Fix blocking on PHP 7.0-7.1 ZTS

cataphract · cataphract · commit 6965136abcd4 · 2024-02-02T08:56:29.000Z
diff --git a/appsec/src/extension/commands/request_exec.c b/appsec/src/extension/commands/request_exec.c
@@ -38,7 +38,7 @@ dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data)
 
     struct ctx ctx = {.data = data};
 
-    return dd_command_exec(conn, &_spec, &ctx);
+    return dd_command_exec_req_info(conn, &_spec, &ctx.req_info);
 }
 
 static dd_result _pack_command(mpack_writer_t *nonnull w, void *nonnull _ctx)
diff --git a/appsec/src/extension/commands/request_init.c b/appsec/src/extension/commands/request_init.c
@@ -44,7 +44,7 @@ static const dd_command_spec _spec = {
 dd_result dd_request_init(
     dd_conn *nonnull conn, struct req_info_init *nonnull ctx)
 {
-    return dd_command_exec(conn, &_spec, ctx);
+    return dd_command_exec_req_info(conn, &_spec, &ctx->req_info);
 }
 
 static dd_result _request_pack(mpack_writer_t *nonnull w, void *nonnull _ctx)
diff --git a/appsec/src/extension/commands/request_shutdown.c b/appsec/src/extension/commands/request_shutdown.c
@@ -28,7 +28,7 @@ static const dd_command_spec _spec = {
 dd_result dd_request_shutdown(
     dd_conn *nonnull conn, struct req_shutdown_info *nonnull req_info)
 {
-    return dd_command_exec(conn, &_spec, req_info);
+    return dd_command_exec_req_info(conn, &_spec, &req_info->req_info);
 }
 
 static dd_result _request_pack(mpack_writer_t *nonnull w, void *nonnull ctx)
diff --git a/appsec/src/extension/commands_ctx.h b/appsec/src/extension/commands_ctx.h
@@ -4,6 +4,7 @@
 #include <php.h>
 
 struct req_info {
+    const char *nullable command_name; // for logging
     zend_object *nullable root_span;
     zend_string *nullable client_ip;
 };
diff --git a/appsec/src/extension/commands_helpers.c b/appsec/src/extension/commands_helpers.c
@@ -194,6 +194,13 @@ dd_result ATTR_WARN_UNUSED dd_command_exec(dd_conn *nonnull conn,
     return _dd_command_exec(conn, false, spec, ctx);
 }
 
+dd_result ATTR_WARN_UNUSED dd_command_exec_req_info(dd_conn *nonnull conn,
+    const dd_command_spec *nonnull spec, struct req_info *nonnull ctx)
+{
+    ctx->command_name = spec->name;
+    return _dd_command_exec(conn, false, spec, ctx);
+}
+
 dd_result ATTR_WARN_UNUSED dd_command_exec_cred(dd_conn *nonnull conn,
     const dd_command_spec *nonnull spec, void *unspecnull ctx)
 {
@@ -361,6 +368,8 @@ static void _command_process_block_parameters(mpack_node_t root)
         }
     }
 
+    mlog(dd_log_debug, "Blocking parameters: status_code=%d, type=%d",
+        status_code, type);
     dd_set_block_code_and_type(status_code, type);
 }
 
@@ -425,7 +434,8 @@ dd_result dd_command_proc_resp_verd_span_data(
         if (verd_len > INT_MAX) {
             verd_len = INT_MAX;
         }
-        mlog(dd_log_debug, "Verdict of request_init was '%.*s'", (int)verd_len,
+        mlog(dd_log_debug, "Verdict of %s was '%.*s'",
+            ctx->command_name ? ctx->command_name : "(unknown)", (int)verd_len,
             verd_str);
     }
 
diff --git a/appsec/src/extension/commands_helpers.h b/appsec/src/extension/commands_helpers.h
@@ -25,6 +25,9 @@ typedef struct _dd_command_spec {
 dd_result ATTR_WARN_UNUSED dd_command_exec(dd_conn *nonnull conn,
     const dd_command_spec *nonnull spec, void *unspecnull ctx);
 
