Roadrunner appsec support #2443

cataphract · 2023-12-29T16:56:08Z

Description

Adds AppSec support for RoadRunner.
Adds integration tests to AppSec
Adds (limited) ability to suppress function calls, to throw exceptions from advice, and to do recursive calls in advice.

Reviewer checklist

Test coverage seems ok.
Appropriate labels assigned.

Tickets

APPSEC-14734 APPSEC-12702 APPSEC-12703 APPSEC-12705

zend_abstract_interface/interceptor/php7/interceptor.c

ext/hook/uhook.c

ext/hook/uhook.stub.php

ext/hook/uhook.c

ext/ddtrace.c

ext/hook/uhook.c

bwoebi

Ack for the uhook changes :-)

Maybe emit a LOG() line if suppressCall is attempted on an internal function, but that's it.

ext/hook/uhook.stub.php

src/Integrations/Integrations/Roadrunner/RoadrunnerIntegration.php

ext/user_request.stub.php

ext/user_request.c

Anilm3

Still a lot to look through...

appsec/CMakeLists.txt

appsec/src/extension/ddappsec.h

appsec/src/extension/ddtrace.c

appsec/src/extension/ddappsec.c

appsec/src/extension/msgpack_helpers.c

estringana · 2024-01-12T08:49:46Z

appsec/src/extension/ddappsec.c

+        DDAPPSEC_G(enabled) = get_DD_APPSEC_ENABLED() ? APPSEC_FULLY_ENABLED
+                                                      : APPSEC_FULLY_DISABLED;
+        DDAPPSEC_G(active) = get_DD_APPSEC_ENABLED() ? true : false;
+        DDAPPSEC_G(to_be_configured) = false;


Not sure If I missed something but, when appsec is enabled dynamically by remote config, it status can change many times. So saying it does not have to be configure sounds confusing.

"To be configured" means "yet to be configured" (=not configured yet") or "it is to be configured" (=it's arranged/programmed for it to be configured in the future"). The purpose of this setting is just to indicate in MINIT if we got a configuration setting for the state of remote config yet (if, for instance, we can't contact the daemon, then to_be_configured will stay with the value true). In this branch, appsec is explicitly enabled or disabled, so we're never waiting for a setting from remote config. Does this make sense? I also added some comments in bbdb003

pr-commenter · 2024-01-16T13:14:47Z

Benchmarks

Benchmark execution time: 2024-01-16 18:34:11

Comparing candidate commit 5fa4475 in PR branch glopes/roadrunner with baseline commit 32251e3 in branch master.

Found 2 performance improvements and 1 performance regressions! Performance is the same for 38 metrics, 49 unstable metrics.

scenario:HookBench/benchHookOverheadInstallHookOnFunction

🟥 execution_time [+24.981µs; +57.154µs] or [+3.289%; +7.525%]

scenario:PHPRedisBench/benchRedisBaseline

🟩 execution_time [-351.544µs; -184.114µs] or [-11.649%; -6.101%]

scenario:PHPRedisBench/benchRedisOverhead

🟩 execution_time [-404.658µs; -247.311µs] or [-12.636%; -7.722%]

cataphract requested review from a team as code owners December 29, 2023 16:56

Base automatically changed from glopes/exec-integration to master December 29, 2023 17:45

cataphract force-pushed the glopes/roadrunner branch from aa950e2 to 150d4c8 Compare December 31, 2023 19:43

cataphract force-pushed the glopes/roadrunner branch from 150d4c8 to 1f674a6 Compare January 8, 2024 09:58