1 files changed, 0 insertions, 128 deletions

diff --git a/config/default_php8.rules b/config/default_php8.rules
deleted file mode 100644
index 0490654..0000000
--- a/config/default_php8.rules
+++ /dev/null
@@ -1,128 +0,0 @@
-# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io),
-# for php8.
-# It contains "reasonable" defaults that won't break your websites,
-# and a lot of commented directives that you can enable if you want to 
-# have a better protection.
-
-# Harden the PRNG
-sp.harden_random.enable();
-
-# Disabled XXE
-sp.xxe_protection.enable();
-
-# Global configuration variables
-# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
-
-# Globally activate strict mode
-# https://www.php.net/manual/en/language.types.declarations.php#language.types.declarations.strict
-# sp.global_strict.enable();
-
-# Prevent unserialize-related exploits
-# sp.unserialize_hmac.enable();
-
-# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
-# sp.readonly_exec.enable();
-
-# PHP has a lot of wrappers, most of them aren't usually useful, you should
-# only enable the ones you're using.
-# sp.wrappers_whitelist.list("file,php,phar");
-# The "php" wrapper can be further filtered, e.g. to only allow `php://stdout`, `php://stdin` and `php://stderr`:
-# sp.wrappers_whitelist.php_list("stdout,stdin,stderr");
-
-# Prevent sloppy comparisons.
-# sp.sloppy_comparison.enable();
-
-# Use SameSite on session cookie
-# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
-sp.cookie.name("PHPSESSID").samesite("lax");
-
-# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
-sp.disable_function.function("chmod").param("permissions").value("438").drop();
-sp.disable_function.function("chmod").param("permissions").value("511").drop();
-
-# Prevent various `mail`-related vulnerabilities
-# Uncommend the second rule if you're using php8.3+
-#sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
-#sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop();
-
-# Since it's now burned, me might as well mitigate it publicly
-sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
-sp.disable_function.function("putenv").param("assignment").value("PATH").drop()
-
-# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
-sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
-
-# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
-sp.disable_function.function("extract").param("array").value_r("^_").drop()
-sp.disable_function.function("extract").param("flags").value("0").drop()
-
-# See https://dustri.org/b/ini_set-based-open_basedir-bypass.html
-# Since we have no way of matching on two parameters at the same time, we're
-# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
-# Moreover, there are non-public bypasses that are also using this vector ;)
-sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
-
-# Prevent various `include`-related vulnerabilities
-sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
-sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
-sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
-sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
-sp.disable_function.function("require_once").drop()
-sp.disable_function.function("include_once").drop()
-sp.disable_function.function("require").drop()
-sp.disable_function.function("include").drop()
-
-# Prevent `system`-related injections
-sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
-sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
-sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
-sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
-
-# Prevent runtime modification of interesting things
-sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
-sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
-sp.disable_function.function("ini_set").param("option").value("memory_limit").drop();
-sp.disable_function.function("ini_set").param("option").value("include_path").drop();
-sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
-
-# Detect some backdoors via environment recon
-sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop();
-sp.disable_function.function("ini_get").param("option").value("open_basedir").drop();
-sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop();
-sp.disable_function.function("function_exists").param("function").value("eval").drop();
-sp.disable_function.function("function_exists").param("function").value("exec").drop();
-sp.disable_function.function("function_exists").param("function").value("system").drop();
-sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
-sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
-sp.disable_function.function("function_exists").param("function").value("passthru").drop();
-sp.disable_function.function("is_callable").param("value").value("eval").drop();
-sp.disable_function.function("is_callable").param("value").value("exec").drop();
-sp.disable_function.function("is_callable").param("value").value("system").drop();
-sp.disable_function.function("is_callable").param("value").value("shell_exec").drop();
-sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
-sp.disable_function.function("is_callable").param("value").value("passthru").drop();
-
-# Ghetto error-based sqli detection
-# sp.disable_function.function("mysql_query").ret("FALSE").drop();
-# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
-# sp.disable_function.function("PDO::query").ret("FALSE").drop();
-
-# Ensure that certificates are properly verified
-sp.disable_function.function("curl_setopt").param("value").value("1").allow();
-sp.disable_function.function("curl_setopt").param("value").value("2").allow();
-# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
-sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
-sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
-
-# Ensure that file:// protocol is not allowed in CURL
-sp.disable_function.function("curl_setopt").param("value").value_r("file://").drop().alias("file:// protocol is disabled");
-sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled");
-
-# File upload
-sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
-sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
-
-# Logging lockdown
-sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
-sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop()
-sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()