+dd_result ATTR_WARN_UNUSED dd_command_exec_req_info(dd_conn *nonnull conn,
+    const dd_command_spec *nonnull spec, struct req_info *nonnull ctx);
+
 dd_result ATTR_WARN_UNUSED dd_command_exec_cred(dd_conn *nonnull conn,
     const dd_command_spec *nonnull spec, void *unspecnull ctx);
 
diff --git a/appsec/src/extension/php_compat.h b/appsec/src/extension/php_compat.h
@@ -29,7 +29,15 @@ static zend_always_inline zend_string *zend_string_init_interned(
     const char *str, size_t len, int persistent)
 {
     zend_string *ret = zend_string_init(str, len, persistent);
+#    ifdef ZTS
+    // believe it or not zend_new_interned_string() is an identity function
+    // set the interned flag manually so zend_string_release() is a no-op
+    GC_FLAGS(ret) |= IS_STR_INTERNED;
+    zend_string_hash_val(ret);
+    return ret;
+#    else
     return zend_new_interned_string(ret);
+#    endif
 }
 #endif
 
diff --git a/appsec/src/extension/request_abort.c b/appsec/src/extension/request_abort.c
@@ -128,6 +128,7 @@ static void _set_content_type(const char *nonnull content_type)
 static void _set_output(const char *nonnull output, size_t length)
 {
     size_t written = php_output_write(output, length);
+    mlog_g(dd_log_debug, "php_output_write() returned %zu", written);
     if (written != length) {
         mlog(dd_log_info, "could not write full response (written: %zu)",
             written);
@@ -146,8 +147,8 @@ static dd_response_type _get_response_type_from_accept_header(
         dd_php_get_string_elem_cstr(_server, LSTRARG("HTTP_ACCEPT"));
     if (!accept_zstr) {
         mlog(dd_log_info,
-            "Could not find Accept header, using default content-type");
-        goto exit;
+            "Could not find Accept header, using default content-type (json)");
+        return response_type_json;
     }
 
     const char *accept_end = ZSTR_VAL(accept_zstr) + ZSTR_LEN(accept_zstr);
@@ -172,7 +173,7 @@ static dd_response_type _get_response_type_from_accept_header(
         return response_type_html;
     }
 
-exit:
+    mlog_g(dd_log_debug, "No recognized accept header, defaulting to json");
     return response_type_json;
 }
 
@@ -214,13 +215,17 @@ void dd_request_abort_redirect()
     }
 
     if (!_abort_prelude()) {
+        mlog(dd_log_debug, "_abort_prelude has failed");
         return;
     }
 
     char *line;
     uint line_len = (uint)spprintf(
         &line, 0, "Location: %s", ZSTR_VAL(_redirection_location));
 
+    mlog_g(dd_log_debug, "Will forward to %s with status %d",
+        ZSTR_VAL(_redirection_location), _redirection_response_code);
+
     SG(sapi_headers).http_response_code = _redirection_response_code;
     int res = sapi_header_op(SAPI_HEADER_REPLACE,
         &(sapi_header_line){.line = line, .line_len = line_len});
@@ -232,7 +237,7 @@ void dd_request_abort_redirect()
     efree(line);
 
     if (sapi_flush() == SUCCESS) {
-        mlog(dd_log_debug, "Successful call to sapi_flush()");
+        mlog_g(dd_log_debug, "Successful call to sapi_flush()");
     } else {
         mlog(dd_log_warning, "Call to sapi_flush() failed");
     }
@@ -299,6 +304,7 @@ void _request_abort_static_page(int response_code, int type)
     }
 
     if (!_abort_prelude()) {
+        mlog(dd_log_debug, "_abort_prelude has failed");
         zend_string_release(body);
         return;
     }
@@ -434,8 +440,10 @@ static void _suppress_error_reporting(void);
 ATTR_FORMAT(1, 2)
 static void _emit_error(const char *format, ...)
 {
-    va_list args;
+    mlog_g(dd_log_debug, "_emit_error() called: during_request_startup: %d",
+        PG(during_request_startup));
 
