Deliver firewall to php 8.5 (#362)

Author: ioaniftimesei

.github/workflows/Dockerfile.centos-php-test

@@ -19,6 +19,9 @@ RUN dnf --assumeyes module reset php
 RUN dnf --assumeyes --nogpgcheck module install php:remi-${PHP_VERSION}
 RUN dnf --assumeyes install php-pdo
 RUN dnf --assumeyes install php-mysqlnd
+RUN if [ "$(printf '%s\n' "${PHP_VERSION}" "8.5" | sort -V | head -n1)" != "8.5" ]; then \
+      dnf --assumeyes install php-opcache || true; \
+    fi
 RUN yum install -y mod_php nginx php-fpm procps-ng mysql-server
 
 

.github/workflows/Dockerfile.ubuntu-php-test

@@ -33,14 +33,18 @@ RUN set -eux; \
       mariadb-server \
       ${PHP_PKG} ${PHP_PKG}-cli ${PHP_PKG}-common ${PHP_PKG}-fpm \
       ${PHP_PKG}-curl ${PHP_PKG}-sqlite3 ${PHP_PKG}-mysql \
-      ${PHP_PKG}-mbstring ${PHP_PKG}-xml ${PHP_PKG}-zip ${PHP_PKG}-opcache \
+      ${PHP_PKG}-mbstring ${PHP_PKG}-xml ${PHP_PKG}-zip \
       libapache2-mod-php${PHP_VERSION} \
     ; \
     # Apache: switch to prefork for mod_php scenario and enable rewrite
     a2dismod mpm_event || true; \
     a2dismod mpm_worker || true; \
     a2enmod mpm_prefork rewrite || true
 
+RUN if [ "$(printf '%s\n' "${PHP_VERSION}" "8.5" | sort -V | head -n1)" != "8.5" ]; then \
+      apt-get install -y --no-install-recommends php${PHP_VERSION}-opcache; \
+    fi
+
 # ---- Python toolchain used by tests ----
 ENV PIP_DISABLE_PIP_VERSION_CHECK=1 \
   PYTHONDONTWRITEBYTECODE=1 \
@@ -93,7 +97,7 @@ RUN printf '%s\n' '#!/usr/bin/env bash' \
       'if ! a2query -m "php${ver}" >/dev/null 2>&1; then' \
       '  apt-get update && apt-get install -y --no-install-recommends "libapache2-mod-php${ver}"' \
       'fi' \
-      'for m in php5 php7 php7.0 php7.1 php7.2 php7.3 php7.4 php8 php8.0 php8.1 php8.2 php8.3 php8.4; do' \
+      'for m in php5 php7 php7.0 php7.1 php7.2 php7.3 php7.4 php8 php8.0 php8.1 php8.2 php8.3 php8.4 php8.5; do' \
       '  a2query -m "$m" >/dev/null 2>&1 && a2dismod "$m" >/dev/null 2>&1 || true' \
       'done' \
       'a2enmod "php${ver}"' \

.github/workflows/build-centos-php-test-images.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-24.04
     strategy:
       matrix:
-        php_version: ['7.4','8.0','8.1','8.2','8.3','8.4']
+        php_version: ['7.4','8.0','8.1','8.2','8.3','8.4','8.5']
       fail-fast: false
     permissions: { contents: read, packages: write }
     steps:
@@ -38,14 +38,14 @@ jobs:
           build-args: |
             PHP_VERSION=${{ matrix.php_version }}
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.php_version }}-amd64-${{ env.VERSION }}
-          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-amd64-${{ env.VERSION }}
-          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-amd64-${{ env.VERSION }},mode=max
+          #cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-amd64-${{ env.VERSION }}
+          #cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-amd64-${{ env.VERSION }},mode=max
 
   build-arm64:
     runs-on: ubuntu-24.04-arm
     strategy:
       matrix:
-        php_version: ['7.4','8.0','8.1','8.2','8.3','8.4']
+        php_version: ['7.4','8.0','8.1','8.2','8.3','8.4','8.5']
       fail-fast: false
     permissions: { contents: read, packages: write }
     steps:
@@ -66,15 +66,15 @@ jobs:
           build-args: |
             PHP_VERSION=${{ matrix.php_version }}
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.php_version }}-arm64-${{ env.VERSION }}
-          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-arm64-${{ env.VERSION }}
-          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-arm64-${{ env.VERSION }},mode=max
+          #cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-arm64-${{ env.VERSION }}
+          #cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-arm64-${{ env.VERSION }},mode=max
 
