
Implement LFI

Open estringana opened this issue 1 year ago • 4 comments

Description

This PR implements the first exploit prevention added to PHP. That means that apart from wrapping the LFI PHP functions, it also implements everything else needed to report exploits. This PR consists of:

  • Wrapped certain file operations
    • file_get_contents
    • file_put_contents
    • fopen
    • readfile
  • Add exploit prevention metrics
  • Add LFI capability to RC
  • Add rasp configurations

Related Jiras: APPSEC-52929, APPSEC-53812, APPSEC-53813

estringana avatar Jul 23 '24 11:07 estringana
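The description says the four file functions are wrapped so that LFI attempts can be reported. As an added illustration, not dd-trace-php's own code, the following user-land PHP sketch shows one way a wrapper can decide that a call is an exploit attempt and report it: ALLOWED_BASE, canonical(), lfiSuspicious() and wrappedFileGetContents() are names assumed for this demo, and the real extension hooks the built-ins natively and attaches a backtrace to the report.

```php
<?php
// Added illustration, not dd-trace-php code: a user-land model of the PR's
// "wrapped file operations". The real integration hooks the built-ins from the
// extension; here the wrapper is an ordinary function so it runs stand-alone.

const ALLOWED_BASE = '/var/www/app/templates'; // assumed legitimate read root

// Lexically resolve '.' and '..' so the check does not need the file to exist.
function canonical(string $path): string
{
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// LFI signal: a request parameter value is embedded in the path AND the
// resolved path escapes the allowed base directory.
function lfiSuspicious(string $path, array $requestParams): bool
{
    $escapes = !str_starts_with(canonical($path), ALLOWED_BASE . '/');
    $userControlled = false;
    foreach ($requestParams as $value) {
        if (is_string($value) && $value !== '' && str_contains($path, $value)) {
            $userControlled = true;
        }
    }
    return $escapes && $userControlled;
}

// Wrapper for one of the four functions the PR covers; the same shape applies
// to file_put_contents, fopen and readfile. The extension's report also
// attaches a backtrace; here it is just a log line.
function wrappedFileGetContents(string $filename, array $requestParams): string|false
{
    if (lfiSuspicious($filename, $requestParams)) {
        error_log(sprintf('[appsec] LFI attempt via file_get_contents(): %s', $filename));
        return false; // blocking mode; monitoring mode would still call the original
    }
    return file_get_contents($filename);
}

// Constructed requests: a traversal attempt and a legitimate template name.
$attack = ['page' => '../../../../etc/passwd'];
var_dump(lfiSuspicious(ALLOWED_BASE . '/' . $attack['page'], $attack));
$normal = ['page' => 'home.html'];
var_dump(lfiSuspicious(ALLOWED_BASE . '/' . $normal['page'], $normal));
```

The first call flags the request because the resolved path is /etc/passwd and the value came from a request parameter; the second stays inside the base directory and is allowed through to the original function.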

Codecov Report

:x: Patch coverage is 39.70588% with 41 lines in your changes missing coverage. Please review. :white_check_mark: Project coverage is 72.75%. Comparing base (8273bb7) to head (1526965). :warning: Report is 489 commits behind head on master.

Files with missing lines Patch % Lines
.../Integrations/Filesystem/FilesystemIntegration.php 0.00% 37 Missing :warning:
appsec/src/extension/ddappsec.c 87.50% 0 Missing and 2 partials :warning:
appsec/src/extension/tags.c 75.00% 1 Missing and 1 partial :warning:

:x: Your patch status has failed because the patch coverage (39.70%) is below the target coverage (90.00%). You can increase the patch coverage or adjust the target coverage.


@@             Coverage Diff              @@
##             master    #2770      +/-   ##
============================================
- Coverage     72.90%   72.75%   -0.16%     
- Complexity     2741     2750       +9     
============================================
  Files           137      138       +1     
  Lines         14978    15038      +60     
  Branches       1016     1020       +4     
============================================
+ Hits          10920    10941      +21     
- Misses         3506     3543      +37     
- Partials        552      554       +2     
Flag Coverage Δ
appsec-extension 67.97% <87.09%> (+0.13%) :arrow_up:
tracer-php 74.56% <0.00%> (-0.26%) :arrow_down:

Flags with carried forward coverage won't be shown.

Files with missing lines Coverage Δ
appsec/src/extension/backtrace.c 70.88% <100.00%> (+0.18%) :arrow_up:
appsec/src/extension/commands/request_exec.c 100.00% <100.00%> (ø)
appsec/src/extension/configuration.h 100.00% <ø> (ø)
appsec/src/extension/user_tracking.c 71.69% <100.00%> (ø)
appsec/src/extension/ddappsec.c 79.07% <87.50%> (+1.20%) :arrow_up:
appsec/src/extension/tags.c 79.80% <75.00%> (-0.07%) :arrow_down:
.../Integrations/Filesystem/FilesystemIntegration.php 0.00% <0.00%> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 8273bb7...1526965.

codecov-commenter avatar Jul 23 '24 11:07 codecov-commenter

Benchmarks

Benchmark execution time: 2024-09-20 09:39:55

Comparing candidate commit eb254e3862d137e6319ac91b76121b15ddff8ede in PR branch estringana/implement-lfi with baseline commit 339adfc7dc1eecbe94d48f5cd45dec90ed674976 in branch estringana/add-appsec-benchmarks.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 11 metrics, 0 unstable metrics.

scenario:WordPressBench/benchWordPressOverhead-appsec

  • 🟥 execution_time [+3.357ms; +3.691ms] or [+12.342%; +13.570%]

pr-commenter[bot] avatar Jul 23 '24 11:07 pr-commenter[bot]

Benchmarks [ appsec ]

Benchmark execution time: 2024-12-12 12:15:08

Comparing candidate commit 15269656601270579c4c5286e53191f069f88a29 in PR branch estringana/implement-lfi with baseline commit 8273bb78249deae2ea735e856a288145aa67799b in branch master.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 11 metrics, 0 unstable metrics.

scenario:WordPressBench/benchWordPressOverhead-appsec

  • 🟥 execution_time [+2.122ms; +2.596ms] or [+7.677%; +9.391%]

pr-commenter[bot] avatar Sep 12 '24 11:09 pr-commenter[bot]

Benchmarks [ tracer ]

Benchmark execution time: 2024-12-12 12:06:09

Comparing candidate commit 15269656601270579c4c5286e53191f069f88a29 in PR branch estringana/implement-lfi with baseline commit 8273bb78249deae2ea735e856a288145aa67799b in branch master.

Found 2 performance improvements and 1 performance regressions! Performance is the same for 175 metrics, 0 unstable metrics.

scenario:PDOBench/benchPDOBaseline

  • 🟥 execution_time [+9.574µs; +17.030µs] or [+5.298%; +9.425%]

scenario:TraceFlushBench/benchFlushTrace

  • 🟩 execution_time [-1000.000ns; -1000.000ns] or [-50.000%; -50.000%]

scenario:TraceSerializationBench/benchSerializeTrace

  • 🟩 execution_time [-10.047µs; -4.453µs] or [-4.876%; -2.161%]

pr-commenter[bot] avatar Sep 16 '24 07:09 pr-commenter[bot]