Fixed Bypassed IPs not returning populated should_block_request decision structure

README.md

@@ -39,25 +39,25 @@ Prerequisites:
 
 ##### x86_64
 ```
-rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.x86_64.rpm
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.5.3/aikido-php-firewall.x86_64.rpm
 ```
 
 ##### arm64 / aarch64
 ```
-rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.aarch64.rpm
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.5.3/aikido-php-firewall.aarch64.rpm
 ```
 
 #### For Debian-based Systems (Debian, Ubuntu)
 
 ##### x86_64
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.3/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 
 ##### arm64 / aarch64
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.aarch64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.3/aikido-php-firewall.aarch64.deb
 dpkg -i -E ./aikido-php-firewall.aarch64.deb
 ```
 

docs/aws-elastic-beanstalk.md

@@ -4,7 +4,7 @@
 ```
 commands:
   aikido-php-firewall:
-    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.x86_64.rpm"
+    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.5.3/aikido-php-firewall.x86_64.rpm"
     ignoreErrors: true
 
 files:

docs/fly-io.md

@@ -32,7 +32,7 @@ Create a script to install the Aikido PHP Firewall during deployment:
 #!/usr/bin/env bash
 cd /tmp
 
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.3/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 

docs/laravel-forge.md

@@ -8,7 +8,7 @@ You can get your token from the [Aikido Security Dashboard](https://help.aikido.
 
 Go to "Commands" and run the following by replacing the sudo password with the one that Forge displays when the server is created:
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.x86_64.deb && echo "YOUR_SUDO_PASSWORD_HERE" | sudo -S dpkg -i -E ./aikido-php-firewall.x86_64.deb && echo "YOUR_SUDO_PASSWORD_HERE" | sudo -S service php8.4-fpm restart
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.3/aikido-php-firewall.x86_64.deb && echo "YOUR_SUDO_PASSWORD_HERE" | sudo -S dpkg -i -E ./aikido-php-firewall.x86_64.deb && echo "YOUR_SUDO_PASSWORD_HERE" | sudo -S service php8.4-fpm restart
 ```
 
 ![Forge Commands](./forge-commands.png)

docs/laravel-octane-frankenphp.md

@@ -8,7 +8,7 @@ You can get your token from the [Aikido Security Dashboard](https://help.aikido.
 
 `docker/version/Dockerfile`
 ```dockerfile
-ARG AIKIDO_VERSION=1.5.2
+ARG AIKIDO_VERSION=1.5.3
 
