Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:116848
Return-Path: <ayesh@php.watch>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 82412 invoked from network); 7 Jan 2022 17:26:08 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 7 Jan 2022 17:26:08 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 411191804C3
	for <internals@lists.php.net>; Fri,  7 Jan 2022 10:34:06 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS208722 37.140.128.0/18
X-Spam-Virus: No
X-Envelope-From: <ayesh@php.watch>
Received: from forward501o.mail.yandex.net (forward501o.mail.yandex.net [37.140.190.203])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri,  7 Jan 2022 10:34:05 -0800 (PST)
Received: from iva6-9c4bacd762e0.qloud-c.yandex.net (iva6-9c4bacd762e0.qloud-c.yandex.net [IPv6:2a02:6b8:c0c:9107:0:640:9c4b:acd7])
	by forward501o.mail.yandex.net (Yandex) with ESMTP id B8B1A45C48B4
	for <internals@lists.php.net>; Fri,  7 Jan 2022 21:34:02 +0300 (MSK)
Received: from iva6-2d18925256a6.qloud-c.yandex.net (iva6-2d18925256a6.qloud-c.yandex.net [2a02:6b8:c0c:7594:0:640:2d18:9252])
	by iva6-9c4bacd762e0.qloud-c.yandex.net (mxback/Yandex) with ESMTP id 89RW1nCnw1-Y2e820n0;
	Fri, 07 Jan 2022 21:34:02 +0300
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=php.watch; s=mail; t=1641580442;
	bh=NBOIYb53hbpVNuMQyu/JmQfDvJBg4q14FPTsQqfN7dI=;
	h=Subject:From:In-Reply-To:Date:References:Cc:To:Message-ID;
	b=IN1mlQAqiTw/AWcJykFSnwuova9vQ0HdCILmNVKWXGw+3vxO5qnKtTKaKnbFlQfFJ
	 PUxmgXcC5SoJ5dllcXPu+G2SXahMcvhnkqqC7PrigcSWvXB+P7g0LkAwjRK3mqJNvz
	 ouFcFCVyPjM27CHbwEH14o6NHnSwxax5HEB60NW8=
Authentication-Results: iva6-9c4bacd762e0.qloud-c.yandex.net; dkim=pass header.i=@php.watch
Received: by iva6-2d18925256a6.qloud-c.yandex.net (smtp/Yandex) with ESMTPSA id aJr0TrxyQ5-Y1PqDlKr;
	Fri, 07 Jan 2022 21:34:01 +0300
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client certificate not present)
X-Yandex-Fwd: 2
Received: by mail-ot1-f43.google.com with SMTP id o3-20020a9d4043000000b0058f31f4312fso7543959oti.1
        for <internals@lists.php.net>; Fri, 07 Jan 2022 10:34:01 -0800 (PST)
X-Gm-Message-State: AOAM532YVNgOvCT/fOC9wl/CAMAIu78hbNngVQVuRtoxdT06fC+oaJAG
	8cYtwCJocl2vrxISALFRxNhYUCmTA7Yaw2zSgeo=
X-Google-Smtp-Source: ABdhPJzVT++3CXGTwOY4/MhNwQth/R8wnq2hrWrtOYXDshrnUBdaGJIOejFNUHTYIddEgOWsMBFr3N7x4siuBWDkCgA=
X-Received: by 2002:a05:6830:2366:: with SMTP id r6mr47203899oth.376.1641580440395;
 Fri, 07 Jan 2022 10:34:00 -0800 (PST)
MIME-Version: 1.0
References: <77c88aeb-5792-b3f1-56bc-ffad95cf42ff@woltlab.com>
In-Reply-To: <77c88aeb-5792-b3f1-56bc-ffad95cf42ff@woltlab.com>
Date: Sat, 8 Jan 2022 00:03:32 +0530
X-Gmail-Original-Message-ID: <CANLbj-oEe_wXSrAUvYVv56F7asRSfNdeRBXO6PtJ-y1idQ-YRA@mail.gmail.com>
Message-ID: <CANLbj-oEe_wXSrAUvYVv56F7asRSfNdeRBXO6PtJ-y1idQ-YRA@mail.gmail.com>
To: =?UTF-8?Q?Tim_D=C3=BCsterhus=2C_WoltLab_GmbH?= <duesterhus@woltlab.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] Pre-RFC: Redacting parameters in back traces
 (SensitiveParameter Attribute)
From: ayesh@php.watch (Ayesh Karunaratne)

Hi Tim,
Thank you for opening the discussion. I personally find this feature
useful, and glancing at the diff, it looks like a rather
straightforward and minimal change.

