Newsgroups: php.internals
Date: Wed, 7 Aug 2024 13:11:50 +0200
Subject: Re: [PHP-DEV] [Discussion] Sandbox API
To: Niels Dossche, internals@lists.php.net
Cc: Nick Lockheart
In-Reply-To: <7d9a9752-a202-4099-a60a-2686d4265d96@gmail.com>
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 06.08.2024 at 20:59, Niels Dossche wrote:

> On 06/08/2024 10:41, Nick Lockheart wrote:
>>
>> Sandbox: Security
>>
>> A SandBox has two use cases:
>>
>> 1. Unit Testing of code with mocks or stubs, and also, allowing testing
>> with different environments.
>>
>> 2. The secure running of 3rd party code inside a 1st party application.
>
> The use-case of securely running 3rd party code inside your application is impossible at this moment, and will still be impossible after a sandbox API is introduced.
> The reason is that the PHP interpreter as it is today is not memory safe. It is relatively easy to cause memory corruption by only using PHP code by abusing things like custom error handlers set from userland. This in turn can be used to gain arbitrary read/write primitives which has been shown to circumvent disable_functions & open_basedir, and some PoCs can even run arbitrary commands. It would be doable to extend these tricks to circumvent a sandboxing API.
> As such, a sandboxing API for securely executing 3rd party code is only possible after the interpreter has become memory safe.
> Although some work has been done in PHP 8.3 to plug many of these memory safety bugs in the VM, much more work remains and would likely require complicated changes.
> So therefore I propose to only focus on the mocking functionality of your proposal for now, until the time comes that the interpreter is memory safe.
> I would therefore also not call it "sandbox".

I concur. The old did provide a "sandbox" feature, but that had not been ported to , possibly for exactly these reasons.

> Introducing a sandbox API for security also opens up a can of worms for the security policy.
> Right now we are assuming an attacker model of a remote attacker, and that the code running on your server is trusted.
> But that would change when an official sandbox API is introduced.

Christoph