We just did a new release of Snuffleupagus, the 0.3.0, named Dentalium elephantinum, after the eponymous species of scaphopod mollusc that looks like a miniature elephant tusk.
It's the first release that I didn't do myself, leaving the release manager seat to my colleague kkadosh, to reduce the bus factor.
Changelog
We have several new major features, along with the usual bugfixes:
- The previous version suffered from a memory leak that wasn't detected earlier, because we're using php-fpm, where processes are recycled, instead of mod_php. This defect is now fixed.
- Thanks to the amazing caillou, we now have literally zero impact on the performance (with the default ruleset) of your PHP process.
- Encryption is now supported on session cookies, thanks to the stellar work of kkadosh.
- It's now possible to forbid most occurrences of type juggling, thanks to caillou.
- Documentation improvements (yes, the documentation is versioned in git).
- The .filename() filter now matches on the file where the function is called, and no longer on the one where it's declared.
- Two more language constructs, namely echo and print, can now be virtual-patched.
- The log format has been normalized a bit to be easier to parse.
- Various obscure integer overflows were fixed. We don't think that they are exploitable, but heh, better safe than sorry.
- As usual, code simplification/cleanup.
Benchmarks
All those benchmarks were done by caillou on Joomla's test suite, on a low-end laptop, using the default set of rules.
If you're writing stupid things with a lot of regexps involved, you will of course experience overhead.
Impact of the rules
Previously, the rules were all stored in several linked lists. This is no longer the case for rules that match on a literal function name: they are now stored in a hash table, giving us a significant performance boost when processing a lot of rules.
number of rules | time on 0.2.2 | time on 0.3.0
---|---|---
25 | 0m 50s | 0m 51s
50 | 0m 52s | 0m 51s
100 | 0m 57s | 0m 51s
500 | 1m 41s | 0m 51s
1000 | 2m 55s | 0m 53s
5000 | 15m 46s | 0m 52s
CPU and memory impact
Those graphs showcase our now-fixed memory leak (look at the memory consumption for 0.2.2), but more importantly, that we effectively have no noticeable impact on CPU and memory consumption at all!
[Graphs: CPU and memory consumption for Snuffleupagus 0.2.2, Snuffleupagus 0.3.0, and PHP without Snuffleupagus]
Pass the Salt
I gave a talk along with smagnin and bui at the very first edition of Pass the Salt. You can get the video here and the slides here.
It was a nice conference, with a large majority of interesting talks containing actionable bits: the theme being security and open source, everything that was presented was openly available immediately to play with! I warmly recommend watching the other talks while waiting for the 2nd edition.
What's next
With the next minor release of PHP (7.3) that should happen somewhere before the end of the year, we'll need to make sure that Snuffleupagus is compatible with it, especially the samesite feature.
We don't have many big issues remaining, but we do plan to fix them all anyway :)
If you want to help, we have some low-hanging fruit just for you ♥
See you in your PHP stack!