Add include/require sinks for path traversal #1115
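# CI pipeline for the Aikido PHP firewall:
#   build_libs           -> Go agent + request-processor shared objects
#   build_php_extension  -> PHP extension per PHP version (matrix)
#   build_rpm / build_deb -> system packages built from the artifacts above
#   test_php_centos / test_php_ubuntu -> CLI + server test suites per PHP/server
# Also exposed via workflow_call so other workflows can reuse it.
name: Build

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_call:

# Least privilege for GITHUB_TOKEN: the steps below only check out the
# repository and exchange artifacts (upload/download-artifact use the Actions
# runtime token, not GITHUB_TOKEN), so read access is all that is needed.
permissions:
  contents: read

jobs:
  build_libs:
    # NOTE(review): the older runner image looks deliberate, since build_rpm
    # rejects newer GLIBC/GLIBCXX symbols; keep the two in sync when bumping.
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y protobuf-compiler protobuf-compiler-grpc
      # The protoc plugins resolve at @latest, i.e. they are not pinned; pin a
      # version here if reproducible builds are wanted.
      - name: GO setup
        run: |
          go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
          go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
          echo "$HOME/go/bin" >> "$GITHUB_PATH"
      # Version is read from the single source of truth in php_aikido.h.
      - name: Get Aikido version
        run: |
          AIKIDO_VERSION=$(grep '#define PHP_AIKIDO_VERSION' lib/php-extension/include/php_aikido.h | awk -F'"' '{print $2}')
          echo "$AIKIDO_VERSION"
          echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> "$GITHUB_ENV"
          echo "AIKIDO_INTERNALS_REPO=https://api.github.com/repos/AikidoSec/zen-internals" >> "$GITHUB_ENV"
      - name: Build Aikido Agent
        run: |
          cd lib
          protoc --go_out=agent --go-grpc_out=agent ipc.proto
          cd agent
          go get main/ipc/protos
          go get google.golang.org/grpc
          go get github.com/stretchr/testify/assert
          go test ./...
          go build -ldflags "-s -w" -buildmode=c-shared -o ../../build/aikido-agent.so
          ls -l ../../build
      - name: Build Aikido Request Processor
        run: |
          ls -l ${{ github.workspace }}/build/
          cd lib
          protoc --go_out=request-processor --go-grpc_out=request-processor ipc.proto
          cd request-processor
          go mod tidy
          go get google.golang.org/grpc
          go get github.com/stretchr/testify/assert
          go get main/ipc/protos
          go test ./...
          go build -ldflags "-s -w" -buildmode=c-shared -o ../../build/aikido-request-processor.so
          ls -l ../../build
      - name: Archive agent
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: aikido-agent
          if-no-files-found: error
          path: |
            ${{ github.workspace }}/build/aikido-agent.so
      - name: Archive request processor
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: aikido-request-processor
          if-no-files-found: error
          path: |
            ${{ github.workspace }}/build/aikido-request-processor.so

  build_php_extension:
    runs-on: ubuntu-20.04
    strategy:
      matrix:
        php_version: ['7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
      fail-fast: false
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y autoconf bison re2c libxml2-dev libssl-dev libcurl4-gnutls-dev
      - name: Get Aikido version
        run: |
          AIKIDO_VERSION=$(grep '#define PHP_AIKIDO_VERSION' lib/php-extension/include/php_aikido.h | awk -F'"' '{print $2}')
          echo "$AIKIDO_VERSION"
          echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> "$GITHUB_ENV"
          echo "AIKIDO_ARTIFACT=aikido-extension-php-${{ matrix.php_version }}" >> "$GITHUB_ENV"
      # NOTE(review): this job uses the AikidoSec fork of setup-php while
      # test_php_ubuntu uses shivammathur/setup-php — confirm that is intended.
      - name: Setup PHP
        uses: AikidoSec/setup-php@v2
        with:
          php-version: ${{ matrix.php_version }}
          extensions: curl
          coverage: none
      - name: Check PHP setup
        run: |
          which php
          php -v
          php -i
      - name: Build extension
        run: |
          cd ${{ github.workspace }}
          rm -rf build
          mkdir build
          cd lib/php-extension
          phpize
          cd ../../build
          CXX=g++ CXXFLAGS="-fPIC -O2 -I../lib/php-extension/include" LDFLAGS="-lstdc++" ../lib/php-extension/configure
          make
      - name: Version Aikido extension
        run: |
          cd ${{ github.workspace }}/build/modules
          mv aikido.so ${{ env.AIKIDO_ARTIFACT }}.so
      # The .diff files are run-tests output and are only present on failures.
      - name: Archive build artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: ${{ env.AIKIDO_ARTIFACT }}
          if-no-files-found: error
          path: |
            ${{ github.workspace }}/build/modules/${{ env.AIKIDO_ARTIFACT }}.so
            ${{ github.workspace }}/tests/*.diff

  build_rpm:
    runs-on: ubuntu-latest
    container:
      image: centos:latest
    needs: [ build_libs, build_php_extension ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      # centos:latest is served from the vault mirrors only, hence the repo rewrite.
      - name: Install rpmdevtools
        run: |
          cd /etc/yum.repos.d/
          sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
          sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
          yum -y install epel-release
          yum -y install rpmdevtools
          yum -y install jq
      - name: Get Aikido version
        run: |
          AIKIDO_VERSION=$(grep '#define PHP_AIKIDO_VERSION' lib/php-extension/include/php_aikido.h | awk -F'"' '{print $2}')
          echo "$AIKIDO_VERSION"
          echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> "$GITHUB_ENV"
          echo "AIKIDO_INTERNALS_REPO=https://api.github.com/repos/AikidoSec/zen-internals" >> "$GITHUB_ENV"
          echo "AIKIDO_INTERNALS_LIB=libzen_internals_x86_64-unknown-linux-gnu.so" >> "$GITHUB_ENV"
      # Without merge-multiple each artifact lands in a directory named after it,
      # which is what the paths in "Prepare rpm package" rely on.
      - name: Download PHP extension artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: |
            aikido-extension-php-*
      - name: Download agent artifact
        uses: actions/download-artifact@v4
        with:
          pattern: |
            aikido-agent*
      - name: Download request processor artifact
        uses: actions/download-artifact@v4
        with:
          pattern: |
            aikido-request-processor*
      # Fetches whatever zen-internals release is newest at build time and ships
      # it inside the RPM unchanged. curl -f makes an HTTP error fail the step
      # instead of saving the error page under the library's name, and the empty
      # check catches a missing asset. To make the package reproducible and
      # verifiable, pin a release tag here and check the asset against the
      # checksum published with that release before packaging.
      - name: Download Aikido Zen Internals Lib
        run: |
          ASSET_URL=$(curl -fsS ${{ env.AIKIDO_INTERNALS_REPO }}/releases/latest | jq -r ".assets[] | select(.name == \"${{ env.AIKIDO_INTERNALS_LIB }}\") | .browser_download_url")
          test -n "$ASSET_URL"
          curl -fL -o ${{ env.AIKIDO_INTERNALS_LIB }} "$ASSET_URL"
      # 755 rather than 777: these files are packaged into a system-wide RPM and
      # nothing here needs other users to write to them; world-writable shared
      # objects in an installed package are a local tampering risk.
      - name: Prepare rpm package
        run: |
          mv aikido-agent/aikido-agent.so package/rpm/opt/aikido/aikido-agent.so
          mv aikido-request-processor/aikido-request-processor.so package/rpm/opt/aikido/aikido-request-processor.so
          mv ${{ env.AIKIDO_INTERNALS_LIB }} package/rpm/opt/aikido/${{ env.AIKIDO_INTERNALS_LIB }}
          mv aikido-extension-php-*/build/modules/aikido-extension-php-* package/rpm/opt/aikido/
          mv package/rpm/opt/aikido package/rpm/opt/aikido-${{ env.AIKIDO_VERSION }}
          chmod 755 package/rpm/opt/aikido-${{ env.AIKIDO_VERSION }}/*
          rpmdev-setuptree
          mkdir -p ~/rpmbuild/SOURCES/aikido-php-firewall-${{ env.AIKIDO_VERSION }}
          cp -rf package/rpm/opt ~/rpmbuild/SOURCES/aikido-php-firewall-${{ env.AIKIDO_VERSION }}/
          cp -f package/rpm/aikido.spec ~/rpmbuild/SPECS/
      - name: Setup RPM for prod
        run: |
          echo "AIKIDO_ARTIFACT=aikido-php-firewall-$AIKIDO_VERSION-1.x86_64.rpm" >> "$GITHUB_ENV"
          sed -i "s/aikido.so/aikido-${{ env.AIKIDO_VERSION }}.so/" ~/rpmbuild/SOURCES/aikido-php-firewall-${{ env.AIKIDO_VERSION }}/opt/aikido-${{ env.AIKIDO_VERSION }}/aikido.ini
      - name: Build rpm package
        run: |
          cd ~/rpmbuild/SOURCES
          tar czvf ~/rpmbuild/SOURCES/aikido-php-firewall-${{ env.AIKIDO_VERSION }}.tar.gz *
          rm -rf ~/rpmbuild/SOURCES/aikido-php-firewall-${{ env.AIKIDO_VERSION }}
          rpmbuild -ba ~/rpmbuild/SPECS/aikido.spec
          ls -l ~/rpmbuild/RPMS/x86_64/
      # Reject packages that require glibc/libstdc++ symbols newer than the
      # targeted distros. Capturing the deplist first lets a yum failure abort
      # the step (the default run shell uses -e) instead of being hidden behind
      # the grep pipeline and reported as "no newer symbols".
      - name: Check rpm dependencies
        run: |
          DEPLIST=$(yum deplist ~/rpmbuild/RPMS/x86_64/${{ env.AIKIDO_ARTIFACT }})
          if echo "$DEPLIST" | grep -E "GLIBC_2.32|GLIBC_2.34|GLIBCXX_3.4.29"; then
            exit 1
          fi
      - name: Archive rpm package
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.AIKIDO_ARTIFACT }}
          if-no-files-found: error
          path: |
            ~/rpmbuild/RPMS/x86_64/${{ env.AIKIDO_ARTIFACT }}

  build_deb:
    runs-on: ubuntu-20.04
    needs: [ build_rpm ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: |
            aikido-php-firewall-*
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y alien
      - name: Get Aikido version
        run: |
          AIKIDO_VERSION=$(grep '#define PHP_AIKIDO_VERSION' lib/php-extension/include/php_aikido.h | awk -F'"' '{print $2}')
          echo "$AIKIDO_VERSION"
          echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> "$GITHUB_ENV"
          echo "AIKIDO_RPM=aikido-php-firewall-$AIKIDO_VERSION-1.x86_64.rpm" >> "$GITHUB_ENV"
          echo "AIKIDO_ARTIFACT=aikido-php-firewall-$AIKIDO_VERSION-1.x86_64.deb" >> "$GITHUB_ENV"
      # The deb is a straight conversion of the RPM (alien), then renamed to the
      # x86_64 naming used by the rest of the pipeline.
      - name: Build deb
        run: |
          sudo alien --to-deb --scripts --keep-version ${{ env.AIKIDO_RPM }}/${{ env.AIKIDO_RPM }}
          ls -l
          mv aikido-php-firewall_${{ env.AIKIDO_VERSION }}-1_amd64.deb ${{ env.AIKIDO_ARTIFACT }}
      - name: Archive deb package
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.AIKIDO_ARTIFACT }}
          if-no-files-found: error
          path: |
            ${{ env.AIKIDO_ARTIFACT }}

  test_php_centos:
    runs-on: ubuntu-latest
    container:
      image: centos:latest
    needs: [ build_rpm ]
    strategy:
      matrix:
        php_version: ['7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
        server: ['nginx-php-fpm', 'apache-mod-php', 'php-built-in']
      fail-fast: false
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      # PHP comes from the remi module stream matching the matrix version.
      - name: Setup
        run: |
          cat /etc/centos-release
          cd /etc/yum.repos.d/
          sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
          sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
          yum install -y yum-utils
          yum install -y https://rpms.remirepo.net/enterprise/remi-release-8.4.rpm
          yum -y install gcc python3-devel
          pip3 install flask
          pip3 install requests
          pip3 install pandas
          pip3 install psutil
          yum install -y httpd
          dnf --assumeyes module reset php
          dnf --assumeyes --nogpgcheck module install php:remi-${{ matrix.php_version }}
          dnf --assumeyes install php-pdo
          yum install -y mod_php
          yum install -y nginx
          yum install -y php-fpm
      - name: Check PHP setup
        run: |
          php -v
          php -i
      - name: Get Aikido version
        run: |
          AIKIDO_VERSION=$(grep '#define PHP_AIKIDO_VERSION' lib/php-extension/include/php_aikido.h | awk -F'"' '{print $2}')
          echo "$AIKIDO_VERSION"
          echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> "$GITHUB_ENV"
          echo "AIKIDO_RPM=aikido-php-firewall-$AIKIDO_VERSION-1.x86_64.rpm" >> "$GITHUB_ENV"
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: |
            aikido-php-firewall-*
      - name: Install RPM
        run: |
          rpm -Uvh --oldpackage ${{ env.AIKIDO_RPM }}/${{ env.AIKIDO_RPM }}
      - name: Run CLI tests
        run: |
          export TEST_PHP_EXECUTABLE=/usr/bin/php
          php lib/php-extension/run-tests.php ./tests/cli
      - name: Run ${{ matrix.server }} server tests
        run: |
          cd tools
          python3 run_server_tests.py ../tests/server ../tests/testlib --server=${{ matrix.server }}

  test_php_ubuntu:
    runs-on: ${{ matrix.os }}
    needs: [ build_deb ]
    strategy:
      matrix:
        os: ['ubuntu-latest', 'ubuntu-20.04']
        php_version: ['7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
        server: ['nginx-php-fpm', 'apache-mod-php', 'php-built-in']
      fail-fast: false
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: |
            aikido-php-firewall-*
      - name: Set env
        run: |
          AIKIDO_VERSION=$(grep '#define PHP_AIKIDO_VERSION' lib/php-extension/include/php_aikido.h | awk -F'"' '{print $2}')
          echo "$AIKIDO_VERSION"
          echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> "$GITHUB_ENV"
          echo "AIKIDO_DEB=aikido-php-firewall-$AIKIDO_VERSION-1.x86_64.deb" >> "$GITHUB_ENV"
      # Refresh the package index before the first install so a stale runner
      # image does not fail on a moved package version.
      - name: Setup nginx & php-fpm
        run: |
          sudo apt-get update
          sudo apt-get install -y nginx php-fpm
      - name: Setup Apache (mod_php)
        run: |
          sudo apt-get install -y apache2
          sudo a2dismod mpm_event
          sudo a2dismod mpm_worker
          sudo a2enmod mpm_prefork
          sudo a2enmod rewrite
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: ${{ matrix.php_version }}
          extensions: curl
          coverage: none
      # Disable every other mod_php the image may ship, then enable exactly the
      # matrix version. apt-get -y is required for an unattended install.
      - name: Check PHP setup
        run: |
          php_versions=("php7.3" "php7.4" "php8.0" "php8.1" "php8.2" "php8.3")
          for version in "${php_versions[@]}"; do
            if a2query -m "$version" > /dev/null 2>&1; then
              echo "Disabling $version..."
              sudo a2dismod "$version"
            else
              echo "$version is not installed."
            fi
          done
          sudo apt-get update
          sudo apt-get install -y libapache2-mod-php${{ matrix.php_version }}
          sudo a2enmod php${{ matrix.php_version }}
          php -i
      - name: Setup Python
        run: |
          sudo apt-get install -y python3-flask python3-pandas python3-psutil
          python --version
      - name: Install DEB
        run: |
          sudo dpkg -i ${{ env.AIKIDO_DEB }}/${{ env.AIKIDO_DEB }}
      - name: Run CLI tests
        if: matrix.os == 'ubuntu-latest'
        run: |
          cd ${{ github.workspace }}
          php lib/php-extension/run-tests.php ./tests/cli
      - name: Run ${{ matrix.server }} server tests
        run: |
          cd tools
          sudo python3 run_server_tests.py ../tests/server ../tests/testlib --server=${{ matrix.server }}
      - name: Archive test artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: test-results-aikido-${{ env.AIKIDO_VERSION }}-${{ matrix.os }}-php-${{ matrix.php_version }}
          if-no-files-found: ignore
          path: |
            ${{ github.workspace }}/tests/cli/**/*.diff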