+    va_list args;
     va_start(args, format);
     if (PG(during_request_startup)) {
         /* if emitting error during startup, RSHUTDOWN will not run (except fpm)
@@ -615,6 +623,7 @@ static zend_string *nonnull _get_json_blocking_template()
             return _empty_zstr;
         }
         if (ZSTR_LEN(body_error_json) == 0) {
+            zend_string_release(body_error_json);
             return _body_error_json_def;
         }
 
@@ -635,6 +644,7 @@ static zend_string *nonnull _get_html_blocking_template()
             return _empty_zstr;
         }
         if (ZSTR_LEN(body_error_html) == 0) {
+            zend_string_release(body_error_html);
             return _body_error_html_def;
         }
 
diff --git a/appsec/tests/integration/src/docker/apache2-fpm/entrypoint.sh b/appsec/tests/integration/src/docker/apache2-fpm/entrypoint.sh
@@ -20,4 +20,4 @@ enable_extensions.sh
 php-fpm -y /etc/php-fpm.conf -c /etc/php/php.ini
 service apache2 start
 
-exec tail -F "${LOGS_PHP[@]}" "${LOGS_APACHE[@]}"
+exec tail -n +1 -F "${LOGS_PHP[@]}" "${LOGS_APACHE[@]}"
diff --git a/appsec/tests/integration/src/docker/apache2-mod/entrypoint.sh b/appsec/tests/integration/src/docker/apache2-mod/entrypoint.sh
@@ -19,4 +19,4 @@ enable_extensions.sh
 
 service apache2 start
 
-exec tail -F "${LOGS_PHP[@]}" "${LOGS_APACHE[@]}"
+exec tail -n +1 -F "${LOGS_PHP[@]}" "${LOGS_APACHE[@]}"
diff --git a/appsec/tests/integration/src/docker/nginx-fpm/entrypoint.sh b/appsec/tests/integration/src/docker/nginx-fpm/entrypoint.sh
@@ -16,4 +16,4 @@ enable_extensions.sh
 php-fpm -y /etc/php-fpm.conf -c /etc/php/php.ini
 service nginx start
 
-exec tail -F "${LOGS_PHP[@]}" "${LOGS_NGINX[@]}"
+exec tail -n +1 -F "${LOGS_PHP[@]}" "${LOGS_NGINX[@]}"
diff --git a/appsec/tests/integration/src/test/www/roadrunner/run.sh b/appsec/tests/integration/src/test/www/roadrunner/run.sh
@@ -18,5 +18,5 @@ echo datadog.trace.cli_enabled=true >> /etc/php/php.ini
 
 ./rr serve 2>&1 >> /tmp/logs/rr.log &
 
-tail -f "${LOGS_PHP[@]}"
+tail -n +1 -F "${LOGS_PHP[@]}"
 