 RUN curl -L -o /tmp/aikido-php-firewall.deb \
     "https://github.com/AikidoSec/firewall-php/releases/download/v${AIKIDO_VERSION}/aikido-php-firewall.$(uname -m).deb" \
@@ -72,7 +72,7 @@ dpkg -i -E ./aikido-php-firewall.$(uname -m).deb
 ```dockerfile
 FROM dunglas/frankenphp:php${PHP_VERSION}-bookworm
 
-ARG AIKIDO_VERSION=1.5.2
+ARG AIKIDO_VERSION=1.5.3
 
 RUN apt-get update && apt-get install -y curl \
     && curl -L -o /tmp/aikido-php-firewall.deb \

lib/agent/constants/constants.go

@@ -1,7 +1,7 @@
 package constants
 
 const (
-	Version                             = "1.5.2"
+	Version                             = "1.5.3"
 	SocketPath                          = "/run/aikido-" + Version + "/aikido-agent.sock"
 	PidPath                             = "/run/aikido-" + Version + "/aikido-agent.pid"
 	ConfigUpdatedAtMethod               = "GET"

lib/agent/go.mod

@@ -1,10 +1,10 @@
 module main
 
-go 1.26.0
+go 1.26.1
 
 require (
 	github.com/stretchr/testify v1.9.0
-	google.golang.org/grpc v1.79.1
+	google.golang.org/grpc v1.79.2
 	google.golang.org/protobuf v1.36.10
 )
 

lib/agent/go.sum

@@ -106,6 +106,8 @@ google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
 google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
 google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
 google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/grpc v1.79.2 h1:fRMD94s2tITpyJGtBBn7MkMseNpOZU8ZxgC3MMBaXRU=
+google.golang.org/grpc v1.79.2/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
 google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=

lib/php-extension/HandleShouldBlockRequest.cpp

@@ -37,19 +37,22 @@ ZEND_FUNCTION(should_block_request) {
         return;
     }
 
-    if (IsAikidoDisabledOrBypassed()) {
+    if (!blockingStatusClass) {
         return;
     }
 
-    if (!blockingStatusClass) {
+    // Initialize the returned object with default values so that block = false
+    // even if the IP is bypassed
+    object_init_ex(return_value, blockingStatusClass);
+
+    if (IsAikidoDisabledOrBypassed()) {
         return;
     }
 
     if (!CheckBlocking(EVENT_GET_BLOCKING_STATUS, AIKIDO_GLOBAL(checkedShouldBlockRequest))) {
         return;
     }
 
-    object_init_ex(return_value, blockingStatusClass);
 #if PHP_VERSION_ID >= 80000
     zend_object *obj = Z_OBJ_P(return_value);
     if (!obj) {

lib/php-extension/include/php_aikido.h

@@ -19,7 +19,7 @@
 extern zend_module_entry aikido_module_entry;
 #define phpext_aikido_ptr &aikido_module_entry
 
-#define PHP_AIKIDO_VERSION "1.5.2"
+#define PHP_AIKIDO_VERSION "1.5.3"
 
 #if defined(ZTS) && defined(COMPILE_DL_AIKIDO)
 ZEND_TSRMLS_CACHE_EXTERN()

lib/request-processor/globals/globals.go

@@ -79,6 +79,6 @@ func CreateServer(token string) *ServerData {
 }
 
 const (
-	Version    = "1.5.2"
+	Version    = "1.5.3"
 	SocketPath = "/run/aikido-" + Version + "/aikido-agent.sock"
 )

lib/request-processor/go.mod

@@ -1,11 +1,11 @@
 module main
 
-go 1.26.0
+go 1.26.1
 
 require (
 	github.com/stretchr/testify v1.11.1
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	google.golang.org/grpc v1.79.1
+	google.golang.org/grpc v1.79.2
 	google.golang.org/protobuf v1.36.10
 )
 

lib/request-processor/go.sum

@@ -108,6 +108,8 @@ google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
 google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
 google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
 google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/grpc v1.79.2 h1:fRMD94s2tITpyJGtBBn7MkMseNpOZU8ZxgC3MMBaXRU=
+google.golang.org/grpc v1.79.2/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
 google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=

package/rpm/aikido.spec

@@ -1,5 +1,5 @@
 Name:           aikido-php-firewall
-Version:        1.5.2
+Version:        1.5.3
 Release:        1
 Summary:        Aikido PHP Extension
 License:        GPL

tests/server/test_bypassed_ip_should_block_request/env.json

@@ -0,0 +1,5 @@
+{
+    "AIKIDO_BLOCK": "1",
+    "AIKIDO_LOCALHOST_ALLOWED_BY_DEFAULT": "0",
+    "AIKIDO_FEATURE_COLLECT_API_SCHEMA": "1"
+}

tests/server/test_bypassed_ip_should_block_request/index.php

@@ -0,0 +1,13 @@
+<?php
+
+if (extension_loaded('aikido')) {
+    $decision = \aikido\should_block_request();
+
+    if ($decision == null) {
+        echo "Decision is null!";
+    }
+}
+
+echo "Something!";
+
+?>

tests/server/test_bypassed_ip_should_block_request/start_config.json

@@ -0,0 +1,21 @@
+{
+    "success": true,
+    "serviceId": 1,
+    "heartbeatIntervalInMS": 600000,
+    "endpoints": [
+        {
+            "method": "GET",
+            "route": "/somethingVerySpecific",
+            "forceProtectionOff": false,
+            "graphql": null,
+            "rateLimiting": {
+                "enabled": false,
+                "maxRequests": 100,
+                "windowSizeInMS": 60000
+            }
+        }
+    ],
+    "blockedUserIds": [],
+    "allowedIPAddresses": ["185.245.255.211"],
+    "receivedAnyStats": true
+}

tests/server/test_bypassed_ip_should_block_request/test.py

@@ -0,0 +1,26 @@
+import requests
+import time
+import sys
+from testlib import *
+
+'''
+Test that should_block_request returns a valid object when IP is bypassed.
+
+The IP 185.245.255.211 is in the global allowedIPAddresses (bypassed).
+The endpoint only allows 185.245.255.212 via endpoint-level allowedIPAddresses.
+
+A request from the bypassed IP should not crash when accessing
+properties on the return value of should_block_request().
+'''
+
+
+def run_test():
+    response = php_server_get("/somethingVerySpecific", headers={"X-Forwarded-For": "185.245.255.211"})
+    assert_response_code_is(response, 200)
+    assert_response_body_not_contains(response, "Decision is null!")
+    assert_response_body_contains(response, "Something!")
+
+
+if __name__ == "__main__":
+    load_test_args()
+    run_test()

tests/testlib/testlib.py

@@ -187,6 +187,9 @@ def assert_response_header_contains(response, header, value):
 def assert_response_body_contains(response, text):
     assert text in response.text, f"Test '{text}' is not part of response body: {response.text}"
 
+def assert_response_body_not_contains(response, text):
+    assert text not in response.text, f"Test '{text}' is part of response body: {response.text}"
+
 def assert_is_valid_ip(ip_address):
     try:
         ipaddress.ip_address(ip_address)