Blocking from a hook is not stopping code execution #2836

estringana · 2024-09-05T15:19:49Z

Description

Blocking a request from Appsec should stop customer code execution. However, when this blocking happens within a tracer hook, it does not stop executing customer code execution.

Reviewer checklist

Test coverage seems ok.
Appropriate labels assigned.

codecov-commenter · 2024-09-05T15:26:32Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 51.21%. Comparing base (4cc2897) to head (7fd4a50).
Report is 2 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (4cc2897) and HEAD (7fd4a50). Click for more details.

HEAD has 4 uploads less than BASE

Flag BASE (4cc2897) HEAD (7fd4a50)

tracer-php 11 8

appsec-extension 1 0

Additional details and impacted files

@@              Coverage Diff              @@
##             master    #2836       +/-   ##
=============================================
- Coverage     72.75%   51.21%   -21.54%     
+ Complexity     2750     2745        -5     
=============================================
  Files           138      111       -27     
  Lines         15038    10895     -4143     
  Branches       1020        0     -1020     
=============================================
- Hits          10941     5580     -5361     
- Misses         3543     5315     +1772     
+ Partials        554        0      -554

Flag	Coverage Δ
appsec-extension	`?`
tracer-php	`51.21% <ø> (-23.36%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 60 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4cc2897...7fd4a50. Read the comment docs.

bwoebi · 2024-09-05T19:12:23Z

I see, the tracer sandboxing is sandboxing the bailout away :-)
I suppose some it would be ideal to signal the tracer "please bailout again after catching this" :-D

pr-commenter · 2024-11-29T10:46:01Z

Benchmarks [ tracer ]

Benchmark execution time: 2024-12-16 15:43:32

Comparing candidate commit 7fd4a50 in PR branch estringana/blocking-within-tracer-hook with baseline commit 4cc2897 in branch master.

Found 3 performance improvements and 3 performance regressions! Performance is the same for 172 metrics, 0 unstable metrics.

scenario:EmptyFileBench/benchEmptyFileBaseline

🟥 execution_time [+113.262µs; +257.598µs] or [+3.961%; +9.008%]

scenario:MessagePackSerializationBench/benchMessagePackSerialization

🟩 execution_time [-6.103µs; -4.277µs] or [-3.509%; -2.460%]

scenario:PDOBench/benchPDOBaseline

🟩 execution_time [-15.087µs; -13.651µs] or [-7.765%; -7.026%]

scenario:PDOBench/benchPDOBaseline-opcache

🟩 execution_time [-14.684µs; -9.580µs] or [-7.664%; -5.000%]

scenario:SamplingRuleMatchingBench/benchRegexMatching4-opcache

🟥 execution_time [+139.095ns; +461.905ns] or [+2.023%; +6.718%]

scenario:TraceFlushBench/benchFlushTrace

🟥 execution_time [+1000.000ns; +1000.000ns] or [+100.000%; +100.000%]

cataphract

I think it's fine although it's a mystery to me why sandbox.{h,c} are written the way they are.

cataphract · 2024-11-29T18:09:48Z