Download the PHP package outcompute/phpwatchdog without Composer
On this page you can find all versions of the php package outcompute/phpwatchdog. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download outcompute/phpwatchdog
More information about outcompute/phpwatchdog
Files in outcompute/phpwatchdog
Package phpwatchdog
Short Description Apply fine grained execution and file access policies in PHP and block malicious scripts from execution.
License MIT
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package phpwatchdog
PHPWatchDog
(based on AOP-PHP/AOP)
PHPWatchDog allows you to create fine grained access policies for function & method calls, and restrict file accesses. Although you can always set file permissions in your OS, and use disable_functions to disable certain functions throughout your PHP environment, but this library allows you to replicate that behaviour, but control it on a per-scope basis. For example, you can restrict access to json_encode() to the method encode() in class CustomJSONEncoder by including the following line as early in your code as possible.
The above block will setup PHPWatchDog to throw an Exception every time json_encode is accessed from outside the scope of the method, CustomJSONEncoder->encode(). Similarly, you can also limit read/write access to specific files from specific scopes, like this:
Note: Any function that executes code, or enables executing code in the current context (eg.: eval()) will be monitored by this library, whereas code executed by breaking out of the context of the current execution process (eg.: exec()) will not be monitored by this library.
What is Aspect Oriented Programming(AOP)?
The above features are achieved using this AOP library which implements AOP in PHP. It is strongly recommended that you read up about AOP from the links provided, however a simplification is provided here. AOP enables the programmer to specify a function to be executed when a specific event in execution occurs, and the event can be any function or method call. The PHPWatchDog library presented here uses AOP and enables the user of the library to specify access policies as a PHP associative array, and based on the array sets up the pointcuts. In the first example provided above, the library will monitor every json_encode call, and checks to see if the scope and filename from where the call originated matches any 'except' rule, and after consulting every except and default filter, takes an action to either block or allow the execution to proceed. The AOP library used is a great tool in itself, and has far more features than have been used here. You can read more about its features here.
How To Use
There are a few recommendations to use this library, as listed below:
- You will need to install the AOP extension for your PHP installation, the steps for which are provided here. It is recommended not to use the pecl install route. and instead compile it on your own system. The master branch has been tested on RedHat/Debian for PHP versions 5.4, 5.5 & 5.6 and they compile without issues. Further below, this document also lists steps to get the Docker images which come pre-installed and configured with the AOP extension, PHP & PHPUnit.
- Do not assign the result of the configure call to a variable. This will prevent any malicious code to delete it. The Main class is implemented as a singleton, and as such, the properties get set once you call configure() with valid parameters.
-
Try to call Main::configure as early in your execution as possible to prevent any code from disabling AOP, trying to block the execution, or install measures to circumvent the effects of this library. The fully qualified class name, and arguments are like so:
- Be careful when you create a watchlist of methods, as it is possible to create a access policy which interferes with the very execution of this library as the library uses some PHP functions.
NOTE: This is still in a proof-of-concept state, and use in production systems is discouraged. However, you are encouraged to use it, invalidate the concept with proofs, to find bugs or extend it.
Pre-built Docker images
3 Debian based Docker images with different versions of PHP(5.4, 5.5 & 5.6) alongwith the AOP extension & PHPUnit are also available here. You can use the docker images, for example to run the PHPUnit tests, like so:
PHP5.6:
PHP5.5:
PHP5.4:
Use Cases
Several attack vectors inject code by uploading malicious files, or executing arbitrary code to overwrite valid code with their own attack vectors. PHPWatchDog can be used to prevent this, and also limit the execution of any code not explicitly permitted. You can load PHPWatchDog by using the auto_prepend_file configuration in either .htaccess or the VirtualHost block and have your access policy enforced on all scripts as a default.
TODO
- Gather feedback & validate the concept
License
MIT
