Name | Date | Size | #Lines | LOC
---|---|---|---|---
config/ | 02-Jan-2021 | - | 237 | 187
debian/ | 02-Jan-2021 | - | 227 | 175
doc/ | 02-Jan-2021 | - | 2,269 | 1,516
scripts/ | 02-Jan-2021 | - | 146 | 117
slides/ | 03-May-2022 | - | |
src/ | 02-Jan-2021 | - | 15,507 | 13,157
.gitattributes | 02-Jan-2021 | 38 | 2 | 1
.gitignore | 02-Jan-2021 | 707 | 49 | 47
.gitlab-ci.yml | 02-Jan-2021 | 686 | 45 | 36
.mailmap | 02-Jan-2021 | 1.2 KiB | 29 | 21
CONTRIBUTING.md | 02-Jan-2021 | 5.6 KiB | 147 | 107
LICENSE | 02-Jan-2021 | 7.5 KiB | 166 | 128
Makefile | 02-Jan-2021 | 2.4 KiB | 65 | 52
PKGBUILD | 02-Jan-2021 | 1,007 | 35 | 30
README.md | 02-Jan-2021 | 5.2 KiB | 118 | 99
README.md
<h1 align="center">
  <br>
  <a href="https://snuffleupagus.readthedocs.io/">
    <img src="https://github.com/jvoisin/snuffleupagus/raw/master/doc/source/_static/sp.png" alt="Snuffleupagus' logo" width="200"></a>
  <br>
  Snuffleupagus
  <br>
</h1>

<h4 align="center">Security module for php7 - Killing bug classes and virtual-patching the rest!</h4>

<p align="center">
  <a href="https://gitlab.com/jvoisin/snuffleupagus/commits/master">
    <img src="https://gitlab.com/jvoisin/snuffleupagus/badges/master/pipeline.svg"
         alt="gitlab pipeline testing _all_ distributions" />
  </a>
  <a href="https://scan.coverity.com/projects/jvoisin-snuffleupagus">
    <img src="https://scan.coverity.com/projects/13821/badge.svg?flat=1"
         alt="Coverity">
  </a>
  <a href="https://bestpractices.coreinfrastructure.org/projects/1267">
    <img src="https://bestpractices.coreinfrastructure.org/projects/1267/badge"
         alt="CII Best Practices">
  </a>
  <a href="http://snuffleupagus.readthedocs.io/?badge=latest">
    <img src="https://readthedocs.org/projects/snuffleupagus/badge/?version=latest"
         alt="readthedocs.org">
  </a>
  <a href="https://coveralls.io/github/jvoisin/snuffleupagus?branch=master">
    <img src="https://coveralls.io/repos/github/jvoisin/snuffleupagus/badge.svg?branch=master"
         alt="coveralls">
  </a>
  <a href="https://twitter.com/sp_php">
    <img src="https://img.shields.io/badge/twitter-follow-blue.svg"
         alt="twitter">
  </a>
</p>

<p align="center">
  <a href="#key-features">Key Features</a> •
  <a href="#download">Download</a> •
  <a href="#examples">Examples</a> •
  <a href="https://snuffleupagus.readthedocs.io/">Documentation</a> •
  <a href="https://github.com/jvoisin/snuffleupagus/blob/master/LICENSE">License</a> •
  <a href="#thanks">Thanks</a>
</p>

Snuffleupagus is a [PHP 7+](https://secure.php.net/) module designed to
drastically raise the cost of attacks against websites, by killing entire bug
classes. It also provides a powerful virtual-patching system, allowing
administrators to fix specific vulnerabilities and audit suspicious behaviours
without having to touch the PHP code.

## Key Features

* No [noticeable performance impact](https://dustri.org/b/snuffleupagus-030-dentalium-elephantinum.html)
* Powerful yet simple to write virtual-patching rules
* Killing several classes of vulnerabilities
  * [Unserialize-based](https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf) code execution
  * [`mail`-based](https://blog.ripstech.com/2016/roundcube-command-execution-via-email/) code execution
  * Cookie-stealing [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting)
  * File-upload based code execution
  * Weak PRNG
  * [XXE](https://en.wikipedia.org/wiki/XML_external_entity_attack)
* Several hardening features
  * Automatic `secure` and `samesite` flags for cookies
  * Bundled set of rules to detect post-compromise behaviours
  * Global [strict mode](https://secure.php.net/manual/en/migration70.new-features.php#migration70.new-features.scalar-type-declarations) and type-juggling prevention
  * Whitelisting of [stream wrappers](https://secure.php.net/manual/en/intro.stream.php)
  * Preventing execution of writeable files
  * Whitelist/blacklist for `eval`
  * Enforcing TLS certificate validation when using [curl](https://secure.php.net/manual/en/book.curl.php)
  * Request dumping capability
* A relatively sane code base:
  * A [comprehensive](https://coveralls.io/github/jvoisin/snuffleupagus?branch=master) test suite close to 100% coverage
  * Every commit is tested on [several distributions](https://gitlab.com/jvoisin/snuffleupagus/pipelines)
  * A `clang-format`-enforced code style
  * A [comprehensive documentation](https://snuffleupagus.rtfd.io)
  * Usage of [coverity](https://scan.coverity.com/projects/jvoisin-snuffleupagus)

## Download

We've got a [download
page](https://snuffleupagus.readthedocs.io/download.html), where you can find
packages for your distribution, but you can of course just `git clone` this
repo, or check the releases on [github](https://github.com/jvoisin/snuffleupagus/releases).

## Examples

We're providing [various example rules](https://github.com/jvoisin/snuffleupagus/tree/master/config),
that look like this:

```python
# Harden the `chmod` function
sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();

# Mitigate command injection in `system`
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();
```

Upon violation of a rule, you should see lines like this in your logs (this
one comes from a rule matching the return value of `strpos`):

```
[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in /var/www/index.php:2, because the return value (0) of the function 'strpos' matched a rule.
```

## Documentation

We've got a [comprehensive website](https://snuffleupagus.readthedocs.io/) with
all the documentation that you could possibly wish for. You can of course
[build it yourself](https://github.com/jvoisin/snuffleupagus/tree/master/doc).

## Thanks

Many thanks to the [Suhosin project](https://suhosin.org) for being a __huge__
source of inspiration, and to all [our
contributors](https://github.com/jvoisin/snuffleupagus/graphs/contributors).
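The `system` rule quoted in the Examples section, seen from the PHP side. This is an added example and not code from the Snuffleupagus project: it pairs a vulnerable command-injection sink with a hardened one, and re-evaluates the rule's regex locally to show which inputs the rule would drop. The `ruleWouldDrop` helper and the `buildPing*` functions are illustration only, not module APIs; in a real deployment the module performs the check itself and aborts the request.

```php
<?php
// Added example for the "Examples" section of this README. It is not part of
// Snuffleupagus itself: it shows the kind of code the `system` rule quoted
// there targets, which inputs the rule's regex catches, and what a hardened
// version of the same code looks like.
//
// Rule from the README:
//   sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();

declare(strict_types=1);

// Vulnerable: attacker-controlled input is concatenated into a shell command.
// An input such as "127.0.0.1; id" runs `id` after the ping.
function buildPingVulnerable(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// Hardened: validate the input against the shape a hostname can have, then
// quote it. Validation is what keeps metacharacters out of the command line;
// escapeshellarg() alone would keep them in (quoted), and the character-based
// rule above would still drop the call.
function buildPingHardened(string $host): string
{
    if (preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host) !== 1) {
        throw new InvalidArgumentException('rejected host: ' . json_encode($host));
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Local re-evaluation of the rule's regex against the would-be `command`
// argument. Illustration helper only, not a Snuffleupagus API: in production
// the module does this check itself and aborts the request with .drop().
function ruleWouldDrop(string $command): bool
{
    return preg_match('/[$|;&`\n]/', $command) === 1;
}

// Constructed sample inputs.
$inputs = [
    '127.0.0.1',       // benign
    '127.0.0.1; id',   // ';' chains a second command
    "127.0.0.1\nid",   // a newline separates commands in sh as well
    '$(id)',           // command substitution
    'a|b',             // pipe
];

foreach ($inputs as $input) {
    $vulnerable = buildPingVulnerable($input);
    try {
        $hardened = buildPingHardened($input);
    } catch (InvalidArgumentException $e) {
        $hardened = $e->getMessage();
    }
    printf("input=%-18s rule drops vulnerable call: %-3s hardened: %s\n",
        json_encode($input),
        ruleWouldDrop($vulnerable) ? 'yes' : 'no',
        $hardened);
}
// Only the first input reaches system() in the hardened version; for the rest
// the request fails before any shell is spawned, which is the outcome you
// want, with the Snuffleupagus rule left as a second line of defence.
```

Two things worth noticing when running this: the rule fires on characters, not on shell semantics, so a legitimately quoted argument containing `&` or `|` would be dropped just the same, and a newline is as effective a command separator as `;`, which is why the rule's character class includes `\n`. Treat the virtual patch as a backstop for code you cannot fix yet, and fix the sink itself where you can.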