   publish-manifests:
     runs-on: ubuntu-24.04
     needs: [build-amd64, build-arm64]
     strategy:
       matrix:
-        php_version: ['7.4','8.0','8.1','8.2','8.3','8.4']
+        php_version: ['7.4','8.0','8.1','8.2','8.3','8.4','8.5']
       fail-fast: false
     permissions: { contents: read, packages: write }
     steps:

.github/workflows/build-extension-images.yml

@@ -18,7 +18,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php_version: ['7.2','7.3','7.4','8.0','8.1','8.2','8.3','8.4']
+        php_version: ['7.2','7.3','7.4','8.0','8.1','8.2','8.3','8.4','8.5']
     permissions:
       contents: read
       packages: write
@@ -53,7 +53,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php_version: ['7.2','7.3','7.4','8.0','8.1','8.2','8.3','8.4']
+        php_version: ['7.2','7.3','7.4','8.0','8.1','8.2','8.3','8.4','8.5']
     permissions:
       contents: read
       packages: write
@@ -91,7 +91,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php_version: ['7.2','7.3','7.4','8.0','8.1','8.2','8.3','8.4']
+        php_version: ['7.2','7.3','7.4','8.0','8.1','8.2','8.3','8.4','8.5']
     permissions:
       contents: read
       packages: write

.github/workflows/build-ubuntu-php-test-images.yml

@@ -16,7 +16,7 @@ jobs:
   build-amd64:
     runs-on: ubuntu-24.04
     strategy:
-      matrix: { php_version: ['7.2','7.3','7.4','8.0','8.1','8.2','8.3','8.4'] }
+      matrix: { php_version: ['7.2','7.3','7.4','8.0','8.1','8.2','8.3','8.4','8.5'] }
       fail-fast: false
     permissions: { contents: read, packages: write }
     steps:
@@ -36,13 +36,13 @@ jobs:
           build-args: |
             PHP_VERSION=${{ matrix.php_version }}
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.php_version }}-amd64-${{ env.VERSION }}
-          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-amd64-${{ env.VERSION }}
-          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-amd64-${{ env.VERSION }},mode=max
+          #cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-amd64-${{ env.VERSION }}
+          #cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-amd64-${{ env.VERSION }},mode=max
 
   build-arm64:
     runs-on: ubuntu-24.04-arm
     strategy:
-      matrix: { php_version: ['7.2','7.3','7.4','8.0','8.1','8.2','8.3','8.4'] }
+      matrix: { php_version: ['7.2','7.3','7.4','8.0','8.1','8.2','8.3','8.4','8.5'] }
       fail-fast: false
     permissions: { contents: read, packages: write }
     steps:
@@ -62,14 +62,14 @@ jobs:
           build-args: |
             PHP_VERSION=${{ matrix.php_version }}
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.php_version }}-arm64-${{ env.VERSION }}
-          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-arm64-${{ env.VERSION }}
-          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-arm64-${{ env.VERSION }},mode=max
+          #cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-arm64-${{ env.VERSION }}
+          #cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.php_version }}-arm64-${{ env.VERSION }},mode=max
 
   publish-manifests:
     runs-on: ubuntu-24.04
     needs: [build-amd64, build-arm64]
     strategy:
-      matrix: { php_version: ['7.2','7.3','7.4','8.0','8.1','8.2','8.3','8.4'] }
+      matrix: { php_version: ['7.2','7.3','7.4','8.0','8.1','8.2','8.3','8.4','8.5'] }
       fail-fast: false
     permissions: { contents: read, packages: write }
     steps:

.github/workflows/build.yml

@@ -84,7 +84,7 @@ jobs:
     container: ghcr.io/aikidosec/firewall-php-build-extension:${{ matrix.php_version }}-v1
     strategy:
       matrix:
-        php_version: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
+        php_version: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4', '8.5']
         arch: [ '', '-arm' ]
       fail-fast: false
 