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ dd_result dd_request_exec(dd_conn nonnull conn, zval nonnull data)`
`38`	`38`
`39`	`39`	`struct ctx ctx = {.data = data};`
`40`	`40`
`41`		`- return dd_command_exec(conn, &_spec, &ctx);`
	`41`	`+ return dd_command_exec_req_info(conn, &_spec, &ctx.req_info);`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`static dd_result _pack_command(mpack_writer_t nonnull w, void nonnull _ctx)`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ static const dd_command_spec _spec = {`
`44`	`44`	`dd_result dd_request_init(`
`45`	`45`	`dd_conn nonnull conn, struct req_info_init nonnull ctx)`
`46`	`46`	`{`
`47`		`- return dd_command_exec(conn, &_spec, ctx);`
	`47`	`+ return dd_command_exec_req_info(conn, &_spec, &ctx->req_info);`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`static dd_result _request_pack(mpack_writer_t nonnull w, void nonnull _ctx)`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ static const dd_command_spec _spec = {`
`28`	`28`	`dd_result dd_request_shutdown(`
`29`	`29`	`dd_conn nonnull conn, struct req_shutdown_info nonnull req_info)`
`30`	`30`	`{`
`31`		`- return dd_command_exec(conn, &_spec, req_info);`
	`31`	`+ return dd_command_exec_req_info(conn, &_spec, &req_info->req_info);`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`static dd_result _request_pack(mpack_writer_t nonnull w, void nonnull ctx)`
Original file line number	Diff line number	Diff line change
`@@ -194,6 +194,13 @@ dd_result ATTR_WARN_UNUSED dd_command_exec(dd_conn *nonnull conn,`
`194`	`194`	`return _dd_command_exec(conn, false, spec, ctx);`
`195`	`195`	`}`
`196`	`196`
	`197`	`+dd_result ATTR_WARN_UNUSED dd_command_exec_req_info(dd_conn *nonnull conn,`
	`198`	`+ const dd_command_spec nonnull spec, struct req_info nonnull ctx)`
	`199`	`+{`
	`200`	`+ ctx->command_name = spec->name;`
	`201`	`+ return _dd_command_exec(conn, false, spec, ctx);`
	`202`	`+}`
	`203`	`+`
`197`	`204`	`dd_result ATTR_WARN_UNUSED dd_command_exec_cred(dd_conn *nonnull conn,`
`198`	`205`	`const dd_command_spec nonnull spec, void unspecnull ctx)`
`199`	`206`	`{`
`@@ -361,6 +368,8 @@ static void _command_process_block_parameters(mpack_node_t root)`
`361`	`368`	`}`
`362`	`369`	`}`
`363`	`370`
	`371`	`+ mlog(dd_log_debug, "Blocking parameters: status_code=%d, type=%d",`
	`372`	`+ status_code, type);`
`364`	`373`	`dd_set_block_code_and_type(status_code, type);`
`365`	`374`	`}`
`366`	`375`
`@@ -425,7 +434,8 @@ dd_result dd_command_proc_resp_verd_span_data(`
`425`	`434`	`if (verd_len > INT_MAX) {`
`426`	`435`	`verd_len = INT_MAX;`
`427`	`436`	`}`
`428`		`- mlog(dd_log_debug, "Verdict of request_init was '%.*s'", (int)verd_len,`
	`437`	`+ mlog(dd_log_debug, "Verdict of %s was '%.*s'",`
	`438`	`+ ctx->command_name ? ctx->command_name : "(unknown)", (int)verd_len,`
`429`	`439`	`verd_str);`
`430`	`440`	`}`
`431`	`441`
Original file line number	Diff line number	Diff line change
`@@ -128,6 +128,7 @@ static void _set_content_type(const char *nonnull content_type)`
`128`	`128`	`static void _set_output(const char *nonnull output, size_t length)`
`129`	`129`	`{`
`130`	`130`	`size_t written = php_output_write(output, length);`
	`131`	`+ mlog_g(dd_log_debug, "php_output_write() returned %zu", written);`
`131`	`132`	`if (written != length) {`
`132`	`133`	`mlog(dd_log_info, "could not write full response (written: %zu)",`
`133`	`134`	`written);`
`@@ -146,8 +147,8 @@ static dd_response_type _get_response_type_from_accept_header(`
`146`	`147`	`dd_php_get_string_elem_cstr(_server, LSTRARG("HTTP_ACCEPT"));`
