Fix apache E2E tests (#249)

* test

* f

* f

* Fix apache

* f

* f

* f

* f

* f

* f

Author: tudor-timcu

.github/workflows/build.yml

@@ -72,7 +72,7 @@ jobs:
         go build -ldflags "-s -w" -buildmode=c-shared -o ../../build/aikido-request-processor.so
         ls -l ../../build
 
-    - name: Archive agent 
+    - name: Archive agent
       uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
       if: always()
       with:
@@ -149,7 +149,7 @@ jobs:
       run: |
         cd ./build/modules
         mv aikido.so ${{ env.AIKIDO_ARTIFACT }}.so
-        
+
     - name: Archive build artifacts
       uses: actions/upload-artifact@v4
       if: always()
@@ -245,7 +245,7 @@ jobs:
         if: matrix.os == 'ubuntu-22.04'
         run: |
           yum deplist ~/rpmbuild/RPMS/${{ env.ARCH }}/${{ env.AIKIDO_ARTIFACT_RELEASE }} | grep -E "GLIBC_2.32|GLIBC_2.34|GLIBCXX_3.4.29" && exit 1 || exit 0
-      
+
       - name: Archive rpm package
         uses: actions/upload-artifact@v4
         with:
@@ -301,19 +301,19 @@ jobs:
           echo $AIKIDO_VERSION
           echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> $GITHUB_ENV
           echo "AIKIDO_RPM=aikido-php-firewall.${{ env.ARCH }}.rpm" >> $GITHUB_ENV
-          echo "AIKIDO_ARTIFACT=aikido-php-firewall.${{ env.ARCH }}.deb" >> $GITHUB_ENV    
-      
+          echo "AIKIDO_ARTIFACT=aikido-php-firewall.${{ env.ARCH }}.deb" >> $GITHUB_ENV
+
       - name: Build deb
         run: |
           alien --to-deb --scripts --keep-version ${{ env.AIKIDO_RPM }}/${{ env.AIKIDO_RPM }}
           mv aikido-php-firewall_${{ env.AIKIDO_VERSION }}-1_${{ env.DEB_ARCH }}.deb temp-${{ env.AIKIDO_ARTIFACT }}
-          
+
           # Package contents into deb with gzip compression (because default zstd compression is not supported by older versions of dpkg)
           mkdir deb-temp
           dpkg-deb -R temp-${{ env.AIKIDO_ARTIFACT }} deb-temp/
           dpkg-deb -Zgzip -b deb-temp ${{ env.AIKIDO_ARTIFACT }}
           rm -rf deb-temp
-  
+
       - name: Archive deb package
         uses: actions/upload-artifact@v4
         with:
@@ -367,11 +367,12 @@ jobs:
           mysqld -u root --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock &
           sleep 10
           mysql -u root -e "CREATE DATABASE IF NOT EXISTS db;"
+          mysql -u root -e "ALTER USER 'root'@'localhost' IDENTIFIED BY 'pwd'; FLUSH PRIVILEGES;"
 
       - name: Test MySQL connection with mysqli
         run: |
           php -r '
-            $mysqli = new mysqli("localhost", "root", "", "db");
+            $mysqli = new mysqli("localhost", "root", "pwd", "db");
             if ($mysqli->connect_error) {
               echo "MySQL connection failed: " . $mysqli->connect_error . "\n";
               exit(1);
@@ -396,7 +397,7 @@ jobs:
           echo $AIKIDO_VERSION
           echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> $GITHUB_ENV
           echo "AIKIDO_RPM=aikido-php-firewall.${{ env.ARCH }}.rpm" >> $GITHUB_ENV
-      
+
       - name: Download artifacts
         uses: actions/download-artifact@v4
         with:
@@ -475,6 +476,7 @@ jobs:
           mysqld --user=root --datadir=/var/lib/mysql &
           sleep 10
           mysql -u root -e "CREATE DATABASE IF NOT EXISTS db;"
+          mysql -u root -e "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('pwd'); FLUSH PRIVILEGES;"
 