FWIW, it is possible to selectively expose class properties in a class
object being `var_dump`-ed with the `__debugInfo` magic method, but it
is not used for stack traces.

For the RFC, someone with the permission to grant RFC karma should
grant it for you to start the RFC and open it for voting. You emailed
the right mailing list, I think someone will see this soon.
You can open a PR and start code reviews in the meantime.

Cheers,
Ayesh.

On Fri, Jan 7, 2022 at 11:40 PM Tim D=C3=BCsterhus, WoltLab GmbH
<duesterhus@woltlab.com> wrote:
>
> Hi Internals!
>
> PHP's stack traces in exceptions are very useful for debugging, because
> they include the original parameters for each stack frame, allowing the
> developer to see exactly what data is passed to a function call.
>
> Unfortunately sometimes this verbosity is a drawback. Specifically when
> sensitive values, such as credentials, are passed to a function and some
> other function deep down the call stack throws an Exception.
>
> One common "offender" is PDO which takes the database password as a
> constructor parameter and immediately attempts to connect to the
> database within the constructor, instead of having a pure constructor
> and a separate ->connect() method. Thus when the database connection
> fails the stack trace will include the database password:
>
> > PDOException: SQLSTATE[HY000] [2002] No such file or directory in /var/=
www/html/test.php:3
> > Stack trace:
> > #0 /var/www/html/test.php(3): PDO->__construct('mysql:host=3Dloca...', =
'root', 'password')
> > #1 {main}
> We're developing an application that is commonly self-hosted by
> laypersons at a shared hosting provider. This application includes an
> error log, logging any uncaught exception including its stack trace.
> Depending on the configuration by the customer it might also publicly
> print error details, because this eases debugging by the layperson
> administrator.
>
> To keep (database) credentials out of the log files - and more
> importantly hidden from any public visitors - our exception handler
> specifically scans the full stack trace for the PDO constructor to
> replace any parameters. More recently the exception handler was extended
> to also check each parameter via Reflection and redact any values for
> parameters called $password, $secret, and similar names. It also redacts
> any parameter having a `SensitiveArgument` attribute defined in our
> software.
>
> While this works reasonably well for any code we write, it does not work
> for non-stock exception handlers, e.g. loggers such as Sentry. It also
> cannot redact sensitive arguments in third party libraries that do not
> match one of the special-cased parameter names, because they won't have
> the SensitiveArgument attribute.
>
> For this reason we'd like to propose a *standardized* attribute to mark
> parameters as sensitive. This attribute can then be used by libraries to
> indicate their sensitive parameters.
>
> With regards to loggers our proposal would be that PHP itself performs
> the redaction when collecting the parameters for all stack frames.
> Specifically we propose that PHP will place an object of the
> SensitiveParameter class instead of the actual parameter value. This way
> an exception handler can easily detect which parameters have been
> redacted by performing an `instanceof SensitiveParameter` check.
>
> The `zend.exception_ignore_args` option is not an alternative in our
> opinion:
> - On shared webhosters, the customer might not be able to configure it.
> - The stack trace parameters are just too useful for debugging to
> completely strip them.
>
> The `zend.exception_string_param_max_len` option is not alternative eithe=
r:
> - Many sensitive values might already be fully exposed before they are
> truncated. This specifically includes end-user credentials which tend to
> be low-entropy and shortish.
>
> We have created a proof of concept implementation of our proposal at:
>
> https://github.com/php/php-src/compare/master...WoltLab:sensitive-paramet=
er
>
> For the RFC and the final implementation we would need assistance by
> someone who is more experienced in PHP internals and the RFC process.
>
> What our implementation already handles:
> - Redaction of ordered arguments.
> - Redaction of named arguments.
> - Redaction of variadic arguments.
>
> What's missing:
> - Adding arguments to native functions / methods / classes (e.g. PDO's
> constructor)
>
> Thank you all for reading through our proposal. We're happy to hear your
> feedback!
>
> I already registered a Wiki account (timwolla, duesterhus@woltlab.com)
> and would require RFC karma to proceed if you feel like the proposal is
> worthwhile writing up as an RFC.
>
> PS: It appears that the time on the ezmlm host is misconfigured. The
> email to confirm my subscription was dated 09:42:51 -0000, when it
> actually was 11:50:20 +0100 (i.e. off by 1 hour, 8 minutes).
>
> Best regards
> Tim D=C3=BCsterhus
> Developer WoltLab GmbH
>
> --
>
> WoltLab GmbH
> Nedlitzer Str. 27B
> 14469 Potsdam
>
> Tel.: +49 331 96784338
>
> duesterhus@woltlab.com
> www.woltlab.com
>
> Managing director:
> Marcel Werk
>
> AG Potsdam HRB 26795 P
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>