Skip to content

Commit

Permalink
PHP filters support for path traversal
Browse files Browse the repository at this point in the history
  • Loading branch information
tudor-timcu committed Dec 17, 2024
1 parent a9db333 commit cdfb4db
Show file tree
Hide file tree
Showing 6 changed files with 47 additions and 16 deletions.
6 changes: 4 additions & 2 deletions lib/php-extension/HandlePathAccess.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,10 @@

/* Helper for handle pre file path access */
void helper_handle_pre_file_path_access(char *filename, EVENT_ID &eventId) {
if (strncmp(filename, "php://", 6) == 0) {
// Whitelist php:// streams as they are often used by PHP frameworks a lot
if (strncmp(filename, "php://", 6) == 0 &&
strncmp(filename, "php://filter", 12) != 0) {
// Whitelist all php:// streams apart from php://filter, for performance reasons (some PHP frameworks do 1000+ calls / request with these streams as param)
// php://filter can be used to open arbitrary files, so we still monitor this
return;
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,16 +7,16 @@
]
},
"method": "POST",
"body": "{\"folder\": \"../../../..\"}",
"body": "{\"file\": \"../../../../file\"}",
"route": "/testDetection"
},
"attack": {
"kind": "path_traversal",
"operation": "fopen",
"blocked": true,
"source": "body",
"path": ".folder",
"payload": "../../../..",
"path": ".file",
"payload": "../../../../file",
"metadata": {
"filename": "../../../../file"
}
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
{
"type": "detected_attack",
"request": {
"headers": {
"content_type": [
"application/json"
]
},
"method": "POST",
"body": "{\"file\": \"php://filter/convert.base64-encode/resource=../../../../file\"}",
"route": "/testDetection"
},
"attack": {
"kind": "path_traversal",
"operation": "fopen",
"blocked": true,
"source": "body",
"path": ".file",
"payload": "php://filter/convert.base64-encode/resource=../../../../file",
"metadata": {
"filename": "php://filter/convert.base64-encode/resource=../../../../file"
}
},
"agent": {
"dryMode": false
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,16 +7,16 @@
]
},
"method": "POST",
"body": "{\"folder\": \"../../../..\"}",
"body": "{\"file\": \"../../../../file\"}",
"route": "/testDetection"
},
"attack": {
"kind": "path_traversal",
"operation": "fopen",
"blocked": false,
"source": "body",
"path": ".folder",
"payload": "../../../..",
"path": ".file",
"payload": "../../../../file",
"metadata": {
"filename": "../../../../file"
}
Expand Down
5 changes: 2 additions & 3 deletions tests/server/test_path_traversal/index.php
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,8 @@
$data = json_decode($requestBody, true);

// Check if 'folder' exists and get its value
if (isset($data['folder'])) {
$f = $data['folder'] . '/file';
fopen($f, 'r');
if (isset($data['file'])) {
fopen($data['file'], 'r');
echo "File opened!";
} else {
echo "Field 'folder' is not present in the JSON data.";
Expand Down
13 changes: 8 additions & 5 deletions tests/server/test_path_traversal/test.py
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,8 @@
3. Checks that the detection event was submitted and is valid.
'''

def check_path_traversal(response_code, response_body, event_id, expected_json):
response = php_server_post("/testDetection", {"folder": "../../../.."})
def check_path_traversal(exploit_path, response_code, response_body, event_id, expected_json):
response = php_server_post("/testDetection", {"file": exploit_path})
assert_response_code_is(response, response_code)
assert_response_body_contains(response, response_body)

Expand All @@ -22,13 +22,16 @@ def check_path_traversal(response_code, response_body, event_id, expected_json):
assert_event_contains_subset_file(events[event_id], expected_json)

def run_test():
check_path_traversal(500, "", 1, "expect_detection_blocked.json")
exploit_path = "../../../../file"

check_path_traversal(exploit_path, 500, "", 1, "expect_detection_blocked.json")
check_path_traversal(f"php://filter/convert.base64-encode/resource={exploit_path}", 500, "", 2, "expect_detection_blocked_php_filter.json")

apply_config("change_config_disable_blocking.json")
check_path_traversal(200, "File opened!", 2, "expect_detection_not_blocked.json")
check_path_traversal(exploit_path, 200, "File opened!", 3, "expect_detection_not_blocked.json")

apply_config("start_config.json")
check_path_traversal(500, "", 3, "expect_detection_blocked.json")
check_path_traversal(exploit_path, 500, "", 4, "expect_detection_blocked.json")

if __name__ == "__main__":
load_test_args()
Expand Down

0 comments on commit cdfb4db

Please sign in to comment.