From b02fe16c8e97a212e2f438353235691c9d5f555e Mon Sep 17 00:00:00 2001 From: Tudor Timcu Date: Tue, 17 Dec 2024 17:09:22 +0100 Subject: [PATCH 1/6] Update should_block_request.md --- docs/should_block_request.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/should_block_request.md b/docs/should_block_request.md index 5cecd597..31ce8cbb 100644 --- a/docs/should_block_request.md +++ b/docs/should_block_request.md @@ -36,6 +36,7 @@ class AikidoMiddleware implements MiddlewareInterface // If the user is authenticated, set the user ID in Aikido Zen context if ($userId && $userName) { + // Username is optional: \aikido\set_user can be called only with user ID \aikido\set_user(strval($userId), $userName); } @@ -119,8 +120,8 @@ class ZenBlockDecision // If a user is authenticated, set the user in Aikido's firewall context if ($userId) { - // If username is available, you can set it as the second parameter in the \aikido\set_user function call - \aikido\set_user(strval($userId)); + // If username is available, you can set it as the second parameter in the \aikido\set_user function call + \aikido\set_user(strval($userId)); } // Check blocking decision from Aikido From 45716e7751df809040a5eba2b4ed830f85a36be2 Mon Sep 17 00:00:00 2001 From: Tudor TIMCU Date: Tue, 17 Dec 2024 17:03:26 +0000 Subject: [PATCH 2/6] Fix --- docs/should_block_request.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/should_block_request.md b/docs/should_block_request.md index 31ce8cbb..f51b5f9a 100644 --- a/docs/should_block_request.md +++ b/docs/should_block_request.md 
@@ -32,11 +32,11 @@ class AikidoMiddleware implements MiddlewareInterface // Get the user ID / name (from session or other auth system) $userId = $this->getAuthenticatedUserId(); - $userName = $this->getAuthenticatedUserName(); - + // If the user is authenticated, set the user ID in Aikido Zen context - if ($userId && $userName) { + if ($userId) { // Username is optional: \aikido\set_user can be called only with user ID + $userName = $this->getAuthenticatedUserName(); \aikido\set_user(strval($userId), $userName); } From fb528108d8b763c23db4d443f4f681ca7a1503d5 Mon Sep 17 00:00:00 2001 From: Tudor TIMCU Date: Tue, 17 Dec 2024 17:04:55 +0000 Subject: [PATCH 3/6] Fix logging --- lib/request-processor/handle_user_event.go | 2 +- tests/cli/user/set_user_test.phpt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/request-processor/handle_user_event.go b/lib/request-processor/handle_user_event.go index c0c4a530..07eeafb1 100644 --- a/lib/request-processor/handle_user_event.go +++ b/lib/request-processor/handle_user_event.go @@ -13,7 +13,7 @@ func OnUserEvent() string { username := context.GetUserName() ip := context.GetIp() - log.Infof("[UEVENT] Got user event: \"%s\" \"%s\" \"%s\"", id, username, ip) + log.Infof("Got user event!") if id == "" || ip == "" { return "" diff --git a/tests/cli/user/set_user_test.phpt b/tests/cli/user/set_user_test.phpt index bb7dfde1..7ac0b3a4 100644 --- a/tests/cli/user/set_user_test.phpt +++ b/tests/cli/user/set_user_test.phpt @@ -20,5 +20,5 @@ if ($a == true) { ?> --EXPECTF-- -[AIKIDO][INFO] [UEVENT] Got user event: "122-sa-2" "username1" "::1" +[AIKIDO][INFO] [UEVENT] Got user event! User set successfully \ No newline at end of file From 2e4d081bd204740f7bdbdf4146001dc78f73ef11 Mon Sep 17 00:00:00 2001 From: Tudor TIMCU Date: Tue, 17 Dec 2024 17:07:23 +0000 Subject: [PATCH 4/6] Fix --- tests/cli/user/set_user_test.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
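Review bot: Once the ID, username and IP are dropped from the log line, the `if id == "" || ip == ""` guard two lines below returns silently, so an event ignored because the middleware passed an empty user ID or no client IP was captured leaves no trace at all. Removing the raw values is the right call for PII and log-injection reasons, but a reason-only line keeps the drop path diagnosable without writing anything sensitive: `log.Infof("Dropping user event: missing user id or ip")` just before `return ""`. It sits on the failure path only, so the `--EXPECTF--` block in this patch, which pins the success output, should be unaffected; if the logger has a debug level (not visible here) that would be the better home. OnUserEvent's body continues past the end of the hunk.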
diff --git a/tests/cli/user/set_user_test.phpt b/tests/cli/user/set_user_test.phpt index 7ac0b3a4..37fe0f33 100644 --- a/tests/cli/user/set_user_test.phpt +++ b/tests/cli/user/set_user_test.phpt @@ -20,5 +20,5 @@ if ($a == true) { ?> --EXPECTF-- -[AIKIDO][INFO] [UEVENT] Got user event! +[AIKIDO][INFO] Got user event! User set successfully \ No newline at end of file From 8023a226a52f7a29a197c178cdd0f07fc480efa8 Mon Sep 17 00:00:00 2001 From: Tudor TIMCU Date: Tue, 17 Dec 2024 17:33:24 +0000 Subject: [PATCH 5/6] Fix --- docs/should_block_request.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/should_block_request.md b/docs/should_block_request.md index f51b5f9a..8a196fc7 100644 --- a/docs/should_block_request.md +++ b/docs/should_block_request.md @@ -37,7 +37,7 @@ class AikidoMiddleware implements MiddlewareInterface if ($userId) { // Username is optional: \aikido\set_user can be called only with user ID $userName = $this->getAuthenticatedUserName(); - \aikido\set_user(strval($userId), $userName); + \aikido\set_user($userId, $userName); } // Check blocking decision from Aikido @@ -120,8 +120,8 @@ class ZenBlockDecision // If a user is authenticated, set the user in Aikido's firewall context if ($userId) { - // If username is available, you can set it as the second parameter in the \aikido\set_user function call - \aikido\set_user(strval($userId)); + // If username is available, you can set it as the second parameter in the \aikido\set_user function call + \aikido\set_user($userId); } // Check blocking decision from Aikido From 080e2236e954bf13420d6165ed570a138e6a4bb9 Mon Sep 17 00:00:00 2001 
From: nadiraikido <166383531+nadiraikido@users.noreply.github.com> Date: Tue, 17 Dec 2024 18:41:04 +0100 Subject: [PATCH 6/6] Add include_*/require_* sinks --- lib/php-extension/Hooks.cpp | 4 ++++ .../test_path_traversal_include.phpt | 20 +++++++++++++++++++ .../test_path_traversal_include_once.phpt | 20 +++++++++++++++++++ .../test_path_traversal_require.phpt | 20 +++++++++++++++++++ .../test_path_traversal_require_once.phpt | 20 +++++++++++++++++++ 5 files changed, 84 insertions(+) create mode 100644 tests/cli/path_traversal/test_path_traversal_include.phpt create mode 100644 tests/cli/path_traversal/test_path_traversal_include_once.phpt create mode 100644 tests/cli/path_traversal/test_path_traversal_require.phpt create mode 100644 tests/cli/path_traversal/test_path_traversal_require_once.phpt diff --git a/lib/php-extension/Hooks.cpp b/lib/php-extension/Hooks.cpp index 4fc67b21..bf704763 100644 --- a/lib/php-extension/Hooks.cpp +++ b/lib/php-extension/Hooks.cpp @@ -37,6 +37,10 @@ unordered_map HOOKED_FUNCTIONS = { AIKIDO_REGISTER_FUNCTION_HANDLER_EX(symlink, handle_pre_file_path_access_2), AIKIDO_REGISTER_FUNCTION_HANDLER_EX(touch, handle_pre_file_path_access), AIKIDO_REGISTER_FUNCTION_HANDLER_EX(unlink, handle_pre_file_path_access), + AIKIDO_REGISTER_FUNCTION_HANDLER_EX(require, handle_pre_file_path_access), + AIKIDO_REGISTER_FUNCTION_HANDLER_EX(require_once, handle_pre_file_path_access), + AIKIDO_REGISTER_FUNCTION_HANDLER_EX(include, handle_pre_file_path_access), + AIKIDO_REGISTER_FUNCTION_HANDLER_EX(include_once, handle_pre_file_path_access), }; unordered_map HOOKED_METHODS = { diff --git a/tests/cli/path_traversal/test_path_traversal_include.phpt b/tests/cli/path_traversal/test_path_traversal_include.phpt new file mode 100644 index 00000000..c608bb9e --- /dev/null +++ b/tests/cli/path_traversal/test_path_traversal_include.phpt 
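Review bot: `include`, `include_once`, `require` and `require_once` are PHP language constructs rather than function-table entries — the compiler lowers them to the ZEND_INCLUDE_OR_EVAL opcode — so a hook keyed by function name, which is what the neighbouring `touch`/`unlink` registrations appear to rely on, will not fire for them unless `AIKIDO_REGISTER_FUNCTION_HANDLER_EX` also installs an opcode handler, and nothing in this hunk shows that it does. If the four accompanying path-traversal tests pass, the macro evidently covers that case, and the table should say so rather than leave the next reader to assume these behave like the other file functions: `// include/require are ZEND_INCLUDE_OR_EVAL opcodes, not function calls; the handler is attached at opcode level`. If they do not, the entries are dead and the fix is a `zend_set_user_opcode_handler(ZEND_INCLUDE_OR_EVAL, ...)` that extracts the path operand and routes it through the same `handle_pre_file_path_access` check. Either way, a traversal check alone does not cover the stream-wrapper forms (`php://filter`, `data:`, remote URLs when allow_url_include is on) that turn an include of untrusted input into a code-execution sink rather than a file read, which is worth noting next to these lines. The HOOKED_FUNCTIONS initializer begins before the hunk.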
@@ -0,0 +1,20 @@ +--TEST-- +Test path traversal (include) + +--ENV-- +AIKIDO_LOG_LEVEL=INFO +AIKIDO_BLOCK=1 + +--FILE-- + + +--EXPECTREGEX-- +.*Fatal error: Uncaught Exception: Aikido firewall has blocked a path traversal attack.* diff --git a/tests/cli/path_traversal/test_path_traversal_include_once.phpt b/tests/cli/path_traversal/test_path_traversal_include_once.phpt new file mode 100644 index 00000000..562120f5 --- /dev/null +++ b/tests/cli/path_traversal/test_path_traversal_include_once.phpt @@ -0,0 +1,20 @@ +--TEST-- +Test path traversal (include_once) + +--ENV-- +AIKIDO_LOG_LEVEL=INFO +AIKIDO_BLOCK=1 + +--FILE-- + + +--EXPECTREGEX-- +.*Fatal error: Uncaught Exception: Aikido firewall has blocked a path traversal attack.* diff --git a/tests/cli/path_traversal/test_path_traversal_require.phpt b/tests/cli/path_traversal/test_path_traversal_require.phpt new file mode 100644 index 00000000..717c7aff --- /dev/null +++ b/tests/cli/path_traversal/test_path_traversal_require.phpt @@ -0,0 +1,20 @@ +--TEST-- +Test path traversal (require) + +--ENV-- +AIKIDO_LOG_LEVEL=INFO +AIKIDO_BLOCK=1 + +--FILE-- + + +--EXPECTREGEX-- +.*Fatal error: Uncaught Exception: Aikido firewall has blocked a path traversal attack.* diff --git a/tests/cli/path_traversal/test_path_traversal_require_once.phpt b/tests/cli/path_traversal/test_path_traversal_require_once.phpt new file mode 100644 index 00000000..05be0cc4 --- /dev/null +++ b/tests/cli/path_traversal/test_path_traversal_require_once.phpt @@ -0,0 +1,20 @@ +--TEST-- +Test path traversal (require_once) + +--ENV-- +AIKIDO_LOG_LEVEL=INFO +AIKIDO_BLOCK=1 + +--FILE-- + + +--EXPECTREGEX-- +.*Fatal error: Uncaught Exception: Aikido firewall has blocked a path traversal attack.*