From 7974e544911545a2b08b63f27acc141cf94a1490 Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Sun, 6 Mar 2022 20:52:13 +0100 Subject: [PATCH] support and enable snuffleupagus --- Dockerfile | 9 +- README.md | 4 +- rootfs/usr/local/bin/run.sh | 6 + .../php/snuffleupagus/nextcloud-php8.rules | 126 ++++++++++++++++++ .../etc/php/snuffleupagus/snuffleupagus.ini | 2 + 5 files changed, 145 insertions(+), 2 deletions(-) create mode 100644 rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules create mode 100644 rootfs/usr/local/etc/php/snuffleupagus/snuffleupagus.ini diff --git a/Dockerfile b/Dockerfile index 2436cfd..e215e88 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,6 +5,7 @@ ARG NGINX_VERSION=1.20 ARG ALPINE_VERSION=3.15 ARG HARDENED_MALLOC_VERSION=11 +ARG SNUFFLEUPAGUS_VERSION=0.7.1 ARG UID=1000 ARG GID=1000 @@ -19,10 +20,13 @@ ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A" ### Build PHP base FROM php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base +ARG SNUFFLEUPAGUS_VERSION + RUN apk -U upgrade \ && apk add -t build-deps \ $PHPIZE_DEPS \ freetype-dev \ + git \ gmp-dev \ icu-dev \ libjpeg-turbo-dev \ @@ -70,8 +74,10 @@ RUN apk -U upgrade \ smbclient \ redis \ imagick \ + && cd /tmp && git clone --depth 1 --branch v${SNUFFLEUPAGUS_VERSION} https://github.com/jvoisin/snuffleupagus \ + && cd snuffleupagus/src && phpize && ./configure --enable-snuffleupagus && make && make install \ && apk del build-deps \ - && rm -rf /var/cache/apk/* + && rm -rf /var/cache/apk/* /tmp/* ### Build Hardened Malloc @@ -115,6 +121,7 @@ ENV UPLOAD_MAX_SIZE=10G \ CRON_MEMORY_LIMIT=1g \ DB_TYPE=sqlite3 \ DOMAIN=localhost \ + PHP_HARDENING=true \ LD_PRELOAD="/usr/local/lib/libhardened_malloc-light.so /usr/lib/preloadable_libiconv.so" RUN apk --no-cache add \ diff --git a/README.md b/README.md index 99b8ae7..5676231 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ Don't run random images from random dudes on the Internet. Ideally, you want to - **Images are scanned every day** by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Known vulnerabilities will be automatically uploaded to [GitHub Security Lab](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning) for full transparency. This also warns me if I have to take action to fix a vulnerability. - **Latest tag/version is automatically built weekly**, so you should often update your images regardless if you're already using the latest Nextcloud version. - **Build production images without cache** (use `docker build --no-cache` for instance) if you want to build your images manually. Latest dependencies will hence be used instead of outdated ones due to a cached layer. +- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including XXE, weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: it that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and open an issue. You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container. - **Images are signed with the GitHub-provided OIDC token in Actions** using the experimental "keyless" signing feature provided by [cosign](https://github.com/sigstore/cosign). You can verify the image signature using `cosign` as well: ``` @@ -54,7 +55,7 @@ Only the **latest stable version** will be maintained by myself. For convenience they were put at [the very top of the Dockerfile](https://github.com/hoellen/docker-nextcloud/blob/master/Dockerfile#L1-L13) and their usage should be quite explicit if you intend to build this image yourself. -## Environment variables (Dockerfile) +## Environment variables (Dockerfile defaults, used at runtime) | Variable | Description | Default | | ------------------------- | --------------------------- | ------------------ | @@ -65,6 +66,7 @@ For convenience they were put at [the very top of the Dockerfile](https://github | **CRON_MEMORY_LIMIT** | cron max memory usage | 1G | | **DB_TYPE** | sqlite3, mysql, pgsql | sqlite3 | | **DOMAIN** | host domain | localhost | +| **PHP_HARDENING** | enables snuffleupagus | true | Leave them at default if you're not sure what you're doing. diff --git a/rootfs/usr/local/bin/run.sh b/rootfs/usr/local/bin/run.sh index a5869a9..45a15ed 100644 --- a/rootfs/usr/local/bin/run.sh +++ b/rootfs/usr/local/bin/run.sh @@ -9,6 +9,12 @@ sed -i -e "s//$APC_SHM_SIZE/g" /usr/local/etc/php/conf.d/apcu.ini -e "s//$UPLOAD_MAX_SIZE/g" /etc/nginx/nginx.conf /usr/local/etc/php-fpm.conf \ -e "s//$MEMORY_LIMIT/g" /usr/local/etc/php-fpm.conf +# Enable Snuffleupagus +if [ "$PHP_HARDENING" == "true" ] && [ ! -f /usr/local/etc/php/conf.d/snuffleupagus.ini ]; then + echo "Enabling Snuffleupagus..." + cp /usr/local/etc/php/snuffleupagus/* /usr/local/etc/php/conf.d +fi + # If new install, run setup if [ ! -f /nextcloud/config/config.php ]; then touch /nextcloud/config/CAN_INSTALL diff --git a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules new file mode 100644 index 0000000..6f3c2ca --- /dev/null +++ b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules @@ -0,0 +1,126 @@ +# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io), +# for php8. +# It contains "reasonable" defaults that won't break your websites, +# and a lot of commented directives that you can enable if you want to +# have a better protection. + +# Harden the PRNG +sp.harden_random.enable(); + +# Disabled XXE +sp.disable_xxe.enable(); + +# Global configuration variables +# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS."); + +# Globally activate strict mode +# https://www.php.net/manual/en/language.types.declarations.php#language.types.declarations.strict +# sp.global_strict.enable(); + +# Prevent unserialize-related exploits +# sp.unserialize_hmac.enable(); + +# Only allow execution of read-only files. This is a low-hanging fruit that you should enable. +# sp.readonly_exec.enable(); + +# PHP has a lot of wrappers, most of them aren't usually useful, you should +# only enable the ones you're