Add include/require sinks for path traversal #1115

Add include/require sinks for path traversal

Add include/require sinks for path traversal #1115

Workflow file for this run

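# CI pipeline for the Aikido PHP firewall.
#
# Stages (see `needs:` for the dependency graph):
#   build_libs           -> Go agent + request-processor shared objects
#   build_php_extension  -> aikido.so for every supported PHP version
#   build_rpm            -> bundles the above plus the zen-internals library into an RPM
#   build_deb            -> converts that RPM into a .deb with alien
#   test_php_centos /    -> installs the package and runs the CLI and server
#   test_php_ubuntu         test suites against each PHP version and server mode
name: Build
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_call:

# Least privilege for the job token: nothing in this workflow pushes to the
# repository or calls the API with GITHUB_TOKEN (artifact upload/download goes
# through the Actions runtime token), so read-only is sufficient. When this
# workflow is reused via workflow_call the caller's grant is narrowed to this.
permissions:
  contents: read

# `bash` here expands to `bash --noprofile --norc -eo pipefail`, so a failure
# anywhere in a pipeline (e.g. the `grep | awk` version extraction) fails the
# step instead of silently producing an empty value for later steps.
defaults:
  run:
    shell: bash

jobs:
  build_libs:
    # NOTE(review): the ubuntu-20.04 hosted runner label has been retired by
    # GitHub; confirm it still schedules before relying on this job.
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout repository
        # NOTE(review): every action in this file is referenced by a mutable
        # tag (@v4, @v2). Pinning to a full commit SHA prevents a retagged or
        # compromised release from running with the repo's token.
        uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y protobuf-compiler protobuf-compiler-grpc

      - name: GO setup
        # NOTE(review): `@latest` resolves at run time, so the generated gRPC
        # stubs (and therefore the shipped .so files) are not reproducible
        # between runs. Pin both generators to explicit versions.
        run: |
          go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
          go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
          echo "$HOME/go/bin" >> "$GITHUB_PATH"

      - name: Get Aikido version
        # The version string is read from the extension header and reused as a
        # component of file names, package names and sed expressions below.
        run: |
          AIKIDO_VERSION=$(grep '#define PHP_AIKIDO_VERSION' lib/php-extension/include/php_aikido.h | awk -F'"' '{print $2}')
          # Refuse an empty or oddly shaped value here rather than producing a
          # misnamed artifact (or a sed pattern with unintended metacharacters)
          # several jobs later.
          [[ "$AIKIDO_VERSION" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "::error::unparseable PHP_AIKIDO_VERSION: '$AIKIDO_VERSION'"; exit 1; }
          echo "$AIKIDO_VERSION"
          echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> "$GITHUB_ENV"
          echo "AIKIDO_INTERNALS_REPO=https://api.github.com/repos/AikidoSec/zen-internals" >> "$GITHUB_ENV"

      - name: Build Aikido Agent
        # NOTE(review): `go get` during CI rewrites go.mod/go.sum with whatever
        # resolves at run time; committing the module files and building with
        # `go build -mod=readonly` would make this reproducible.
        run: |
          cd lib
          protoc --go_out=agent --go-grpc_out=agent ipc.proto
          cd agent
          go get main/ipc/protos
          go get google.golang.org/grpc
          go get github.com/stretchr/testify/assert
          go test ./...
          go build -ldflags "-s -w" -buildmode=c-shared -o ../../build/aikido-agent.so
          ls -l ../../build

      - name: Build Aikido Request Processor
        run: |
          ls -l "${{ github.workspace }}/build/"
          cd lib
          protoc --go_out=request-processor --go-grpc_out=request-processor ipc.proto
          cd request-processor
          go mod tidy
          go get google.golang.org/grpc
          go get github.com/stretchr/testify/assert
          go get main/ipc/protos
          go test ./...
          go build -ldflags "-s -w" -buildmode=c-shared -o ../../build/aikido-request-processor.so
          ls -l ../../build

      - name: Archive agent
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: aikido-agent
          if-no-files-found: error
          path: |
            ${{ github.workspace }}/build/aikido-agent.so

      - name: Archive request processor
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: aikido-request-processor
          if-no-files-found: error
          path: |
            ${{ github.workspace }}/build/aikido-request-processor.so

  build_php_extension:
    runs-on: ubuntu-20.04
    strategy:
      fail-fast: false
      matrix:
        php_version: ['7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y autoconf bison re2c libxml2-dev libssl-dev libcurl4-gnutls-dev

      - name: Get Aikido version
        # Same extraction and guard as in build_libs; also derives the
        # per-PHP-version artifact name used by the remaining steps.
        run: |
          AIKIDO_VERSION=$(grep '#define PHP_AIKIDO_VERSION' lib/php-extension/include/php_aikido.h | awk -F'"' '{print $2}')
          [[ "$AIKIDO_VERSION" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "::error::unparseable PHP_AIKIDO_VERSION: '$AIKIDO_VERSION'"; exit 1; }
          echo "$AIKIDO_VERSION"
          echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> "$GITHUB_ENV"
          echo "AIKIDO_ARTIFACT=aikido-extension-php-${{ matrix.php_version }}" >> "$GITHUB_ENV"

      - name: Setup PHP
        # NOTE(review): this is an organisation fork of shivammathur/setup-php
        # (the ubuntu test job uses the upstream one). Pin it to a commit SHA
        # and keep it in sync with upstream security fixes.
        uses: AikidoSec/setup-php@v2
        with:
          php-version: ${{ matrix.php_version }}
          extensions: curl
          coverage: none

      - name: Check PHP setup
        run: |
          which php
          php -v
          php -i

      - name: Build extension
        # NOTE(review): the shipped .so is built with -O2 only. The distro gcc
        # enables stack protector / FORTIFY / RELRO by default, but adding
        # `-Wl,-z,now` (and the flags explicitly, for portability across
        # toolchains) would make the hardening independent of the builder.
        run: |
          cd "${{ github.workspace }}"
          rm -rf build
          mkdir build
          cd lib/php-extension
          phpize
          cd ../../build
          CXX=g++ CXXFLAGS="-fPIC -O2 -I../lib/php-extension/include" LDFLAGS="-lstdc++" ../lib/php-extension/configure
          make

      - name: Version Aikido extension
        run: |
          cd "${{ github.workspace }}/build/modules"
          mv aikido.so "$AIKIDO_ARTIFACT.so"

      - name: Archive build artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: ${{ env.AIKIDO_ARTIFACT }}
          if-no-files-found: error
          path: |
            ${{ github.workspace }}/build/modules/${{ env.AIKIDO_ARTIFACT }}.so
            ${{ github.workspace }}/tests/*.diff

  build_rpm:
    runs-on: ubuntu-latest
    container:
      # NOTE(review): `centos:latest` is an end-of-life image (hence the repo
      # rewrite to vault.centos.org below) and the tag is mutable. Pin it by
      # digest so the packaging environment cannot change underneath a release.
      image: centos:latest
    needs: [ build_libs, build_php_extension ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install rpmdevtools
        # The image's default mirrorlist is gone; point at the archive. Use
        # https so repo metadata cannot be tampered with in transit (package
        # signatures are still verified by yum on top of that).
        run: |
          cd /etc/yum.repos.d/
          sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
          sed -i 's|#baseurl=http://mirror.centos.org|baseurl=https://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
          yum -y install epel-release
          yum -y install rpmdevtools
          yum -y install jq

      - name: Get Aikido version
        run: |
          AIKIDO_VERSION=$(grep '#define PHP_AIKIDO_VERSION' lib/php-extension/include/php_aikido.h | awk -F'"' '{print $2}')
          [[ "$AIKIDO_VERSION" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "::error::unparseable PHP_AIKIDO_VERSION: '$AIKIDO_VERSION'"; exit 1; }
          echo "$AIKIDO_VERSION"
          echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> "$GITHUB_ENV"
          echo "AIKIDO_INTERNALS_REPO=https://api.github.com/repos/AikidoSec/zen-internals" >> "$GITHUB_ENV"
          echo "AIKIDO_INTERNALS_LIB=libzen_internals_x86_64-unknown-linux-gnu.so" >> "$GITHUB_ENV"

      - name: Download extension artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: |
            aikido-extension-php-*

      - name: Download agent artifact
        uses: actions/download-artifact@v4
        with:
          pattern: |
            aikido-agent*

      - name: Download request processor artifact
        uses: actions/download-artifact@v4
        with:
          pattern: |
            aikido-request-processor*

      - name: Download Aikido Zen Internals Lib
        # This native library is fetched from another repository's *latest*
        # release at build time and shipped inside the RPM. It is neither
        # pinned to a release tag nor verified against a recorded checksum or
        # signature, so a changed or compromised release would be packaged
        # silently. For production builds pin the tag and compare against a
        # known sha256; until then the digest is at least logged so a given
        # RPM can be traced back to the exact bytes it bundled.
        run: |
          ASSET_URL=$(curl -fsSL "$AIKIDO_INTERNALS_REPO/releases/latest" | jq -r ".assets[] | select(.name == \"$AIKIDO_INTERNALS_LIB\") | .browser_download_url")
          # jq yields an empty string or "null" when the asset is missing;
          # fail here instead of letting curl fetch a nonsense URL.
          if [ -z "$ASSET_URL" ] || [ "$ASSET_URL" = "null" ]; then
            echo "::error::no release asset named $AIKIDO_INTERNALS_LIB in latest release"
            exit 1
          fi
          curl -fsSL -o "$AIKIDO_INTERNALS_LIB" "$ASSET_URL"
          sha256sum "$AIKIDO_INTERNALS_LIB"

      - name: Prepare rpm package
        run: |
          mv aikido-agent/aikido-agent.so package/rpm/opt/aikido/aikido-agent.so
          mv aikido-request-processor/aikido-request-processor.so package/rpm/opt/aikido/aikido-request-processor.so
          mv "$AIKIDO_INTERNALS_LIB" "package/rpm/opt/aikido/$AIKIDO_INTERNALS_LIB"
          mv aikido-extension-php-*/build/modules/aikido-extension-php-* package/rpm/opt/aikido/
          mv package/rpm/opt/aikido "package/rpm/opt/aikido-$AIKIDO_VERSION"
          # These files are shared objects loaded into every PHP worker plus
          # the aikido.ini that selects them. World-writable (777) would let
          # any local account on the target host replace the code the firewall
          # runs; owner-writable, world-readable/executable is all they need.
          # NOTE(review): package/rpm/aikido.spec may apply its own %defattr;
          # check the modes in the built RPM, not only here.
          chmod 755 "package/rpm/opt/aikido-$AIKIDO_VERSION"/*
          rpmdev-setuptree
          mkdir -p "$HOME/rpmbuild/SOURCES/aikido-php-firewall-$AIKIDO_VERSION"
          cp -rf package/rpm/opt "$HOME/rpmbuild/SOURCES/aikido-php-firewall-$AIKIDO_VERSION/"
          cp -f package/rpm/aikido.spec "$HOME/rpmbuild/SPECS/"

      - name: Setup RPM for prod
        run: |
          echo "AIKIDO_ARTIFACT=aikido-php-firewall-$AIKIDO_VERSION-1.x86_64.rpm" >> "$GITHUB_ENV"
          sed -i "s/aikido.so/aikido-$AIKIDO_VERSION.so/" "$HOME/rpmbuild/SOURCES/aikido-php-firewall-$AIKIDO_VERSION/opt/aikido-$AIKIDO_VERSION/aikido.ini"

      - name: Build rpm package
        run: |
          cd "$HOME/rpmbuild/SOURCES"
          tar czvf "$HOME/rpmbuild/SOURCES/aikido-php-firewall-$AIKIDO_VERSION.tar.gz" *
          rm -rf "$HOME/rpmbuild/SOURCES/aikido-php-firewall-$AIKIDO_VERSION"
          rpmbuild -ba "$HOME/rpmbuild/SPECS/aikido.spec"
          ls -l "$HOME/rpmbuild/RPMS/x86_64/"

      - name: Check rpm dependencies
        # Reject a package that links against glibc/libstdc++ symbol versions
        # newer than the oldest supported target. Capturing the deplist first
        # means a failure of yum itself (missing file, broken repo) fails the
        # step, instead of an empty grep result being read as "no bad deps".
        # GLIBC_2.33 is included to close the gap between 2.32 and 2.34;
        # NOTE(review): confirm the intended baseline and adjust the list.
        run: |
          RPM_PATH="$HOME/rpmbuild/RPMS/x86_64/$AIKIDO_ARTIFACT"
          deplist=$(yum deplist "$RPM_PATH")
          if grep -E 'GLIBC_2\.32|GLIBC_2\.33|GLIBC_2\.34|GLIBCXX_3\.4\.29' <<< "$deplist"; then
            echo "::error::$AIKIDO_ARTIFACT requires glibc/libstdc++ symbol versions newer than the supported baseline"
            exit 1
          fi

      - name: Archive rpm package
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.AIKIDO_ARTIFACT }}
          if-no-files-found: error
          path: |
            ~/rpmbuild/RPMS/x86_64/${{ env.AIKIDO_ARTIFACT }}

  build_deb:
    runs-on: ubuntu-20.04
    needs: [ build_rpm ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: |
            aikido-php-firewall-*

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y alien

      - name: Get Aikido version
        run: |
          AIKIDO_VERSION=$(grep '#define PHP_AIKIDO_VERSION' lib/php-extension/include/php_aikido.h | awk -F'"' '{print $2}')
          [[ "$AIKIDO_VERSION" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "::error::unparseable PHP_AIKIDO_VERSION: '$AIKIDO_VERSION'"; exit 1; }
          echo "$AIKIDO_VERSION"
          echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> "$GITHUB_ENV"
          echo "AIKIDO_RPM=aikido-php-firewall-$AIKIDO_VERSION-1.x86_64.rpm" >> "$GITHUB_ENV"
          echo "AIKIDO_ARTIFACT=aikido-php-firewall-$AIKIDO_VERSION-1.x86_64.deb" >> "$GITHUB_ENV"

      - name: Build deb
        # `--scripts` carries the RPM scriptlets over into the .deb
        # maintainer scripts; `--keep-version` keeps the RPM version string.
        run: |
          sudo alien --to-deb --scripts --keep-version "$AIKIDO_RPM/$AIKIDO_RPM"
          ls -l
          mv "aikido-php-firewall_$AIKIDO_VERSION-1_amd64.deb" "$AIKIDO_ARTIFACT"

      - name: Archive deb package
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.AIKIDO_ARTIFACT }}
          if-no-files-found: error
          path: |
            ${{ env.AIKIDO_ARTIFACT }}

  test_php_centos:
    runs-on: ubuntu-latest
    container:
      # NOTE(review): EOL image with a mutable tag; see build_rpm.
      image: centos:latest
    needs: [ build_rpm ]
    strategy:
      fail-fast: false
      matrix:
        php_version: ['7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
        server: ['nginx-php-fpm', 'apache-mod-php', 'php-built-in']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup
        # Test-environment only; nothing installed here ends up in a shipped
        # artifact. Even so:
        # NOTE(review): the remi-release RPM is installed straight from a URL
        # without a pre-imported signing key, `--nogpgcheck` disables package
        # signature verification for the PHP module stream, and the pip
        # installs are unpinned. Import the remi key first (which should make
        # --nogpgcheck unnecessary) and pin the Python packages.
        run: |
          cat /etc/centos-release
          cd /etc/yum.repos.d/
          sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
          sed -i 's|#baseurl=http://mirror.centos.org|baseurl=https://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
          yum install -y yum-utils
          yum install -y https://rpms.remirepo.net/enterprise/remi-release-8.4.rpm
          yum -y install gcc python3-devel
          pip3 install flask
          pip3 install requests
          pip3 install pandas
          pip3 install psutil
          yum install -y httpd
          dnf --assumeyes module reset php
          dnf --assumeyes --nogpgcheck module install php:remi-${{ matrix.php_version }}
          dnf --assumeyes install php-pdo
          yum install -y mod_php
          yum install -y nginx
          yum install -y php-fpm

      - name: Check PHP setup
        run: |
          php -v
          php -i

      - name: Get Aikido version
        run: |
          AIKIDO_VERSION=$(grep '#define PHP_AIKIDO_VERSION' lib/php-extension/include/php_aikido.h | awk -F'"' '{print $2}')
          [[ "$AIKIDO_VERSION" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "::error::unparseable PHP_AIKIDO_VERSION: '$AIKIDO_VERSION'"; exit 1; }
          echo "$AIKIDO_VERSION"
          echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> "$GITHUB_ENV"
          echo "AIKIDO_RPM=aikido-php-firewall-$AIKIDO_VERSION-1.x86_64.rpm" >> "$GITHUB_ENV"

      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: |
            aikido-php-firewall-*

      - name: Install RPM
        # The RPM built in this run is unsigned, so rpm performs no signature
        # check here; that is acceptable for testing a same-run artifact but
        # not for anything distributed.
        run: |
          rpm -Uvh --oldpackage "$AIKIDO_RPM/$AIKIDO_RPM"

      - name: Run CLI tests
        run: |
          export TEST_PHP_EXECUTABLE=/usr/bin/php
          php lib/php-extension/run-tests.php ./tests/cli

      - name: Run ${{ matrix.server }} server tests
        run: |
          cd tools
          python3 run_server_tests.py ../tests/server ../tests/testlib --server=${{ matrix.server }}

  test_php_ubuntu:
    runs-on: ${{ matrix.os }}
    needs: [ build_deb ]
    strategy:
      fail-fast: false
      matrix:
        os: ['ubuntu-latest', 'ubuntu-20.04']
        php_version: ['7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
        server: ['nginx-php-fpm', 'apache-mod-php', 'php-built-in']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: |
            aikido-php-firewall-*

      - name: Set env
        run: |
          AIKIDO_VERSION=$(grep '#define PHP_AIKIDO_VERSION' lib/php-extension/include/php_aikido.h | awk -F'"' '{print $2}')
          [[ "$AIKIDO_VERSION" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "::error::unparseable PHP_AIKIDO_VERSION: '$AIKIDO_VERSION'"; exit 1; }
          echo "$AIKIDO_VERSION"
          echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> "$GITHUB_ENV"
          echo "AIKIDO_DEB=aikido-php-firewall-$AIKIDO_VERSION-1.x86_64.deb" >> "$GITHUB_ENV"

      - name: Setup nginx & php-fpm
        # Refresh the package index once before the first install; the
        # runner's preinstalled index can be stale enough to 404.
        run: |
          sudo apt-get update
          sudo apt-get install -y nginx php-fpm

      - name: Setup Apache (mod_php)
        # mod_php requires the prefork MPM; the threaded MPMs are disabled first.
        run: |
          sudo apt-get install -y apache2
          sudo a2dismod mpm_event
          sudo a2dismod mpm_worker
          sudo a2enmod mpm_prefork
          sudo a2enmod rewrite

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: ${{ matrix.php_version }}
          extensions: curl
          coverage: none

      - name: Configure Apache PHP module
        # Only one php*.so module may be enabled in Apache at a time: disable
        # every version that happens to be enabled, then enable the matrix one.
        # `apt-get ... -y` replaces the original bare `apt install`, which has
        # no stable scripting interface and would abort on its confirmation
        # prompt when a package actually needs installing.
        run: |
          php_versions=("php7.3" "php7.4" "php8.0" "php8.1" "php8.2" "php8.3")
          for version in "${php_versions[@]}"; do
            if a2query -m "$version" > /dev/null 2>&1; then
              echo "Disabling $version..."
              sudo a2dismod "$version"
            else
              echo "$version is not installed."
            fi
          done
          sudo apt-get update
          sudo apt-get install -y libapache2-mod-php${{ matrix.php_version }}
          sudo a2enmod php${{ matrix.php_version }}
          php -i

      - name: Setup Python
        run: |
          sudo apt-get install -y python3-flask python3-pandas python3-psutil
          python3 --version

      - name: Install DEB
        run: |
          sudo dpkg -i "$AIKIDO_DEB/$AIKIDO_DEB"

      - name: Run CLI tests
        if: matrix.os == 'ubuntu-latest'
        run: |
          cd "${{ github.workspace }}"
          php lib/php-extension/run-tests.php ./tests/cli

      - name: Run ${{ matrix.server }} server tests
        # NOTE(review): the test driver runs as root (presumably to manage the
        # web servers and bind their ports); the CentOS job runs it unprivileged
        # only because the container itself is root. Prefer dropping privileges
        # in the driver once the servers are up.
        run: |
          cd tools
          sudo python3 run_server_tests.py ../tests/server ../tests/testlib --server=${{ matrix.server }}

      - name: Archive test artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: test-results-aikido-${{ env.AIKIDO_VERSION }}-${{ matrix.os }}-php-${{ matrix.php_version }}
          if-no-files-found: ignore
          path: |
            ${{ github.workspace }}/tests/cli/**/*.diff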