Add support for method overrides (_method query param or X-HTTP-Method-Override header) (#344)

PopoviciMarian · web-flow · commit 917d611477a7 · 2025-11-10T13:00:33.000+02:00
diff --git a/lib/php-extension/GoWrappers.cpp b/lib/php-extension/GoWrappers.cpp
@@ -22,7 +22,7 @@ char* GoContextCallback(int callbackId) {
                 break;
             case CONTEXT_METHOD:
                 ctx = "METHOD";
-                ret = server.GetVar("REQUEST_METHOD");
+                ret = server.GetMethod();
                 break;
             case CONTEXT_ROUTE:
                 ctx = "ROUTE";
diff --git a/lib/php-extension/RequestProcessor.cpp b/lib/php-extension/RequestProcessor.cpp
@@ -9,7 +9,8 @@ std::string RequestProcessor::GetInitData(const std::string& token) {
     if (!token.empty()) {
         AIKIDO_GLOBAL(token) = token;
     }
-
+    unordered_map<std::string, std::string> packages = GetPackages();
+    AIKIDO_GLOBAL(uses_symfony_http_foundation) = packages.find("symfony/http-foundation") != packages.end();
     json initData = {
         {"token", AIKIDO_GLOBAL(token)},
         {"platform_name", AIKIDO_GLOBAL(sapi_name)},
@@ -22,7 +23,7 @@ std::string RequestProcessor::GetInitData(const std::string& token) {
         {"disk_logs", AIKIDO_GLOBAL(disk_logs)},
         {"localhost_allowed_by_default", AIKIDO_GLOBAL(localhost_allowed_by_default)},
         {"collect_api_schema", AIKIDO_GLOBAL(collect_api_schema)},
-        {"packages", GetPackages()}};
+        {"packages", packages}};
     return NormalizeAndDumpJson(initData);
 }
 
diff --git a/lib/php-extension/Server.cpp b/lib/php-extension/Server.cpp
@@ -35,6 +35,57 @@ std::string Server::GetVar(const char* var) {
     return Z_STRVAL_P(data);
 }
 
+// Return the method from the query param _method (_GET["_method"])
+std::string Server::GetMethodFromQuery() {
+    zval *get_array;
+    get_array = zend_hash_str_find(&EG(symbol_table), "_GET", sizeof("_GET") - 1);
+    if (!get_array || Z_TYPE_P(get_array) != IS_ARRAY) {
+        return "";
+    }
+
+    zval* query_method = zend_hash_str_find(Z_ARRVAL_P(get_array), "_method", sizeof("_method") - 1);
+    if (!query_method) {
+        return "";
+    }
+    if (Z_TYPE_P(query_method) != IS_STRING) {
+        return "";
+    }
+    std::string query_method_str = Z_STRVAL_P(query_method);
+    return ToUppercase(query_method_str);
+}
+ 
+// For frameworks like Symfony, Laravel, method override is supported using X-HTTP-METHOD-OVERRIDE or _method query param
+// https://github.com/symfony/symfony/blob/b8eaa4be31f2159918e79e5694bc9ff241e0d692/src/Symfony/Component/HttpFoundation/Request.php#L1169-L1215
+std::string Server::GetMethod() {
+    std::string method = ToUppercase(this->GetVar("REQUEST_METHOD"));
+    
+    // if symfony http foundation is not used, return the method as is, otherwise we need to check the method override
+    if (!AIKIDO_GLOBAL(uses_symfony_http_foundation)) { 
+        return method;
+    }
+
+    // only for POST requests, we need to check the method override
+    if (method != "POST") {
+        return method;
+    }
+
+    // X-HTTP-METHOD-OVERRIDE
+    std::string x_http_method_override = ToUppercase(this->GetVar("HTTP_X_HTTP_METHOD_OVERRIDE"));
+    if (x_http_method_override != "") {
+        method = x_http_method_override;
+    }
+
+    // in case of X-HTTP-METHOD-OVERRIDE is not set, we check the query param _method
+    if (x_http_method_override == "") {
+        std::string query_method = this->GetMethodFromQuery();
+        if (query_method != "") {
+            method = query_method;
+        }
+    }
+   
+    return method;
+}
+
 std::string Server::GetRoute() {
     std::string route = this->GetVar("REQUEST_URI");
     size_t pos = route.find("?");
diff --git a/lib/php-extension/Utils.cpp b/lib/php-extension/Utils.cpp
@@ -6,6 +6,12 @@ std::string ToLowercase(const std::string& str) {
     return result;
 }
 
