ctors/pledge-symfony-routing

Adds OpenBSD pledge/unveil support to Symfony routing

Maintainers

Details

github.com/tvlooy/PledgeSymfonyRouting

Source

Issues

Installs: 6

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 2

Forks: 0

Open Issues: 0

Type:symfony-bundle

1.0.0 2023-11-22 18:08 UTC

Requires

ISC 85e25a53c0acb76d7b6c799886dedcd4d3df238d

symfonysecurityopenbsd

This package is auto-updated.

Last update: 2024-10-22 20:02:37 UTC

README

This bundle adds PHP attributes #[Pledge] and #[Unveil] so you can add these to your routes. It's possible to add these attributes to your route class, or method and it is possible to add multiple of them.

Installing

composer require ctors/pledge-symfony-routing

The bundle requires ext/pledge, which is available as an OpenBSD port and package. See pecl-pledge for installation instructions.

cd /usr/ports/www/pecl-pledge
env FLAVOR="php82" make install

pkg_add pecl82-pledge-2.1.0

Using

#[Unveil('/', 'r')]
#[Unveil('/htdocs/var/log', 'rwc')]
#[Unveil('/htdocs/var/cache', 'rwc')]
class DnsLookupController extends AbstractController
{
    #[Route('/hello', name: 'hello')]
    #[Unveil] // Disallow future unveil calls
    #[Pledge('stdio rpath wpath cpath fattr flock')]
    public function index(): Response
    {
        return $this->render('hello/index.html.twig');
    }
}

If you want to write in an additional directory you can modify it like this:

#[Unveil('/', 'r')]
#[Unveil('/htdocs/var/log', 'rwc')]
#[Unveil('/htdocs/var/cache', 'rwc')]
class DnsLookupController extends AbstractController
{
    #[Route('/hello', name: 'hello')]
    #[Unveil('/htdocs/src/Controller', 'rwc')]
    #[Unveil] // Disallow future unveil calls
    #[Pledge('stdio rpath wpath cpath fattr flock')]
    public function index(): Response
    {
        file_put_contents(__DIR__.'/test', 'ohai');

        return $this->render('hello/index.html.twig');
    }
}

If you want to connect to a MariaDB database over TCP/IP, add the inet pledge:

#[Unveil('/', 'r')]
#[Unveil('/htdocs/var/log', 'rwc')]
#[Unveil('/htdocs/var/cache', 'rwc')]
class DnsLookupController extends AbstractController
{
    public function __construct(
        private UserRepository $userRepository,
    ) {
    }

    #[Route('/hello', name: 'hello')]
    #[Unveil] // Disallow future unveil calls
    #[Pledge('stdio rpath wpath cpath fattr flock inet')]
    public function index(): Response
    {
        return $this->render(
            'hello/index.html.twig',
            [
                'users' => $this->userRepository->findAll(),
            ]
        );
    }
}

See pecl-pledge for configuring this on an FPM pool level.

Notes

Make sure to set PHP-FPM pm.max_requests = 1 so you don't reuse a pledged/unveiled process.