Merge branch 'main' into php-filters

docs/should_block_request.md

@@ -32,11 +32,12 @@ class AikidoMiddleware implements MiddlewareInterface
 
         // Get the user ID / name (from session or other auth system)
         $userId = $this->getAuthenticatedUserId();
-        $userName = $this->getAuthenticatedUserName();
-
+
         // If the user is authenticated, set the user ID in Aikido Zen context
-        if ($userId && $userName) {
-            \aikido\set_user(strval($userId), $userName);
+        if ($userId) {
+            // Username is optional: \aikido\set_user can be called only with user ID
+            $userName = $this->getAuthenticatedUserName();
+            \aikido\set_user($userId, $userName);
         }
 
         // Check blocking decision from Aikido
@@ -120,7 +121,7 @@ class ZenBlockDecision
 		// If a user is authenticated, set the user in Aikido's firewall context
 		if ($userId) {
 			// If username is available, you can set it as the second parameter in the \aikido\set_user function call
-			\aikido\set_user(strval($userId));
+			\aikido\set_user($userId);
 		}
 
         // Check blocking decision from Aikido

lib/php-extension/Hooks.cpp

@@ -37,6 +37,10 @@ unordered_map<std::string, PHP_HANDLERS> HOOKED_FUNCTIONS = {
     AIKIDO_REGISTER_FUNCTION_HANDLER_EX(symlink, handle_pre_file_path_access_2),
     AIKIDO_REGISTER_FUNCTION_HANDLER_EX(touch, handle_pre_file_path_access),
     AIKIDO_REGISTER_FUNCTION_HANDLER_EX(unlink, handle_pre_file_path_access),
+    AIKIDO_REGISTER_FUNCTION_HANDLER_EX(require, handle_pre_file_path_access),
+    AIKIDO_REGISTER_FUNCTION_HANDLER_EX(require_once, handle_pre_file_path_access),
+    AIKIDO_REGISTER_FUNCTION_HANDLER_EX(include, handle_pre_file_path_access),
+    AIKIDO_REGISTER_FUNCTION_HANDLER_EX(include_once, handle_pre_file_path_access),
 };
 
 unordered_map<AIKIDO_METHOD_KEY, PHP_HANDLERS, AIKIDO_METHOD_KEY_HASH> HOOKED_METHODS = {

lib/request-processor/handle_user_event.go

@@ -13,7 +13,7 @@ func OnUserEvent() string {
 	username := context.GetUserName()
 	ip := context.GetIp()
 
-	log.Infof("[UEVENT] Got user event: \"%s\" \"%s\" \"%s\"", id, username, ip)
+	log.Infof("Got user event!")
 
 	if id == "" || ip == "" {
 		return ""

tests/cli/path_traversal/test_path_traversal_include.phpt

@@ -0,0 +1,20 @@
+--TEST--
+Test path traversal (include)
+
+--ENV--
+AIKIDO_LOG_LEVEL=INFO
+AIKIDO_BLOCK=1
+
+--FILE--
+<?php
+
+$_SERVER['HTTP_USER'] = '../file';
+
+$file = '../file/test.txt';
+
+include($file);
+
+?>
+
+--EXPECTREGEX--
+.*Fatal error: Uncaught Exception: Aikido firewall has blocked a path traversal attack.*

tests/cli/path_traversal/test_path_traversal_include_once.phpt

@@ -0,0 +1,20 @@
+--TEST--
+Test path traversal (include_once)
+
+--ENV--
+AIKIDO_LOG_LEVEL=INFO
+AIKIDO_BLOCK=1
+
+--FILE--
+<?php
+
+$_SERVER['HTTP_USER'] = '../file';
+
+$file = '../file/test.txt';
+
+include_once($file);
+
+?>
+
+--EXPECTREGEX--
+.*Fatal error: Uncaught Exception: Aikido firewall has blocked a path traversal attack.*

tests/cli/path_traversal/test_path_traversal_require.phpt

@@ -0,0 +1,20 @@
+--TEST--
+Test path traversal (require)
+
+--ENV--
+AIKIDO_LOG_LEVEL=INFO
+AIKIDO_BLOCK=1
+
+--FILE--
+<?php
+
+$_SERVER['HTTP_USER'] = '../file';
+
+$file = '../file/test.txt';
+
+require($file);
+
+?>
+
+--EXPECTREGEX--
+.*Fatal error: Uncaught Exception: Aikido firewall has blocked a path traversal attack.*

tests/cli/path_traversal/test_path_traversal_require_once.phpt

@@ -0,0 +1,20 @@
+--TEST--
+Test path traversal (require_once)
+
+--ENV--
+AIKIDO_LOG_LEVEL=INFO
+AIKIDO_BLOCK=1
+
+--FILE--
+<?php
+
+$_SERVER['HTTP_USER'] = '../file';
+
+$file = '../file/test.txt';
+
+require_once($file);
+
+?>
+
+--EXPECTREGEX--
+.*Fatal error: Uncaught Exception: Aikido firewall has blocked a path traversal attack.*

tests/cli/user/set_user_test.phpt

@@ -20,5 +20,5 @@ if ($a == true) {
 ?>
 
 --EXPECTF--
-[AIKIDO][INFO] [UEVENT] Got user event: "122-sa-2" "username1" "::1"
+[AIKIDO][INFO] Got user event!
 User set successfully