 0; i < reg_listeners.size; i++) { + ddtrace_user_req_listeners *listener = reg_listeners.listeners[i]; + listener->finish_user_req(listener, &span->std); + } +} + +PHP_FUNCTION(DDTrace_UserRequest_set_blocking_function) +{ + UNUSED(return_value); + zend_object *span; + zval *callable; + + ZEND_PARSE_PARAMETERS_START(2, 2) + Z_PARAM_OBJ(span) + Z_PARAM_ZVAL(callable) + ZEND_PARSE_PARAMETERS_END(); + + for (size_t i = 0; i < reg_listeners.size; i++) { + ddtrace_user_req_listeners *listener = reg_listeners.listeners[i]; + listener->set_blocking_function(listener, span, callable); + } +} + +void ddtrace_user_request_startup() { + zend_register_functions(NULL, ext_functions, NULL, MODULE_PERSISTENT); +} + +void ddtrace_user_request_shutdown() +{ + for (size_t i = 0; i < reg_listeners.size; i++) { + ddtrace_user_req_listeners *listener = reg_listeners.listeners[i]; + if (listener->delete) { + listener->delete (listener); + } + } + free(reg_listeners.listeners); + reg_listeners.size = 0; + reg_listeners.listeners = NULL; + +#if PHP_VERSION_ID < 80300 + zend_unregister_functions(ext_functions, sizeof(ext_functions) / sizeof(zend_function_entry) - 1, NULL); +#endif +} diff --git a/ext/user_request.h b/ext/user_request.h new file mode 100644 index 00000000000..9cd1da68e02 --- /dev/null +++ b/ext/user_request.h @@ -0,0 +1,21 @@ +#pragma once + +#include "ddtrace.h" +#include "ddtrace_export.h" + +typedef struct _ddtrace_user_req_listeners ddtrace_user_req_listeners; +struct _ddtrace_user_req_listeners { + zend_array *(*start_user_req)(ddtrace_user_req_listeners *self, zend_object *span, zend_array *variables); + zend_array *(*response_committed)(ddtrace_user_req_listeners *self, zend_object *span, int status, zend_array *headers); + void (*finish_user_req)(ddtrace_user_req_listeners *self, zend_object *span); + void (*set_blocking_function)(ddtrace_user_req_listeners *self, zend_object *span, zval *blocking_function); + void (*delete)(ddtrace_user_req_listeners *self); +}; + +// exported +DDTRACE_PUBLIC bool ddtrace_user_req_add_listeners(ddtrace_user_req_listeners *listeners); + +void ddtrace_user_req_notify_finish(ddtrace_span_data *span); + +void ddtrace_user_request_startup(void); +void ddtrace_user_request_shutdown(void); diff --git a/ext/user_request.stub.php b/ext/user_request.stub.php new file mode 100644 index 00000000000..63e3d4fc786 --- /dev/null +++ b/ext/user_request.stub.php @@ -0,0 +1,39 @@ + array(values) + * @return array|null an array with the keys 'status', 'headers' and 'body', or null + */ + function notify_commit(\DDTrace\RootSpanData $span, int $status, array $headers): ?array {} + + /** + * Sets a function to be called when blocking a request midway. + * + * @param \DDTrace\RootSpanData $span + * @param callable $blockingFunction a blocking function taking an array with the keys 'status', 'headers', 'body' + * @return void + */ + function set_blocking_function(\DDTrace\RootSpanData $span, callable $blockingFunction): void {} +} + diff --git a/ext/user_request_arginfo.h b/ext/user_request_arginfo.h new file mode 100644 index 00000000000..8ac9e092e7d --- /dev/null +++ b/ext/user_request_arginfo.h @@ -0,0 +1,36 @@ +/* This is a generated file, edit the .stub.php file instead. + * Stub hash: 82769c0b1f283e7a1e9373763774229726d10ccb */ + +ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_DDTrace_UserRequest_has_listeners, 0, 0, _IS_BOOL, 0) +ZEND_END_ARG_INFO() + +ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_DDTrace_UserRequest_notify_start, 0, 2, IS_ARRAY, 1) + ZEND_ARG_OBJ_INFO(0, span, DDTrace\\RootSpanData, 