From 654552c14ba8c98a244f82f9b8f1225a68526efb Mon Sep 17 00:00:00 2001 From: Julien Voisin Date: Thu, 25 Mar 2021 18:55:27 +0000 Subject: Add PHP8 for linux distributions on the CI --- .../broken_conf_session_encryption_without_encryption_key.phpt | 1 + .../broken_conf_session_encryption_without_env_var.phpt | 1 + 2 files changed, 2 insertions(+) (limited to 'src/tests') diff --git a/src/tests/broken_configuration_php8/broken_conf_session_encryption_without_encryption_key.phpt b/src/tests/broken_configuration_php8/broken_conf_session_encryption_without_encryption_key.phpt index 046dc7d..62ee41e 100644 --- a/src/tests/broken_configuration_php8/broken_conf_session_encryption_without_encryption_key.phpt +++ b/src/tests/broken_configuration_php8/broken_conf_session_encryption_without_encryption_key.phpt @@ -6,6 +6,7 @@ Broken configuration - encrypted session without encryption key --INI-- sp.configuration_file={PWD}/config/broken_conf_session_encryption_without_encryption_key.ini --FILE-- +--XFAIL-- --EXPECT-- Fatal error: [snuffleupagus][0.0.0.0][config][log] You're trying to use the session cookie encryption feature on line 2 without having set the `.secret_key` option in`sp.global`: please set it first in Unknown on line 0 diff --git a/src/tests/broken_configuration_php8/broken_conf_session_encryption_without_env_var.phpt b/src/tests/broken_configuration_php8/broken_conf_session_encryption_without_env_var.phpt index bb0f212..5acc1cd 100644 --- a/src/tests/broken_configuration_php8/broken_conf_session_encryption_without_env_var.phpt +++ b/src/tests/broken_configuration_php8/broken_conf_session_encryption_without_env_var.phpt 
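Review bot: The `--XFAIL--` section inserted between `--FILE--` and `--EXPECT--` has no reason text, so the test is downgraded to an expected failure without recording why the fatal error for a missing `.secret_key` no longer fires on PHP 8. This test is the check that session-cookie encryption cannot be enabled without a key, and an expected failure means a later regression of that check on PHP 8 would not be reported. At minimum give the section a reason, e.g. `--XFAIL--` followed by `session encryption config check not yet ported to PHP 8, see [tracking issue placeholder]`; the `without_env_var.phpt` hunk on the next line has the same gap. The `--FILE--` body is not rendered in this view, so I cannot tell whether the section order is otherwise intact.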
@@ -6,6 +6,7 @@ Broken configuration - encrypted session without env var --INI-- sp.configuration_file={PWD}/config/broken_conf_session_encryption_without_env_var.ini --FILE-- +--XFAIL-- --EXPECT-- Fatal error: [snuffleupagus][0.0.0.0][config][log] You're trying to use the session cookie encryption feature on line 2 without having set the `.cookie_env_var` option in`sp.global`: please set it first in Unknown on line 0 -- cgit v1.3 From 7fc7743977905807b4c2fdcde183a219ace25ba9 Mon Sep 17 00:00:00 2001 From: Julien Voisin Date: Mon, 26 Apr 2021 22:25:50 +0200 Subject: Make it easier to figure functions parameters' names --- src/sp_var_value.c | 9 +++++++-- .../broken_configuration/broken_conf_config_invalid_param.phpt | 6 ++++++ 2 files changed, 13 insertions(+), 2 deletions(-) (limited to 'src/tests') diff --git a/src/sp_var_value.c b/src/sp_var_value.c index b9ac357..e351446 100644 --- a/src/sp_var_value.c +++ b/src/sp_var_value.c @@ -1,6 +1,7 @@ #include "php_snuffleupagus.h" -static zval *get_param_var(zend_execute_data *ed, const char *var_name) { +static zval *get_param_var(zend_execute_data *ed, const char *var_name, + bool print) { unsigned int nb_param = ed->func->common.num_args; for (unsigned int i = 0; i < nb_param; i++) { @@ -13,6 +14,9 @@ static zval *get_param_var(zend_execute_data *ed, const char *var_name) { if (0 == strcmp(arg_name, var_name)) { return ZEND_CALL_VAR_NUM(ed, i); } + if (print == true) { + sp_log_warn("config", " - %d parameter's name: '%s'", i, arg_name); + } } return NULL; } @@ -68,7 +72,7 @@ static zval *get_var_value(zend_execute_data *ed, const char *var_name, } if (is_param) { - zval *zvalue = get_param_var(ed, var_name); + zval *zvalue = get_param_var(ed, var_name, false); if (!zvalue) { char *complete_function_path = get_complete_function_path(ed); sp_log_warn("config", 
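Review bot: The new `sp_log_warn` call in `get_param_var` prints `i`, declared `unsigned int` in the loop header, with `%d`; the matching conversion is `%u`: `sp_log_warn("config", " - %u parameter's name: '%s'", i, arg_name);`. The `print` flag also turns a lookup into a lookup-or-log routine, which is why the third hunk (`@@ -76,6 +80,7 @@`) has to call `get_param_var` a second time and discard its result; a separate `static void log_param_names(zend_execute_data *ed)` used only on that failure path would keep the lookup pure and remove the flag, and `if (print == true)` reads more naturally as `if (print)`. The expected output in the `broken_conf_config_invalid_param.phpt` hunk places these warnings in the test script rather than at configuration load, which suggests the full parameter list is emitted on every call of the misconfigured function; if so, a comment at the call site noting that this is a per-call configuration diagnostic would help whoever tunes log volume. `get_var_value` begins and ends outside the hunks shown.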
@@ -76,6 +80,7 @@ static zval *get_var_value(zend_execute_data *ed, const char *var_name, "'%s' of the function '%s', but the parameter does " "not exists.", var_name, complete_function_path); + get_param_var(ed, var_name, true); efree(complete_function_path); return NULL; } diff --git a/src/tests/broken_configuration/broken_conf_config_invalid_param.phpt b/src/tests/broken_configuration/broken_conf_config_invalid_param.phpt index ac85dea..45ccf24 100644 --- a/src/tests/broken_configuration/broken_conf_config_invalid_param.phpt +++ b/src/tests/broken_configuration/broken_conf_config_invalid_param.phpt @@ -13,4 +13,10 @@ function foo($blah, $x = null, $y = null) { foo("qwe"); --EXPECTF-- Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'qwe' of the function 'foo', but the parameter does not exists. in %s/tests/broken_configuration/broken_conf_config_invalid_param.php on line %d + +Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'blah' in %s/tests/broken_configuration/broken_conf_config_invalid_param.php on line %d + +Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'x' in %s/tests/broken_configuration/broken_conf_config_invalid_param.php on line %d + +Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'y' in %s/tests/broken_configuration/broken_conf_config_invalid_param.php on line %d ok -- cgit v1.3 From 24e3f3d80a62fc32b986a2493d4d85be9aa6a6e2 Mon Sep 17 00:00:00 2001 From: Tristan Deloche Date: Tue, 27 Apr 2021 19:39:36 +0100 Subject: Fix SKIPIF output syntax error --- src/tests/deny_writable/deny_writable_execution_simulation.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/tests') diff --git a/src/tests/deny_writable/deny_writable_execution_simulation.phpt b/src/tests/deny_writable/deny_writable_execution_simulation.phpt index 30f8cb1..d4b8efc 100644 --- a/src/tests/deny_writable/deny_writable_execution_simulation.phpt 
+++ b/src/tests/deny_writable/deny_writable_execution_simulation.phpt @@ -3,7 +3,7 @@ Readonly execution attempt (simulation mode) --SKIPIF-- = 80000) print "skip"; ?> getElementsByTagName('testing')->item(0)->nodeVa ?> --EXPECTF-- +Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %s/tests/xxe/disable_xxe_dom_disabled.php on line %d libxml_disable_entity to true: WARNING, external entity loaded! + +Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %s/tests/xxe/disable_xxe_dom_disabled.php on line %d libxml_disable_entity to false: WARNING, external entity loaded! + +Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %s/tests/xxe/disable_xxe_dom_disabled.php on line %d without xxe: foo --CLEAN-- +--INI-- +sp.configuration_file={PWD}/config/disabled_functions.ini +--FILE-- + +--EXPECTF-- +%sfoo: not found +YES -- cgit v1.3 From d5adcd6d17afc7015011088d8af5a2094fb3370d Mon Sep 17 00:00:00 2001 From: jvoisin Date: Sun, 9 May 2021 18:10:41 +0200 Subject: Fix the testsuite on fedora --- src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/tests') diff --git a/src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt b/src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt index 580679c..fe8e73a 100644 --- a/src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt +++ b/src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt @@ -10,5 +10,5 @@ $gs = exec( 'foo' ); echo "YES"; ?> --EXPECTF-- -%sfoo: not found +%snot found YES -- cgit v1.3 From 8bd4d819012e4d426911c9f4a04e0f73bfe57888 Mon Sep 17 00:00:00 2001 
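Review bot: Loosening the expectation from `%sfoo: not found` to `%snot found` makes the test depend on an even less specific fragment of the shell's diagnostic, which is exactly the text that differs between distributions and prompted this fix. The test controls its own output, so asserting on what `exec` reports (its return value and the `$return_var` exit status) instead of the shell's stderr wording would hold on any system, e.g. `exec('foo', $out, $rc); var_dump($rc !== 0);` with `bool(true)` in `--EXPECTF--`. The `--FILE--` body of this test is only partly visible here, so treat the exact replacement as a sketch.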
From: jvoisin Date: Sun, 9 May 2021 18:20:01 +0200 Subject: Allow session-related things to fail on php8 for now --- src/tests/session_encryption/crypt_session_corrupted_session.phpt | 1 + src/tests/session_encryption/crypt_session_invalid.phpt | 1 + 2 files changed, 2 insertions(+) (limited to 'src/tests') diff --git a/src/tests/session_encryption/crypt_session_corrupted_session.phpt b/src/tests/session_encryption/crypt_session_corrupted_session.phpt index a89faf4..23f2580 100644 --- a/src/tests/session_encryption/crypt_session_corrupted_session.phpt +++ b/src/tests/session_encryption/crypt_session_corrupted_session.phpt @@ -2,6 +2,7 @@ Set a custom session handler --SKIPIF-- += 80000) print "skip"; ?> --INI-- sp.configuration_file={PWD}/config/config_crypt_session.ini session.save_path = "/tmp" diff --git a/src/tests/session_encryption/crypt_session_invalid.phpt b/src/tests/session_encryption/crypt_session_invalid.phpt index 9ec7c50..76fac5b 100644 --- a/src/tests/session_encryption/crypt_session_invalid.phpt +++ b/src/tests/session_encryption/crypt_session_invalid.phpt @@ -2,6 +2,7 @@ SESSION crypt and bad decrypt --SKIPIF-- += 80000) print "skip"; ?> --INI-- sp.configuration_file={PWD}/config/config_crypt_session.ini --ENV-- -- cgit v1.3 From 49d1664cd3708482c954ef4ffdddc54d3e7cbcf0 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Sun, 9 May 2021 18:26:33 +0200 Subject: Fix the testsuite on php7.4 --- src/tests/session_encryption/crypt_session_corrupted_session.phpt | 1 + src/tests/session_encryption/crypt_session_invalid.phpt | 1 + 2 files changed, 2 insertions(+) (limited to 'src/tests') diff --git a/src/tests/session_encryption/crypt_session_corrupted_session.phpt b/src/tests/session_encryption/crypt_session_corrupted_session.phpt index 23f2580..a97dbca 100644 --- a/src/tests/session_encryption/crypt_session_corrupted_session.phpt +++ b/src/tests/session_encryption/crypt_session_corrupted_session.phpt 
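Review bot: The added SKIPIF line prints a bare `skip` with no reason, so on PHP 8 the corrupted-session and invalid-decrypt tests disappear from the results without a trace of why. Together with the `--XFAIL--` markers added to the PHP 8 configuration tests earlier on this page, this leaves the session-encryption feature with no passing test on PHP 8; the commit message says "for now", so the skip text should carry that state, e.g. `print "skip: session encryption not yet working on PHP 8, see [tracking issue placeholder]"`. The `<?php …` prefix of the SKIPIF line is not rendered here, so I am reading the condition as `PHP_VERSION_ID >= 80000`; the `crypt_session_invalid.phpt` hunk has the same issue.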
@@ -3,6 +3,7 @@ Set a custom session handler --SKIPIF-- = 80000) print "skip"; ?> += 70400) print "skip"; ?> --INI-- sp.configuration_file={PWD}/config/config_crypt_session.ini session.save_path = "/tmp" diff --git a/src/tests/session_encryption/crypt_session_invalid.phpt b/src/tests/session_encryption/crypt_session_invalid.phpt index 76fac5b..967d9d1 100644 --- a/src/tests/session_encryption/crypt_session_invalid.phpt +++ b/src/tests/session_encryption/crypt_session_invalid.phpt @@ -3,6 +3,7 @@ SESSION crypt and bad decrypt --SKIPIF-- = 80000) print "skip"; ?> += 70400) print "skip"; ?> --INI-- sp.configuration_file={PWD}/config/config_crypt_session.ini --ENV-- -- cgit v1.3 From ec67149705739f9c13dc1f5dee335768cab3d7a0 Mon Sep 17 00:00:00 2001 From: WhiteWinterWolf Date: Sun, 9 May 2021 18:56:38 +0200 Subject: Fix disable function chmod --- config/default.rules | 5 +++-- config/default_php8.rules | 5 +++-- .../disable_function/config/disabled_functions_chmod.ini | 4 ++++ src/tests/disable_function/disabled_functions_chmod.phpt | 14 ++++++++++++++ .../disable_function/disabled_functions_chmod_php8.phpt | 14 ++++++++++++++ 5 files changed, 38 insertions(+), 4 deletions(-) create mode 100644 src/tests/disable_function/config/disabled_functions_chmod.ini create mode 100644 src/tests/disable_function/disabled_functions_chmod.phpt create mode 100644 src/tests/disable_function/disabled_functions_chmod_php8.phpt (limited to 'src/tests') diff --git a/config/default.rules b/config/default.rules index 74e1edb..ea65e01 100644 --- a/config/default.rules +++ b/config/default.rules 
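Review bot: The new `>= 70400` guard, added directly under the `>= 80000` guard from the previous commit, makes that earlier line dead (any version that satisfies the first already satisfies the second), and the net effect is that both session-encryption tests now run only on PHP < 7.4. The commit title calls this a fix, but nothing in the tests themselves changed; if the failure on 7.4 and 8 is a known defect, collapse the two lines into one guard that says so, `<?php if (PHP_VERSION_ID >= 70400) print "skip: session encryption broken on PHP >= 7.4, see [tracking issue placeholder]"; ?>`, so the remaining 7.3-only coverage is an explicit decision. I am inferring the `PHP_VERSION_ID >=` part of both lines, since the `<?php …` prefix is not rendered in this view; the `crypt_session_invalid.phpt` hunk on this line has the same pair of guards.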
@@ -33,8 +33,9 @@ sp.disable_xxe.enable(); # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery sp.cookie.name("PHPSESSID").samesite("lax"); -# Harden the `chmod` function -sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop(); +# Harden the `chmod` function (0777 (oct = 511, 0666 = 438) +sp.disable_function.function("chmod").param("mode").value("438").drop(); +sp.disable_function.function("chmod").param("mode").value("511").drop(); # Prevent various `mail`-related vulnerabilities sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); diff --git a/config/default_php8.rules b/config/default_php8.rules index 893bfbc..c024176 100644 --- a/config/default_php8.rules +++ b/config/default_php8.rules @@ -34,8 +34,9 @@ sp.disable_xxe.enable(); # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery sp.cookie.name("PHPSESSID").samesite("lax"); -# Harden the `chmod` function -sp.disable_function.function("chmod").param("permissions").value_r("^[0-9]{2}[67]$").drop(); +# Harden the `chmod` function (0777 (oct = 511, 0666 = 438) +sp.disable_function.function("chmod").param("permissions").value("438").drop(); +sp.disable_function.function("chmod").param("permissions").value("511").drop(); # Prevent various `mail`-related vulnerabilities sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); diff --git a/src/tests/disable_function/config/disabled_functions_chmod.ini b/src/tests/disable_function/config/disabled_functions_chmod.ini new file mode 100644 index 0000000..e601900 --- /dev/null +++ b/src/tests/disable_function/config/disabled_functions_chmod.ini @@ -0,0 +1,4 @@ +# PHP7 and below +sp.disable_function.function("chmod").param("mode").value("511").drop(); +# PHP8 +sp.disable_function.function("chmod").param("permissions").value("511").drop(); 
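Review bot: The replacement rules drop `chmod` only for the exact values `511` (0777) and `438` (0666), so any other mode that grants write access to others — `0776`, `0767`, `0707`, or `0777` combined with a setuid/setgid/sticky bit — passes the hardening untouched; the removed `value_r("^[0-9]{2}[67]$")` was wrong for a different reason (it tested the decimal string of the mode, so `0777` as `511` never matched), but the fix narrows rather than restores the intent. Assuming `.value()` compares the decimal rendering of the integer argument, as the two literals suggest, the comment should state what is and is not covered so operators do not read it as a general world-writable check, and its parenthesis is unbalanced: `# Harden chmod: drop the exact modes 0777 (= 511) and 0666 (= 438); other world-writable modes are not covered`. The `default_php8.rules` hunk carries the same two rules and comment.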
diff --git a/src/tests/disable_function/disabled_functions_chmod.phpt b/src/tests/disable_function/disabled_functions_chmod.phpt new file mode 100644 index 0000000..28f948d --- /dev/null +++ b/src/tests/disable_function/disabled_functions_chmod.phpt @@ -0,0 +1,14 @@ +--TEST-- +Disable functions - chmod +--SKIPIF-- + += 80000) print "skip"; ?> +--INI-- +sp.configuration_file={PWD}/config/disabled_functions_chmod.ini +--FILE-- + +--XFAIL-- +--EXPECTF-- +Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'chmod', because its argument '$mode' content (511) matched a rule in %a/disabled_function_chmod.php on line %d diff --git a/src/tests/disable_function/disabled_functions_chmod_php8.phpt b/src/tests/disable_function/disabled_functions_chmod_php8.phpt new file mode 100644 index 0000000..71bb034 --- /dev/null +++ b/src/tests/disable_function/disabled_functions_chmod_php8.phpt @@ -0,0 +1,14 @@ +--TEST-- +Disable functions - chmod, in php8 +--SKIPIF-- + + +--INI-- +sp.configuration_file={PWD}/config/disabled_functions_chmod.ini +--FILE-- + +--XFAIL-- +--EXPECTF-- +Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'chmod', because its argument '$permissions' content (511) matched a rule in %a/disabled_function_chmod_php8.php on line %d -- cgit v1.3
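Review bot: The `--EXPECTF--` line of the new `disabled_functions_chmod.phpt` expects the fatal error `in %a/disabled_function_chmod.php`, but the script generated from a test is named after the `.phpt`, i.e. `disabled_functions_chmod.php` (plural), so the expectation cannot match; the `_php8` variant has the same mismatch with `disabled_function_chmod_php8.php`. That is presumably why both brand-new tests carry `--XFAIL--`, which means neither verifies that the `chmod` rule fires; correct the path, `... matched a rule in %a/disabled_functions_chmod.php on line %d`, and remove the `--XFAIL--` section once it passes. The shared `disabled_functions_chmod.ini` declares the rule on both `mode` and `permissions`, so on any one PHP version one rule names a parameter that does not exist; given the warning added to `get_param_var` earlier on this page, that may add a `Warning:` line to the output that `--EXPECTF--` does not list. The `--FILE--` and `--SKIPIF--` bodies are not rendered here, so the version gating of each variant is inferred.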