Eval whitelist

Implement whitelist in eval
author: jvoisin 2018-01-10 14:56:33 +0100
committer: GitHub 2018-01-10 14:56:33 +0100
commit: ad6b3e723fe26bf1a3a573aed776960916d35499 (patch)
tree: eec9e15028f4529d776489d273bf9699333aa987 /src/sp_execute.c
parent: b6e5bc4557cca3abbcfd179e7143ea54b9844e49 (diff)
1 files changed, 69 insertions, 19 deletions
diff --git a/src/sp_execute.c b/src/sp_execute.c
index 3ce6643..c1d68d7 100644
--- a/src/sp_execute.c
+++ b/src/sp_execute.c
@@ -6,6 +6,8 @@
 ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus)
 static void (*orig_execute_ex)(zend_execute_data *execute_data);
+static void (*orig_zend_execute_internal)(zend_execute_data *execute_data,
+                                          zval *return_value);
 static int (*orig_zend_stream_open)(const char *filename,
                                    zend_file_handle *handle);
@@ -29,9 +31,9 @@ ZEND_COLD static inline void terminate_if_writable(const char *filename) {
 }
 static void is_builtin_matching(const char *restrict const filename,
-                                char *restrict function_name,
+                                const char *restrict const function_name,
-                                char *restrict param_name,
+                                const char *restrict const param_name,
-                                sp_list_node *config) {
+                                const sp_list_node *config) {
  if (!config || !config->data) {
    return;
  }
@@ -42,6 +44,43 @@ static void is_builtin_matching(const char *restrict const filename,
  }
 }
+static void is_in_eval_and_whitelisted(zend_execute_data *execute_data) {
+  if (EXPECTED(0 == SNUFFLEUPAGUS_G(in_eval))) {
+    return;
+  }
+  if (EXPECTED(NULL == SNUFFLEUPAGUS_G(config).config_eval->whitelist->data)) {
+    return;
+  }
+  if (zend_is_executing() && !EG(current_execute_data)->func) {
+    return;
+  }
+  if (!(execute_data->func->common.function_name)) {
+    return;
+  }
+  char const* const current_function = ZSTR_VAL(EX(func)->common.function_name);
+  if (EXPECTED(current_function)) {
+    const sp_list_node *it = SNUFFLEUPAGUS_G(config).config_eval->whitelist;
+    while (it) {
+      if (0 == strcmp(current_function, (char *)(it->data))) {
+        /* We've got a match, the function is whiteslited. */
+        return;
+      }
+      it = it->next;
+    }
+    sp_log_msg(
+        "Eval_whitelist", SP_LOG_DROP,
+        "The function '%s' isn't in the eval whitelist, dropping its call.",
+        current_function);
+    sp_terminate();
+  }
+}
 /* This function gets the filename in which `eval()` is called from,
 * since it looks like "foo.php(1) : eval()'d code", so we're starting
 * from the end of the string until the second closing parenthesis. */
@@ -67,28 +106,42 @@ static void sp_execute_ex(zend_execute_data *execute_data) {
    sp_terminate();
  }
-  if (execute_data->func->op_array.type == ZEND_EVAL_CODE) {
+  if (EX(func)->op_array.type == ZEND_EVAL_CODE) {
    SNUFFLEUPAGUS_G(in_eval)++;
-    sp_list_node *config =
+    const sp_list_node *config =
        SNUFFLEUPAGUS_G(config).config_disabled_constructs->construct_eval;
    char *filename = get_eval_filename((char *)zend_get_executed_filename());
    is_builtin_matching(filename, "eval", NULL, config);
    efree(filename);
  }
-  if (NULL != execute_data->func->op_array.filename) {
+  is_in_eval_and_whitelisted(execute_data);
+  if (NULL != EX(func)->op_array.filename) {
    if (true == SNUFFLEUPAGUS_G(config).config_readonly_exec->enable) {
-      terminate_if_writable(ZSTR_VAL(execute_data->func->op_array.filename));
+      terminate_if_writable(ZSTR_VAL(EX(func)->op_array.filename));
    }
  }
  orig_execute_ex(execute_data);
-  if (true == should_drop_on_ret(execute_data->return_value, execute_data)) {
+  if (true == should_drop_on_ret(EX(return_value), execute_data)) {
    sp_terminate();
  }
-  SNUFFLEUPAGUS_G(in_eval)--;
+  if (ZEND_EVAL_CODE == EX(func)->op_array.type) {
+    SNUFFLEUPAGUS_G(in_eval)--;
+  }
+}
+static void sp_zend_execute_internal(INTERNAL_FUNCTION_PARAMETERS) {
+  is_in_eval_and_whitelisted(execute_data);
+  EX(func)->internal_function.handler(INTERNAL_FUNCTION_PARAM_PASSTHRU);
+  if (UNEXPECTED(NULL != orig_zend_execute_internal)) {
+    orig_zend_execute_internal(INTERNAL_FUNCTION_PARAM_PASSTHRU);
+  }
 }
 static int sp_stream_open(const char *filename, zend_file_handle *handle) {
@@ -121,11 +174,7 @@ static int sp_stream_open(const char *filename, zend_file_handle *handle) {
          is_builtin_matching(filename, "include_once", "inclusion path",
                              config);
          break;
-        case ZEND_EVAL:
+        EMPTY_SWITCH_DEFAULT_CASE();
-          is_builtin_matching(filename, "eval", NULL, config);
-          break;
-        default:
-          break;
      }
  }
@@ -136,16 +185,17 @@ end:
 int hook_execute(void) {
  TSRMLS_FETCH();
-  /* zend_execute_ex is used for "classic" function calls */
+  /* zend_execute_ex is used for "user" function calls */
  orig_execute_ex = zend_execute_ex;
  zend_execute_ex = sp_execute_ex;
-  /* zend_stream_open_function is used FIXME */
+  /* zend_execute_internal is used for "builtin" functions calls */
+  orig_zend_execute_internal = zend_execute_internal;
+  zend_execute_internal = sp_zend_execute_internal;
+  /* zend_stream_open_function is used for include-related stuff */
  orig_zend_stream_open = zend_stream_open_function;
  zend_stream_open_function = sp_stream_open;
-  /* zend_execute_internal is used for "indirect" functions call,
-   * like array_map or call_user_func. */
  return SUCCESS;
 }
author	jvoisin	2018-01-10 14:56:33 +0100
committer	GitHub	2018-01-10 14:56:33 +0100
commit	ad6b3e723fe26bf1a3a573aed776960916d35499 (patch)
tree	eec9e15028f4529d776489d273bf9699333aa987 /src/sp_execute.c
parent	b6e5bc4557cca3abbcfd179e7143ea54b9844e49 (diff)