using. +# sp.wrappers_whitelist.list("file,php,phar"); + +# Prevent sloppy comparisons. +# sp.sloppy_comparison.enable(); + +# Use SameSite on session cookie +# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery +sp.cookie.name("PHPSESSID").samesite("lax"); + +# Nextcloud whitelist (tested with Nextcloud 23.0.2) +sp.disable_function.function("function_exists").param("function").value("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow(); +sp.disable_function.function("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow(); +sp.disable_function.function("ini_set").param("option").value_r("display_errors").filename("/nextcloud/lib/base.php").allow(); +sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/3rdparty/bantu/ini-get-wrapper/src/IniGetWrapper.php").allow(); + +# Harden the `chmod` function (0777 (oct = 511, 0666 = 438) +sp.disable_function.function("chmod").param("permissions").value("438").drop(); +sp.disable_function.function("chmod").param("permissions").value("511").drop(); + +# Prevent various `mail`-related vulnerabilities +sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); + +# Since it's now burned, me might as well mitigate it publicly +sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop() + +# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 +sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop() + +# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector +sp.disable_function.function("extract").param("array").value_r("^_").drop() +sp.disable_function.function("extract").param("flags").value("0").drop() + +# This is also burned: +# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd')); +# Since we have no way of matching on two parameters at the same time, we're +# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway. +# Moreover, there are non-public bypasses that are also using this vector ;) +sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop() + +# Prevent various `include`-related vulnerabilities +sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow(); +sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow(); +sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow(); +sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow(); +sp.disable_function.function("require_once").drop() +sp.disable_function.function("include_once").drop() +sp.disable_function.function("require").drop() +sp.disable_function.function("include").drop() + +# Prevent `system`-related injections +sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); +sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); +sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); +sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); + +# Prevent runtime modification of interesting things +sp.disable_function.function("ini_set").param("option").value("assert.active").drop(); +sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop(); +sp.disable_function.function("ini_set").param("option").value("memory_limit").drop(); +sp.disable_function.function("ini_set").param("option").value("include_path").drop(); +sp.disable_function.function("ini_set").param("option").value("open_basedir").drop(); + +# Detect some backdoors via environment recon +sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop(); +sp.disable_function.function("ini_get").param("option").value("open_basedir").drop(); +sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop(); +sp.disable_function.function("function_exists").param("function").value("eval").drop(); +sp.disable_function.function("function_exists").param("function").value("exec").drop(); +sp.disable_function.function("function_exists").param("function").value("system").drop(); +sp.disable_function.function("function_exists").param("function").value("shell_exec").drop(); +sp.disable_function.function("function_exists").param("function").value("proc_open").drop(); +sp.disable_function.function("function_exists").param("function").value("passthru").drop(); +sp.disable_function.function("is_callable").param("value").value("eval").drop(); +sp.disable_function.function("is_callable").param("value").value("exec").drop(); +sp.disable_function.function("is_callable").param("value").value("system").drop(); +sp.disable_function.function("is_callable").param("value").value("shell_exec").drop(); +sp.disable_function.function("is_callable").param("value").value("proc_open").drop(); +sp.disable_function.function("is_callable").param("value").value("passthru").drop(); + +# Ghetto error-based sqli detection +# sp.disable_function.function("mysql_query").ret("FALSE").drop(); +# sp.disable_function.function("mysqli_query").ret("FALSE").drop(); +# sp.disable_function.function("PDO::query").ret("FALSE").drop(); + +# Ensure that certificates are properly verified +sp.disable_function.function("curl_setopt").param("value").value("1").allow(); +sp.disable_function.function("curl_setopt").param("value").value("2").allow(); +# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER +sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off."); +sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off."); + +# File upload +sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop(); +sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop(); + +# Logging lockdown +sp.disable_function.function("ini_set").param("option").value_r("error_log").drop() +sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop() +sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop() \ No newline at end of file diff --git a/rootfs/usr/local/etc/php/snuffleupagus/snuffleupagus.ini b/rootfs/usr/local/etc/php/snuffleupagus/snuffleupagus.ini new file mode 100644 index 0000000..27fe107 --- /dev/null +++ b/rootfs/usr/local/etc/php/snuffleupagus/snuffleupagus.ini @@ -0,0 +1,2 @@ +extension=snuffleupagus.so +sp.configuration_file=/usr/local/etc/php/conf.d/nextcloud-php8.rules \ No newline at end of file