+std::string ToUppercase(const std::string& str) {
+    std::string result = str;
+    std::transform(result.begin(), result.end(), result.begin(), [](unsigned char c) { return std::toupper(c); });
+    return result;
+}
+
 std::string GetRandomNumber() {
     std::random_device rd;
     std::mt19937 gen(rd());
diff --git a/lib/php-extension/include/Server.h b/lib/php-extension/include/Server.h
@@ -9,6 +9,10 @@ class Server {
 
     std::string GetVar(const char* var);
 
+    std::string GetMethod();
+    
+    std::string GetMethodFromQuery();
+
     std::string GetRoute();
 
     std::string GetStatusCode();
diff --git a/lib/php-extension/include/Utils.h b/lib/php-extension/include/Utils.h
@@ -4,6 +4,8 @@
 
 std::string ToLowercase(const std::string& str);
 
+std::string ToUppercase(const std::string& str);
+
 std::string GetRandomNumber();
 
 std::string GetTime();
diff --git a/lib/php-extension/include/php_aikido.h b/lib/php-extension/include/php_aikido.h
@@ -18,6 +18,7 @@ bool disk_logs; // When enabled, it writes logs to disk instead of stdout. It's
 bool collect_api_schema;
 bool trust_proxy;
 bool localhost_allowed_by_default;
+bool uses_symfony_http_foundation; // If true, method override is supported using X-HTTP-METHOD-OVERRIDE or _method query param
 unsigned int report_stats_interval_to_agent; // Report once every X requests the collected stats to Agent
 std::string log_level_str;
 std::string sapi_name;
diff --git a/tests/server/test_http_method_override/env.json b/tests/server/test_http_method_override/env.json
@@ -0,0 +1,5 @@
+{
+    "AIKIDO_BLOCK": "1",
+    "AIKIDO_LOCALHOST_ALLOWED_BY_DEFAULT": "0",
+    "AIKIDO_FEATURE_COLLECT_API_SCHEMA": "1"
+}
diff --git a/tests/server/test_http_method_override/expect_method_overrides.json b/tests/server/test_http_method_override/expect_method_overrides.json
@@ -0,0 +1,32 @@
+{
+    "type": "heartbeat",
+    "routes": [
+        {
+            "path": "/",
+            "method": "GET",
+            "hits": 8,
+            "rateLimitedCount": 3
+        },
+        {
+            "path": "/",
+            "method": "POST",
+            "hits": 1
+        },
+        {
+            "path": "/",
+            "method": "PUT",
+            "hits": 3
+        },
+        {
+            "path": "/",
+            "method": "DELETE",
+            "hits": 1
+        },
+        {
+            "path": "/",
+            "method": "PATCH",
+            "hits": 1
+        }
+    ]
+}
+
diff --git a/tests/server/test_http_method_override/index.php b/tests/server/test_http_method_override/index.php
@@ -0,0 +1,30 @@
+<?php
+
+
+$method = $_SERVER['REQUEST_METHOD'];
+$_SERVER['REMOTE_ADDR'] = '5.2.190.71';
+
+if ($method === 'POST') {
+    if (isset($_GET['_method'])) {
+        $method = strtoupper($_GET['_method']);
+    }
+
+    else if (isset($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
+        $method = strtoupper($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE']);
+    }
+}
+
+
+if (extension_loaded('aikido')) {
+    $decision = \aikido\should_block_request();
+
+    // If the rate limit is exceeded, return a 429 status code
+    if ($decision->block && $decision->type == "ratelimited" && $decision->trigger == "ip") {
+        http_response_code(429);
+        echo "Rate limit exceeded by IP: " . $decision->ip;
+        exit();
+    }
+}
+
+echo "Method: " . $method;
+
diff --git a/tests/server/test_http_method_override/start_config.json b/tests/server/test_http_method_override/start_config.json
@@ -0,0 +1,22 @@
+{
+    "success": true,
+    "serviceId": 1,
+    "heartbeatIntervalInMS": 600000,