@@ -307,7 +307,7 @@ jobs:
     needs: [ build_rpm ]
     strategy:
       matrix:
-        php_version: ['7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
+        php_version: ['7.4', '8.0', '8.1', '8.2', '8.3', '8.4', '8.5']
         server: ['nginx-php-fpm', 'apache-mod-php', 'php-built-in']
         arch: ['', '-arm']
       fail-fast: false
@@ -394,7 +394,7 @@ jobs:
     strategy:
       matrix:
         arch: ['', '-arm']
-        php_version: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
+        php_version: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4', '8.5']
         server: ['nginx-php-fpm', 'apache-mod-php', 'php-built-in']
       fail-fast: false
     steps:

README.md

@@ -30,7 +30,7 @@ Zen for PHP comes as a single package that needs to be installed on the system t
 
 Prerequisites:
 * Ensure you have sudo privileges on your system.
-* Check that you have a supported PHP version installed (PHP version >= 7.2 and tested up to 8.4).
+* Check that you have a supported PHP version installed (PHP version >= 7.2 and tested up to 8.5).
 * Make sure to use the appropriate commands for your system or cloud provider.
 
 ### Manual install
@@ -88,7 +88,7 @@ You can run on Debian 10, by doing this setup before install: [Debian10 setup](.
 ## Supported libraries and frameworks
 
 ### PHP versions
-Zen for PHP supports the following PHP versions: 7.2, 7.3, 7.4, 8.0, 8.1, 8.2, 8.3, 8.4.
+Zen for PHP supports the following PHP versions: 7.2, 7.3, 7.4, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5.
 
 ### Web frameworks
 

lib/php-extension/Action.cpp

@@ -5,7 +5,7 @@ Action action;
 ACTION_STATUS Action::executeThrow(json &event) {
     int _code = event["code"].get<int>();
     std::string _message = event["message"].get<std::string>();
-    zend_throw_exception(zend_exception_get_default(), _message.c_str(), _code);
+    zend_throw_exception(GetFirewallDefaultExceptionCe(), _message.c_str(), _code);
     CallPhpFunctionWithOneParam("http_response_code", _code);
     return BLOCK;
 }

lib/php-extension/HandleQueries.cpp

@@ -69,8 +69,15 @@ AIKIDO_HANDLER_FUNCTION(handle_pre_pdostatement_execute) {
     eventCache.moduleName = "PDOStatement"; 
     eventCache.sqlQuery = PHP_GET_CHAR_PTR(stmt->query_string);    
 
-    zval *pdo_object = &stmt->database_object_handle;
-    eventCache.sqlDialect = GetSqlDialectFromPdo(pdo_object);
+#if PHP_VERSION_ID >= 80500
+    if (!stmt->database_object_handle) {
+        eventCache.sqlDialect = "unknown";
+        return;
+    }
+    eventCache.sqlDialect = GetSqlDialectFromPdo(stmt->database_object_handle);
+#else
+    eventCache.sqlDialect = GetSqlDialectFromPdo(&stmt->database_object_handle);
+#endif
 }
 
 zend_class_entry* helper_load_mysqli_link_class_entry() {

lib/php-extension/Utils.cpp

@@ -111,6 +111,18 @@ std::string GetSqlDialectFromPdo(zval *pdo_object) {
     return "unknown";
 }
 
+#if PHP_VERSION_ID >= 80500
+std::string GetSqlDialectFromPdo(zend_object *pdo_object) {
+    if (!pdo_object) {
+        return "unknown";
+    }
+
+    zval pdo_object_zval;
+    ZVAL_OBJ(&pdo_object_zval, pdo_object);
+    return GetSqlDialectFromPdo(&pdo_object_zval);
+}
+#endif
+
 bool StartsWith(const std::string& str, const std::string& prefix, bool caseSensitive) {
     std::string strToCompare = str;
     std::string prefixToCompare = prefix;
@@ -207,3 +219,13 @@ std::string GetStackTrace() {
     return "";
 #endif
 }
+
+zend_class_entry* GetFirewallDefaultExceptionCe() {
+#if PHP_VERSION_ID >= 80500
+    // PHP 8.5+: zend_exception_get_default() removed
+    return zend_ce_exception;
+#else
+    // PHP < 8.5
+    return zend_exception_get_default();
+#endif
+}