Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AppSec support for Frankenphp #3165

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

AppSec support for Frankenphp #3165

wants to merge 1 commit into from

Conversation

cataphract
Copy link
Contributor

Description

Reviewer checklist

  • Test coverage seems ok.
  • Appropriate labels assigned.

@cataphract cataphract force-pushed the glopes/appsec-frankenphp branch from 259c3e8 to e07bb91 Compare March 31, 2025 15:36
@codecov-commenter
Copy link

codecov-commenter commented Mar 31, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 11.20000% with 111 lines in your changes missing coverage. Please review.

Project coverage is 75.86%. Comparing base (f115837) to head (8b71b6b).
Report is 47 commits behind head on master.

Files with missing lines Patch % Lines
.../Integrations/Frankenphp/FrankenphpIntegration.php 0.00% 74 Missing ⚠️
appsec/src/extension/request_abort.c 5.88% 29 Missing and 3 partials ⚠️
appsec/src/extension/entity_body.c 0.00% 1 Missing and 1 partial ⚠️
appsec/src/extension/request_lifecycle.c 81.81% 0 Missing and 2 partials ⚠️
appsec/src/extension/ddappsec.c 50.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##             master    #3165      +/-   ##
============================================
- Coverage     79.09%   75.86%   -3.23%     
- Complexity     2890     2910      +20     
============================================
  Files           114      141      +27     
  Lines         11443    15967    +4524     
  Branches          0     1105    +1105     
============================================
+ Hits           9051    12114    +3063     
- Misses         2392     3278     +886     
- Partials          0      575     +575
Flag Coverage Δ
appsec-extension 68.80% <27.45%> (?)
tracer-php 78.60% <0.00%> (-0.50%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
appsec/src/extension/dddefs.c 75.00% <100.00%> (ø)
.../Integrations/Roadrunner/RoadrunnerIntegration.php 72.67% <ø> (ø)
appsec/src/extension/ddappsec.c 75.21% <50.00%> (ø)
appsec/src/extension/entity_body.c 62.06% <0.00%> (ø)
appsec/src/extension/request_lifecycle.c 63.41% <81.81%> (ø)
appsec/src/extension/request_abort.c 65.20% <5.88%> (ø)
.../Integrations/Frankenphp/FrankenphpIntegration.php 0.00% <0.00%> (ø)

... and 22 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f115837...8b71b6b. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@pr-commenter
Copy link

pr-commenter bot commented Mar 31, 2025
edited
Loading

Benchmarks [ tracer ]

Benchmark execution time: 2025-04-02 17:00:31

Comparing candidate commit 8b71b6b in PR branch glopes/appsec-frankenphp with baseline commit f115837 in branch master.

Found 2 performance improvements and 0 performance regressions! Performance is the same for 176 metrics, 0 unstable metrics.

scenario:PDOBench/benchPDOBaseline-opcache

  • 🟩 execution_time [-18.159µs; -11.717µs] or [-9.030%; -5.827%]

scenario:TraceFlushBench/benchFlushTrace

  • 🟩 execution_time [-1000.000ns; -1000.000ns] or [-50.000%; -50.000%]

@pr-commenter
Copy link

pr-commenter bot commented Mar 31, 2025
edited
Loading

Benchmarks [ appsec ]

Benchmark execution time: 2025-04-02 17:08:28

Comparing candidate commit 8b71b6b in PR branch glopes/appsec-frankenphp with baseline commit f115837 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

bwoebi
bwoebi reviewed Mar 31, 2025
View reviewed changes
ext/user_request.c
@@ -14,7 +13,7 @@ static struct {

DDTRACE_PUBLIC bool ddtrace_user_req_add_listeners(ddtrace_user_req_listeners *listeners)
{
if (strcmp(sapi_module.name, "cli") != 0) {
if (strcmp(sapi_module.name, "cli") != 0 && strcmp(sapi_module.name, "frankenphp") != 0) {
Copy link
Collaborator

@bwoebi bwoebi Mar 31, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You know that the frankenphp SAPI has two different ways of working, one worker mode and one which essentially works like fpm ("classic mode")? In the latter case you likely want this function to not be skipped.

Copy link
Contributor Author

@cataphract cataphract Apr 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The condition does the opposite: it skips adding the listeners if not on cli (or frankenphp).

If we're running in classic mode, this has no ill effects: frankenphp_handle_request will never be called; the frankenphp integration won't be installed and \DDTrace\UserRequest\notify_start will never be called; the installed listeners will never be called.

I've added support and tests for classic mode; however, because I'm unable to detect it, it requires option DD_APPSEC_CLI_START_ON_RINIT, which disables the "user request" lifecycle and delineates the request with RINIT/RSHUTDOWN

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah right, this code runs in MINIT, and then you don't know yet. You can only detect that in RINIT via contents of $_SERVER.

@cataphract cataphract force-pushed the glopes/appsec-frankenphp branch from e07bb91 to 3efd5ea Compare April 2, 2025 15:35
@cataphract cataphract force-pushed the glopes/appsec-frankenphp branch from 3efd5ea to 8b71b6b Compare April 2, 2025 16:31
@cataphract cataphract marked this pull request as ready for review April 2, 2025 16:32
@cataphract cataphract requested review from a team as code owners April 2, 2025 16:32
bwoebi
bwoebi reviewed Apr 2, 2025
View reviewed changes
appsec/src/extension/request_abort.c
Comment on lines +629 to +635
#ifdef FRANKENPHP_SUPPORT
if (strcmp(sapi_module.name, "frankenphp") == 0) {
// prepare a noop zend_compile_file for req init blocking in frankenphp
_orig_zend_compile_file = zend_compile_file;
zend_compile_file = _req_init_block_zend_compile_file;
}
#endif
Copy link
Collaborator

@bwoebi bwoebi Apr 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to happen in post_startup (after executing other modules post_startup) otherwise it won't be executed with opcache active.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bwoebi bwoebi bwoebi left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cataphract @codecov-commenter @bwoebi