0) + ZEND_ARG_TYPE_INFO(0, data, IS_ARRAY, 0) +ZEND_END_ARG_INFO() + +ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_DDTrace_UserRequest_notify_commit, 0, 3, IS_ARRAY, 1) + ZEND_ARG_OBJ_INFO(0, span, DDTrace\\RootSpanData, 0) + ZEND_ARG_TYPE_INFO(0, status, IS_LONG, 0) + ZEND_ARG_TYPE_INFO(0, headers, IS_ARRAY, 0) +ZEND_END_ARG_INFO() + +ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_DDTrace_UserRequest_set_blocking_function, 0, 2, IS_VOID, 0) + ZEND_ARG_OBJ_INFO(0, span, DDTrace\\RootSpanData, 0) + ZEND_ARG_TYPE_INFO(0, blockingFunction, IS_CALLABLE, 0) +ZEND_END_ARG_INFO() + + +ZEND_FUNCTION(DDTrace_UserRequest_has_listeners); +ZEND_FUNCTION(DDTrace_UserRequest_notify_start); +ZEND_FUNCTION(DDTrace_UserRequest_notify_commit); +ZEND_FUNCTION(DDTrace_UserRequest_set_blocking_function); + + +static const zend_function_entry ext_functions[] = { + ZEND_NS_FALIAS("DDTrace\\UserRequest", has_listeners, DDTrace_UserRequest_has_listeners, arginfo_DDTrace_UserRequest_has_listeners) + ZEND_NS_FALIAS("DDTrace\\UserRequest", notify_start, DDTrace_UserRequest_notify_start, arginfo_DDTrace_UserRequest_notify_start) + ZEND_NS_FALIAS("DDTrace\\UserRequest", notify_commit, DDTrace_UserRequest_notify_commit, arginfo_DDTrace_UserRequest_notify_commit) + ZEND_NS_FALIAS("DDTrace\\UserRequest", set_blocking_function, DDTrace_UserRequest_set_blocking_function, arginfo_DDTrace_UserRequest_set_blocking_function) + ZEND_FE_END +}; diff --git a/src/Integrations/Integrations/Roadrunner/RoadrunnerIntegration.php b/src/Integrations/Integrations/Roadrunner/RoadrunnerIntegration.php index d3cac4bb237..ffa6e2e07c9 100644 --- a/src/Integrations/Integrations/Roadrunner/RoadrunnerIntegration.php +++ b/src/Integrations/Integrations/Roadrunner/RoadrunnerIntegration.php @@ -2,10 +2,13 @@ namespace DDTrace\Integrations\Roadrunner; -use DDTrace\Tag; +use DDTrace\HookData; use DDTrace\Integrations\Integration; +use DDTrace\Tag; use DDTrace\Type; use DDTrace\Util\Normalizer; +use http\Exception\RuntimeException; +use function DDTrace\UserRequest\{notify_commit, notify_start, set_blocking_function}; /** * Roadrunner integration @@ -30,6 +33,73 @@ public function requiresExplicitTraceAnalyticsEnabling() return false; } + public static function build_req_spec(\Spiral\RoadRunner\Http\Request $req) { + $ret = array(); + + // _SERVER + $parsed_url = parse_url($req->uri); + if (!$parsed_url) { + return null; + } + + $server = [ + 'REMOTE_ADDR' => $req->remoteAddr, + 'SERVER_PROTOCOL' => $req->protocol, + 'REQUEST_METHOD' => $req->method, + 'REQUEST_URI' => ($parsed_url['path'] ?? '/') . + (empty($parsed_url['query']) ? '' : ('?' . $parsed_url['query'])), + 'HTTPS' => $parsed_url['scheme'] === 'https' ? 'on' : 'off', + 'SERVER_NAME' => $parsed_url['host'], + 'SERVER_PORT' => $parsed_url['port'] ?? ($parsed_url['scheme'] === 'https' ? 443 : 80), + 'HTTP_HOST' => $parsed_url['host'], // roadrunner doesn't include it + ]; + if (isset($parsed_url['query'])) { + $_SERVER['QUERY_STRING'] = $parsed_url['query']; + } + + foreach ($req->headers as $name => $values) { + $collapsedValue = implode(', ', $values); + $name = preg_replace("/[^A-Z\d]/", "_", strtoupper($name)); + $server["HTTP_$name"] = $collapsedValue; + } + + $ret['_SERVER'] = $server; + + // _GET + $ret['_GET'] = $req->query; + + // _POST + if ($req->parsed && isset($server['HTTP_CONTENT_TYPE']) && + strtolower($server['HTTP_CONTENT_TYPE']) == 'application/x-www-form-urlencoded') { + try { + $post = $req->getParsedBody(); + } catch (\JsonException $e) { + } + $ret['_POST'] = $post; + } + if (!isset($ret['_POST'])) { + $ret['_POST'] = array(); + } + + // _COOKIE + $ret['_COOKIE'] = $req->cookies; + + // _FILES + $ret['_FILES'] = array_map( + function ($upload) { + return [ + 'name' => $upload['name'], + 'type' => $upload['mime'], + 'tmp_name' => $upload['tmpName'], + 'error' => $upload['error'], + 'size' => $upload['size'], + ]; + }, + $req->uploads); + + return $ret; + } + /** * @return int */ @@ -46,28 +116,38 @@ public function init() $service = \ddtrace_config_app_name('roadrunner'); - \DDTrace\hook_method('Spiral\RoadRunner\Http\HttpWorker', 'waitRequest', [ - 'prehook' => function () use (&$activeSpan) { + $suppressResponse = null; + $recCall = 0; + + \DDTrace\install_hook('Spiral\RoadRunner\Http\HttpWorker::waitRequest', + function () use (&$activeSpan, &$suppressResponse) { if ($activeSpan) { \DDTrace\close_spans_until($activeSpan); \DDTrace\close_span(); } + $activeSpan = null; + $suppressResponse = null; }, - 'posthook' => function ($worker, $scope, $args, $retval, $exception) use (&$activeSpan, $integration, $service) { - if (!$retval && !$exception) { + function (HookData $hook) use (&$activeSpan, &$suppressResponse, $integration, $service, &$recCall) { + /** @var ?\Spiral\RoadRunner\Http\Request $retval */ + $retval = $hook->returned; + if (!$retval && !$hook->exception) { return; // shutdown } + if (!empty($hook->args)) { + return; + } - /** @var ?\Spiral\RoadRunner\Http\Request $retval */ $activeSpan = \DDTrace\start_trace_span(); + $activeSpan->service = $service; $activeSpan->name = "web.request"; $activeSpan->type = Type::WEB_SERVLET; $activeSpan->meta[Tag::COMPONENT] = RoadrunnerIntegration::NAME; $activeSpan->meta[Tag::SPAN_KIND] = 'server'; $integration->addTraceAnalyticsIfEnabled($activeSpan); - if ($exception) { - $activeSpan->exception = $exception; + if ($hook->exception) { + $activeSpan->exception = $hook->exception; \DDTrace\close_span(); $activeSpan = null; } else { @@ -114,36 +194,102 @@ public function init() $activeSpan->resource = $retval->method . " " . $normalizedPath; $activeSpan->meta["http.method"] = $retval->method; $activeSpan->meta["http.url"] = Normalizer::urlSanitize($retval->uri); - } - } - ]); - \DDTrace\hook_method('Spiral\RoadRunner\Http\HttpWorker', 'respond', [ - 'posthook' => function ($worker, $scope, $args, $retval, $exception) use (&$activeSpan) { - if ($activeSpan) { - /** @var int $status */ - $status = $args[0]; - /** @var string[][] $headerList */ - $headerList = $args[2]; + $res = notify_start($activeSpan, RoadrunnerIntegration::build_req_spec($retval)); + if ($res) { + // block on start + RoadrunnerIntegration::ensure_headers_map_fmt($res['headers']); - $activeSpan->meta["http.status_code"] = $status; - $activeSpan->meta[Tag::COMPONENT] = RoadrunnerIntegration::NAME; - $allowedHeaders = \dd_trace_env_config("DD_TRACE_HEADER_TAGS"); - foreach ($headerList as $header => $headers) { - $normalizedHeader = preg_replace("([^a-z0-9-])", "_", strtolower($header)); - if (\array_key_exists($normalizedHeader, $allowedHeaders)) { - $activeSpan->meta["http.response.headers.$normalizedHeader"] = implode(", ", $headers); + $this->respond($res['status'], $res['body'] ?? '', $res['headers']); + \DDTrace\close_span(); + $activeSpan = null; + + // Ideally, I would call the method again to prevent the worker from + // exiting after returning null, but this hook wouldn't be called for such + // a recursive call + $hook->enableAdviceOnRecursiveCall(); + if ($recCall++ > 128) { + // too many recursive calls. Exit so that the worker can be restarted + $hook->overrideReturnValue(null); + $this->getWorker()->stop(); + return; } + $newRet = $this->waitRequest(); + $hook->overrideReturnValue($newRet); + $recCall = 0; + } else { + $thiz = $this; + // to support block midrequest + set_blocking_function($activeSpan, + static function ($res) use (&$activeSpan, &$suppressResponse, $thiz) { + RoadrunnerIntegration::ensure_headers_map_fmt($res['headers']); + $thiz->respond($res['status'], $res['body'] ?? '', $res['headers']); + $suppressResponse = $activeSpan; + throw new \RuntimeException('Request blocked by AppSec'); + }); } - if ($exception && empty($activeSpan->exception)) { - $activeSpan->exception = $exception; - } elseif ($status >= 500 && $ex = \DDTrace\find_active_exception()) { - $activeSpan->exception = $ex; + } + }); + + \DDTrace\install_hook('Spiral\RoadRunner\Http\HttpWorker::respond', + function (HookData $hook) use (&$activeSpan, &$suppressResponse) { + if (!$activeSpan || count($hook->args) < 3) { + return; + } + + if ($suppressResponse === $activeSpan) { + // we're blocking midrequest and trying to second a second response. + // (Maybe the application caught the RuntimeException thrown by the blocking function, and + // now it's trying to respond with a 500) + // Suppress this second response + $hook->suppressCall(); + return; + } + + $blocking = notify_commit($activeSpan, $hook->args[0], $hook->args[2]); + if ($blocking) { + $hook->args[0] = $blocking['status']; + $hook->args[1] = $blocking['body']; + $hook->args[2] = RoadrunnerIntegration::ensure_headers_map_fmt($blocking['headers']); + $hook->overrideArguments($hook->args); + } + }, + function (HookData $hook) use (&$activeSpan, &$suppressResponse) { + if (!$activeSpan || count($hook->args) < 3) { + return; + } + + /** @var int $status */ + $status = $hook->args[0]; + /** @var string[][] $headerList */ + $headerList = $hook->args[2]; + + $activeSpan->meta["http.status_code"] = $status; + $activeSpan->meta[Tag::COMPONENT] = RoadrunnerIntegration::NAME; + $allowedHeaders = \dd_trace_env_config("DD_TRACE_HEADER_TAGS"); + foreach ($headerList as $header => $headers) { + $normalizedHeader = preg_replace("([^a-z0-9-])", "_", strtolower($header)); + if (\array_key_exists($normalizedHeader, $allowedHeaders)) { + $activeSpan->meta["http.response.headers.$normalizedHeader"] = implode(", ", $headers); } } + if ($hook->exception && empty($activeSpan->exception)) { + $activeSpan->exception = $hook->exception; + } elseif ($status >= 500 && $ex = \DDTrace\find_active_exception()) { + $activeSpan->exception = $ex; + } } - ]); + ); return Integration::LOADED; } + + public static function ensure_headers_map_fmt(&$arr) { + foreach ($arr as $k => $v) { + if (!is_array($v)) { + $arr[$k] = [(string)$v]; + } + } + return $arr; + } } diff --git a/zend_abstract_interface/interceptor/php7/interceptor.c b/zend_abstract_interface/interceptor/php7/interceptor.c index fa4d74838c2..6b0663198ec 100644 --- a/zend_abstract_interface/interceptor/php7/interceptor.c +++ b/zend_abstract_interface/interceptor/php7/interceptor.c @@ -176,7 +176,15 @@ static inline int zai_interceptor_ext_nop_handler_no_prev(zend_execute_data *exe } } - return ZEND_USER_OPCODE_DISPATCH; + if (&execute_data->func->op_array == op_array) { + return ZEND_USER_OPCODE_DISPATCH; + } else { + // the code was changed, so instead of executing the original handler of + // opline->opcode (gotten via zend_vm_get_opcode_handler_func), + // we return ZEND_USER_OPCODE_CONTINUE so that user opcode handler + // of the new execute_data->opline is executed + return ZEND_USER_OPCODE_CONTINUE; + } } static int zai_interceptor_ext_nop_handler(zend_execute_data *execute_data) {