`147`	`148`	`if (!accept_zstr) {`
`148`	`149`	`mlog(dd_log_info,`
`149`		`- "Could not find Accept header, using default content-type");`
`150`		`- goto exit;`
	`150`	`+ "Could not find Accept header, using default content-type (json)");`
	`151`	`+ return response_type_json;`
`151`	`152`	`}`
`152`	`153`
`153`	`154`	`const char *accept_end = ZSTR_VAL(accept_zstr) + ZSTR_LEN(accept_zstr);`
`@@ -172,7 +173,7 @@ static dd_response_type _get_response_type_from_accept_header(`
`172`	`173`	`return response_type_html;`
`173`	`174`	`}`
`174`	`175`
`175`		`-exit:`
	`176`	`+ mlog_g(dd_log_debug, "No recognized accept header, defaulting to json");`
`176`	`177`	`return response_type_json;`
`177`	`178`	`}`
`178`	`179`
`@@ -214,13 +215,17 @@ void dd_request_abort_redirect()`
`214`	`215`	`}`
`215`	`216`
`216`	`217`	`if (!_abort_prelude()) {`
	`218`	`+ mlog(dd_log_debug, "_abort_prelude has failed");`
`217`	`219`	`return;`
`218`	`220`	`}`
`219`	`221`
`220`	`222`	`char *line;`
`221`	`223`	`uint line_len = (uint)spprintf(`
`222`	`224`	`&line, 0, "Location: %s", ZSTR_VAL(_redirection_location));`
`223`	`225`
	`226`	`+ mlog_g(dd_log_debug, "Will forward to %s with status %d",`
	`227`	`+ ZSTR_VAL(_redirection_location), _redirection_response_code);`
	`228`	`+`
`224`	`229`	`SG(sapi_headers).http_response_code = _redirection_response_code;`
`225`	`230`	`int res = sapi_header_op(SAPI_HEADER_REPLACE,`
`226`	`231`	`&(sapi_header_line){.line = line, .line_len = line_len});`
`@@ -232,7 +237,7 @@ void dd_request_abort_redirect()`
`232`	`237`	`efree(line);`
`233`	`238`
`234`	`239`	`if (sapi_flush() == SUCCESS) {`
`235`		`- mlog(dd_log_debug, "Successful call to sapi_flush()");`
	`240`	`+ mlog_g(dd_log_debug, "Successful call to sapi_flush()");`
`236`	`241`	`} else {`
`237`	`242`	`mlog(dd_log_warning, "Call to sapi_flush() failed");`
`238`	`243`	`}`
`@@ -299,6 +304,7 @@ void _request_abort_static_page(int response_code, int type)`
`299`	`304`	`}`
`300`	`305`
`301`	`306`	`if (!_abort_prelude()) {`
	`307`	`+ mlog(dd_log_debug, "_abort_prelude has failed");`
`302`	`308`	`zend_string_release(body);`
`303`	`309`	`return;`
`304`	`310`	`}`
`@@ -434,8 +440,10 @@ static void _suppress_error_reporting(void);`
`434`	`440`	`ATTR_FORMAT(1, 2)`
`435`	`441`	`static void _emit_error(const char *format, ...)`
`436`	`442`	`{`
`437`		`- va_list args;`
	`443`	`+ mlog_g(dd_log_debug, "_emit_error() called: during_request_startup: %d",`
	`444`	`+ PG(during_request_startup));`
`438`	`445`
	`446`	`+ va_list args;`
`439`	`447`	`va_start(args, format);`
`440`	`448`	`if (PG(during_request_startup)) {`
`441`	`449`	`/* if emitting error during startup, RSHUTDOWN will not run (except fpm)`
`@@ -615,6 +623,7 @@ static zend_string *nonnull _get_json_blocking_template()`
`615`	`623`	`return _empty_zstr;`
`616`	`624`	`}`
`617`	`625`	`if (ZSTR_LEN(body_error_json) == 0) {`
	`626`	`+ zend_string_release(body_error_json);`
`618`	`627`	`return _body_error_json_def;`
`619`	`628`	`}`
`620`	`629`
`@@ -635,6 +644,7 @@ static zend_string *nonnull _get_html_blocking_template()`
`635`	`644`	`return _empty_zstr;`
`636`	`645`	`}`
`637`	`646`	`if (ZSTR_LEN(body_error_html) == 0) {`
	`647`	`+ zend_string_release(body_error_html);`
`638`	`648`	`return _body_error_html_def;`
`639`	`649`	`}`
`640`	`650`
Original file line number	Diff line number	Diff line change
`@@ -19,4 +19,4 @@ enable_extensions.sh`
`19`	`19`
`20`	`20`	`service apache2 start`
`21`	`21`
`22`		`-exec tail -F "${LOGS_PHP[@]}" "${LOGS_APACHE[@]}"`
	`22`	`+exec tail -n +1 -F "${LOGS_PHP[@]}" "${LOGS_APACHE[@]}"`