       - name: Setup PHP
         uses: shivammathur/setup-php@27853eb8b46dc01c33bf9fef67d98df2683c3be2
@@ -486,7 +488,7 @@ jobs:
       - name: Test MySQL connection with mysqli
         run: |
           php -r '
-            $mysqli = new mysqli("localhost", "root", "", "db");
+            $mysqli = new mysqli("localhost", "root", "pwd", "db");
             if ($mysqli->connect_error) {
               echo "MySQL connection failed: " . $mysqli->connect_error . "\n";
               exit(1);
@@ -514,6 +516,8 @@ jobs:
           DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -f noninteractive tzdata
           apt-get install -y libapache2-mod-php${{ matrix.php_version }}
           a2enmod php${{ matrix.php_version }}
+          apt-get install -y php${{ matrix.php_version }}-mysqli
+          apt-get install -y php${{ matrix.php_version }}-pdo
           php -i
 
       - name: Setup Python
@@ -542,4 +546,3 @@ jobs:
           if-no-files-found: ignore
           path: |
             ${{ github.workspace }}/tests/cli/**/*.diff
-            /var/log/mysql/error.log

lib/php-extension/Action.cpp

@@ -6,6 +6,7 @@ ACTION_STATUS Action::executeThrow(json &event) {
     int _code = event["code"].get<int>();
     std::string _message = event["message"].get<std::string>();
     zend_throw_exception(zend_exception_get_default(), _message.c_str(), _code);
+    CallPhpFunctionWithOneParam("http_response_code", _code);
     return BLOCK;
 }
 

lib/request-processor/attack/attack.go

@@ -79,7 +79,7 @@ func GetThrowAction(message string, code int) string {
 }
 
 func GetAttackDetectedAction(result utils.InterceptorResult) string {
-	return GetThrowAction(BuildAttackDetectedMessage(result), -1)
+	return GetThrowAction(BuildAttackDetectedMessage(result), 500)
 }
 
 func ReportAttackDetected(res *utils.InterceptorResult) string {

tests/server/test_sql_injection_mysqli_obj_multi_query/index.php

@@ -3,7 +3,7 @@
 \aikido\set_user("12345", "Tudor");
 
 // Connect to MySQL (adjust credentials as needed)
-$mysqli = new mysqli("localhost", "root", "", "db");
+$mysqli = new mysqli("127.0.0.1", "root", "pwd", "db");
 
 // Check connection
 if ($mysqli->connect_error) {

tests/server/test_sql_injection_mysqli_obj_query/index.php

@@ -3,7 +3,7 @@
 \aikido\set_user("12345", "Tudor");
 
 // Connect to MySQL (adjust credentials as needed)
-$mysqli = new mysqli("localhost", "root", "", "db");
+$mysqli = new mysqli("127.0.0.1", "root", "pwd", "db");
 
 // Check connection
 if ($mysqli->connect_error) {

tests/server/test_sql_injection_mysqli_obj_real_query/index.php

@@ -3,7 +3,7 @@
 \aikido\set_user("12345", "Tudor");
 
 // Connect to MySQL (adjust credentials as needed)
-$mysqli = new mysqli("localhost", "root", "", "db");
+$mysqli = new mysqli("127.0.0.1", "root", "pwd", "db");
 
 // Check connection
 if ($mysqli->connect_error) {

tests/server/test_sql_injection_mysqli_procedure_multi_query/index.php

@@ -3,7 +3,7 @@
 \aikido\set_user("12345", "Tudor");
 
 // Connect to MySQL (adjust credentials as needed)
-$conn = mysqli_connect("localhost", "root", "", "db");
+$conn = mysqli_connect("127.0.0.1", "root", "pwd", "db");
 
 // Check connection
 if (!$conn) {

tests/server/test_sql_injection_mysqli_procedure_query/index.php

@@ -3,7 +3,7 @@
 \aikido\set_user("12345", "Tudor");
 
 // Connect to MySQL (adjust credentials as needed)
-$conn = mysqli_connect("localhost", "root", "", "db");
+$conn = mysqli_connect("127.0.0.1", "root", "pwd", "db");
 
 // Check connection
 if (!$conn) {

tests/server/test_sql_injection_mysqli_procedure_real_query/index.php

@@ -3,7 +3,7 @@
 \aikido\set_user("12345", "Tudor");
 
