Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:116847
Return-Path: <duesterhus@woltlab.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 79594 invoked from network); 7 Jan 2022 17:02:47 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 7 Jan 2022 17:02:47 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 95A131804C3
	for <internals@lists.php.net>; Fri,  7 Jan 2022 10:10:45 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS199118 195.10.208.0/24
X-Spam-Virus: No
X-Envelope-From: <duesterhus@woltlab.com>
Received: from mout-b-203.mailbox.org (mout-b-203.mailbox.org [195.10.208.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri,  7 Jan 2022 10:10:44 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:105:465:1:1:0])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mout-b-203.mailbox.org (Postfix) with ESMTPS id 4JVrqk5HPGzQkW4
	for <internals@lists.php.net>; Fri,  7 Jan 2022 19:10:42 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=woltlab.com; s=MBO0001;
	t=1641579040;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=qfMrqPt2k4gbh65w6X31HkPxqtc7RPSIz5ntAk/MloY=;
	b=Ytc+Z55lcanQtFHGtA3JajtYIiGhqsm0cD/LOWJH9YnVy9PBfx/s5oATRxh+TEN60Tu0Xs
	ZOmmbBVsKR8I7WMyG4TFtsKip1XyvSu6PrT8+AbcTjjiz2Cn8mXsqlE6y+0C2QzYxcMYNc
	9g1x1NiZOzTLTh4dbLqOuZA1vO3l9YycyBm2FslnZhu/iAyYk908XQ8u/tDDhdrl5VL28p
	yMpBihDk6E5WRLgWcJPJ/sXSlbE02wFVni2pIOQ1MP+oZNdLccStcWb74QlgaZ8CBouvIy
	5GWnWLRnfXpa0//mOM4oaEnZQry5Kf6bGioO5SSMkpxRas+conOtwe57bJG5QA==
To: PHP internals <internals@lists.php.net>
Message-ID: <77c88aeb-5792-b3f1-56bc-ffad95cf42ff@woltlab.com>
Date: Fri, 7 Jan 2022 19:10:36 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Subject: Pre-RFC: Redacting parameters in back traces (SensitiveParameter
 Attribute)
From: duesterhus@woltlab.com (=?UTF-8?Q?Tim_D=c3=bcsterhus=2c_WoltLab_GmbH?=)

Hi Internals!

PHP's stack traces in exceptions are very useful for debugging, because 
they include the original parameters for each stack frame, allowing the 
developer to see exactly what data is passed to a function call.

Unfortunately sometimes this verbosity is a drawback. Specifically when 
sensitive values, such as credentials, are passed to a function and some 
other function deep down the call stack throws an Exception.

One common "offender" is PDO which takes the database password as a 
constructor parameter and immediately attempts to connect to the 
database within the constructor, instead of having a pure constructor 
and a separate ->connect() method. Thus when the database connection 
fails the stack trace will include the database password:

> PDOException: SQLSTATE[HY000] [2002] No such file or directory in /var/www/html/test.php:3
> Stack trace:
> #0 /var/www/html/test.php(3): PDO->__construct('mysql:host=loca...', 'root', 'password')
> #1 {main}
We're developing an application that is commonly self-hosted by 
laypersons at a shared hosting provider. This application includes an 
error log, logging any uncaught exception including its stack trace. 
Depending on the configuration by the customer it might also publicly 
print error details, because this eases debugging by the layperson 
administrator.

To keep (database) credentials out of the log files - and more 
importantly hidden from any public visitors - our exception handler 
specifically scans the full stack trace for the PDO constructor to 
replace any parameters. More recently the exception handler was extended 
to also check each parameter via Reflection and redact any values for 
parameters called $password, $secret, and similar names. It also redacts 
any parameter having a `SensitiveArgument` attribute defined in our 
software.

While this works reasonably well for any code we write, it does not work 
for non-stock exception handlers, e.g. loggers such as Sentry. It also 
cannot redact sensitive arguments in third party libraries that do not 
match one of the special-cased parameter names, because they won't have 
the SensitiveArgument attribute.

For this reason we'd like to propose a *standardized* attribute to mark 
parameters as sensitive. This attribute can then be used by libraries to 
indicate their sensitive parameters.

With regards to loggers our proposal would be that PHP itself performs 
the redaction when collecting the parameters for all stack frames. 
Specifically we propose that PHP will place an object of the 
SensitiveParameter class instead of the actual parameter value. This way 
an exception handler can easily detect which parameters have been 
redacted by performing an `instanceof SensitiveParameter` check.

The `zend.exception_ignore_args` option is not an alternative in our 
opinion:
- On shared webhosters, the customer might not be able to configure it.
- The stack trace parameters are just too useful for debugging to 
completely strip them.

The `zend.exception_string_param_max_len` option is not alternative either:
- Many sensitive values might already be fully exposed before they are 
truncated. This specifically includes end-user credentials which tend to 
be low-entropy and shortish.

We have created a proof of concept implementation of our proposal at:

https://github.com/php/php-src/compare/master...WoltLab:sensitive-parameter

For the RFC and the final implementation we would need assistance by 
someone who is more experienced in PHP internals and the RFC process.

What our implementation already handles:
- Redaction of ordered arguments.
- Redaction of named arguments.
- Redaction of variadic arguments.

What's missing:
- Adding arguments to native functions / methods / classes (e.g. PDO's 
constructor)

Thank you all for reading through our proposal. We're happy to hear your 
feedback!

I already registered a Wiki account (timwolla, duesterhus@woltlab.com) 
and would require RFC karma to proceed if you feel like the proposal is 
worthwhile writing up as an RFC.

PS: It appears that the time on the ezmlm host is misconfigured. The 
email to confirm my subscription was dated 09:42:51 -0000, when it 
actually was 11:50:20 +0100 (i.e. off by 1 hour, 8 minutes).

Best regards
Tim Düsterhus
Developer WoltLab GmbH

-- 

WoltLab GmbH
Nedlitzer Str. 27B
14469 Potsdam

Tel.: +49 331 96784338

duesterhus@woltlab.com
www.woltlab.com

Managing director:
Marcel Werk

AG Potsdam HRB 26795 P