Sandbox curl (PHP 7) #814
Sandbox curl (PHP 7) #814
Conversation
PHP 5 is stubbed out, but doesn't do anything.
Put ddtrace_curl_handlers_startup behind it.
Note that PHP 5 is stubbed out and doesn't sandbox.
The signature of zend_lookup_class_ex changed from taking "should autoload?" to taking flags. This is not documented in UPGRADING.INTERNALS. Note there is a change there about the "key" changing from zval* to zend_string*; we do not use this arg, so we avoid that change.
There was a problem hiding this comment.
Lovely PR @morrisonlevi! I left some questions and feedback. :)
| static void ddtrace_activate(void) {} | ||
| static void ddtrace_deactivate(void) {} | ||
|
|
||
| static zend_extension _dd_zend_extension_entry = {"ddtrace", |
There was a problem hiding this comment.
Do we know for sure if running as a Zend extension hybrid will have any side effects? Especially from the perspective of neighboring extensions?
There was a problem hiding this comment.
I'm not sure. The only bits of the zend_extension we are using in this PR is the startup -- that should be very safe.
| PHP5_UNUSED(extension); | ||
| PHP7_UNUSED(extension); | ||
|
|
||
| ddtrace_curl_handlers_startup(); |
There was a problem hiding this comment.
Given we make _dd_ext_curl_loaded atomic, would having a one-time RINIT feature achieve this same functionality without having to run as a Zend extension hybrid?
There was a problem hiding this comment.
No. The handlers must be overwritten in startup/minit -- rinit is too late. Doing it in minit will not work reliably if the extension we want to change the handlers for is loaded as a shared object, because then we have possible load order issues.
In other words, it's only safe in startup and minit and minit is too early. I think startup is literally the only place we can do this safely.
There was a problem hiding this comment.
I see why doing it in MINIT is too early, but what makes RINIT too late? Doing it for every RINIT doesn't make sense, but doing it in a one-time RINIT would allow us to avoid running as a zend extension hybrid, no? Is there something that makes it unsafe to do in RINIT at all?
I guess ultimately my concern is really about converting to a zend extension hybrid which in my opinion has more unknowns in terms of side effects versus a one-time RINIT feature. But if that's our only option, let's definitely do some nice-neighbor framework testing. :)
There was a problem hiding this comment.
Replacing an internal function handler in RINIT would only be safe for NTS builds, and I seem to remember a conversation in Stack Overflow PHP chat about how it may not be valid at all with JIT -- I'll try to dig that up.
Doing it in zend_extension startup should always be safe.
| PHP_RSHUTDOWN(ddtrace), | ||
| PHP_MINFO(ddtrace), | ||
| PHP_DDTRACE_VERSION, | ||
| PHP_MODULE_GLOBALS(ddtrace), |
src/ext/php7/curl_handlers.c
Outdated
| _dd_curl_close_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU); | ||
| } | ||
|
|
||
| static void _dd_instrument_curl_close(void) { |
There was a problem hiding this comment.
I'm a bit confused by this function name as it mentions instrumentation but I don't see any instrumentation logic. I'm guessing this is just a hook for the custom handler?
Same goes for _dd_instrument_curl_copy_handle(), _dd_instrument_curl_exec(), _dd_instrument_curl_setopt(), and _dd_instrument_curl_setopt_array() below. :)
There was a problem hiding this comment.
This series of functions overrides the internal function handlers -- I could change "instrument" to "install"?
src/ext/php7/curl_handlers.c
Outdated
|
|
||
| zval *curl_var = zend_call_method_with_0_params(NULL, NULL, NULL, "curl_init", &retval); | ||
| if (curl_var && Z_TYPE_P(curl_var) == IS_RESOURCE) { | ||
| le_curl = Z_RES_P(curl_var)->type; |
If we expand this technique to other extensions (like PDO), then the files will be next to each other for convenience.
There was a problem hiding this comment.
Nicely done. This just needs, milestone, labels, and changelog, but other than that it's good to go. Solid work @morrisonlevi!
morrisonlevi
added
c-extension
|
Everything still look good after testing on the nice-neighbor framework and also running a |
Signed-off-by: Bob Weinand <bob.weinand@datadoghq.com> Add SSRF Rasp capability (#814) Signed-off-by: Bob Weinand <bob.weinand@datadoghq.com>
…og changes (#3005) * refactor: add feature_flag to Cargo.toml according to libdatadog changes * change reference to libdatadog * Make cbindgen Signed-off-by: Bob Weinand <bob.weinand@datadoghq.com> * Bump the minimum rust version to 1.78 Signed-off-by: Bob Weinand <bob.weinand@datadoghq.com> * test: fix prof asan nightly version * Avoid undefined symbol errors in test run Signed-off-by: Bob Weinand <bob.weinand@datadoghq.com> Add SSRF Rasp capability (#814) Signed-off-by: Bob Weinand <bob.weinand@datadoghq.com> --------- Signed-off-by: Bob Weinand <bob.weinand@datadoghq.com> Co-authored-by: Bob Weinand <bob.weinand@datadoghq.com> Co-authored-by: Levi Morrison <levi.morrison@datadoghq.com>
Description
This sandboxes curl on PHP 7. It has two parts:
curl_execto make a span and add meta.curl_exec,curl_copy_handle,curl_close,curl_setopt, andcurl_setopt_arrayto gather headers and to inject distributed tracing headers.Some calls are not sandboxed yet, and there are a few other todo comments in the code.
Readiness checklist
Reviewer checklist