 // Connect to MySQL (adjust credentials as needed)
-$conn = mysqli_connect("localhost", "root", "", "db");
+$conn = mysqli_connect("127.0.0.1", "root", "pwd", "db");
 
 // Check connection
 if (!$conn) {

tools/server_tests/apache/main.py

@@ -78,17 +78,18 @@
         Options Indexes FollowSymLinks
         AllowOverride All
         Require all granted
-        
+
         RewriteEngine On
         RewriteCond %{{REQUEST_FILENAME}} !-f
         RewriteCond %{{REQUEST_FILENAME}} !-d
         RewriteRule ^(.*)$ index.php [L]
-        
+
         SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
     </Directory>
 
     ErrorLog {log_dir}/error_{name}.log
     CustomLog {log_dir}/access_{name}.log combined
+
 </VirtualHost>
 """
 
@@ -137,7 +138,7 @@ def toggle_config_line(file_path, line_to_check, comment_ch, enable=False):
     if not os.path.exists(file_path):
         print(f"File '{file_path}' does not exist.")
         return
-    
+
     with open(file_path, 'r') as file:
         lines = file.readlines()
 
@@ -185,9 +186,9 @@ def select_apache_user():
         if u in usernames:
             apache_user = u
             break
-    
+
     assert apache_user is not None
-        
+
     print("Selected apache user: ", apache_user)
 
 
@@ -220,7 +221,7 @@ def apache_create_config_file(test_name, test_dir, server_port, env):
         optional_conf = apache_include_conf,
         error_log = apache_error_log
     )
-    
+
     apache_config_file = os.path.join(test_dir, f"{test_name}.conf")
     with open(apache_config_file, "w") as f:
         f.write(apache_config)
@@ -239,13 +240,13 @@ def add_user_group_access(full_path, user, group):
             current_path = os.sep.join(path_parts[:i])
             if current_path:  # Avoid empty strings for the root "/"
                 # print(f"Setting permissions for {current_path}")
-                
+
                 # Change ownership of the directory
                 subprocess.run(['chown', f'{user}:{group}', current_path], check=True)
 
                 # Ensure the execute permission (search permission) on directories
                 subprocess.run(['chmod', '775', current_path], check=True)
-        
+
         print(f"Successfully added access to full path '{full_path}' for user '{user}' and group '{group}'.")
     except subprocess.CalledProcessError as e:
         print(f"Failed to modify permissions: {e}")
@@ -259,28 +260,28 @@ def apache_mod_php_init(tests_dir):
     subprocess.run(['mkdir', '-p', apache_log_folder], check=True)
     subprocess.run(['chown', f'{apache_user}:{apache_user}', apache_log_folder], check=True)
     subprocess.run(['chmod', '755', apache_log_folder], check=True)
-    
-    
+
+
     toggle_config_line(apache_conf_proxy_module_file, "LoadModule proxy_fcgi_module", "#")
     toggle_config_line(apache_conf_proxy_h2_module_file, "LoadModule proxy_http2_module", "#")
-    
+
     toggle_config_line(apache_conf_mpm_worker_file, "LoadModule mpm_worker_module", "#")
     toggle_config_line(apache_conf_mpm_event_file, "LoadModule mpm_event_module", "#")
     toggle_config_line(apache_conf_mpm_prefork_file, "LoadModule mpm_prefork_module", "#", enable=True)
-    
+
     global prev_owning_user, prev_owning_group
     prev_owning_user, prev_owning_group = get_user_and_group(tests_dir)
     print(f"Got previous owning user:group -> {prev_owning_user}:{prev_owning_group}")
-    
+
 
 def apache_mod_php_process_test(test_data):
     test_dir = test_data["test_dir"]
     server_port = test_data["server_port"]
     test_data["apache_config"] = apache_create_config_file(test_data["test_name"], test_dir, server_port, test_data["env"])
-    
+
     global apache_user
     add_user_group_access(os.path.join(test_dir, "index.php"), apache_user, apache_user)
-    
+
     # append_if_not_exists(apache_conf_global_file, f"Listen {server_port}\n")
     return test_data