+    "endpoints": [
+        {
+            "method": "GET",
+            "route": "\/",
+            "forceProtectionOff": false,
+            "graphql": null,
+            "allowedIPAddresses": [],
+            "rateLimiting": {
+                "enabled": true,
+                "maxRequests": 5,
+                "windowSizeInMS": 60000
+            }
+        }
+    ],
+    "blockedUserIds": [],
+    "allowedIPAddresses": [],
+    "receivedAnyStats": false
+}
diff --git a/tests/server/test_http_method_override/test.py b/tests/server/test_http_method_override/test.py
@@ -0,0 +1,87 @@
+import requests
+import time
+import sys
+from testlib import *
+import shutil
+import os
+import json
+
+'''
+Tests HTTP method override functionality when Symfony HTTP Foundation is present.
+
+1. Verifies _method query parameter overrides (POST → PUT, DELETE, GET)
+2. Verifies X-HTTP-Method-Override header overrides (POST → PATCH, PUT, GET)
+3. Tests case-insensitive header handling (x-http-Method-Override)
+4. Validates that rate limiting applies to the overridden method, not the original POST
+   - Configures 5 GET requests/minute limit
+   - Sends 5 GET requests (allowed)
+   - Sends POST requests with method override to GET (rate limited as GET)
+'''
+
+COMPOSER_LOCK_FULL_PATH = os.path.join(os.path.dirname(__file__), "../composer.lock")
+
+def run_test():
+  
+    response = php_server_post("/?_method=PUT", {})
+    assert_response_code_is(response, 200)
+    assert_response_body_contains(response, "Method: PUT")
+    
+    response = php_server_post("/?_method=DELETE", {})
+    assert_response_code_is(response, 200)
+    assert_response_body_contains(response, "Method: DELETE")
+
+    response = php_server_post("/", {}, headers={"X-HTTP-Method-Override": "PATCH"})
+    assert_response_code_is(response, 200)
+    assert_response_body_contains(response, "Method: PATCH")
+
+    response = php_server_post("/", {}, headers={"X-HTTP-Method-Override": "PUT"})
+    assert_response_code_is(response, 200)
+    assert_response_body_contains(response, "Method: PUT")
+
+    response = php_server_post("/", {})
+    assert_response_code_is(response, 200)
+    assert_response_body_contains(response, "Method: POST")
+
+    response = php_server_post("/?_method=put", {})
+    assert_response_code_is(response, 200)
+    assert_response_body_contains(response, "Method: PUT")
+
+    for _ in range(5):
+        response = php_server_get("/")
+        assert_response_code_is(response, 200)
+        assert_response_body_contains(response, "Method: GET")
+
+    time.sleep(10)
+    response = php_server_post("/", {}, headers={"X-HTTP-Method-Override": "GET"})
+    assert_response_code_is(response, 429)
+
+    response = php_server_post("/", {}, headers={"x-http-Method-Override": "GET"})
+    assert_response_code_is(response, 429)
+
+
+    response = php_server_post("/?_method=GET", {})
+    assert_response_code_is(response, 429)
+
+    mock_server_wait_for_new_events(70)
+
+    events = mock_server_get_events()
+    assert_events_length_is(events, 2)
+    assert_started_event_is_valid(events[0])
+    assert_event_contains_subset_file(events[1], "expect_method_overrides.json")
+
+def create_composer_lock():
+    package_data = {"packages": [{"name": "symfony/http-foundation", "version": "v7.3.6"}]}
+    with open(COMPOSER_LOCK_FULL_PATH, "w") as f:
+        json.dump(package_data, f)
+
+def delete_composer_lock():
+    os.remove(COMPOSER_LOCK_FULL_PATH)
+
+if __name__ == "__main__":
+    load_test_args()
+
+    try:
+        create_composer_lock()
+        run_test()
+    finally:
+        delete_composer_lock()
