Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:124795 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 3AC441A00B7 for ; Tue, 6 Aug 2024 08:41:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1722933820; bh=MgLGXukPTD6/q+U5XUaZ8P9RWvBVFJkM4IVTM8Q8aMs=; h=Subject:From:To:Date:In-Reply-To:References:From; b=Y5hLM7f+bbXq/YAKi+A/rHuFYcyzrw9JKi/zX383oDdUG0R5HcMbvPnxHp8rk1lCS 1daJBxUE5uWPWi0/ooR39gsKaKAzxrUIl4AjHxY3wNb8xj4dbsPakRP9ZLhg75O+Xw ollOk6hPa+URXTHtCdwi44neVSrQUQ2/34UFQiQyl01TvUxVYNoC69M7imXei8ZzKz jdirK470KRvgMuR+cTvzp/K1aY68tj6HcEfW9j7EItr9HHppaWcAmcWs1fXMom8guT hiL5stLHxjysJVOO+JYXw4CT6DC/HOiKKN+Owwdst0BvVnQYyKNVQxK0v7IqQn/hc/ wx3xU99TGL8Hw== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id CF7BF180077 for ; Tue, 6 Aug 2024 08:43:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_PASS, SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from ageofdream.com (ageofdream.com [45.33.21.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 6 Aug 2024 08:43:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ageofdream.com; s=ageofdream; t=1722933716; bh=MgLGXukPTD6/q+U5XUaZ8P9RWvBVFJkM4IVTM8Q8aMs=; h=Subject:From:To:Date:In-Reply-To:References:From; b=zBkFJt5X4Pi/kHkWXBeadIuXUk9elBnf3ZJJDo0szMS2biAi94tplR3t8k6PbR7AA ZYOqA8kqqWKgYRhXKvpur4FmR6LHUDVWTlp0hVU4ECnSBP8b8ZiEr80w8T7MoGF+8S C/rC90y5T8iCQrDzvAlFYv1dYDUgo6+z7ww3xh0kRw41NoAR/rPM+drfXiSf/qnEsw AyymARauhj9YgrQFC0Oo0GdWktSR2DFgcVK+OiClurpvUg3NV9LKwVzfeOPvqAMhw6 ASheA0YkkPvsbDlWZAwGOrHjaYXnn5Gk/QyzxjwuwyNPIGaXToAVV0IIIPnW1Hb4n+ av4m4LxhwNVdQ== Received: from [192.168.1.7] (unknown [72.255.193.122]) by ageofdream.com (Postfix) with ESMTPSA id CC54725090 for ; Tue, 6 Aug 2024 04:41:56 -0400 (EDT) Message-ID: Subject: Re: [PHP-DEV] [Discussion] Sandbox API To: internals@lists.php.net Date: Tue, 06 Aug 2024 04:41:56 -0400 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.46.4-2 Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 From: lists@ageofdream.com (Nick Lockheart) Sandbox: Security A SandBox has two use cases: 1. Unit Testing of code with mocks or stubs, and also, allowing testing with different environments. 2. The secure running of 3rd party code inside a 1st party application. For the second use case, I will use a fictional blogging software called "Hot Blog" as the example. Hot Blog is a very popular Open Source blogging platform. Hot Blog allows third party developers to write plugins. While many Hot Blog plugin developers have the best of intentions, some of them are novice coders that make security mistakes. So let's talk about how Hot Blog could benefit from using the new SandBox API. By default, a SandBox instance is a blank slate. There's nothing inside of it, unless the SandBox is told to have something in it. That means that sandboxed code that tries to read $_SESSION will find an empty array. Same with $_SERVER, $_POST, and $_GET. That's by default. This allows the code that controls the sandbox to create custom access to application level resources. Let's say that Hot Blog wants plugin developers to be able to access certain $_POST variables, but only *after* Hot Blog has checked the strings for multi-byte attack vulnerabilities. To do this, Hot Blog creates a class called PluginAPI with a GetCleanPost method. This lets sandboxed plugins get $_POST data without being able to bypass Hot Blog's mandatory security check. (Remember, $_POST is empty inside the sandbox). The code looks like this: $oSandbox =3D new SPLSandBox(); $oSandbox->MockClass('\HotBlog\PluginAPI','\HotBlog\PluginAPI'); $oUserPlugin =3D $oSandbox->GetInstance('BobsMagicPlugin'); $oUserPlugin->Run(); Because "Bob" has written his plugin as a Hot Blog plugin and knows that Hot Blog's rules require him to use \HotBlog\PluginAPI::GetCleanPost() to access a $_POST variable, he calls that instead of using $_POST. Now, Hot Blog can impose mandatory security checks on incoming data making their application more secure. Next, let's talk about includes. By default, if sandboxed code tries to include or require a file, a SandBoxAccessViolation is thrown. Letting sandboxed code include whatever it wants defeats the point of a sandbox, at least for security use cases. Of course, includes are useful, and plugins may need them. But the outer application should be able to control that access. Enter SPLSandBox::RegisterIncludeHandler(). RegisterIncludeHandler accepts a callable. The callable's signature is: (int $IncludeType, string $FileName, string $FilePath) Where: $IncludeType is: 0 - require 1 - require_once 2 - include 3 - include_once $FileName is the file without the path, and $FilePath is the path with trailing `/`. If the sandbox should allow includes, the sandbox should have an Include Handler registered. The SandBox API calls the include handler, if defined, when sandboxed code tries to include or require files. Let's setup a function so our plugin authors can include files, but only from their own plugin directory: // Sandbox setup for includes: $oSandbox =3D new SPLSandBox(); $oSandbox->RegisterIncludeHandler('HotBlogInclude'); $oUserPlugin =3D $oSandbox->GetInstance('BobsMagicPlugin'); $oUserPlugin->Run(); // Include Handler: function HotBlogInclude($Type, $FileName, $FilePath){ =20 if(file_exists($PluginDirectoy.$FileName)){ $oSandbox->Include($PluginDirectoy.$FileName); return 0; } return 1; // error! } In the above example, $FilePath contained the path that Bob requested with his include statement. But we ignored it! Bob is only allowed to include from his plugin's own directory, so we see if the file is in $PluginDirectoy instead. If the file is in Bob's directory, we include it *into* the sandbox with SPLSandBox::Include(), making it available to Bob's code, but keeping the main application code clean of any registrations the include may cause. ** Back to Unit Testing ** For the Unit Testing use case, however, certain code under test may normally read from $_GET, and that shouldn't change under test. In this next example, we are running a unit test on a FrontController class, and we want to see if it works with many different URL structures. Normally, the web server will map example.com/a/b/c to $_GET vars, so the FrontController class expects something like: $_GET =3D [ 'a' =3D> 'Forum', 'b' =3D> 'Post' 'c' =3D> '123' ]; Let's make sure our FrontController is doing everything right with a battery of tests: $aControllerTests =3D [ ['Forum','Post','123'], ['Blog','Post','123'], ['Article','acb'], ['Cart','Product','723'], ['Cart','Category','Jeans'] ]; $aTestResults =3D []; foreach($aControllerTests as $TestID =3D> $GetVars){ $oSandbox =3D new SPLSandBox(); $oSandbox->MockGlobal('$_GET',$GetVars); =20 $oController =3D $oSandbox->GetInstance('FrontController'); $aTestResults[$TestID] =3D $oController->Init(); $oSandbox->Destroy(); } SPLSandBox::MockGlobal() lets us set global variables (including super globals) inside the sandbox. Now, $aTestResults contains the results of each test, run with separate $_GET parameters. With this structure, you could get **every** valid URL from a database and run a unit test with custom $_GET params on your FrontController to make sure everything works.