laravel / octane

Supercharge your Laravel application's performance.
https://laravel.com/docs/octane
MIT License

vulnerability question, log handler problem, database connection exception #843

Closed i-chernyshov closed 5 months ago

i-chernyshov commented 5 months ago

Octane Version

2.3.2

Laravel Version

10.42.0

PHP Version

8.1

What server type are you using?

Open Swoole

Server Version

22.1.2

Database Driver & Version

(PostgreSQL) 15.4 (Debian 15.4-2.pgdg120+1)

Description

hello! I have combined 3 of my current problems into one thread

first: security warnings, could you give a couple of comments about this?

commit 8f9d0da559ba4366fecc5c106d1298abe6773396 (HEAD -> 2.x, origin/HEAD, origin/2.x)
Author: Taylor Otwell <taylor@laravel.com>
Date:   Sun Feb 4 16:49:02 2024 +0100

    default to true

 ✗ [High] Deserialization of Untrusted Data
   Path: src/OctaneServiceProvider.php, line 206
   Info: Unsanitized input from an HTTP parameter flows into unserialize, where it is used to deserialize an object. This may result in an Unsafe Deserialization vulnerability.

 ✗ [High] Deserialization of Untrusted Data
   Path: src/OctaneServiceProvider.php, line 221
   Info: Unsanitized input from an HTTP parameter flows into unserialize, where it is used to deserialize an object. This may result in an Unsafe Deserialization vulnerability.

second: in Monolog, I use my custom driver and handler (inherited from AbstractProcessingHandler), thanks to which I collect records in the terminate method of my middleware and send them to storage. They are quite simple, and I have limited rights, so I can't attach the full code. So the problem is that records are filled only when processing the very first request after the start of the worker; then in all subsequent requests the write method is called, but records always turn out to be empty. Commenting out FlushMonologState does not help. Could you help me understand what the problem is?

third: sometimes I just get an error. It works stably 2/3 of the time. What could be the reason for such unexpected behavior?

production.ERROR: Call to a member function prepare() on null {"exception":"[object] (Error(code: 0): Call to a member function prepare() on null at /vendor/laravel/framework/src/Illuminate/Database/Connection.php:479)

   INFO  [stacktrace]

   INFO  #0 /vendor/laravel/framework/src/Illuminate/Database/Connection.php(809): Illuminate\\Database\\Connection->Illuminate\\Database\\{closure}()

   INFO  #1 /vendor/laravel/framework/src/Illuminate/Database/Connection.php(776): Illuminate\\Database\\Connection->runQueryCallback()

   INFO  #2 /vendor/laravel/framework/src/Illuminate/Database/Connection.php(470): Illuminate\\Database\\Connection->run()

   INFO  #3 /vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php(2945): Illuminate\\Database\\Connection->cursor()

Thanks!

Steps To Reproduce

first problem: use a security checker

second problem: periodically occurs on its own

third problem: create your own custom handler like this

'driver' => 'custom',
'via' => LoggerFactory::class,
'handler' => ApplicationLogHandler::class,

Throw several exceptions while processing a request, then in terminable middleware try to call getRecords(); the records will only be available when processing the first request after the start of the worker.
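The two scanner findings above say that bytes taken from an HTTP parameter reach unserialize(). The thread does not say whether those Octane lines are reachable by an outside caller, so the following is not a statement about Octane; it is an added example (not code from the Octane project or from this issue's author) showing what that finding means in PHP and the two usual mitigations. The class CacheWriter, the three restore*() functions and the file path are hypothetical, and the payload string is constructed here by hand the way an attacker would build it.

```php
<?php
// Added example, not Octane's code: what a "Deserialization of Untrusted Data"
// finding means for PHP's unserialize(), and how to neutralise it.

declare(strict_types=1);

// Hypothetical stand-in for any autoloaded class whose magic method does
// side effects. Every such class in the code base is a potential "gadget":
// unserialize() will instantiate it and PHP will run its destructor.
final class CacheWriter
{
    public function __construct(public string $path, public string $contents)
    {
    }

    // Runs when the object is garbage-collected, including objects that
    // unserialize() built from attacker-controlled bytes.
    public function __destruct()
    {
        file_put_contents($this->path, $this->contents);
    }
}

// Vulnerable pattern: untrusted bytes go straight into unserialize().
function restoreUnsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened: allowed_classes => false refuses to instantiate any class. Objects
// come back as __PHP_Incomplete_Class and no magic methods run.
function restoreSafe(string $untrusted): mixed
{
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    if ($value === false && $untrusted !== serialize(false)) {
        throw new UnexpectedValueException('malformed serialized payload');
    }
    return $value;
}

// Preferred for anything a client can send: a format that cannot carry objects.
function restoreJson(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed attacker payload. It is written by hand from the gadget's class
// name and public property names; no CacheWriter object exists until the
// server unserializes it. (Hypothetical target path.)
$target   = sys_get_temp_dir() . '/unserialize-demo.txt';
$contents = "written by a destructor that unserialize() armed\n";
$payload  = sprintf(
    'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:%d:"%s";}',
    strlen($target), $target, strlen($contents), $contents
);

// 1. Vulnerable path: the gadget is instantiated and its destructor writes the file.
@unlink($target);
$obj = restoreUnsafe($payload);
unset($obj); // triggers CacheWriter::__destruct()
printf("unsafe: file exists after unset: %s\n", var_export(file_exists($target), true));

// 2. Hardened path: same bytes, but no CacheWriter is ever built.
@unlink($target);
$obj = restoreSafe($payload);
printf("safe: decoded as %s\n", get_class($obj));
unset($obj);
printf("safe: file exists after unset: %s\n", var_export(file_exists($target), true));

// 3. JSON path: the same data as plain arrays, with no way to name a class.
print_r(restoreJson(json_encode(['path' => $target, 'contents' => $contents])));
```

The point of the first branch is that the attacker never calls CacheWriter directly; naming the class inside the serialized string is enough for unserialize() to construct it and for PHP to run its destructor. With allowed_classes set to false the same bytes decode to a __PHP_Incomplete_Class, so no destructor, __wakeup or __unserialize code in the application can be reached. When the data has to cross a trust boundary at all, JSON removes the problem class rather than filtering it; when a serialized object graph is genuinely needed (as between trusted server processes), the caller should also be authenticated, for example with a shared secret checked before the bytes are parsed.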

i-chernyshov commented 5 months ago

I found that the second problem can be solved by turning the singleton binding 'log' into a scoped one: /vendor/laravel/framework/src/Illuminate/Log/LogServiceProvider.php

PR didn't work for me

I can do it myself, but how many places in Laravel should I still think about? Is this production-ready? Could the right solution be to redefine all singleton bindings as scoped?

driesvints commented 5 months ago

Hi there,

Thanks for reporting but it looks like this is a question which can be asked on a support channel. Please only use this issue tracker for reporting bugs with the library itself. If you have a question on how to use functionality provided by this repo you can try one of the following channels:

However, this issue will not be locked and everyone is still free to discuss solutions to your problem!

Thanks.

i-chernyshov commented 5 months ago

@driesvints

Hey, why did you close the problem? I have 3 important questions about the work of octane, could you show more respect to the consumer and give advice?

driesvints commented 5 months ago

These questions can be asked on a support channel. We generally only handle bug reports on this issue tracker.

i-chernyshov commented 5 months ago

@driesvints

You just threw me over to try my luck somewhere else, even though I clearly attached two problems, two obvious errors and a potential security issue. Thanks)

driesvints commented 5 months ago

could you give a couple of comments about this?

Could you help me understand what the problem is?

what could be the reason for such unexpected behavior?

These are support questions. This is open source, not free support.